
Table of Contents

1 PURPOSE
2 EFFECTIVE RISK MANAGEMENT
3 SCOPE
4 DEFINITIONS
5 BACS CONSORTIUM ROLES AND RESPONSIBILITIES
6 RISK MANAGEMENT PROCESS
6.1 Establish the Context
6.2 Identify Risks
6.3 Analyze
6.4 Prioritize
6.5 Plan
6.6 Manage
7 DATA MANAGEMENT
8 APPENDICES
8.1 Risk Scoring Scheme
8.2 Activity/Deliverable Requirements and Timelines

Document No. M-BAC-000000-GK00-MPL-00001 Page 2 of 23 Printed: 12 Jan 14


Risk Management Plan
Electronic documents once printed, are uncontrolled and may become out-dated. Refer to Aconex for current revision.
© 2013 High Commission for the Development of ArRiyadh
1 PURPOSE
The purpose of this plan is to describe the process for implementing Risk Management on the
Riyadh Metro Project. It sets out the approach, management components and resources to be
applied to the management of risk.
The Risk Management process under this Risk Management Plan (RIMP) is a continuous cycle of
identifying, analysing, evaluating, monitoring and reviewing risks.
The risk analysis philosophy to be used on the Riyadh Metro project will be qualitative and at
certain defined intervals quantitative. The project team will consider positive (opportunities) and
negative (threats) consequences and the likelihood that those consequences can occur. For both
threats and opportunities the Project team will consider options involving a balance between cost
and efforts of implementation against benefits derived with regards to Project objectives.

2 EFFECTIVE RISK MANAGEMENT


Effective risk management will:
• Minimize the impacts of risks on Project objectives related to on-time delivery, meeting budget
expectations, and achieving performance specifications within the required health and safety,
quality and environmental standards.
• Improve the identification of threats and opportunities on the Riyadh Metro Project while
eliminating surprises.
• Provide a reliable basis for decision making and planning.
• Promote teamwork and good decisions, and focus management attention on significant issues
and opportunities to help achieve the Project’s goals.
• Aid project decisions and project planning through the provision of better information.
• Promote proper communication of key project risks and their potential impact on the project.
• Align the project team(s) and the external stakeholders.

This RIMP is directed at managing impacts of uncertain events on Project objectives in dimensions
including but not limited to:
Cost, Time, Reputation, Safety, Quality, Security, Environmental, Community

3 SCOPE
The BACS Consortium will utilize Project Execution Risk Management (PERM) processes to
examine, among others, the business, commercial, technical, environmental, political and social
risks associated with the Project (i.e. external context and internal context) using Riyadh Metro
program-wide Risk Breakdown Structure (to be agreed with the Engineer). Additionally, this RIMP
differentiates risk identification and management from other activities performed for the projects
such as provision of insurances, HAZOP and Environmental, Safety & Health processes.
The BACS Risk Management team will conduct monthly qualitative risk assessments through
workshops, expert input and team member interviews, quarterly quantitative cost risk analysis
(QCRA) and semi-annual quantitative schedule risk analysis (QSRA). Should additional ad hoc
assessments and analyses be requested by the Employer, the Engineer will consult with the
Contractor in terms of reporting timelines, format and content. The Project team will utilize the
Active Risk Manager (ARM) tool in its process of identifying, analysing, evaluating, monitoring and
reviewing risks.

4 DEFINITIONS
This Risk Management Plan follows the standards, processes and definitions as set out in the
Project Management Body of Knowledge, Fifth Edition (PMBOK).
Actions – one-off responses in a Response Plan to mitigate or avoid a risk
ALARP – As Low As Reasonably Practicable
BACS – Consortium of Bechtel, Almabani, CCC and Siemens
Contingency – the amount of money and work hours which must be added to an estimate to
account for uncertainties within the estimate detail, in quantity, pricing, and productivity that are
understood by the project and are within an expected range based on historical data and within the
defined project scope. The contingency is expected to be expended during project execution.
Controls – recurring responses in a Response Plan to mitigate or avoid a risk.
Current Risk Level (Current Risk Ranking) – is the current value (or range) of probability of the
risk and of its impact in the relevant impact dimensions. As the understanding of risk progresses,
and as the actions and controls are applied, the Current Risk Level will change and should be
updated in ARM.
Earliest Impact Date – the date on or after which you believe a risk might impact
Employer – Arriyadh Development Authority (ADA)
Engineer – Riyadh Metro Transit Consultants (RMTC)
Fallback Plan – a Recovery plan to execute if an event occurs
HAZOP – Hazard Operability
Latest Impact Date – that date after which the risk cannot impact
Opportunity – an event with a possible beneficial impact
PERM – Project Execution Risk Management
PMBOK – Project Management Body of Knowledge
PMT – Project Management Team, comprising the Project Director and Deputy Project Directors
QCRA – Quantitative Cost Risk Analysis
QSRA – Quantitative Schedule Risk Analysis
Responding to Risks – processes to prepare Response Plans and execute and manage their
implementation

