RISK MANAGEMENT PROJECT

INDEX
INTRODUCTION
11 Objectives and Benefits
12 What is meant by Risk
13 The Project Risk Management Process
14 ThreeTiered Scalability
15 Organization
16 Roles and Responsibilities
17 Managing the Risk Register
18 Communication in General
PLANNING PROJECT RISK MANAGEMENT
11
21 Creating the Projects Risk Management Plan
22 The Project Risk Management Team
23 Incorporating Project Risk Management Activities
into the Project Schedule
24 The First Project Risk Management Meeting
RISK IDENTIFICATION
31 The Risk Register
32 Identifying Project Risks
33 Examples of Risk Statements
34 Entering Data into the Risk Register
QUALITATIVE RISK ANALYSIS LEVEL 1
41 Risk Assessment
42 Entering Assessment into Risk Register Columns
QUALITATIVE RISK ANALYSIS LEVEL 2
51 Probability and Impact Ratings for Level 2 Projects
52 Performing Qualitative Risk Analysis
53 Entering Assessments into the Risk Register
QUANTITATIVE RISK ANALYSIS LEVEL 3
61 Quantifying the Risks
62 Entering Quantifications into the Risk Register
63 Producing the Risk Probability Curves 24
RISK RESPONSE
71 Risk Response Strategies
Examples of Risk Responses
Responding to Risks
74 Entering Risk Responses into the Risk Register
RISK MONITORING
11 Risk Review and Updating
12 Updating the Risk Register
13 Lessons Learned
COMMUNICATION AND ACCOUNTABILITY
21 Communication and Accountability Checkpoints
32
22 What Happens at a Communication Checkpoint
23 What Happens at an Accountability Checkpoint
24 What Happens at the Performance Measure
Checkpoint
APPENDIX A ACRONYMS AND DEFINITIONS
APPENDIX B RISK MANAGEMENT PLAN TEMPLATE
APPENDIX C RISK REGISTER CERTIFICATION FORM
APPENDIX D PD09 PROJECT RISK MANAGEMENT
APPENDIX E PROJECT RISK MANAGEMENT
STRUCTURE
APPENDIX F ACKNOWLEDGEMENTS
Preface
The Project Risk Management Process, described herein, is
intended to result in the effective
management of project risks and opportunities during the
entire project life cycle from project
inception to completion of construction. The project
manager, project sponsor, and project team
members jointly develop a risk register that enables them to
identify, assess, quantify, prepare a
response to, monitor, and control project risks.
This document provides information to project managers
and project teams that will help with their risk
management efforts in the following ways:
Provide a consistent methodology for performing project
risk management activities.
Provide techniques and tools for project risk
management.
Identify data requirements for risk analysis input and
output.
Provide information on how project risk management fits
into the overall project management
process at Caltrans.
Provide guidance on how to proactively respond to risks.
Project risk management is a scalable activity commensurate
with the size and complexity of the project
under consideration. Simpler projects may use simple
analysis, whereas larger more complex projects
may use more robust analysis techniques.
This Scalable Project Risk Management Handbook, which
may be revised and updated from time to time,
is applicable to all projects. The level of project risk
management depends on the total cost of the
project, as well as other considerations (see Chapter 1,
Section 14).
Chapter 1 gives an overview of project risk management, the
three levels of project risk management,
and the process, roles, and responsibilities.
Chapter 2 is designed to help the project manager plan the
risk management process, form the project
risk management team, and prepare a budget for project risk
management activities.
Chapter 3 provides instruction about risk identification and
starting the risk register. It is applicable to
all scalability levels.
Proceed to the risk analysis chapter for the level of your
project:
Level 1 Chapter 4
Level 2 Chapter 5
Level 3 Chapter 6
Chapters 7 through 9 are common to all projects. Chapter 7
details risk response, and Chapter 8 is about
risk monitoring.
Chapter 9 addresses the required communication
checkpoints for all projects and explains the required
accountability checkpoints where deputies must sign off on
the risk register. It also includes the Risk
Management Performance Measure requirements.
Introduction
11 Objectives and Benefits
Project Risk Management Objectives
The Project Risk Management Handbook has been designed
to:
Be simple and easy to use
Be scalable to project size and complexity
Pull communication of risks across project milestones
and phases
 Actively manage risk to enhance project success
Integrate into the current project delivery process, and
Involve all functional units in the management of risks.
Project Risk Management Values
Identifying, communicating, and managing project risks
requires a risk management culture. This
culture is defined by the values in which we operate. The
following attributes depict PRM values
required for the development of a successful risk
management culture.
Risk decisionmaking based on balancing project values
such as cost, schedule, and quality
Stewardship
Efficiency
Teamwork
Joint ownership of risks and responsibilities
Accountability
Benefits to the Project Team
Caltrans project risk management helps the project manager
and the other project members to manage
project risks over the life of each project, enlisting the
support and effort of all of the functional units as
the project moves along the delivery cycle. This includes:
Better ability for the project team to focus time and effort
on highest rated risks
 A scalable approach, consistent with existing processes
Enhanced coordination and transparency with functional
units, which facilitates early
identification of critical risks
Bridging of functional stovepipes to maintain focus on
project success by all functional units
Support of the project managers mission through the
management accountability process
12 What is meant by Risk
The meaning of the term risk must be understood clearly
for effective project risk management. In the
context of a project, we are concerned about potential
impacts on project objectives such as cost and
time. A general definition of risk in this context is:
Risk is an uncertainty that matters; it can affect project
objectives negatively or positively.
The uncertainty may be about a future event that may or
may not happen and the unknown magnitude of the impact
on project objectives if it does happen. Thus, a risk is
characterized by its probability of occurrence and its
uncertain impact on project objectives.
The kinds of risks appearing in a risk register are shown
below based on when they might occur during the life cycle
of a project.
Throughout the project life cycle, a future event that
may occur at any time in a projects lifecycle is a risk.
It has a probability of occurrence and an uncertain
impact if it does occur.
 During Planning and Design, uncertainty in the total
cost estimate, due to uncertain quantities and unit
prices is a risk. In this case the probability is 100%
(the estimate and its uncertainties exist), and the
uncertainties impact the project cost.
During construction, a Notice of Potential Claim (NOPC)
has a probability of becoming a Contract
Change Order (CCO) and an uncertain cost/time impact if
this happens. This risk is retired from
the register if the claim is dismissed or if it is replaced by a
CCO.
During construction, a CCO which has occurred (100%
probability) is a risk, but its cost/time
impact may be uncertain. If there is an estimate in the CCO
Log of the project, the uncertainty is
expressed as a range around the estimate. This risk is retired
from the register when the CCO is
executed with the contractor.
These examples are collectively referred to as risks in this
Handbook, and would all be included, when
applicable, in the projects risk register because they contain
uncertainty that affects project objectives.
Specifics about identifying risks are in Chapter 3, including
examples of risk statements.
Risk and issue are two words that are
often confused when it comes to their
usage. Actually there is some
difference between them.
A risk is an uncertain event that has a
probability associated with it. An issue
does not have this attribute. Issues
are problems right now that the
project team has to do something
about.
Think of risk management as a
proactive activity, while issue
management is reactive.
13 The Project Risk Management Process
The Basic Process
All approaches to project risk management strive to
maximize both efficiency and effectiveness. Although the
details of risk processes may differ depending on the
project, risk management has three important parts:
identification, analysis, and action. Before risk can be
properly
managed, it must first be identified, described,
understood, and assessed. Analysis is a necessary step,
but it is not sufficient; it must be followed by action. A
risk process which does not lead to implementation of
actions to deal with identified risks is incomplete and
useless. The ultimate aim is to manage risk, not simply to
analyze it.
The project risk management process (Figure 1) is not
difficult. It simply offers a structured way to think about
risk and how to deal with it. A full project risk
management endeavor includes these processes:
1. Risk Management Planning Deciding how
to approach, plan, and execute the risk management
activities for a project.
