Governing document

Classification: Internal

Risk Management in projects

Risk management (RM) Work process requirements, WR2365, Final Ver. 3, valid from 2010-05-11 Owner:

Leading Advisor

Validity area: PRO/All locations/All value chains/On- and offshore

Governing document

Classification:

Risk Management in projects

1

Objective, target group and provision........................................................................................................................... 3

2

The Risk Management process ....................................................................................................................................... 3 2.1 Establish/define context .......................................................................................................... 3 2.2 Identify and analyse risks ........................................................................................................ 3 2.3 Evaluate risks........................................................................................................................ 4 2.4 Decide related actions ............................................................................................................ 4 2.5 Implement action, monitor, and follow-up risks............................................................................ 5 2.6 Interaction with cost- and schedule Risk analysis ........................................................................ 5

3

Implementation of risk Management in projects........................................................................................................ 6 3.1 Mindset and behaviour............................................................................................................ 6 3.2 Team Competency ................................................................................................................. 6 3.3 Implementation ...................................................................................................................... 6

4

Additional information ....................................................................................................................................................... 7 4.1 Definitions and abbreviations ................................................................................................... 7 4.2 Changes from previous version ................................................................................................ 7 4.3 References ........................................................................................................................... 7

Risk management (RM), Work process requirements, WR2365, Final Ver. 3, valid from 2010-05-11 Page 2 of 7 Validity area:

PRO/All locations/All value chains/On- and offshore

Internal

Governing document Risk Management in projects

1

Classification: Internal

Objective, target group and provision

This document objective is to define the minimum requirements for implementation of risk management in projects. Risk Management is a management tool and shall be implemented according to this working requirement for all Statoil operated investment development and execution projects; including larger maintenance, modification and repair projects (ref. FR05). The document is provided for in “Risk Management Process” (WR2404)

2

The Risk Management process

2.1

Establish/define context

When starting the risk management process the following shall be put in place: -

Schedule and frequencies for:  Updating risk register - minimium monthly,  Arranging risk workshops - minimum once before DGn,  Initiating a Cost- and a Schedule Risk analysis - minimum up to DG2 and DG3

2.2

Identify and analyse risks

Various approaches may be used to identify risks such as; group processes/workshops, interviews, checklist, experience databases, etc. Input shall be cross disciplinary and have a sufficient broadness and in-depth understanding with regards to the actual objectives (e.g. business case, project, sub-project). Moreover checklists for specific type of projects may be used. The risk identification in a project is a bottom to top process, utilising a cross discipline team, where all team members contribute together with representatives of the Asset Owner, which is usually initiated through sub projects/functions brainstorming sessions. Seaches in the experience databases for similar and/or analogue projects may also be a source where potential risks can be identified for incorporation into the risk session discussions. The identification process shall be a continuous process where individuals are encouraged to openly consult and communicate risks throughout the lifetime of the project, and where such an identification process shall be performed at a minimum of once per month. Risks shall be identified and described as early as possible. The risk title shall reflect the actual risk cause and the description of the risk shall address the event or circumstances related to the cause, and also specify the possible effect on project objectives. Impacts and probabilities shall be estimated for each risk. It is recommended that the Quality and Risk Manager facilitate risk identification workshops. Each sub project shall establish a risk register and define their list of “Sub Project Top 10” priorities. This list shall

Risk management (RM), Work process requirements, WR2365, Final Ver. 3, valid from 2010-05-11 Page 3 of 7 Validity area:

PRO/All locations/All value chains/On- and offshore

Governing document

Classification:

Risk Management in projects

Internal

then be reviewed by the Quality & Risk Manager and communicated to the Project management team/ Business Case Leadership Team. When all sub projects have shared their “Sub Project Top 10” list, the management team shall review their findings, analyze potential interface issues, and determine any potential knock-on effects, (i.e. multidimensional risk). 2.3

Evaluate risks

The outcome of the Risk Assessment process provides a ranking and prioritisation of risks according to risk level (the combination of impact and probability) including an evaluation of these risks towards a tolerance level. Sub projects rank their risks and define their “Sub Project Top 10” where it is then possible to define “Project Top 10” (Top 10 is a relative value). Once the assessment is complete, the management team shall define the “Total Project Top 10” list. This selection shall encompass the main threats and main opportunities and serve as a milestone for the Risk Management process. 2.4

Decide related actions

When all the risks have been identified and assessed, the overall negative risk exposure shall be lowered to a tolerable/minimum level and opportunities shall be pursued. The first step consists of identifying, for each risk, a set of actions. As a second step, since the risk could always materialize, it is critical to develop a back-up plan for relevant risk elements. Both actions and back-up plans shall be documented.