Risk – an uncertain event or condition that, if it occurs, has a positive or negative effect on at least
one of the project's objectives
Risk Assessment – processes to identify, evaluate, mitigate and monitor resolution of project risks
Risk Analysis and Quantification – the process of examining the root cause and effect of a risk
and evaluating the probability or frequency that the risk event will occur, and assessing the range
of possible impacts
Risk Identification – an approach for determining which events are likely to affect the program,
project or activity, and for documenting those events
Risk Impact – a description and quantification of the impact of a risk
Risk Impact can be stated in cost, schedule, health & safety, environment, community and
reputation dimensions. A risk can have more than one impact
Risk Probability or Frequency – an assessment of the likelihood that the risk will occur.
Probability is used in preference to frequency whenever possible
Risk Ranking Matrix (also known as Probability Impact Diagram (PID) or risk heat map) –
Riyadh Metro project will use a 5 x 5 matrix. Individual risks are allocated to a cell of the matrix
according to the probability and impact severity range to which they belong in the risk scoring
scheme. If the risk has impacts in several dimensions, the highest impact is used. The individual
cells of the PID have a priority sequence to provide a risk ranking, and the risks are sequenced in
reports according to the priority sequence of the cells. Cells are also grouped on the PID into
coloured severity bands. Risks are prioritized for the attention of the Project Management Team
and the Project Risk Committee according to the coloured severity bands to which they belong
Risk Register – the Active Risk Manager (ARM) database is the tool for recording all aspects of
the Riyadh Metro project execution risk management plan
Risk Response Plan – documents the actions and controls to respond to the impacts of a risk and
the fallback (recovery) plan to adopt if the risk materializes
Risk Scoring Scheme – is defined by two component parts: probability and impact. The scale of
probabilities is approximately linear and composed of five ranges. Each dimension of impact
managed on Riyadh Metro project has a defined scale, composed of five ranges, from lowest to
highest
RIMP – Risk Management Plan
Target Risk Level (Target Risk Ranking) – the risk level as reduced by successful
implementation of a Response Plan
Threat – an event with a possible negative impact
Trend – an item of change that is certain to occur (or is occurring) and should therefore be
managed as a trend in the trend register. Items of change include events that can cause an
addition or reduction to the cost and/or schedule baseline, the project scope, pricing, unit rates,
schedule, or intended plant quality that causes an addition or reduction to the trend base estimate
including corrections for scope/estimate omissions.

5 BACS CONSORTIUM ROLES AND RESPONSIBILITIES


This section highlights the roles and responsibilities of key personnel in the BACS Consortium as it
relates to the execution of the Risk Management process and as stated in Section 6. Risk
Management of Volume 2.1 Project Management Requirements of the Contract for Package 1 of
the Riyadh Metro Project. As per this section, the BACS Consortium is contractually obligated to
manage project risk within the defined scope of Works, including those interface management
responsibilities identified within the Contract. Where risk is identified, outside the defined
contractual obligation, this will be escalated in accordance with the BACS Risk Management
process, as detailed in Section 6 of this plan.

Project Risk Committee may include members/organization(s) outside the BACS Consortium
including representatives from the Engineer, Employer and possibly external stakeholders with
influence on the Riyadh Metro project.
• Provide governance and guidance for Risk Management activities.
• Ensure legal and regulatory compliance.
• Establish performance measurements.
• Allocate resources to risk management.

