DRAFT

RESEARCHSUPPORTBUILDINGANDINFRASTRUCTURE
MODERNIZATION

RISKMANAGEMENTPLAN

April2009
SLACI05007010002
 Risk Management Plan

Contents

1.0 INTRODUCTION............................................................................................................................................. 1
1.1 Scope......................................................................................................................................................... 1
2.0 MANAGEMENTAPPROACH ......................................................................................................................... 2
2.1 Responsibilities ....................................................................................................................................... 2
2.2 RiskManagementProcess ..................................................................................................................... 2
3.0 RISKIDENTIFICATIONANDASSESSMENT ................................................................................................. 4
3.1 RiskIdentification................................................................................................................................... 4
3.2 RiskCategories........................................................................................................................................ 5
3.3 RiskAssessmentandQuantification ................................................................................................... 6
3.4 RiskProbabilities .................................................................................................................................... 7
3.5 RiskSeverities ......................................................................................................................................... 8
4.0 RISKMANAGEMENTIMPACTANDCONTROLACTION............................................................................ 9
4.1 RiskHandling ......................................................................................................................................... 9
4.2 RiskImpactDetermination ................................................................................................................. 11
4.3 Abatement.............................................................................................................................................. 11
4.4 CostandScheduleImpactMonteCarloSimulation..11
5.0 RISKTRACKINGANDDOCUMENTATION ................................................................................................ 12
5.1 RiskRegistry.......................................................................................................................................... 13
5.2 RiskDocumentation ............................................................................................................................. 13
APPENDIXA:RISKREGISTRYREPORT..................................................................................................... 14

CONTENTS i
Research Support Building and Infrastructure Modernization

Revision History

Rev. No. Date Revision Description Pages Modified

Rev. 0 04.15.09 Initial Issue; Risk Management Plan for CD-1 Not Applicable

ii REVISION HISTORY
 Risk Management Plan

1.0 Introduction

1.1 Scope
This document, the Risk Management Plan (RMP), describes the management processes used on
the project to plan, identify, assess, categorize, quantify, handle and report/track risks associated
withtheachievementoftheprojectrequirementsandgoalsfortheResearchSupportBuildingand
Infrastructure Modernization (RSB) Project, which is being established at SLAC National
AcceleratorLaboratory.TheRSBRMPisconsistentwithDOEO413.3A,ProjectManagementforthe
Acquisition of Capital Assests, and strives to incorporate best practices from other large scale
constructionprojectsaroundDOEcomplex.
RSB management team believe that the risk is an inherent in all activities of any large scale
constructionproject. To besuccessful,ariskmanagementprocessisneededsuchthatriskcanbe
continuallyevaluatedandmanagedinordertominimizetheconsequencesofadverseevents.
Theultimategoalofriskmanagementistoincreasetheprobabilityofprojectandactivitysuccess
by focusing attention on problem areas early and reducing the amount of costly rework in the
future.Foreachandeveryrisk,thereisthepotentialimpactofcostoverruns,scheduledelaysand
compromises in quality and safety if the risk occurs. Hence, risk management will be applied
continuouslythroughouttheRSBprojectlifecycleandwillevolveandadapttoaccommodatethe
variousprojectphases.
Ariskisaneventthathasthepotentialtocauseanunwantedchangeintheproject.Ariskisas
follow:
Adefinableevent;
Withaprobabilityofoccurrence;and
Withaconsequenceorimpactifitoccurs.
Ameasureoftheseverityofriskis:
Severity=ProbabilityxImpact.
Forrisks,wehaveamitigationplan.Amitigationplaneitherlowerstheprobabilityand/orthe
impacttoreducetheseveritytoanacceptablelevel.
Managingriskisakeyelementoftheprojectmanagementprocessforboththeplanningandthe
performancephasesoftheRSBproject.Assuch,thisRMPdevelopsamethodologytoidentifyand
quantifyspecific riskstotheproject,determinetheirconsequenceandassociatedprobability,and
developmitigationstrategies.

