NOT
MEASUREMENT
SENSITIVE
DOE G 413.3-7A
Approved 1-12-2011
Chg 1 (Admin Chg) 10-22-2015
Risk Management Guide
[This Guide describes suggested non-mandatory approaches for meeting requirements. Guides
are not requirements documents and are not to be construed as requirements in any audit or
appraisal for compliance with the parent Policy, Order, Notice, or Manual.]
U.S. Department of Energy
Washington, D.C. 20585
AVAILABLE ONLINE AT: INITIATED BY:
https://www.directives.doe.gov Office of Project Management
Oversight & Assessments
DOE G 413.3-7A i (and ii)
1-12-2011
FOREWORD
This Department of Energy Guide is for use by all DOE elements. This Guide intends to provide
non-mandatory risk management approaches for implementing the requirements of DOE O
413.3B, Program and Project Management for the Acquisition of Capital Assets, dated 11-29-
2010. DOE programs may adopt other acceptable risk management approaches/methods as
determined appropriate for the type of project and program maturity by the line management for
the specific program. Guides are not requirement documents and should not be construed as
requirements. DOE Guides are part of the DOE Directives Program and provide suggested ways
of implementing Orders, Manuals, and other regulatory documents.
DOE G 413.3-7A iii
1-12-2011
TABLE OF CONTENTS
1.0 PURPOSE .................................................................................................................................1
2.0 SCOPE ......................................................................................................................................1
3.0 RISK MANAGEMENT ORGANIZATIONAL BREAKDOWN STRUCTURE, CONCEPT,
AND RESPONSIBILITIES .............................................................................................................2
3.1 Risk Management Organizational Breakdown Structure............................................................................ 2
3.2 Risk Management Organizational Concept ................................................................................................ 3
3.3 Risk Management Organizational Responsibilities .................................................................................... 4
3.3.1 Federal Project Director ......................................................................................................................... 5
3.3.2 Integrated Project Team ......................................................................................................................... 5
3.3.3 Contractor Project Manager ................................................................................................................... 6
3.3.4 DOE/National Nuclear Security Administration Headquarters ............................................................. 6
4.0 RISK MANAGEMENT PROCESS WITHIN THE PROJECT LIFE CYCLE .......................7
4.1 Project Phase Integration ............................................................................................................................ 7
4.2 Risk Planning.............................................................................................................................................. 9
4.3.1 Risk Identification ............................................................................................................................... 10
4.3.2 Assignment of the Risk Owner ............................................................................................................ 14
4.3.3 Assignment of Probability and Consequence ...................................................................................... 14
4.3.4 Assignment of Risk Trigger Metrics .................................................................................................... 15
4.3.5 Risk Register ........................................................................................................................................ 15
4.3.6 Risk Analysis ....................................................................................................................................... 16
4.4.1 Acceptance ........................................................................................................................................... 28
4.4.2 Avoidance/Exploit ............................................................................................................................... 28
4.4.3 Mitigation/Enhance .............................................................................................................................. 29
4.4.4 Transfer/Share ...................................................................................................................................... 30
4.6.1 Risk Monitoring Process Considerations ............................................................................................. 31
4.6.2 Risk Monitoring Methods .................................................................................................................... 32
5.0 RISK DOCUMENTATION AND COMMUNICATION ......................................................35
6.0 TAILORING OF RISK MANAGEMENT ...........................................................................399
7.0 APPLICATION OF CONTINGENCY AND MANAGEMENT RESERVE FOR NON-
M&O CONTRACTS .....................................................................................................................40
8.0 ATTACHMENTS .............................................................................................................
Attachment 1: Risk Breakdown Structure ................................................................................... 1-1
Attachment 2: Risk Status Report ................................................................................................ 2-1
Attachment 3: Risk Responsibility Assignment Matrix .............................................................. 3-1
Attachment 4: Probability Scale/Schedule Consequence Criteria ............................................... 4-1
Attachment 5: Risk Register ........................................................................................................ 5-1
Attachment 6: Cost/Benefit Analysis........................................................................................... 6-1
Attachment 7: Opportunity Matrix .............................................................................................. 7-1
Attachment 8: Risk Identification Checklist ................................................................................ 8-1
Attachment 9: Risk Monitoring Checklist ................................................................................... 9-1
Attachment 10: Management Reserve or Contingency Use Report .......................................... 10-1
Attachment 11: Risk Identification, Development and Use of Contingency and Management
Reserve ....................................................................................................................................... 11-1
Attachment 12: Cost and Schedule Contingency Development Process ................................... 12-1
Attachment 13: Contingency Estimate Inputs and Interface Needs (Supplementary Information)
.................................................................................................................................................... 13-1
iv DOE G 413.3-7A
1-12-2011
Attachment 14: Management and Reporting of MR and Contingency ..................................... 14-1
Attachment 15: Glossary............................................................................................................ 15-1
List of Appendices
APPENDIX A: REFERENCES .................................................................................................. A-1
List of Figures
Figure 1. Critical Decision Phases with Continuous and Iterative Risk Management ....................8
Figure 2. Risk Management Process. Linear Representation of the Continuous and Iterative
Process .............................................................................................................................9
Figure 3. Qualitative Risk Analysis Matrix ...................................................................................18
Figure 4. Total Project Cost Breakdown........................................................................................18
Figure 5. DOE and Contractor Performance Baseline ...................................................................18
Figure 6. Example Output of Monte Carlo Analysis of Cost Risk Impacts ..................................18
DOE G 413.3-7A 1
1-12-2011
1.0 PURPOSE
The purpose of this guide is to describe effective risk management processes. The continuous
and iterative process includes updating project risk documents and the risk management plan and
emphasizes implementation communication of the risks and actions taken. The guidelines may
be tailored according to program guidance and the needs of projects. DOE programs may adopt
other acceptable risk management approaches/methods as determined appropriate for the type of
project and program maturity by the line management for the specific program. A program (e.g.,
Office of Science) that has a methodology to adequately govern risk management may continue
to use its own specific methodology.