Project Management Team has the following key responsibilities:
• Effectively communicate with the Engineer and Employer to ensure their input is considered
and factored into the Risk Management Plan.
• Approve the project Risk Management Plan.
• Approve risks and the prioritization of risks derived from the risk probability and impacts.
• Agree Risk Owners for development of risk responses.
• Approve Risk Response Plans.
• Monitor and review the risk process on a regular basis (as per KPIs to be agreed with the
Engineer).
• Have overall responsibility for the implementation of the RIMP.
• Escalate certain risks to the Project Risk Committee particularly risks with required mitigation
measures outside the control of the BACS Consortium.
The Project Risk Manager has the following key responsibilities:
• Take Ownership of the RIMP.
• Lead Risk coordination and communication internally and with the Project Risk Committee.
• Lead the Quantitative analysis activities.
• Perform management coordination.
• Prepare the project RIMP based on the defined project risk management objectives.
• Obtain timely input from the project team to facilitate classification, identification and
assessment of potential new risks.
• Propose Risk Owners.
• Act as a facilitator and support Risk Owners and others to develop the cause and effect
sections of the risk identification process.
• Act as a facilitator and support Risk Owners and others to score and prioritize risks and assess
residual risk (the risk exposure that remains after delivery of, and that cannot be reduced
further by, the Response plan).
• Act as a facilitator and support to Risk Owners and others to develop the risk response.
• Prepare, update and maintain the project Risk Register for new, closed and revised risk
records.
• Prepare reports for the Project Director, Project Management Team and the Employer.
The Project Risk Coordinator reports to the Project Risk Manager and has the following
responsibilities:
• Act as a facilitator and support to Risk Owners and others to develop the cause and effect
sections of the risk identification process.
• Act as a facilitator and support to Risk Owners and others to score and prioritize risks and
assess residual risk.
• Act as a facilitator and support to Risk Owners and others to develop the risk response plans.
• Prepare, update and maintain the project’s Risk Register for new, closed and revised risk
records.
• In conjunction with Project Controls, conduct QCRA and QSRA activities using quantitative
assessment methods and tools.
• Monitor the progress of risks and risk response plans.
• Prepare reports for the Project Risk Manager to submit to the Project Director, Project
Management Team, and the Employer.
Risk Owners are nominated by the Project Risk Manager and approved by the Project
Management Team and assigned full responsibility for the management of risks.
• Carry out activities as required by the RIMP.
• Manage the risk and report to the Project Risk Manager, through the Project Risk Coordinator,
on Action progress, Control effectiveness and Fallback Plan preparedness (including any
re-assessment of the Current Score as a result of completed responses).
Risk Response Plan Owners are nominated by the Risk Owner and assigned full responsibility
for the management of the Risk Response Plans. All changes to Risk Response Plans and
progress must be reported through the Risk Coordinator to the Risk Owner and the Project Risk
Manager, and approved by the Project Management Team.

The Project Controls Manager has responsibility to:
• Review the Risk Register for risks that have been realized or partially realized for inclusion in
the Trend Register where appropriate.
• Review the Trend Register for “Potential Trends” and ensure that these trends are moved from
the Trend Register into the Risk Register where appropriate.
Functional Stakeholder – a Function will be allocated ownership of each Risk as part of the
completion of a risk record.

Below is Figure 1 showing how the Risk Management Team of the BACS Consortium will interact
with the Project team. In this figure, the Delivery Risk Leads from the BACS Consortium will attend
Risk Review meetings organised by the Central Risk Management Team and facilitated by the
Risk Coordinators. The frequency of these meetings will be dictated by the BACS Risk
Management Process. The Project Risk Manager who is part of the Central Risk team would
escalate project risks as appropriate particularly those with mitigations outside of the BACS
Consortium as the diagram depicts. The Engineer and the Employer participate in the Risk
Management process through the Project Risk Committee, and facilitate interaction with external
stakeholders when necessary.

Figure 1. Risk Management Team Structure

6 RISK MANAGEMENT PROCESS
The PERM process consists of the following key process steps:
• Identify risks via risk elicitation and assign Risk Owners.
• Analyze risks through an examination and documentation of Causes and Effects,
categorization of risks by their sources, and determination of potential impact dates.
• Prioritize risks based on estimation of Probability and Impacts, determination of Current Risk
Ranking on the Risk Ranking Matrix, and taking appropriate actions based on risk severity
color band.
• Plan Risk Responses, estimate the Target Risk Ranking, and estimate the Response Plan
cost.
• Manage risks by carrying out a cycle of review, ensuring Risk Register data quality,
establishing alignment with functional interfaces, executing Response Plans, providing reports
and metrics, transferring risks to the Trend Program, closing risks, and completing Lessons
Learned.
This process is illustrated in the following diagram:

Figure 2. PERM Process

6.1 Establish the Context
To establish the context means BACS will define the external and internal parameters that the
organization will consider during the Risk Management process. The context of the BACS risk
process will therefore consider the following:

External Context
• Stakeholders to be included as part of the Risk Management process
• Riyadh-specific Risks
• National and International environment
• All external factors which may impact on the Project’s objectives

Internal Context
• Internal stakeholders
• Approach to Governance
• Contractual relationships
• Capability
• Culture
• Standards

6.2 Identify Risks


The BACS Consortium Risk Management process will use a common Risk Breakdown Structure to
assist in the identification of risk. The BACS Consortium will work with the Engineer to define a
unified program-wide Risk Breakdown Structure to be used across Metro packages and
stakeholders.

