Risk Management Plan: New and Cascaded Fleet Introduction, 2019

Submitted by LewisMorgan on

Risk Management Plan New and Cascaded Fleet Introduction TfWRS/RMP/001

This risk management plan was published in 2019 and it is no longer applicable to TfW

1 Management of Risk

KeolisAmey Wales, trading as Transport for Wales Rail Services (TfWRS) is procuring new and cascaded fleets to replace existing fleets currently operating on the Wales and Borders franchise. The fleets to be introduced are expected to be operated in a range of different service types on infrastructure on the Wales & Borders (W&B) routes.

TfWRS plan to transform the passenger experience and provide the improvements in quality of service to meet the changing expectations of the passengers.

The new and cascaded fleets are listed below:

  • Class 37 / MK2
  • Class 170
  • Class 230
  • Class 769
  • Class 67/ MK4
  • CAF Civity DMU
  • Stadler CityLink Tram-Train
  • Stadler Flirt DEMU
  • Stadler Flirt Tri-mode

 

1.1 General

TfWRS's approach is to manage all risks relating to the introduction of new and cascaded rolling stock, so that its contractual requirements and business objectives are fully satisfied. The company therefore aims to identify and mitigate at the earliest juncture all risks which could affect the successful delivery of the new and cascaded rolling stock projects. Fundamental to this approach is a full understanding of all stakeholders' commercial and technical requirements, timescales and constraints.

All projects within TfWRS are underpinned by a robust risk management process. The approach of progressive risk management is used throughout each stage of the rolling stock projects lifecycle and ultimately to ensure that all new and cascaded Units are introduced to the required standards, and that they achieve and continue to meet TfWRS's contracted requirements in this regard.

 

1.2 Risks to the New and Cascaded Fleets Introduction Programme

The approach for identification and mitigation of risks relating to the introduction of new and cascaded fleets are mainly:

  • Maintaining the reliability of each Class of new and cascaded trains to be introduced to the franchise and mitigation of risks that could reduce that reliability
  • Ensuring that the number of Units required to deliver the passenger service timetable requirements are delivered and available on time to meet TfWRS and its client's needs and mitigation of risks that could affect such availability
  • Threats to the availability of maintenance facilities and activities
  • Changes to processes, e.g. as a result of changes to legislation
  • Perturbances which could affect TfWRS's ability to deliver on its contractual commitments
  • Anything that could affect the achievement of Safety, Environmental or Quality standards

In addition to TfWRS's pro-active identification of risks, the company shall employ standard embedded processes to ensure continuity of performance e.g. Suppliers, staff competency, best practice procedures, etc.

2 TfWRS Processes

This document outlines the general TfWRS processes that are adopted to provide an integrated approach to deliver the programme and operations. The strategy and the processes employed are designed to provide visibility of genuine progress and issues, enabling all aspects of delivery to be proactively managed. The Risk Management Plan is integral and complementary to wider general TfWRS processes.

The TfWRS Quality Management System (QMS) is used to manage the whole business. The QMS includes: Company Manuals, Strategy and Governance, Safety Management System (SMS) and the Risk Management Plan (RMP). These areas are divided into a hierarchy of many levels to provide a framework for commonality by functional areas within the business.

All TfWRS processes are controlled, reviewed and managed centrally for the entire organisation and, in the case of the Risk Management Plan, by the central Project Management Office (PMO).

Audits on the application of these processes are carried out against TfWRS accreditations (ISO standards) and through internal governance audits.

3 Risk Management Process

Risk Management is concerned with identifying, assessing and monitoring project risks before they develop into issues which impact projects, while Opportunity Management develops ideas that can have positive impact on projects. This document is concerned with risk management, but equally opportunities are managed in parallel, during project execution and make use of common processes and tools. This Risk Management Plan is the standard process to manage Risks and Opportunities and will be employed on all new and cascade rolling stock projects.

Risk Management on each project is supported by a Risk Register, into which all identified risks are input when first identified. All information on the historical development of the risks, including proposed, rejected, active and closed risks is retained in the Risk Register.