This guide provides a suggested framework for identifying and managing key technical,
schedule, and cost risks and how it integrates with the development and consistent use of
government contingency and contractor management reserve. The DOE Order 413.3B states that
risk management is an essential element of every project.
Risk management for this purpose is the handling of risks through specific methods and
techniques within the bounds of project management. The definition of risk for this guide is a
factor, element, constraint, or course of action that introduces an uncertainty of outcome that
could impact project objectives. The risks to be handled should be comprised of threats and
opportunities. Threats are risks with negative consequences, and opportunities are risks with
positive benefits.
The suggested risk management process set forth in this guidance demonstrates a continuous and
iterative process. This framework meets the requirements of the Order to be forward looking,
structured, and informative. The issue of the establishment of technical design margins to
address the uncertainties or unknowns associated with the design is addressed in greater detail in
the DOE Guides
1
; however, the risk and its uncertainty arising from designs are addressed by
this Guide as are the necessities of increased technical oversight requirements. Further, this risk
management process has been developed to meet the overall monitoring and reporting
requirements, and to allow one to continue to monitor those technical uncertainties.
2.0 SCOPE
This guide may be used by all Department of Energy (DOE) offices and the National Nuclear
Security Administration (NNSA), their respective field operations, operations’ contractors, and
subcontractors as specified in their respective contracts.
This guide suggests processes for the initiation, planning, execution, monitoring, and close-out of
the risk management throughout the life cycle of the project. As such, the concepts and practices
in this guide may be tailored based upon:
1
For example: DOE G 413.3-1, Managing Design and Construction Using Systems Engineering, for use with DOE
O 413.3B, dated 11-29-2010.
2 DOE G 413.3-7A
1-12-2011
The project complexity.
The size and duration of the project.
The initial overall risk determination of the project.
The organizational risk procedures.
The available personnel and their skills levels for performing risk management.
The available relevant data and its validation.
The final determination for risk management tailoring should be with the Integrated Project
Team (IPT) or the Contractor Project Manager (CPM) as described in the project risk
management plan. Tailoring of the risk management process generally includes selection of what
risks to actively manage based on risk level, determination whether to perform a quantitative
analysis, types of analysis to be performed, communication plan requirements, and types and
frequency of reporting and monitoring.
This guidance and advice should be intended to meet, but should not be limited to, the following
objectives:
Identify the risk management processes.
Identify the steps necessary to facilitate the implementation of those processes.
Provide life-cycle risk management guidance.
Provide risk management documentation guidance.
Provide risk management monitoring and reporting guidance.
This guide should not be intended to replace assessment processes developed for nuclear safety
and environmental, safety, health, and quality (ESH&Q). It should also not be intended to
replace assessment processes developed for safeguards and security. This guidance also
recognizes the benefit and necessity of early consideration and integration of safety related
project risk into the project risk management process.
3.0 RISK MANAGEMENT ORGANIZATIONAL BREAKDOWN
STRUCTURE, CONCEPT, AND RESPONSIBILITIES
3.1 Risk Management Organizational Breakdown Structure
Using the organizational breakdown structure (OBS) in the Project Execution Plan (PEP) or
Project Management Plan (PMP), the risk management team should be identified along with
DOE G 413.3-7A 3
1-12-2011
roles and responsibilities of the team members. Whenever the PEP or PMP is updated, the risk
management plan should also be updated, if changes have been made to the OBS.
The organizational breakdown structure should serve three purposes in risk management. These
purposes, as well as illustrations for each purpose, are shown as follows:
Highlights the chain of authority, communication structure, and management framework
with which risk management and the decision processes will occur.
- Assists with identifying organizational risks and/or external risks.
- Assists with identifying where certain risk management ownership and decision
processes reside.
- Reduces time for critical risk communication.
- Allows for documentation of risk communication chain.
Provides a means to map risks organizationally to determine where the greatest number
of risks resides and/or the highest-rated risks reside.
- Can provide a format for the development of a Risk Breakdown Structure (see
Attachment 1, Risk Breakdown Structure).
- Provides a means of identifying risk owners.
The risk management organizational structure assists in integrating risk management into the
procedures and processes of the organization. It also assists in developing the responsibility
assignment matrix for key risk management roles and responsibilities in a structured and formal
manner, and facilitates the communication process suggested in this guide. It provides a means to
link the risk breakdown structure with the organization for risk management to determine where
the risks reside and who is responsible for them.
3.2 Risk Management Organizational Concept
Programs and projects are of varied types and of differing complexity. The risks may span
multiple levels of organizational management, crosscut multiple organizations, and/or crosscut
different sites within the complex. For risk management to be effective, it should be an integral
part of the organization’s corporate enterprises-governance (e.g., standards, procedures,
directives, policies, and other management documentation).
