Guidance for Managing NEPA-Related and Other Risks in Project Delivery, Volume 1: Guide for Managing NEPA-Related and Other Risks in Project Delivery (2012)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

8 | P a g e 2 Risk Management Framework While a variety of approaches can be used to reasonably identify, assess, and manage project risks, some approaches work better than others for highway projects. However, these approaches, which range from completely ad-hoc to very formal, all share a few fundamentals. Most importantly, the primary objective for any of these risk management approaches is to improve the performance of either individual projects or programs of projects. Each approach also seeks to anticipate risks and opportunities and then develop management strategies to minimize undesirable performance. Figure 2: Risk Management Framework While ad hoc risk management can provide some value, a formal framework with multiple participants providing different perspectives can maximize the benefits of risk management by leaving less to chance and simply improving the likelihood that all significant occurrences will be considered at various times throughout a project or program. A summary of these steps is shown in Figure 2 and provided below: 1. Structuring: Before risks can even be identified, much less managed, the agency must adequately define the “base” project. This base consists of the planned project scope, strategy, and key conditions, as well as a set of assumptions regarding those aspects that are not yet known for certain. Generally, this base project description is developed at a relatively broad level of detail simply via facilitated discussions with the project team. 1. Structuring • Project Management Plan • Scope • Schedule • Estimates • Documentation 2. Risk Identification 3. Risk Assessment (Qualitative) 4. Risk Analysis (Quantitative) 5. Risk Response Planning 6. Risk Monitoring and Control Risk Management is at the heart of project management and is an ongoing activity until completion of the project

9 | P a g e 2. Risk Identification: Once the base assumptions have been established and the project has been “structured” (in Step 1), the agency must adequately identify the risks and opportunities relative to that base. The intent is to identify a comprehensive and non-overlapping set of risks and opportunities. To help accomplish this, the risks are often categorized (e.g., in terms of the project phase in which they generally might occur). Generally, a combination of techniques, ranging from facilitated group brainstorming to “risk checklists” is used, considering all readily available information. As the project develops and conditions change, additional risks might be identified, while some existing risks will be retired. The updated list of risks is maintained in a project risk register. 3. Risk Assessment: Once the agency has identified risks and opportunities (in Step 2), it should adequately assess the relative severity of the risks and opportunities so that they can be prioritized for subsequent management (Step 5). If the agency chooses to quantify uncertainty in project performance through risk analysis (Step 4), then the risk factors must also be adequately quantified, from which their severity and prioritization can be determined. The risk factors (i.e., the impacts if the event occurs and the probability of that event occurring) are assessed, either qualitatively or quantitatively, using a variety of techniques, ranging from statistical analysis to facilitated expert group opinion, considering all readily available information. As the project develops and conditions change, the risk factors for previously identified risks might change and need to be reassessed, while the factors for any new risks must be assessed. The updated assessments of factors describing the severity of each risk are maintained in the project risk register. Figure 3: Example of a Qualitative Risk Assessment Matrix Pr ob ab ili ty Im pa ct VH H M L VL VL L M H VH Pr ob ab ili ty Impact Qualitative Display of Most Likely Impact Risk Matrix H ig h V er y H ig h V er y Lo w

10 | P a g e 4. Risk Analysis: If the risk factors have been assessed quantitatively (in Step 3), the agency can use the risk factors in conjunction with the base performance to determine total project performance. For some performance measures, such as un-inflated costs that are additive, this is a relatively simple analysis. However, for other performance measures, such as schedule that are not simply additive, this is a relatively complex analysis. Typically, numerical models are developed to adequately calculate each performance measure as a function of various input factors (e.g., the “base” and “risk”). The overall “mean value” (i.e., probability weighted average value) of the performance measure can then be approximated by using the mean value of each input factor, which for one risk would simply be its probability times its impact. The uncertainty (which is expressed by a probability distribution) in a performance measure can be approximated (e.g., typically by Monte Carlo simulation) by using the uncertainty for each input factor appropriately considering any relationships (correlations) among those input factors. This can be done at various levels of detail and complexity, considering risks explicitly or implicitly. If risks are treated explicitly, their severity can be calculated and used to meaningfully prioritize the risks. As the project (or program) develops and the risks (and their factors) change, the project (or program) performance must be reanalyzed. 5. Risk Response Planning: Once the agency has evaluated and prioritized the risks (in Step 3 and possibly more definitively in Step 4), the agency should identify and adequately evaluate proactive ways to manage those risks and select those that will be cost-effective. This is a crucial step in project risk management. The agency should then develop adequate plans to accomplish those activities. Budgets and milestones that adequately account for the remaining residual risks must then be established (e.g., through use of contingency), based on agency policy regarding the appropriate level of conservatism. Adequate procedures must be established to control expenditure of that contingency, so that the project does not automatically “consume” the allocated contingency. Ways to meet budget or milestones if that contingency turns out to be insufficient (e.g., reduction in scope) at various milestones must be identified and adequately evaluated to select those that will be implemented if necessary. Adequate plans and decision criteria must be Figure 1: Example of a Quantitative Risk Assessment Matrix Ty pe Pr ob ab ili ty Es tim at ed E xp ec te d Ri sk Im pa ct ($ M ) ([ m in + (4 X M L) + m ax ] X [p ro ba bi lit y] )/ 6 MIN $1.0M MAX $12.0M Most Likely $7.0M MIN 0.0 Mo. MAX 4.0 Mo. Most Likely 3.0 Mo. Quantitative Analysis Risk Impact ($M or Months) 70%Co st Sc he du le $4.8M 1.9 Mo.