Where a risk has several consequences, the information is input to the Risk Register so that each consequence is a separate risk, even though there is a common condition/cause. This ensures that all impacts are considered, whilst maintaining simplicity of the Risk Register.

For each project, TfWRS appoints a dedicated Project Manager who has responsibility for identifying and managing all risks. In this capacity, the Project Manager will:

  • Support the wider project team in proactively managing issues with a potential impact
  • Ensure that actions and timescales are met
  • Manage the Risk Register
  • Authorise access to the Risk Register for team members
  • Ensure the input of risk data into the Risk Register
  • Ensure adherence to the Risk Management processes

Individual risks are assigned to the Project team members, who are each responsible for the management of their risks, inputting to the Risk Register and to the development of response actions related to their function. The Project Management team undertake risk management based on the philosophy of early identification of risks and continuous follow-up throughout the project execution. They will be proactive by anticipating future events that may affect the project and will take the necessary actions to decrease the Likelihood of a risk occurring and/or reduce the impact of the risk, should it occur.

The main success factors of the risk management process will be:

  • All the Project risks are comprehensively identified and assessed at Project launch and during the project execution phases.
  • An integrated team approach is adopted with the Project Manager having oversight of all risks from all functions and the promotion of information exchanges between these functions, partners and stakeholders.
  • The continuous management of risks throughout the project life.

The strategies aim to outline the high-level requirements of the system. From the strategies, project specific plans will be developed which will document the workstream in detail and how the requirement will be executed to ensure safe operation of the system.

 

3.1 Process Description

Risk Management consists of six distinct steps that evolve through the life of the project. The risk management process starts at the bid phase and finishes with project closure. The process steps are not project phase specific and are repeated over the life of the project, see Figures 1 and 2.

....it is iterative: starts during the Bid Phase and ends at Project Close Out

Step 1 Identification Identify, categorise and harmonise risks
Step 2 Assessment Evaluate and estimate possible impacts and interactions (this is quantified in terms of time or cost and probability)
Step 3 Response Planning Define mitigation actions
Step 4 Planning Response Implementation Implement the action plan and integrate it into the project
Step 5 Tracking & Reporting Provide visibility of risks
Step 6 Closing Transfer risks to the project scope if they occur and become issues. Close risks that have not occurred by the end of the impact phase.

 

3.2 Step 1 -Risk Identification

The first action of risk management is the identification of individual events that may be encountered during the project. The identification step comprises:

  • Identify the risks
  • Harmonisation of the risks identified
  • Assignment of ownership of individual risks

For reasons of efficiency, the full Project Team is involved in a series of reviews and workshops to identify, harmonise and assign ownership of risks on a project, namely:

  • Contract and commercial review to ensure all the necessary commercial and financial matters throughout the life of the project are managed
  • Risk Identification workshops involving all functions
  • Lessons learned and incorporation of "best practice" workshops
  • Assumptions workshops, where all the assumptions made by suppliers and sub- contractors are collated, validated and any associated risk mitigated
  • For new trains projects, critical items assessment workshops: identifying risk and documenting the Failure Mode and Effects Analyses (FMEAs) or other work to be undertaken during execution
  • Deep Dives and Gate Reviews, which are senior management-led and cover all aspects of the project

Each risk identified is described by a statement compiled under the "3C's" format (see Figure 3), thus avoiding ambiguity and introducing consistency into the process.

Condition
There is a risk that...		 Describe the condition or event or series of events that may happen
Cause
The risk is caused by... 		 ...Identify the generic cause area and describing the specific source of the event
Consequence
The direct impact of the risk occurring will be... 		 ...Describe the direct impact in terms of the effect on the work areas in which the event occurs (cost, schedule, performance & quality, payment milestone missed, liquidated damages, increase of inventories)

 

3.2.1 Identify

The identification of risks is performed throughout the project lifecycle and is not a 'one- of" exercise. As the project progresses, the Project Team gains additional knowledge, which can lead to the identification of further risks. Risks also change in scope as the project develops, with changes being communicated at regular risk meetings and the Risk Register being regularly updated to reflect current understanding.