In order to implement the risk management principles
2
and processes successfully, an
organizational process perspective should be considered within which the risk management
2
OMB M-07-24, Memorandum for the Heads of Executive Departments and Agencies, ―Updated Principles for
Risk Analysis,‖ September 19, 2007. (Text cited only for the universal risk management principles and not the
context they are presented within the memo.)
4 DOE G 413.3-7A
1-12-2011
processes could operate. The processes and procedures, along with applicable tools to be used for
performing risk management functions should be carefully considered, established, and well
defined when implemented. The risk management processes described later in this guide should
be carefully tailored to involve and meet the needs of the organization’s internal planning,
assessment, project controls, risk monitoring, reporting, and decision-making processes at the
different levels of risk management.
A clearly defined integrated risk management framework should consider the structure and
interactions of the management organization(s) and management levels. These should be charted
or mapped out and institutionalized (process-wise) in order to help:
Align the organization(s) to accomplish the mission, in concert with the established
requirements, policies, strategic plans, roles and responsibilities aligned via clearly
defined and well-understood processes and procedures. This alignment should be done in
order to meet the goals and objectives of the Department at all levels of the
organization(s) supported by risk management-based decision making knowledge.
Increase the interaction and communication between upper management and functional
contributors, and to better understand all types of project risks, such as: political,
economic, social, and technological, policy, program, project, financial, resource-based,
health and safety, safeguards and security, and operational. Without this interaction,
identification of risks and the communication and handling of risks cannot be adequately
accomplished, or be well understood.
Apply a consistent integrated systematic risk management process approach at all levels
of risk management to support decision-making and encourage better understanding and
application of the risk management process. For example, the same risk can exist in
different organizational levels such as the contractor, the site DOE Offices, and Program
Headquarters (HQ) Offices. This risk may be shared by all of the organizations and may
be managed by all utilizing different perspectives. This risk can also be within the same
site and crosscut and affect other capital, cleanup, information technology, or operating
projects, etc.
Build a culture that fosters risk management related learning, innovation, due diligence,
responsible leadership, management participation and involvement, lessons learned,
continuous improvement, and successive knowledge transfer.
The risk management framework should be completely integrated into the procedures and
processes of the organization. The risk management processes and procedures should be
supported by management through self-assessments, lessons learned, and a continuous
improvement environment.
3.3 Risk Management Organizational Responsibilities
The key roles, roles which have a significant impact upon the risk management of the project,
and responsibilities are the highest level of project risk authority and responsibility. A complete
DOE G 413.3-7A 5
1-12-2011
responsibility assignment matrix for risk management roles and responsibilities should be
included in the risk management plan.
3.3.1 Federal Project Director
As per DOE O 413.3B, the Federal Project Director (FPD) is responsible for leading the IPT.
Throughout the project life cycle, the FPD should:
Apply a continuous, iterative risk management process.
Document and manage risks.
Develop, maintain, and provide required risk documentation, and report to appropriate
project and program management personnel. This includes providing configuration
management for this documentation.
Ensure a tailored approach to risk management.
Ensure that the sponsoring program office continues to be informed of the status of
project risks with potentially large cost and schedule impacts as soon as they are
recognized.
Formally accept or reject any risks that are proposed to be transferred from the
contractor to the federal government (DOE or NNSA).
Oversee acceptance and closure of risks owned by the FPD.
Oversee the roles and responsibilities of each IPT member with respect to risk
management.
Coordinate with the project’s Contracting Officer early in the acquisition process and
throughout the project for contract-related risks.
Serve as the focal point of communication between the contractor and DOE-HQ for all
risk-related issues.
Develop an environment in which lessons learned are encouraged from project
experience and risk management, and develop new lessons learned as appropriate.
3.3.2 Integrated Project Team
Throughout the project life cycle, the IPT, in support of the FPD, should:
3
Apply the continuous risk management process.
3
Additional information on the IPT roles and responsibilities is provided in DOE Guide 413.3-18, Integrated
Project Team Guide.
6 DOE G 413.3-7A
1-12-2011
Document and manage the risk management process contained within the risk
management plan and the risk management communication plan (see Section 5.3, Risk
Management Communication Plan).
Provide documentation and management of risks throughout the project life cycle via the
project risk register (see Section 4.3.5, Risk Register, and Attachment 1, Risk
Breakdown Structure).
Develop and provide the project risk status report (see Attachment 2, Risk Status
Report) to management.
3.3.3 Contractor Project Manager
For non-M&O contracts, the CPM manages risks under the Contract Budget Base (see
Attachment 11, Figure A-1) independently subject to the requirements set in the procurement
contract. The risk management responsibilities of the CPM, unless otherwise directed by the
contract terms and conditions as they bound the project life cycle, should be to: (see Section 7
and Attachments 11-14 for a discussion on contractor’s risks and their management under the
Contract Budget Base)
Apply a continuous, iterative risk management process for all contractor risks.
Document and manage contractor risks and transfer to the Government, with FPD
concurrence, risks that are not the contractor’s responsibility.
Develop, maintain, and provide required risk documentation (using configuration
management) and reporting to appropriate project and program management personnel.
This includes providing configuration management for this documentation.
Ensure the project’s Contracting Officer continues to be informed of the change control
process and that the supporting documentation is generated for managing risks within
the Contract Budget Base.
