Implementing Risk Management at Crossrail

Document type: Case Study
Author: Nikki Underwood
Publication Date: 13/03/2018

  • Abstract

    The robust management of risk has played a significant part in the delivery of Crossrail. This case study explains the approach to risk management that was adopted, the rationale behind it and the outcomes that were experienced. It covers all aspects of risk management in Crossrail and how risk management was integrated into the different areas of the Crossrail organisation. It covers from the start of the project implementation phase in 2009 to part way through testing and commissioning in January 2018 when the project was approximately 90% complete.
    It would be of interest to any major programme or project professionals looking to develop, implement or change risk management within their organisation.

  • Read the full document

    1. Introduction

    The robust management of risk has played a significant part in the delivery of Crossrail. This case study explains the approaches that were adopted, the rationale behind them and the outcomes that were experienced. It covers from the start of the project implementation phase in 2009 to part way through testing and commissioning in January 2018 when the project is approximately 90% complete.
    Risk management has taken some tried and tested methods applied previously as well as several relatively, (for large UK projects), new ones. In the main the new methods have brought about significant benefits, although in a few cases there have been unintended consequences.
    At all times, the implementation of risk management has maintained a simple message – that consideration of risk requires three simple steps: Identify, Assess and Respond – and that managing risk is a day job activity.

    2. Background of UK Major Projects – Lessons for Crossrail

    In the late 20th and early 21st century UK client organisations did not have a record of success in delivering major projects. In terms of rail and tunnelling projects there were a number of notable examples:

    • Jubilee Line Extension – significantly over cost and time; amongst the root causes – a poor understanding of integration risks between contractors.
    • West Coast Route Modernisation – significant cost and time over runs in the initial phase, despite de-scoping.
    • Heathrow Express Rail Link – delivered late and over-cost; a Health and Safety Executive report concluded that managers ‘overlooked risk’ concerning the use of Sprayed Concrete Lining.
    • The Channel Tunnel – 80% over budget and 20% longer than planned; scope change a particular issue.

    Where risk management had been applied to UK major projects it was often sporadic, with risk management gaining favour only for it to be marginalised as project priorities or personnel changed. Because of examples such as the Channel Tunnel, cost over-runs were generally regarded as more of a concern by government and the media than time delays.
    In all four examples above cost increases occurred after the letting of construction contracts. The implication being that the Optimism Bias mechanism of project promoters deliberately under-estimating costs was not the cause. This lesson implied that it was important that Crossrail not only had a good understanding of costs when agreeing funding, but also needed thorough cost control through the life of the project.
    Hence there were clear lessons to show that Crossrail needed to adopt a number of approaches covering procurement, cost monitoring, value management and risk management. This document covers risk management.

    3. Background to Crossrail Implementation

    The Project Development Agreement

    The Project Development Agreement (PDA), between the Joint Sponsors and the Client organisation Crossrail Limited (CRL) acknowledged the level of uncertainty associated with delivering a project of this level of complexity and scale, and established a requirement to report the Anticipated Final CRL Direct Cost (AFCDC) at a number of different confidence levels.
    The funding limit was established at the 95th percentile confidence level of the AFCDC (P95 AFCDC),  which itself was an output of the cost risk analysis that had been carried out prior to the start of implementation.

    Delivery Contracts

    Contracts were let to Tier 1 contractors to deliver individual aspects of the project. Predominately these were engineering and construction target price contracts with performance payments based around quality and on-time delivery.
    The Project Delivery team is currently organised around key sectors e.g. Civils, Stations, Utilities & Logistics, and Systemwide. In the earlier years, for simplicity of contract scaling, the project was organised into areas; West, Central and East. During the tunnelling phase of the project, when the heavy civils aspect of the stations was being built, the interfaces between each sector or area was limited, or if they did overlap then the demarcation was very clear. As the project moved into fitting out of the tunnels and stations, major interfaces between Stations and Systemwide contracts have developed. For instance at each new station several rooms have been constructed by the station contractor, for the Systemwide contractors to fit out with signalling equipment. Post installation of systems equipment then stations and systems contractors needed to integrate testing and commissioning. There is also a significant interface between Systemwide and the Rolling Stock and depot contract, (procured by Transport for London), especially as there is in-cab signalling.

