Risk Analysis

Risk and uncertainty affect projects throughout planning, procurement, delivery and operation. It is important to test the robustness of proposed projects by understanding how they will perform under different conditions that may eventuate. In particular, infrastructure projects need to have budgets that allow for the possibility of negative outcomes, through appropriate contingency allowances.

The Project Team is required to identify project risks initially within Stage 1 – Develop of the Capital Framework, documenting these risks in a preliminary Risk Register. The Project Team should continue to develop the Risk Register, add any other project risks it identifies and then analyse, quantify and allocate all risks within Stage 2 – Prove of the Capital Framework as part of developing the project and its Business Case. The Project Team must then develop an appropriate contingency allowance to include within the cost estimates, based on the quantified risks.

The Project Team must also review, update and maintain the Risk Register, and associated contingency allowances, throughout the remainder of the Infrastructure Investment Lifecycle. This is a critical activity as risk Consequences and/or Likelihoods may change over the life of the project or additional risks may become apparent.

The Capital Framework process

Overview of the Capital Framework and the key questions, activities and documents of each stage. The risk analysis process is undertaken throughout Stages 1-5 of the Infrastructure Investment Lifecycle, however it is primarily detailed within the Business Case in Stage 2 - Prove. The Business Case (for a project, program or a precinct) sits within Stage 2 - Prove of the Capital Framework and helps to answer the key questions of this stage: "What is the recommended project option? How well does it meet the service need, align with Government policy and optimise the balance between risk, benefits and cost? What is the proposed scope, budget and timeline?"

Tier requirements

The Project Team should undertake the risk analysis process documented in these Guidelines for projects in all three Tiers, to the level of detail appropriate for the project’s Tier. However, the risk quantification methodology used by the Project Team depends on the project’s Tier.

For Tier 1 projects, the Project Team should quantify risks using stochastic techniques⁠ (Footnote: A method of determining contingency in which the contingency is estimated using a probabilistic method based on the expected Consequence (cost and delay) and Likelihood of each risk, as the approach to developing contingency allowance Table describes. ) based on quantifications of the Consequences of risk events and of their Likelihoods (probabilities) of occurrence, in order to develop a project contingency allowance. The Project Team should develop a contingency allowance for each shortlisted project option. It is likely that the Project Team will be able to use much of the analysis for the recommended project option to estimate the contingency allowances for the other shortlisted project options.

For Tier 2 projects, the Project Team is also recommended to quantify risks using stochastic techniques. However, the Project Team should tailor the approach to suit the requirements of the project. Projects that are ‘Business-as-Usual’ may instead elect to use a deterministic⁠ (Footnote: A method of determining contingency in which it is estimated as a predetermined percentage of the base estimate, as the approach to developing contingency allowance Table describes. ) approach if there are good data on project cost outturns compared to budget for similar projects. If the Project Team wishes to use a deterministic method to quantify risks, the team should discuss this with iCBR, FABG and ICA during the Early Presentation of Project.

For Tier 3 projects, the Project Team normally can quantify risks using deterministic techniques.

For Programs and Precincts, the Project Team must undertake the risk analysis process documented in these Guidelines for the full Program or Precinct, including the development of a Risk Register. The Project Team should discuss the method to develop contingency allowances for the Program and Precinct with iCBR, FABG and ICA.

Purpose of this section

The purpose of this section is to provide guidance on the robust risk analysis process that the Project Team should undertake in the development of a Business Case. It provides information to support the Project Team to identify, analyse, quantify, allocate, document and review risks.

Objectives of risk analysis

Risk analysis is critical for all investments. The primary purpose of risk analysis is to identify and assess the risks and uncertainties that are associated with a project, understand how they may affect the outcomes, and apply risk management strategies to reduce or manage their Impact.

The key objectives of the risk analysis process are to:

  • Identify the risks that could arise during a project’s lifecycle, through planning, design, procurement, construction, operations, maintenance and decommissioning, which could prevent the project from delivering its objectives
  • Identify the Consequences should the risks eventuate (including on the project’s timelines, costs and quality) and the Likelihood of each Consequence occurring
  • Establish Controls and/or Treatments to manage, modify or reduce the Consequence and/or Likelihood of each risk
  • Quantify the contingency allowance (both cost and time) to be included in the capital cost and whole-of-life cost estimates and timeline, so as to be able to develop a proposed project budget that has a high level of confidence attached to it.

Hazards are future events that may affect the project and result in different outcomes than predicted. These outcomes are often expressed in terms of cost, time and quality but hazards may also affect other outcomes such as work health and safety issues, environmental impacts, cultural and heritage impacts, reputational impacts, breach of legislation or regulations, or failure to deliver critical services.⁠ (Footnote: Refer to the ACTIA Risk Matrix for additional risk Consequences which may affect project objectives (including implicit objectives). )

Risks are hazards that have probabilities of occurrence that are predictable and outcomes that can be estimated with some confidence.⁠ (Footnote: As defined by Infrastructure Australia Guide to risk and uncertainty analysis ) Risk is usually expressed in terms of risk sources, resulting risk events, their Consequences (including impacts on cost, time, quality, reputation, work health and safety, etc.) and their Likelihoods of occurring.

The risk source is an element that, alone or in combination, has the potential to give rise to a risk event.⁠ (Footnote: As defined by the AS ISO 31000:2018 Risk management – Guidelines ) The risk source differs from the risk itself in that it represents the underlying set of circumstances or factors that give rise to the possibility of the risk occurring.

Risk events are the occurrences of risks, the consequence of which could affect the project in achieving its objectives (including implicit objectives such as those outlined above), at least in part. For example, a risk source may be unknown contamination on a project site, and the risk would be contamination being identified on the project site. The risk event is the occurrence of contamination requiring remediation as part of the project.

