GDF 002 (H)_PMC AMP_Risk Management

GDF 002(H) – PMC AMP – Risk Management
(refer to GDD 002 – section 5.1.4)

[CLIENT NAME & PROJECT NAME]
RISK MANAGEMENT
Procedure No. X-XX-XX-X-048
Version [v0]
Reviewed by:
Program / Project Director: Date
Approved by:
General Manager: Date
Rev. Description Author Date

V0 First draft to be approved Hubert LABOURDETTE
V1
V2
V3
V4
Procedure No. Revision No. Date Author Page

X-XX-XX-X-XX 0 Page 1 of 14
GDF 002(H)_R0
1. This policy and procedure is controlled and centralized by the Quality Assurance Department.
2. Only the controlled electronic version is true and correct.
3. All printed or other copied versions are uncontrolled and should be destroyed when finished with.
4. The user is responsible for consulting the latest electronic version online.

GDF 002(H)_R0
CONTROL OF MODIFICATIONS
Version Page Modifications
V0.1

GDF 002(H)_R0
CONTENTS
1. Purpose..........................................................................................................................................4
2. SCOPE............................................................................................................................................4
3. DEFINITIONS AND ABBREVIATIONS...............................................................................................4
4. RESPONSIBILITIES AND AUTHORITIES............................................................................................5
5. POLICY AND PROCEDURE...............................................................................................................6
5.1 RISK MANAGEMENT PROCESS...............................................................................................6
5.1.1 Risk Identification..........................................................................................................6
5.1.2 Risk Analysis...................................................................................................................6
5.1.3 Treatment - Risk Mitigation...........................................................................................8
5.1.4 Update Risk Register....................................................................................................10
5.1.5 Risk Review..................................................................................................................10
5.1.6 Risk Closure..................................................................................................................10
5.1.7 Communication............................................................................................................10
5.1.8 Periodic Status Meetings.............................................................................................11
5.1.9 Lessons Learned...........................................................................................................11
5.2 RISK MEETING......................................................................................................................11
5.3 RISK SOFTWARE TOOLS........................................................................................................11
5.3.1 Preferred Software Tools.............................................................................................11
6. ATTACHMENTS............................................................................................................................12
7. REFERENCES................................................................................................................................12

GDF 002(H)_R0
1. PURPOSE
The purpose of this procedure establishes the Risk Management Process (RMP) for the project. The
purpose of risk management is to identify threats to project success and to mitigate or eliminate the
negative impacts to the project.
2. SCOPE
This Procedure provides guidance on how risks are identified, quantified, analysed and managed
through all phases of the project. In addition, the procedure covers who is responsible for managing
risks, how risks shall be tracked throughout the project and how mitigation and contingency plans
are developed and implemented.
Risk can be defined as a “combination of the probability or frequency of occurrence of a defined
threat or opportunity and the magnitude of the consequences of the occurrence”.
Risk is considered exclusively as a future phenomenon and risk management is a vital, fundamental,
and integral part of the project management process that has a direct impact upon the project’s
probability of success.
The risk strategy shall be to:
 Define the risk management team and responsibilities (Section 3.1),
 Describe the process i.e. how risks will be identified, quantified, analysed, managed and
controlled (Section 3.2),
 Determine the frequency of risk review meetings (Section 3.3),
 Stipulate the software tools and techniques to be employed (Section 3.4).
3. DEFINITIONS AND ABBREVIATIONS

