Risk Management Process

407. MTRCL set out their risk management strategy in PIMS/P/04/A2, which is applicable to all MTRCL projects. MTRCL classify risk within the project environment at three levels according to the nature of their potential impact. These are:

• Enterprise Risks – A risk with a potentially significant impact on the corporate business (e.g. construction accident resulting in multiple fatalities, significant programme delay and media pressure on the Corporation; serious disruption to passenger services arising from works interfacing with the operating railway). ⁴⁰²

• Project Delivery Risk – A risk with potential impact on or resulting from project delivery (e.g. late design changes resulting in additional cost and programme delay).

These risks are categorised in the following risk areas (Health, Safety & Environment;

Business Disruption; Business Viability; Project Complexity; Cost Over-run;

400 Delay measured from Degree 1 original contractual milestones to MTRCL’s optimistic estimated completion of the Degree 1 milestones for contracts 826, 825, 824, 823A, 823B, 822, 821, 820, 811A, 811B, 810A and 810B.

401 Refer to paragraph 232 of this Report.

402 MTRCL PIMS – Risk Management (P/04/A2), Section 2.1, 09 March 2012

Programme Delay; Political/ Public/ Media Pressure; Technical Difficulty; Meeting Customer Expectations; Recovery/Crisis Management. ⁴⁰³

• Operational Hazard – A risk with a potential impact on the safety or service performance of the future or existing operating railway (e.g. infringement of structure gauge by newly installed trackside E&M equipment, leading to collision). ⁴⁰⁴

408. Key points relating to Project Delivery Risk Management include:

• The General Manager/Project Manager shall ensure that risk management processes are adequately applied throughout the relevant project stages, in accordance with the associated Practice Notes and Operational Division Procedures. ⁴⁰⁵

• Project delivery risks and mitigation measures shall be identified through a series of workshops and reviews, commencing in the feasibility stage. Stakeholders, with relevant expertise shall be involved in the workshops and reviews and shall include consultants and contractors, where appropriate. ⁴⁰⁶

• Focused workshops for specific high-risk systems/contracts shall be conducted as necessary during subsequent project stages, commencing during preliminary design. ⁴⁰⁷

• Regular reviews shall be arranged by the General Manager/Project Manager at least once per project stage, throughout the project to identify further project risks and mitigation measures and to update the identified risks. A typical project cycle would require at least one review during each of the following stages: feasibility; preliminary design and specification; detailed design; construction; testing and commissioning. ⁴⁰⁸

• Project delivery risks shall be rated before and after mitigation, using the Project Delivery Risk Matrix, and shall be recorded and updated in the respective risk register, which shall be maintained as a summary of project delivery risk throughout the project, from feasibility stage to testing and commissioning. ⁴⁰⁹

• Risks shall be allocated to Risk Owners for the purpose of implementing and monitoring mitigation. ⁴¹⁰

• Risk status reports shall be made by the Risk Owners, via one or more Risk Coordinator(s) to:

i. The General Manager/Project Manager, in the relevant monthly progress report and meeting; and

403 MTRCL PIMS – Risk Management (P/04/A2), Section 2.2, 09 March 2012

404 MTRCL PIMS – Risk Management (P/04/A2), Section 2.3, 09 March 2012

405 MTRCL PIMS – Risk Management (P/04/A2), Section 5.4, 09 March 2012

406 MTRCL PIMS – Risk Management (P/04/A2), Section 6.3, 09 March 2012

407 MTRCL PIMS – Risk Management (P/04/A2), Section 6.4, 09 March 2012

408 MTRCL PIMS – Risk Management (P/04/A2), Section 6.5, 09 March 2012

409 MTRCL PIMS – Risk Management (P/04/A2), Section 6.6, 09 March 2012

410 MTRCL PIMS – Risk Management (P/04/A2), Section 6.7, 09 March 2012

ii. Project Control Group, via Senior Engineer – Project Risk, on a 6-monthly basis, or with a frequency agreed with the respective group. ⁴¹¹

409. Similar procedures are noted for identification and management of Operational Hazards. ⁴¹² 410. Operational hazards and hazard mitigation measures shall be identified through design reviews,

review of contractors submissions (i.e. system-level hazard logs, application of past project experience and formal workshops) plus:

• Hazard controllers within the team shall be assigned to monitor the status of mitigation implementation and maintain updated hazard records for assigned hazards throughout the project.

