Risk and Assurance Context for Crossrail

As a public sector funded major project, Crossrail needed to provide assurance to a number of external bodies in relation to its governance and effectiveness of delivery. These included the Joint Sponsors Department for Transport and Transport for London as well as HM Treasury among others.
As part of implementing a comprehensive and robust approach to risk management, the need to provide assurance was identified as one of three key objectives:

1. Supporting Delivery – Risk Management is a key component of Project Management. Active identification, assessment and mitigation of risk is key to delivering projects successfully;
2. Providing Assurance – An active and robust approach to managing risk provides valuable assurance to internal and external stakeholders that the project is under control: that the project team understand the key risks and have plans in place to manage them;
3. Informing Decision Making – A good understanding of uncertainty and risk can be used to help the project to make better decisions. Options which superficially carry similar costs and benefits can carry significantly different levels of risk

Audit and Risk Management

Risk Management theory generally identifies three levels of risk exposure (see figure below). These are: Inherent Risk (pre mitigation exposure), Current Risk (including mitigations currently included as part of management approach) and Forecast Risk (sometimes called ‘Target Risk’) and including future Risk Management Actions identified but not yet implemented.

Figure 1 – Three Levels of Risk

Assurance led risk processes capture risk information at ‘Inherent’ and ‘Current’ levels of severity and record the actions and controls in place to achieve the ‘Current’ level. Regular review of these ‘Management Controls’ is undertaken in order to provide assurance that the ‘Current’ level is being achieved.
At the transition to delivery, Crossrail identified a key priority to reduce its financial exposure to uncertainty and risk to within the funded envelope. An important decision made early in the development of risk management at Crossrail, was to focus management action on reducing risk from the ‘Current’ position to a lower ‘Forecast’ level through the development of additional Risk Management Actions.
This ‘Delivery Focused’ approach meant that Crossrail’s team of Risk Managers and Analysts worked with Risk Owners to identify and deliver new active mitigation measures. Management Controls were identified against key risks (although the ‘Inherent’ severity was not recorded) and assurance of these elements was carried out by the Internal Audit function.

Risk in the Assurance Model

Typically, Assurance is described in terms of ‘3 lines of defence’:

• First line provided by delivery teams’ self assurance,
• Second line provided by internal oversight functions, and
• Third line provided by independent, often external, assurance bodies.

Figure 2 – Three Lines of Defence

As shown in the figure below, the Crossrail Risk Management function has involvement at each level:

• In providing process and tools to the delivery tools to carry out self-assurance;
• As an internal oversight function in its own right, and working with other internal oversight functions including engineering, finance and safety;
• In providing information on risk and risk management performance to independent assurance bodies.

Figure 3 – Crossrail’s Three Lines of Defence

Conclusions

Crossrail’s risk management implementation was developed to:

• Support Delivery
• Provide Assurance; and
• Inform Decision Making.

The organisation configured its risk management approach to concentrate efforts on identifying its Current Risk Exposure and actively mitigating this down to a Forecast position. The Inherent – Current – Forecast model was developed to allow Risk Managers and Audit and Assurance functions to work together to assure Management Controls as well as Risk Management Actions.
In this way, risk management formed a key part of the 3 lines of the defence Assurance Model, by providing tools and techniques to Delivery Teams to conduct self-assurance, by providing information on key risks and risk management performance to independent assurance bodies, and as a second line function in its own right.

Lessons Learned

As explained above, at the transition to delivery, Crossrail identified a key priority to reduce its financial exposure to uncertainty and risk to levels which would enable delivery of the programme within the agreed funding envelope. This led to a need to embed active risk management at various levels within the organisation; at the project level, at the functional level and at the leadership level through the dedicated risk management sub-committee.
By making this important decision early, to focus management action on reducing risk from the ‘Current’ position to a lower ‘Forecast’ level, it ensured a focus on risk management actions. This enabled active management and mitigation, provided clarity on the risk position and allowed leaders of the programme to make decisions on a risk-based approach.
The three lines of defence were critical to establishing a robust risk management culture across the programme:

Level 1: defining base level requirements – systems, tools, forms, processes

Level 2: building capability in the delivery organisation through assurance and functional leadership

Level 3: effective and efficient integration between the risk management function and audit functions, directing attention on a risk-based approach.

Recommendations for Other Projects

• Risk management should be at the heart of the management of major programmes
• Clear delineation and integration should exist between the risk management function and audit functions. Processes should complement and facilitate a risk-based approach
• Three lines of assurance defence are key to establishing a risk management culture, driving performance improvement and enabling effective decision making
• The risk management function should focus on management and mitigation