RISK: Risk is anything that may happen that impacts the achievement of an organization’s objectives.
It encompasses the following three dimensions:
 Hazard: preventing an exposure from turning into a loss;
 Uncertainty: coping with volatility and change; and
 Opportunity: harnessing opportunities to one’s advantage.
Risk is an event having a cause and a consequence that could be either positive or negative
RISK MANAGEMENT: The process of identifying, assessing, and developing management strategies
to deal with risks. It is measure in terms of probability and impact
PROBABILITY: a qualitative description of the likelihood and/or frequency of a risk occurring.
IMPACT: The outcome of an event expressed in qualitative or quantitative terms (for example,
financial or reputational) being a loss, injury, disadvantage, or gain.
RISK ANALYSIS: A systematic use of available information to determine how often specified evens
may occur and the magnitude of their consequences
GDF 002(H)_R0
RESIDUAL RISK: the degree of risk left after mitigation factors have been identified.
RISK REDUCTION: A selective application of appropriate techniques and management principles to
reduce either the likelihood of an occurrence or its consequences, or both.
RISK RETENTION: Intentionally or unintentionally retaining the responsibility for loss or financial
burden or loss within the organization.
RISK RESPONSE: The decision to accept a risk, decline a risk, treat, or mitigate a risk or share a risk
with another party
RISK ACCEPTANCE: the informed decision to accept the consequences (impact) and the likelihood of
a particular risk
RISK AVOIDANCE: An informed decision not to become involved in a risk situation
RISK MITIGATION: The processes built into the controls environment, such as policies, frameworks,
accountabilities etc. to lower the residual risk
RISK SHARING: Sharing the responsibility for the impact of a risk with another party such as through
an outsourcing contract or insurance policy
MONITORING AND ACCOUNTABILITY: The processes used to manage the Risk Management
Framework on an on-going basis to reduce risk and take advantage of risk as an opportunity
4. RESPONSIBILITIES AND AUTHORITIES

PROJECT DIRECTOR: The Project Director is responsible for the generation, approval and
promulgation of the Risk Management Plan and has ultimate responsibility for the final decision on
risk actions.
PROJECT RISK MANAGER: The Project Risk Manager is responsible to the Project Director for:
 Creating, maintaining, and developing this RMP,
 Ensuring that project staff adhere to this RMP,
 Training all project staff on their risk responsibilities when they join the project,
 Ensuring Project risk analysis is completed,
 Ensuring risk contingency plans are executed successfully,
 Taking responsibility for the final decision on risk actions, in coordination with the
 Project Director,
 Briefing staff on any changes to the risk management process,
 Leading the programme risk management effort,
 Developing programme risk mitigation and contingency strategies,
 Sponsoring project risk identification activities,
 Facilitating the identification of new risks through Risk Workshops,
 Facilitating the proposal of mitigation strategies and contingency plans,
 Ensuring Project Risk Registers are maintained, and the statuses assigned to risks and risk
activities are current.

GDF 002(H)_R0
PROJECT TEAM: The Project Team participates in the risk identification process, and discusses risk
monitoring and mitigation activities at risk workshops and team meetings. The Project Team
comprises stakeholders from PMC team and customer. Representing person will be defined in the
RMP.
THE RISK OWNER: The Risk Owner shall be the entity identified in the Risk Register as responsible for
managing an allocated individual risk with the accountability and authority to take actions to apply
mitigation actions. The Risk Owner may be PMC team member or customer team member. External
Risks (outside control of project) are identified and registered as such.
5. POLICY AND PROCEDURE
5.1 RISK MANAGEMENT PROCESS
5.1.1 Risk Identification

Risk identification is an on-going task throughout the project lifecycle and consists of both a formal
and informal approach. All the project team is responsible for identifying risks. The Project Risk
Manager has the primary responsibility for sponsoring risk identification activities and collecting the
identified risks for analysis.
Risk Workshops (Formal Approach):
The Project Risk Manager is responsible for conducting Risk Workshops and prior to the workshop, in
consultation with the Project Director, should carefully prepare the list of attendees.
In most cases the best method of identifying project risks is through a brain storming session in a
formal workshop, however, other methods, as listed below, may be appropriate and should be used
to supplement the workshops.
 Structured interviews,
 Design reviews and design appraisals,
 Project documentation,
 Assumptions,
 Historic information.
The success of the workshop will manifest in the identification of all key risks and, therefore,
adequate preparation is essential, and this can only be achieved if key personnel and stakeholders
are included in the workshop.
Informal Risk Identification:
Informal risk identification occurs as a result of normal project business. Any person associated with
the project is expected to identify a potential risk including the client. All project status meetings
include a topic for discussion of possible risks.