Consequences describe the outcome of a risk affecting project objectives,⁠ (Footnote: As defined by the AS ISO 31000:2018 Risk management – Guidelines ) such as a delay, a cost increase, a reduction in the quality or functionality of the project, or other implicit objectives such as those outlined above. A Consequence can be certain or uncertain and can have positive or negative and direct or indirect effects on project objectives.

The Project Team should not draft risks as Consequences, but rather should draft risks as events that result in Consequences. For example, the Project Team should not state a risk in the form ‘the risk that project costs are higher than anticipated’. The Project Team should frame the risk as the risk event that leads to the Consequence of higher costs. Following from the example above, the risk event is that contamination is identified on the project site. This risk may have a Consequence of a delay to construction and/or an increase in the project cost if additional remediation works are required to be undertaken. Refer to Example Consequence rating system table for an example Consequence rating system.

Particular Consequences may themselves be subject to risk. For example, it may not be realistic to specify the likely cost to rectify the impact of a risk event occurring as a single number. Instead, the Project Team should specify a probability distribution of possible costs, as described further in the Approach to developing contingency allowances table.

Likelihood is the chance (or probability) of the Consequences of a risk event occurring.⁠ (Footnote: As defined by the AS ISO 31000:2018 Risk management – Guidelines. ) Refer to the Example Likelihood rating system table.

Impact is the assessed effect of the risk on the objectives of the project (including the implicit objectives outlined above), based on its Consequence and Likelihood. Refer to the Risk Impact matrix table.

Controls and Treatments are measures that manage and/or modify the Consequenceand/or Likelihood of the risk. ⁠ (Footnote: As defined by the AS ISO 31000:2018 Risk management – Guidelines. ) Controls are agreed actions or measures that are currently in place, such as processes, policies and practices to modify the Consequence and/or the Likelihood of the risk.⁠ (Footnote: As defined by the ACT Government Risk Management Policy. ) Treatments are agreed actions or measures that need to be taken, such as processes, policies and practices to modify the Consequence and/or Likelihood of the risk.

Controls and Treatments generally have two forms: ‘preventative’ or ‘corrective’. Preventative measures are proactive and reduce the Likelihood of a risk occurring. Corrective measures are designed to restore a process, system, place or attribute back to the original state after a risk event has taken place, and therefore reduce the Consequence of the risk.

Uncertainties are hazards where outcomes (Consequences) and probabilities of occurrence (Likelihood) are difficult to predict, and are challenging to quantify.⁠ (Footnote: As defined by Infrastructure Australia, Guide to risk and uncertainty analysis. ) These uncertainties generally describe a risk event or change in conditions driven by external factors beyond the control of the Project Team or the private sector Contractor that are difficult to mitigate (though some mitigation may be possible). The Impacts of these events are uncertain, and the Project Team should qualitatively analyse and document these uncertainties. There is also the possibility that the Project Team will not have identified hazards that subsequently occur and affect the project in terms of its objectives. In this circumstance the hazard is also known as an uncertainty.The Project Team should not include these events within the contingency allowance of the expected project cost and whole-of-life cost estimates.

If an uncertainty is realised, it can invalidate the assumptions underlying the investment decision and influence the continued need for the investment. This type of uncertainty can be a significant issue and one objective of risk analysis is to reduce and, to the extent possible, remove the chance that there are any significant unknown events. Such events could include unpredictable climate changes, sudden global systemic shifts (such as a global financial crisis or a pandemic) or future policy changes. Sometimes, investigation or analysis of an uncertainty can enable it to be considered a risk and therefore quantified. For example, if there are uncertainties surrounding conditions at a particular site, the Likelihood of the hazard relating to them occurring can be reduced by a site investigation. The extent of the investigation can further clarify the Likelihood of a risk event (such as poor ground conditions being encountered) — but, until the site is fully excavated, there is still no absolute certainty.

In seeking to mitigate (reduce the Consequence and Likelihood of) risks and uncertainties using Controls and Treatments, the Project Team must consider and appropriately balance the trade-off between the cost of further detailed investigations and the Impact of the related risk.

Risk analysis is quantitative and qualitative. Quantitative assessment of risk involves both the estimate of the Consequences of a risk event occurring (for example, the likely cost to rectify the Impact or a delay to the timeline) and the Likelihood of those Consequences occurring. Uncertainties that have Consequences and Likelihoods that are difficult to predict or quantify should be analysed and documented qualitatively as part of the risk analysis process.

Further information on risk can be found on the ACT Government Intranet in the ACT Insurance Authority (ACTIA) Risk Matrix and the ACT Government Risk Management Policy. Further information can also be found in the relevant Australian Standards with individual access (AS ISO 31000:2018 and AS/NZS IEC 31010:2020).

Interdependencies

These Risk Analysis Guidelines have interdependencies with other activities undertaken by the Project Team in the development of the Business Case. The Project Team should consider these interdependencies, which are outlined in the table below.

Interdependencies with Business Case chapters

Business Case chapter

Relevance

Options Analysis

The Options Analysis section identifies the project options that will be analysed in this section.

Project Scope

The Project Team will need to determine the scope of the recommended project option to identify and analyse risks and, as a result, the appropriate level of contingency allowance.

Delivery Model Analysis

The Delivery Model Analysis informs the allocation of risks between Government and the private sector during the project’s planning.

For Integrated delivery models, more information can be found in the Guidelines for Public Private Partnerships.

Financial Analysis

The Project Team must develop the expected project capital cost and whole-of-life cost estimates for the project option(s), which must include contingency allowances. The process of quantifying risk to determine these allowances is described in these Risk Analysis Guidelines.

Other resources

In addition to these Guidelines, the Project Team should refer to the following documents on risk management processes. Some of these documents are available through the Government intranet:

Footnotes: