Strategic Risk Management
Author: Rob Halstead
Publication Date: 14/03/2017
From an early stage of the project, managing risk and uncertainty was identified as being critical to the successful delivery of the Crossrail project. The project’s senior management were strongly supportive and actively engaged in implementing the risk management process, which facilitated the creation of a dedicated risk management sub committee within the overall governance structure. This paper describes Crossrail’s approach to strategic risk management, and will be of interest to any organisation defining how risk management fits within a governance structure, as well as to major infrastructure programmes which are required to deal with a multitude of external factors, reputational risks and other strategic risks.
Read the full document
Introduction and Context
From an early stage of the project, managing risk and uncertainty was identified as being critical to the successful delivery of the Crossrail project. The project’s senior management were strongly supportive and actively engaged in implementing the risk management process.
As part of Crossrail’s mobilisation into delivery in 2009, the organisation put in place a Risk Hierarchy structured around Strategic, Programme and Project risks. The objectives of this structure were to:
• Ensure that the benefits of managing uncertainty and risk were captured at all levels of the organisation;
• Ensure that all parts of the organisation were able to engage with risk management at an appropriate level; and
• Organise the wealth of risk information that was being produced on the programme.
Figure 1 – Risk Management Hierarchy
Crossrail Ltd was established as a wholly owned subsidiary of Transport for London with two sponsors, the Department for Transport and Transport for London, and an independent Board structure in line with best practice corporate governance.
In early 2010, the Crossrail Executive formed a risk sub-committee, chaired by the Finance Director and attended by the Programme Director and Commercial Director as well as representatives from across the programme. The committee met monthly as part of the organisation’s governance calendar and considered the implementation and performance of risk management as well as key areas of specific risk.
High Level Engagement
In order to engage the senior leadership in the risk management process, and to satisfy corporate governance requirements, Crossrail developed a strategic risk process. This was developed with reference to the StratRisk approach developed by the Actuarial Profession and the Institute of Civil Engineers.
A series of workshops were held with the Crossrail Executive to develop a strategic risk register consisting of around 10 – 12 high level risk areas. These were a combination of both external risks e.g. political, economic threats to the project but also included internal risks such as organisational competency, technical challenge and financial performance.
Figure 2 – High Level Risk Areas
Strategic Risk Assessment
Strategic risks were reviewed in detail by the Crossrail Executive in the risk sub- committee.
In order to promote recognition and engagement with the broader risk management process, the format of the information captured for strategic risks followed the same format as other risks in the risk process.
Each strategic risk had an executive level owner. In line with the broader risk management process, those owners were responsible for assessing the risk using qualitative assessment criteria and developing and implementing mitigation actions. In practice, the committee format ensured that assessments were based on a broad consensus of views, and mitigation actions drew on inputs and capabilities from across the programme.
On a semi-annual basis, the Executive participated in a ‘Horizon Scanning’ brainstorming session to specifically focus on external risks which may impact the programme.
Horizon Scanning Report indicates:
- Key Crossrail Milestones
- Dates of Local and National Elections
- Sponsor Milestones
- External Events
- Other Milestones: National Infrastructure Plan Projects, Industry Partner Projects
Figure 3 – Horizon Scanning
In addition, a number of focussed risk identification exercises were carried out with the risk sub-committee to provide prompts for the strategic risk process. These included:
- Extreme Risks: External low probability high impact risk events which could disrupt tunnelling or construction activities;
- Reputational Risks: Reference to stakeholder maps to identify local reputational risks at sites across the route as well as generic risks associated with the reputation of Crossrail as a whole;
- Safety Risks: Analysis of the changing safety risk profile associated with changing nature of works being undertaken.
The Crossrail Board was fully engaged in the strategic risk process and the set of strategic risks was reported to the Board on a monthly basis. The Board carried out a focussed review of one strategic risk every month and often suggested new strategic risks or areas for mitigation. In some cases, the members of the Board were able to lend their support to mitigation activities.
From an early stage of the project, managing risk and uncertainty was identified as being critical to the successful delivery of Crossrail. The project’s senior management were strongly supportive and actively engaged in implementing the risk management process, which facilitated the creation of a dedicated risk management sub committee within the overall governance structure in order to formalise the management of strategic risks. This was underpinned by the strategic risk process.
During the six years of peak delivery, the executive met monthly at the Risk Sub Committee. This was critical in ensuring senior engagement in the management of strategic risks, and enabled emerging strategic risks to be identified and managed appropriately as the programme progressed.
The Strategic Risk Register proved to be a useful tool to communicate key risks and mitigations to the Board, Sponsors and other external stakeholders. It allowed the Executive team an opportunity to consider the significant risks facing the programme and allowed them to develop strategic mitigations.
Recommendations to Other Projects
- Develop a strategic risk management process
- Ensure the strategic risk management process is underpinned with an appropriate governance structure, with the right level of senior leadership involvement
- Have a clear process to categorise different levels of risk, and assign ownership of strategic risks with a member of the Executive
- Include strategic safety risks, reputational risks and low-likelihood, extreme risks as part of the strategic risk management process
- Regularly review strategic risks, and undertake a regular workshop to identify emerging external risks
 StratRisk Approach, [online], available at – http://www.stratrisk.co.uk/index.aspx
 Actuarial Profession and Institution of Civil Engineers, “Strategic Risk: A Guide for Directors” Thomas Telford Ltd, May 2006
Rob Halstead was Head of Risk Management for Crossrail from 2009 to 2016. During that period he led the development and implementation of a comprehensive risk management framework, developing the policy, process, systems and tools required to effectively manage risk on this infrastructure mega-project. He is now a Director of Turner & Townsend Infrastructure.
Prior to joining Crossrail, Rob worked in various risk management roles at London Underground and Network Rail. Rob has an engineering background, is a member of the Institute of Risk Management and a regular contributor on risk management and quantitative risk assessment and its use in the financial appraisal of major projects.