Guidebook on Risk Analysis Tools and Management Practices to Control Transportation Project Costs (2010)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

16 3.1 Introduction This chapter defines risk management in terms of cost esti- mating and cost management and provides formal definitions for risk management and cost estimating terms for application throughout the Guidebook. The chapter focuses on the risk management process and presents each of the five risk manage- ment steps in detail with illustrative examples. The chapter concludes with a discussion of risk management policies and performance measures. A cost estimate that directly addresses uncertainty and risk is at the core of a comprehensive risk management program. However, risk management must be viewed as a comprehen- sive management process, not as simply a tool or set of tools for cost estimating. The output of a risk-based cost estimate supports identification of critical cost containment issues and helps to effectively inform the design team about risks as proj- ects move through the development phases. “Risk management” is the term used to describe a sequence of analysis and management activities focused on creating a project-specific response to the inherent risks of developing a new capital facility. Various organizations and mission agen- cies such as the Project Management Institute, the AACEI, or the Department of Energy use very similar steps, but slightly different terms, to describe their risk management approach (PMI 2004; AACEI 2000; DOE 2003). The process step terms that this Guidebook will use are: 1) risk identification; 2) risk assessment/analysis; 3) risk mitigation and planning; 4) risk allocation; and 5) risk monitoring and control. The Guidebook provides risk analysis tools and manage- ment practices to help control transportation project costs. Proper risk management will facilitate agency efforts to avoid, mitigate or better plan for costs that result from identifiable risks during the project development process. Table 3.1 pro- vides examples of typical risks and expected outcomes of applying risk management tools to the project development process. The risk management process is shown in Figure 3.1 and forms the framework for this Guidebook. Of particular note is that the overall risk management process is repetitive and cyclical. As the project evolves, some risks will be resolved or diminished, while others may surface and thus be added. The five fundamental risk management steps can be applied throughout the project life cycle. The extent of application of each step varies as the methods and tools used to support these steps depend on the project development phase and project complexity. Brief descriptions for each of the five steps follows with complete descriptions and examples provided in Section 3.3 of this chapter. 1. Risk identification is the process of determining which risks might affect the project and documenting their character- istics using such tools as brainstorming and checklists. 2. Risk assessment/analysis involves the quantitative or quali- tative analysis that assesses impact and probability of a risk. Risk assessment assists in deriving contingency estimates. Quantitative and qualitative risk analysis procedures are applied to determine the probability and impact of risks. 3. Risk mitigation and planning involves analyzing risk re- sponse options (acceptance, avoidance, mitigation, or trans- ference) and deciding how to approach and plan risk man- agement activities for a project. 4. Risk allocation involves placing responsibility for a risk to a party – typically through a contract. The fundamental tenants of risk allocation include allocating risks to the party that is best able to manage them, allocating risks in alignment with project goals, and allocating risks to pro- mote team alignment with customer-oriented perfor- mance goals. 5. Risk monitoring and control is the capture, analysis, and re- porting of project performance, usually as compared to the risk management plan. Risk monitoring and control assists in contingency tracking and resolution. C H A P T E R 3 Risk Management Overview

17 As discussed in Chapter 2, contingency is linked integrally to risk management in the context of cost estimating and cost control. However, contingency application is not listed as one of the five risk management steps. The application of contin- gency is part of the risk mitigation and planning step. If an agency chooses to accept an identified risk, it should include an appropriate contingency amount in case that the risk is re- alized. Tracking and resolution of contingency is part of the risk monitoring and control step. These five risk management steps provide the framework for the discussion of risk management practices and tools in the remainder of this Guidebook. Each of these five steps is discussed in the context of project complexity and the proj- ect development phases. 3.2 Risk Management in Support of Cost Estimating and Cost Management Uncertainty and risk can play a major role in causing cost escalation if not properly treated during project develop- ment. Cost estimating methods and tools must relate and adapt to the various phases of project development. When es- timating costs, particularly on large and complex projects, this becomes even more profound. In the Planning and Pro- gramming Phases of project development, estimators have very little information with which to develop a project cost, and the information that they do have is often fraught with uncertainty. The Washington State Department of Trans- portation (WSDOT) developed a cost estimate classification system based on a similar system developed by the Associa- tion for the Advancement of Cost Engineering International (AACEI). This system has five classifications and provides an expected range of accuracy for each classification given proj- ect maturity and a representative estimating methodology. Table 3.2 shows the estimate classification system as it cor- responds to the project development phases described in this Guidebook. Planning estimates are based upon the lowest Project Phase Planning Programming Design Typical Risks Fatal or significant environmental economic impacts Funding uncertainty Uncertain political and public support Competing interests and competing projects Changes in design requirements Costs of environmental compliance Right of way acquisition delays Technical uncertainties Funding uncertainty Changes in design requirements Market conditions, permit requirement changes Expected Outcomes Better understanding of environmental, engineering, and construction issues facing each project alternative Order of magnitude risk costs and possible total cost range for each option List of major project risks Reasonable estimate of risk costs, and probable total project costs and duration Long list of risk mitigation strategies Preliminary risk manage ment plan, focused on design and constructability risks Preliminary risk allocation planning Prioritization of risks based on impacts to total project cost and duration Costs / benefits of risk mitigation and risk allocation strategies Risk management and allocation plan Risk Management ProcessAllocate Monitor and Control Identify Assess/ Analyze Mitigate and Plan Figure 3.1. Risk management process framework (varies by project development phase and complexity). Table 3.1. Typical risks and outcomes across the project phases.

18 level of project definition, and Final Design Phase estimates are closest to full project definition and maturity. Table 3.2 conveys several key concepts. First, it describes a number of end usages for estimates, which relate directly to the risk management practices and tools described in this Guidebook. Second, it describes the methodological approach to the estimate as either stochastic2 or deterministic, depend- ing upon the level of design and information available. While deterministic cost estimating methods have been the prevalent estimating method in highway development, they do not support robust risk management analysis and contingency estimation. This is an important concept and change. Figure 3.2 depicts how identifying, quantifying, and manag- ing cost uncertainty relates to cost management. Two primary points are illustrated in Figure 3.2, which applies to situations where the scope is unchanged and where an estimate includes uncertainty. The first point is that there should be a reduction in the range of cost uncertainty as a project proceeds from con- cept to completion. The reduction in estimated cost is a result of better cost variable definition and eliminating uncertainty as cost factors are ultimately incorporated in the project budget. The second point is that, if the problems or uncertainties in- cluded in the early stages of a cost estimate do materialize, then a higher range of the cost estimate will be expected. In contrast, when risk management and other cost control processes are used effectively, a lower range of expected costs will likely result. To help describe contingency, Figure 3.3 presents three basic types of cost estimate information or lack of knowledge. At any point in the project development process, an estimate should account for these three types of information. First, the estimate should clearly describe the known and quantifiable costs (also referred to as the known/knowns). Estimators should prepare their estimates considering what is defined in the project scope or drawings and apply the appropriate estimating method to determine the base estimate costs. A second type of costs con- sists of the known but not quantified costs (also referred to as the known/unknowns). These are the costs that are known to be in the project scope, but for which there are no defin- able quantities at the point in project development when the Project Development Phase Project Maturity (% project definition completed) Purpose of the Estimate Estimating Methodology Estimate Range 0 to 2% Conceptual Estimating – Estimate Potential Funds Needed (20-year plan) Parametric (Stochastic or Judgment) -50% to +200% Planning 1% to 15% Conceptual Estimating – Prioritize Needs for Long Range Plans (HIP – 10-year plan) Parametric or Historical Bid- Based (Primarily Stochastic) -40% to +100% Scoping (Programming) 10% to 30% Design Estimating – Establish a Baseline Cost for Project and Program Projects (HIP and STIP) Historical Bid- Based or Cost- Based (Mixed, but Primarily Stochastic) -30% to +50% Design 30% to 90% Design Estimating – Manage Project Budgets Against Baseline (STIP, Contingency) Historical Bid- Based or Cost- Based (Primarily Deterministic) -10% to +25% Final Design 90% to 100% PS&E Estimating – Compare with Bid and Obligate Funds for Construction Cost-Based or Historical Bid- Based Using CES. (Deterministic) -5% to +10% Table 3.2. Cost estimate classification system (WSDOT). 2 Stochastic estimates combine traditional estimating methods for known items and quantities with risk analysis techniques to estimate uncertain items, uncer- tain quantities, and risk events. The stochastic portion of the estimate typically focuses on a few key uncertain variables and combines Monte Carlo sampling and heuristics (rules-of-thumb) to rank critical risk elements. This approach is used to establish the range of the Total Project Cost Estimate and to define how contingency should be allocated among the Stochastic estimates apply only to most complex (major) projects, as explained later in this Guidebook.