    4. Overall Approach to CRL Risk Management

    Crossrail implemented risk management using a number of standard approaches applied to other major projects in the UK. In particular-

    1. Project specific processes and procedures developed, with a risk tool suitably configured.
    2. Risk ownership determined by who (both organisation and individual) was best placed to mitigate the risk.
    3. Dedicated risk management team to manage the process and to ensure compliance.
    4. Regular quantification of overall risk picture.

    Five key differences between CRL and the typical UK major programme risk management approach are set out below in the following sections: Governance, Process, Organisation and Culture, Risk Management Tools and Reporting and Analysis.


    Figure 1 –  Key Events in Risk Management


    5. Governance

    Risk Sub-Committee

    The Crossrail Board has delegated to the Risk Sub-Committee (RSC) the task of reviewing the implementation and performance of risk management as well as areas of specific risk. The RSC was formed in early 2010. It is chaired by the Finance Director and attended by the Programme Director, Commercial Director and Programme Controls Director as well as representatives from across the programme. The RSC meets every four weeks as part of the Crossrail’s governance calendar, with support provided by the Board Secretariat. By giving risk management the platform of the RSC, effective Director level focus has always been maintained on risk, with the Secretariat there to ensure that an effective agenda, minutes and follow up of actions are in place.
    By gaining agreement to specific policies and initiatives from the RSC it means that their roll-out is smoother.
    The RSC conducted a risk maturity self-assessment with input from across the organisation in 2010. This was carried out against the Alarm Risk Maturity Model[1], which was at the time, the model preferred by Transport for London, Crossrail’s parent company and Sponsor. This assessed the organisation as Level 1 Risk Naïve/ Level 2 Risk Aware and identified a number of areas to target in order to raise maturity to Level 4 Risk Managed/ Level 5 Risk Enabled / Driving. The following diagram illustrates the levels of risk maturity.

    Figure 2 – Risk Maturity Levels

    The actions to raise maturity were carried out (many of which are covered in this case study). A number of further self-assessments were carried out – the last one in 2016 which confirmed a rating of Level 4/5 (white circles in the figure below) :

    Figure 3 –  Risk Maturity Assessment 2016

    Key Risk Concept

    An important initiative overseen by the RSC is Key Risks. These were introduced in 2012 in order to further drive the effectiveness of risk management, and to provide a demonstrable reduction in exposure to risks. These risks are selected in conjunction with Project Managers and Area/Sector Directors based on risk severity score and whether significant mitigation can be achieved within the financial year.
    Crossrail has a discrete set of approximately 100 ‘key risks’ which are monitored throughout the year. Risk owners individually commit to improving the assessed position of a subset of risks within their control and declare post mitigation targets and fixed end dates against which their performance can be measured. Risk owners are required to report their progress (in 10% increments every four weeks) and progress is monitored and reported widely across the organisation.
    This focus on mitigation targets and fixed end dates proved popular for the project manager audience and moved the focus of risk management from identification and assessment to mitigation and control. The process gave line management better visibility of risk management performance and allowed them to focus on the important risks. Clearly, focus on this defined set of risks has not been allowed to detract from the identification, assessment and mitigation of new and emerging risks, but the consistent focus on a defined set of key risks makes it possible to measure performance consistently across the organisation.
    The process surrounding key risks has significant benefits for the whole organisation as it provides greater clarity and focus. In addition it has enabled the RSC to engage with the risk process at a suitable level – neither rolled up and high-level or, at the other extreme, small scale and detailed.

    Governance Learning Points

    Given the nature of risk governance on many other UK major projects, for Crossrail this is a key area of achievement. The success factors for providing governance to the risk process are:

    1. Ensure Board buy-in to the need for governance.
    2. Governance process needs to cover substantial areas of risk. For instance c.100 very specific risks are likely to be more informative and result in better actions than 10 rolled up risks.
    3. Risk governance to be part of the complete suite of project governance.
    4. Secretariat support helps to ensure compliance at meetings, thorough documentation and follow-up.