2. Risk Identification Determining which risks might affect
the project and documenting their
characteristics.
3. Qualitative Risk Analysis Prioritizing risks for
subsequent further analysis or action by
assessing and combining their probability of occurrence and
impact.
4. Quantitative Risk Analysis Analyzing probabilistically
the effect of identified risks on overall
project objectives.
5. Risk Response Developing options and actions to
enhance opportunities and to reduce
threats to project objectives.
6. Risk Monitoring Tracking identified risks, monitoring
residual risks, identifying new risks,
executing risk response plans, and evaluating their
effectiveness throughout the project life
cycle.
At its foundation, project risk management involves asking
and answering a few simple questions:
 What risks might negatively (threats) or positively
(opportunities) affect achieving the project
objectives? (Risk identification)
Which of these are most important? (Qualitative risk
analysis)
How could these affect the overall outcome of the project
in probabilistic terms of cost and
schedule? (Quantitative risk analysis)
What can be done about it? (Risk response)
Having taken action, how did the responses effect change,
and where is the project now? (Risk
monitoring)
Who needs to know about this? (Communication)
FIGURE 1 PROJECT RISK MANAGEMENT PROCESS
While these questions are listed sequentially and are usually
conducted in this order, they are often
combined, repeated as the project progresses, or may even
be performed out of sequence.
The questions constitute a process, shown in Figure 1,
indicating how the different elements of project
risk management interact and describing how risk
management can be implemented. The process has a
circular form to highlight that it is a continuous process
throughout the life cycle of a project.
The arrows signify the logical flow of information between
the elements of the process. Communication
is the core of this process. It is the means by which all the
information flows and the project team
continuously evaluates the consistency and reasonableness
of risk assessments and their underlying
assumptions.
14 ThreeTiered Scalability
A recent analysis of the total cost (capital and support) of the
Departments current contracts revealed
the following breakdown. Sixtyseven percent of contracts
are under $5 million, 30 percent are in the
range of $5 $100 million, and 3 percent are over $100
million. Accordingly, three ranges were selected
for the scalability levels of Project Risk Management. The
risk management requirements are listed in
Table 1.
TABLE 1 RISK MANAGEMENT REQUIREMENTS BY
SCALABILITY LEVEL
Scalability
Level
Estimated Cost
(Capital and Support) Risk Management Requirements
Minor A, Minor B, and other
projects less than $1 million Risk register encouraged
1 Less than $5 million Risk register
2 $5 million to $100 million Risk register with qualitative
analysis
3 Greater than $100 million Risk register with quantitative
analysis
The requirements per scalability levels are minimum
requirements. The project team may choose to
work at a higher scalability level than required or work at a
lower level if approved by the SFP. However,
the project team should consider other factors to determine
what level of risk management effort is
needed. These factors may include:
Political sensitivity
The type of the project
Location of the project and the community it serves
Duration of the project
Stakeholders of the project
The sponsors sensitivity to the primary objectives of the
project (cost and schedule).
Any of these factors may warrant employing a higher
scalability level.
The activities for each Scalability Level are shown in Table 2.
TABLE 2 LEVELS OF PROJECT RISK
MANAGEMENT SCALABILITY
Risk Management
Process
Level 1
Cost to $5 M
Level 2
Cost $5100 M
Level 3
Cost over $100 M
Risk Identification Yes Yes Yes
Qualitative Analysis Risk Rating Probability/Impact
Matrix n/a
Quantitative Analysis n/a n/a Yes
Risk Response Yes Yes Yes
Risk Monitoring Yes Yes Yes
Communication Yes Yes Yes
The levels differ in the Qualitative and Quantitative Analysis
processes. All levels perform the other
processes. Level 3 quantifies risks in probabilistic forecast
terms of cost and time, whereas Levels 1 and
2 do not.
Irrespective of the projects total cost, Level 3 might be used
if any of the following activities are
contemplated for the project:
Validating the projects contingency allowance
Justifying and requesting additional contingency above
5%
During construction, checking the adequacy of the
remaining contingency
During construction, requesting supplemental funds
Allocating risks of a designbuild project
Establishing the budget and/or completion target date to
a desired level of confidence
More complex projects might request exemptions depending
on the Level 3 probabilistic cost. Level 3
analysis may be used in support of revisions to the projects
programming dollar amount.
Need more Contingency?
According to PD04, there is a process to request more
contingency:
"Contingency Approval Process When the 5 percent
project
contingency must be increased or decreased, the project
engineer must
prepare a memorandum justifying the need and requested
percentage
for contingencies. A fully developed risk management plan
with a
quantitative risk assessment would be an acceptable
document to help
justify an exception to the 5 percent contingency."
Source: PD04 Project Contingencies and Supplemental
Work, Appendix A
According to the RTL Guide, the memorandum to request
more contingency
must have the approval of the District Director.
15 Organization
The Project Risk Management Team (PRMT) is the core
group performing, updating, and reviewing risk
management activities under the direction of the Project
Risk Manager (PRM), who has been trained in
the processes. The PRMT will include members of the PDT,
but not necessarily all members. The PRMT
risk management meetings may be scheduled to follow the
PDT meeting.
The PRMT comprises Caltrans project personnel from
Design, Construction, Project Management, and
the Functional Units involved in the project. The members of
the PRMT should collectively have all of
the expertise required to identify, assess, and respond to
risks of the project. However, they should not
hesitate to draw on the extensive talent pool available to the
project for assistance. Representatives
from other agencies, if any, may be invited to participate at
PRMT meetings to ensure that all parties are
fully informed, and thus avoid surprises.
The PRMT is directed by the PRM. The project manager
generally acts as the PRM for Level 1 and 2
projects.
In scheduling PDT meetings, the project manager should
indicate when risk discussions will be on the
agenda so that PRMT members can plan to attend for risk
discussions as well as other agenda items.
Discussing Risks as a Team has Value
Conducting risk management meetings as a team has value.
The team
listens to its members discuss risks, and the team can
provide input from
different perspectives. This cannot occur in oneonone
discussions of risk.
In discussing risks, the work of individual team members
can have an
impact on the work of the rest of the team. Listening to team
members, and
discussing their challenges, provides a greater likelihood
that the impact of a
risk will be assessed properly.
16 Roles and Responsibilities
TABLE 3 PROJECT RISK MANAGEMENT ROLES
AND RESPONSIBILITIES
Role Responsibilities
Project
Managers
With input from the Project Development Team (PDT),
determine the projects risk register
requirements based on project estimate and complexity, and
the need for a written project
Risk Management Plan.
Promote and direct risk management for the project.
Request projectspecific changes to minimum risk
management requirements.
Populate and maintain the project risk register with risks
developed by functional units and
the PRMT.
Ensure proactive response to all risks and opportunities that
will impact the successful
delivery of the project.
Produce risk management reports for sponsors.
Inform Department management about risk management
results, major issues, and
concerns.
 Schedule and conduct project risk meetings.
Monitor and update risks.
Ensure quality of the risk data in the risk register.
Track and monitor the effectiveness of risk response actions.
Elevate issues to district management for resolution as
necessary.
Take lead role in obtaining signoffs at accountability check
points.
District Risk
Management
Coordinator
Assist project managers with the implementation of PRM
requirements.
Provide expertise, direction, and assistance.
Obtain expert services as needed.
Liaise with Headquarters risk management.
Project Delivery
Team Member
Identify and assess risks.
Develop responses to risks.
Document risk response actions and report to project
manager for inclusion in risk
management updates.
 Communicate with project manager about newlyidentified
risks, risk assessments, and
retirement of risks.
Project Risk
Manager
(Generally the
project manager
for Level 1 and 2
projects)
Promote and direct risk management for the project.
Schedule and conduct project risk meetings.
Perform risk monitoring and updating.
Ensure quality of the risk data in the Risk Register.
Document risk response actions.