11 | P a g e developed to accomplish those actions. As the project develops and the risks (and their factors) change, these plans must be reviewed and revised as necessary to optimize remaining project performance. The updated plans are maintained in the project Risk Management Plan. 6. Risk Monitoring and Control: Once the agency has developed the Risk Management Plan (in Step 5), it must be adequately implemented. This involves the following: • Implementing and monitoring progress on proactive risk reduction activities; • Monitoring risks and updating the risk register, partly in response to proactive risk reduction activities but also due to other changes in conditions (e.g., changes in the base); • Periodically reanalyzing risks, especially at major milestones or major changes in conditions; • Periodically reviewing and updating the Risk Management Plan; • Monitoring, controlling, and periodically revising contingency/float as necessary; and • Deciding on whether to implement established contingency plans at various milestones. Hence, as the project develops and the related Risk Management Plan changes, the plan must continue to be effectively implemented. The process described above can be applied at the project or program level. However, the focus and level of detail are different between the two. For example, a project-level risk assessment might consider the risk of a delay to completion of the project’s Environmental Impact Statement (e.g., due to newly-discovered resources). A program-level risk assessment might consider the risk to completion of one project’s EIS due to challenges received on a related project’s EIS. In other words, program-level risk management introduces program-level and multi-project risks into the equation. In addition, the program-level assessment might consider particular issues in less detail (i.e., at a higher-level view) than would be addressed in individual project assessments, and might not specifically address smaller project issues at all. In that sense, a program-level analysis should be viewed as an adjunct to, and not a substitute for project level analyses. The process can also be applied to specific elements of a project (scoping; design; the NEPA process as in this guidance; contract procurement; and construction). In practice, informal risk management efforts often occur as plans and specifications are finalized, focusing on risks to cost and schedule during construction. While important in their own right, these preconstruction assessments are unlikely to provide benefits for the NEPA phase. In addition, their ‘informality” represents a risk in and of itself, in terms of omitting or underestimating the likelihood or significance of risk factors. Formal risk management efforts tend to take a more comprehensive view and evaluate the overall project, which provides the benefit of identifying and managing what are often significant pre- construction risks. “Risk management is not a one-time event. A risk management plan is reviewed and updated throughout the life of the project as some risks are retired or new risks are identified. A risk management plan that is developed at the start of a project, but not referred to thereafter, is not a risk management plan at all” - NCHRP 20-24(71) Workshop Participant

12 | P a g e It is imperative to emphasize that risk management is a cyclical process, and the reanalysis of risk (and subsequent response planning, monitoring and control) must occur regularly, perhaps at major decision points in the project development process. This is because: • Old risks and opportunities might be dismissed. • New risks and opportunities might be identified. • For existing or new risks, project managers must reevaluate their likelihood of occurrence and potential impacts. While formal risk management processes have been around for some time, especially in the private sector, and in other fields and industries, its adoption by US-based highway agencies is only now beginning to gain momentum. Most highway agencies still do not have formal programs or policies related to risk assessment or risk management. Focusing on NEPA Risks In developing this guidance document, the research team did not have a specific project to evaluate through the six-step risk management framework outlined in this section. Instead, the research focused on the potential universe of NEPA risks, and potential actions to manage those risks. Since the research focuses on all NEPA risks, rather than a specific project, there is no qualitative or quantitative risk analysis. Instead, the focus is on steps 2 and 5 of the risk management framework: (NEPA) Risk Identification and (NEPA) Risk Response Planning, in a generic sense. The risk management framework graphic in Figure 5 below highlights this focus, with elaboration in the next chapter. Figure 5: Risk Management Framework, Highlighting the Focus Areas for NEPA Risk Identification and NEPA Response Planning 1. Structuring • Project Management Plan • Scope • Schedule • Estimates • Documentation 2. Risk Identification 3. Risk Assessment (Qualitative) 4. Risk Analysis (Quantitative) 5. Risk Response Planning 6. Risk Monitoring and Control Risk Management is at the heart of project management and is an ongoing activity until completion of the project