    6. Process

    Risk Management Policy and Process

    Crossrail implemented risk management across the programme engaging the whole organisation in the process and informing strategic planning and decision making at the highest level.
    The stated objectives of the risk management approach were:

    1. Supporting Delivery – Risk management is a key component of Project Management. Active identification, assessment and mitigation of risk is key to delivering projects successfully
    2. Providing Assurance – An active and robust approach to managing risk provides valuable assurance to internal and external stakeholders that the project is under control: that the project team understand the key risks and have plans in place to manage them
    3. Informing Decision Making – A good understanding of uncertainty and risk can be used to help the project to make better decisions. Options which superficially carry similar costs and benefits can carry significantly different levels of risk

    Crossrail implemented a comprehensive risk management process which was defined through published documentation:

    • Risk Management Policy : A statement of the organisations commitment to risk management, signed by the Chief Executive and displayed at all Crossrail offices
    • Risk Management Plan : A description of how risk management was implemented into the organisation including roles and responsibilities, process interdependencies, systems and tools
    • Risk Management Procedure : A statement of how risk management process was conducted including definition of terms, process steps, inputs and outputs
    • Other specific procedures describing in more detail the approach that was taken e.g. for Quantitative Risk Assessment

    A Risk Management Strategy was developed which described the implementation of risk management at the start of the delivery phase. This was discontinued once the target level of risk maturity was achieved.

    Figure 4 –  Risk Management Documentation

    The risk process introduced was based on four-weekly reviews and reporting of risks on a qualitative basis. This fundamental understanding of risk informed a quarterly quantitative risk assessment of cost (QCRA), which was developed at the contract level and aggregated across the programme (see further detail in Reporting and Analysis section below).
    A key principle was that risks should be managed by the party best able to mitigate them. Individuals were given accountability for managing the risk in their own areas and ensuring that where necessary, this responsibility was passed onto their teams and suppliers.
    A clear risk framework was established, describing risk in terms of:

    • Strategic
    • Programme
    • Area/Sector (i.e. Sub Programme)
    • Project
    • Contract levels

    The objective was to engage different parts of the organisation in the risk process at the appropriate level, to involve them in the activity of identifying, assessing and managing the risks that they were best placed to manage.

    Figure 5 –  illustrates how risk information is used to engage the organisation

    As on many projects it has, at times, been difficult to integrate cost and time risk information. This may have been partly due to the size of the schedule and the fact that schedule risk was, in the earlier stages of the programme (2009-2015), undertaken by one individual.
    In order to engage the senior leadership in the risk management process, and to satisfy corporate governance requirements, Crossrail developed a strategic risk process This was developed with reference to the StratRisk[2] approach developed by the Actuarial Profession and the Institute of Civil Engineers[3].
    A series of workshops were held with the Crossrail Executive to develop a strategic risk register consisting of around 10 – 12 high level risk areas. These were a combination of both external risks e.g. political, economic threats to the project but also included internal risks such as organisational competency, technical challenge and financial performance.
    By separating and describing a distinct set of strategic risks for example, the process was able to involve and engage the Senior Management and the Board in discussing risks and mitigations that were relevant to their role. Similarly, separating off those risks deemed as Strategic and Programme levels, allowed Project Managers to focus on the risks that they were best placed to manage.
    In this way, the risk process was aligned to the roles and responsibilities of the organisation, and in some cases informed the allocation of responsibilities, where risks were identified which were not obviously owned and managed by any one individual or team.
    Throughout the project regular reviews have been carried out with all Executive Directors. Positive feedback has been received from them regarding the usefulness of these reviews. In many cases new mitigation actions resulted from the reviews. Alongside the risk framework described above, was a set of defined rules for escalation and delegation. This used existing line management channels wherever possible in order to avoid a parallel set of risk discussions and to reinforce the accountability for risk as a core part of the ‘Accountable Manager’ model.
    The Crossrail Board and senior management regularly review the strategic risks to the programme.