Risk management (RM), Work process requirements, WR2365, Final Ver. 3, valid from 2010-05-11 Page 4 of 7 Validity area:

PRO/All locations/All value chains/On- and offshore

Governing document

Classification: Internal

Risk Management in projects

Examples of possible risk response strategies include: Approach Action 1

Eliminate, avoid

2 3 4

Reduce risk (mitigate), pursue opportunity Transfer Accept and prepare

5

Ignore

Re-planning Re-design Re-planning Re-design Re-planning Development of contingency plans No action

The action aims to reduce: Probability Probability Consequences Consequences --

Each risk shall be registered and managed which is the responsibility of a Risk Owner. However various actions to efficiently manage this risk can be delegated to other team members, who would then be assigned the responsibility of Action Owner. For each mitigating action a deadline (due date) shall be specified in the appropriate risk tool. It shall be the responsibility of the Risk Owner to secure that actions are completed on time, and that action deadlines do not become overdue. 2.5

Implement action, monitor, and follow-up risks

The Quality and Risk Manager shall monitor the follow up of actions. However, the satisfactory closure of these response actions shall remain the responsibility of the Risk Owner and the Action Owner. Risk monitoring and control is the process of keeping track of the identified risks, monitoring residual risks, and evaluating their effectiveness in influencing risks. Status on risks and response actions shall be followed up and documented regularly in order to secure efficient and effective Risk Management control. The Quality and Risk Managers shall ensure that all identified actions are followed up, based on responsibility and deadline. The outcome of this step is an updated risk register and plan. The project team shall integrate the risk actions with the monitoring activities (ref. FR05), using the recommended tool which is designed for planning, reporting and follow-up of monitoring (Audit, examinations, quality assurance and other Follow-up) activities. 2.6

Interaction with cost- and schedule Risk analysis

The latest version of the risk register shall be taken into consideration when performing Cost Risk Analysis (CRA), Schedule Risk Analysis (SRA).

Risk management (RM), Work process requirements, WR2365, Final Ver. 3, valid from 2010-05-11 Page 5 of 7 Validity area:

PRO/All locations/All value chains/On- and offshore

Governing document

Classification: Internal

Risk Management in projects

Figure 1

Figure 1 above shows the interaction between risks and Cost Risk Analysis and Schedule Risk Analysis. All risks identified in the cost risk and schedule risk process including mitigating actions shall be registered and followed-up in the same way as risks deriving from the risk identification processes described in this working document. During the process, an awareness of the risks/impacts defined in base case should be kept in mind to ensure that they are not duplicated. Cost- and schedule risk evaluations are described in WR0449 and WR0057.

3

Implementation of risk Management in projects

3.1

Mindset and behaviour

Managing project risks (both threats and opportunities) is one of the primary duties of the project management. Therefore risk management shall be included in the project management agenda. To achieve best/recommended practices, Risk Management (RM) cannot be only a project management concern. Everybody dealing with threats/opportunities of the operational, commercial, or reputation aspects of a project shall be familiar and pro-active. 3.2

Team Competency

QRM shall identify the competence level in the project regarding risk management and train or offer courses if required. This is a continuous process and the objective is that all participants have the necessary knowledge to participate in the Risk Management process and possess the basic skills needed to use a risk register tool. The involvement of external stakeholders is recommended (partners, sub-contractors, service companies etc.), to strengthen the team competency when risk identification sessions are conducted. 3.3

Implementation

Every project comprises of a set of unique tasks to be performed by a project organization. Such an environment is naturally exposed to risk. To handle these risks, the project team shall to demonstrate the Risk management (RM), Work process requirements, WR2365, Final Ver. 3, valid from 2010-05-11 Page 6 of 7 Validity area:

PRO/All locations/All value chains/On- and offshore

Governing document

Classification: Internal

Risk Management in projects

right mindset (see 3.1), follow the process (see paragraph 2 below) and procedures, and deliver end products in collaboration with the QRM network on time. The most important success criteria’s include: 

Demonstrating a recommended/best practise project performance mindset: o Keeping Risk Management high in the project management agenda o Demonstrating a strong commitment in identifying risks o Accepting responsibility for follow up and owning of mitigating actions o Promoting open communication within and outside the project group o Ensuring that a review of the relevant risk registers is on the agenda at project/sub-project status meetings, both internally and with contractors.

4

Additional information

4.1

Definitions and abbreviations

4.1.1

Definitions

Terms

Definitions

Action Owner

Person delegated the authority to handle action related too identified risk.

4.1.2

Abbreviations

CRA QRM RM SRA 4.2

= Cost Risk Analyses = Quality and Risk Manager = Risk Management = Schedule risk Analyses Changes from previous version

1. Changed from should to shall 2. Removed definitions already described in WR2404 3. Rephrased requirement regarding a standard risk course 4.3

References

Risk Management Process (WR2404) Project Development (FR05) Classification Requirements for Cost Estimates And Schedules (WR0057) Planning and scheduling in Statoil (WR0449)

Risk management (RM), Work process requirements, WR2365, Final Ver. 3, valid from 2010-05-11 Page 7 of 7 Validity area:

PRO/All locations/All value chains/On- and offshore