Track and monitor the effectiveness of risk response actions.
Report to the project manager on all matters related to risk
management.
Compile the lessons learned in the area of risk management.
Produce risk management reports for the project manager.
Populate the project risk register with risks developed by
functional areas.
Project Delivery
Team Members
and Task
Managers
 Identify and assess risks and determine the risk owners.
Develop responses to risks.
Document risk response actions and report to project
managers for inclusion in risk
management updates.
Communicate new risks to project managers.
Retire risks.
17 Managing the Risk Register
The projects project risk manager facilitates the risk
management process, ensures that the PRMT fully
vets the risk register, and makes sure that disputes are
resolved.
Communication with Functional Units
The project manager initiates the project risk management
process and owns it until the project is
completed. The project manager should involve all
functional units and Construction in the risk
management process from inception to project completion.
Communication and Accountability Checkpoints
Although risks can and should be discussed with project
team members and management at any time
during the course of a project, it is desirable to have
checkpoints to ensure the project does not
unnecessarily proceed on a course of action that may not be
feasible and may be changed later by a
decisionmaker.
The communication and accountability checkpoints are
detailed in Chapter 2. They are relative to the
existing standard milestones in the Caltrans Work
Breakdown Structure. The latest risk register is
communicated at each checkpoint. The risk register is to be
approved and signedoff by the Deputies at
the accountability checkpoints.
18 Communication in General
Communication and consultation with project stakeholders
are a crucial factor in undertaking good risk
management and in achieving project outcomes that are
broadly accepted. It helps everyone to
understand the risks and tradeoffs that must be made in a
project. Communication ensures that all
parties are fully informed, and thus avoids unpleasant
surprises.
Regular reporting is an important component of
communication. Reports on the current status of risks
and risk management are required for managers and other
parties to understand the risks. They
complement other management reports in developing this
understanding. The project risk manager
will prepare and issue periodic risk management reports as
required by the project manager
To ensure a clear audit trail, the project risk manager will
ensure that the risk management process is
documented in such a way that it can be reviewed, the
structure and assumptions can be examined, and
the reasons for particular judgments and decisions can be
identified.
Planning Project Risk Management
21 Creating the Projects Risk Management Plan
A written Risk Management Plan is not required for all
projects. It depends
on the project size and complexity and the amount of risk
management
effort that will be required. The project manager and the
PDT may decide if
it is necessary.
The Risk Management Plan (RMP) defines the level at which
risk management will be performed for the
project and the frequency of risk management meetings and
risk register updates. It lists the members
of the Project Risk Management Team by the various
disciplines involved in the project and sets a
budget for the risk management activities. The RMP should
be completed early in project planning,
since it is crucial to successfully performing the other
processes described herein.
A Project Risk Management Plan template is shown in
Appendix B and may be downloaded from:
http://onramp/riskmanagement
This step will ensure that the level, type, and visibility of risk
management are commensurate with
both the risk and importance of the project to the
organization, provide sufficient resources and time
for risk management activities, and establish an agreedupon
basis for evaluating risks.
First steps:
Determine the scalability level for the project.
 Download the risk register for the scalability level from:
http://onramp/riskmanagement.
Determine the frequency of risk meetings for the project
and the applicable communication and
accountability checkpoints.
Decide who will be on the Project Risk Management
Team.
If significant effort or outside consultants will be
involved, include estimates for project risk
management activities in work plans.
If applicable, obtain the necessary approvals for the
written RMP.
22 The Project Risk Management Team
The Project Risk Management Team (PRMT) is the core
group performing, updating, and reviewing risk
management activities under the direction of the project risk
manager. The PRMT will include members
of the PDT, but not necessarily all members.
The PDT may not continue regular meetings after RTL.
Emphasize that the
PRMT is expected to stay together to manage risks until
project completion.
Incorporating Project Risk 23 Management Activities
into the Project Schedule
The project schedule (work plan) should incorporate the
following:
Dates for project risk management meetings
 Time to allow team members to prepare for review of the
risk register and risk responses
Milestones for communication and accountability
checkpoints (see Chapter 2)
24 The First Project Risk Management Meeting
The first time that the PRMT meets, the project manager
should brief the team about the following:
The importance and objectives of the project risk
management process
The process itself
The roles and responsibilities
The risk register
The communication and accountability check points
Risk management activities in the project schedule
Time charge codes for risk management activities
The expectation that risk will be managed, documented,
and reported
At this first meeting, elicit risks from the team members. If
working to Level 2 scalability, determine the
impact and probability definitions so that the team has the
same understanding of the meaning of the
word descriptions. (See Table 5 on page 20 for guidance.)
The PDT may include external stakeholders and agencies in
addition to
Caltrans personnel. At PDT meetings, after regular PDT
business is
concluded, the PRMT members from the PDT can remain to
conduct a
project risk management meeting.
Risk Identification
Risk identification determines what might happen that could
affect the
objectives of the project and how those things might happen.
It produces a
deliverable the project risk register that documents the
risks and their
characteristics. The risk register is subsequently amended
by the qualitative
or quantitative risk analysis, risk response, and risk
monitoring processes.
Risk identification is an iterative process because new risks
may become
known as the project progresses through its life cycle,
previouslyidentified
risks may drop out, and other risks may be updated.
Risk Includes Threats and Opportunities
The concept of risk can include positive and negative
impacts. This means that the word risk can be
used to describe uncertainties that, if they occurred, would
have a negative or harmful effect. The same
word can also describe uncertainties that, if they occurred,
would be helpful. In short, there are two
sides to risk: threats and opportunities.
Projects in design have the greatest potential for
opportunities because the project is still open to
changes. Risk reduction and avoidance are opportunities, as
are value analyses, constructability
reviews, and innovations in design, construction methods,
and materials.
Once a project enters construction, the project objectives
(scope, time, and cost) are fixed contractually,
so opportunities to save money and time are fewer. Any
changes must be made using a contract change
order (CCO), and only a negative CCO such as one resulting
from a Value Engineering Change Proposal
by the contractor would still afford an opportunity to save
money and time. Otherwise, CCOs add cost
and/or time to the project. So, the risk management focus
during construction is on reducing or
eliminating risks.
31 The Risk Register
What it is
A risk register is a tool that project teams can use to address
and document project risks throughout the
project life cycle. It is a living document a comprehensive
listing of risks and the manner in which they
are being addressed as part of the project risk management
process. The risk register is maintained as
part of the project file that also includes information related
to uncertainties in the cost estimate and
schedule.
Risk register templates for each scalability level can be
downloaded from:
http://onramp/riskmanagement
Why use it
A new project team is formed for every project and
disbanded when the project is complete. Although
not desirable, project team members sometimes change, and
the project experiences change over the
course of the project. Communication among project team
members about the project objectives, costs,
risks, etc., is vital. The risk register communicates project
risks and helps the team members understand
the status of the risks as a project moves from inception
toward completion.
Managers should view the risk register as a management
tool through a review and updating process
that identifies, assesses, manages, and reduces risks to
acceptable levels.
Monitoring
& Control
Response
Planning
When to use it
A risk register is required to be prepared in conjunction with
the first published cost and schedule
estimate of a project (at the PID phase). Thereafter, a full
review and update of the risk register should
be undertaken at the beginning of each subsequent phase of
the project. The register will be updated at
least quarterly during the construction phase of the project.
How to use it
A risk register is best used as a living document throughout
the projects entire life cycle, from PID
through construction, to record the evolution of project
risks. There is no prescription for how extensive
a projects risk register should be. The project team decides
the most beneficial use of the risk register,
with the objective of minimizing the risk impact.
Resolving Disputes
Successful implementation of a risk mitigation measure is
one of the most important aspects of project
risk management. When PRMT members are at odds on
whether or not these measures can be
implemented, the dispute should be elevated to assist in its
resolution. The team should have a Dispute
Resolution Ladder (DRL) that outlines when and how
disputes will be elevated and subsequently
resolved. The DRL should be created in the initial PRMT
meeting and used throughout the life of the
project.