    Learning Points for Policy and Process

    The Crossrail approach has been to adopt best practise commonly available elsewhere. The key learning points that are not covered extensively in risk management practise guides are –

    1. On a large project there is value in having a suite of documents – policy, plan, individual procedures. This allows the process to be developed and for each part to be agreed.
    2. A clear framework for the different types of risk – Project, Programme etc. is essential. This needs to be communicated clearly to aid readers of risk information.
    3. The process needs to be written in a manner that will result in the whole organisation engaging in risk management.
    4. A strategic risk process that is appropriate for the nature of the risks has a number of benefits including with respect to engagement.
    5. On a large project there is value in having risk resources that have the ability to undertake Schedule risk analysis. This creates stronger integration with costs associated with schedule delays and a deeper understanding of the mitigations required to deliver the works on time

    7. Organisation and Culture

    This section covers who carried out the risk management activities, accountability for risk management and various cultural aspects (which are usually the most challenging aspects to resolve on most projects).

    Risk Management Organisations

    A central risk management organisation, under a Head of Risk Management, was created, within the Crossrail Finance Directorate. This was principally resourced using staff appointments or individuals working for programme partners. The length of time most of the team were retained on the project meant their expertise grew and it reduced the need to recruit and train replacements.
    Initially the organisation was structured geographically (West, Central and East). In the civils orientated phase of the project this was effective as for Crossrail (like most construction projects) either civils contracts didn’t interface with each other, or if they did, the demarcation was very clear. A change was made in December 2014 when the project reached 60% complete so that the Central Risk Team became based around the new sector organisations as opposed to the old area construction. This provided increased focus on integration. A further change was made in the first half of 2016, when the project reached 73% complete, to adopt a completely centralised approach based on the 5 commissioning stages. This was critical because, in 2015 and 2016, the interfaces between projects increased significantly. Each of these interfaces could pose a risk to the approval to open any one (or more) commissioning stages.
    Each Tier 1 contractor was contractually obliged to appoint a Risk Manager. This was taken into account for sizing the Crossrail central risk team. Without the contractor Risk Managers the team would have needed to be larger.
    Further details on the late stages of the organisation are in the risk strategy late stages document.This includes the de-mobilisation of the risk processes and Central Risk Team.

    Establishing Clear Accountability for Risk Management

    The Tier 1 contractors were, via their Invitations to Tender, given clear instructions on the risk management they needed to perform. Their accountability for management of their risks was set out, along with the need to use the Crossrail Risk Database and to report risks in a specific manner.
    Within Crossrail a key aspect of the risk management approach implemented was the adoption of the principle of the ‘Accountable Manager’.
    The Accountable Manager is the individual who is accountable for delivering the scope (or in some cases, the service) as defined in their objectives. Typically, the key Accountable Managers in the organisation were the Programme Director, Programme Manager and Project Managers who, between them, carried the accountability for delivery of the physical scope of works.
    At the start of the project, there was a need to clarify the point that Accountable Managers were also accountable for managing the risk associated with their objectives. Crossrail employed risk professionals to provide support, but these roles often carried the misleading title of ‘Risk Manager’.
    A campaign of training and awareness was rolled out to all Accountable Managers. These presentations focussed on changing the way that the organisation thought about and acted upon risk.
    Crossrail’s senior management reinforced the importance of risk management by including different facets of risk in Corporate Objectives. Over the implementation of the project three different measures have been used –

    • Performance regarding managagemt of ‘key risks’
    • Anticipated Final CRL Direct Cost (AFCDC) forecasts – which include an element for risk
    • Stage Opening Schedule Forecasts incorporating risk analysis (see reporting and analysis section below)


    Crossrail’s risk maturity was measured using the Alarm Risk Maturity Model, the National Performance Model for Risk management in the Public Sector[1]. Within the Crossrail organisation there is a mature risk aware culture. The challenge concerning risk culture is with respect to managing contractors. Frequently joint risk reviews were carried out with both Crossrail and contractor staff. These were carried out in a collaborative manner, and some contractors demonstrated high levels of risk maturity. Where there is an excellent contractual and personal relationship between Crossrail and a contractor it is possible to argue that detailed risk information from the Contractor, using the Crossrail tool, is not essential. For situations where contractual relationships are more challenging many contractors have made the decision to use the risk data they provide principally to support their commercial case. In this regard the culture with respect to risk for these contracts has not been positive.