INTRODUCTION 1
Research Support Building and Infrastructure Modernization

2.0 ManagementApproach

2.1 Responsibilities
RSB project management has established specific roles andresponsibilities to support project risk
management processes and control over the life cycle of the project. The specific responsibilities
relatingtotheRSBRMPareasfollows:
RSBProjectManagerTheRSBProjectManagerisresponsibilityformanagingcostand
schedule contingency, consistent with the change control process and thresholds
described in the PEP. The objectives are to maintain contingency commensurate with
project risk through project completion and to ensure that the full project scope is
achievedonscheduleandonbudget.
RSBProjectRiskManagerTheRSBProjectRiskManagerisassignedresponsibilityfor
implementing the overall Risk Management Program and ensuring that it meets the
intent of DOE Order 413.3A and is assigned responsibility for working with risks,
qualityandsafetysubjectmatterexpertstoexecutetheriskmanagementprocess.The
ProjectRiskManagerisalsotheRiskManagerPointsOfContact(POCs)oftheproject.
RSBProjectRiskManagerisresponsible,butnotlimitedto,forthefollowing:
o Elicitingrisks,loggingrisksintheriskregister.
o Performinganalyses,reportingonriskexposuretoProjectManager.
o Identifyingabatementstrategies,abatementactionsandtrackingtheireffectiveness
atreducingriskexposure.
o ReportingabatementresultstotheProjectManager.

2.2 RiskManagementProcess
RSBprojectriskmanagementprocessissummarizedinthefollowingsteps.
Risk Management Planning Prior to the initiation of risk management, activities in the
proposedbaseline(scope,schedule,andcost)areevaluatedtodeterminetheirpotentialfor
risk. This evaluation (or risk screening) assesses all activities against a set of screening
categories typically in the areas of construction, interface control, safety, regulatory and
environmental, security, design, resources, space migration etc. Activities which are
identifiedasprojectriskswillbetrackedwithintheRSBRMP.
RiskIdentificationIdentifyrisksthatmayimpactthesuccessfulcompletionoftheproject.
Risksareidentifiedfortheentirelifecycleoftheproject.Riskassociatedwithprojectwork
scope, cost, and schedule are identified by systematically challenging the assumptions,

2 MANAGEMENT APPROACH
 Risk Management Plan

logic, and scope of the project and examining the identified uncertainties associated with
eachstageoftheproject.
RiskAssessmentAssesstheriskstodeterminetheirlikelihoodandimpactontheprojects
cost,schedule,and/orworkscope.Thisincludesaqualitativeandquantitativeassessment
oftheconsequences(impact)oftherisksaswellastherisksprobabilityofoccurring.
RiskHandlingDeterminetheriskhandlingstrategy,whether(inorderofpreference)itis
toeliminate,transfer,prevent,mitigate,orassume(accepttherisk).
RiskManagementImpactandControlActionsAssessestheriskimpactontheprojectand
the effect of the risk handling strategies. Risk handling strategies will be reflected in the
projectsbaseline,whereasresidualriskswillbereflectedintheprojectcontingency.
RiskReportingandTrackingRiskreportingandtrackingisthedocumentationoftherisk
managementprocess.
Riskmanagementisaniterativeprocessinwhichtheeffectivenessofcontrolactionsisconstantly
evaluated, new risks are discovered, and existing risks are reassessed. New or revised control
actions are implemented as needed. By managing risks, the process helps minimize cost impact,
scheduledelays,ortheimpactofotherissuethatcouldimpedeaprojectsprogress.Theiterative
processcontinuesuntilalltherisksareclosedortheprojectiscompleted.

MANAGEMENT APPROACH 3
Research Support Building and Infrastructure Modernization

3.0 RiskidentificationandAssessment

3.1 RiskIdentification
Risk identification requires a methodical process to ensure that the list of identified risks is
comprehensive. In this process, the Risk Project Manager, Project Manager, Integrated Project
Team, Safety Subject Matter Experts, and Control Account Manager are asked to identify project
risksintheirareaofresponsibility.Theriskidentificationprocessisusingagradedapproach,the
Risk Management process begins with the team evaluating potential risk for each technical
equipmentitemandsubsystemthatexceeds$100K,isonornearthecriticalpath,orthatposesa
particulartechnicalchallenge.Commonriskareashavebeendevelopedasatooltoassisttheteam
inidentifyingareasofprojectrisk.Inaddition,theProjectRiskManagercanidentifyprojectrisks
thatmaynothavebeenidentifiedinanyofthesubprojectriskanalyses.Thecommonriskareasare
shownintable1:

4 RISK IDENTIFICATION AND ASSESSMENT

 Risk Management Plan

Table1CommonRiskAreas
Project Risk Areas Significant risks
Facilities and Major equipment development
Equipment Inadequate planning for long lead items and vendor support.
Design Design relies on immature technologies or exotic materials to achieve
performance objectives.
Design not cost effective.
Requirements Operational requirements not properly established or vaguely stated.
Requirements are not stable.
Testing/Evaluation/ Test planning not initiated early in program (Initiation Phase).
Simulation Testing does not address the ultimate operating environment.
Test procedures dont address all major performance specifications.
Facilities not available to accomplish specific tests, especially system-level tests.
Insufficient time to test thoroughly.
Project lacks proper tools and modeling and simulation capability to assess
alternatives.
Schedule Funding profile not stable from budget cycle to budget cycle.
Schedule does not reflect realistic acquisition planning.
Schedule objectives not realistic and attainable.
Resources not available to meet schedule.
Supplier Capabilities Restricted number of available vendors.

Cost Realistic cost objectives not established early.

Funding profile does not match acquisition strategy.
Fluctuations in cost of raw materials.
Technology Technology has not been demonstrated in required operating environment.
Technology relies on complex hardware, software, or integration design.
Management Acquisition strategy does not give adequate consideration to various essential
elements, e.g., mission need, test and evaluation, technology, etc.
Subordinate strategies and plans are not developed in a timely manner or based
on the acquisition strategy.
Proper mix (experience, skills, stability) of people not assigned to the project.
Effective risk assessments not performed or results not understood and acted
upon.

3.2 RiskCategories
RiskstotheRSBprojectareidentifiedaccordingtothefollowingcategories:
Management
o ConfigurationProcesses
o InterfaceManagement
o ProcurementsandProcurementProcess
o Programmatic
Technical
o DesignFunctionalRequirements

RISK IDENTIFICATION AND ASSESSMENT 5

Research Support Building and Infrastructure Modernization

o DesignMaturity/Complexity
o DesignandEquipmentComplexity.
o InstallationandIntegrationComplexity
Environment,Safety&Health(ES&H).
o RegulatoryandEnvironmentalControls
o SafeguardsandSecurity
Schedule
Cost(includescurrencyandinflation)
o Resources(FundingandStaffing)
ES&H hazards associated with the RSB Project are well within the range of normal SLAC
operations. The project management will apply SLACs Integrated Safety & Environmental
Management(ISEMS)SystemforhandlingalltheES&HrisksentailedintheRSBProject.However,
ES&H impacts that increase the risk severity level of technical parameters or facilities will be
includedintheprojectsRiskManagementRegistry.

3.3 RiskAssessmentandQuantification
Risk level assessment is done by determining the probability of the occurrence and cost and
scheduleconsequenceofeachrisk.Consequencemustconsiderforeseeablecumulativeimpacton
projectscope,costandschedule.
Intermsofriskconsequences,eachriskcategoryhasthreeassessmentlevels:

2.3.1 TechnicalConsequenceLevel
Iftheriskoccurs:
Level0 negligibleornoimpactonfulfillmentofmissionneed
Level1 lowlevelofimpactonfulfillmentofmissionneed
Level2 moderateimpactonfulfillmentofmissionneed
Level3 considerableimpactonfulfillmentofmissionneed

2.3.2 ScheduleConsequenceLevel
Iftheriskoccurs:
Level0 potentialdelaytomilestoneofupto1month
Level1 potentialdelaytomilestoneofupto2months
Level2 potentialdelaytomilestoneofupto3months
Level3 potentialdelaytomilestoneofgreaterthan3months

6 RISK IDENTIFICATION AND ASSESSMENT

 Risk Management Plan

2.3.3 CostConsequenceLevel
Iftheriskoccurs:
Level0 estimatedcostofimpactconsequenceis<$10K
Level1 estimatedcostofimpactconsequenceis<$100K
Level2 estimatedcostofimpactconsequenceis<$500K
Level3 estimatedcostofimpactconsequenceis>$500K

2.3.4 OverallConsequenceLevel
An overall consequence level is derived using the greatest of the technical, schedule and cost
consequencelevels.
Table2OverallConsequenceLevel
Level 0 Level 1 (Low) Level 2 (Moderate) Level 3 (High)
Overall (Negligible)
Level

Risk Area
Technical Negligible Low degradation. Significant technical Technical performance
degradation. effectively useless for
attaining physics objectives.