Coordinate with the FPD in the development of a tailored approach to overall project
risk management.
Coordinate with the FPD in the process of recognition, acceptance and closure of key
project risks.
3.3.4 DOE/National Nuclear Security Administration Headquarters
Headquarters program office personnel should:
Provide guidance on the risk management process.
Provide support to site office programs in the evaluation, analysis, assessment, and
reporting of risk.
DOE G 413.3-7A 7
1-12-2011
Provide support to site office programs for training and education in risk management.
Facilitate information sharing on risk management best practices, trends, and
publications.
Interface with the FPD and IPT for risk.
4.0 RISK MANAGEMENT PROCESS WITHIN THE PROJECT LIFE
CYCLE
4.1 Project Phase Integration
This risk management guide is integrated with DOE O 413.3B, but it also suggests process steps
beyond those stated in DOE O 413.3B in some specific instances, such as the Risk Register. The
risk management process is a continuous, iterative process that is performed as early in the
project life cycle as possible.
Wherever possible, the project phases in DOE O 413.3B should be aligned with the risk
management process to allow an integrated view (Figure 1). Figure 1 provides a view of the
steps of the risk management process against the Critical Decision Phases of a project. While this
view presents a static view of risk management, it is not meant to infer that the process is static.
Instead it is meant to demonstrate when one should initiate for the first time certain process
steps.
The risk management plan should be included in or referenced in the preliminary project
execution plan during CD-1 (see Section 5.2, Risk Management Plan).
8 DOE G 413.3-7A
1-12-2011
Figure 1. Critical Decision Phases with Continuous and Iterative Risk Management
While the process flow appears linear, the process itself is iterative and not necessarily
consecutive. The risk planning step, for example, is continuous throughout the project life cycle,
as is the need for risk communication and documentation. The pattern that is represented by the
linear process diagram (Figure 2) demonstrates that certain steps generally precede others;
however, as the project proceeds, the review processes do not necessarily progress in the same
manner.
DOE G 413.3-7A 9
1-12-2011
Figure 2. Risk Management Process. Linear Representation
of the Continuous and Iterative Process
4.2 Risk Planning
The risk planning process should begin as early in the project life cycle as possible. Planning sets
the stage and tone for risk management and involves many critical initial decisions that should be
documented and organized for interactive strategy development.
Risk planning is conducted by the IPT
4
(if assembled by this time) and a FPD or an assigned lead
federal employee if the FPD is not yet assigned. Risk planning should establish methods to
manage risks, including metrics and other mechanisms or determining and documenting
modifications to those metrics and mechanisms. A communication structure should be developed
to determine whether a formal risk management communication plan should be written and
executed as part of the tailoring decisions to be made in regard to the project (see Section 5.3,
Risk Management Communication Plan, and Section 6.0, Tailoring of Risk Management). Input
to the risk planning process includes the project objectives, assumptions, mission need statement,
customer/stakeholder expectations, and site office risk management policies and practices.
The team should also establish what resources, both human and material, would be required for
successful risk management on the project. Further, an initial reporting structure and
documentation format should also be established for the project.
4
For a discussion and guidance on the types of skill sets (which include Subject Matter Experts in Risk
Management) that should be represented on an IPT see DOE G 413.3-18, Integrated Project Teams Guide, dated
9-24-08.
Feedback
Risk
Planning
Risk
Handling
Risk
Monitoring
Risk
Identification
Risk
Analysis
Risk Documentation
10 DOE G 413.3-7A
1-12-2011
Overall objectives for risk planning should:
Establish the overall risk nature of the project including recognizing the relative
importance of the project to the office with the DOE or the NNSA (to include its priority
ranking within the organization).
Establish the overall experience and project knowledge desired of the IPT.
Establish the technical background and risk knowledge desired of the IPT.
An initial responsibility assignment matrix with roles and responsibilities for various risk
management tasks should be developed (see Attachment 3, Risk Responsibility Assignment
Matrix). Through this Responsibility Assignment Matrix, gaps in expertise should be identified
and plans to acquire that expertise should be developed.
The result of the risk planning process is the Risk Management Plan (see Section 5.2, Risk
Management Plan). The Risk Management Plan (RMP) ties together all the components of risk
management i.e., risk identification, analysis and mitigation into a functional whole. The plan
is an integral part of the project plan that informs all members of the project team and
stakeholders how risk will be managed, and who will manage them throughout the life of the
project. It should be part of the initial project approval package. A companion to the RMP is a
Risk Register which is updated continuously and used as a day-to-day guide by the project team.
4.3 Risk Assessment
Risk assessment includes the overall processes of risk identification and analysis. The risk
assessment process identifies, analyzes, and quantifies potential program and project risks in
terms of probability and consequences. Risk analysis is a technical and systematic process that is
designed to examine risks, identify assumptions regarding those risks, identify potential causes
for those risks, and determine any relationships to other identified risks, as well as stating the
overall risk factor in terms of the probability and consequence, if the risk should occur. Risk
identification and analysis are performed sequentially with identification being the first step (see
Attachment 5, Risk Register).
4.3.1 Risk Identification
As with each step in the risk management process, risk identification should be done
continuously throughout the project life cycle. As projects changeparticularly in terms of
budget, schedule, or scopeor when a mandatory review or update is required, the risk
identification process should be iterated, at least in part. Post CD-1, the Risk Register should be
evaluated at least quarterly.