    Learning Points for Organisation and Culture

    The key learning points are:

    • Clear accountability for risk management needs to be agreed. Within an organisation it should be included in documents such as job descriptions and management objectives. Between organisations it needs to be contractually specific. Inclusion of risk management accountabilities and responsibilities in Invitations to Tender makes it more likely that the contractor will engage effectively with risk management.
    • It is possible for other organisations, such as contractors, to make use of the client risk database. The benefits and drawbacks of doing so need careful evaluation. In particular consideration needs to be given to what may happen if the relationship deteriorates at all.
    • The Client risk management organisation needs to be specified and resourced to reflect the policy, procedures, nature of risks, and the contractual position with both clients and contractors with respect to risk. The organisation may need to be changed as the project moves from Civils to M&E and systems and to testing & commissioning. As integration between contracts becomes more important the very nature of risks change. The document Managing Risk in the  Later Stages of  Crossrail includes further detail.
    • There are benefits of retaining members of the risk management team within organisation for a reasonable length  of time period to retain their knowledge of the programme. This is more likely to be achieved by using staff appointments or individuals working for programme partners than by using individual consultant/contractors.
    • Joint risk reviews with both contractor and client staff are valuable and can help increase the level of risk maturity for both organisations. The single biggest threat to risk maturity is contractual difference. It is difficult to prevent risk management information from being influenced by contractual stances, given the degree to which judgement is an important part of risk identification and assessment. However working in collaboration helps to identify any differences early and mitigate the risks.

    8. Risk Management Tools

    Risk Management Database

    Crossrail has a risk management database in order to:

    – Provide a single source of risk information;
    – Allow sharing of risk information within and between organisations involved in delivery;
    – Enable the production of consistent registers and reports;
    – Make it easier for the Risk process to be implemented consistently;
    – Facilitate auditing and database quality monitoring.

    The requirements for the tool were defined in 2009 with reference to the risk processes described above. A comprehensive procurement process resulted in the selection of Active Risk Manager (ARM).
    The implementation of ARM was managed as a project, with the configuration being of critical importance. The outline configuration was developed in workshops. The approach taken was that managing risk is ‘fragile’ and that making it more difficult for users would result in lower engagement. The working assumption was that every extra piece of functionality could result in another user being turned off from using the system, so the benefits of extra functionality had to be significant. The resulting number of fields is somewhat less than in many other client organisations.
    ARM is a business critical system, in the same way that, for example, Primavera P6 is for scheduling. This has meant that all downtime for upgrades and maintenance has been out-of-hours.
    The quality of risk information – including status of risks, overdue actions and number of logins from different parts of the organisation, was reported both for contractors and the business sectors. Further details are shown in the Analysis and Reporting section below.
    ARM is used extensively, with around 100 users in any four week period at peak usage. The quality of risk data, as evidenced by KPI reporting and data reviews has been consistently high.

    Risk Analysis (Monte-Carlo Tools)

    The Monte Carlo tool in ARM has not been used on Crossrail. This was because of the increased flexibility of a spreadsheet based cost analysis tool, but also because few in the initial team had experience of the feature in the ARM tool. Instead @RISK was used for cost monte-carlo analysis and Primavera Risk Analyser (PRA) was used for schedule analysis.
    The linkage from Primavera P6 to PRA was set up and used every six months to undertake a QSRA. This was valuable given the scale of the schedules used (further details in the Analysis and Reporting section).
    How these tools were used and learning points concerning their use are included in the Analysis and Reporting section.

    Learning Points for Risk Management Tools

    Based upon Crossrail the success factors for the successful implementation of risk tools are:

    1. Thorough requirements and procurement processes.
    2. Database configuration agreed based on several experts inputs, making use of workshops.
    3. Extensive implementation of the database – to the broad project management community.
    4. Treat the database as a business critical application.
    5. Measure data performance, i.e. KPIs.
    6. For risk activities requiring large scale schedules consider the Primavera P6 to PRA linkage.