GDF 002(H)_R0
5.1.2 Risk Analysis

Each risk is assigned to a risk owner for analysis. The risk owner analyses the risk to determine what
actions (mitigation, contingency or observation) should be taken (if any), to establish the priority of
the risk, and to identify the level of resources to commit to the risk action plans. The risk owner’s
analysis shall be discussed during the second workshop.
Qualitative Analysis:
The purpose of qualitative analysis is to prioritize the risks in terms of importance, without
quantifying them and should be carried out as part of the first workshop.
Quantitative Analysis:
Information needed to carry out the Quantitative Analysis shall be collected in the second risk
workshop where the objective is to develop a model to assimilate the risk outcomes and to
determine risk contingencies.
The following tables provide the probability and impact ranges for project cost and project
durations.
Impact Technical Cost Schedule
Minimal or no consequence to No delays on milestones
Negligible (1) <budget *0.01
technical performance (< 1 month)
Minor reduction in technical
>budget *0.01
performance or supportability, can > 1 month delay but < 3
Low (2) but < budget
be tolerated with little or no months delay
*0.1
impact on program
Moderate reduction in technical >budget *0.1
> 3 months delay but <
Medium (4) performance or supportability with but <budget
6 months delay
little impact on program objectives *0.2
Significant degradation in technical
<budget µ0.2
performance or major shortfall in >6 months delay but <1
High (8) but <budget
supportability; may jeopardise year delay
*0.4
program success
Severe degradation in technical
performance; cannot met baseline
or key technical supportability
Very High (16)
threshold; major shortfall in
supportability ; will jeopardise
program success
Likelihood of risk occurring

Value Description
Not credible (1) Probability of occurrence < 1%
Unlikely (2) Probability of occurrence >1% but <10%
GDF 002(H)_R0
Not likely (4) Probability of occurrence >10% but <30%

Likely (8) Probability of occurrence >30% but <60%
Highly Likely (16) Probability of occurrence >60%
As a minimum the probability of the risk occurring and five likely impacts of the risk should be
agreed in the workshop. Five likely impacts represent not credible, unlikely, not likely, likely, and
highly likely values of the risks. As far as possible, the impact values should quantified by absolute
values rather than percentages and the Risk Profile Sheet is to be updated with the information.
The cost impact ranges are applied to the overall project budget to calculate the Quantitative
Analysis.
For individual contracts, the risk register is filtered to remove any non-applicable risks and the
Quantitative Analysis applied purely to that contract.
Once the risks have been qualified the results shall be displayed in table format, like in the following
Probability Impact Table (PIT). This provides a conceptual diagram for a risk rating mechanism and
shall be compiled by the Project Risk Manager marking individual risks on the matrix to give an
overall pictorial view of the main risks affecting the project.

GDF 002(H)_R0
Risk Exposure:
5.1.3 Treatment - Risk Mitigation

Risk planning consists of the development of detailed plans for either mitigation and/ or contingency
actions for a specific risk. This is carried out in the second risk workshop. The mitigation plan is to be
agreed with the risk owners and aims to identify actions that would need:
 Avoidance,
 Reduction,
 Mitigation,
 Transfer,
 Retention of the risk.
It is not necessarily acceptable to do nothing or to defer mitigation on middle and lower range risks
(in terms of impact or probability). Even if a risk falls into the middle and lower range of risks it will
be needed to continue to reduce its probability and impact until the residual risk is insignificant.
Further effort to reduce the risk’s probability or impact is not likely to be required when the
resources applied are likely to be grossly disproportionate to the risk reduction achieved. The risk,
however, will still need to be monitored to ensure that it stays within this “safe” region.
Strategy / Actions – Plan Mitigation Actions:
A substantial part of the workshop should be used to develop mitigating actions that need to be
taken in response to the potential risks. The success of risk management depends on the quality of
the Risk Mitigation Plan. It is very important if not the most important aspect of the risk
management process to ensure a comprehensive mitigation plan is developed. The mitigation plan
shall also identify the risk owner who will be responsible for taking the planned actions.
The following information is documented in the risk mitigation plan:
 The risk to be mitigated,
 Selected mitigation strategies to be implemented,