At all stages care is taken to ensure the risks identified are not issues or concerns.

 

3.2.2 Risk Harmonisation

Harmonisation This evolves through the risk management process and has 3 goals:

  • Avoid duplication
  • Assess and rank all impacts
  • Define all response actions

At the identification stage, the Project Team ensures that there is no duplication of risks and that interfaces and interferences between risks and amongst functions are identified. Harmonisation is carried out to allow risks to be clustered by causes or consequences, to establish links between risks and the response actions

 

3.2.3 Define Ownership

All Project Team members are responsible for identifying risk, even outside their area. Therefore, the person or function that identifies a risk might not be the best resource to manage that risk to resolution. As the risks are reviewed, by the Project Manager and team, they use experience and judgement to allocate the management of particular risks, based on two considerations:

  • The function most impacted by the risks
  • The function best suited to manage the response actions

The risk owner then has responsibility for management of their risks and for the reporting of progress to the Project Manager at review meetings

 

3.3 STEP 2 - Assessment

Assessment of risks consists of evaluating the range of possible project outcomes, should the risk occur. This is carried out as follows:

  • Qualitative Assessment - Pre-Mitigation Assessment before execution of any response actions/ mitigations
  • Estimation of Risk Impact and Timing
  • Quantitative Assessment - Post-Mitigation Assessment based on the response actions being executed successfully and at the correct time (see Section 3.4.2)

The Project Team continuously review the Project risks to ensure that the full impact has been identified and estimated, updating the Risk Register as necessary.

 

3.3.1 Pre-Mitigation Assessment (Qualitative Assessment)

The pre-mitigation assessment is made by the risk owner and provides a rating for each risk. This allows an initial risk ranking to be made:

  • Giving visibility of the risk profile/ranking for the Project Team and management
  • Enabling the identification of the risks with highest potential, where immediate effort can be focussed

When completed, the qualitative assessment defines the risk ratings as HIGH, (H) MEDIUM (M) or LOW (L), based on the combined magnitude of the Impact and Likelihood of occurrence.
The level of precision is also input to the Risk Register, which is an indicator of the quality of information available when the estimate of Impact and Likelihood is made, namely:

  • H- knowledge of the risk Impact and Likelihood is adequate for all practical purposes
  • M - enough information is available to provide an estimate of the Impact and Likelihood
  • L - Insufficient information is available to make any useful estimate of either Impact or Likelihood

A risk categorised with H precision, allows actions to be formulated and implemented as soon as possible. Whereas with L precision of information, further investigation will be made into the risk to increase understanding. As the precision of information increases, with progression of the project and further understanding of the risks, the precision is updated together with changes to the Impact and Likelihood, if appropriate.

 

3.3.1.1 Pre-Mitigation Magnitude of Impact

The magnitude of a risk is related to the potential effect on the overall project, in terms of cost or potential delay, and is initially considered without the benefit of implementing any mitigation actions. Five bands are used to describe the potential effect of the risk being realised as shown in Figure 4. Similarly, the Likelihood of the risk occurring is also defined in bands, and through combining the Impact and Likelihood makes for a considered and achievable initial assessment of each risk, using a matrix approach.

 

RATING IMPACT 1 2 3 4 5
Low Minor Moderate Significant High

Cost (% of Project Value)

But no greater than (value in € or US$) 

<0,25%

1 m

0,25-0,5%

2.5 m

0,5-1%

5 m

1-2,5%

7.5m

>2,5%

10 m
Schedule No delay Delay, but can be mitigated during execution of delayed actions Delayed actions will cause the following actions to start delayed Will cause delayed completion of following actions Will cause delays for subsequent activities and impact a major milestone
  Unlikely Low Probability Possible Strong Probability Almost Certain
Pre-mitigation/Pre-Enhancement Probability of Occurrence 1-20% 20-40% 40-60% 60-80% 80-99%

 

3.3.1.2 Pre-Mitigation Risk Matrix

A matrix is used for visualisation of a risk, based on the Impact and Likelihood inputs, as listed in Figure 4. The resultant risk classification is displayed at a certain position on the matrix. The classifications are represented by different zones: with High risks denoted by the red, Medium by the yellow and Low by the green zone. The position of the risk on the matrix is designated by the Precision letter H, M or L which was input (see Figure 5, which is a screenshot from a Risk Register database).