    There are no Crossrail specific failure factors directly in relation to tools. However, there are several in the Analysis and Reporting section (below), some of which have a knock-on effect on the database.

    9. Reporting and Analysis

    Reporting of Risk Information

    Risk reporting is carried out directly from ARM, with additional reporting through a data warehouse. A number of ARM Crossrail specific reports were produced to supplement the standard ARM Reports. In the early stages of ARM use, the Central Risk Team benefited from having an ARM administrator with Microsoft SQL experience who had the ability to swiftly create and modify reports.
    Once this resource was no longer available, fewer improvements to reports were produced given the additional complexity of arranging improvements via an external organisation.
    This meant that over time some users expressed the view that the specific reports were less relevant, and in some cases superseded by standard ARM reports.
    For Programme Controls, a reporting data warehouse using SAP Crystal Reports was created that took data from each of the key Control tools including ARM, every 28 days. The concept of this is to:

    1. Allow a report to consist of data from multiple systems;
    2. Provide a consistent appearance or “house style” of reports;
    3. Reduce the need for spreadsheets, which can be prone to version control issues and formula errors;
    4. Reduce the need for reports being constructed in systems such as ARM;
    5. Provide trend analysis (the then version of ARM did not contain trending functionality).

    The benefits set out above have been partially achieved. Within ARM, no individual reports have been produced that merge ARM and other data. Instead the tool uses ARM solely to produce risk reports. One trend analysis report was produced for KPIs, to evaluate the quality and consistency of the data within ARM. Given the importance of risk management and the quantity of ARM data, in retrospect, more trending reports would have been valuable.
    The quality of ARM data was consistently high. For the contractor ARM data this was due to:

    • Data being subject to reviews by both contractor staff and Crossrail staff, including Crossrail Risk Managers
    • KPIs being published for all contractors, with this KPIs forming part of the overall Contractor KPI
    • For Crossrail ARM data the high quality was achieved due to a number of factors including:
    • Peer review of risks within the Central Risk Team
    • Wide publishing of KPI data and review of that data by the Risk Sub-Committee encouraged Risk Managers, risk owners and action owners
    • Good input from all levels, including Directors, to review individual risks
    • Risk Sub-Committee reviews of individual risks


    A particular drawback of the link from ARM to the reporting data warehouse relates to configuration. There is a need for the data warehouse to receive data in a fixed manner. Hence taking on board ARM upgrades or making configuration improvements to the system requires additional checks and testing. This has meant that fewer improvements to ARM configuration have been made than was desirable and ARM in 2018 looks very similar to ARM in 2009 even though the project has changed considerably.

    Figure 6 –  Example Report of ARM Metrics

    Risk Analysis

    Quantitative Risk Assessment (QRA) provides a way of measuring risk exposure and has been used extensively by Crossrail. QRAs make use of base information such as a schedule or cost estimate along with risk data. This data is then analysed using the Risk Analysis tools described above. QRAs are only of value if they feed into decision making or help to set business goals or contractual terms. QRAs have been used for the following:


    QRA Used for Type Description of Analysis
    Semi Annual Construction Report (SACR) Schedule The Level 1 Primavera P6 schedule risk is risk assessed. The probability of meeting key milestones, such as stage openings, is reported via the SACR to the sponsors. Given the P6 schedule typically include at least 4,000 current or future activities the assessment is very detailed. Earlier SACR analysis reported post mitigation values, with the 2017 SACR reports covering pre and post mitigation.
    Pre Tender Budget Authority, prior to issuing ITT Cost In general assessments employ detailed modelling and used a consistent QRA template; however a ‘Quick QRA’ format has been developed to streamline the process for contracts below £10m. Assessments at this stage are carried out using Crossrail’s own cost estimates and considered both pre and post mitigation levels.
    Investment Authority, prior to Contract Award) Cost and Schedule The ‘production line’ process developed for the pre tender budget authority was further developed and refined for the Contract Award phase. Detailed QRAs were carried out using common templates and learning on risk identification and assessment was applied to subsequent contracts. Assessments are carried out based on cost and schedule submissions provided by the selected bidders, with the ‘blind’ procurement process adopted by Crossrail ensuring that the identity of the each bidder is not known.
    Crossrail Works Potentially affecting National Rail Service Schedule ‘Possessions QRA’: Risk assessment of hour-by-hour schedule for Crossrail works that require a closure or electrical isolation of Network Rail lines. Assessments consider post-mitigation levels.
    Four weekly Cost Reporting to Crossrail Board Cost Forecasts for the 80th and the 95th percentile produced based on both issues that are not yet included in other cost reporting and risks that may or may not occur. The report is for the post-mitigation. Each quarter, more detailed risk analysis is carried out, which is reported to project sponsors.


