For Crossrail, Risk and Assurance played a key role in keeping the organisation on track and within its project delivery targets. As a public sector funded project, Crossrail has to provide assurance to a number of external bodies in relation to its governance and effectiveness of delivery. This paper describes its approach to identifying risk exposure, the steps taken to actively manage and mitigate risks, and the assurance procedures put in place to assist with the process. This paper will be relevant to any project, and specifically to risk managers trying to develop and align their risk and assurance approach to their organisation.
Risk and Assurance Context for Crossrail
As a public sector funded major project, Crossrail needed to provide assurance to a number of external bodies in relation to its governance and effectiveness of delivery. These included the Joint Sponsors (Department for Transport and Transport for London) as well as HM Treasury, among others.
As part of implementing a comprehensive and robust approach to risk management, the need to provide assurance was identified as one of three key objectives:
- Supporting Delivery – Risk Management is a key component of Project Management. Active identification, assessment and mitigation of risk is key to delivering projects successfully;
- Providing Assurance – An active and robust approach to managing risk provides valuable assurance to internal and external stakeholders that the project is under control: that the project team understand the key risks and have plans in place to manage them;
- Informing Decision Making – A good understanding of uncertainty and risk can be used to help the project to make better decisions. Options which superficially carry similar costs and benefits can carry significantly different levels of risk.
Audit and Risk Management
Risk Management theory generally identifies three levels of risk exposure (see figure below). These are: Inherent Risk (pre-mitigation exposure), Current Risk (including mitigations currently included as part of the management approach) and Forecast Risk (sometimes called ‘Target Risk’), which also includes future Risk Management Actions identified but not yet implemented.
Figure 1 – Three Levels of Risk
Assurance led risk processes capture risk information at ‘Inherent’ and ‘Current’ levels of severity and record the actions and controls in place to achieve the ‘Current’ level. Regular review of these ‘Management Controls’ is undertaken in order to provide assurance that the ‘Current’ level is being achieved.
At the transition to delivery, Crossrail identified a key priority to reduce its financial exposure to uncertainty and risk to within the funded envelope. An important decision made early in the development of risk management at Crossrail was to focus management action on reducing risk from the ‘Current’ position to a lower ‘Forecast’ level through the development of additional Risk Management Actions.
This ‘Delivery Focused’ approach meant that Crossrail’s team of Risk Managers and Analysts worked with Risk Owners to identify and deliver new active mitigation measures. Management Controls were identified against key risks (although the ‘Inherent’ severity was not recorded) and assurance of these elements was carried out by the Internal Audit function.
Risk in the Assurance Model
Typically, Assurance is described in terms of ‘3 lines of defence’:
- First line provided by delivery teams’ self-assurance,
- Second line provided by internal oversight functions, and
- Third line provided by independent, often external, assurance bodies.
Figure 2 – Three Lines of Defence
As shown in the figure below, the Crossrail Risk Management function has involvement at each level:
- In providing process and tools to the delivery teams to carry out self-assurance;
- As an internal oversight function in its own right, and working with other internal oversight functions including engineering, finance and safety;
- In providing information on risk and risk management performance to independent assurance bodies.
Figure 3 – Crossrail’s Three Lines of Defence
Crossrail’s risk management implementation was developed to:
- Support Delivery
- Provide Assurance; and
- Inform Decision Making.
The organisation configured its risk management approach to concentrate efforts on identifying its Current Risk Exposure and actively mitigating this down to a Forecast position. The Inherent – Current – Forecast model was developed to allow Risk Managers and Audit and Assurance functions to work together to assure Management Controls as well as Risk Management Actions.
In this way, risk management formed a key part of the 3 lines of defence Assurance Model, by providing tools and techniques to Delivery Teams to conduct self-assurance, by providing information on key risks and risk management performance to independent assurance bodies, and as a second line function in its own right.
As explained above, at the transition to delivery, Crossrail identified a key priority to reduce its financial exposure to uncertainty and risk to levels which would enable delivery of the programme within the agreed funding envelope. This led to a need to embed active risk management at various levels within the organisation; at the project level, at the functional level and at the leadership level through the dedicated risk management sub-committee.
Making this important decision early, to focus management action on reducing risk from the ‘Current’ position to a lower ‘Forecast’ level, ensured a focus on risk management actions. This enabled active management and mitigation, provided clarity on the risk position and allowed leaders of the programme to make decisions on a risk-based approach.
The three lines of defence were critical to establishing a robust risk management culture across the programme:
Level 1: defining base level requirements – systems, tools, forms, processes
Level 2: building capability in the delivery organisation through assurance and functional leadership
Level 3: effective and efficient integration between the risk management function and audit functions, directing attention on a risk-based approach.
Recommendations for Other Projects
- Risk management should be at the heart of the management of major programmes
- Clear delineation and integration should exist between the risk management function and audit functions. Processes should complement and facilitate a risk-based approach
- Three lines of assurance defence are key to establishing a risk management culture, driving performance improvement and enabling effective decision making
- The risk management function should focus on management and mitigation
Rob Halstead was Head of Risk Management for Crossrail from 2009 to 2016. During that period he led the development and implementation of a comprehensive risk management framework, developing the policy, process, systems and tools required to effectively manage risk on this infrastructure mega-project. He is now a Director of Turner & Townsend Infrastructure.
Prior to joining Crossrail, Rob worked in various risk management roles at London Underground and Network Rail. Rob has an engineering background, is a member of the Institute of Risk Management and a regular contributor on risk management and quantitative risk assessment and its use in the financial appraisal of major projects.