Disputes should be elevated once all relevant information is
known, and agreement is not reached or a
decision cannot be made.
Example Dispute Resolution Ladder
PM facilitates resolution and elevation
If unresolved among PRMT members Elevate to Functional
Manager(s)
If unresolved by Functional Manager(s) Elevate to Deputies
It is important to note that the dispute may be resolved by
the Department accepting the risk and not
implementing the mitigation measure.
32 Identifying Project Risks
The first time that risk management is applied to a project,
the project risk manager convenes the PRMT
to identify and assess risks. Risk identification documents
risks that might affect the project and their
characteristics of probability and impact.
A common challenge in risk identification is avoiding
confusion between causes of risk, genuine risks,
and the effects of risks. A risk may have one or more causes
and, if it occurs, one or more effects.
Causes are definite events or sets of circumstances which
exist in the project or its
environment, and which give rise to uncertainty. Examples
include the need to use an
unproven new technology, the lack of skilled personnel, or
the fact that the organization
has never done a similar project before. Causes themselves
are not uncertain since they
are facts or requirements, so they are not the main focus of
the risk management
process.
Risks are uncertainties which, if they occur, would affect
the project objectives either
negatively (threats) or positively (opportunities). Examples
include the possibility that
planned completion targets might not be met, escalation
rates might fluctuate, or the
chance that requirements may be misunderstood. These
uncertainties should be
managed proactively through the risk management process.
Effects are unplanned variations from project objectives,
either positive or negative,
which would arise as a result of risks occurring. Examples
include early milestone
completion, exceeding the authorized budget, or failing to
meet agreed quality targets.
Effects are contingent events, unplanned potential future
variations which will not occur
unless risks happen. As effects do not yet exist, and they may
never exist, they cannot be
managed directly through the risk management process.
Including causes or effects in a list of identified risks
obscures genuine risks, which may not
receive the appropriate degree of attention they deserve.
One way to clearly separate risks from
their causes and effects is to use a description with required
elements to provide a threepart
structured risk statement: As a result of <definite cause>,
<uncertain event> may occur, which
would lead to <effect on objective(s)>.
Examples include:
As a result of using a new technology (a definite
requirement), unexpected design
problems may occur (an uncertain risk), which would lead to
overspending on the
project (an effect on the budget objective).
Because our organization has never done a project like
this before (fact = cause), we
might misunderstand the requirements (uncertainty = risk),
and our project would not
meet the performance criteria (contingent possibility =
effect on objective).
At the risk identification stage, the impacts on cost and time are
not analyzed that happens in the
qualitative risk analysis (Chapter 4) or quantitative risk analysis
(Chapter 5) processes.
The team members identify the potential risks (threats and
opportunities) using any combination of:
Brainstorming,
Challenging of assumptions,
Looking for newness (e.g. new materials, technology, or
processes),
Their knowledge of the project or similar projects,
Consultation with others who have significant knowledge
of the project or its environment,
Consultation with others who have significant knowledge
of similar projects, and
The experience of project stakeholders or others in the
organization.
A list of typical risks from the previous Caltrans risk
management handbook
may be downloaded from:
http://onramp/riskmanagement
The list is for guidance only. It is not intended as an
exhaustive list, nor is it
a substitute for other methods of identifying risks. Some of
the items are
issues and not risks (The difference is explained in the
sidebar on page 4).
In identifying risks, the team considers and documents:
What may happen or not go according to plan,
What the impacts to the project objectives would be
should the risk arise,
What the assumptions and current status are that
support the assessment of the risk,
What action, if any, has been taken to respond to the risk,
and
What further options might be available for responding
to the risk?
The information is entered into the risk register. Each risk is
assigned to a member of the PRMT who
becomes its Risk Owner. The risk register is reviewed and
updated throughout the project.
The project manager, at his option, may elicit initial risk
registers from the functional units and
consolidate the contributions into a single project risk
register. Alternatively, the project risk register
may be developed during a PRMT meeting.
DIFFERING SITE CONDITIONS
Access to all areas of a project site may not be available prior
to
construction. This makes it difficult to determine
environmentally
sensitive areas or subsurface information needed to design
roadways and
foundations. The team needs to recognize the uncertainty
that arises
from this lack of information and provide the means to
address it in the
construction phase.
Some options for addressing the risks from unknown
conditions:
1. Execute a service contract to determine the information
during the
design phase, and revise contract documents accordingly.
2. Provide language in the Special Provisions for the
contractor to
provide access to the job site for the Department's personnel
as a first
order of work.
3. Provide language in the Special Provisions for the
contractor to hold
off on ordering materials whose quantity may be impacted
by this
new information.
4. Provide resources for design personnel to perform a
timely
design/assessment using the new information.
33 Examples of Risk Statements
TABLE 4 EXAMPLE RISK STATEMENTS FROM
CALTRANS PROJECTS
Risk Statement
Design
Inaccuracies or incomplete information in the survey file
could lead to rework
of the design.
A design change that is outside the parameters
contemplated in the
Environmental Document triggers a supplemental EIR which
causes a delay
due to the public comment period.
Environmental
Potential lawsuits may challenge the environmental report,
delaying the start of
construction or threatening loss of funding.
Nesting birds, protected from harassment under the
Migratory Bird Treaty Act,
may delay construction during the nesting season.
R/W
Due to the complex nature of the staging, additional right of
way or
construction easements may be required to complete the
work as
contemplated, resulting in additional cost to the project.
Due to the large number of parcels and businesses, the
condemnation process
may have to be used to acquire R/W, which could delay start
of construction by
up to one year, increasing construction costs and extending
the time for COS.
Construction
Hazardous materials encountered during construction will
require an onsite
storage area and potential additional costs to dispose.
Unanticipated buried manmade objects uncovered during
construction require
removal and disposal, resulting in additional costs.
IMPORTANCE OF SITE VISITS
Site visits during the design phase are an effective risk
management step.
Not visiting the site creates uncertainties about conditions,
which must be
recognized as risks.
For example, a project in South San Francisco used the as
builts for the
contract to determine the existing conditions. The project
team was
unaware that the work was part of a corridor project
constructed under
several contracts. The plans neglected to show the alignment
of several
ramps in the previouslyconstructed interchange. This risk
could have
been prevented with a site visit. In this instance, the design
was
performed by another district, and travel to the job site was
deemed
impractical. Consequently, risks stemming from site
conditions were not
identified. Fortunately, the impact of omitting asbuilt
conditions was
quickly identified and mitigated in construction. While this
timely action
reduced delays to the project, significant contingency funds
were
expended, necessitating a request for supplemental funds.
34 Entering Data into the Risk Register
The images herein are from the spreadsheet version of the
risk register
for each scalability level.
A workbook containing a sheet for each scalability level risk
register may be
downloaded from:
http://onramp/riskmanagement
At this stage, complete the information in the following risk
register columns:
Column Contents
Status Select Active or Retired. A risk is retired when it has
no
further possibility of impacting the project.
ID # Enter a unique identifying number for the risk.
Risk Type
(Levels 1 and 2 only) Enter either a Threat or an
Opportunity,
Category
Select one of the categories for the risk.
(Environmental, Design, R/W, DES, Construction, External,
Organizational, or PM)
Threat/Opportunity Event Provide a descriptive title for the
risk.
Description
Write a complete description of the event and its potential
impacts on the project if this risk were to occur. See Section 32
for the structure of the risk statement.
Current Status/Assumptions If applicable, describe what
we currently know about the risk
and any assumptions made.
Risk Owner Enter the name of the PRMT member responsible
for this risk.
Updated Enter the date the risk was created.
Other columns in the risk register will be completed or
updated by the qualitative (Chapter 4) or
quantitative (Chapter 5) risk analysis and risk response
processes in Chapter 7.
