STATOILHYDRO GOVERNING DOCUMENT

Risk Management in projects

Project development Work process, WR2365, Final Ver. 1, valid from 2008-05-19 Publisher:

Head of QRM Processes

Classification: Internal Validity area: PRO/All location/All value chains/On- and offshore

StatoilHydro governing document Risk Management in projects Project development, Work process, WR2365, Final Ver. 1, valid from 2008-05-19

1

Introduction ....................................................................................................................................................... 3 1.1 Objective................................................................................................................................................. 3 1.2 Warrant ................................................................................................................................................... 3 1.3 Guidelines and requirements .................................................................................................................. 3

2

The Risk Management process........................................................................................................................ 4 2.1 Risk Identification.................................................................................................................................... 4 2.2 Risk Assessment .................................................................................................................................... 5 2.3 Risk response action .............................................................................................................................. 6 2.4 Risk monitoring and control .................................................................................................................... 6 2.5 Interaction with cost- and schedule Risk analysis................................................................................... 7

3

Implementation of risk Management in projects ............................................................................................ 7 3.1 Mindset and behaviour............................................................................................................................ 7 3.2 Team Competency ................................................................................................................................. 7 3.3 Implementation ....................................................................................................................................... 7 3.4 Integration with monitoring activities (verification and follow-up activities).............................................. 8 3.5 Leveraging StatoilHydro knowledge through external parties ................................................................. 8

4

Additional information ...................................................................................................................................... 9 4.1 Definitions and abbreviations.................................................................................................................. 9 4.2 Changes from previous version .............................................................................................................. 9 4.3 References ........................................................................................................................................... 10

Validity area:

PRO/All location/All value chains/On- and offshore

Classification:

Internal

Page 2 of 10

StatoilHydro governing document Risk Management in projects Project development, Work process, WR2365, Final Ver. 1, valid from 2008-05-19

1

Introduction

1.1

Objective

Risk Management is a management tool and shall be implemented according to this working requirement for all StatoilHydro operated investment development and execution projects; including larger maintenance, modification and repair projects (ref. FR05). Risk Management is a continuous process to be summarized and described at each decision gate. The risk profile shall be the basis for the customized process and key risk areas shall be main focus both in continuous work and in steering committee meetings. The key elements of the Risk Management process include identification, assessment, response action and response control of the different types of risks that could impact the project objectives. As a whole, the objective of this working document is to guarantee a better understanding of threats and the potential opportunities facing projects. Once risks are identified and assessed, a specific set of actions needs to be taken to mitigate threats and pursue opportunities. Risk Management activities, in turn, should be controlled by project management and risk owners. 1.2

Warrant

Ref. Chapter 2.2.2 in the steering document “Project Development” (FR05) (StatoilHydro group/All locations/On-and offshore). Quality and Risk Management, PRO PRC QRM, is responsible for updating and publishing this document. The purpose of the update of WD0622 is to describe the StatoilHydro approach to Risk Management in project. 1.3

Guidelines and requirements

Even though the overall responsibilities of establishing and coordinating Risk Management reside with the project manager, the establishment and implementation of a Risk Management System in a new project will be the responsibility of the Quality and Risk Manager (QRM) from DG2. The Risk Management process shall be used actively to secure that projects presenting an exceedingly high exposure of threats are either rejected or that their intrinsic risks are mitigated to reasonable corporate standards before being implemented. Additionally the Risk Management Process will ensure that emerging opportunities are identified, quantified, and utilized. This requires: Nominating a Quality & Risk Manager (QRM) as early as possible in the project planning phase. • • • • • • •

Providing a comprehensive Risk Management implementation and execution plan for the total project life cycle. Project Management is responsible for this. Training the project team to follow the Risk Management Process in all of the project phases. Following the defined process of risk identification, assessment, response action and response control during the various phases of the project development. Incorporating all sub projects/disciplines in the Risk Managment process. Institutionalizing PimsWeb as the single corporate QRM tool in StatoilHydro from DG 2 Including Risk Management as part of all contractual agreements and purchase orders across all contractor, suppliers and service companies. Reporting Risk Managment progress, KPI’s (if applicable), Top 10 risk matrix, response action and response control update as part of the institutionalized “Project Monthly Report”

Validity area:

PRO/All location/All value chains/On- and offshore

Classification:

Internal

Page 3 of 10

StatoilHydro governing document Risk Management in projects Project development, Work process, WR2365, Final Ver. 1, valid from 2008-05-19

2

The Risk Management process

The Risk Management process is a cornerstone of project success. As projects become more and more complex (level of technology, new geographies, risk environments, etc.), it is critical for project managers and for StatoilHydro leadership to understand and properly assess the risk exposure and capture opportunity potential. Risk Management should be a fit-for-purpose consistent process, which requires both corporate guidelines and adequate control system. This will ensure that decisions made in project teams are in line with corporate guidance, regulations and take into account public expectations. The figure below shows the RM process between decision gates through all project phases in the Capital Value Process (CVP):

Presentation and communication of the projects risks should be presented in a standard report and with standard definitions. The Risk Management process is a continuous exercise performed in four major steps (see figure below) with an initial planning phase. Risk management planning is the process of deciding how to approach and plan Risk Management activities for the project. RM cycle applies through all project phases and all decision gates. 1. 2. 3. 4.

Identification Assessment Response action Monitoring and control

All risks must be registered in a spreadsheet until Decision Gate 2. After passing of DG2, the risk register shall be imported into PimsWeb Risk Management module for the project definition and execution phase. 2.1

Risk Identification

The pupose of risk identification is to assess which risks might affect the project and to document their characteristics. This is a bottom to top process in the project team where all team members contribute together with representatives of the Asset Owner.

Validity area:

PRO/All location/All value chains/On- and offshore

Classification:

Internal

Page 4 of 10

StatoilHydro governing document Risk Management in projects Project development, Work process, WR2365, Final Ver. 1, valid from 2008-05-19

The purpose of this step is to identify both the threats and opportunities that can affect the project objectives. Each risk must be well defined and relate specificly to an undesired event (threat) or to a desired event (opportunity) Usually initiated through sub projects/functions brainstorming sessions, the identification process needs to be ongoing and individuals are encouraged to openly communicate risks. It is critical that each sub projects as well as personnel from the Asset Owners’s organisation (i.e. total value chain) participate in this effort. Risks need to be described as punctilious as possible. It is advisable to use the assistance of the Quality & Risk Manager when running identification workshops, categorizing risks and when prioritizing a “Project Top 10” priority list. To secure a satisfactory identification of risks, both an appropriate level of expertise and sufficient experience are required from the project team. The project should continuously evaluate identified risks and search for new risks. The risk Register shall be updated at regular intervals, as the project develops, and not just prior to passing each decision gate (DG1, DG2, DG3, and DG4). 2.2

Risk Assessment

The outcome of the Risk Assessment process is a ranking of risks according to their potential effect on project objectives. For project according to FR05, this process is carried out over the following four sub-processes: 1. 2. 3. 4.

Qualitative assessment Sub projects prioritization Assessment of “Sub Project Top 10” lists Definition of “Total Project Top 10” list

2.2.1

Qualitative assessment of the identified risks

Based on a thorough assessment, each risk should be scored over 2 dimensions: probability of occurrence, potential consequences (i.e. impact) of the risk (and of its outcome). Additionally a monetary valuation or schedule impact of the risk should be assessed. 2.2.2

Sub projects prioritization of risks

Each sub project shall establish a risk register and define their list of “Sub Project Top 10” priorities. This list should then be reviewed by the Quality & Risk Manager and brought forward to the project management team. 2.2.3

Assessment of “Sub project Top 10” lists

Once all sub projects have shared their “Sub Project Top 10” list, the management team should review their findings, analyze potential interface issues, and determine any potential knock-on effects, (i.e. multi-dimensional risk). 2.2.4

Definition of “Total project Top 10” list

Once the assessment is complete, the management team should define the “Total Project Top 10” list. This selection should encompass the main threats and main opportunities and serve as a milestone for the Risk Management process.