Identifying Risks is the process of eliciting Risks that may negatively or positively affect the Project
– Threats and Opportunities. This process starts with a well-developed understanding of Project
objectives and consideration of how the current execution environment, historical information,
Lessons Learned, conventional wisdom and other factors may influence Project outcomes.
Further, as the Project progresses through different phases of execution, as work circumstances
evolve and as forecast assumptions change, it is expected that project Risks will change, emerge
from unforeseen considerations or be discovered from previously unknown information. Risk
identification will therefore occur as an on-going process during Project execution.

Working with the Project Team, the Project Risk Manager will facilitate periodic workshops and
meetings to identify Risks. These workshops and meetings will consider use of various
approaches and techniques to uncover uncertainties that may affect Project objectives. This effort
may include use of:

• Historical Comparisons
• Brainstorming Session
• Project Surveys
• Expert Input
• Root Cause Analysis
• Lessons Learned
• Review of Baseline Documents
• Team Member Interviews
• Checklists

The outcome of Risk identification activities will be carefully filtered by the Project Management
Team to add to the Risk Register. Items that are not considered Risks may include:
• Items certain to occur, almost certain to occur, or currently occurring. Note: PERM processes
are future oriented with a planned time-frame of management and control activities. Imminent
or immediate items are better addressed by more appropriate Project processes.
• Items outside the original scope of the Project Baseline that are initially addressed via the
Change Notice process; once such items are contractually agreed, associated risks will be
incorporated into and managed in the Risk Register.
• Items developed against an immature Project Baseline or immature Project objectives. Note:
Risk work is against Baseline planning or established Project objectives. Where Baseline
planning isn’t sufficiently mature or where Project objectives are not well defined, it may be too
soon to apply PERM tools and techniques.
• Each item that meets the definition of a Risk will be concisely recorded and described in the
Project Risk Register. Incorporation into the Risk Register will be according to: (1) a unique
identification number, (2) an IF/THEN Risk statement, (3) Causes, (4) Effects, (5) Risk
Sources, (6) Risk Owner, (7) Risk Title, (8) Earliest Impact Date, (9) Latest Impact Date, (10) a
next review date, and other information as needed.
• Project Risks will be described in the form of an IF/THEN statement:
- That clearly articulates the uncertain event and potential impact
- At a level of detail and thoroughness that allows Project staff and stakeholders to
understand the nature and the basis of the Risk without recourse to external documentation
- With Causes (facts or project requirements which make the Project Team believe that a
Risk Event is more or less likely to occur) and Effects (facts which make the Project Team
believe the potential impacts of the risk will be of a certain magnitude) documented in
sufficient detail to provide a factual basis for probability and impact determination per Risk
Analysis requirements below.
• For each Risk recorded in the Risk Register, the Project Management Team will assign a Risk
Owner who is responsible for ultimately and effectively implementing a Response Plan and
ensuring review and updates take place for the Risk as required by this RIMP.
• Upon initial identification and capture, new project Risks are given the status “Unapproved”
until accepted by the Project Management Team. Unapproved Risks will:
- Undergo analysis, prioritization, and response planning as described in this procedure.
- Be prepared for Project review, approval or closure within a certain period of time to be
agreed depending on the Current Risk Level.

6.3 Analyze
Analysis is a refinement of the identification process, used to determine as accurately as possible,
Causes and Effects. The Causes and Effects are then used by the Project to establish the
probability and potential impacts before Response Planning takes place (the Current Risk
Ranking).

Risk probability determination will be done by the Risk Owner in accordance with the criteria
established in Appendix 8.1 and confirmed by the Project Management Team review. This review
takes into consideration the documented Causes and the extent that the Causes make the Risk
Event more or less likely to occur.
• Probability assignment is subjective based on stakeholder input. If Causes are sufficiently
articulated, it will be easier to understand and arrive at consensus on probability assignment.
• Causes which make the Risk less likely to occur should also be documented and considered in
probability determination.
• Where a high level of probability (>70%) is initially assigned to a Risk, the Risk should be
considered for treatment outside of PERM processes (as a Trend).
Risk impact determination will be done by the Risk Owner in accordance with the criteria
established in Appendix 8.1 based on the identified Effects and confirmed by the Project
Management Team review.