Previous editions of risk registers used in the Department
have a column for the risk trigger, but not
many risks have a clear trigger. So as not to take space from
a crowded risk register, if a trigger is
identified for a risk, it should be described in relation to the
risk response.
SCALABLE PROJECT RISK MANAGEMENT
Version 1 (June 2012) Page 19
Chapter 4 Qualitative Risk Analysis Level 1
Qualitative risk analysis includes methods for prioritizing
the identified
risks for further action, such as risk response. The PRMT can
improve the
projects performance effectively by focusing on high
priority risks.
Team members revisit qualitative risk analysis during the
projects lifecycle.
When the team repeats qualitative analysis for individual
risks, trends may
emerge in the results. These trends can indicate the need for
more or less
risk management action on particular risks or even show
whether a risk
mitigation plan is working.
41 Risk Assessment
Qualitative risk analysis for Level 1 projects assigns a Risk
Rating to each risk in the risk register. The
risk ratings determine where the greatest effort should be
focused in responding to the risks. They
facilitate structured risk response action and resource
allocation.
The three ratings for Level 1 projects are:
High First priority for risk response.
Medium Risk response as time and resources permit.
Low No risk response required at this time.
42 Entering Assessment into Risk Register Columns
The qualitative risk analysis of each risk is entered into the
following columns of the Level 1 risk
register.
Column Contents
Risk Rating Select High, Medium, or Low as a measure
of the
importance of this risk for response action.
Rationale Describe the reasons the PRMT selected this risk
rating.
Other columns in the risk register will be completed or
updated by the risk response process in Chapter
7.
Monitoring
& Control
Response
Planning
Qualitative Risk Analysis Level 2
Qualitative risk analysis includes methods for prioritizing
the identified
risks for further action, such as risk response. The PRMT can
improve the
projects performance effectively by focusing on high
priority risks.
Team members revisit qualitative risk analysis during the
projects lifecycle.
When the team repeats qualitative analysis for individual
risks, trends may
emerge in the results. These trends can indicate the need for
more or less
risk management action on particular risks or even show
whether a risk
mitigation plan is working.
Qualitative risk analysis for Level 2 projects assesses the
priority of identified risks using their
probability of occurring and the corresponding impact on
project objectives if the risks occur.
51 Probability and Impact Ratings for Level 2 Projects
Table 5 lists the Caltrans standard definition of risk
probability and impact ratings. The cost impact
ratings may be easier to apply if expressed in terms of
dollars. The ratings for the project serve as a
consistent frame of reference for the PRMT in assessing the
risks during the life of the project.
The table is intended as a guide the PRMT may define
dollar and time ranges as appropriate for the
project. The impacts are to the overall project. Schedule
delay applies to risks that are on the critical
path (the longest path). During the Planning and Design
phase, delay impacts to RTL may be of primary
interest. During construction, delays impact project
completion.
Cost impacts are based on the sum of Capital Outlay (CO)
and Capital Outlay Support (COS) costs.
TABLE 5 DEFINITIONS OF IMPACT AND
PROBABILITY RATINGS
Rating --> Very Low Low Moderate High Very High
Cost Impact of
Threat
(CO + COS)
Insignificant
cost increase
<5% cost
increase
510% cost
increase
1020% cost
increase
>20% cost
increase
Cost Impact of
Opportunity
(CO + COS)
Insignificant
cost
reduction
<1% cost
decrease
13% cost
decrease
35% cost
decrease
>5% cost
decrease
Schedule
Impact of
Threat
Insignificant
slippage
<1 month
slippage
13 months
slippage
36 months
slippage
>6 months
slippage
Schedule
Impact of
Opportunity
Insignificant
improvement
<1 month
improvement
12 months
improvement
23 months
improvement
>3 months
improvement
Probability 19% 1019% 2039% 4059% 6099%
Monitoring
& Control
Response
Planning
52 Performing Qualitative Risk Analysis
The PRMT assesses each identified risk in turn and assesses:
The rating for the probability of the risk occurring, and
The rating of cost and time impact of each risk, should it
occur.
The risk matrix in Figure 2 is used to determine the
importance of each risk impact based on the
probability and impact ratings. Each word descriptor of the
rating has an associated number; the
product of the probability number and impact number
defines the risk score.

FIGURE 2 CALTRANS RISK MATRIX

For a particular impact, the combination of the probability
rating of the risk occurring and the impact
rating positions the risk into one of the three colored zones
in the risk matrix. The color of the zone
indicates the priority of the risk for risk response: red zone
signifies high importance, yellow is medium
importance, and green is low importance.
For example, a risk having a Moderate probability and a
High impact falls into the red zone. Its
impact score is 3 x 8 =24.
53 Entering Assessments into the Risk Register
The qualitative risk analysis of each risk is entered into the
following columns of the Level 2 risk
register.
Column Contents
Probability Select the probability level from the dropdown
list.
Cost Impact Select the cost impact level from the dropdown
list.
Time Impact Select the time impact level from the dropdown
list.
Rationale Describe the rationale for these assessments.
The Cost Score is equal to the Probability number times
the Cost Impact number.
Probability
Rating
5 Very High
4 High
3 Moderate
2 Low
1 Very Low
1
Very Low
2
Low
4
Moderate
8
High
16
Very High
Impact Rating
The Time Score is equal to the Probability number times
the Time Impact number.
The risks in a colored zone may be further prioritized for
risk response according to their Cost and Time
Scores. The higher the score, the higher the priority for risk
response and monitoring.
Other columns in the risk register will be completed or
updated by the risk response process in Chapter
7.
Chapter 6 Quantitative Risk Analysis Level 3
Level 3 will require expertise and training. Please see the
District Risk
Management Coordinator for guidance.
Quantitative risk analysis is a way of numerically estimating
the probability
that a project will meet its cost and time objectives.
Quantitative analysis is
based on a simultaneous evaluation of the impact of all
identified and
quantified risks, using Monte Carlo simulation by @Risk,
Crystal Ball, or
Primavera Risk Analysis software. The result is a probability
distribution of
the projects cost and completion date based on the
identified risks in the
project.
Quantitative risk analysis simulation starts with the model of
the project and
either its project schedule or its cost estimate, depending on
the objective. The degree of uncertainty in
each schedule activity and each lineitem cost element is
represented by a probability distribution. The
probability distribution is usually specified by determining
the optimistic, the most likely, and the
pessimistic values for the activity or cost element. This is
typically called the 3point estimate. The
three points are estimated by the project team or other
subject matter experts who focus on the
schedule or cost elements one at a time.
Specialized simulation software runs (iterates) the project
schedule or cost estimate model many times,
drawing duration or cost values for each iteration at random
from the probability distribution derived
from the 3point estimates for each element. The software
produces a probability distribution of
possible completion dates and project costs. From this
distribution, it is possible to answer such
questions as:
How likely is the current plan to come in on schedule or
on budget?
How much contingency reserve of time or money is
needed to provide a sufficient degree of
confidence?
Which activities or lineitem cost elements contribute the
most to the possibility of overrunning schedule
or cost targets can be determined by performing sensitivity
analysis with the software.
61 Quantifying the Risks
The project risk manager leads the PRMT in quantifying cost
and schedule risks.
The probability of the risk occurring is expressed by two
values: Low and High that cover the
range.
Threepoint estimates are used for cost and schedule
impacts. The threepoint estimate consists
of determining the Low (optimistic), High (pessimistic)
and Most Likely values for the cost
and time. The most likely value may be omitted if it cannot
be established credibly.
The cost impacts include direct costs only; they exclude any
cost of delay (determined from the output
of a schedule risk analysis see Schedule Risk Analysis on
page 25). Schedule impacts are expressed
in days of potential delay due to the risk. Some risks may not
have both cost and schedule impacts.
