Professional Documents
Culture Documents
RESEARCHSUPPORTBUILDINGANDINFRASTRUCTURE
MODERNIZATION
RISKMANAGEMENTPLAN
April2009
SLACI05007010002
Risk Management Plan
Contents
1.0 INTRODUCTION............................................................................................................................................. 1
1.1 Scope......................................................................................................................................................... 1
2.0 MANAGEMENTAPPROACH ......................................................................................................................... 2
2.1 Responsibilities ....................................................................................................................................... 2
2.2 RiskManagementProcess ..................................................................................................................... 2
3.0 RISKIDENTIFICATIONANDASSESSMENT ................................................................................................. 4
3.1 RiskIdentification................................................................................................................................... 4
3.2 RiskCategories........................................................................................................................................ 5
3.3 RiskAssessmentandQuantification ................................................................................................... 6
3.4 RiskProbabilities .................................................................................................................................... 7
3.5 RiskSeverities ......................................................................................................................................... 8
4.0 RISKMANAGEMENTIMPACTANDCONTROLACTION............................................................................ 9
4.1 RiskHandling ......................................................................................................................................... 9
4.2 RiskImpactDetermination ................................................................................................................. 11
4.3 Abatement.............................................................................................................................................. 11
4.4 CostandScheduleImpactMonteCarloSimulation..11
5.0 RISKTRACKINGANDDOCUMENTATION ................................................................................................ 12
5.1 RiskRegistry.......................................................................................................................................... 13
5.2 RiskDocumentation ............................................................................................................................. 13
APPENDIXA:RISKREGISTRYREPORT..................................................................................................... 14
CONTENTS i
Research Support Building and Infrastructure Modernization
Revision History
Rev. 0 04.15.09 Initial Issue; Risk Management Plan for CD-1 Not Applicable
ii REVISION HISTORY
Risk Management Plan
1.0 Introduction
1.1 Scope
This document, the Risk Management Plan (RMP), describes the management processes used on
the project to plan, identify, assess, categorize, quantify, handle and report/track risks associated
withtheachievementoftheprojectrequirementsandgoalsfortheResearchSupportBuildingand
Infrastructure Modernization (RSB) Project, which is being established at SLAC National
AcceleratorLaboratory.TheRSBRMPisconsistentwithDOEO413.3A,ProjectManagementforthe
Acquisition of Capital Assests, and strives to incorporate best practices from other large scale
constructionprojectsaroundDOEcomplex.
RSB management team believe that the risk is an inherent in all activities of any large scale
constructionproject. To besuccessful,ariskmanagementprocessisneededsuchthatriskcanbe
continuallyevaluatedandmanagedinordertominimizetheconsequencesofadverseevents.
Theultimategoalofriskmanagementistoincreasetheprobabilityofprojectandactivitysuccess
by focusing attention on problem areas early and reducing the amount of costly rework in the
future.Foreachandeveryrisk,thereisthepotentialimpactofcostoverruns,scheduledelaysand
compromises in quality and safety if the risk occurs. Hence, risk management will be applied
continuouslythroughouttheRSBprojectlifecycleandwillevolveandadapttoaccommodatethe
variousprojectphases.
Ariskisaneventthathasthepotentialtocauseanunwantedchangeintheproject.Ariskisas
follow:
Adefinableevent;
Withaprobabilityofoccurrence;and
Withaconsequenceorimpactifitoccurs.
Ameasureoftheseverityofriskis:
Severity=ProbabilityxImpact.
Forrisks,wehaveamitigationplan.Amitigationplaneitherlowerstheprobabilityand/orthe
impacttoreducetheseveritytoanacceptablelevel.
Managingriskisakeyelementoftheprojectmanagementprocessforboththeplanningandthe
performancephasesoftheRSBproject.Assuch,thisRMPdevelopsamethodologytoidentifyand
quantifyspecific riskstotheproject,determinetheirconsequenceandassociatedprobability,and
developmitigationstrategies.
INTRODUCTION 1
Research Support Building and Infrastructure Modernization
2.0 ManagementApproach
2.1 Responsibilities
RSB project management has established specific roles andresponsibilities to support project risk
management processes and control over the life cycle of the project. The specific responsibilities
relatingtotheRSBRMPareasfollows:
RSBProjectManagerTheRSBProjectManagerisresponsibilityformanagingcostand
schedule contingency, consistent with the change control process and thresholds
described in the PEP. The objectives are to maintain contingency commensurate with
project risk through project completion and to ensure that the full project scope is
achievedonscheduleandonbudget.