Potential impacts are scored against the following areas:

Cost, Safety, Environmental, Time, Quality, Community, Reputation, Security

The cost impact of a Risk as recorded in the Risk Register does include the cost of time impacts
i.e. the cost of ‘house loads’ associated with schedule delay.

The time impact of a Risk as recorded in the Risk Register includes all time impacts, not solely
impacts on the critical path schedule.

Earliest and Latest Impact Dates will be used for Time Phased Analysis, prioritization by impact
dates, and informing Project stakeholders of Risk status relative to baseline planning.

During the Analyze Risk Management process there will be identified risks which require
escalation within and outside of the BACS Consortium for resolution and management as shown in
Figure 3 below. The mitigation and response plans for these risks may require additional funding
sources.

Figure 3. Escalation path for Risks within and outside BACS Consortium

Quantitative Risk Analysis is the process of numerically analyzing the effect of identified risks on
overall Project objectives. The key benefit of this process is that it produces quantitative risk
information to support decision making in order to reduce project uncertainty.

The Project will make use of both cost and schedule quantitative analysis. The frequency and
output of reporting is described in Section 6.6.

QCRA will provide the project a means to examine the impact of individual risks on the overall
project cost. It will help determine the likelihood of finishing the project on budget as well as to
estimate the requisite Contingency reserve needed to provide the desired amount of certainty
about achieving the cost plus reserve.

QSRA will provide the project a means to examine the project’s critical path to identify risks from a
variety of sources using probabilistic techniques.

It should be noted the timing and frequency of the quantitative reporting output is to be reviewed
after the initial 6 months to ensure appropriateness of resource allocation to the task(s).

6.4 Prioritize
As a result of Probability and Impact assignment prior to Response Planning, individual Risks are
assigned an initial risk ranking level from 1 to 25, recorded as the Current Risk Ranking. This
ranking provides grouping according to colored severity bands. This system of numerical ranking
and color grouping prioritizes High-Level Risks according to Current Risk Ranking:
Individual risks are allocated a Risk Ranking according to the probability range and impact range to
which they belong (refer to Appendix 8.1). If the risk has impacts in several dimensions, the
highest impact is used to allocate a Risk Ranking. The individual cells have a priority sequence
and the risks are prioritized for the attention of the Project Management Team according to the
colored severity bands to which they belong.
Until a Response Plan has been developed and approved by the Risk Owner and the Project
Management Team, the Target Risk Ranking score is set to equal the Current Risk Ranking score
for Approved and Unapproved Risks. As described below, both the Current and Target Risk
Rankings will change as a result of ongoing reviews and Risk Response Plan performance.

6.5 Plan
Risk Response Plans will be prepared by considering the following risk response strategies:
• Risk avoidance which focuses on eliminating the root cause of a risk or by taking a different
course of action to avoid the risk or incorporating preventative measures.
• Risk reduction which focuses on lowering the probability or frequency that the risk will occur, or
minimizing the impacts.
• Risk transfer which focuses on transferring the impacts of a risk.
Note: Risk reduction and Risk transfer are known as risk mitigation strategies.
• Risk acceptance, which occurs when risks cannot be avoided or mitigated, the costs of doing
so would be unacceptable, or the impacts can be accepted by the Project. Risk acceptance
involves monitoring the risk, and may include a specific Fallback Plan and is likely to include
allocation of Contingency reserve funding to cover potential impacts.
• Share or exploit an opportunity to maximize the benefit to the Project objectives.
Response Plan development will take place such that:
" High level Risks will undergo Response Plan development within a reasonable period of time
after identification. Lower level Risks may not require response planning.
" All Risk Response Plans will be approved by the Project Management Team prior to
implementation. Where appropriate, the Project Management Team may elect to review a
Risk Response Plan with the Employer.
" A Risk Response Plan may consist of activities not considered in Baseline planning. Where
necessary, a Risk Owner will submit a Trend for cost and schedule activities outside the
Baseline.
" The Risk Owner is responsible for effectively implementing the approved Risk Response Plan
for the Risk. This includes working with the Project Risk Manager to evaluate the effectiveness
of responses on a monthly basis and seeking Project Management Team support when
needed.