Schedule Negligible Delays milestone or Delays milestone or Delays milestone or Project

potential for Project critical path by Project critical path by critical path by > 3 months
delay up to 1 month up to 3 months

Cost

$10K $100K $500K >$500K

3.4 RiskProbabilities
Thefollowingriskprobabilitylevelsareassessedforeachriskcategory.
RiskProbabilityLevel:
LevelP0 <1%probabilitythattheconsequencesoftheriskwillberealized
LevelP1 <10%probabilitythattheconsequencesoftheriskwillberealized
LevelP2 <25%probabilitythattheconsequencesoftheriskwillberealized
LevelP3 >25%probabilitythattheconsequencesoftheriskwillberealized

RISK IDENTIFICATION AND ASSESSMENT 7

Research Support Building and Infrastructure Modernization

3.5 RiskSeverities
Finally, a risk severity matrix determined from the Overall Consequence Level and the Risk
Probability Level provides the overall assessment of each identified risk to the RSB project, as
shownbelow:
Table3RiskSeverityMatrix

Risk Severity Levels in

Consequence Level
colored boxes

0 1 2 3
P0 0 0 0 0
Probability Level P1 0 1 2 3
P2 0 2 2 3
P3 0 3 3 3

Items with risk severity level of 2 or greater must be entered in the RSB Project Contingency
Analysis.

8 RISK IDENTIFICATION AND ASSESSMENT

 Risk Management Plan

4.0 RiskManagementImpactandControlAction

4.1 RiskHandling
Risk management is the process used to identify risks and implement actions to reduce the
likelihood of a risk materializing and/or to reduce or eliminate the potential consequences of
identifiedprojectrisks.Riskmitigationstrategiesgenerallyfallintooneoffourcategories:1)risk
avoidance, 2) risk transfer, 3) risk reduction or mitigation, and 4) risk acceptance. Each of these
strategiesisdescribedintable4,asaregeneralmethodsusedtomanageidentifiedrisks.
A management strategy of risk handling is selected for each identified risks. Control actions are
specifiedforeachidentifiedprojectriskbasedonthemanagementstrategyselected,unlesstherisk
isaccepted.Alsospecifiedforeachidentifiedriskisthedatebywhichthecontrolactionistobe
completed, the responsibleaction POC, probability and consequence of the risk (pre and post
handling),acostestimateofimplementingthecontrolactions,thestatusofeachcontrolaction,and
indicationastowhetherornottheriskisclosed.
Themanagementstrategyandcontrolactionsselectedforeachidentifiedriskaretrackedintherisk
register.Thebaselinebudgetincludesthefundingrequiredtoimplementthemitigationactionsfor
theriskstoachievetheconfidencelevelsetbytheproject.