19 Figure 3.2. General refinement of a cost estimate. Pr oje ct Co st Project Development Process Planning Final Design Cost Range More Threats Realized Fewer Opportunities Realized High end of possible Total Project Cost Estimate Low end possible Total Project Cost Estimate Programming Design Figure 3.3. Need for estimate contingency. Pr oje ct Co st Project Development Process Planning Design Final Design Programming Unrecognized Cost (Unknown/Unknowns) Known but not Quantified Costs (Known/Unknowns) Known and Quantifiable Costs (Known/Knowns)

estimate is prepared. An example for this could be that an es- timator knows there is a need for noise walls on a project, but does not know the quantity that will be needed because a com- plete engineering study is not yet available. The final type of information is the unrecognized costs (also referred to as the unknown/unknowns). These are costs that an estimator typi- cally will not account for in an estimate because they are un- foreseeable or happen so infrequently that they would make the project estimate unrealistically high. Contingency is needed in an estimate to account for the known but not quantified costs and the unrecognized costs. Risk management practices and tools can assist in the calculation of appropriate contin- gencies to account for these costs. Figure 3.4 builds from Figures 3.2 and 3.3 to illustrate how contingency can be resolved throughout the project develop- ment process. Figure 3.4 illustrates three key points. First, an estimate at any given point is made up of a base estimate com- ponent and a contingency component as described in Chap- ter 2. As the project progresses in development, the contin- gency amount is expected to decrease because the project information is refined. Often the base estimate increases as some of the contingency is realized and included as part of the base estimate. The second point is the transition from a range estimate to a baseline estimate when moving from the Plan- ning to the Programming Phases. It is in the Programming phase that the baseline estimate is set and cost control begins. Third, Figure 3.4 illustrates a case where the final engineer’s estimate is equal to the baseline estimate. In this case, risks were identified during early contingency estimation and the estimate of the contingency was accurate. Figure 3.5 illustrates an excellent example of cost control and contingency management. Figure 3.5 illustrates a case where the engineer’s estimate is less than the baseline estimate. In this case, risks were identified during early contingency estimation in the Programming Phase, but these risk were mitigated (or not realized) in the Design and Final Design Phases. In this case, the SHA should have a policy on what the project team should do with the unused contingency. If the purpose and need of the project is met, this policy would ide- ally ask the project team to return the contingency to the over- all program instead of adding scope to the project baseline. Figures 3.2 through 3.5 show how risk and contingency can be incorporated into cost estimating and cost management (or cost control) throughout the project development process. A few key points from these figures are summarized here: • Use of Cost Ranges at the Planning Phase—Planning Phase estimates, particularly on a more complex (major) project should be communicated through a range. Planning Phase estimates contain the most uncertainty of any estimate 20 Pr oje ct Co st Project Development Process Planning Design Final Design Cost Range Programming Contingency Base Estimate Contingency Base Estimate Contingency Base Estimate Base Estimate Baseline Estimate & Engineer’s Estimate Figure 3.4. Refinement of a cost estimate with engineer’s estimate equal to the baseline cost estimate.

throughout project development. The FHWA and the FTA now allow the use of range estimates in Planning Phase documents. As depicted in the cost estimate column at the Planning Phase (see Figure 3.5), the contingency can be very large. In fact, the contingency can potentially be larger than the base estimate if very little is known about the proj- ect’s definition. • Application of a Baseline Cost Estimate at the Programming Phase—As stated in Chapter 2, the Programming Phase estimate is frequently used to establish a baseline cost esti- mate. The baseline cost estimate is the basis for cost man- agement. As delineated in Figures 3.4 and 3.5, the baseline cost estimate is made up of both a base estimate plus a contingency. • Contingency Resolution throughout the Design Phases—As the project matures from Programming through Final Design, the contingency is lowered and the base estimate amount increases. The percentage of the contingency to the base estimate is a function of the project complexity and the level of project definition. Procedures and tools for estimat- ing an appropriate contingency are provided throughout Chapters 5, 6, 7, and the Appendix A of this Guidebook. • Cost Management to the Baseline throughout the Design Phases—As stated in Chapter 2, the baseline estimate sets the stage for cost management. Figure 3.5 shows a project in which the Design and Final Design Phase cost estimates were less than the baseline cost estimate. What is not shown in Figures 3.4 and 3.5 is a case where the current es- timate exceeds the baseline cost estimate. Policies on this case will vary by SHA, but it is suggested that if the Design and Final Design Phase cost estimates are higher than the baseline, one of three options should be pursued: 1) the proj- ect’s definition (scope) would be reduced to meet the base- line cost estimate and the baseline would remain unchanged; 2) a formal scope change would be submitted to program management, approved, and the baseline increased ac- cordingly; or 3) a scope change would be submitted to pro- gram management, but not be approved and the project would be removed from the program due to the high po- tential for a cost overrun. 3.3 Risk Management Definitions As discussed in Section 2.3, having a common vocabulary for implementing any new process or procedure within an agency is a key to success. The following definitions were de- veloped with the intention of developing a common vocabu- lary and set of practices that promote learning and the ex- change of new tools, ideas, and innovations relating to risk management. The definitions rely heavily on published defi- nitions cited in Section 2.3.1 21 Figure 3.5. Refinement of a cost estimate with engineer’s estimate less than baseline cost estimate. Pr oje ct Co st Project Development Process Planning Design Final Design Cost Range Programming Base Estimate Contingency Base Estimate Baseline Estimate Engineer’s Estimate Contingency Base Estimate Contingency Base Estimate

3.3.1 Risk Analysis Terms Biases. A lack of objectivity based on the individual’s po- sition or perspective. There may be system biases as well as individual biases. Confidence Level. The probability that a range will con- tain the value under consideration. For example: “there is a 90 percent probability that the ultimate project cost will be less than $(number).” Probability. A measure of how likely a condition or event is to occur. It ranges from 0 to 100 percent (or 0.00 to 1.00). Qualitative Risk Analysis. Performing a qualitative analy- sis of risks and conditions to prioritize their effects on project objectives. It involves assessing the probability and impact of project risk(s) and using methods such as the probability and impact matrix to classify risks into categories of high, moder- ate, and low for prioritized risk response planning. Quantitative Risk Analysis. Measuring the probability and consequences of risks and estimating their implications for project objectives. Risks are characterized by probability distri- butions of possible outcomes. This process uses quantitative techniques such as simulation and decision tree analysis. Risk. An uncertain event or condition that, if it occurs, has a negative or positive effect on a project’s objectives. Risk Acceptance. This technique of the Risk Planning process indicates that the project team has decided not to change the project plan to deal with a risk, or is unable to identify any other suitable response strategy. Risk Allocation. Placing responsibility for a risk to a party through a contract. The fundamental tenants of risk al- location include allocating risks to the party that is best able to manage them, allocating risks in alignment with project goals, and allocating risks to promote team alignment with customer-oriented performance goals. Risk Assessment. A component of risk management that bridges risk identification and risk analysis in support of risk allocation. Risk assessment involves the quantitative or qual- itative analysis that assesses impact and probability of a risk. Risk Avoidance. This technique of the Risk Planning process involves changing the project plan to eliminate the risk or to protect the project objectives from its impact. Risk Documentation. Recording, maintaining, and re- porting assessments, handling analysis and plans, and moni- toring results. It includes all plans, reports for the project manager and decision authorities, and reporting forms that may be internal to the project manager. Risk Event. A discrete occurrence that may affect the project for better or worse. Risk Identification. Determining which risks might af- fect the project and documenting their characteristics. Risk Management. All of the steps associated with man- aging risks: risk identification, risk assessment, risk analysis (qualitative or quantitative), risk planning, risk allocation, and risk monitoring control. Risk Management Plan. A document detailing how risk response options and the overall risk processes will be carried out during the project. This is the output of risk planning. Risk Mitigation. This technique of the risk planning process seeks to reduce the probability and/or impact of a risk to below an acceptable threshold. Risk Monitoring and Control. The capture, analysis, and reporting of project performance, usually as compared to the risk management plan. Risk Planning. Analyzing risk response options (accep- tance, avoidance, mitigation, or transference) and deciding how to approach and plan risk management activities for a project. Risk Register. A document detailing all identified risks, in- cluding description, cause, probability of occurring, impact(s) on objectives, proposed responses, owners, and current status. Risk Transference. This technique of the Risk Planning process seeks to shift the impact of a risk to a third party together with ownership of the response (see also, Risk Allocation). Sensitivity. When the outcome is dependent on more than one risk source, the sensitivity to any specific one of those risks is the degree to which that specific risk (event or condition) affects the outcome or value. Simulation. A simulation uses a project model that translates the uncertainties specified at a detailed level into their potential impact on objectives that are expressed at the level of the total project. Project simulations use computer models and estimates of risk at a detailed level, and are typi- cally performed using the Monte Carlo technique. 3.4 Risk Management Framework This Guidebook will apply the five step risk management framework to the various phases of project development to provide a structure for the application of management tools and practices to control transportation project costs. Table 3.3 22