Monitoring
& Control
Response
Planning
Qualitative
Analysis
SCALABLE PROJECT RISK MANAGEMENT
Version 1 (June 2012) Page 24
Potential project delivery schedule delays can impact RTL
and construction duration. The cost of
potential delay to RTL may be a risk item in the risk register.
The potential delay during construction is converted to cost
using a daily rate that includes timerelated
overhead and the direct costs associated with time
(equipment, etc.). It is carried in the risk register
separately from the RTL delay risk.
62 Entering Quantifications into the Risk Register
The qualitative risk analysis of each risk is entered into the
following columns of the Level 2 risk
register.
Column(s) Contents
Probability Enter the Low to High values.
Cost Impact
If there is a cost impact, enter a Low and High cost. If there
is reason for a credible Most Likely cost, enter it; otherwise,
leave this entry blank.
If no cost impact, leave these cells blank.
Time Impact
If there is a time impact, enter a Low and High time in days.
If there is reason for a credible Most Likely time, enter it;
otherwise, leave this entry blank.
If there is no time impact, leave these cells blank.
Rationale Enter the rationale for these assessments.
Probable Cost is calculated from the average value of the
Probability range multiplied by the
average value of the Cost Impact range.
Probable Time is calculated from the average value of the
Probability range multiplied by the
average value of the Time Impact range.
The risks are prioritized for risk response in descending
order of their Probable Cost and/or Probable
Time.
Other columns in the risk register will be completed or
updated by the risk response process in Chapter
7.
63 Producing the Risk Probability Curves
The quantifications in the risk register should be combined
to produce probability curves of the total
cost of the risks and the total delay to the project. This
requires knowledge of special risk modeling
tools such as @Risk, Crystal Ball, or Primavera Risk Analysis
for schedule risk modeling. The project risk
manager may perform these risk analysis tasks, if trained, or
they may be performed by a Department
specialist. The District Risk Management Coordinator can
obtain expert services as needed.
Cost Risk Curve
The Risk Cost (RC) is the probability distribution of the total
cost of all risks in the project risk register.
Figure 3 is an example of a projects Risk Cost probability
distribution.

FIGURE 3 RISK COST PROBABILITY DISTRIBUTION

The chart shows the curves for the current assessment and
the previous assessment, if available.
Selected values of RC at 90%, 50%, and 10% probability
levels accompany the chart. For the example
above, the table would indicate:
Current Previous
90% chance RC is greater than $ 144 M $ 164 M
50% chance RC is greater than $ 185 M $ 206 M
10% chance RC is greater than $ 226 M $ 248 M
Schedule Risk Analysis
Schedule risk analysis may be performed using a simple
model that combines delay risks on the critical
path to RTL and project completion. This simple version can
be modeled using @Risk. This approach is
satisfactory if a Critical Path Method (CPM) schedule is not
available.
If a CPM schedule is available, the schedule is imported into
Primavera Risk Analysis, and the delay risks
are inserted. This tool runs the simulation and produces
output probability curves for selected
milestones. Expert knowledge is required to use this tool.
The curve will look similar to Figure 3 except
the horizontal axis will be a time scale.
If none of the above approaches are available, the PRMT can
estimate the overall delay to RTL and
project completion, and quantify them in the risk register.
The cost of the potential delay to RTL and project
completion, determined by any of the above methods,
should be captured in the risk register as two specific risks.
Using the Probability Curves
The probability distributions of cost and schedule may be
used by Project Management to accomplish
the following:
For a project in the Planning and Design phase:
Set project cost and schedule targets
Evaluate if cost estimates and schedules are realistic
Evaluate the adequacy of contingency reserves
Request a contingency exceeding the standard Caltrans
allowance
Evaluate the probability (risk) of exceeding specific cost
and time targets
Determine the sensitivity of the output probability
distribution to input risks (Risk Sensitivity
Diagram), highlighting the main risk drivers.
For a project in the Construction phase:
Perform riskbased budget analyses and forecasting cost
at completion
Assess the adequacy of remaining contingency
Request supplemental funds
Evaluate the probability of meeting completion targets.
Chapter 7 Risk Response
Risk response is the process of developing strategic options,
and determining
actions, to enhance opportunities and reduce threats to the
projects
objectives. A project team member is assigned to take
responsibility for each
risk response. This process ensures that each risk requiring
a response has
an owner monitoring the responses, although the owner
may delegate
implementation of a response to someone else.
71 Risk Response Strategies
For Threats For Opportunities
Avoid. Risk can be avoided by removing the cause
of the risk or executing the project in a different
way while still aiming to achieve project
objectives. Not all risks can be avoided or
eliminated, and for others, this approach may be
too expensive or timeconsuming. However, this
should be the first strategy considered.
Exploit. The aim is to ensure that the opportunity
is realized. This strategy seeks to eliminate the
uncertainty associated with a particular upside
risk by making the opportunity definitely happen.
Exploit is an aggressive response strategy, best
reserved for those golden opportunities having
high probability and impacts.
Transfer. Transferring risk involves finding
another party who is willing to take responsibility
for its management, and who will bear the liability
of the risk should it occur. The aim is to ensure
that the risk is owned and managed by the party
best able to deal with it effectively. Risk transfer
usually involves payment of a premium, and the
costeffectiveness of this must be considered when
deciding whether to adopt a transfer strategy.
Share. Allocate risk ownership of an opportunity
to another party who is best able to maximize its
probability of occurrence and increase the
potential benefits if it does occur. Transferring
threats and sharing opportunities are similar in
that a third party is used. Those to whom threats
are transferred take on the liability and those to
whom opportunities are allocated should be
allowed to share in the potential benefits.
Mitigate. Risk mitigation reduces the probability
and/or impact of an adverse risk event to an
acceptable threshold. Taking early action to
reduce the probability and/or impact of a risk is
often more effective than trying to repair the
damage after the risk has occurred. Risk mitigation
may require resources or time and thus presents a
tradeoff between doing nothing versus the cost of
mitigating the risk.
Enhance. This response aims to modify the size
of the positive risk. The opportunity is enhanced
by increasing its probability and/or impact,
thereby maximizing benefits realized for the
project. If the probability can be increased to 100
percent, this is effectively an exploit response.
Acceptance. This strategy is adopted when it is not possible
or practical to respond to the risk by the
other strategies, or a response is not warranted by the
importance of the risk. When the project
manager and the project team decide to accept a risk, they
are agreeing to address the risk if and when it
occurs. A contingency plan, workaround plan and/or
contingency reserve may be developed for that
eventuality.
Monitoring
& Control
Response
Planning
Examples of Risk Responses
Table 6 repeats the example risk statements from Table 4 and
shows a risk response for each.
TABLE 6 EXAMPLE RISK RESPONSES
Risk Statement Risk Response
Design
Inaccuracies or incomplete information in the
survey file could lead to rework of the design.
Mitigate: Work with Surveys to
verify that the survey file is
accurate and complete. Perform
additional surveys as needed.
A design change that is outside of the
parameters contemplated in the Environmental
Document triggers a supplemental EIR which
causes a delay due to the public comment
period.
Avoid: Monitor design changes
against ED to avoid reassessment
of ED unless the opportunity
outweighs the threat.
Environmental
Potential lawsuits may challenge the
environmental report, delaying the start of
construction or threatening loss of funding.
Mitigate: Address concerns of
stakeholders and public during
environmental process. Schedule
additional public outreach.
Nesting birds, protected from harassment under
the Migratory Bird Treaty Act, may delay
construction during the nesting season.
Mitigate: Schedule contract work
to avoid the nesting season or
remove nesting habitat before
starting work.
R/W
Due to the complex nature of the staging,
additional right of way or construction
easements may be required to complete the
work as contemplated, resulting in additional
cost to the project.
Mitigate: Resequence the work
to enable ROW Certification.
Due to the large number of parcels and
businesses, the condemnation process may have
to be used to acquire R/W, which could delay
start of construction by up to one year,
increasing construction costs and extending the
time for COS.