Document No. M-BAC-000000-GK00-MPL-00001 Page 15 of 23 Printed: 12 Jan 14


Risk Management Plan
Electronic documents once printed, are uncontrolled and may become out-dated. Refer to Aconex for current revision.
© 2013 High Commission for the Development of ArRiyadh
• A Risk Response Plan consists of Actions, Controls and Fallbacks assigned against Causes
and Effects. It establishes how the Project will address the probability of occurrence, the
magnitude of potential impacts and what actions will be taken should the Risk event occur.
- For Causes, Actions and Controls are assigned which will lower the probability of a Threat
or enhance the probability of an Opportunity.
- For Impacts, Actions and Controls are assigned which will lower the potential magnitude of
the Impact or prevent the Impact from occurring. For Opportunities, positive impacts are to
be maximized.
- The Project Management Team will determine the level of Fallback Planning needed for a
Risk based on recommendations from the Risk Owner. Fallback Planning will be
determined and assigned by the Risk Owner and Project Management Team.
- Detectability controls and Fallback Plans: If it is not possible to know that a risk is
materializing until its first impact on the project (for example a sandstorm or flash flooding at
the site) then the Fallback Plan may have relatively limited effectiveness in reducing the
impacts; but if a control could be introduced to detect and give early warning that the risk
event was occurring (for example a sandstorm alert), allowing a Fallback Plan to be
triggered before the first impact on the project, then the Fallback Plan could be much more
effective in reducing the impacts.
Each Action, Control, and Fallback in the Risk Register will:
• Be described in sufficient detail that will allow the activity to be clearly understood without
reference to external documentation.
• Be assigned a due date and a Response Plan Owner.
• Refer to Project information if such reference supports effective PERM activities.
Example information that might be referenced includes: plans, procedures, correspondence,
quality audits, corrective action reports, etc.
The Project Manager has sole approval authority for Risk Response Plans and their
implementation and management on the project.
After Response Plan development, the Target Risk Ranking is scored. Target Risk Ranking is the
forecast reduction in Current Risk Ranking expected from successful completion of the Response
Plan.

6.6 Manage
As the Project progresses through different phases of work execution, as work circumstances
change, and as forecast assumptions prove to be correct or incorrect, it may be expected that
Project Risks will change, emerge from unforeseen considerations, or be discovered from
previously unknown information. The process of Risk review will therefore take place as an
ongoing process.

Regular risk reviews with Risk Owners will be scheduled according to Current Risk Ranking.

• Risk reviews with Risk Owners and the Project Management Team will include consideration
of: the quality of Risk information (Risk Statement, Causes, Effects), Risk review frequency,
effectiveness of Controls, completion of Actions, sufficiency of Fallbacks, evaluation of
Response Plans, updates to Current and Target Risk Rankings, proper Risk Owner
assignment, dates associated with the Risk and any other information relevant to Project
objectives.
• Risk Owners are responsible for managing delivery of the Response Plans for their Risks.
- Risk Owners will evaluate Response Plans at the time intervals determined by the review
cycle for their Risks. Risk Owners will take steps to ensure Response Plan performance
occurs as planned and engage the Project Management Team when needed.
- Evaluation of a Response Plan will be against Control effectiveness, Action completion by
assigned due dates, changes to Causes and Effects influencing Response Plan
expectations, sufficiency of Fallbacks, and whether the overall effectiveness of the
Response Plan meets expectations. Current and Target Risk Rankings will be adjusted
from this evaluation.
- The Project Risk Manager / Risk Coordinator will provide a Response Plan status report to
Response Plan Owners, Risk Owners and the Project Management Team. This status
report will list all Responses with a due date occurring within 90 days of report issuance as
well as all overdue Responses.
- Baseline due dates for Actions and Controls associated with Approved Response Plans will
not be changed unless there is Project Management Team approval.
• Changes to Causes, Effects, or outcomes from Risk Response Plan performance will require
that Current Risk Ranking and Target Risk Ranking be adjusted accordingly.
• Current Risk Ranking will be updated according to Cause and Effect information present for
the Risk at the time of Review. This will include information as to successful or unsuccessful
completion of Actions and the effectiveness of Controls.
- The completion of Response Plan Actions and execution of effective Risk Controls may
cause the Current Risk Ranking to decrease for Threats and increase for Opportunities.
- Failure to have effective Risk Controls may cause the Current Risk Ranking to increase for
Threats and decrease for Opportunities.
- Current Risk Ranking cannot reflect credit for Actions that are incomplete or not performed.
• Target Risk Ranking will not change if Response Plan performance is as expected or if there
are no changes to the Risk Causes and Effects.
- Determination that there are Causes and Effects not addressed or not sufficiently
addressed by the Response Plan will cause the Target Risk Ranking to increase for Threats
and decrease for Opportunities.
- Determination that Causes and Effects are no longer a concern or less of a concern may
cause the Target Risk Ranking to decrease for Threats and increase for Opportunities.
- Determination that the Response Plan will be more or less effective may result in changes
to the Target Risk Ranking.
In addition to Risk reviews, the Risk Register will be updated based on the outcome of meetings,
discussions, and information received from the Project Management Team and Risk Owners.
Changes or updates will be appropriately documented, stating the reasons for changes or updates
in sufficient detail so that a record is created for historical information purposes.