To begin risk identification, break the project elements into a risk breakdown structure that is the
hierarchical structuring of risks. The risk breakdown structure is a structured and organized
method to present the project risks and to allow for an understanding of those risks in one or
more hierarchical manners to demonstrate the most likely source of the risk. The risk breakdown
structure provides an organized list of risks that represents a coherent portrayal of project risk
DOE G 413.3-7A 11
1-12-2011
and lends itself to a broader risk analysis. The upper levels of the structure can be set to project,
technical, external, and internal risks; the second tier can be set to cost, schedule, and scope.
Each tier can be broken down further as it makes sense for the project and lends itself to the next
step of risk analysis. To be useful, the risk breakdown structure should have at least three tiers.
Such a breakdown is just one methodology, as the type of project or project organization may
dictate the best risk breakdown structure to apply. Templates for project types may be found in
the literature for software projects, construction projects, and others; however, these templates
should be modified based upon the specifics of the project being undertaken. The reason for this
statement is that the taxonomy to be used is often project specific and scope dependent (see
Attachment 1, Risk Breakdown Structure).
Whenever using the Risk Breakdown Structure, it is important to remember to consider the use
of a category called ―other.‖ This category will promote further brainstorming during the process
and provide another opportunity for risk identification.
The risk breakdown structure can be used to inform the following:
Updates of the risk management plan.
Work breakdown structure.
Cost estimates.
Key planning assumptions.
Preliminary schedules.
Acquisition strategy documents.
Technology Readiness Assessment (TRA) information.
Project Definition Rating Index (PDRI) analyses.
Safety-in Design considerations per DOE-STD-1189-2008.
Safety analysis assumptions.
Environmental considerations such as seismic, wind and flooding.
Safeguards and security analysis assumptions.
Requirements documents or databases.
Subject matter expert interviews.
Stakeholder input.
12 DOE G 413.3-7A
1-12-2011
Designs or specifications.
Historical records.
Lessons learned.
Any legislative language pertaining to the project.
Other similar projects.
Pertinent published materials.
Various techniques that can be used to elicit risks include brainstorming, interviews and diagram
techniques. Regardless of the technique, the result should not be limiting and should involve the
greatest number of knowledgeable participants that can be accommodated within their
constraints. In addition, the participants need to address risks that affect the project but are
outside of the project ability to control. Examples include:
Closure of Waste Isolation Pilot Plant.
National repository not ready.
Congressional funding reductions.
DOE funding reductions.
Re-programming.
Stakeholder changes.
Site mission changes.
Regulatory and Statutory changes.
DOE directives.
Once the process of initial risk identification is completed, the IPT should follow up with the
self-assessment process noted in Section 4.7.2.2, Self Assessment, using the Risk Identification
Checklist in Attachment 8.
As the team identifies risks, it is important that they are aware of biases that may influence the
information. Typical biases the facilitator of the risk identification should be aware of include the
following:
Status quostrong bias toward risks already identified.
DOE G 413.3-7A 13
1-12-2011
Confirming evidence biasinformation that supports existing points of view are
championed while avoiding information that contradicts.
Anchoringdisproportionate weight is given to the first information provided.
Sunk costtend to make choices in a way that justify past choices, unwillingness to
change direction.
When identifying a risk, it should be stated clearly in terms of both the risk event and the
consequences to the project. The format for the risk identified should generally be
cause/risk/effect.
One may choose to record cause, risk, and effect in separate fields to facilitate grouping of risks
into categories based on commonality of these attributes.
This format should be employed whether the risk is a threat to the project or an opportunity,
which is a risk with a benefit. Documentation should be done in affirmative termsas if the risk
will occurto enable the IPT to draft a definitive risk handling strategy. The information should
be captured in a risk register to facilitate tracking and reporting (see Attachment 1, Risk
Breakdown Structure).
Examples of risks captured in the affirmative are:
Discovery of classified material in landfill delays removal of transuranic material and
impacts schedule resulting in higher than expected project costs.
Delay in signing a cooperative research and development agreement impacts availability
of specialized research personnel in statistical analysis of nano-scale stress data of
carbon-based metals, delaying project by one year resulting in higher than expected
project costs.
Seismic site analysis area is expanded due to adjacent construction site seismic reports,
resulting in new drilling and reporting that delays site preparation by six months
resulting in higher than expected project costs.
Project complexity and size limits the number of contractor proposals competing for the
work, project costs are based on a limited number of proposals for work, resulting in
higher than expected project costs.
Risks should be linked to activities or Work Breakdown Structure as much as possible. The
linkage is important, especially if the risk owner is different as the risk owners may need to
coordinate their efforts on the risk handling strategies.
The IPT should capture both opportunities and threats. Opportunities are often shared between
and among projects. It should be noted that opportunities for one participant could be detrimental
to another; therefore, they should be worked cooperatively. Examples of opportunities include:
14 DOE G 413.3-7A
1-12-2011
Available human resources with flexible scheduling can be shared to the advantage of
two or more projects.
A crane is available at another site at a lower cost than purchasing a new or a used one.
Additional bench scale testing shows that the process flowsheet can be simplified.
In addition to identifying a risk in terms of the causal event and consequence, the pertinent
assumptions regarding that risk should be captured in the risk register to aid in future reporting of
the risk. These assumptions might include items such as, but not limited to, interfaces among and
between sites, projects, agencies, and other entities; dependencies on human resources,
equipment, facilities, or other; and historically known items that may impact the project either
positively or negatively. The assumptions should be kept current and should be validated through
various methods including documentation and subject matter experts.