GDF 002(H)_R0
 The desired outcome of the mitigation activities,

 When each mitigation activity will commence (what is the trigger event)?
 How and when (frequency of) the mitigation activities will be tracked?
 Who is responsible for the mitigation activities?
 Who is responsible for tracking mitigation effectiveness and how is effectiveness measured?
 When will the mitigation activities cease (by a certain date or when a specific desired effect
has occurred)?
The planned mitigation activities shall then be entered on the Risk Register and published in a
Monthly Report.
Plan Contingency Activities:
For those risks where it is unlikely or uncertain that the mitigation will be effective, the risk owner
may develop a contingency plan. Contingency plans may be prepared in addition to a mitigation
plan, or in place of such a plan.
The following information is documented in the risk contingency plan:
 Description of the risk,
 Anticipated effects on project staff, users, and stakeholders,
 Anticipated effects on project schedule,
 Anticipated effects on project budget,
 Anticipated effects on work products or deliverables,
 Desired outcome of contingency activities,
 Communication strategy as risk becomes more likely,
 What activities will be executed to minimize the risk’s effects,
 Who is responsible for the activities?
 When will the activities occur (what is the trigger event)?
 How will the effect of the contingency activities be evaluated and tracked?
 When will the contingency activities cease (by a certain date or when a specific desired
effect has occurred)?
Planned contingency activities shall then be entered on the Risk Register.
5.1.4 Update Risk Register

The risk owner provides status updates to the Project Risk Manager who updates the Project Risk
Register and Risk Profile Sheet to reflect the actions being taken (actual date of trigger event, etc).
Action plan activities and their effectiveness are monitored in the monthly progress report to the
Project Director.
As well as the Risk Register capturing progress and effectiveness of mitigation strategies it will also
identify any adjustments to the mitigation strategies that have been agreed in order to reduce risks.
Updated Risk Registers shall be produced for individual contracts as well as the overall project. Any

GDF 002(H)_R0
impacts on contract or project schedules or budgets shall be monitored and reported in the Monthly
Report.
Individual supplier Contracts include a requirement for the Contractor to produce a Risk Register in
their Monthly Report. The individual contract Managers shall be responsible for reviewing the
Contractor’s Risk Register, filtering, and incorporating emerging risks. The Risk Manager then
updates the project risk register in conjunction with the contract Manager.
5.1.5 Risk Review

The Project Risk Manager presents the risk analysis for discussion at the Project Director monthly
progress meeting. At this time, the impacts and possible mitigation/contingency options are
discussed, and the risk’s exposure (severity) is decided.
The project management team then reviews the risk to establish its relative rank among existing
risks and to review the risk in combination with other risks (for example, with other risks in a similar
functional area or risks with similar impacts). The team may adjust resource assignments, action
plans, or other project priorities to ensure the risk is adequately addressed.
5.1.6 Risk Closure

Risks are closed when the risk event actually occurs or when the likelihood of the risk is reduced
such that it is not worth expending resources to track it. At this time, action plans are halted and
closed. If the risk could possibly arise again, the risk may be reduced to a “Watch” status and
evaluated periodically.
The risk owner and Project Director may recommend a risk for retirement and the Project Risk
Manager makes the final decision to retire a risk. In some cases, customer should be involved in the
decision to retire a risk.
Upon completion of the project the Project Risk Manager shall prepare a project completion report
which will detail how key risks were mitigated and report on the risk trends.
5.1.7 Communication
Communications regarding risks are continuous throughout the project’s life cycle both through
verbal and written reports.
The risk management process of review and progress assessment should be undertaken on a regular
periodic basis. Where monthly review meetings are deemed necessary, they may form part of the
project progress meetings under a separate agenda item.
Decisions taken and actions placed are to be recorded on the Risk Register.

