Engaging the Supply Chain in Risk Management

Document type: Micro-report
Author: Rob Halstead
Publication Date: 14/03/2017

  • Abstract

    Managing risk and uncertainty was identified as being a critical element from the start of the Crossrail project. The size, complexity, nature of the works, and ‘thin client’ operating model resulted in a requirement to extend risk management into the supply chain. This paper describes the process of doing this, along with the lessons learned, and will be of interest to any organisation designing risk management processes in the context of delivery models.

  • Read the full document


    From an early stage of the project, managing risk and uncertainty was identified as being critical to the successful delivery of Crossrail.

    The size and technical complexity of the project, combined with a high level of scrutiny from stakeholders required the implementation of a strategy to extend risk management throughout the supply chain into what is truly an ‘extended enterprise’. Crossrail did this by working with the supply chain and incorporating risk factors into the contracts. It also extended risk management to the supply chain through collaborative engagement with the main contractor teams to work together to increase risk management capability.

    Working with the Supply Chain

    During the procurement phase, Crossrail recognised the need to extend risk management across the supply chain and to ensure that this requirement was included in all main delivery contracts. There were three main drivers for this:

    1. It was recognised as good management

    Many of the programme’s critical risks – particularly those associated with the safe delivery of complex construction works to cost, time and quality targets – were best managed throughout the project organisation and down to site level.

    Crossrail’s project insurance was dependent on risk management being active and embedded within the day to day management of the job. Under the Joint Code of Practice for Risk Management of Tunnelling Works in the UK (JCOP)[1] , drawn up by the British Tunnelling Society and the Association of British Insurers, Crossrail and its Supply Chain are required to have put in place a formal risk management process and to able to provide evidence that this is working and effective.

    1. It was part of Crossrail’s model of efficient delivery

    Crossrail was configured as a lean client with an emphasis on contractor engagement. At its peak the programme had more than 60 live delivery projects with over 130 individual contracts. Main works contracts ranged from £5m to £500m. Success of the programme as a whole was reliant on a strong and capable supply chain to share the management workload.

    1. Risk management was seen as a collaborative tool

    Risk management is fundamentally a collaborative tool, based on the principles of open and honest information sharing and a focus on identifying and solving problems. The objectives of risk management: to support delivery; provide assurance; and inform decision making work equally well across different organisations as within them.  The tools of risk management including risk reviews and workshops can therefore be employed to build collaborative behaviours across mixed teams.

    The contractual relationship allocates specific categories of risk between the client and contractor, but active management of risk can provide a win – win outcome for both parties. Managing risk makes sense to the client, but it also benefits contractors by improving performance, reducing unforeseen costs, improving profits and helping to build a reputation for successful delivery.

    Risk Management in the Supply Chain

    Crossrail’s approach to extending risk management into the supply chain has three parts:

    • to mandate a consistent deployment of risk management into Tier 1 contracts
    • to engage and work with the contractor teams to develop their capability beyond the minimum requirements to the benefit of both parties
    • to monitor risk management effectiveness through the performance assurance process.
    Consistent Deployment

    Crossrail used the NEC3 form of contract which states that the parties shall act ‘in a spirit of mutual trust and co-operation’. The risk management process promotes this collaboration, enabling uncertainty, risk and opportunities to be managed together. Crossrail’s specific contract conditions for risk management required contractors to:

    • Nominate a suitably qualified Risk Manager
    • Develop a Risk Management Plan (References Crossrail’s Risk Management principles)
    • Develop a register of Significant Risks (The Contractor Risk Log)
    • Discuss risk with Client Project Manager (Regular reviews established between Project Managers)
    • Support Crossrail Cost and Schedule Risk Assessments.(Crossrail’s QRA procedure details complete procedure)

    Crossrail also mandated the use of a shared Risk Management database ‘Active Risk Manager’ (ARM) so that risks were visible and consistently captured across the programme.


    Figure 1 – Critical elements to supply chain risk management

    An industry press article on Crossrail’s use of this system, “Crossrail lowers risk through universal management system”, expands on how the process was used.

    Developing Risk Management Capability

    Crossrail’s risk team worked closely with the nominated risk leads from contractor organisations to share an understanding of key risks and mitigations, support communication and training to the contractor team and facilitate contractor use of Crossrail’s ARM database.

    Crossrail has also facilitated a number of forums to bring contractor risk managers together to improve communication between the parties and to share best practice. These forums were successful in explaining the rationale for and improving engagement across the supply chain and also allowed the sharing of new and emerging risks.

    Performance Assurance

    Under its Performance Assurance Framework, Crossrail implemented a process to engage with its supply chain in order to develop contractor capability across a range of disciplines. Within this, a matrix of Risk Management Maturity was developed to understand the capability of each contractor organisation and regular 360 degree reviews are undertaken to identify areas where improvements can be made and best practices shared. The objective was to progress the supply chain from a starting point of ‘contractual compliance’ to a performance recognisable as ‘world class’. The Performance Assurance Framework and Commercial Assurance learning legacy papers provide more information on how this was implemented.


    Crossrail successfully extended risk management into the supply chain, relying not only on the specific requirements included the contract, but also on active engagement and support to enable supply chain organisations to develop their capability together.

    Key Lessons and recommendations

    • Risk management should be seen as a collaborative process, utilising the skills and expertise of all parties to manage and mitigate risk
    • Risks should be owned by the organisation most able to manage the risk. This should be clearly documented in contractual information
    • The approach to risk management should align to the delivery model, and be supported by clear policies, processes, procedures and systems to enable consistency
    • Process maturity reviews should be used to drive performance improvement through collaboration and knowledge sharing

    [1] Joint Code of Practice for Risk Management of Tunnelling Works in the UK (JCOP)  [online], available at https://www.britishtunnelling.org.uk/?sitecontentid=881C32EC-21C8-41A9-8B7A-F8D530E7987E

  • Authors

    Photo of Rob Halstead

    Rob Halstead - Turner & Townsend

    Rob Halstead was Head of Risk Management for Crossrail from 2009 to 2016. During that period he led the development and implementation of a comprehensive risk management framework, developing the policy, process, systems and tools required to effectively manage risk on this infrastructure mega-project. He is now a Director of Turner & Townsend Infrastructure.

    Prior to joining Crossrail, Rob worked in various risk management roles at London Underground and Network Rail. Rob has an engineering background, is a member of the Institute of Risk Management and a regular contributor on risk management and quantitative risk assessment and its use in the financial appraisal of major projects.