A risk position in the red zone results from a high Likelihood of occurrence and high Impact potential and is given high priority by the team, with timely development of robust mitigation actions.

 


3.3.2 Risk Impact Timings

Consideration is given to the point at which each risk will be realised, again to assist in prioritisation and to allow grouping of actions. The Risk Register has provision for recording Impact Date and Status Date, as inputs representative of the whole project. A Deadline Date is included to prompt regular updating and assessment of a risk to ensure effective management

Mitigation Action Actionee * Action Deadline Data Status
x to understand the scope of stop boards required   30.10.2017 closed
x and x to undertake vision pubs to understand the parameters for installations of stop boards   30.10.2017 closed
delivery of the stop boards   15.07.2018 open
x and x to clarify the responsibility of purchasing the stop boards   30.10.20117 closed

 

3.4 STEP 3 - Response Planning

3.4.1 Risk Mitigation

Response Planning is the process of mitigating the risks identified. Each risk owner is responsible for planning and implementing response actions with support from the Project Team.

  • A response plan for a particular risk can include multiple actions involving any team member.

  • All Project Team members, including partners and suppliers, may be requested to identify and develop response measures for identified risks, even if they are not the owner.

  • The Project Team member responsible for a risk will identify an appropriate Response Actionee.

  • After response actions are defined, the Project Team members will review the actions and the Project Manager will confirm these.

  • The risk owner will complete all the information required to be input to the Risk Register, including Action Deadline Dates and Action Description and Mitigation Action Cost.

  • The risk owner and the Project Team members will liaise with all action owners and ensure commitment and agreement on completion dates.

The cost of implementing mitigation actions are estimated to evaluate the cost versus benefit of an action as, in certain cases, the response action costs might exceed the Impact cost.

 

3.4.2 Mitigation Assessment

This assessment is a more detailed quantitative or numerical assessment of the individual risks for cost and/or schedule Impact. The assessment is carried out as soon as possible to maximise the effect of any mitigation. The mitigations that are identified to address risks specific to a particular project are identified as measures which are additional to those normally included in the standard TfWRS processes. The assessment includes:

  • Definition of the mitigation{s) for each risk
  • The phase and person responsible for implementing the mitigation action(s)
  • A calculation of the cost of the mitigation
  • Consideration of the level of success of the mitigation

The risk estimate after mitigation is assessed as follows:

  • Maximum Cost and Schedule Impact - this is not automatically the same as the pre-mitigation Impact, which assumes mitigation actions will not be successful
  • Minimum Cost and Schedule Impact — is not automatically the cost or delay of the risk not occurring - the minimum Impact is the estimated minimum cost Impact and delay if the risk does occur, but assuming most of the mitigation actions will be successful
  • Most Likely Cost and Schedule Impact - is calculated accurately under the assumption that mitigation actions provide a fair effect, which can be most likely achieved

The probable risk cost Impact for budgeting is determined by multiplying the Most Likely Cost by the Probability Post-Mitigation. For each input the reasoning/details of the costs and probability are input to the Risk Register.
These assessments and inputs are performed by the risk owner and then reviewed by the Project Manager, Financial Controller and Head of New Trains Projects.