provides an overview of how each of the steps applies to the project development phases with some important notes on project complexity and the steps in the estimating process. The next section provides a detailed description of the steps in the risk management process. Their ultimate rela- tionships to the project phases and project complexity are de- tailed in Chapters 6 through 8. 3.4.1 Risk Identification 3.4.1.1 Objectives of Risk Identification The objectives of risk identification are to identify and cate- gorize risks that could affect the project and document these risks. The outcome of the risk identification is a list of risks. Ideally, the list of risks should be comprehensive and non- overlapping. What is done with the list of risks at that point de- pends on the nature of the risks and the nature of the project. On minor, low-cost projects with little uncertainty (few risks); the risks may simply be kept as a list of red flag items. The red flag items can then be assigned to individual team members to watch throughout the project development process and used for risk allocation purposes as described later in this document. On major, high-cost projects that are by nature uncertain (many risks), the risks can feed the rigorous process of assess- ment, analysis, mitigation and planning, allocation, and mon- itoring and updating described in this document. The risk identification process should stop short of assess- ing or analyzing risks, so as not to inhibit the identification of “minor” risks. The process should promote creative thinking and leverage team experience and knowledge. In practice, however, risk identification and assessment are often completed in a single step and this process can be called risk assessment. For example, if a risk is identified in the process of interviewing a team member or expert, it is logical to pursue informa- tion on the probability of it occurring, its consequences/ impacts, the time associated with the risk (i.e., when it might occur), and possible ways of dealing with it. The latter actions are part of risk assessment, but they often begin dur- ing risk identification. This document, however, will treat 23 Risk Management Step Planning Programming Design Risk Identification Identification of highest level risks to project scope and feasibility Complete and non- overlapping identification of risks for baseline project estimate Appraisal of identified risks Identification of new risks as design progresses Risk Assessment/ Analysis Initial ranking of risks Order of magnitude risk costs and total cost range Qualitative analysis/ ranking of risks on minor projects Detailed quantitative risk analysis on major projects Contingency for baseline cost estimate Updating of qualitative or quantitative risk analyses Updating/resolution of contingency Risk Mitigation and Planning Initial development of red flag list, risk register or formal risk management plan Finalization of risk register or risk management plan Tradeoff analysis for mitigation options Completion of risk management plan Continued tradeoff analysis for risk mitigation options Risk Allocation Initial analysis or selection of project delivery method Trade-off analysis for risk allocation (e.g., contract provisions for time, payment, delay, etc). Final risk allocation in contract provisions Risk Monitoring and Control Planning for risk monitoring and control Implementation of risk register or risk management plan Establishment of key risk management milestones Active management of risk register or risk management plan Active management and resolution of contingency Table 3.3. Risk management framework relationship to project phases.

the two activities of risk identification and assessment dis- cretely for clarity. 3.4.1.2 Risk Identification Process The risk identification process begins with the team compil- ing the project’s risk events. The identification process will vary depending upon the nature of the project and the risk manage- ment skills of the team members, but most identification processes begin with an examination of issues and concerns created by the project development team. These issues and concerns can be derived from an examination of the project description, work breakdown structure, cost estimate, design and construction schedule, procurement plan, or general risk checklists. Checklists and databases can be created for recur- ring risks, but project team experience and subjective analysis will almost always be required to identify project-specific risks. The team should examine and identify project events by re- ducing them to a level of detail that permits an evaluator to understand the significance of any risk and identify its causes, that is, risk drivers. This is a practical way of addressing the large and diverse number of potential risks that often occur on highway design and construction projects. Risks are those events or conditions that team members determine would adversely affect the project. Upon identification, the risks should be classified into groups of like exposures. Classification of risks helps to re- duce redundancy and provides for easier management of the risks in later phases of the risk analysis process. Classifying risks aids in creating a comprehensive and non-overlapping list. Classifying risks also provides for the creation of risk checklists, risk registers, and databases for future projects. Figure 3.6 shows an example from the U.S. Department of Energy (DOE) of their highest level classification. 3.4.1.3 Risk Characteristics During the risk identification step, risks can be character- ized to aid in later assessment and planning. It is often help- ful to think of risk in broader terms of uncertainty. Uncer- tainty involves both positive and negative events. Risk is de- fined in this document as an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives (PMI 2004). However it is often helpful to separate uncertain events into those events that can have a negative ef- fect (risks) and those that can have a positive effect (opportu- nities). Case studies developed in this research with the FTA, the WSDOT, and the DOE use the terminology of both risk and opportunity to characterize uncertainty in their risk management programs. However, teams must be cautious not to overlook risk or focus on solving problems with using the risk/opportunity characterization during the risk identi- fication process. Engineers and project managers inherently have an optimistic bias when thinking about uncertain items or situations because they are, by nature, problem solvers. It is often better to focus on risks during the identification stage and explore opportunities during the mitigation process. Another characteristic of risks is that many have triggers. Triggers, sometimes called risk symptoms or warning signs, are indications that a risk has occurred or is about to occur. Triggers may be discovered in the risk identification process and watched in the risk monitoring and updating process. The identification and documentation of triggers early in the process can greatly help the risk management process. 3.4.1.4 Risk Identification Summary The risk identification process identifies and categorizes risks that could affect the project. It documents these risks and, at a minimum, produces a list of risks that can be assigned to a team member and tracked throughout the project development and delivery process. Risk identifica- tion is continuous and there should be a continual search for new risks that should be included in the process. The tools and techniques outlined in this section should support the risk identification process, but it will be the people in- volved in the exercises who are most critical to the success of the process. 24 Quality Cost Schedule Project Risk Nuclear Electrical Mechanical Technical Risk Reorganization Procedure Change Management Change Internal Risk Political Funding Regulatory External Risk Project Name Figure 3.6. Risk identification classification (DOE 2003).