Changes to Risk Ranking and the addition or removal of Response Plan Actions, Controls or
Fallbacks for High-Level Risks will only occur with Project Management Team approval.

Monthly Risk review meetings will take place with the Project Management Team, Risk Owners,
and interested parties as required to present information, analysis and recommendations regarding
the following as well as to review and evaluate PERM program effectiveness.

• Risk Program Health: Risks past review, High-level Risks without Response Plans,
overdue Risk Responses, the status of Unapproved Risks, and other considerations which
speak to whether this RIMP is being performed as required.
• Risk Program Performance: Response Plan results both forecasted and actual, changes to
High-Level Risks, a summary overview of changes to Low and Medium level Risks, Project
s-curves, Response Plan costs, and other considerations which speak to the overall value of
PERM activities for the Project.
• Presentation and discussion of new and/or Unapproved Risks.
• Approving and closing of Risks.
• Other issues, concerns, or successes associated with PERM execution and the need for
additional actions, activities or support.
The Project Management Team will meet quarterly to conduct an extensive review of the Risk
Register and evaluate PERM program effectiveness, and changing Project environment.
BACS Consortium will engage with the Engineer on an as needed basis for risk reviews, progress
meetings and risk response plans and also provide the Engineer with monthly reporting data as
appropriate.

Closing Risks

Risk records will be submitted with supporting documentation for Risk closure by the Project
Management Team when recommended by the Risk Owner and:

• Response plans have been completed and the Latest Impact Date has passed, or
• When the Threat or Opportunity has been fully transferred to the Project Trend Program, or
• When the Risk is no longer considered a Threat or Opportunity to Project objectives, or
• When the Risk has been accepted by the Project.
Risks having a 70% and higher probability of occurrence will be actively considered for
transfer to the Project Trend Program.

Decisions to close high-level Risks will be made following approval of the Project Management
Team as discussed at monthly Risk review meetings. Lower level Risks can be closed upon Risk
Owner recommendation but closure is subject to Project Management Team approval at the Risk
review meeting.

Risk Reporting

The BACS Consortium will prepare the following reports as part of its Risk Management
process as agreed with the Engineer. BACS Consortium will update the Risk Reports if there are
material changes and will provide the Engineer with the updated version.

• Monthly Dashboards from standard ARM Reports showing but not limited to:
- Number of Risks past their review dates
- Number of overdue Risk Responses
- Number of high level Risks without Response Plans
- Current & Target Risk Ranking counts
- Risk metrics by Work Breakdown Structure
- Number of unapproved Risks
- Number of Risks per Category
- Current and Target Risk S-Curves
- Risk count by owning delivery team/function
- Risk count by Risk sources
• Monthly Risk Report from standard ARM Reports showing but not limited to:
- Key KPIs
- New risks raised
- Risks closed out
- Monthly Risk Register showing the status of associated responses for all high level risks as
determined by their current risk ratings.
- Monthly response plan status showing due date occurring within 90 days of report issuance
as well as overdue responses
• Quarterly Quantitative Cost Risk Report showing:
- Cost exposure (Pre and Post mitigated)
- Summary of relevant critical Response Plans and associated costs
• Semi-Annual Quantitative Schedule Report showing:
- Milestone exposure (Pre and Post mitigated)
Quantitative Schedule Risk Analysis Reports will be provided to the Engineer after major Schedule
updates or material changes in risks.

The Project Risk Register will be audited as deemed necessary according to the internal
procedures of the BACS consortium.

7 DATA MANAGEMENT
To ensure compliance with Project minimum data standards, the Project Risk Manager will perform
a self-assessment of data quality for the Risk Register semi-annually and provide a report out at
the following Project Risk Review meeting.

At the end of each reporting cycle, the following information is to be archived in the project’s
document management system with appropriate document numbering:

• All reports and metrics provided to the Project Management Team during the month – native
file format.
• Full Risk Register export data showing Approved, Unapproved, Closed, and Impacted Risks –
Excel spreadsheet file.
• Risk Ranking metric for all Approved Risks, showing Current and Target Risk counts – Excel
spreadsheet file.
• Risk detail reports for all Approved and Unapproved Risks – PDF file.
• Response Plan register report – Excel spreadsheet file.
• Any meeting minutes and associated documentation from monthly held Risk meetings – PDF
file.

