
Exploration & Production

risk management guidelines for major projects

EPTF Projects & Engineering


BP Exploration
Chertsey Road
Sunbury on Thames
Middlesex
TW16 7LN

Date of publication 1 July 2005


contents

Overview
Summary
The Process
  Initiate
  Identify
  Assess
  Respond
  Control
  Learn
The Supply Chain
Attachments
  Attachment 1 - Glossary
  Attachment 2 - Risk Rating
  Attachment 3 - Risk Identification Events
  Attachment 4 - Risk Register
  Attachment 5 - Risk Reporting
  Attachment 6 - Risk Categorisation

The identification, assessment and systematic management of risks, uncertainties and opportunities is essential for effective project control and performance

• Opportunity and risk must be actively managed throughout project life. Upside opportunity must be addressed as aggressively as downside risk, and should be expressed in financial terms wherever possible.

• Assessments should be holistic, fully investigating impact and likelihood of occurrence.

• Action plans to take advantage of opportunities and mitigate risks should be established in Appraise and reviewed and updated throughout the life of the project. This should include the carry-forward, in some cases beyond sanction, of continuing uncertainty in reserves or market understanding, maintaining viable contingency plans.

project principles lead by example

2004-2005 BP International Limited risk management guidelines


risk management - overview

Effective management of risk is recognized across all BP's Segments as a key component for the delivery of world class projects. The Group Project Principles and the E&P Major Projects Common Process both identify risk management as a discrete element of projects excellence, and define expectations for what should be achieved by project teams at key project stages.

This document provides guidance on how to achieve these expectations. It sets out
to establish the basic processes by which risks will be identified, evaluated, managed
and communicated within individual projects and across the organisation. The processes
described are well tried and tested and for many this will be a reaffirmation of what
they are already doing. Nevertheless these guidelines should drive a common
language and consistency of approach which will provide a basis for learning and
improvement in project delivery and the techniques used for managing project risks.



risk management - summary

The prime objective of risk management is to improve business (project) performance by avoiding surprises and reducing the frequency of poor outcomes.

The effective management of risk is critical to the continual improvement in project performance both in individual projects and BP's overall Project Portfolio. The major challenge to a successful implementation lies primarily in the behaviours of leadership and teams rather than the processes and tools. However, a common process is important in creating alignment and rigour.

Scope of Process
The management of risk in a project takes place at two levels. Most of the detailed
work takes place at the discipline level, with individual functions continuing to use
established (or emerging) processes. Each of these has supporting tools, standards,
and a variety of outputs to help communicate detailed understanding of risk. At the
project level, the key risks are managed holistically, so that they can be prioritized,
their inter-relationships understood, and their combined effect on project value estimated.
This project level risk management process, the tools which are available to support it,
and the forms of output which it generates are the subject of this booklet.

The project risk management process contains a number of key elements without
which the process would not function, or significant value would be lost. These can
be summarised in six key points.

1. Project Leadership demonstrates visible commitment to managing risk and establishes clarity around the roles and responsibilities of the team in implementing the process.

2. There is a systematic, documented and adequately resourced project-wide risk management process which follows the standard Four Step Cycle (see figure 1).
   • Identify the risks using holistic techniques to avoid surprises.
   • Assess the risks using rigorous techniques to ensure reliable prioritisation. All significant risks must have an owner.
   • Respond to the risks by implementing fully resourced and effective plans with action owners.
   • Control the risks through regular tracking of risk and action progress, and communicate throughout the project organisation.



3. A Project Risk Register is maintained for documenting the results of this process.

4. All significant risks are expressed in terms of their potential impact on project value (risk monetization) and probability of occurrence.

5. Each significant risk has an associated response, that is a set of actions that should be understood in terms of its effect on probability and/or impact. Project NPVs should be accompanied by the list of the key risks along with their probabilities and impacts, both pre and post response. Any risks that have been excluded from project response plans should be clearly identified.

6. Appropriate use is made of those discipline-specific risk processes that are themselves mandatory for technical assurance within each discipline.

[figure 1 four step cycle: identify, assess, respond and control, with the Risk Register at the centre]

The cycle should be performed continuously, throughout each CVP stage, with risks identified, assessed and actions implemented routinely by individuals and their teams on a regular basis. Holistic cross functional reviews of status should be held every few months.

To be effective there should also be an Initiate phase to establish the risk management process in the team and a strategy for the transfer and implementation of ongoing learning both within the Project and across the external project community.

Best practice is to embed risk management into the work processes for the project; it will then form a powerful means of focussing work and resources on delivering those objectives that underpin project performance and value.

A glossary of terms is given in attachment 1 but there is one definition which should be emphasised:

Risk: An event (or set of circumstances) that, should it occur, would have a material effect, positive or negative, on the final value of a project. Risks with a positive impact are called opportunities while those with a negative impact are called threats.

It is also important to distinguish between risk and uncertainty.

Uncertainty derives from imperfect knowledge, and can be represented as a range of possible values or outcomes. Only if the range of possibilities could cause key decisions to change (eg lower than anticipated hydrocarbon volumes lead to a reduction in the required facilities capacity) will the uncertainty translate into a specific risk event.

The risk management process can be applied equally to opportunities or threats. However as a project moves through the CVP stage gate process there is a drive to achieve a scope freeze. As flexibility is reduced, opportunity realisation becomes more difficult. Hence risk management must be initiated early in the project lifecycle so that opportunities can be realised effectively.
A risk can appear as either a threat or an opportunity depending on the current project assumptions. For example, if there is a risk of a fabrication delay through a labour dispute and 4 weeks have been built into the project schedule for this, then incurring only a 2 week delay is an opportunity but an 8 week delay is a threat.

Benefits of good risk management

Companies who have good risk management practices embedded in their work processes consistently deliver more successful projects. The No Wrecks review carried out within E&P in 2002 highlighted that one of the major causes of project wrecks was poor risk management. The UK document 'Internal Control: Guidance for Directors on the Combined Code' (Turnbull Report) and The Public Company Accounting Reform and Investor Protection Act (Sarbanes-Oxley Act) in the US identified the need for a clear auditable risk management process as part of responsible corporate governance.

When implemented properly it:

• Improves the likelihood of success through smarter decision making
  Encourages forward thinking, minimizes sudden shocks and unwelcome surprises.

• Increases visibility of risk
  Involves all stakeholders, thus raises risk awareness and enhances accountability.

• Enhances communication of risk
  Improves the basis for planning, performance management and decision making.

• Adds focus to technical work
  Demonstrates how project and team activities play into the business risks, providing a better basis for the allocation of resources.

figure 2 step by step process

Initiate
• Confirm use of risk management common process
• Select risk register tool
• Define roles and responsibilities
• Define probability and impact scoring scale
• Define risk acceptance process
• Document risk management plan
• Secure team engagement

Risk Identification Event
Event held near the start of each CVP stage, before any major Project milestones. Covers Identify and parts of Assess and Respond steps.

Identify
• Capture project opportunities & threats
• Use people based & List based techniques
• Describe risk events and the nature of their consequences
• Update risk register

Assess
• Rate probability and impact (semi-quantitative)
• Divide risks into highly rated (require more analysis) and lowly rated (no further work)
For highly rated risks:
• Assign risk owner
• Analyse risk for probability (numerical) and impact (monetized)
• Assess manageability (what response strategies are available?)
• Update risk register

Respond
• Risk Owner
  - Develops response strategy, defines actions (and develops contingency plans), delegates responsibility to action owner
  - Assesses post-response probability (numerical) & impact (monetized)
• Project Manager
  - Compares residual risks (ie their post-response ratings) using acceptance process
  - Accepts (residual) risks, or requires that they be reworked
  - Updates budget and manpower plans
• Update risk register and/or action tracking system

Control
• Risk Owner
  - Manages and delivers response plan
  - Monitors risk (is it becoming more likely? Does response appear adequate? etc)
  - Reports status to Project Manager
• Team works response actions
• Update risk register and/or action tracking system

Learn (Risk Close-out Workshop)
• Capture what the team learned about risks in this type of project and how best to manage them
• Update corporate knowledge base of project risks

Risk Register
Risk 1   M    VH
Risk 2   L    H
Risk 3   VH   M
Risk 4   L    VH
Risk 5   M    M
Risk 6   H    L
Risk 7   L    H
Risk 8   VH   M
Risk 9   L    H

Legend: Core risk process; Supporting process; Ongoing risk activity; Discrete risk activity
risk management process - initiate

Initiate

Key outputs
• Risk Management Plan/Strategy fully documented
• Risk Management Roles and Responsibilities
• Risk Acceptance Process
• Engagement of Project Team

The purpose of the Initiate phase is to establish risk management as one of the routine work processes for the team. It requires that the team:

• Understand the risk management process described here.
• List the current risk management activities, and where they fit into the process eg Integrity Management, risk workshops, RUSM, DCUS, TAM, cost & schedule risk analysis.
• Define activities to fill any gaps.
• Select the most appropriate tool to support each activity.
• Describe the what, who and when of the process in a documented Risk Management Plan.

The project should develop the risk scoring system that will be used in the Assess step of the process and include this in the plan (see attachment 2). The plan will also need to identify stakeholders and determine the reporting requirements for external assurance and for communication across the team, BU and other projects (see attachment 5).

The Risk Champion needs to educate the team about the Plan, demonstrating its importance and value and seek their commitment to following it.

There are two important principles:

• Build the Plan around existing activities.
• Avoid labour-intensive tools or processes that the team will not be able to sustain.

Roles and Responsibilities for risk management must be clear (see figure 3). The (Project) Manager (or Single Point of Accountability) is responsible for initiating and leading the risk management process, and integrating the activities into the wider project. Visible Leadership commitment is crucial for risk management to be effective.

The (Project) Team is responsible for performing the risk management activities, executing the risk responses, and reporting on the status of risks. All projects will benefit from appointing a Risk Champion, responsible for:

• Facilitating the risk management activities, not performing them on behalf of the team.
• Developing the Risk Management Plan.
• Developing and maintaining the information system which supports it.
• Providing training to the team.
• Leading and energizing the risk management activities.

The Project Manager should give consideration to making the Risk Champion role a full time position. This decision will be based on project size, complexity and degree of risk exposure.

[figure 3 risk management roles and responsibilities: diagram of the Project Manager, Management Team, Risk Champion, Risk Owner and Action Owner with their responsibilities, linked by two relationship types (direct report, information support)]
Risk Acceptance

The Risk Acceptance Process is a necessary part of project assurance. It is not there to absolve Project Managers of responsibility for managing risk, nor to imply limits to the competence or judgement of the project team.

Accepting a risk means deciding that, conditional on the risk response being executed as planned, the project should proceed despite the presence of the risk. This decision must be made at the appropriate level in the company and is just good project control. To achieve this without overburdening senior management with unnecessary detail, it is necessary to define a Risk Acceptance Process: the process which ensures that the project cannot proceed until all remaining risks have been fully understood and acknowledged at an appropriate level. The Risk Acceptance Process must be understood by the Project Manager and BU leadership and the acceptance thresholds agreed and inserted in the process steps below:

• Threats whose post-response rating is (for example) High or Very High require formal discussion with and acceptance by the BUL (or delegate). Those rated Medium or lower may be accepted by the Project Manager.

• By accepting a risk, the Acceptor acknowledges that he or she has decided that, conditional on the risk response being executed as planned, the project should proceed despite the presence of the risk and takes responsibility for the consequences of that decision. A risk can also be accepted without any response being planned or executed.

• This risk acceptance conversation may happen at any time between completing the risk response plan and making the decision (eg an investment) that brings the risk into play.

• After formal risk acceptance, any change in the risk status (better understanding of the threat or the likely efficacy of the planned response) will be subject to a Management of Change process, and re-acceptance.

• A record of risk acceptance (by who and when) will be made in the Risk Register.

risk management process - identify

Identify

Key outputs
• Team Alignment around Project Objectives
• Documented Assumptions
• Risk Register containing the Risks (Threats & Opportunities) identified

The purpose of the phase is to ensure that all significant risks are identified so that action can be taken to capture the opportunities and mitigate the threats. Many wrecks occur through a poor understanding of the risks.

Risk identification techniques fall into 2 main categories:

People-Driven - Functional peer assists, peer reviews, team discussions, individuals, formal risk identification events, 3rd party input.

Data-Driven - Examination of history, No Wrecks study, project close-out reports, Cost and Schedule Reviews, risks identified on analogous projects, contractor performance.

In general the broader and deeper the collective knowledge applied to the risk identification the more effective and comprehensive it will be. Risk identification should aim to uncover anything which might impact the objectives of the project. It will include HSSE, engineering and technical risk, commercial, markets and financial risk, subsurface and wells risk, project definition, execution and operational risk to name but a few. See attachment 6 for a list of risk categories. This can be used as a prompt for brainstorming risks.

Risks are future events, not current issues and should be clearly articulated in terms of their cause and consequence.

Because data driven methods are concerned with not recreating the past, they generally focus around threats. People driven methods are largely about imagining the future and encourage brainstorming of opportunities and threats, some of which might not have been seen before. For this reason the best approach begins with brainstorming and follows up with a review of a checklist of historical risks.
There should be a formal risk event towards the start of each stage of the CVP process, tailored to that stage and project environment. It is recommended that the Select stage risk identification event be externally facilitated and include holistic cross functional project participation with appropriate peer challenge. For other stages the project can choose to hold events facilitated by the Risk Champion. Guidance on the format (eg process, typical attendees, tools etc) for such events is given in attachment 3.

For the Execute stage risk events should be held at key milestones, eg at the start of detailed design, start of fabrication, start of installation, or start of commissioning, to focus on risks that are particularly pertinent to those phases.

[figure 4 mapping of risk interventions against CVP: table of events and their facilitation (TAM/EE Review, internal; Risk identification event, internal; Risk identification event, external, recommended; Start-up efficiency review, external) against the CVP stages Access, Appraise, Select, Define and Execute (start of detailed design, start of fabrication, start of installation, start of commissioning). Note 1: SUE review workshop ca 12 months before project start-up.]

The identification should be complemented by appropriate peer discussions, as required, to focus on particular functional risk issues. It is the responsibility of all the team to identify risks, and ensure that they are clearly understood at the appropriate level. The Risk Management Plan, created in Initiate, will detail any formal mechanisms in the project for raising awareness, documenting the risk and how to gain approval to assign resources to progress further actions.

The identified risks should be captured in a risk register - a comprehensive list of project risks, presented in a way which facilitates their management (see attachment 4 for guidance on risk registers).

Hints and Tips
It is good practice to establish some key dates to enable the risks to be managed appropriately and to determine the window of opportunity to undertake cost effective management. (See attachment 1 for definitions of Decision date, Assessment date, Trigger and Expiry dates and Target Resolution date).

risk management process - assess

Assess

Key outputs
• Prioritised list of Risks for Response Planning
• Qualitative Risk Data (High, Medium, Low)
• Quantitative Risk Data (Three Point estimates)
• Risk-weighted Project Performance Metrics, eg NPVs
• Risk Register updated with assessment results

The purpose of the Assess phase is to rank the risks in terms of potential importance and decide which ones are active and thus require response plans. The first step of Assess is to filter out risks that are thought to be trivial and discard them from the risk register. The second step is to identify risks that are not relevant at the current stage of the project, but which may become important later. Such risks are classed as dormant in the risk register; these dormant risks should be reviewed periodically by the risk champion so they can be reactivated at the appropriate time. The remaining risks that are deemed both important and relevant at this project stage are classed as active in the risk register and then taken forward for more rigorous assessment and response planning (see figure 5).

Each risk on the active list should be assessed to determine:

• The probability of the risk event occurring.
• The potential impact of the risk if it occurs.
• The ranges of uncertainty in impact and probability.
• The risk rating (a function of probability and impact).
• How easily the risk can be managed.

Assessment techniques are described in attachment 2. Risks that are deemed active should be assessed using quantitative approaches. These risks should be monetized as stated in the Project Principles, ie expressed in terms of NPV impact. This will promote quality conversations on risk, enabling effective ranking and development of realistic (rather than optimistic) project performance metrics.
[figure 5 the life cycle of a risk: flow diagram of risk process actions (Identify Risks, Discard Trivial, Assess (prioritise), Periodic Review, Response Plan, Seek Acceptance, Implement Responses, Control Responses, Risk Occurs?, Implement Contingency Plan) and the risk statuses they lead to]

Risk statuses shown in figure 5:
• active - Risk live and needs further work
• accepted - Risk live and needs no further work than already planned
• dormant - No work currently required; review periodically
• closed - Risk no longer considered capable of further impact

Whereas the project controls function can provide significant support in valuing risks in terms of cost and schedule impacts, the commercial function should facilitate the process of converting risk impacts into monetized values. By performing sensitivity analyses on the project economic model, a common impact scoring scale can be created, which ensures that the ranking process is consistent. The matrix enables the team to compare commercial risk vs schedule risk vs cost risk vs operability risk etc, and should be made available across the project and used to assess each and every risk identified.

Active risks should therefore be assessed further to quantify their potential impact on project objectives and be included in the project outcomes, eg NPV, Capex, Schedule etc. In some cases, the uncertainty around a risk may be so great that it is not initially possible to determine its rating; in such cases the uncertainty should be flagged and work should be performed to reduce the uncertainty range to a level where the risk can be properly assessed.

Assessment techniques are implemented in two main ways:

• In a Risk Identification Event to focus teams quickly on what are the key project risks and gain common understanding and alignment.

• As part of an ongoing programme of work to gain a better understanding of risk probability, its impact and the uncertainty in those assessments.

Assessment results from the risk workshops and work programmes should be fed into the risk register and updated when better information becomes available. Assessment techniques to understand more fully the impacts of risk and uncertainty on hydrocarbon resources/cost/schedule/drilling performance are usually carried out by risk expertise within the discipline functions. Typically, these functions develop their own tools to model the risk and uncertainty in their area of expertise, eg Sub-surface (Risk 2000), Cost (Brisk) & Schedule (Predict Risk Analyser), Drilling, HSSE etc. The results should be fed into the risk register.

Functional Stage entry requirements are given in the Major Projects Common Process. This document does not seek to detail all the functional risk processes that can be applied and to find out more about a particular process/tool contact the relevant function directly.

The outputs of these various functional processes are expressed in a variety of ways: cumulative probability curves, tornado sensitivity plots, text etc. To understand their combined effect on the project value these need to be translated into a common measure. Some projects are integrating these various types of risk information to produce risk-weighted NPVs along with associated accuracy ranges and to highlight those risks and uncertainties which have the greatest impact. This enables them to provide better focus to their teams on the risks that drive project value. The outputs from the integrated model can be used to inform decision making through a better understanding of potential outturns and the associated performance envelope. Further information is given on this technique on the Risk Forum website http://risk.bpweb.bp.com
Following assessment, some risks may be accepted without the need for further work, whilst those that are still classified as active will require the development of response plans. The ranking process will enable the project to prioritise the development of response plans.

Hints and Tips
• Experience suggests that the more quantitative the assessment technique used, the fewer the number of risks that are found to be really significant and worthy of attention by the team. This helps with project workload.
• When applying quantitative techniques using probability distributions to describe impact and uncertainty, remember the best distribution is one you can defend. Describe the scenarios that generate your worst, most likely and best input assumptions, and document them.
• Conversation that is focussed around scenarios almost always leads to a much clearer articulation of the risk. Clear articulation leads to robust and focussed response plans.
• Risk registers usually contain more threats than opportunities. If the probability of the threat is determined at well over 50% (see attachment 2) then the team believe the event has far more chance of occurring than not. Consider including the threat impact in your base case (ie add capex to your estimate, add time to your schedule, remove bbls from your resource estimate). The risk can now be described as an opportunity to add value with a probability less than 50%. This has the two beneficial effects of defining more realistic base cases as well as providing opportunities to capture.

risk management process - respond

Respond

Key outputs
• Documented Risk Response Plans - including opportunity capture, threat mitigation and uncertainty reduction plans
• Implement Response Plans
• Assigned Risk Owners and Action Owners
• Key Decision Dates and Action Timelines
• Prioritised list of Residual Risks
• Contingency Plans
• Risk Register updated with response information

The purpose of the Respond phase is to develop and implement effective risk responses that create or protect more value than the cost of the response.

Every risk must be assigned an owner responsible for developing the response plan, monitoring its effectiveness and reporting its progress. The owner may delegate risk response actions as necessary.

Each action to mitigate a threat or realise an opportunity must have an owner, a clear
set of deliverables and a timeline. It is good practice to identify a clear target resolution
date by which an active risk response should be complete or at least showing favourable
results.

Whenever a risk is neither eliminated nor reduced to insignificance, a contingency plan for its occurrence will be required. Thorough contingency planning is one of the keys to effective risk management. It reduces the chances of poor decisions being made, in a hurry, without adequate consultation.

The response plans, risk owners, action owners and any contingency plans along with
review dates and target completion dates should be documented in the Risk Register.
See attachment 4 for a comprehensive list of the types of information which should be
recorded.

risk management process - respond

All risks classed as active require response plans. For some risks, the appropriate
response may be "do nothing". When a plan has been developed the post response risk
rating should be determined by reassessing the probability of occurrence and impact
assuming the responses will be successful. The risk owner should seek acceptance at
the appropriate level (determined in the Initiate phase) of both the response plan and
residual risk. If the risk is accepted it requires no more work than that already planned
in the response.

Risks classed as dormant do not require work at this time but should still be retained
in the risk register. They are periodically reviewed and may have their status changed
to active and thus require response plans. Figure 5 shows how the status of a risk
can change during its life.

The planned responses should be commensurate with the importance of the risk they
are addressing. Risk response actions and contingency plans must be weighed against
the value they create or protect and also compared against the value created by
competing project activities. If the value is significant and no resources can be made
available then this should be used as justification for acquiring additional resources,
either internal or external. Risk response plans and contingency plans must be covered
in project budgets.

Response plans may include a combination of: proactive risk responses (eg opportunity
realisation, threat mitigation); reactive risk responses (eg contingency plans, intervention
strategies); or uncertainty reduction in cases where the risk is not yet adequately
defined. Most response planning focuses on either how to affect the probability of an
event occurring or affect the impact (reducing for threat and increasing for opportunity).
However, where there is high uncertainty in probability and/or impact the first step may
be to improve knowledge, eg drill more appraisal wells, shoot or re-process seismic,
take fluid samples, well tests, market surveys of contractors etc.

Hints and Tips
• Make use of the risk workshop to formulate outline response plans to ensure the thoughts
  of the challenge peers are captured.
• Work the risk responses in groups, two heads are better than one.
• Engage appropriate functional experts and other projects to find best practice
  (ie responses that worked and ones that didn't) and learn lessons.
• Reassess the response plans for new risks.

Contingency Planning (eg Emergency response)
• Contingency plans should form part of the project execution plan, be thought through
  equally carefully, and be documented to the same level of detail.
• Contingency plans must themselves be risk assessed. Do they introduce additional risks?
• The range of circumstances covered by the plan must be clear. The team must recognise
  when the situation is outside that envisaged by the plan, and needs reappraisal.
• Everyone involved in its execution must understand the contingency plan.
• For some types of risk (eg sub-surface) it may be appropriate to develop a Surveillance Plan
  to give an early warning that a risk is occurring. The Surveillance Plan should be appropriate
  to be able to identify the trigger condition and the costs of this surveillance should be
  included in the execution plan.

risk management process - control

Control (includes monitoring and reporting)

Key outputs
• Risk Reports
• Routinely Maintained Risk Register
• Updated Project data

The purpose of this stage is to ensure that risk management lives as a core element
of everyday project management process. The control phase comprises the monitoring,
review and reporting of risks and their associated response plans to ensure that progress
is being made towards closing out risks. Experience shows that this is often where
teams slip in performance, thus making the risk management process much less effective.

Action Owners are responsible for implementing the individual risk response actions and
for informing the Risk Champion and the Risk Owner of their status.

Risk Owners are responsible for assessing the status of the risk, based on the
effectiveness and progress of the response plans and for informing the Risk Champion
and the management team/project manager.

The Risk Champion is responsible for:
• Facilitating the risk process, updating the risk register and reporting to the PM
  and management team (see attachment 5 for examples of reports).
• Coaching and supporting the Risk and Action Owners in their roles.
• Highlighting risks where actions are not being executed in a timely manner.
• Highlighting risks that are not responding to treatment.

The Project Manager is responsible for ensuring that:
• The PUL/BUL is kept fully apprised of the status of all risks for which they are
  accountable as described in the acceptance process.
• All significant risks are described in FMs and stage gate documentation.

Projects that cannot demonstrate progress in closing out actions to reduce uncertainties
and threats and realise opportunities are likely to be required to cycle back through that
stage. Acceptable levels of risk and uncertainty will be determined by the accountable
manager in the Business line.

Hints and Tips
• The Project Manager must keep the project team fully engaged in the management of risk.
  Risk should be discussed as an integral part of the regular project progress meetings and
  should be prominent on the agenda. High visibility and constant communication are
  essential.
• Regularly - at least every 3 months, the project (Risk Champion) should undertake a
  comprehensive cross functional review of the risk register with the results communicated
  widely in the project.
• Do not attempt to review the whole risk register as part of a large cross functional meeting.
  The attendees will soon become bored and disengaged. The risk champion should review
  the risks in small functional groups and then formulate a hit list for discussion in a wider
  forum.
• Monitoring risks. Are there early warning signs that occurrence is becoming more likely?
  Are the assumptions made during analysis still valid? Is the contingency plan ready to go?
• Actions must be closely monitored with overdue action reminders, with regular (minimum
  every month) risk meetings held to review actions (name and shame) and close-out risks.
• The risk register should be a live document and if possible made available on line to all
  (tools such as Risk Controller from Risk Decisions, provide this environment).

risk management process - learn

Learn

Key outputs
• Lessons Learned
• Updated list of historical Project Risks
• Successful Risk Response Strategies
• Failed Risk Response Strategies
• Improved Risk Management Process

The purpose of this stage is to ensure that lessons learned to date in the risk management
of the project are correctly analysed, recorded and made available for future use.

Capturing the knowledge accumulated in a project is essential for improving practices
and avoiding repetition of mistakes in later stages of the same project or subsequent
projects. The learning process should be embedded in the ongoing risk management
process. However at the end of a CVP stage there should be a special effort to ensure
knowledge is documented before moving on.

As the team approaches the end of each CVP stage it should:
• Identify analogous projects that are about to enter that stage and offer a coaching
  session to transfer risk lessons.
• Identify analogous projects that are nearing the end or have recently completed the
  next CVP stage and request a coaching session to transfer their risk lessons.

Often there are significant changes in personnel when a project moves from one stage
to another, particularly as the project increases its manning levels and engages more
consultants and contractors. Effective knowledge management is important for enabling
new team members to have a rapid and efficient learning curve. If team members leave,
their knowledge must not leave with them. It is important that all new personnel are
briefed on the risk management process being used, the contents of the risk register
and are encouraged to contribute to risk identification.

The risk register should be a key resource for capturing risk information that can be
shared across BP.

Every project should provide an electronic download of its risk register at project
close-out. Consideration is being given to developing a central library of risks and
responses. The intention is to make this available to future projects and also use it to
update risk tools. The risk register should be sent to the segment Head of Projects,
who will ensure that this is included in the library.

Hints and Tips
• Take time to record outcomes, successful or otherwise:
  • What risks were identified in advance?
  • What risk events actually happened?
  • What was the impact?
  • What was the project response? Was it effective?
  • What should be done differently next time?
• Publicise key learnings inside and outside the project on a regular basis, eg with posters
  in prominent places.
• Give people time and space to communicate learnings (Peer reviews to others etc). This
  will involve making Learning a specific part of the project plan, with adequate resources
  allocated to it.
• When choosing your risk register tool, consider how you will share learnings with relevant
  sites and 3rd parties. Lesson transfer will be aided by using common tools and formats for
  the risk registers.

Improving Risk Management Maturity
Risk Management should be a learning process. To help projects understand how
to improve their effectiveness in managing risk, each project should conduct an
assessment of their Risk Management activities. This will include self-assessment
questionnaires to project team members and other interested parties and structured
interviews with key players. Risk Management Maturity should be reviewed annually,
gaps identified and plans put in place to close them. Teams should carry out the
assessment against a number of criteria (culture, process, experience and application)
to help them focus on where performance improvements can be made.


The review should be led by the Risk Champion with two other senior team members
and if possible a risk champion from another project. However, an external (to the project)
assessment is available to those projects who wish to access the benefits of an unbiased,
independent review.

Where teams believe they have achieved excellence in a particular area, eg Risk Management
Culture, they should share their success with other teams by running a coaching workshop.

To further help build capability, see the Project Management College website for the
latest course offerings in Risk Management.



risk management - the supply chain

Typically 70% of the man-hours and over 80% of the costs associated with BP Major
Projects are expended by BP's contractors and suppliers. Their competence to manage
risk on our behalf is fundamental for successful project delivery. Effective management
of these risks requires early engagement to understand project risk (eg constructability),
assess their competence and capacity to manage such risks and to ensure they are
aligned with the optimised Project Contracting Strategy.

In developing any Major Project Contracting Strategy, a key part of the process is to:
• Establish the major risks associated with the project.
• Examine options for managing these risks.
• Select the best options for managing these risks.
• Identify key contractors/suppliers who have the capability and capacity to execute
  and manage the risks.

In preparing pre-qualification questionnaires and tender invitation documents, it will be
necessary to reflect the project contracting strategy and to articulate specific project/
contract risks. This enables the contractor/supplier to plan, budget and provide adequate
resources for managing risk. Contract claims often arise because of a poor understanding
of contractual risk.

All contracts should be reviewed from the perspective of potential litigation and
appropriate levels of contract legal assurance applied.

During the supplier/contractor selection process, BP project teams should review and
request evidence of the maturity of the supplier's risk management processes, ie
the effectiveness, managerial capability, and track record in recent projects. Evidence
of the processes, tools and risk management capability used to manage risk within
their organisation can be sought by asking suppliers to provide a list of major risks
within their bids.

The allocation and ownership of risks in a contract is determined by a number of factors
including applicable law, contractual terms and any indemnities the parties may give
each other to alter the position at law. The financial impact of project risk can, in part,
be mitigated by transferring the liability for the financial consequences of risk from
BP to its contractors and suppliers. As a rule, contractual transfer of risk from BP to a
contractor should only occur if the Contractor/Supplier is able to manage that risk more
effectively than BP or the applicable law has established precedent, eg third party risks.

Prior to contract execution there should be a risk identification, allocation and alignment
meeting with senior level SPAs for the project and principal contractors to ensure that:
• Suppliers have identified risks (opportunities/threats) within their scope and
  interfaces that may impact the success of the contract.
• Within the confines of the contractual relationship, BP has communicated any risks
  they perceive and agreed ownership of those risks with the contractor.
• Adequate contract provisions are included to manage any risk and reward schemes
  with clear understanding of liability.
• There is an agreed Management of Change (MOC) process for the contract scope.
• There is an early warning process for the contractors to highlight major delivery
  risks to BP. The contractor will be expected to detail and gain agreement for any
  proposed responses to those risks.
• Where appropriate (eg major/critical contracts) suppliers share their risk register
  with BP and demonstrate that an effective, adequately resourced, risk management
  process is being applied. This may involve regular reporting, meetings and audits
  as required within contracts.

For each major contract a risk register should be maintained which documents risks,
their response plans and tracks the progress to close out. During contract execution
the BP project Risk Champion will ensure that the project team are kept apprised of
the status of any risks managed by any contractors/suppliers.



attachment 1
risk management glossary

Accepted: The status of a live risk in which no further work needs to be
performed beyond what is already planned.

Active: The status of a live risk which requires further work.

Assess: The phase of the project's risk management process in which further
information is gathered about each identified risk. Assessment will include
estimating the probability and impact of specific risks and their combined effect,
and their inherent uncertainties, using qualitative, semi-quantitative or
quantitative techniques as appropriate.

Assessment date: The date before which the risk MUST be assessed.

Capital Value Process (CVP): A gated business process that is used to frame
in business decisions. It is a structured and integrated approach to project
selection, development and execution, resulting in enhanced Capital Productivity.

Boston Grid: A diagram that plots the risk rating (probability x impact) on the
y-axis vs the perceived manageability of the risk.

Closed: The status of a risk no longer considered to be able to impact the
project.

Contingency: See unallocated provision (UAP).

Contingency plan: A planned and documented set of actions to be taken
in response to a risk event when it has occurred. Usually related to threats rather
than opportunities and implemented if proactive response plans have not
been identified or have failed to prevent occurrence of the event and/or its
impact. The cost of these reactive responses is met from contingency.

Control: The phase of the project's risk management process concerned with
monitoring effectiveness and progress of the risk management process, ensuring
that the requirements and deliverables of the risk management plan are met.

Decision date: The date on which a decision needs to be made on
management strategy for the risk.

Decision tree: A branched diagram consisting of a sequence of nodes
(representing decisions or uncertainties) and outcomes associated with each
branch. The purpose of a decision tree is to define the set of scenarios and
the sequence of events that guide the evaluation of risk and return.

Deterministic Value: A single number value, not accounting for uncertainty
ranges.

Dormant: The status of a risk in which no work is currently required. The risk
will be periodically reviewed for a change in that status.


Event: Occurrence of a particular set of circumstances.

Expected value: The weighted average outcome using the probabilities as
weights. For decisions involving uncertainty, the concept of expected
value provides a way of selecting the best course of action and of forecasting
portfolio level performance.
Note: Do not confuse expected value with most likely. If, for example, an event has a
90% chance of yielding $10 but a 10% chance of yielding zero, then the expected value
is $9 although in an individual case this outcome is impossible and the most likely
outcome is $10.

Failure: The outcome when expressly-defined project goals are not fully met
(cf. Success). In a project, it is critical to set unambiguous success and failure
criteria.

Holistic: Consciously including all relevant disciplines and influences which
might affect the project.

Identify: The phase of the project's risk management process in which
the risk events relevant to the project are identified and articulated as
comprehensively as possible.

Impact: The effect on the project objectives if the risk event should occur.
Ideally expressed in monetized terms.

Initiate: The phase of the project's risk management process in which the
scope, objectives and context for the risk management process are defined.

Intervention: See Reactive risk response.

Manageability: An expression of the ability to mitigate a threat or leverage an
opportunity, demonstrated by creating response plans that are expected to be
effective.

Mitigation: A Proactive risk response to a threat. (see Proactive risk response)

Monetized: A risk is said to be monetized if the impact is expressed in financial
terms, usually dollars. In cases where financial measures are not practical,
oil volumes (eg in exploration) or other appropriate quantitative units may be used.

Monte Carlo simulation: A statistical analysis process that takes a random
sample from each of the input probability distributions and combines the sampled
values according to the equations in a model to produce an overall probability
distribution for the output.

Opportunity: A risk that, should it occur, would have a positive impact.

Proactive risk response: An action or set of actions to reduce the probability
or impact of a threat (or delay its occurrence), or increase the probability
or impact of an opportunity (or bring forward its occurrence). Proactive risk
responses, if approved, are carried out in advance of the occurrence of the risk.
They are funded from the project budget. (see Mitigation)

Probabilistic: A modelling approach in which inputs are recognized to have
uncertainty, and consequently model outputs also have uncertainty ranges.

Probability: The likelihood that a particular risk event will occur, usually expressed
on a scale of 0 to 100 percent. Probability may be expressed as a deterministic
value (ie single value) or as a range/distribution of values incorporating
uncertainty.

Probability distribution: A mathematical relationship between possible values of a
variable and their associated probabilities. Typically, probability distributions are
displayed as frequency or cumulative frequency plots.

Probability Impact Grid (PIG): A diagram depicting the importance of a risk and
which plots probability on the x-axis and impact on the y-axis.

Project objectives: The measurable aims by which the success of the project will
be assessed.

Promise: A guaranteed outcome that has not yet occurred.

Qualitative assessment: An approximate assessment of risk using knowledge,
judgement and analogue information, but without quantitative analysis. Qualitative
techniques include the definition of risk, the recording of risk details and relationships,
and the categorization and prioritization of risks relative to each other.

Quantitative analysis: Combining actual or estimated numerical values of inputs
with an assumed or known relationship between values, using arithmetic or
statistical techniques, to determine a range of likely outcomes, or to
understand how variance in one or more inputs is likely to affect the outcome.

Reactive risk response: An action or set of actions to be taken after a risk event
has occurred (as defined by the trigger condition) in order to reduce or address
the effect of the threat, or maximize the effect of the opportunity. The cost of
reactive risk responses is met from contingency (Unallocated provision).
More usually applied to threats, and detailed within a contingency plan.

Residual risk: A loose term that means the rating of the risk after the responses have
been executed.

Respond: The phase of the project risk management process in which responses
are planned and implemented.

Risk: An event (or set of circumstances) that, should it occur, would have a
material effect, positive or negative, on the final value of a project. Risks with a
positive impact are called opportunities while those with a negative impact are
called threats. Risks may be characterized by (1) their probability
of occurrence, and (2) the impact of occurrence on the project value
(expressed in monetized terms where possible). Either or both of these
parameters may be represented by a probability distribution where the true
value is uncertain.

Risk acceptance: The documented process by which management
demonstrates that the risks inherent in a project are acceptable from a business
perspective on the understanding that response plans are completed.

Risk acceptance criteria: The criteria which define for the project team those
risks which require specific acceptance by management. These criteria are
developed in the initiate stage and are usually defined using a matrix of
probability versus impact. This matrix is termed the Probability Impact Grid (PIG).

Risk analysis: Assessment and synthesis of the risks affecting a project to gain
an understanding of their individual and combined impact on the project
objectives. This forms the basis for prioritizing risk responses.

Risk assessment: The process of identifying and evaluating the risks
associated with a project. Risk assessment should be semi-quantitative or quantitative,
and should be conducted using accepted professional methods and criteria.

Risk management: The overall process whereby project risk is identified,
described, understood and responses to the risks are formulated, justified,
planned, initiated, progressed, monitored, reviewed, adjusted and closed.

Risk management maturity: A measure of the extent to which a project or
organization formally applies effective and efficient risk management to
support decision-making and increase project value.

Risk management plan: A document defining how risk management is to be
implemented in the context of a particular project.

Risk rating: A measure of risk importance, usually using a combination of probability
and impact. May be expressed semi-quantitatively or quantitatively.

Risk register: A tool (spreadsheet or database) containing all the risks
identified for a project, along with a description of each risk and a documentation
of information relevant to the ownership, assessment and response of each risk.

Risk response: Action taken to reduce the probability of a threat arising or to
reduce its impact if it were to arise. For an opportunity, the response aims
to increase the probability of it arising and to increase its beneficial impact.
Proactive risk responses (mitigations) are funded from within the project
budget, while reactive responses (interventions) are funded from
contingency.

Risk response plan: Documented plan detailing a risk response.

Risk status: At any point in the life of a risk, it is either active, dormant,
accepted or closed. Transition between these states is illustrated in
figure 5 (Life Cycle of a Risk).

Risk-weighted: The result of impacting one or more outcomes from an uncertainty
assessment with risk(s). Risks might take the form of specific losses (ie,
costs), the impact of failure (failure to achieve a goal), or other representations.
It is typically expressed in a risk-weighted value such as a Net Risk-Weighted value,
an Economic-Risk-Weighted-Resource value, (or various other risk-weighted
parameters), and/or by impacting the Y-axis (probability) intercept of a
cumulative-frequency curve on a cumulative frequency plot. (See uncertainty
assessment, risk, and probability distribution).

Semi-quantitative: probability and impact are expressed by a descriptor
(eg High), which is defined by a range of values (eg 5%-15%, $100k-$500k).

Stakeholder: An individual or organization that has an effect on, or could be affected
by, the outcome of the project.

Success: The outcome where expressly-defined project goals are fully met.
Note: It is important that success criteria are clearly defined.

Target resolution date: The date at which the active risk responses should
be completed or at least showing favourable results.

Threat: A risk that, should it occur, would have a negative impact.

Trigger condition: A definition of the circumstances in which a risk is deemed
to have occurred, or upon which a reactive response will be initiated.

Trigger and Expiry dates: The range of dates over which the risk will impact if
not managed.

Unallocated provision (UAP): A sum of money to be included as an additional
provision in the project cost estimate, used to cover goods and services
that are currently undefined, but which the probabilistic estimate shows will
be needed to achieve the project objectives. This sum covers the
implementation of risk contingency plans.

Uncertainty: A representation of the possible range of values associated with
either (1) a future outcome or (2) the lack of knowledge of an existing state.
Uncertainty can be expressed as a deterministic quantitative value (ie a
single number), a qualitative value (high, low, medium, etc), or as a probability
distribution (ie a range of quantitative values and the likelihood that any value
in the range will occur).

Uncertainty assessment: The process of combining uncertainties, as with a
Monte Carlo Simulation, to generate output parameters expressed as
probability distributions. No involvement of risk is implied. Example: Multiplying
ranges of possible lengths, and widths to arrive at a range of resulting possible
areas. (see Monte Carlo simulation, probability distribution, and risk).

attachment 2
risk rating

Probability and impact can be assessed in two ways:

Quantitative (recommended): probability and impact are expressed either as single
numbers (eg 15%, $80k) or as simple distributions (eg min=5%, likely=15%, max=40%).

Semi-quantitative: probability and impact are expressed by a descriptor (eg High),
which is defined by a range of values (eg 5%-15%, $100k-$500k).

Semi-quantitative assessment is a good way to quickly determine which risks are less
important and can therefore be excluded from further consideration. More important
risks should be analysed in more detail to improve understanding of their cause,
consequence and effect on project value.

Qualitative: assessments, using descriptors which are not referenced to values, are
not recommended since they preclude any further analysis of overall project riskiness.

Impact scales for threats and opportunities
Whether using quantitative or semi-quantitative assessment, risks should be placed
on a Probability-Impact Grid (PIG), sometimes known as a Risk Rating Matrix.
By classifying probability and impact on an agreed scale, the PIG:
• Creates alignment across the team on the relative importance of each risk.
• Provides a basis for prioritization of risks for response planning.
• Generates a graphical snap-shot of project risks which can form the basis
  of useful conversations.

The PIG classifies the impact of a risk against different, parallel scales representing
different value drivers:

Most commonly used scales
• Cost
• Pre-sanction schedule
• Post-sanction schedule
• Reputation
• Production
• Reserves accessed
• Operability
• HSSE

For Cost, Schedule, Production and Reserves, the same value based scale can be used
for both threats and opportunities. For Health and Safety, the base case is zero events,
so that the scale need only refer to threats. Since real opportunities may exist for
enhancing both Reputation and the Environment, alternative scales measuring this
impact will be useful. See figure 7.

Most risk events can have a variety of potential outcomes, so that the impact can only
be adequately described by a range or distribution. For the purposes of placing on a PIG,
a single, deterministic impact value must be chosen. For consistency, this should
represent the most severe likely consequence of the risk event.

For fully quantifiable impact types, the first step is to agree the gains or losses in Project
value (NPV) that could be classified as Very High impact eg a threat that erodes 50% of
the NPV. Further discussion should agree values for the High, Medium and Low categories.
The gains or losses should be equal and opposite as this ensures that opportunities and
threats are given similar priority. Then, using the project economic model or similar,
sensitivities should be run, by the commercial analyst, to permit a value-based assessment
of how different impacts compare: what schedule delay or capex increase or production
gain/loss equates to the same gain/loss of project NPV in the model. This provides a
robust basis for the matrix. It is recommended that the matrix is expressed in terms of
values rather than percentages eg NPV ($m), Capex ($m), Schedule (months), Production
(bbls) etc. Those impact types which are considered less appropriate to measure directly
by means of project NPV (eg Health and Safety) can have their levels described and agreed
by discussion. In instances such as these, our Brand Values are elevated above a purely
financial impact. Other Impact types such as reputation are thought to fall into the same
category as Health and Safety, but often these can be described with actual value based
impacts through understanding of the loss or gain in business opportunity. The PIG will
then be understood and agreed by the Project Manager.

For consistency and comparability, semi-quantitative scales for both probability and impact
should have at least four levels (see figures 6 and 7).

Risks will primarily be identified and handled at functional team level. Some risk impacts will be significant enough to require attention at the Project Team level or Business Unit level or even higher. The project may therefore need to develop a hierarchical suite of probability impact grids that provide the required granularity at these differing levels.

For example the most significant risk a functional team faces may have a value impact of $100k. At a project level where the impact threshold for a medium impact risk could be $500k this risk would be Low and may not even warrant discussion at this level. It can be de-motivating for a team to have all its risks ranked as seemingly unimportant.

Whether or not risk responses are developed and implemented should be based on value gained versus cost of implementation. The functional team scoring system should be based around appropriate thresholds to facilitate and encourage proper risk response prioritisation.

figure 6 scoring scale example - probability

Scale | Description | Probability | Frequency
High | Likely | >25% | Greater than 1 in 4 projects experience this
Medium | Less likely | 5% to 25% | Circa 1 in 10 projects will experience this
Low | Unlikely | 1% to 5% | Circa 1 in 50 projects will experience this
Very Low | Very unlikely | <1% | Less than 1 in 100 projects will experience this

Figure 7 scoring scale example - impact (example only)

Very High
  NPV: More than 50% of project NPV ($M)
  Capex: Capex ($M) that would cause NPV to vary by more than 50%
  Schedule: Schedule change (months) that would cause NPV to vary by more than 50%
  H&S: One or more fatalities or multiple permanent injuries
  Environment (threats): Damage long-term and/or extensive
  Reputation (threats): Severe outrage. Prosecution. Possible loss of operating license
  Reputation (opportunities): Commended by NGOs at international level. Worldwide recognition

High
  NPV: 10% to 50% of project NPV ($M)
  Capex: Capex ($M) that would cause NPV to vary by more than 10% but less than 50%
  Schedule: Schedule change (months) that would cause NPV to vary by more than 10% but less than 50%
  H&S: Serious injury or DAFWC HiPo
  Environment (threats): Short-term damage within facility boundary
  Environment (opportunities): Long-term and/or extensive improvement
  Reputation (threats): Involvement of regulator
  Reputation (opportunities): Commended by NGOs at national level. Recognition within country

Medium
  NPV: 2% to 10% of project NPV ($M)
  Capex: Capex ($M) that would cause NPV to vary by more than 2% but less than 10%
  Schedule: Schedule change (months) that would cause NPV to vary by more than 2% but less than 10%
  H&S: Recordable injury. First Aid. Serious occurrence.
  Environment (threats): Rapid on-site clean-up within facility boundary
  Environment (opportunities): Short-term improvement
  Reputation (threats): Complaints from local community
  Reputation (opportunities): Commended by NGOs at a local level. Recognition within area

Low
  NPV: Less than 2% of project NPV ($M)
  Capex: Capex ($M) that would cause NPV to vary by less than 2%
  Schedule: Schedule change (months) that would cause NPV to vary by less than 2%
  H&S: Minimal Impact
  Environment (threats): Minimal Impact
  Environment (opportunities): Minor enhancement
  Reputation (threats): Minimal Impact
  Reputation (opportunities): Recognised positive contribution within BP

Risk Rating and Risk Acceptance Process

The rating of a risk is a simple combination of probability and impact. It is, in effect, a semi-quantitative scale of the probability-weighted impact. Both the probability and the impact of a risk may change as a result of risk responses. These changes can be usefully illustrated by means of pre-response and post-response PIGs.

The risk rating scale is useful in an important aspect of project governance known as Risk Acceptance. This is the formal process by which management:
• Acknowledge the existence and size of (post-response) risks.
• Approve the adequacy of the response plan.
• Allow the project to proceed, despite the residual risk (which may still be very significant).

Only the most important risks (for example those rated High or Very High on the Post-response PIG) need to be formally accepted by management.

figure 8 probability impact grid (showing Risk Ratings)

Impact \ Probability | Very Low | Low | Medium | High
Very High | Medium | High | Very High | Very High
High | Low | Medium | High | Very High
Medium | Very Low | Low | Medium | High
Low | Very Low | Very Low | Low | Medium

Manageability is the ability to influence risk through risk responses (proactive or reactive) and is an important consideration when determining priority. It should be described as high, medium or low when plotted against risk rating on a matrix often referred to in BP as a Boston Grid (see attachment 5).

Manageability reflects the ease by which a risk can be mitigated or realised. It can be demonstrated directly by the use of pre and post-response PIGs: a threat which can be moved from a high rating to a significantly lower one by appropriate risk response is deemed to be highly manageable. This technique provides a more rigorous way to assess manageability and is recommended (see attachment 5).

figure 9 scoring scale - manageability

High | Within the control of the Project Management team. Can control probability and/or impact.
Medium | Within the influence of the Project Management team. Can influence probability and/or impact.
Low | Outside the influence of the Project Management team. Can only influence impact.

attachment 3
risk identification events

For Major Projects there should be at least one integrated cross functional risk identification event in each of the CVP stages. These should consider the risks around the whole business case.

Figure 4 gives a matrix of risk identification events by CVP stage. The most frequent intervention will be an internally facilitated generic multi-disciplined workshop which reviews the current risks identified and brainstorms further potential risks. For the Select stage it is recommended that the workshop be externally facilitated, by a recognised risk coach, and as well as wide project participation will also include significant external peer challenge. Some peer challenge is beneficial at all risk workshops.

The event should be tailored to the particular stage. The Appraise stage event should have greater emphasis around country, commercial, marketing, new technology issues and less on project design/execution and operability, whilst the Execute review will have increased focus on execution and operability issues. This merely reflects that most risks have a finite window for impact and there is an optimum time for responses to be effective. The Execute stage is generally much longer than other CVP stages and it is recommended that events are timed around key milestones, particularly when there are significant changes in project personnel, ie as new contracts are let when moving from design to fabrication to installation and into commissioning.

These larger, holistic workshops should be supported as appropriate by smaller events which focus on particular functional areas or work areas, eg subsea, topsides, drilling. These should include a review of the relevant current risks held in the risk register. It is recommended that these are facilitated by the Project Risk Champion, where practicable.

In the Access stage Exploration use the TAM (Technical Assurance Memorandum) Process to support their risk identification.

An important risk event in Execute, for Major E&P Projects is the Start-Up Efficiency (SUE) review. The optimum timing for this review is 6 to 12 months prior to project start-up, but this can stretch to 1 to 2 years for a large (>$1bn) project. It will build upon the start-up issues already identified and held in the risk register to provide a comprehensive opportunity and threat list complete with actions, owners etc. Although the tool is self contained on an Excel spreadsheet, all threats and opportunities identified should be held on the risk register. There is a great opportunity to generate SUE review output directly from the risk register, integrating the whole process into the everyday risk management of projects.
The output from all these events should be used to populate the project risk register.

Some guidance on holding a risk Identification workshop is given below:

Workshop Preparation
• Pre-planning for the workshop is essential, especially setting boundaries, defining objectives and identifying key participants.
• Set aside enough time for quality discussions to take place. A typical Major Project should allow 1 to 2 days. Minor projects should allow a full day if possible.
• Use a facilitator experienced in the risk process (eg the Project Risk Champion) to encourage a forum which allows open and honest discussion.
• Be holistic, get all the right functions present including some quality external peer challenge. The mix will change according to the focus of the CVP stage. Typical functions include Country risk, Government Affairs, Finance, Commercial, Marketing, HSSE (both safety and environmental experts), Facilities Engineers, Construction/Project Execution, Cost and Planning, Operations.
• Agree the scoring scale to be used in the workshop. This will normally be already described in the project Risk Management Plan.
• Agree the risk categorisation (see attachment 6) to be used for grouping risks. This can also be used as a list of risk sources to act as prompts in the brainstorming. Compile lists of historic risks for use as a completeness check following the brainstorm. The No Wrecks Review root cause list can provide a basis for this.
• Make available any existing project risk registers. Look for analogous projects and review their risk registers.

Key Workshop steps
• Understand and agree exactly what the business opportunity is and its alternatives (particularly important in the Access & Appraise stages).
• The Project team/PUL should articulate the context, status and key issues for this Investment opportunity reflecting the current CVP stage.
• Commence with a short brainstorm (using post-it notes) of 5 to 10 minutes to enable participants to articulate the risks which are foremost in their minds.
• Introduce the list of potential risk sources to prompt further holistic identification of risks. Suggest participants focus on opportunities first before moving onto threats. Risks should be articulated clearly with their cause and consequence.
• Use the risk categorisation to group all the identified risks from the brainstorming.
• Through plenary or syndicate discussions sort the risks for duplicates and agree risk descriptions.
• Introduce the current project risk register, generic lists of risks from previous projects and current analogous projects, to ensure a complete list of risks is created.
• Use the scoring system to assess each risk for probability and impact. Ensure the team gain a thorough understanding of where, how and when the risks may impact the project objectives. Most risks do not have single value deterministic impacts. It is good practice for the team to discuss and capture the impact in terms of a max, most likely and min value. This will aid improved understanding, allowing incorporation into the various functional risk analysis work and to determine the overall project value. However the max impact should be assumed in the scoring to ensure the potential significance of the risk is not underestimated. Using the impact scoring scale the different types of impacts (eg capex, schedule, opex, production etc) can be assessed and compared on a common basis.
• Plot the risk scores on a Probability vs Impact Grid (PIG) to generate outputs that clearly demonstrate the major risks. Projects can also choose to make an initial assessment of manageability using an agreed qualitative score such as High, Medium and Low. However, manageability can only truly be demonstrated by developing and implementing effective response plans. Assessing manageability is therefore not considered an essential step in the workshop process and is best left until response plans have been developed.
• Don't leave the workshop without every risk and every action having an owner (preferably someone who is present) and a timeline for completing the action.
• It is unlikely that there will be time in the workshop to develop risk responses. Dates should be agreed with risk owners to develop the responses. If access to the peer challengers will be difficult after the event you may choose to capture their input to some outline response plans.
• Capture all the risk information in the Project Risk Register and ensure appropriate reports can be generated focussing on the most important risks (opportunities and threats).
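The scoring and plotting steps of the workshop can be run mechanically over a register: score probability and the max of the three-point impact on the agreed scale, read the rating from the grid for the pre-response and post-response estimates, and list what must go to formal acceptance. The Python below is an added example, not part of the BP guideline; it uses the example scales of figures 6 and 7 (NPV column only) and the figure 8 grid from attachment 2, and the project NPV, the three sample threats and the handling of values that fall exactly on a band edge are assumptions.

```python
from dataclasses import dataclass

PROBABILITY = ["Very Low", "Low", "Medium", "High"]          # figure 6 scale
RATING = ["Very Low", "Low", "Medium", "High", "Very High"]  # figure 8 ratings
# Figure 8: impact row -> rating per probability column (Very Low .. High).
GRID = {
    "Very High": ["Medium", "High", "Very High", "Very High"],
    "High": ["Low", "Medium", "High", "Very High"],
    "Medium": ["Very Low", "Low", "Medium", "High"],
    "Low": ["Very Low", "Very Low", "Low", "Medium"],
}

@dataclass
class Estimate:
    probability: float  # chance of occurrence, 0..1
    impact: tuple       # NPV loss in $M as (min, most likely, max)

@dataclass
class Threat:
    risk_id: str
    pre: Estimate   # before risk responses
    post: Estimate  # after risk responses

def probability_level(p):
    """Figure 6 bands; exactly 5% or 1% goes to the higher band (assumption)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    if p > 0.25:
        return "High"
    if p >= 0.05:
        return "Medium"
    if p >= 0.01:
        return "Low"
    return "Very Low"

def impact_level(npv_loss, project_npv):
    """Figure 7 NPV column; exactly 10% goes to the higher band (assumption)."""
    if project_npv <= 0 or npv_loss < 0:
        raise ValueError("expected a positive project NPV and a non-negative loss")
    share = npv_loss / project_npv
    if share > 0.50:
        return "Very High"
    if share >= 0.10:
        return "High"
    if share >= 0.02:
        return "Medium"
    return "Low"

def rate(estimate, project_npv):
    """Score on the max of the three-point impact, then read the figure 8 grid."""
    impact = impact_level(max(estimate.impact), project_npv)
    column = PROBABILITY.index(probability_level(estimate.probability))
    return GRID[impact][column]

def assess(threat, project_npv):
    """Pre/post ratings, levels removed by the response, and the acceptance flag."""
    pre, post = rate(threat.pre, project_npv), rate(threat.post, project_npv)
    return {
        "id": threat.risk_id,
        "pre": pre,
        "post": post,
        "levels_reduced": RATING.index(pre) - RATING.index(post),
        "needs_acceptance": post in ("High", "Very High"),
    }

def acceptance_list(register, project_npv):
    return [t.risk_id for t in register if assess(t, project_npv)["needs_acceptance"]]

# Constructed sample data, not taken from the guideline.
PROJECT_NPV = 500.0  # $M
REGISTER = [
    Threat("R1", Estimate(0.30, (20, 60, 300)), Estimate(0.10, (5, 20, 40))),
    Threat("R2", Estimate(0.20, (50, 100, 150)), Estimate(0.15, (40, 80, 120))),
    Threat("R3", Estimate(0.03, (1, 4, 8)), Estimate(0.005, (1, 4, 8))),
]

if __name__ == "__main__":
    print("formal acceptance needed:", acceptance_list(REGISTER, PROJECT_NPV))
```

R1 drops two rating levels after its response, which is the pre/post evidence of manageability the guideline describes, while R2 stays High and is the one that goes to management for acceptance.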

attachment 4
risk register

Every project, from a minor site modification to a multi-billion dollar development, must have a risk register.

They can range widely in complexity and special features, but all will include:
• A description of each risk.
• A measure or rating of its importance.
• Action(s) planned in response to it.

Figure 10 contains the recommended data fields that should be included in the Project Risk Register. The table shows minimum and good practice expectation levels with increasing granularity as the complexity and/or value of the project increases.

The risk register should be held on a software environment that is appropriate. As a minimum this would comprise an Excel spreadsheet and good practice would be to use a database.

There is significant benefit in using a database tool, which will facilitate filtering and reporting and, most importantly, sharing across the team and with other projects. As stated in this document risk management is most effective when risk is communicated widely and teams are actively engaged.

Use of a standard approach provides the added advantage that people are already familiar with the tools and process to be used as they move from project to project. Using a common field format will enable risk data to be captured as part of corporate memory allowing easier data mining and transfer of lessons learned eg what are the typical risks faced by a DWD project and what risk treatments have proved to be successful.

For additional guidance on risk registers visit the Risk Forum website http://risk.bpweb.bp.com

figure 10 risk register - recommended level of detail

Major Project E&P > $100m; Other Segments > $10m | Minimum | Better Practice

General Information
  Risk ID
  Risk Title
  Risk Status (active, dormant, accepted, closed)
  Risk Status Agreed by
  Risk Status Date
  Risk Owner
  Risk Owning Organisation
  Project Area/WBS reference
  Risk Description/Type
  Potential Causes
  Risk Trigger Dates
  Risk Consequences
  Associated Risks
  Risk Identified by
  Date identified

Assessment Information
  Pre Risk Response Probability
  Impact Type eg Cost, Schedule etc
  Impact - Semi-Quantitative (eg VH/H/M/L) on defined scale
  Impact - Quantitative 3 Point Estimate
  Post Risk Response Probability
  Impact - Semi-Quantitative (eg VH/H/M/L) on defined scale
  Impact - Quantitative 3 Point Estimate
  Manageability

Risk Response Information
  Response Actions - Description
  Response Actions - Owner
  Response Actions - Status (closed, ongoing, not started)
  Response Actions - Start Date
  Response Actions - Planned Completion Date
  Response Actions - Actual Completion Date
  Response Actions - Action Cost

Acceptance
  Risk (Response Plan) Accepted by
  Risk (Response Plan) Accepted Date

Close-out
  Learnings (what actually happened)

Most Recent Review Date

Audit trail of all Reviews/Changes to Risk Register

attachment 5
risk reporting

During the Initiate phase it is important to agree with Stakeholders the type and frequency of reporting required. There are many types of output that can be generated from risk data; this attachment considers a few standard plots that some projects have found helpful.

Qualitative Reports

Probability Impact Grid (PIG) This plots probability of occurrence against risk impact. This is shown as a 4x4 grid with the lowest probability and impact in the bottom left (see figure 11). Plotting both pre and post response values of each risk is a good way of visualising the effectiveness of risk response plans. Threats should have response plans to reduce their importance by reducing probability and/or impact, whereas opportunities have response plans which increase their probability and/or impact. Opportunities that, pre or post response implementation, sit in the top right of the grid should receive priority for project resources. Threats which sit in the top right and can be moved significantly towards the bottom left, post response, should also receive priority. Threats which remain in the top right and don't respond to treatment are potential causes of project wrecks. These should be highlighted to senior management and taken into account in any decision to progress the project.

figure 11 probability impact grid
[Plot: risks 1 to 9, marked as threats or opportunities with pre-response and post-response positions, on a grid of Impact (Low, Medium, High, Very High) against Probability (Very Low, Low, Medium, High).]

Boston Grid This plots risk rating (probability x impact) against manageability. This is shown as a 5x3 grid with the least important and highest manageability risks in the bottom right and the most important and lowest manageability in the top left (see figure 12). The colour coding reflects the risk rating as determined solely by probability x impact. The manageability of a risk should not influence the project view of its importance. However, the most challenging risks to treat are those whose impact and probability of occurrence is high and for which it is difficult to create effective response plans. The impact of risks can be highlighted by plotting them as circles of varying size depending on their value. Risk response progress can be shown on this type of chart by showing pre and post-response markers. Changes to the manageability rating can be achieved by creating more effective or additional response plans. Successful threat response plans move the risk vertically from high to low and vice versa for opportunities. The goal is to move all the threats to the bottom right and the opportunities to the top right.

figure 12 boston grid
[Plot: risks 1 to 9, marked as threats or opportunities with pre-response and post-response positions, on a grid of Risk Rating (Very Low, Low, Medium, High, Very High) against Manageability (Low: Outside Influence; Medium: Within Influence; High: Within Control).]

Quantitative Reports

Other useful plots are those produced from quantitative risk analysis (eg Monte Carlo analysis) often produced by the functions (Sub-surface, Drilling & Completions, Cost and Schedule etc).

The S Curve (Cumulative Frequency Plot) This plot comes in two main variants: (1) building up from the left, addresses "What is my confidence of not exceeding a number"; an example of this is the output from Brisk for capex; (2) building up from the right addresses "What is my confidence that I will get at least that number"; an example of this would be hydrocarbon resource estimates.

figure 13 cumulative frequency curves
[Two cumulative frequency plots.]
Left plot: In this case, we can say that we have about a 65% chance of getting up to 400 (including 0).
Right plot: In this case, we can say that we have about a 45% chance of getting at least 550 or more.

It is conventional to highlight the expected value (mean), P10 and P90 values. The P10 to P90 range is a useful expression of the uncertainty of the outcome.

Tornado Plot

This plot illustrates which risks and uncertainties are the major contributors to variance in the project outcome. The Tornado plot is derived from the same analysis as the S curve.

Figure 14 pictures an S curve of project NPV, accompanied by a tornado plot of the key uncertainties.

To understand how these plots are created and how to perform the underlying analysis, attendance on one of the recognised risk courses is recommended. Further information is given on the Risk Forum website http://risk.bpweb.bp.com

figure 14 project risk summary
[Plot: S curve of NPV ($m) with P90=22, Mean=121, P10=258, above a tornado plot.]
Uncertainties (P10/90)
  Oil price ($20): 15, 25
  Reserves (825 mmbbl): 460, 1515
  Capex ($230m): 297, 206
  1st Oil (10/06): 02/07, 07/06
Principal Risks & Opportunities
  Primary export route unavailable: P=20%
  Gas re-injection facilities required: P=25%
  Lower sand proven commercial: P=15%

attachment 6
risk categorisation

Risk categorisation provides the structure to ensure that risks are identified and described systematically and to a consistent level of detail. This categorisation is often referred to as a Risk Breakdown Structure (RBS). It should be used to prompt holistic risk identification in Risk workshops.

Each risk in the risk register should be mapped against the project Work Breakdown Structure and also categorised against the Risk Breakdown Structure. This will facilitate sorting of the risks for reporting purposes across the project and for communication to the different functional team members. Whereas each project may have a different WBS, the RBS should be common across projects enabling sharing of risk information between teams/projects/BUs. This will also facilitate the gathering of risk information into a central library so that projects can understand how others have successfully treated similar types of risks.

The standard list to be used for categorisation is given below.

Country Issues | C0
Experience of operating in province | C1
Political stability | C2
Security of Proprietary Information | C3
Currency Risk (versus US $) | C4
Fiscal policy/tax etc | C5
Safety & security of personnel (including UXO) | C6
Regulatory Environment (Federal & local) | C7
Local culture (including Ecology & Indigenous Mix) | C8
Employment/Local sourcing expectations | C9
Infrastructure | C10
Group Reputation | C11
Ethical conduct | C12
Expropriation/Revenue Security | C13

Markets/Commercial Context | E0
Partner (including State Partner) Alignment | E1
Partner Funding Constraints | E2
Development of product markets (absolute & Market share) | E3
Sources of Value Complexity (eg Integration optimisation) | E4
Feedstock & Product values | E5
Product Differentials | E6
Managing Executive Management Performance Expectations | E7
Brand Issues | E8
Competitive threats to economic success | E9
Feedstock availability/Product Offtake Agreements | E10
Terms Uncertainty | E11

Health, Safety, Security & Environment | H0
Safety of design | H1
Emissions/Spills | H2
Environmental sensitivities | H3
Waste management | H4
Differing Partner Standards | H5
Health Sensitivities | H6
Construction Safety | H7

Technical Challenge | T0
Sub-surface delineation/complexity | T1
Recovery Factor | T2
GOR/GCR/Water Production/Fluid Injection | T3
Reservoir Fluids characteristics | T4
Well Productivity | T5
Terrain/Topography/Water Depth | T6
Seismology/Soil/Met Ocean conditions | T7
Facilities Concept (choice/know how/stretch) | T8
Drilling Complexity | T9
Completions Complexity | T10
Mid-Stream/Export | T11

Project Definition & Execution complexity | X0
Availability of Key skills | X1
Early Team Alignment (including Partner staff) | X2
Modification/Revamp content | X3
Scheduling Basis risk (to Beneficial production) | X4
Estimating Basis Risk | X5
Work fronts/Key interfaces | X6
Quality of design basis/definition | X7
Remoteness/Access/Logistics complexity | X8
Climatic/Weather Windows | X9
Contractor/vendor sourcing | X10
Rig/Installation Vessels Availability | X11
Labour Market | X12
Project Strategy Development | X13

Operability/Production Ramp-up | Y0
Availability of experienced Operations staff | Y1
Operating cost risk | Y2
Systems availability (eg Plant/Export/Wells) | Y3
Level of New Technology Equipment Items | Y4
Sparing Philosophy (critical items) | Y5
Operability of design | Y6
Technical Integrity (including QA/QC) | Y7
Decommissioning philosophy | Y8
Planned rate of Ramp-up | Y9