3.4.2 Risk Assessment 3.4.2.1 Objectives of Risk Assessment Risk assessment is the process of quantifying the risk events documented in the preceding identification stage. Risk assess- ment has two aspects. The first determines the likelihood of a risk occurring (risk frequency); risks are classified along a continuum from very unlikely to very probable. The second judges the impact of the risk should it occur (consequence severity). Risks affect project outcomes in diverse ways. Risk effects are usually apparent in direct project outcomes by in- creasing cost or schedule. Some risks influence the project by affecting the public, public perception, the environment, or safety and health considerations. Risk can also affect projects in indirect ways by requiring increased planning, review, and management oversight activity. The risk assessment phase has as its primary objective the systematic consideration of risk events and their likelihood of occurrence and the conse- quences of such occurrences. 3.4.2.2 Conducting Risk Assessment Risk assessment is fundamentally a management activity that is supported by individuals familiar with risk management activities. Managers and analysts approach risk using different but complementary viewpoints. Managers tend toward quali- tative assessment of risks. They evaluate risks relative to their worst case effects and their relative likelihood of occurrence. What is more, managers tend to focus on strategies and tactics for avoiding risks or reducing a risk’s negative impacts. Ana- lysts, on the other hand, tend toward quantitative assessment of risks. They evaluate risk impacts in terms of a range of tan- gible results and they evaluate risk of occurrence in terms of probabilities. The analyst’s focus is on the combined tangible effect of all the risks on project scope, cost, and schedule. A comprehensive risk assessment combines both a qualitative assessment and a quantitative assessment. The qualitative assessment is useful for screening and prioritizing risks and for developing appropriate risk mitigation and/or allocation strategies. The quantitative assessment is best for estimating the numerical and statistical nature of the project’s risk exposure. This section will present qualitative risk assessments and the next section will discuss quantitative risk analysis. It should be noted that risk assessment techniques are scal- able. They can be applied to small highway reconstruction projects or to large corridor programs. An application of a risk assessment on a minor resurfacing project can yield a pri- oritized list of red flag items that should be monitored over the course of a projects development, design, and construc- tion. An application of a risk assessment on a major highway corridor project can yield the basis for a detailed probabilis- tic cost estimate, and a comprehensive risk management plan will be discussed later in this document. 3.4.2.3 Risk Screening – Risk Frequency and Severity Following the risk identification and qualitative risk assess- ment phases, a set of identified risks exists with individual risks characterized as to their frequency of occurrence and the severity of their consequences. Frequency and severity are the two primary characteristics that are used to screen risks and separate them into risks that are minor and do not require further management attention, and those that are significant and require management attention and possibly quantitative analysis. Various methods have been developed to help clas- sify risks according to their seriousness. One very common method is to develop a two dimensioned matrix that classifies risks into three categories based on the combined effect of their frequency and their severity. This matrix method is commonly referred to as a “Probability times Impact” (P x I) matrix. Figure 3.7 requires classifying risks into one of five likelihood states (remote through near certain) and into five states according to their consequences (minimal through un- acceptable). These assessments yield a five by five matrix that classifies a risk as either a “high” risk (red), a “moderate” risk (yellow) or a “low” risk (green). Risks that are characterized as low (green) risks can usually be disregarded and eliminated from further assessment. As risk is periodically reassessed in the future, these “low” risks are either closed, retained or elevated to a higher risk category. Moderate (yellow) risk events are either high likelihood/low consequence events or they are low likelihood/high conse- quence events. An individual high likelihood/low consequence event by itself would have little impact on project cost or sched- ule outcomes. However, most projects contain myriad such risks (material prices, schedule durations, installation rates, etc.); the combined effect of numerous high likelihood/low consequence risks can significantly alter project outcomes. Commonly, risk management procedures accommodate these high likelihood/low consequence risks by determining their combined effect and developing cost and/or schedule contin- gency allowances to manage their influence. Low likelihood/high consequence events, on the other hand, usually warrant individualized attention and management. At a minimum, low likelihood/high consequence events should be periodically monitored for changes in either their probabil- ity of occurrence or in their potential impacts. The subject of risk registers or risk watch lists is discussed in more detail later in this Guidebook. Some events with very large, albeit unlikely, impacts may be actively managed to mitigate the negative con- sequences should the unlikely event occur. High (red) risk events are so classified either because they have a high likelihood of occurrence coupled with, at least, a moderate impact or they have a high impact with, at least, moderate likelihood. In either case, specific directed man- agement action is warranted to reduce the probability of their occurrence or to reduce the risk’s negative impact. 25

3.4.2.4 Risk Assessment Summary The goal of risk assessment is not to eliminate all risk from the project. Rather, the goal is to recognize the significant risk challenges to the project and to initiate an appropriate man- agement response to their management and mitigation. This recognition of risk challenges is accomplished through an as- sessment of each risk’s likelihood of occurrence and the im- pact if it does occur. A comparison of each risk’s probability and impact yields a relative ranking of the risks that can be used for risk management or, if warranted by project com- plexity, a detailed quantitative risk analysis using probabilis- tic models to generate ranges of possible outcomes. 3.4.3 Risk Analysis 3.4.3.1 Objectives of Risk Analysis Typically, a project’s qualitative risk assessment will recog- nize some risks whose occurrence is so likely or whose conse- quences are so serious that further quantitative analysis is warranted. A key purpose of quantitative risk analysis is to combine the effects of the various identified and assessed risk events into an overall project risk estimate. This overall as- sessment of risks can be used by the transportation agency to make go/no-go decisions about a project. It can help agencies to view projects from the contractor’s perspective through a better understanding of their risks. More commonly, the overall risk assessment is used to determine cost and sched- ule contingency values and to quantify individual impacts of high risk events. Ultimately however, the purpose of quanti- tative analysis is to not only compute numerical risk values but to provide a basis for controlling transportation project costs through effective risk management strategies. There are many methods and tools for quantitatively com- bining and assessing risks. The selected method or tool will involve a trade-off between sophistication of the analysis and its ease of use. There are at least five criteria to help select a suitable quantitative risk technique. • The tool should help determine project cost and schedule contingency. • The tool should have the ability to include the explicit knowledge of the project team members concerning the site, the design, the political conditions, and the project approach. • The tool should allow quick response to changing market factors, price levels, and contractual risk allocation. • The tool should help foster clear communication among the project team members and between the team and higher management about project uncertainties and their impacts. 26 E D C B A Near Certainty Highly Likely Likely Unlikely Remote Likelihood Level e d c b a >10% 7-10% 5-7% <5% Minimal or no impact Cost and/or Can’t achive key team or major program milestone Major slip in key milestone or critical path impacted Minor slip in key milestones; not able to meet need date Additional resources required; able to meet Minimal or no impact Schedule Level A B C D E a L L L L M b L L L M M c L L M M H e d M L M M H M H H H H ASSESSMENT GUIDE RISK ASSESSMENT High (Red) Unacceptable. Major disruption likely. Different approach required. Priority management attention required Moderate (Yellow) Some disruption. Different approach may be required. Additional management attention may be needed Low (Green) Minimum impact. Minimum oversight needed to ensure risk remains low Li ke lih oo d Consequence Figure 3.7. Risk assessment process (Adapted from DOE 2003).

• The tool, or at least its output, should be easy to use and understand. 3.4.3.2 Risk Characterization for Risk Analysis There are three basic analyses that one can conduct during a project risk analysis. There is technical performance analysis (will the project work or is the scope sufficient?), schedule risk analysis (when will the project be completed?) and cost risk analysis (what will the project cost?). A technical performance risk analysis can provide important insights into technology- driven cost and schedule growth for projects that incorporate new and unproven technology. However, this discussion of quantitative risk analysis will concentrate only on cost and schedule risk analysis. The following section will discuss the various alternative methods that can be used for quantitative risk analysis. At a computational level there are two considerations about quantitative risk analysis methods. First, for a given method, what input data is required to perform the risk analysis? Second, what kind of data, outputs and insights does the method provide to the user? 3.4.3.3 Inputs for Risk Analysis The most stringent methods are those that require as inputs a probability distribution for the various performance, sched- ule, and costs risks. Risk variables are differentiated based on whether they can take on any value in a range (continuous vari- ables) or whether they can assume only certain distinct values (discrete variables). Whether a risk variable is discrete or con- tinuous, two other considerations are important in defining an input probability: its central tendency and its range or disper- sion. An input variable’s mean and mode are two alternative measures of central tendency; the mode is the most likely value across the variable’s range. The mean is the value where the variable has a 50 percent chance of taking on a value that is greater and a 50 percent chance of taking a value that is lower. The mode and the mean of two example continuous distribu- tions are illustrated in the Figure 3.8. The other key consideration when defining an input variable is its range or dispersion. The common measure of dispersion is the standard deviation which is a measure of the breadth of values that are possible for the variable. Normally, the larger the standard deviation the greater the relative risk. Probability distributions with different mean values and different standard deviation values are illustrated in Figure 3.9. All four distributions have a single high point (the mode) and all have a mean value that may or may not equal the mode. Notice too that some of the distributions are symmetrical about the mean while others are not. Selecting an appropriate prob- ability distribution is a matter of which distribution is most like the distribution of actual data. For transportation proj- ects, this is a difficult choice because historical data on unit prices, activity durations, and quantity variations are often dif- ficult to obtain. In cases where insufficient data is available to completely define a probability distribution, one must rely on a subjective assessment of the needed input variables. 3.4.3.4 Outputs of Risk Analysis The type of outputs that a technique produces is an impor- tant consideration when selecting a risk analysis method or tool. Generally speaking, techniques that require more rigor, demand stricter assumptions, or need more input data gen- erally produce results that contain more information and are more helpful. Results from risk analyses may be divided into three groups according to their primary output: • Single parameter output measures; • Multiple parameter output measures; and • Complete distribution output measures. The type of output required for an analysis is a function of the objectives of the analysis. If, for example, an agency needs approximate measures of risk to help in project selection 27 Cost or Duration Pr ob ab ili ty Cost or Duration Pr ob ab ili ty Probability Distribution (Normal) Probability Distribution (Lognormal) Mode Mean Mode Mean Figure 3.8. Mean and mode in normal and lognormal distributions.

studies, simple mean values (a single parameter) or a mean and a variance (multiple parameters) may be sufficient. On the other hand, if an agency wishes to use the output of the analysis to aid in assigning a contingency amount to a project, knowledge about the precise shape of the tails of the output distribution or the cumulative distribution is needed (com- plete distribution measures). Finally, when the identification and subsequent management of the key risk drivers is the goal of the analysis, a technique that helps with such sensitivity analyses is an important selection criterion. Sensitivity analysis is a primary modeling tool that can be used to assist in valuing individual risks, which is extremely valuable in risk management and risk allocation support. A “tornado diagram” is a very useful graphical tool for depicting risk sensitivity or influence on the overall variability of the risk model. Tornado diagrams graphically show the correlation be- tween variations in model inputs and the distribution of the outcomes. They highlight the greatest contributors to the over- all risk. Figure 3.10 is a tornado diagram for a portion of the San Francisco Oakland Bay Bridge project. The length of the bars on the tornado diagram corresponds to the influence of the items on the overall risk (in this case, risk to schedule duration). 3.4.3.5 Risk Analysis Methods The selection of a risk analysis method requires an analysis of what input risk measures are available and which types of risk output measures are desired. The following paragraphs describe some of the most frequently used quantitative risk analysis methods and an explanation of the input requirement and output capabilities. These methods range from simple, empirical methods to computationally complex, statistically based methods. Traditional methods for risk analysis are empirically devel- oped procedures that primarily concentrate on developing cost contingencies for projects. The method assigns a risk fac- tor to various project elements based on historical knowledge of the relative risk of various project elements. For example, pavement material cost may exhibit a low degree of cost risk, whereas acquisition of rights of way may display a high degree of cost risk. Project contingency is determined by multiply- ing the estimated cost of each element by their respective risk factors. Table 3.4 provides an example of a traditional risk analysis for the calculation of contingency through the ex- pected value of each identified risk. This method profits from its simplicity and the fact that it does produce an estimate of cost contingency. However, the project teams’ knowledge of risk is only implicitly incorporated in the various risk factors. Due to the historical or empirical nature of the risk assess- ments, traditional methods do not promote communication of the risk consequences of the specific project risks. Likewise, this technique does not support the identification of specific project risk drivers. These methods are not well adapted to evaluating project schedule risk. 28 Figure 3.9. Distributions for risk analysis. Cost or Duration Pr ob ab ili ty Cost or Duration Pr ob ab ili ty Continuous Distribution: Normal Continuous Distribution: Lognormal Cost or Duration Pr ob ab ili ty Continuous Distribution: Triangular Cost or Duration Pr ob ab ili ty Discrete Distributions

While traditional methods are quite simple, they do not re- flect the complexity of many highway projects. Risk analyses for major projects are most often modeled through simula- tion methods. Simulation models, also called Monte Carlo methods, are computerized probabilistic calculations that use random number generators to draw samples from probabil- ity distributions. The objective of the simulation is to find the effect of multiple uncertainties on a value quantity of interest (such as the total project cost or project duration). There are many advantages of Monte Carlo methods. They can deter- mine risk effects for cost and schedule models that are too complex for common analytical methods. They can explicitly incorporate the risk knowledge of the project team for both cost and schedule risk events. They have the ability to reveal, through sensitivity analysis, the impact of specific risk events on the project cost and schedule. However, Monte Carlo methods require knowledge and training for successful implementation. Input to Monte Carlo methods requires the user to know and specify exact proba- bility distribution information; mean, standard deviation, and distribution shape. Yet, Monte Carlo methods are the most common method for project risk analysis for they pro- vide detailed, illustrative information about risk impacts on the project cost and schedule. Figure 3.11 shows typical probability outputs from a Monte Carlo analysis. The histogram information is useful for under- standing the mean and standard deviation of analysis re- sults. The cumulative chart is useful for determining project budgets and contingency values at specific levels of certainty or confidence. In addition to graphically conveying information, Monte Carlo methods produce numerical values for common statistical parameters such as the mean, standard deviation, distribution range, and skewness. 3.4.3.6 Risk Analysis Summary The risk analysis process can be complex due to both the complexity of the modeling that is required and the subjec- tive nature of the data available to conduct the analysis. How- ever, the complexity of the process is not overwhelming and 29 0 5 10 15 20 25 30 35 40 45 50 SAS RFAB3 - Tower Lift 1 Fabrication SAS RFAB1 - Deck 1-6 Fabrication SAS R180A - Delays with PWS Installation SAS RBRG - Barge Crane PROG R17A - Corridor System conflicts - Eastbound OTD2 R16 - Elect/Mech completion issues Eastbound SAS R25A - Alignment of Tower Lift 1 SAS R40 - Shear Leg Barge Crane Commissioning delay SAS R11D - Conflicts over welding Deck 1W to 6W/7-14 Erect SAS R11F - Conflicts over welding Tower Lift 1 Erection SAS R120 - Removal of Temporary Towers A-C YBI1 R20B - Problems with Hinge KW completion SAS R190 - Camber error SAS R180B - Delays in Load Transfer SAS R11E - Conflicts over welding Deck 1E-6E Erection Relative Likelihood to Increase Schedule Duration Top 15 Corridor Schedule Risks Figure 3.10. Example sensitivity analysis with tornado diagram. Project Cost Element Estimated Impact Probability of Occurrence Cost Contingency Initial purchase of right of way $1,200,000 20 $240,000 Known hazardous substance 125,000 10 12,500 Coordination with railroad companies 50,000 10 5,000 Treatment of water discharged from site 400,000 3 12,000 Total $269,500 Table 3.4. Traditional risk analysis method example.

the generated information can prove to be extremely valu- able. There are many methods and tools for quantitatively combining and assessing risks. The selected method will in- volve a trade-off between sophistication of the analysis and its ease of use. Adherence to sound risk analysis techniques will lead to more informed decision making and a more transpar- ent allocation of project risk. 3.4.4 Risk Mitigation and Planning 3.4.4.1 Objectives of Risk Mitigation and Planning The objectives of risk mitigation and planning are to explore risk response strategies for the high-risk items identified in the qualitative and/or quantitative risk analysis. The process iden- tifies and assigns parties to take responsibility for each risk response. It ensures that each risk requiring a response has an owner. The owner of the risk could be an agency planner, engineer, or construction manager depending upon the point in project development or it could be a private sector contrac- tor or partner depending upon the contracting method and risk allocation. Risk mitigation and planning efforts may require that agen- cies set policies, procedures, goals, and responsibility stan- dards. Formalizing risk mitigation and planning throughout an agency will establish a risk culture that should result in bet- ter cost management from planning through construction. 3.4.4.2 Risk Response Options Risk identification, assessment, and analysis exercises form the basis for developing sound risk response options. There are a series of risk response actions that can help agencies and their industry partners avoid or mitigate the identified risks. Wide- man (1992), in the Project Management Institute standard, Project and Program Risk Management; A Guide to Managing Risks and Opportunities, states that a risk may be: • Unrecognized, unmanaged, or ignored (by default); • Recognized, but no action taken (absorbed by a matter of policy); • Avoided (by taking appropriate steps); • Reduced (by an alternative approach); • Transferred (to other through contract or insurance); • Retained and absorbed (by prudent allowances); or • Handled by a combination of the above. The above categorization of risk response options helps to formalize risk management planning. The Caltrans (Califor- nia Department of Transportation) Risk Management Hand- book (Caltrans 2007) suggests a subset of strategies from the categorization defined by Wideman. The Caltrans Handbook states that the project development team must identify which strategy is best for each risk and then design specific actions to implement that strategy. The four strategies and actions in the Caltrans Handbook include: • Avoidance—The team changes the project plan to elimi- nate the risk or to protect the project objectives from its impact. The team might achieve this by changing scope, adding time, or adding resources (thus relaxing the so- called “triple constraint”). • Transference—The team transfers the financial impact of risk by contracting out some aspect of the work. Transfer- 30 Figure 3.11. Typical Monte Carlo output for total costs. Cumulative Total Project Costs (Current $) Mean = 499.57 5% 90% 5% 437.98 566.93 0.00 0.25 0.50 0.75 1.00 400 500 600 700 Distribution for Total Project Costs (Current $) Mean = 499.57 5% 90% 5% 437.98 566.93 0.000 0.005 0.010 0.015 0.020 400 500 600 700