4.3.2 Assignment of the Risk Owner
Before assigning a qualitative assessment to the dimensions of a risk (probability and
consequence), a risk owner should be identified. The risk owner is the team member responsible
for managing a specific risk from risk identification to risk closeout, and should ensure that
effective handling responses or strategies are developed and implemented, and should file
appropriate reports on the risk in a timely fashion. The risk owner should also validate the
qualitative and quantitative assessments assigned to their risk. Finally, the risk owner should
ensure that risk assumptions are captured in the risk register for future reference and assessment
of the risk and to assist possible risk transfer in the future.
Any action taken in regard to a risk should be validated with the risk owner before closure on
that action can be taken.
4.3.3 Assignment of Probability and Consequence
Risk analysis has two dimensionsprobability and consequence. Probability is the likelihood of
an event occurring, expressed as a qualitative and/or quantitative metric. Consequence is the
outcome of an event. The outcome of an event may include cost and/or schedule impacts. The
initial assessments should assume that no risk handling strategy has been developed (see Section
4.3.6.1, Qualitative Risk Analysis and Section 4.3.6.3, Project Learning Analysis). After the risk
mitigation approach is identified and a decision made to implement the mitigation, the mitigation
cost becomes part of the line item cost and not the contingency. Only the remaining residual risk
should be included in the risk register and contingency analysis. During the qualitative analysis,
the probability and consequence scales can be categorical. However, it is often useful to assign
quantitative metrics to the qualitative categories to help ensure consistent assignment of
probabilities and consequences across a project (see Attachment 4, Probability Scale/Schedule
Consequence Criteria). This approach works well for probability and consequence.
DOE G 413.3-7A 15
1-12-2011
4.3.4 Assignment of Risk Trigger Metrics
A risk trigger metric is an event, occurrence or sequence of events that indicates that a risk may
be about to occur, or the pre-step for the risk indicating that the risk will be initiated. The risk
trigger metric is assigned to the risk at the time the risk is identified and entered into the risk
register. The trigger metric is then assigned a date that would allow both the risk owner and the
FPD to monitor the trigger. The purpose of monitoring the trigger is to allow adequate
preparation for the initiation of the risk handling strategy and to verify that there is adequate cost
and schedule to implement the risk handling strategy.
4.3.5 Risk Register
The risk register is the information repository for each identified risk. It provides a common,
uniform format to present the identified risks. The level of risk detail may vary depending upon
the complexity of the project and the overall risk level presented by the project as determined
initially at the initiation phase of the project.
The fields stated here are those that should appear in the risk register, whether the risks presented
are a threat or an opportunity. Other fields that are suggested to be considered are contained in
Attachment 5, Risk Register, and are suggested to be included as they allow a much better view
of the full field of options available:
Project title and code (denotes how the project is captured in the tracking system used by
the site office and/or contractor).
Unique risk identifier (determined by the individual site).
Risk statement (consider separate sub-fields to capture cause/risk/effect format to
facilitate automated search capabilities on common causes of risks).
Risk category (project, technical, internal, external, and any sub-category that may be
deemed unique to the project such as safety or environment).
Risk owner.
Risk assumptions.
Probability of risk occurrence and basis.
Consequence of risk occurrence and basis.
Risk cause/effect.
Trigger event.
Handling strategy (type and step-wise approach with metrics, who has the action,
planned dates, and actual completion dates). Include the probability of success for the
16 DOE G 413.3-7A
1-12-2011
risk handling strategy and consider probabilistic branching to account for the handling
strategy failing.
Success metric for overall handling strategy.
Residual risks.
Secondary risks.
Status (open/closed) and basis.
The risk register may also include back-up strategies for primary risks, risk handling strategies
for residual and secondary risks, the dates of upcoming or previous risk reviews, and a comment
section for historical documentation, lessons learned, and subject matter experts’ input.
4.3.6 Risk Analysis
Risk analysis should begin as early in the project life cycle as possible. The simplest analysis is a
cost and benefit review, a type of qualitative review. The qualitative approach involves listing
the presumed overall range of costs over the presumed range of costs for projected benefits. The
result would be a high level overall assessment of the risks on the project (see Attachment 6,
Cost/Benefit Analysis, for an alternative quantitative approach that can be used when enough
information is available).
After CD-1 approval, two forms of risk analysis may be performed: Qualitative and quantitative.
These analyses serve as the foundation for continuing dialog about future risk realizations and
the need for the application of the contingency and management reserve, which are subjects
addressed in other DOE G 413.3-series guides that handle cost and contingency calculations.
4.3.6.1 Qualitative Risk Analysis
The purpose of qualitative risk analysis is to provide a comprehensive understanding of known
risks for prioritization on the project. Qualitative risk assessment calls for several risk
characteristics to be estimated:
Assumptions.
Risk probability.
Risk consequence.
Trigger metrics or conditions.
Affected project elements.
Others, as appropriate.
DOE G 413.3-7A 17
1-12-2011
These items should be captured in the risk register. The initial qualitative assessment is done
without considering any mitigation of the risk, that is, prior to the implementation of a handling
strategy.
Qualitative analysis, or assessment as it is sometimes referred, is the attempt to adequately
characterize risk in words to enable the development of an appropriate risk handling strategy.