GDF 002(H)_R0
5.1.8 Periodic Status Meetings

Risk management activities are discussed at project team status meetings and include informal
identification and status of individual risk activities and assignments. Risks status is documented in
meeting minutes.
On a monthly basis, the Project Risk Manager solicits updates from the risk owners and updates the
Project Risk Register. All open risks and any action plans are reviewed with the project management
team. Current risk status and the results and effectiveness of mitigation/contingency actions are
reviewed, along with the status of risk trigger events and risk profiles.
5.1.9 Lessons Learned

The Project Risk Manager documents the result of risk actions (whether successful or unsuccessful)
and lessons learned in the Project Risk Register. At the end of a phase, the Project Risk Manager
discusses the results of the lessons learned sessions with the Programme Management Team for
inclusion in this RMP.
When a phase is completed, the Project Risk Manager leads a final risk review to document the final
status and results of mitigation and contingency actions and to identify lessons learned during that
phase. These lessons learned on risk management and risks to projects, are shared with project staff
and used to update the RMP policies, standards and templates, as appropriate.
5.2 RISK MEETING

The timing of the Risk Workshops and Project Risks Updates meetings is set out below:
Risk Meeting Frequency

Risk Workshop N°1 At start of each project phase, as a minimum
but interim Workshops need to be considered
as the Phase progresses.
Risk Workshop N°2 Within two weeks of Workshop N°1
Project risk updates Coincident with project progress reporting

requirements
Programme risk updates Coincident with Programme Communications

Strategy requirements
5.3 RISK SOFTWARE TOOLS
5.3.1 Preferred Software Tools

The information gathered in the second risk workshop shall be used to model the risk contingency

GDF 002(H)_R0
using the software for cost modelling e.g. Primavera Monte Carlo, @risk for Excel.
Time contingency calculations should only be calculated after careful consideration of suitability for
the project and by agreement with the Program Management Team. The preferred software for
project time calculations is Primavera Project Planner Enterprise (P6).
6. ATTACHMENTS
See Project Risk Register
7. REFERENCES

GDF 002(H)_R0

GDF 002 (H)_PMC AMP_Risk Management

Uploaded by

Copyright:

Available Formats

You might also like

GDF 002 (H)_PMC AMP_Risk Management

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GDF 002 (H)_PMC AMP_Risk Management

Uploaded by

Copyright:

Available Formats

GDF 002(H) – PMC AMP – Risk Management

(refer to GDD 002 – section 5.1.4)

Program / Project Director: Date

General Manager: Date

Rev. Description Author Date

Procedure No. Revision No. Date Author Page

Procedure No. Revision No. Date Author Page

Procedure No. Revision No. Date Author Page

Procedure No. Revision No. Date Author Page

3. DEFINITIONS AND ABBREVIATIONS

4. RESPONSIBILITIES AND AUTHORITIES

Procedure No. Revision No. Date Author Page

5. POLICY AND PROCEDURE

5.1 RISK MANAGEMENT PROCESS

5.1.1 Risk Identification

Procedure No. Revision No. Date Author Page

5.1.2 Risk Analysis

Likelihood of risk occurring

Not likely (4) Probability of occurrence >10% but <30%

Procedure No. Revision No. Date Author Page

5.1.3 Treatment - Risk Mitigation

Procedure No. Revision No. Date Author Page

 The desired outcome of the mitigation activities,

5.1.4 Update Risk Register

Procedure No. Revision No. Date Author Page

5.1.5 Risk Review

5.1.6 Risk Closure

Procedure No. Revision No. Date Author Page

5.1.8 Periodic Status Meetings

5.1.9 Lessons Learned

5.2 RISK MEETING

Risk Meeting Frequency

Risk Workshop N°2 Within two weeks of Workshop N°1

Project risk updates Coincident with project progress reporting

Programme risk updates Coincident with Programme Communications

5.3 RISK SOFTWARE TOOLS

5.3.1 Preferred Software Tools

Procedure No. Revision No. Date Author Page

Procedure No. Revision No. Date Author Page

You might also like