• Hazards shall be rated before and after mitigation, using the Risk Matrix for operational hazards and shall be recorded and updated in the project operational hazard log, which shall be maintained as a summary record of hazard and mitigation status throughout the project, from preliminary design to testing and commissioning.

411. The procedure for flagging and control of Enterprise-level risks is summarised as:

• General Manager/Project Manager shall ensure that relevant enterprise risks in the divisional Enterprise Risk Register are reviewed and given due consideration during preparation of the project delivery/ Design for Safety and Constructability (DSC) risk registers, and the operational hazard logs, to help ensure coverage of relevant high consequence risks. ⁴¹³

• The Project Risk Co-ordinator / Senior Engineer – Project Risk shall organise a regular meeting, on a quarterly basis, to review with the General Manager/Project Manager on any high risk items (e.g. P1/P2 risks, or severity class “Critical” or “Catastrophic”) and determine whether they should be flagging up as enterprise risks. The status of the existing enterprise risks shall also be reviewed. The Enterprise Risk Matrix shall be followed. Senior Engineer – Project Risk shall arrange to submit the updated existing enterprise risks and the potential enterprise risks requiring corporate attention to the Enterprise Risk Committee (ERC). ⁴¹⁴

412. A procedure is also outlined in relation to design risks, stating “A design for safety and constructability review process shall be followed in each design stage to engage competent reviewers with experience of constructing similar works to review and identify the construction risks associated with the design. All hazards identified shall be recorded in a construction hazard file for review in the subsequent design stages. These hazards shall be designed out or otherwise maintained in the construction hazard file for incorporation into the construction contracts for the contractors to manage under their safety management system.” ⁴¹⁵

411 MTRCL PIMS – Risk Management (P/04/A2), Section 6.8, 09 March 2012

412 MTRCL PIMS – Risk Management (P/04/A2), Section 7.2 – 7.5, 09 March 2012

413 MTRCL PIMS – Risk Management (P/04/A2), Section 9.1, 09 March 2012

414 MTRCL PIMS – Risk Management (P/04/A2), Section 9.2, 09 March 2012

415 MTRCL PIMS – Design Management (P/09/A2), Section 9.3, 24 January 2011

413. Regarding Risk Review during the construction period:

• “The [Construction Manager/Senior Construction Engineer] shall continuously review and update the risk register throughout the Project life in order to mitigate the delays and minimise additional costs to the Project as a result of all potential risks associated with the works such as unforeseen ground conditions, inclement weather and specific construction method-related hazards.” […]

• “To control and manage the outturn cost of the project, costs will be assigned to the significant risks identified in the risk review process and measures taken to mitigate them if possible. Review of the risks and budgetary figures allocated is to be undertaken at regular cost review meetings to provide control of costs and growing certainty on the outturn price.”⁴¹⁶

414. In relation to reporting of risks, it is noted that the Project Control Group should “receive the project risk summary reports and review the trend in significant project risks for the projects” ⁴¹⁷ 415. The procedures also describe the role of the Project Risk & System Assurance Section, which,

amongst other things, “is responsible as a centre of expertise in Project Delivery Risk Management (PDRM). This section is responsible for ensuring that full and proper consideration has been given to PDRM during design, construction and commissioning phases of new railway projects.” ⁴¹⁸

416. Based on our discussions with MTRCL, ⁴¹⁹ we understand that the following risk quantification occurs:

• Each period, contract risk registers are reviewed by the cost management team. Those risks (P90) in the register which have a cost impact are extracted for inclusion in the quantified risk register;

• On a periodic basis, the risks are reviewed and updated, and a Monte-Carlo simulation is run to generate a range of cost impacts. The risk (P90) value is recorded in the Project cost report; and

• Contingency is calculated as the budget/authority less the Estimated Final Cost and risk (P90). MTRCL do a sense check of the value of contingency by comparing it to the cost of proposed Delay Recovery Measures not yet in the programme and potential claims pipeline.