Additionally, qualitative analysis assigns a risk rating to each risk, which allows for a risk
grouping process to occur. This grouping of risks may identify patterns of risk on the project.
The patterns are indicative of the areas of risk exposure on the project. The qualitative analysis
may be the foundation for initiating the quantitative risk analysis, if required.
4.3.6.1.1 Qualitative Matrices Analysis
One of the tools used to assign risk ratings is a qualitative risk analysis matrix, also referred to as
a probability impact diagram or matrix (see Figure 3, Qualitative Risk Analysis Matrix). Risk
ratings are also often referred to as risk impact scores. The matrix shown in Figure 3 is an
example of the tool and could be modified by site and contractor, or any other category as
required.
The matrix combines the probability and consequence of a risk to identify a risk rating for each
individual risk. Each of these risk ratings represents a judgment as to the relative risk to the
project and categorizes at a minimum, each risk as low, moderate or high. Based on these risk
ratings, key risks, risk handling strategies, and risk communication strategies can be identified.
18 DOE G 413.3-7A
1-12-2011
Figure 3. Qualitative Risk Analysis Matrix.
Note: Matrix is suggested only, as each site may have a site-specific matrix.
Consequence
Probability
Negligible
Marginal
Significant
Critical
Crisis
Cost
Minimal or no
consequence.
No impact to
Project cost.
Small increase
in meeting
objectives.
Marginally
increases costs.
Significant
degradation in
meeting objectives
significantly
increases cost; fee
is at risk.
Goals and objectives are
not achievable.
Additional funding may
be required; loss of fee
and/or fines and
penalties imposed.
Project stopped.
Funding withdrawal;
withdrawal of scope,
or severe contractor
cost performance
issues.
Schedule
Minimal or no
consequence.
No impact to
Project
schedule.
Small increase
in meeting
objectives.
Marginally
impacts
schedule.
Significant
degradation in
meeting objectives,
significantly
impacts schedule.
Goals and objectives are
not achievable.
Additional time may
need to be allocated.
Missed incentivized
and/or regulatory
milestones.
Project stopped.
Withdrawal of scope
or severe contractor
schedule performance
issues.
Very High
>90%
Low
Moderate
High
High
High
High
75% to 90%
Low
Moderate
Moderate
High
High
Moderate
26% to 74%
Low
Low
Moderate
Moderate
High
Low
10% to 25%
Low
Low
Low
Moderate
Moderate
Very Low
<10%
Low
Low
Low
Low
Moderate
DOE G 413.3-7A 19
1-12-2011
As with a threat, an opportunity should also be assessed using a risk assessment framework (see
Attachment 7 for an example of an opportunity matrix). Risk ratings should be assigned via a
matrix to the risk, threat or opportunity, based upon the risk classification. Typical risk
classifications are low, moderate, or high. Another option could be to use numerical values for
ratings. The numerical value could be tailored to the project or standardized for a program.
Risks that have a determinative impact upon project cost or schedule will generally rate towards
the higher end of the qualitative scale. However, there may be little or no correlation between a
risk’s determinative impact and the qualitative risk rating, so caution with the lowest rated risks
in the qualitative analysis.
Care should be taken when comparing project risk scores of different projects as the project risk
scores are a result of a subjective process and are prepared by different project teams.
Qualitative risk analysis could also be performed on residual risks and secondary risks, but only
after the handling strategy has been determined for the primary risk. Again, the risk owner
should validate and accept the risk rating.
As the information is gathered and finalized, the data should be analyzed for bias and perception
errors. While the data will not be systematically used for a quantitative analysis, it should still be
analyzed and perceptions scrutinized.
Following the completion of the qualitative analysis, one should do a review of Section 4.3.6.3,
Project Learning Analysis.
4.3.6.1.2 Other Qualitative Techniques
One qualitative technique that may be used is to search on the risk register for common causes of
risks. By looking for risks with common causes, one can attempt to find opportunities within the
handling responses or strategies as well as commonalities in monitoring triggers, risk owners, or
other shared items. Further, it may be that changes can be made to the scope to avoid the risks
that were not apparent when viewing the risks individually.
Another qualitative technique for analyzing risks is to use a network diagram. Using a network
diagram to show what tasks bear the high and moderate risks and where they exist in regard to
the critical path can be a powerful tool in analyzing how much contingency should be set aside
for the risk to ensure that the critical path is not impacted or the risk to the critical path is within
a manageable range for the FPD. The diagram is used to determine the impact to successor tasks,
especially those that either impact the critical path directly or will have an impact upon a critical
input to the critical path.
The risk breakdown structure methodology provides the option of demonstrating patterns of risk
placement or risk groupings. For instance, rather than specifying the risk, the risk is captured as a
mark on the grid and grouped together, then cut across with another matrix technique such as the
work breakdown structure or the cost breakdown structure. (See reference Hillson, D. A.
(2007), ―Understanding risk exposure using multiple hierarchies,‖ published as part of 2007 PMI
Global Congress EMEA Proceedings Budapest).
20 DOE G 413.3-7A
1-12-2011
The risk is mapped to the work breakdown structure element that would be impacted if it
occurred. The pattern that emerges allows one to either use the assigned expected value score or
to count the number of risks associated with the element. This method allows attention to be
focused on specific areas of risks.
Again, a review of Section 4.3.6.3, Project Learning Analysis, should be done.