Validity area:

PRO/All location/All value chains/On- and offshore

Classification:

Internal

Page 5 of 10

StatoilHydro governing document Risk Management in projects Project development, Work process, WR2365, Final Ver. 1, valid from 2008-05-19

Risks involving “sensitive” domain (i.e. HSE, legal, company reputation, etc.) should be marked and communicated to the appropriate functional group (e.i. HSE group, legal, and public affairs) for additional review. 2.3

Risk response action

Once all the risks have been identified and assessed, the overall risk exposure has to be lowered to an acceptable/minimum level and opportunities are pursued. This first step consists of identifying, for each risk, a set of mitigating actions. As a second step, since the risk could always materialize, it is critical to develop a back-up plan for relevant risk elements. Both mitigating actions and back-up plans should be documented. Examples of possible risk response strategies include: Approach Action The action aims to reduce: 1 Eliminate, avoid Re-planning Probability Re-design 2 Reduce risk (mitigate), pursue Re-planning Probability opportunity Re-design 3 Transfer Re-planning Consequences 4 Accept and prepare Development of Consequences contingency plans 5 Ignore No action -2.3.1

Delegation of response action

Each risk is registered and managed under the responsibility of a Risk Owner. However various actions to efficiently mitigate this risk can be delegated to other team members who would then be assigned the responsibility of Action Owner. The Quality and Risk Manager will facilitate the follow up of mitigating actions. However, the satisfactory closure of these mitigating actions will remain under the responsibility of the Risk Owner and the Action Owner. 2.3.2

Action deadline

For each mitigating action a deadline (due date) shall be specified in the appropriate risk tool. It will be the responsibility of the Risk Owner to secure that actions are completed on time, and that action deadlines are not overdue. As a result of the risk assessment and suggested response actions, project plans should be updated and the response actions must have a due date to ensure high focus and high priority. 2.4

Risk monitoring and control

Risk monitoring and control is the process of keeping track of the identified risks, monitoring residual risks, and evaluationg their effectiveness in reducing risks. Status on risks, opportunities and response actions should be followed up and documented regularly in order to secure efficient and effective Risk Management control. The Quality and Risk Manager should establish standard routines for response control to ensure that all identified actions are mitigated with regards to action responsibility and deadline.

Validity area:

PRO/All location/All value chains/On- and offshore

Classification:

Internal

Page 6 of 10

StatoilHydro governing document Risk Management in projects Project development, Work process, WR2365, Final Ver. 1, valid from 2008-05-19

2.5

Interaction with cost- and schedule Risk analysis

The latest version of the risk register shall be taken into consideration when performing Cost Risk Analysis (CRA), Schedule Risk Analysis (SRA), Drilling Risk Analysis (DRA) (if relevant) and Owners Cost Analysis in the early phases, as well as in budget and plan updates during execution.

The figure above shows the interaction between risks and Cost Risk Analysis and Schedule Risk Analysis. All risks identified in the cost risk and schedule risk process including mitigating actions shall be registered and followed-up in the same way as risks deriving from the risk identification processes described in this working document. Cost- and schedule risk evaluation is described in work descriptions GL0187 and WR0057.

3

Implementation of risk Management in projects

3.1

Mindset and behaviour

Managing both project threats and opportunities is one of the primary duties of the project management. Therefore risk Management needs to regularly be part of the management agenda. To achieve best/recommended practices, Risk Management (RM) cannot be only a project management concern. Everybody dealing with threats/opportunities of the operational, commercial, or reputation aspects of a project needs to be familiar and pro-active. 3.2

Team Competency

A standardized RM training course is mandatory for every team member. After completing this training course, all participants will have both the necessary knowledge to participate in the Risk Management process and the basic skills needed to use PimsWeb. The involvement of external stakeholders is recommended (partners, sub-contractors, service companies etc.), to strengthen the team competency when risk identification sessions are conducted; however, the decision on such involvement is made by the project manager. 3.3

Implementation

Every project involves a unique task to be performed by a project organization. Such environment is naturally exposed to risk. To handle these risks, the project team needs to demonstrate the right mindset (see 3.1), follow the process (see paragraph 2 below) and procedures, and deliver end products in collaboration with the QRM network on time. The most important success criterias include: •

Demonstrating a recommended/best practise project performance mindset: o Keeping Risk Management high in the project management agenda

Validity area:

PRO/All location/All value chains/On- and offshore

Classification:

Internal

Page 7 of 10

StatoilHydro governing document Risk Management in projects Project development, Work process, WR2365, Final Ver. 1, valid from 2008-05-19

o o o o

Demonstrating a strong commitment in surfacing risks Fully acting and owning mitigating actions Promoting open communication within and outside the project group Ensure that review of the relevant risk registers is on the agenda at project/sub-project status meetings, both internally and with contractors.