8 APPENDICES

8.1 Risk Scoring Scheme


The following represents the Risk scoring scheme provided by the Engineer, subject to further discussion with the intent to agree a program-wide
unified scheme for implementation across all metro packages.

| Probability | Score | Min | Max | Description |
|---|---|---|---|---|
| Very Low | 1 | 0% | 10% | Very low probability of the risk event actually occurring |
| Low | 2 | 11% | 30% | Low probability of the risk event actually occurring |
| Medium | 3 | 31% | 70% | Medium probability of the risk event actually occurring |
| High | 4 | 71% | 90% | High probability of the risk event actually occurring |
| Very High | 5 | 91% | 100% | Very high probability of the risk event actually occurring |

| Consequence | Score | Cost Impact (SAR) | Cost Impact ($) | Time Impact | Performance/Quality Impact |
|---|---|---|---|---|---|
| Very Low | 1 | <=5Mil | <=1.3Mil | <two weeks | No impact on Technical Specifications Requirements |
| Low | 2 | 5>x<25Mil | 1.3<x<6.7Mil | 0.5-1 month | High compliance with Technical Specification Requirements |
| Moderate | 3 | 25>x<50Mil | 6.7<x<13.3Mil | 1-2 months | Partial compliance with Technical Specifications Requirements |
| Significant | 4 | 50>x<100Mil | 13.3<x<26.7Mil | 2-3 months | Severe discrepancies with the Technical Specifications Requirements |
| Very High | 5 | >100Mil | >26.7Mil | >3 months | No compliance with Technical Specifications Requirements |

| Risk Ranking | Score (P*C) | Actions monitored by the Risk Management Plan |
|---|---|---|
| Acceptable | 1 | Normal action as dealt under risk register. Risk evolution to be monitored. |
| Minor | 2-4 | Situation not totally acceptable which requires from the Risk Owner regular review and due care diligence. |
| Moderate | 9-18 | Disturbing position. Risk Owner obligation to undertake specific and immediate actions. |
| Major | 10-14 | Disturbing position. Risk Owner obligation to undertake specific and immediate actions. |
| High Level | 19-25 | Critical influence on project success. Position is totally unacceptable. Requires important and major actions with regular review and reporting directly to the PM Board/Steering Committee. |

8.2 Activity/Deliverable Requirements and Timelines

| Activity/Deliverable | Frequency | Function/requirement | Remarks |
|---|---|---|---|
| Input into the Employer’s routine progress meeting | Weekly (when material changes occur) | If there are emerging risks or material changes to the list of Top 10 risks and Top 3 Opportunities this list will be updated and given to the Engineer. | Format (Excel) as provided by the Engineer. Submission timing to be agreed upon with the Engineer |
| Working level Contractor/Engineer Risk Review | Monthly | Contractor Risk Manager & Engineer Risk Manager routine Risk Management co-ordination & progress meeting. This frequency may be adjusted to weekly according to project needs or as risk activities dictates in discussion with the Engineer. | Agenda as required to reflect Engineer’s feedback on Contractor’s Risk Management activities / deliverables, guidance on Employer’s requirements etc. |
| Risk Register | Monthly | A copy of the Contractors updated Risk Register, submitted at month end (with the Monthly Progress Report – see below). The Engineer will have visibility through ARM on an as required basis. | Metro-wide common Risk Breakdown Structure and metrics to be provided by the Engineer |
| Input to Contractors’ Monthly Progress Report | Monthly | As required in Contract Vol 2.1. | Detailed requirement as provided by Engineer |
| Contractors’ Monthly Dashboard | Monthly | | Detailed requirement as provided by Engineer |
| Input to Employer’s Monthly Risk Review | Monthly | Focus on Employer mitigation support/decision-making. | Information likely to be provided within other standard deliverables |
| Senior Management Joint Engineer/Contractor Review | Monthly | Review of Risk Management status at the monthly Progress meetings currently being held between RMTC senior management and BACS senior management. | |
| QCRA report | Quarterly | To inform Employers’ Quarterly Progress Reviews. | Additional modelling/reports as required by Employer or in response to material change to schedule, and/or emerging risks |
| QSRA | Not less than semi annually | To inform Employers’ Quarterly Progress Reviews. | Additional modelling/reports as required by Employer in response to an update to the schedule, and/or material emerging risks |
| 6 monthly look ahead programme of Risk Management activities | Updated bi-monthly | Agreement on next 6 month Risk Management programme (including Joint or Employer workshops etc.) updated every two months. | |