Mitigate: Work with Rightof
Way and Project Management to
prioritize work and secure
additional rightofway resources
to reduce impact.
Construction
Hazardous materials encountered during
construction will require an onsite storage area
and potential additional costs to dispose.
Accept: Ensure storage space will
be available.
Unanticipated buried manmade objects
uncovered during construction require removal
and disposal resulting in additional costs.
Accept: Include a Supplemental
Work item to cover this risk.
Responding to Risks
Following identification and analysis of project risks, the
PRMT takes action in response to the risks to
improve the odds in favor of project success. Ultimately, it is
not possible to eliminate all threats or take
advantage of all opportunities but they will be documented
to provide awareness that they exist and
have been identified. Successful risk response will change
the risk profile through the project life cycle,
and risk exposure will diminish.
Risk response involves:
The PRMT determining which risks warrant a response
and identifying which strategy is best
for each risk.
 Assigning an action to the Risk Owner to identify options
for reducing the probability or impacts
of each risk. The Risk Owner takes the lead and can involve
experts available to the project.
Evaluating each option for potential reduction in the risk
and cost of implementing the option.
Selecting the best option for the project.
Requesting additional contingency, if needed (for
guidance, refer to Appendix A of Project
Delivery Directive PD04 Project Contingencies and
Supplemental Work).
Assigning an action to the Risk Owner to execute the
selected response action. The Risk Owner
is the lead and may assign specific tasks to other resources
to have the response implemented
and documented.
If the PRMT judges that a risk should be accepted, it may
assign an action to the Risk Owner to prepare a
contingency plan if deemed necessary.
A RISK PERSPECTIVE CAN ENHANCE DECISIONS
When considering risk mitigation methodology, it is
important to
recognize the impacts of the decision. The impact of
responding to a risk
may make sense in the short term (e.g. Saves design costs,
allows team to
meet schedule), but the impact of the risk needs to be taken
as a whole.
For example, the impact of just a few unknown conditions
can affect the
construction schedule to the point where an environmental
work window
requires the project to be suspended. It is important to
recognize how
much of an impact there would be in making a decision.
While the direct
cost of resolving the unknown condition may be less than
the cost of a site
visit, the overall impact of the change may be a significant
delay to the
contract if not recognized.
74 Entering Risk Responses into the Risk Register
The risk response action for each risk is entered into the
Response Actions column of the risk register.
Chapter 8 Risk Monitoring
Continuous monitoring by the project risk manager and the
project team ensures that new and changing
risks are detected and managed and that risk response
actions are implemented and effective. Risk
monitoring continues for the life of the project.
Risk monitoring and control keeps track of the identified
risks, residual risks,
and new risks. It also monitors the execution of planned
strategies for the
identified risks and evaluates their effectiveness.
Risk monitoring and control continues for the life of the
project. The list of
project risks changes as the project matures, new risks
develop, or
anticipated risks disappear. Risk ratings and prioritizations
can also change
during the project lifecycle.
Typically, during project execution, risk meetings should be
held regularly to
update the status of risks in the risk register, and add new
risks. Periodic project risk reviews repeat the
process of identification, analysis, and response planning.
If an unanticipated risk emerges, or a risks impact is greater
than expected, the planned response may
not be adequate. The project manager and the PRMT should
perform additional responses to control
the risk.
Monitoring also determines whether:
The PRMT is performing periodic risk review and
updating
Risk management policies and procedures are being
followed
The remaining contingency reserves for cost and
schedule are adequate
And it may involve recommending:
Alternative risk responses
Implementing a contingency plan
 Taking corrective actions
Changing the project objectives
11 Risk Review and Updating
Periodically, the PRMT will convene to review the projects
risk register and risk response actions, and
to update project risk information.
Before updating the register and recording changes, the
project risk
manager should make a copy of the risk register for the
project files, noting
its data date. The set of risk registers will document how
risks have changed
over the life of the project and provide an audit trail should
it be required.
Monitoring
& Control
Response
Planning
The review tasks of the PRMT include the following:
Identify, analyze, and plan response actions for newly
arising risks, and add them to the risk
register.
Review the execution of risk response actions, and
evaluate their effectiveness.
Reassess existing risks, verify that the assumptions are
still valid, and modify the previous
assessments as necessary.
 Assign additional risk response actions to the Risk
Owner.
Retire risks whose opportunity to impact the project has
elapsed, or whose residual impact on
the project is deemed to have reached an acceptable level.
The PRMT should discuss any risks for which response
actions are not being carried out effectively or
whose risk impact is increasing. If these cannot be resolved
within the PRMT, they should be escalated
to the project manager with recommendations for action.
12 Updating the Risk Register
Make any changes and additions to the risks and enter the
revision date into the Updated column.
13 Lessons Learned
When a risk is retired, the PRMT will review the history of
the risk to record any lessons learned
regarding the risk management processes used. The team is
essentially asking itself: What, if anything,
would we have done differently and why?
The project risk manager will conduct a periodic review of
all lessons learned with the PRMT.
Chapter 2 Communication and Accountability
Communication and consultation with project stakeholders
and sponsors are
crucial factors in undertaking good risk management and in
achieving
project outcomes that are broadly accepted. This helps
everyone to
understand the risks and tradeoffs that must be made in a
project and
supports the project managers efforts.
Regular reporting is an important component of
communication. Reports on
the current status of risks and risk management ensure that
all parties are
fully informed and understand the risks, thus avoiding
unpleasant surprises.
The project risk manager will ensure that the risk
management process is documented to ensure a clear
audit trail.
REFILE HANDOFF A VITAL COMMUNICATION
Communication is important in risk management. Resolving
uncertainties
is easier and has less impact than resolving surprises later. A
discussion
of the project between the design teams and the
construction teams is
imperative in the successful management of risk in a
construction project.
It is important that both teams agree on what risk remains
and commit to
managing it throughout the project.
A project in District 4 was on an accelerated delivery
schedule.
Discussions between Design and Construction identified
several issues
that needed to be addressed. Most of this information was
provided in
the RE Pending file in some form, but the construction team
could not
prioritize their efforts without detailed discussions with
Design.
21 Communication and Accountability Checkpoints
There are three kinds of checkpoints:
Communication Where the current risk register is
communicated to stakeholders, sponsors, and team
members to make them aware of the current status of risks.
Accountability Where the deputies sign off on the risks,
indicating that they have reviewed the risks
documented in the risk register and agree that they have
been managed to the extent possible by the
PRMT.
Performance Measure Where the DES OE validates the
required signatures and dates of the
accountability checkpoints before RTL.
Monitoring
& Control
Response
Planning
Figure 4 shows the checkpoints during the phases of a
projects life cycle. Communication checkpoints
are shaded gray and required accountability checkpoints are
in red. PID Approval and RE File Handoff
are recommended accountability checkpoints.
Project
Phase
Checkpoint
No. Deliverable or Communication Checkpoint
PID 1 PID [Recommended Accountability Checkpoint]
PA&ED 2
3
Draft Project Report (DPR)
Project Report (PR) [Required Accountability Checkpoint]
PS&E
4
4
4
4
5
6
7
30% Constructability Review (CR)
Type Selection
60% Constructability Review (CR)
90% Constructability Review (CR)
Foundation Report Approved (FR)
PS&E to DESOE [Required Accountability Checkpoint]
Performance Measure
R/W
8
9
10
Between M225 (Regular R/W) and M410 (R/W Cert)
Between M410 & M412 (Advertise and Award)
Approved Utility Relocation Plan approval
Construction
11
12
13
14
15
RE File Handoff [Recommended Accountability Checkpoint]
Between M500 (Approve Contract) and M600 (Contract
Acceptance)
CCOs
NOPCs
Supplemental Fund Request & G12s (SFR)
FIGURE 4 COMMUNICATION AND
ACCOUNTABILITY CHECKPOINTS
SCALABLE PROJECT RISK MANAGEMENT
Version 1 (June 2012) Page 34
22 What Happens at a Communication Checkpoint
The current project risk register is submitted by the project
manager at each checkpoint. The risk
register with a cover sheet will serve as the risk
communication medium for Level 1 and Level 2
projects. The cover sheet should summarize the changes to
the risk register since the previous
communication, such as:
Changes in risk priorities,
Risks that have been retired,
New risks identified, and
Risk response actions that have been completed.