    QRAs provide the following benefits to risk management:

    1. The detailed analysis and assessment provides a more detailed understanding of the risks themselves and assurance to stakeholders on best value for money. The risks are set out in the context of an estimate or schedule, often at an important decision point.
    2. Allowing the assessment of combined effects of risks, which informed the prioritisation; selection and execution of treatment plans that support the project objectives of delivery on time and on budget;
    3. Providing metrics which can allow prioritisation of risk management activity and support decision making e.g. when utilised as part of a scenario analysis;
    4. Informing the selection of economic and efficient mitigation actions;
    5. Informing affordability to Cost Management and Change Control process.
    6. Given the importance of the output of cost and schedule QRAs it results in improved engagement in risk from the Project Management organisation.

    The above benefits have been achieved. A number of issues have occurred, particularly –

    A. QRA process encompassing Unresolved Trends (URTs). The Central Risk team not only reports risks but URTs too. In the earlier stages of the project URTs were minor in relation to risk. As the project has progressed the balance has shifted meaning that members of the team have spent considerable time reporting URTs. This has, at times, detracted from their risk management work. There is a positive – as it improves consistency between risk data and issues (i.e. cost changes that will definitely happen). However, from a Risk Management perspective it is viewed negatively overall.

    B. Mismatch between Risks in ARM and Cost QRA Spreadsheets.
    ARM was reviewed and updated continuously for Period Reporting, whereas Cost QRA Spreadsheets were updated quarterly; furthermore Cost QRA was completed in Excel. This has meant a mismatch over time between the two types of registers. This mismatch was worsened by the iterative process of Cost QRAs, involving numerous cross-organisation reviews, leading to challenging version control.
    That is not to say the data in the QRA spreadsheet was necessarily wrong – but clearly the consequence is confusion. An alternative method that has been adopted elsewhere is to carry out the monte-carlo modelling in ARM. Should a more sophisticated analysis be required that considers the portfolio effect of sub-project interactions, then this can be taken into account by exporting a number of curves from ARM into an @RISK QRA model that addresses the portfolio effect.

    C. Integration of Schedule and Cost Risk Data
    Integration of the two sorts of data has often not been straightforward. This has been for a number of reasons. These include the early focus on cost risk at the expense of schedule risk, with the majority of the early members of the Central Risk team being specialists for one sort of risk but not both. Many cost impacts relate to a time impact, i.e. prolongation. Hence this is an important aspect of risk management. However over the life of the project it has been rare for risks to provide detail on root causes with respect to schedule. Only a few schedule QRAs were carried out at contract level. More would have added significant value to the quarterly cost risk analysis.

    D. SACR Schedule Analysis Complex Owing to Schedule Size.
    The Level 1 schedule used is the only Primavera P6 schedule that includes inter-project interfaces. At over 4,000 activities it means that the work to produce a whole project schedule QRA is very significant. This includes several working days to check and amend the import from Primavera P6. With QRAs, often less detail produces a better form of analysis. From a Risk perspective there would have been value in creating a stand-alone P6 schedule specifically for the QRA. The Learning Legacy paper Managing Schedule Risk details this further.