RISK MANAGEMENT IMPACT AND CONTROL ACTION 9

SLAC Research Support Building and Infrastructure Modernization
Table4GeneralMethodstoManageIdentifiedRisks
MANAGEMENT
METHOD OBJECTIVE
Avoidance Riskiseliminatedoravoidedby
changingtheparametersofthe
project
Transfer Riskremainsviablebutisshiftedto
anotherprojectororganization.
Oftencalledriskallocation.
Mitigation Reducedlikelihoodand/or
consequencesofarisk(preferably
both)byseriesofcontrolactions.
Assumption Riskisrecognizedandsimplytaken
onbytheproject
10 RISK MANAGEMENT IMPACT AND CONTROL ACTION
FEATURES
*Maychangetheprojectplantoeliminateconditions
creatingtherisk(riskyrequirement,workscope,
technology,orcontractor)oreliminatetheriskentirely.
*Maytradeoneriskforanotherlesserrisk.
*Ifalowerriskoptionisavailable,revisebaselineto
favorit.
*Checkthatthelowerriskisthebetterchoice
consideringtheprojectasawhole.
*Iffulltransferisnotpossible,considerapartialshift
e.g.,insurances,performancebond,PI,warranty,or
contractguarantee.
*Often,resultsinriskbeingsharedbetweenprojectand
others.
*Oftenbestwithfundingrisks.
*Mustconsidercostsandbenefitsoftransfer.Must
ensurerecipientisbestequippedandpreparedto
assumetheriskinwholeorinpart.
*Riskisnotavoided.RecipientMustbewillingto
assumetherisk,inwholeorinpart.
*Mostcommonformofriskmanagement.
*Mustsystematicallyandcarefullyidentifyandattack
rootcausesoftherisk.
*Controlactionsarecomprehensiveandfeasible.
*EarlyactionsOftenrequiredforsuccess.
*Actionscanaffectcost,scope,andschedule.
*cost/benefitanalysiscanbeusefulinselectingbest
Controlactionfromalistofalternatives
*ConfidencelevelsforControlactionsderivedfrom
MonteCarlo,CrystalBall,orotheranalysiscanbe
useful,butarenotmandatory
*Lastoptionforcontrollingarisk.Nofeasiblemeans
tomitigateorotherwisecontroltheriskisavailable.
*Benefitisthatnochangesinprojectplansarerequired
toaddresstherisk.
*Sometimesusedwhenacompellinglylargereward
couldbegainedbytakingtherisk.
*Typicallyusedforobdurate,distant,orleast
predictableriske.g.fundinglevels.
*Residual(remaining)riskisalwaysaccepted.
*Requiresspecialdiligenceinmonitoring,because
nothingwasdonetoreducetherisk.
*Alternativeoracceptablefallbackpositionsare
especiallycrucialiftheriskiscriticaltoprojectsuccess.
*Worstcaseispassiveacceptance,whennofallback
plansareconsidered.
 Risk Management Plan

4.2 RiskImpactDetermination
Risk impact determination is the process of evaluating and quantifying the effect of risks on the
project.Riskimpactsaprojectintotwodifferenceways:
Handling strategy implementation. If the risk is handled using a risk reduction or
mitigation strategy, there may be a cost and schedule impact associated with the
implementation of that strategy. The implementation cost and schedule impacts of the
handlingstrategymustbeincludedinthebaselineprojectcostandschedule.
Residual risk. Even after riskhandling strategies have been implemented, there may be
remainingriskimpacts(residualrisks).Thecostandscheduleimpactofresidualrisksmust
beincludedinthecontingencycalculations.Thisisaccomplishedbydeterminingacostand
schedule impact probability distribution for each residual risk. These probability
distributionsarethencombinedstatisticallythroughaMonteCarloprocesstoproducethe
contingencyestimate.Atalltimes,theprojectsavailablecostcontingencyshouldbegreater
thanthestatisticalcalculationofresidualcostrisk.

4.3 Abatement
TheRiskManagerisresponsiblefordevelopingappropriateriskabatementstrategiestoacceptor
mitigateprojectrisk.
During risk elicitation, the Risk Manager will determine the abatement strategy for each of the
identifiedrisks.Theabatementstrategyisthegeneralapproachthatprojectmanagementwilltake
with regard to a risk. For risk that are deemed mitigate, abatement actions are developed.
Abatementactionsarethespecificactivitiesthatwillbeexecutedtoreducetheimpactoftherisk.
Thedatebywhichtheabatementactionistobecompleted,theRiskManagerusestheinformation
toensurethatabatementactionsarecompletedinatimelymannerandareeffectiveinreducingthe
risk. Additionally, the likelihood and consequence of the residual risk after abatement, and the
likelihoodofthesuccessoftheabatementactionsarereducedintheRiskRegister.
Table5commonriskareasandabatementstrategieshasbeenincludedbelowasatooltoassistin
addressingprojectrisks.
The three identified Risk types, Cost, Schedule, and Technical, all have different mitigation
strategiesthatcanbeusedtoreduceoreliminatetheirimpactorprobabilityofoccurrence.
Preparationofclearandconcisespecificationsandconstructiondrawings,judiciousdetermination
of subcontractor responsibility and approval of proposed lower tier subsubcontractors, and
implementationofQAprovisionswillminimizetechnicalrisk.
Useoffixedpricesubcontractsandcompetitionwillbemaximizedtoreducecostrisk.
In addition, the Project will be tracked monthly, with schedule changes carefully monitored and
approvedthroughachangecontrolprocessoverseenbyacombinationoftheProjectManagerand
theDOE.