ence reduces the risk only if the contractor is more capable of taking steps to reduce the risk and does so. • Mitigation—The team seeks to reduce the probability or consequences of a risk event to an acceptable threshold. This is accomplished via many different means that are specific to the project and the risk. Mitigation steps, al- though costly and time consuming, may still be preferable to going forward with the unmitigated risk. • Acceptance—The project manager and the project team decide to accept certain risks. They do not change the proj- ect plan to deal with a risk, or identify any response strategy other than agreeing to address the risk if and when it occurs. Given a clear understanding of the risks, their magnitude, and the options for response, an understanding of project risk will emerge. This understanding will include where, when, and to what extent exposure will be anticipated. The under- standing will allow for thoughtful risk planning. 3.4.4.3 Risk Planning Risk planning involves the thoughtful development, im- plementation, and monitoring of appropriate risk response strategies. The DOE’s Office of Engineering and Construc- tion Management (2003) defines risk planning as the detailed formulation of a plan of action for the management of risk. It is the process to: • Develop and document an organized, comprehensive, and interactive risk management strategy; • Determine the methods to be used to execute a risk man- agement strategy; and • Plan for adequate resources. Risk planning is iterative and includes describing and sched- uling the activities and processes to assess (identify and ana- lyze), mitigate, monitor, and document the risk associated with a project. For minor or moderately complex projects, the result should be a risk register. For major projects or moderately complex projects with a high degree of uncertainty, the result should be a formal risk management plan. Planning begins by developing and documenting a risk management strategy. Early efforts establish the purpose and objective; assign responsibilities for specific areas; identify ad- ditional technical expertise needed; describe the assessment process and areas to consider; delineate procedures for con- sideration of mitigation and allocation options; dictate the re- porting and documentation needs; and establish report re- quirements and monitoring metrics. This planning should address evaluation of the capabilities of potential sources as well as early industry involvement. 3.4.4.4 Risk Planning Documentation Each risk plan should be documented, but the level of doc- umentation detail will vary with the unique attributes of each project. Major projects or projects with high levels of uncer- tainty will benefit from having detailed and formal risk man- agement plans that record all aspects of risk identification, risk assessment, risk analysis, risk planning, risk allocation, and risk information systems, documentation, and reports. Other projects that are smaller or contain minimal uncertain- ties may only require the documentation of red flag item lists that can be updated at critical milestones throughout the project development and construction. A red flag item list is created at the earliest stages of project development and maintained as a checklist during project de- velopment. It is perhaps the simplest form of risk identifica- tion and risk management. Not all projects will require a comprehensive and quantitative risk management process. A red flag item list can be used in a streamlined qualitative risk management process. The creation of a risk register is a more formal identification of risks than the simple red flag item listing. It is typically com- pleted as part of a formal and rigorous risk management plan. The risk register provides project managers with a listing of sig- nificant risks and includes information about the cost and schedule impacts of these risks. It supports the contingency res- olution process by tracking changes as a result of actual cost and schedule risk impacts, as the project progresses through the development process and the risks are resolved. A risk register is used as a management tool to identify, communicate, monitor, and control risks. It provides assis- tance in setting appropriate contingencies and equitably allo- cating risks. As part of a comprehensive risk management plan, the risk register can help to control cost escalation. It is appropriate for large or complex projects that have significant uncertainty. A risk register is based on either a qualitative or quantitative assessment of risk, rather than simple judgmen- tal decisions. The identified risks are listed with relevant infor- mation for quantifying, controlling, and monitoring them. The risk register may include relevant information such as: • Risk Description • Status • Date Identified • Project Phase • Functional Assignment • Risk Trigger • Probability of Occurrence (%) • Impact ($ or days) • Response Actions • Responsibility (Task Manager) 31

The most extensive risk planning, which is typically reserved for major projects, is through the creation of a formal risk management plan. The project development team’s strategy to manage risk provides the project team with direction and basis for planning. The formal plan should be developed dur- ing the planning and programming phases, and then updated during the preliminary and final design phases. Since the abil- ity of the agency’s and the contractor’s teams to plan and build the facility affects the project’s risks, industry can provide valu- able insight into this area of consideration. The plan is the roadmap that tells the project team mem- bers how to approach all phases of risk management at a cor- porate level. Since it is a map, it may be specific in some areas, such as the assignment of responsibilities for agency and con- tractor participants and definitions, and general in other areas to allow users to choose the most efficient way to proceed. A risk management plan should contain some or all of the fol- lowing items: 1. Introduction 2. Summary 3. Definitions 4. Organization 5. Risk management strategy and approach 6. Risk identification 7. Risk assessment and analysis 8. Risk planning 9. Risk allocation 10. Risk register and risk monitoring 11. Risk management information system, documentation and reports As previously stated, each risk plan should be documented, but the level of detail will vary with the unique attributes of each project. Red flag item lists, risk registers, and formal risk management plans provide flexibility in risk management documentation. 3.4.4.5 Risk Planning Summary Risk mitigation and planning utilizes the information from the risk identification, assessment, and analysis processes to formulate response strategies for key risks. Common strate- gies are avoidance, transference, mitigation, or acceptance. The mitigation and planning exercises must be documented in an organized and comprehensive fashion that clearly as- signs responsibilities and delineates procedures for mitigation and allocation of risks. Common documentation procedures frequently include the creation of red flag item lists, risk reg- isters, and formal risk management planning documentation. Risk mitigation and planning efforts may necessitate that agencies set policies, procedures, goals, and responsibility standards. Formalizing risk mitigation and planning through- out the agency will establish a risk culture that should result in better cost management from planning through construction. 3.4.5 Risk Allocation 3.4.5.1 Objectives of Risk Allocation The contract is the vehicle for risk allocation. Whether the contract is for construction, construction engineering and inspection, design, or design-build, or some other aspect of highway construction management, the contract by defining roles and responsibilities assigns risks. Risk allocation in any contract affects cost, time, quality, and the potential for dis- putes, delays, and claims. In fact, contractual misallocation of risk has been found to be a leading cause of construction dis- putes in the United States (Smith 1995). The Construction Industry Institute (CII) is a group of construction industry owners, contractors, and academics that study the industry and create best practices. In a 1990 study, CII states that: The goal of an optimal allocation of risk is to minimize the total cost of risk on a project, not necessarily the costs to each party separately. Thus, it might sometimes seem as if one party is bearing more of the risk costs than the other party. However, if both owners and contractors take a long-term view, and take into consideration the benefit of consistently applying an opti- mal method to themselves and to the rest of their industry, they will realize that over time optimizing risk allocation reduces everyone’s cost and increases the competitiveness of all parties involved. The objectives of risk allocation can vary depending upon unique project goals, but four fundamental tenets of sound risk allocation should always be followed. • Allocate risks to the party that is best able to manage them. • Allocate the risk in alignment with project goals. • Share risk when appropriate to accomplish project goals. • Ultimately seek to allocate risks to promote team align- ment with customer-oriented performance goals. 3.4.5.2 Allocate Risks to the Party Best Able to Manage Them A fundamental tenet of risk management is to allocate the risks to the party that is best able to manage the specific risk. The party assuming the risk should be able to best evaluate, control, bear the cost, and benefit from its assumption (ASCE 1990). For example, the risk of an inadequate labor force, a breakdown in equipment, or specific means of construction is best borne by the contractor, while a risk of securing of proj- ect funds or project site availability is best borne by the agency. 32

Following this principle of allocating the risks to the party that is best able to manage them will ultimately result in lowest overall price because contractors will not be forced to include contingency for possible financial losses or take gambles in an extremely competitive bidding environment. Inappropriate risk shifting from the owner to the contractor can result in mis- aligned incentives, mistrust, and an increase in disputes. A second CII study (CII 1993) discusses the concept of allocating risks to the party that is best able to accept them: Because of the advantages and disadvantages associated with efficient and equitable allocation of risk, each project should be assessed individually and to determine for each risk what alloca- tion consideration will reduce the overall cost to the project’s total cost of risk. 3.4.5.3 Risk Allocation in Alignment with Project Objectives Risks should be allocated in a manner that maximizes the probability of project success. The definition of a clear and concise set of project objectives is essential to project success and these objectives must be understood to properly allocate project risks. For instance, if the public needs a project com- pleted sooner than would be achievable under traditional contracting and risk allocation methods, the agency may be forced to ask the contractor to assume more risk for timely or expedited completion and the agency must be willing to com- pensate the contractor for assuming this risk. Allocating risks in alignment with project objectives begins with a clear understanding of the project objectives by the agency and clear communication of these objectives to the contracting, consulting, or design community. While this idea seems to be quite simple, in practice it is often difficult to identify and prioritize concise objectives due to the com- plex nature of many highway construction projects. The importance of clearly understanding and defining proj- ect objectives cannot be overemphasized. Project objectives directly determine optimum risk allocation strategies, or when project risk allocation is justified in deviating from traditional industry standards. Additionally, project objectives can affect the procurement methods and contracting strategies. The ob- jectives should be understood early in the project process and referred to before any important design, procurement, con- tracting, or construction management decision. 3.4.5.4 Share Risks Appropriately The concept of risk sharing is often used synonymously with the concept of risk allocation. The American Society of Civil Engineers has gone as far as to define risk allocation as “the process of identifying risks and determining how—to what extent—they should be shared” (ASCE 1990). However the term “risk sharing” can be somewhat mis- leading. In reality, there is no risk that is truly shared, but rather, exposure to the risk is split amongst the parties. Risk sharing is clearly defining the point at which the risk is trans- ferred from one party to the other. These transfer points should be scrutinized for appropriateness, and then explicitly and clearly addressed in the contract. For example, a risk that is commonly shared is the risk for unusually severe weather. A contract provision for unusually severe weather may grant the contractor a right to a time extension while not providing for additional compensation of costs. In this situation, the agency is allocated the risk of delay while the contractor is al- located the risk of additional costs. Another example of risk allocation comes from the WSDOT. The agency had traditionally maintained the risk for differing site conditions on drilled shafts for bridge piers. On a number of projects, they had experienced substantial cost growth for differing site conditions claims from contrac- tors who were using equipment that was insufficient to re- move small boulders in the drilled shafts. The agency deter- mined that they had two choices: 1) specify the equipment and method for drilling the shaft so that these small boulders could be removed when encountered; or 2) allocate the risk for removing these boulders to the contractor in hopes that they will choose the appropriate method for removing the rocks. Unfortunately, both of these options were not aligned with standard agency policy. Because the agency foresaw too much risk in prescribing the means and methods of construc- tion, they chose the second solution of allocating the risk of the differing site conditions to the contractor. Communication between parties is a key to any sharing of risk allocation. Risk sharing provisions should be written with the principle of risk management and alignment of projects objectives as described above. All nontraditional allocation of risk should be clearly pointed out to the contractors. 3.4.5.5 Risk Allocation in Alignment with Customer-Oriented Performance Goals The ultimate goal of risk allocation should be to help align the project team with customer oriented performance goals. A primary finding of the 2005 FHWA Construction Manage- ment Scan (FHWA 2005) was that the European highway community is allocating more risk to the private sector and this has resulted in better alignment of team goals with cus- tomer goals. For example, the Highways Agency in England has key performance indicators that deal with client satisfac- tion with the product, client satisfaction with the service, pre- dictability of time, predictability of cost, safety, and process improvement. They have found that traditional risk alloca- tion practices do not always align teams with these customer- oriented performance goals. 33

While the concept of allocating risks in alignment with customer-oriented performance goals may seem to be a sig- nificant departure from traditional practices in the United States, highway agencies are already doing this through the use of alternative contracting techniques. For example, A + B (cost + time) procurement is used on selected projects by many highway agencies in the United States. In essence, A + B procurement passes the risk for accurately setting the fastest construction completion date from the agency to the contrac- tor. In an extreme example, the use of Public Private Partner- ship techniques is shifting the risk for customer satisfaction almost entirely to the private sector. Agencies and the indus- try should strive to innovate and develop new risk allocation techniques that align all team members with customer goals. 3.4.5.6 Conclusions The rigorous process of risk identification, assessment, analysis, and mitigation described in this Guidebook allows for a more transparent and informed allocation of project risk. When risks are understood and their consequences are mea- sured, decisions can be made to allocate risks in a manner that minimizes costs, promotes project goals, and ultimately aligns the construction team (agency, contractor, and consultants) with the needs and objectives of the traveling public. 3.4.6 Risk Monitoring and Control 3.4.6.1 Objectives of Monitoring and Control The objectives of risk monitoring and control are to 1) sys- tematically track the identified risks; 2) identify any new risks; 3) effectively manage the contingency reserve; and 4) capture lessons learned for future risk assessment and allocation efforts. Risk monitoring and updating occurs after the risk mitigation and planning processes. It precedes the risk allo- cation process in the planning phase, but is performed in con- junction with allocation during programming and design phases. It must continue for the life of the project. Risks are dynamic. The list of risks and associated risk management strategies will likely change as the project matures and new risks develop or anticipated risks disappear. Periodic project risk reviews repeat the tasks of identifica- tion, assessment, analysis, mitigation, planning, and allocation. Regularly scheduled project risk reviews can be used to ensure that project risk is an agenda item at all project development and construction management meetings. If unanticipated risks emerge, or a risk’s impact is greater than expected, the planned response or risk allocation may not be adequate. At this point, the project team must perform additional response planning to control the risk. Risk monitoring and updating tasks vary depending upon unique project goals, but three tasks should be integrated into design and construction management plans: 1. Develop consistent and comprehensive reporting proce- dures; 2. Monitor risk and contingency resolution; and 3. Provide feedback of analysis and mitigation for future risk assessment and allocation. 3.4.6.2 Reporting Risk reporting involves recording, maintaining, and stating assessments. Monitoring results and assessing the adequacy of existing plans are critical. The DOE’s Office of Engineering and Construction Management (2003) states that primary cri- terion for successful management is formally documenting the ongoing risk management process. This is important because: • It provides the basis for program assessments and updates as the project progresses; • Formal documentation tends to ensure more comprehen- sive risk assessments than undocumented efforts; • It provides a basis for monitoring mitigation and alloca- tion actions and verifying the results; • It provides project background material for new personnel; • It is a management tool for the execution of the project; and • It provides the rationale for project decisions. A comprehensive risk register can form the basis of docu- mentation for risk monitoring and updating. Caltrans has de- veloped a standard risk register format that provides documen- tation for risk monitoring and updating. Table 3.5 provides a summary of the risk monitoring items contained in the Caltrans risk register template. The output of risk registers and risk information systems can be graphically oriented. Figure 3.12 provides one exam- ple of a status presentation of top-level risk information that can be useful to management as well as others external to the program. The example has been adapted from the DOE’s Of- fice of Engineering and Construction Management (2003) and populated with risks for a typical highway project. The most complex projects can employ a risk management information system. Risk management information systems can vary in form depending upon project or program needs, but the systems generally contain the same information that would be found in the most comprehensive risk registers in a database system that can be accessed by multiple users. Cal- trans has created a very sophisticated risk management infor- mation system for the San Francisco Oakland Bay Bridge Proj- ect and the Toll Bridge Seismic Retrofit Program. The graphic in Figure 3.13 shows an input screen for the program’s risk management information system. The risk management in- formation system provides Caltrans staff with a variety of input methods and reporting functions. Caltrans is using the risk management information system to actively manage its 34

35 Table 3.5. Selected monitoring items from Caltrans risk register (Caltrans 2007). Status Functional Assignment Risk Trigger Assessment (Qualitative or Quantitative) Monitor and Control Active = risk is being actively monitored Dormant = risk is not currently high priority, but may become active in the future Retired = risk has been resolved Capital delivery function (planning, design, right of way, environmental, engineering services, construction, etc.) Event that indicates risk has occurred Used to determine when to implement the risk response strategy Probability and impact of the risk This can be qualitative (very high, high, medium, etc.) or quantitative (involving a % probability of occurrence and impact in $ or days) Responsibility = name of manager responsible for the risk Status Interval or Milestone Check = point of review Date, Status and Review Comments Risk Plan # Risk Issue High Moderate Low Status/Comment T-01 Unexpected geotechnical issues Soils investigations ongoing T-02 Need for design exceptions Design nearly complete E-01 Landowners unwilling to sell All property successfully acquired E-02 Local community objections Outreach plan complete E-01 Inexperienced staff assigned Training in progress Closed Closed Figure 3.12. Example risk status report (Adapted from DOE 2003). Figure 3.13. Risk management information system example (Caltrans).