•

Following RM process: o Integrating RM as an ongoing continuous process at the core of the project development scheme o Viewing the spread of the process along the total project value chain during the full project life cycle o Assigning all tasks and keeping each team member accountable for the quality and the timely closure of his/her identified and registered risks and actions o Use spreadsheet template before DG2 and PimsWeb as the single RM project tool during the definition- and execution phases (DG2 and DG3).

• •

Deliver end products in collaboration with the QRM network on time Project managers and network owner should facilitate knowledge sharing across the various StatoilHydro project The network should be active in RM training and “developing” project team members The network should provide regular feedback and recommendations to improve project performance and facilitate the gate review process.

• •

3.4

Integration with monitoring activities (verification and follow-up activities)

The project team shall integrate the risk actions with the monitoring activities (ref. FR05). Within PimsWeb a Quality Management module is designed for planning, reporting and follow-up of monitoring (Verification and Follow-up) activities. Integration between risk and quality module in PimsWeb:

3.5

Leveraging StatoilHydro knowledge through external parties

As new Risk Managment Processes, Tools and Techniques develop, it is necessary for StatoilHydro to remain abreast of these changes and evaluate implementation. The Network Owner is mainly responsible for identifying and promoting best/recommended practices and change within the organization. During project work, new learning opportunities are created Validity area:

PRO/All location/All value chains/On- and offshore

Classification:

Internal

Page 8 of 10

StatoilHydro governing document Risk Management in projects Project development, Work process, WR2365, Final Ver. 1, valid from 2008-05-19

through the numerous stakeholder interfaces (i.e. partners, suppliers, service companies, authority). When such opportunities are identified, the project group needs to inform the network owner, as a follow-up “knowledge transfer” should be organized between the various stakeholders in addition to other network meetings.

4

Additional information

4.1

Definitions and abbreviations

4.1.1

Abbreviations

CRA PimsWeb QRM RM SRA 4.1.2

= Cost Risk Analyses = Project Information Management System on web = Quality and Risk Management = Risk Management = Schedule risk Analyses

Definitions

Risk Management

Risk 1

Risk Management in projects is a project management knowledge area comprising management and control of risks and opportunities in the project.

“Any uncertainty that, if it occurs, would affect one or more objectives. Risk is the product of probability and consequence. “ Threat Any uncertainty that, if it occurs, would affect one or more objectives negatively. Oppurtunity Any uncertainty that, if it occurs, would affect one or more objectives positively.

Consecequences Minimal (C1) Project specific Small (C2) Serious (C3) Very serious (C4)

< 5% 5 - 20% 20 - 50% > 50%

A list of the most important risks (not necessarily 10)

Top 10 4.2

Probability Unlikely (P1) Less likely (P2) Likely (P3) Very likely (P4)

Changes from previous version

There are 3 major changes regard terms and processes from previous version: 1. Modification in use of terms, from uncertainty to risk Management. 2. Risk Management are more closely related to Quality Management. The risk manager is now a Quality Risk Manager. 3. Description of Risk Analyses is removed from this guideline.

1

David Hillson, “Effective oppurtunity management for projects"

Validity area:

PRO/All location/All value chains/On- and offshore

Classification:

Internal

Page 9 of 10

StatoilHydro governing document Risk Management in projects Project development, Work process, WR2365, Final Ver. 1, valid from 2008-05-19

4.2.1

Changes in use of tools:

1. Risk register in Excel before DG2 and PimsWeb after DG2. 2. Risk module and Quality module are more integrated in PimsWeb and the Quality module includes Quality System Audit and Verification processes. 4.2.2 1. 2. 3. 4. 4.3

Other changes:

Description of support and quality assurance is removed. Description of expectations for AP1, DG2 and DG3 is removed. Detailed check-lists are removed from this guideline. Manageability is removed from definitions. References

Project Development (FR05) Classification Requirements for Cost Estimates And Schedules (WR0057) Planning and scheduling in StatoilHydro (GL0187)

Validity area:

PRO/All location/All value chains/On- and offshore

Classification:

Internal

Page 10 of 10