RSBProjectRiskManagerTheRSBProjectRiskManagerisassignedresponsibilityfor
implementing the overall Risk Management Program and ensuring that it meets the
intent of DOE Order 413.3A and is assigned responsibility for working with risks,
qualityandsafetysubjectmatterexpertstoexecutetheriskmanagementprocess.The
ProjectRiskManagerisalsotheRiskManagerPointsOfContact(POCs)oftheproject.
RSBProjectRiskManagerisresponsible,butnotlimitedto,forthefollowing:
o Elicitingrisks,loggingrisksintheriskregister.
o Performinganalyses,reportingonriskexposuretoProjectManager.
o Identifyingabatementstrategies,abatementactionsandtrackingtheireffectiveness
atreducingriskexposure.
o ReportingabatementresultstotheProjectManager.
2.2 RiskManagementProcess
RSBprojectriskmanagementprocessissummarizedinthefollowingsteps.
Risk Management Planning Prior to the initiation of risk management, activities in the
proposedbaseline(scope,schedule,andcost)areevaluatedtodeterminetheirpotentialfor
risk. This evaluation (or risk screening) assesses all activities against a set of screening
categories typically in the areas of construction, interface control, safety, regulatory and
environmental, security, design, resources, space migration etc. Activities which are
identifiedasprojectriskswillbetrackedwithintheRSBRMP.
RiskIdentificationIdentifyrisksthatmayimpactthesuccessfulcompletionoftheproject.
Risksareidentifiedfortheentirelifecycleoftheproject.Riskassociatedwithprojectwork
scope, cost, and schedule are identified by systematically challenging the assumptions,
2 MANAGEMENT APPROACH
Risk Management Plan
logic, and scope of the project and examining the identified uncertainties associated with
eachstageoftheproject.
RiskAssessmentAssesstheriskstodeterminetheirlikelihoodandimpactontheprojects
cost,schedule,and/orworkscope.Thisincludesaqualitativeandquantitativeassessment
oftheconsequences(impact)oftherisksaswellastherisksprobabilityofoccurring.
RiskHandlingDeterminetheriskhandlingstrategy,whether(inorderofpreference)itis
toeliminate,transfer,prevent,mitigate,orassume(accepttherisk).
RiskManagementImpactandControlActionsAssessestheriskimpactontheprojectand
the effect of the risk handling strategies. Risk handling strategies will be reflected in the
projectsbaseline,whereasresidualriskswillbereflectedintheprojectcontingency.
RiskReportingandTrackingRiskreportingandtrackingisthedocumentationoftherisk
managementprocess.
Riskmanagementisaniterativeprocessinwhichtheeffectivenessofcontrolactionsisconstantly
evaluated, new risks are discovered, and existing risks are reassessed. New or revised control
actions are implemented as needed. By managing risks, the process helps minimize cost impact,
scheduledelays,ortheimpactofotherissuethatcouldimpedeaprojectsprogress.Theiterative
processcontinuesuntilalltherisksareclosedortheprojectiscompleted.
MANAGEMENT APPROACH 3
Research Support Building and Infrastructure Modernization
3.0 RiskidentificationandAssessment
3.1 RiskIdentification
Risk identification requires a methodical process to ensure that the list of identified risks is
comprehensive. In this process, the Risk Project Manager, Project Manager, Integrated Project
Team, Safety Subject Matter Experts, and Control Account Manager are asked to identify project
risksintheirareaofresponsibility.Theriskidentificationprocessisusingagradedapproach,the
Risk Management process begins with the team evaluating potential risk for each technical
equipmentitemandsubsystemthatexceeds$100K,isonornearthecriticalpath,orthatposesa
particulartechnicalchallenge.Commonriskareashavebeendevelopedasatooltoassisttheteam
inidentifyingareasofprojectrisk.Inaddition,theProjectRiskManagercanidentifyprojectrisks
thatmaynothavebeenidentifiedinanyofthesubprojectriskanalyses.Thecommonriskareasare
shownintable1:
Table1CommonRiskAreas
Project Risk Areas Significant risks
Facilities and Major equipment development
Equipment Inadequate planning for long lead items and vendor support.