RISK MANAGEMENT IMPACT AND CONTROL ACTION 11

SLAC Research Support Building and Infrastructure Modernization

Table5CommonRiskAbatementStrategies
Project Risk Category
Project Impact High Moderate Low
Cost Closely monitor cost and Closely monitor cost and Monitor cost,
spending spending schedule and
Obtain Multiple bottoms-up Obtain at least two spending
independent cost estimates bottoms-up independent
Perform Value Management cost estimates
Vendor visits
Schedule Increase lead time Increase lead time by Monitor cost,
substantially by initiating initiating procurements 2-4 schedule and
procurements 6-8 weeks weeks early spending
early Vendor visits and oversight
Vendor visits and oversight

Performance Perform major redesign Moderate redesign as QA/acceptance

Evaluate alternate required testing.
technology QA/acceptance testing
QA/acceptance testing

4.4 CostandScheduleImpactMonteCarloSimulation
TheCrystalBallsoftwarepackagewillbeusedtomodelprobabilitysimulationstodeterminethe
mostlikelyriskexpenditureandscheduledelay.Themodelwillusesimulationrangestakenfrom
theOptimistic,Pessimistic,andMostLikelyriskestimates,usingatriangularlinearmodel.
The80%MonteCarloSimulatedRiskCostwillbeusedtovalidatetheexpertsanalysisofriskcost
fortheproject,andprojectedlevelofprojectcontingency.
The80%MonteCarloSimulatedScheduleDelaywillbeusedintheMasterProjectScheduletoaid
intrackingtheoverallcriticalpathdelay.
ThemethodsandresultsasdeterminedbytheCrystalBallMonteCarloSimulationareincluded
intheRSBProjectContingencyAnalysisReport.

12 RISK MANAGEMENT IMPACT AND CONTROL ACTION

 Preliminary Project Execution Plan

5.0 RiskTrackingandDocumentation

5.1 RiskRegistry
TheRSBRiskRegistrytracksandmonitorsthestatusofallprojectrisksincludingeachriskPOC,
probabilityandconsequenceofeachrisk(preandpostmitigation)anddetailsontheriskcontrol
actions.TheRiskManagerisresponsibleforidentifyingandassessingofrisks.Thisresponsibility
includesprovidingregularreevaluationandastatusupdateofriskentriesviatheRSBProjectRisk
Registry.TheRiskRegistryisalivingdocumentusedthroughoutthelifeoftheproject.
Project risks and the management actions to control them are reviewed and updated monthly by
RSBRiskManager,RSBProjectManagerandtheIntegratedProjectTeam.Newandimminentrisks
areaddedintotheregistrywhenidentified.Risksareclosedwhentheriskisnolongercredibleor
whentheriskhasbeenrealizedandnoresidualriskremains.
TheRiskManagerisresponsibleformaintenanceoftheRiskregistryforensuringthatRSBProject
teammembersaremonitoringandreassessingrisksregularly,andthattheRiskHandlingPlansare
beingimplementedinatimelyandeffectivemanner.
Items with risk severity level of 2 or greater must be entered in the RSB Contingency Analysis,
which is the product of the impact and the risk probability. This is to provide a roughly
quantitativeassessmentoftherelativerisksidentifiedbytheproject

5.2 RiskDocumentation
EachidentifiedriskshallbedocumentedusingtheRiskAssessmentWorksheet.Consequencesand
probabilities will be described as detailed as possible to support the level of assessment. The
approachtoeachidentifiedriskshallbedocumentedusingtheRiskManagementWorksheet.

 Preliminary Project Execution Plan

AppendixA:RiskRegistryReport