Level 3 projects will require a more detailed report that
includes the probability curves and their
relation to project objectives and the risk outlook until the
next review period.
23 What Happens at an Accountability Checkpoint
The project manager will schedule the meeting, or the Single
Focal Point can arrange for multiple
projects to be discussed in one meeting. The goal is for the
deputies to review the project and its risks to
ensure that the PRMT has managed the risks acceptably.
The project manager will create a Risk Register Certification
Form to bring to the accountability
checkpoint meetings for signature by the deputies. The
signed form is kept in the project files for use at
each accountability checkpoint and is submitted to the DES
OE at the performance measure checkpoint.
The form is shown in Appendix B, and may be downloaded
from: http://onramp/riskmanagement.
24 What Happens at the Performance Measure
Checkpoint
The Design through Construction Subcommittee's
Performance Measures Task Group developed a
Performance Measure for Risk Management. It requires that
at RTL, the DESOE will validate the dates
and signatures on the Risk Register Certification Form of the
project.
Appendix A ACRONYMS AND DEFINITIONS
ACRONYMS
CCA Construction Contract Acceptance
CCO Contract Change Order
CCPSC Caltrans Construction Partnering Steering Committee
CPM Critical Path Method
CR Constructability Review
DES Division of Engineering Services
DOE District Office Engineer
DPR Draft Project Report
DRL Dispute Resolution Ladder
EIR Environmental Impact Report
EIS Environmental Impact Study
ERM Enterprise Risk Management
G12 General Delegation 12
HQ Headquarters
NOPC Notice of Potential Claim
OE Office Engineer
PCR Project Change Request
PDD Project Delivery Directive
PDT Project Development Team
PID Project Initiation Document
PM Project Manager
PMBOK Project Management Body of Knowledge
PR Project Report
PRM Project Risk Manager
PRMT Project Risk Management Team
PSR Project Study Report
PA & ED Project Approval and Environmental Document
PS & E Plans, Specifications, and Estimates
RC Risk Cost
RE Resident Engineer
RMP Risk Management Plan
R/W Right of Way
RTL Ready to List
SFP Single Focal Point (PM District Deputy Director)
SFR Supplemental Funds Report
TRO Time Related Overhead
SCALABLE PROJECT RISK MANAGEMENT
Version 1 (June 2012) Page 36
DEFINITIONS
Accountability Checkpoint
Points in time during the project life cycle where a formal
signoff
will occur. Signoff signifies that there is an understanding
and acceptance of the risks moving forward into the next
phase
of the project.
Communication Checkpoint A point in the project life
cycle where risks are communicated
to stakeholders, sponsors, and team members.
Dispute Resolution Ladder Outlines when and how a
dispute will be elevated and
subsequently resolved.
Enterprise Risk Management
The methods and processes used by organizations to
manage
risks, identify threats, and seize opportunities related to the
achievement of their objectives.
Project Life Cycle All phases of project delivery from
project initiation to project
closeout.
Project Objectives The agreedupon delivery targets, such
as cost, time, scope, or
quality.
Project Risk An uncertain event or condition that, if it
occurs, has a positive
or a negative effect on at least one project objective.
Project Risk Management A process for identifying,
communicating, and managing project
risks through all phases of project delivery.
Project Risk Manager Facilitates the risk management
process and acts as gatekeeper
for the risk register.
Qualitative Risk Analysis The process of prioritizing risks.
Quantitative Risk Analysis The process of
probabilistically analyzing the cost and time
effects of identified risks on overall project objectives.
Risk An uncertain event or condition that, if it occurs, has a
negative
or positive effect on at least one project objective.
Risk Cost The probability distribution of the total cost of all
risks in the
project risk register.
Risk Management
Performance Measure
A checkpoint where the SPF reviews each project and its
risks
to ensure that the PDT has adequately responded to the
highest
priority risks.
Risk Owner A member of the PRMT to which the risk is
assigned.
Risk Register
A document (typically a spreadsheet) that contains the
results
of a qualitative risk analysis and/or a quantitative risk
analysis
and a risk response.
Risk Response Actions taken to enhance opportunities
and reduce threats to
the achievement of project objectives.
Scalable Approach
Provides the minimum level of effort of project risk
management that is appropriate to a particular project
depending on its size and complexity.
Time Related Overhead Overhead costs primarily
proportional to the time to perform
work.
Time Related Overhead Plus The direct costs associated
with time.

Project risk management includes the following program

elements. Each element is important to
developing effective project risk management on Caltrans
projects.
A scalable project risk management process three levels
of effort based on the size and
complexity of the project
Clear communication and accountability checkpoints so
that project delivery is seen as one
process across multiple functions
A new updated howto style handbook
 Incorporation of project risk management into the
existing Functional Units guidance
Project Delivery Directive (PD09) and policies for
implementation
Training and subject matter experts from Headquarters
and Districts
Project Risk Management Overview
FIGURE 5 CALTRANS PROJECT RISK
MANAGEMENT
Figure 5 is an overview of the Project Risk Management
structure. It is divided into two levels:
Corporate and Project.
Corporate Level
The corporate level illustrates how project risk management
is overseen by the Project Delivery Board,
as they are responsible for the successful delivery of
projects. The Project Delivery Board and the Chief
Engineer have developed PD09 as their project risk
management policy that is to be carried out. All
Guidance for Project Delivery Functions are expected to
incorporate the project risk management
policies and requirements as outlined in this handbook.
Training in project risk management will be
developed and made available to all of those affected by the
new requirements.
The Project Management Division is responsible for
facilitating the risk management process and
ensuring that risks are managed on projects. Project
Management Division is responsible for providing
Headquarters Project Risk Management Coordination
(expertise) to projects and District Project Risk
Management Coordinators.
Project Level
Each District will provide risk management expertise
through a District Risk Management Coordinator
who will assist project teams in the implementation of the
project risk management process. At the
inception of risk management for a project, the project team
will determine the projects scalability level
as Level 1, 2, or 3. The requirements for each level are
presented in Chapter 1, Section 14.
The project manager facilitates the development and
management of a risk register from Planning and
Design phases through the Construction phase. The gray
boxes on the chart indicate where the
communication points are to occur. The red boxes are
accountability check points where a formal signoff
must occur. The green box indicates where the Design
through Construction Performance Measure
will occur. This measure ensures that the project risk
management process has been followed for the
project.
Project managers are not expected to identify all of the risks
by themselves. The Project Risk
Management Team (comprised of members of the PDT) will
work together to identify the project risks,
populate the risk register, and manage the risks until
completion of construction. Managing risks in a
workshop environment will ensure that all members of the
team understand the risks and their
potential impact on their functional areas.
The Project Risk Management Team is expected to stay
together to manage
risks until project completion.
Appendix F ACKNOWLEDGEMENTS
RISK MANAGEMENT TASK GROUP
The DesignConstruction Strategic Partnering Subcommittee
asked the Risk Management Task Group to
develop an effective Project Risk Management process for
Caltrans projects.
Task Group CoChairs:
Jon Tapping Toll Bridge Program, Risk Management
Rob Stott DES Structure Construction
Task Group Members:
Elizabeth Dooher Partnering Program Manager
Farhad Farazmand D4 Construction
Rich Foley Risk Manager with Toll Program
Anup Khant HQ Project Management Division
Roberto Lacalle DES, Project Management
Rein Lemberg CALTROP Corporation
Edmond Matevosian Project Management, Risk
Management