 

3.5 STEP 4 - Response Action Implementation

The risk owner is responsible for mitigation action implementation, monitoring completion date and reporting the status of the response actions at the regular risk review meetings.
Response action implementation is considered under the change control process, where a proposal is comprehensively reviewed, budgeted and approved prior to implementation. The mitigation action owner is responsible for the execution of the tasks or activities to complete the response action. When a response action is completed, and the results accepted by the Project Manager, the risk owner updates the information in the Risk Register and the assessment is modified, as appropriate

 

3.5.1 Response Action Prioritisation

Risks which could affect the project, at any stage, are constantly kept under review by the Project Manager; sometimes many months in advance of the phase where they could be realised. At any point in the project, attention is focussed on the risks and actions relating to the current phase to ensure timely completion of activities. Where appropriate some actions are integrated into the Project Programme to ensure they are monitored and incorporated into the project activities. The Project Manager creates reports from the Risk Register showing the response actions in the current project phase and distributes and reviews these with the team.

 

3.6 STEP 5 - Tracking and Reporting

Risk Tracking and Reporting within TFWRS provides continual visibility of risks to the Project Team as it is integral to the project status. The risk owners report on the status of the response actions to the Project Manager through regular risk meetings carried out at all stages in the project lifecycle.
Routine risk tracking is carried out through:

  • Functional Reviews

  • Project Team reviews

  • Monthly Internal and External (e.g. with suppliers) Project Reviews

The Project Manager oversees risks input to the Risk Register and reviews/advises on the content to ensure the descriptions, explanations, costings and mitigations are accurate and understandable for the whole Project Team.
Reporting of risk management issues are carried out through monthly progress reporting, which includes up to 5 top risks that could impact TFWRS.

 

3.7 STEP 6 - Closure

The risk owners are responsible for recommending closure of a risk to the Project Manager. A risk is closed only when the item is not considered a risk to the project. When a risk is closed, the Project Manager will log all appropriate information in the Risk Register.
Even when a response action is implemented successfully, a risk can still have a residual Impact which requires further mitigation/control. Risks can be closed when:

  • The risk is duplicated elsewhere
  • The risk has been mitigated and poses no more threat
  • The risk did not occur
  • The risk occurred (and becomes an issue)

4 Roles and Responsibilities

4.1 The Project Manager

The Project Manager is responsible for day-to-day management of risks, ensuring quality, completeness and accuracy of all information on risks, assessments, costings and mitigations in the Risk Register.
The Project Manager’s role includes the following duties:

 

4.1.1 Start-Up Phase

  • Ensuring that risk management workshops are conducted as required

  • Management of the handover of risks and their ownership from/to Project Execution team

  • Ensuring risk harmonisation during the Project Launch process

  • Management of the alignment of the team with respect to understanding the project's risks

 

4.1.2 Project Execution Phase

  • Leading periodic risk management activities

  • Ensuring that risk management workshops are run regularly (planned as a minimum every month)

  • Management of Project risks in the Risk Register

  • Manage, with the support of the Project Team members, the actions and closure of identified risks

  • Provide monthly Project risk status and progress reports

 

4.2 Project Core Team Members

  • Coordinate identification, assessment and response implementation of risks within their own functional area and any interfaces with other functions

  • Manage and challenge the assessment of risks

  • Identify solutions to minimise risks

  • Implement response actions

  • Report evolution and status on all functional risks

 

4.2.1 Risk Owner

The risk owner will generally be the Project Team member best placed to manage the risk and formulate mitigation actions to reduce the Likelihood or Impact of the risk being realised, through:

  • Defining and implementation of response actions
  • Follow-up on response actions
  • Reporting the status of risks to the Project Manager
  • Providing closing information to the Project Manager
  • Managing and updating risk information in the Risk Register

 

4.2.2 Mitigation Action Owner

Responsible for:

  • The execution of mitigation actions
  • Reporting status of the mitigation actions to the risk owner
  • Pro-actively managing the actions and reporting on any change in schedule or budget agreed for an action

 

4.2.3 Functional Risk Coordinator

The Project Manager can also assign a functional coordinator to participate in the risk management activities. In such cases, the functional coordinator fulfils the tasks and responsibilities for a particular functional area.

5 Document Review

This document, together with any associated documents, should be reviewed as a minimum every three years, upon legislative change and at regular intervals during the project such as whenever there is a significant change in order to maintain its effectiveness.