contingency for competing the San Francisco Oakland Bay Bridge Project and the Toll Bridge Seismic Retrofit Program. WSDOT developed an exceptional top-level risk status re- port, as seen in Figure 3.14 (Washington 2006). The “What’s Changed” also acts as a high-level monitoring report. The sta- tus report uses a one-page format to communicate important cost and risk issues to both the DOT personnel and external stakeholders. It communicates key project information, proj- ect benefits, and project risks. It reports cost and schedule in a range rather than a single point. It also communicates the project design status. In some high-profile projects, the report is completed annually and updates information from the pre- vious report. While the example shown is for a large corridor- level program, this format can be successfully implemented on smaller projects as well. 3.4.6.3 Contingency Resolution Any party assuming a risk must be prepared for the finan- cial burden associated with that risk. Figures 3.3 through 3.5 in this chapter graphically depicted how contingency is re- tired. Prudent contractors and agencies use the quantitative risk assessment techniques to estimate the contingency nec- essary to complete a project. Proper risk allocation will allow for the minimization of this contingency for both parties. As the project matures from programming through final design, the contingency is lowered and the base estimate in- creases. The percentage of the contingency to the base estimate is a function of the project complexity and the level of project definition. Procedures and tools for estimating an appropri- ate contingency amount are provided throughout the remain- der of this guidebook and the Appendix A. 3.4.6.4 Conclusions on Risk Monitoring and Control A successful risk monitoring and updating process will sys- tematically track risks, support the identification of new risks, and effectively manage the contingency reserve. The system will help to ensure successful completion of the project objec- tives. If documented properly, the monitoring and updating process will capture lessons learned and feed risk identifica- tion, assessment, and quantification efforts on future projects. 3.5 Risk Management Policies and Performance Measures A survey conducted as part of this research found that less than 10 percent of the SHA have policies regarding risk man- agement for cost control (Molenaar et al. 2009). Policies and performance measures will help to ensure consistent applica- tion of risk management processes and provide a means for documenting improvement. This section briefly describes policies and performance measures found in the research. 3.5.1 Policies Policies statements on the application of risk and cost man- agement will help to encourage better cost control. These poli- cies are perhaps as important as the steps of the risk manage- ment process in the successful integration of risk management procedures within the organization. The process of imple- mentation begins with the development of a policy statement. Figures 3.15 and 3.16 illustrate portions of policy state- ments on risk management. The example in Figure 3.15 from Minnesota Department of Transportation (Mn/DOT) was developed as part of the agency’s Cost Estimating Process Improvement and Organizational Integration initiative. It is one of five policies relating to cost estimating and cost man- agement. The policy statement makes clear the use of contin- gency estimates on all early estimates. The U.S. DOE policy statement highlighted in Figure 3.16 is an example of risk management policy that captures the essen- tial elements of safety and cost in analyzing risks as well as the benefits of a rigorous, systematic analysis. The policy acknowl- edges that risk management is part of sound project manage- ment and is designed to enable and enhance the procedures stated in DOE Order 413.3A. 3.5.2 Performance Measures Performance measures help keep projects and programs on track by ensuring that the risk management process is meeting its goals. Performance measures such as cost, schedule, and safety measurements can be taken at predetermined times, or at significant milestones to evaluate the accuracy and effective- ness of risk management and project management procedures. The development of risk management performance met- rics is essential to risk monitoring success. The establishment of a management indicator system that provides accurate, timely, and relevant risk information in a clear, easily under- stood manner is key to risk monitoring. Early in the planning phase of the process, the team should identify specific indica- tors to be monitored and information to be collected, com- piled, and reported. Specific procedures and details for risk reporting should be included in the risk management plans prepared by the agency and the contractor. Caltrans has proposed performance measures for its risk management program. They are considering 1) percent of projects with risk management plans during the project initi- ation document (PID) phase (is it happening), and 2) percent of project change requests (PCRs) due to unidentified risks (builds into the quality of the PCRs). These measures will be 36

37 Figure 3.14. Washington State DOT cost and risk status report.

tracked and reported by division headquarters of project man- agement (for the measure relating to PCRs) and planning (for the measure regarding PIDs). Performance measures can be project specific rather than programwide. These project risk performance measures can deal with the number or magnitude of risks that have been successfully mitigated. The project risk performance measures also can resemble traditional construction management per- formance measures such as cost variance, schedule variance, estimate at completion, design schedule performance, man- agement reserve, estimate to complete, or similar measures. Some examples of performance measures proposed for a state 38 Mn/DOT Uncertainty, Risk, and Contingency Policy The Total Project Cost Estimate for each of the project development phases will include an analysis of uncertainty and risk, and associated contingency estimates. Draft Policy Guidelines: a. Uncertainty, risk and associated contingencies will be acknowledged early for all projects in the project development process, starting with the planning phase, and updated in subsequent phases. b. With the exception of the Letting Phase cost estimate, where project contingency is zeroed out, contingency will not be incorporated in individual line item costs; instead, contingency will be maintained in a separate category. As more is known about the project, the amount of estimated contingency and the Base Estimate would change (contingency resolution). c. A contingency estimate based on a risk analysis will be developed for all projects. The level of risk analysis, including the possible use of a specialized risk-estimation unit or review panel, will be determined by each unique project’s complexity, local impacts, or political interest. Figure 3.15. Excerpt from MnDOT policy statement on uncertainty, risk, and contingency. DOE RISK MANAGEMENT POLICY STATEMENT 1) PURPOSE AND SCOPE. The EM Risk manage ment Policy strengthens accountability in project manage me nt decision-making processes and is designed to enhance and build upon DOE Order 413.3A by providing the platform to establish a formal, organized process to plan, perform, assess, and continually enhance risk management performance. 2) POLICY. It is the policy and practice of EM to conduct its operations in a manner that promotes overall risk planning including the assessment (identification and analysis of), implementation (or mitigation actions), monitoring, and documentation of risk. The objective of this policy is to safeguard the interests of the public, the environment, the worker, and the government during the conduct of operations in meeting the EM mission objec tives. It is also the objective of this policy to provide an accurate reflection of the bounding cost and schedule contingency requirements of the EM field operations. To accomplish this objective EM has established these implementing policy goals: a. Risk management policy, procedure, a nd processes apply to all work done by EM, its field offices, contractors, and subcontractors. b. The risk planning process is to be applied and documented in a step-wise process. All documentation is to be incorporated into the appropriate project managemen t documentation for the specific work to be done at the specific work site and is to be updated semi-annually and reviewed at least monthly depending upon specific regulatory or other site specific changes or risk factor changes. c. The first strategy to be taken in the handling of any identified risk is to take actions to prevent or mitigate risk factors if it can be accomplished within reasonable cost/benefit analysis within the approved funding profile. d. All risks identified by the field office or contractors must be monitored for change by the designated risk owner to protect the worker, the public, and the environment. Figure 3.16. Excerpt from DOE risk management policy.

department of transportation are 1) the degree to which risks are identified in early estimates; and 2) the degree to which contingency resolution is tracked. While the use of performance measures is critical to long- term process improvement and risk management program success, risk management should not be viewed purely as a measure of estimate accuracy. Comparisons of estimate accu- racy between a stochastically based range estimate from plan- ning and a deterministically based estimate at the end of design is not advisable due to the disparate nature of the information available in the estimates. Performance measures that deal with the number of magnitude of risks that have been mitigated during the project development process are likely a better indicator of program success. 3.6 Summary This chapter provides an overview of the risk management process with particular reference to contingency planning and the risk management steps. The chapter provides a foun- dation and vocabulary that is used throughout the remainder of this Guidebook. Definitions for risk management terms are provided. A series of figures describe the need for contin- gency and the contingency resolution process. Each of the risk management steps is discussed in detail, including risk identification, risk assessment, risk analysis, risk mitigation and planning, risk allocation, and risk monitoring and con- trol. The chapter concludes with a brief discussion of policies and performance measures relating to risk management. 39