    Reporting and Analysis Learning Points

    The success factors for reporting and analysis are:

    1. Provision of a good quality suite of reports from the Risk Database is important as the reports are the “shop window” for the risk process. Even small issues can be viewed negatively given both senior managers and project managers are used to spreadsheets being modified swiftly. Hence a solution to enable this either in-house, or with a budget to procure new and modified reports, is essential.
    2. Reports showing trends are particularly valuable. Attention as to how the historic data is stored and accessed is important.
    3. Export of Risk Data into a Data Warehouse provides the opportunity to easily produce single reports from multiple systems, but results in a greater cost of change to the configuration of the Risk Database.
    4. How schedule and cost risk data can be integrated (or at the very least made consistent) needs careful consideration.
    5. For cost reporting how risks migrate into issues and then even more definite forecasts is important. Requiring a risk team to forecast trends as well as risks will detract from their risk management work. There is a positive – as it improves consistency between risks and issues (i.e. cost changes that will definitely happen). From a Risk Management perspective it is viewed negatively overall.

    10. Conclusions

    The Crossrail project has been enhanced by the use of risk management. There are a significant number of learning points listed above. In the vast majority of cases the strategy, policies and plans for risk management were set out when the project was implemented and have been very effective. Crossrail took on board a number of tried and tested approaches to risk management. The aspects where Crossrail has been more innovative have been in regard to –

    A. Governance
    A system of governance, particularly the Risk Sub-Committee, was introduced for risk management that involved Board level review and decision-making. The governance method and input from Board members has remained stable over time. This is in contrast to many other projects where either governance does not embrace risk management or, if it does, the governance arrangements don’t relate to the project status or the overall risk “picture”.

    B. Corporate Objectives – Risk Management enshrined in Crossrail’s objectives
    Crossrail agreed a set of risk management KPI’s linked to risk cost and schedule. These KPI’s are part of the corporate objectives for Crossrail. The risk management organisation objectives are agreed at executive level and cascaded down to responsible managers.

    C. Risk Management Team – A smaller core team than on many similar UK projects
    The Crossrail Central Risk Team is a relatively small team in comparison to similar UK projects. The team is made up of experienced risk management professionals. In the main, permanent staff have been appointed who have been retained on the project for far longer than on other UK major projects.

    D. Contractor Responsibility
    The need for very specific risk management processes were included in the works information documents. This is in contrast to other major projects where either risk management requirements are often very unspecific and/or introduced post contract award. There is also a requirement for the contractor to employ suitably experienced Risk Managers to engage with Crossrail. The contractor risk processes are measured, and KPIs have been used as part of the contractors’ remuneration.

    E. Shared Risk Management Database – ARM is used by Crossrail and its Tier 1 contractors.
    The Risk Database (ARM) was specified and constructed for use by both Crossrail and its Tier 1 contractors. The works information specifies the use of the ARM Database.

    The main aspect of risk management that could have done with more consideration is how a positive risk culture can be created particularly for the interfaces with others such as contractors.
    Lastly, the nature of risks needs to be constantly reviewed as it can have far reaching consequences. Most of Crossrail’s contracts were self-contained. During 2015 and 2016 they started to become far more linked. It took a while for the nature of the interface risks between contractors to be fully assessed. When those risks were assessed it demonstrated that on a project like Crossrail integration, particularly of schedule, is critical.


    [1] The Alarm national performance model for risk management in public services. What does good risk management look like?[Online] Available at . Accessed on 12 March 2018

    [2] StratRisk Approach, [online], available at – Accessed on 12 March 2018

    [3] Actuarial Profession and Institution of Civil Engineers, “Strategic Risk: A Guide for Directors” Thomas Telford Ltd, May 2006


  • Authors

    Photo of Nikki Gash

    Nikki Underwood - Crossrail Ltd

    Nikki Underwood (nee Gash) has been Head Of Programme Risk since December 2016. During this period she has led the development and implementation of programme risk management; rebalancing the focus on schedule risk as well as cost risk, redefining the processes, rebuilding the systems and aligning the strategy and governance to the delivery requirements during the final phase of the project.

    Prior to joining Crossrail, Nikki worked in various risk management roles both in the UK and internationally. She has worked on major projects such as West Coat Route Modernisation and Sharq Crossing in Doha. Nikki has 15 years experience of both risk management and project management on both contractor and client side working for organisations such as London Underground and Network Rail.

  • Peer Reviewers

    Will Boxall, Programme Risk Manager, Transport for London