Design Design relies on immature technologies or exotic materials to achieve
performance objectives.
Design not cost effective.
Requirements Operational requirements not properly established or vaguely stated.
Requirements are not stable.
Testing/Evaluation/ Test planning not initiated early in program (Initiation Phase).
Simulation Testing does not address the ultimate operating environment.
Test procedures dont address all major performance specifications.
Facilities not available to accomplish specific tests, especially system-level tests.
Insufficient time to test thoroughly.
Project lacks proper tools and modeling and simulation capability to assess
alternatives.
Schedule Funding profile not stable from budget cycle to budget cycle.
Schedule does not reflect realistic acquisition planning.
Schedule objectives not realistic and attainable.
Resources not available to meet schedule.
Supplier Capabilities Restricted number of available vendors.
3.2 RiskCategories
RiskstotheRSBprojectareidentifiedaccordingtothefollowingcategories:
Management
o ConfigurationProcesses
o InterfaceManagement
o ProcurementsandProcurementProcess
o Programmatic
Technical
o DesignFunctionalRequirements
o DesignMaturity/Complexity
o DesignandEquipmentComplexity.
o InstallationandIntegrationComplexity
Environment,Safety&Health(ES&H).
o RegulatoryandEnvironmentalControls
o SafeguardsandSecurity
Schedule
Cost(includescurrencyandinflation)
o Resources(FundingandStaffing)
ES&H hazards associated with the RSB Project are well within the range of normal SLAC
operations. The project management will apply SLACs Integrated Safety & Environmental
Management(ISEMS)SystemforhandlingalltheES&HrisksentailedintheRSBProject.However,
ES&H impacts that increase the risk severity level of technical parameters or facilities will be
includedintheprojectsRiskManagementRegistry.
3.3 RiskAssessmentandQuantification
Risk level assessment is done by determining the probability of the occurrence and cost and
scheduleconsequenceofeachrisk.Consequencemustconsiderforeseeablecumulativeimpacton
projectscope,costandschedule.
Intermsofriskconsequences,eachriskcategoryhasthreeassessmentlevels:
2.3.1 TechnicalConsequenceLevel
Iftheriskoccurs:
Level0 negligibleornoimpactonfulfillmentofmissionneed
Level1 lowlevelofimpactonfulfillmentofmissionneed
Level2 moderateimpactonfulfillmentofmissionneed
Level3 considerableimpactonfulfillmentofmissionneed
2.3.2 ScheduleConsequenceLevel
Iftheriskoccurs:
Level0 potentialdelaytomilestoneofupto1month
Level1 potentialdelaytomilestoneofupto2months
Level2 potentialdelaytomilestoneofupto3months
Level3 potentialdelaytomilestoneofgreaterthan3months
2.3.3 CostConsequenceLevel
Iftheriskoccurs:
Level0 estimatedcostofimpactconsequenceis<$10K
Level1 estimatedcostofimpactconsequenceis<$100K
Level2 estimatedcostofimpactconsequenceis<$500K
Level3 estimatedcostofimpactconsequenceis>$500K
2.3.4 OverallConsequenceLevel
An overall consequence level is derived using the greatest of the technical, schedule and cost
consequencelevels.
Table2OverallConsequenceLevel
Level 0 Level 1 (Low) Level 2 (Moderate) Level 3 (High)
Overall (Negligible)
Level
Risk Area
Technical Negligible Low degradation. Significant technical Technical performance
degradation. effectively useless for
attaining physics objectives.
Cost
3.4 RiskProbabilities
Thefollowingriskprobabilitylevelsareassessedforeachriskcategory.
RiskProbabilityLevel:
LevelP0 <1%probabilitythattheconsequencesoftheriskwillberealized
LevelP1 <10%probabilitythattheconsequencesoftheriskwillberealized
LevelP2 <25%probabilitythattheconsequencesoftheriskwillberealized
LevelP3 >25%probabilitythattheconsequencesoftheriskwillberealized
3.5 RiskSeverities
Finally, a risk severity matrix determined from the Overall Consequence Level and the Risk
Probability Level provides the overall assessment of each identified risk to the RSB project, as
shownbelow:
Table3RiskSeverityMatrix
0 1 2 3
P0 0 0 0 0
Probability Level P1 0 1 2 3
P2 0 2 2 3
P3 0 3 3 3
Items with risk severity level of 2 or greater must be entered in the RSB Project Contingency
Analysis.
4.0 RiskManagementImpactandControlAction
4.1 RiskHandling
Risk management is the process used to identify risks and implement actions to reduce the
likelihood of a risk materializing and/or to reduce or eliminate the potential consequences of
identifiedprojectrisks.Riskmitigationstrategiesgenerallyfallintooneoffourcategories:1)risk
avoidance, 2) risk transfer, 3) risk reduction or mitigation, and 4) risk acceptance. Each of these
strategiesisdescribedintable4,asaregeneralmethodsusedtomanageidentifiedrisks.
A management strategy of risk handling is selected for each identified risks. Control actions are
specifiedforeachidentifiedprojectriskbasedonthemanagementstrategyselected,unlesstherisk
isaccepted.Alsospecifiedforeachidentifiedriskisthedatebywhichthecontrolactionistobe
completed, the responsibleaction POC, probability and consequence of the risk (pre and post
handling),acostestimateofimplementingthecontrolactions,thestatusofeachcontrolaction,and
indicationastowhetherornottheriskisclosed.
Themanagementstrategyandcontrolactionsselectedforeachidentifiedriskaretrackedintherisk
register.Thebaselinebudgetincludesthefundingrequiredtoimplementthemitigationactionsfor
theriskstoachievetheconfidencelevelsetbytheproject.
Table4GeneralMethodstoManageIdentifiedRisks
MANAGEMENT
METHOD OBJECTIVE FEATURES
Avoidance Riskiseliminatedoravoidedby *Maychangetheprojectplantoeliminateconditions
changingtheparametersofthe creatingtherisk(riskyrequirement,workscope,
project technology,orcontractor)oreliminatetheriskentirely.
*Maytradeoneriskforanotherlesserrisk.
*Ifalowerriskoptionisavailable,revisebaselineto
favorit.
*Checkthatthelowerriskisthebetterchoice
consideringtheprojectasawhole.
Transfer Riskremainsviablebutisshiftedto *Iffulltransferisnotpossible,considerapartialshift
anotherprojectororganization. e.g.,insurances,performancebond,PI,warranty,or
Oftencalledriskallocation. contractguarantee.
*Often,resultsinriskbeingsharedbetweenprojectand
others.
*Oftenbestwithfundingrisks.
*Mustconsidercostsandbenefitsoftransfer.Must
ensurerecipientisbestequippedandpreparedto
assumetheriskinwholeorinpart.
*Riskisnotavoided.RecipientMustbewillingto
assumetherisk,inwholeorinpart.
4.2 RiskImpactDetermination
Risk impact determination is the process of evaluating and quantifying the effect of risks on the
project.Riskimpactsaprojectintotwodifferenceways:
Handling strategy implementation. If the risk is handled using a risk reduction or
mitigation strategy, there may be a cost and schedule impact associated with the
implementation of that strategy. The implementation cost and schedule impacts of the
handlingstrategymustbeincludedinthebaselineprojectcostandschedule.
Residual risk. Even after riskhandling strategies have been implemented, there may be
remainingriskimpacts(residualrisks).Thecostandscheduleimpactofresidualrisksmust
beincludedinthecontingencycalculations.Thisisaccomplishedbydeterminingacostand
schedule impact probability distribution for each residual risk. These probability
distributionsarethencombinedstatisticallythroughaMonteCarloprocesstoproducethe
contingencyestimate.Atalltimes,theprojectsavailablecostcontingencyshouldbegreater
thanthestatisticalcalculationofresidualcostrisk.
4.3 Abatement
TheRiskManagerisresponsiblefordevelopingappropriateriskabatementstrategiestoacceptor
mitigateprojectrisk.
During risk elicitation, the Risk Manager will determine the abatement strategy for each of the
identifiedrisks.Theabatementstrategyisthegeneralapproachthatprojectmanagementwilltake
with regard to a risk. For risk that are deemed mitigate, abatement actions are developed.
Abatementactionsarethespecificactivitiesthatwillbeexecutedtoreducetheimpactoftherisk.
Thedatebywhichtheabatementactionistobecompleted,theRiskManagerusestheinformation
toensurethatabatementactionsarecompletedinatimelymannerandareeffectiveinreducingthe
risk. Additionally, the likelihood and consequence of the residual risk after abatement, and the
likelihoodofthesuccessoftheabatementactionsarereducedintheRiskRegister.
Table5commonriskareasandabatementstrategieshasbeenincludedbelowasatooltoassistin
addressingprojectrisks.
The three identified Risk types, Cost, Schedule, and Technical, all have different mitigation
strategiesthatcanbeusedtoreduceoreliminatetheirimpactorprobabilityofoccurrence.
Preparationofclearandconcisespecificationsandconstructiondrawings,judiciousdetermination
of subcontractor responsibility and approval of proposed lower tier subsubcontractors, and
implementationofQAprovisionswillminimizetechnicalrisk.
Useoffixedpricesubcontractsandcompetitionwillbemaximizedtoreducecostrisk.
In addition, the Project will be tracked monthly, with schedule changes carefully monitored and
approvedthroughachangecontrolprocessoverseenbyacombinationoftheProjectManagerand
theDOE.
Table5CommonRiskAbatementStrategies
Project Risk Category
Project Impact High Moderate Low
Cost Closely monitor cost and Closely monitor cost and Monitor cost,
spending spending schedule and
Obtain Multiple bottoms-up Obtain at least two spending
independent cost estimates bottoms-up independent
Perform Value Management cost estimates
Vendor visits
Schedule Increase lead time Increase lead time by Monitor cost,
substantially by initiating initiating procurements 2-4 schedule and
procurements 6-8 weeks weeks early spending
early Vendor visits and oversight
Vendor visits and oversight
4.4 CostandScheduleImpactMonteCarloSimulation
TheCrystalBallsoftwarepackagewillbeusedtomodelprobabilitysimulationstodeterminethe
mostlikelyriskexpenditureandscheduledelay.Themodelwillusesimulationrangestakenfrom
theOptimistic,Pessimistic,andMostLikelyriskestimates,usingatriangularlinearmodel.
The80%MonteCarloSimulatedRiskCostwillbeusedtovalidatetheexpertsanalysisofriskcost
fortheproject,andprojectedlevelofprojectcontingency.
The80%MonteCarloSimulatedScheduleDelaywillbeusedintheMasterProjectScheduletoaid
intrackingtheoverallcriticalpathdelay.
ThemethodsandresultsasdeterminedbytheCrystalBallMonteCarloSimulationareincluded
intheRSBProjectContingencyAnalysisReport.
5.0 RiskTrackingandDocumentation
5.1 RiskRegistry
TheRSBRiskRegistrytracksandmonitorsthestatusofallprojectrisksincludingeachriskPOC,
probabilityandconsequenceofeachrisk(preandpostmitigation)anddetailsontheriskcontrol
actions.TheRiskManagerisresponsibleforidentifyingandassessingofrisks.Thisresponsibility
includesprovidingregularreevaluationandastatusupdateofriskentriesviatheRSBProjectRisk
Registry.TheRiskRegistryisalivingdocumentusedthroughoutthelifeoftheproject.
Project risks and the management actions to control them are reviewed and updated monthly by
RSBRiskManager,RSBProjectManagerandtheIntegratedProjectTeam.Newandimminentrisks
areaddedintotheregistrywhenidentified.Risksareclosedwhentheriskisnolongercredibleor
whentheriskhasbeenrealizedandnoresidualriskremains.
TheRiskManagerisresponsibleformaintenanceoftheRiskregistryforensuringthatRSBProject
teammembersaremonitoringandreassessingrisksregularly,andthattheRiskHandlingPlansare
beingimplementedinatimelyandeffectivemanner.
Items with risk severity level of 2 or greater must be entered in the RSB Contingency Analysis,
which is the product of the impact and the risk probability. This is to provide a roughly
quantitativeassessmentoftherelativerisksidentifiedbytheproject
5.2 RiskDocumentation
EachidentifiedriskshallbedocumentedusingtheRiskAssessmentWorksheet.Consequencesand
probabilities will be described as detailed as possible to support the level of assessment. The
approachtoeachidentifiedriskshallbedocumentedusingtheRiskManagementWorksheet.
AppendixA:RiskRegistryReport