4.3.6.2 Quantitative Risk Analysis
Quantitative risk analysis should be used to estimate the impact of risks on project cost and
schedule. Quantitative risk analysis is a numerical or more objective analysis of the probability
and consequence of individual risks that also addresses the extent of the overall project risk
through the use of a model. The purpose of the quantitative risk analysis is to provide budget and
completion date estimates of the effect of the risks on the project using statistical modeling
techniques such as Monte Carlo, Quasi-Monte Carlo, sensitivity simulations, and other stochastic
methodologies, depending upon the project data. The simulation produces a Probability
Distribution Function (PDF) for a range of possible project outcomes and a Cumulative
Distribution Function (CDF) that represents the likelihood that a given probability the project
cost or duration will be at or below a given value (see Attachment 12, Cost and Schedule
Contingency Development Process, Figure A-3). Quantitative risk analysis could provide a view
of which risks or groups of risks should receive more focused attention. It allows a numerical
evaluation of risk on the project at a point in time. The simulations could also assist in projecting
the future cost and schedule of the project, if no other actions are taken, as well as allow for
projections to be run based on options the project could implement. Quantitative analysis could
also provide a method to determine the level of cost contingency, management reserve, schedule
contingency, and schedule reserve, when combined with cost uncertainty calculations, that is
required to complete the project within the level of confidence required by the DOE or NNSA
program office.
In general, quantitative analysis is an attempt to determine how much combined risk the project
contains and where and when that risk exists to enable the project team to focus the project
resources appropriately. Quantitative risk analysis has in the past been reserved for multi-year,
large, and/or complex projects or projects where the program or executive management desires a
more informed decision as to the amount of risk that exists on the project. Some DOE offices
allow for tailoring with respect to quantitative risk analysis. The reason for this type of tailoring
is that quantitative analysis allows for the use of different scenarios and alternatives to the base
case. However, for overall low risk projects, as determined by the qualitative analysis, it may be
determined that quantitative analysis is not warranted.
Quantitative analysis, when done, could be restricted to only those risks that are ranked higher
than low as the overall risk ranking from the qualitative analysis process. When this is done, the
magnitude of the underestimation should be addressed. The critical path for the project and the
approved budget serve as the primary basis for the risk model and for the project analysis.
It is important to model both risk threats and opportunities. It is suggested that the two types of
risk are modeled separately to allow for separate analysis given the different project impacts that
the two forms may have.
DOE G 413.3-7A 21
1-12-2011
4.3.6.2.1 Quantifying Probabilities and Impacts for Quantitative Risk Analysis
A complete and well executed qualitative analysis is essential to a quantitative analysis. It will
serve as the base for developing the data for input into a simulation model for quantitative
analysis.
For each risk, a percent or percentage distribution is assigned to the probability (how likely it is
the risk will occur), a dollar value or dollar value distribution is assigned to the cost impact, and
a schedule duration impact or duration distribution is assigned to the affected activity in the
schedule. Depending upon the software modeling program being used, the percent may need to
be within a specified range. A variety of probability distribution shapes are available for
modeling cost and schedule risk, including triangular, lognormal, beta, uniform, normal
distributions, etc. Definitions and a more thorough discussion of the various distribution shapes,
and their applicability, are available in Chapter 14 of the GAO Cost Assessment and Estimating
Guide, March 2009.
In general the basic concept is implemented as:
EV = ∑P
Ri
x CI
Ri
(or SI
Ri
)
Where: EV = Expected Value of cost impact (or duration impact) of all risks
P
Ri
= Probability distribution function of a risk occurring
CI
Ri
= Cost Impact distribution function of a risk occurrence
SI
R i
=
Schedule Impact distribution function of a risk occurrence.
[Note: ∑ is not the summation of individual expected values for each risk, but
represents a stochastic process (e.g., Monte Carlo simulation) using the collective
probabilities and cost/schedule impacts for all identified risk events.]
Inputs for the calculation include, but are not limited to:
Risk Register.
Historical records (especially where similar risks were handled).
- Actual costs.
- Time impact.
Subject matter experts.
- Delphi techniques.
- Interviewing staff, crafts, retirees, and others familiar with similar work efforts at the
site or other sites.
22 DOE G 413.3-7A
1-12-2011
Technical records such as safety analysis documents including the risk and opportunity
assessment, quality assessments, safeguards and security analyses, and environmental
assessments.
As information is gathered and finalized, it should be reviewed for bias and perception errors.
These findings should be captured in the analysis that accompanies the Monte Carlo simulations.
Consideration should also be given to the success of the identified risk handling strategy and
how the potential failure of the handling strategy will be reflected in the risk impact modeling
strategy. The preferred method for analyzing this risk could be to explicitly include the
probability of mitigation success in the quantitative analysis (See Section 4.3.5, Risk Register).
Another item that should be considered in this analysis is a review of any project constraints that
may impact the cost and schedule ranges assigned to the risks. Examples of project constraints
include the bounding assumptions identified in the risk management plan and/or risk analysis,
which might limit the impact of certain risks. If some of the bounding assumptions are unrealistic
and introduce risks to the project, then these risks should be included in the risk analysis. While
some of the constraints may be hard to measure, they should still be captured, for significant
risks, in the text of the analysis so that the risks are considered as they make decisions regarding
the future handling of the risks and any contingency requests or management reserve
applications.
The inputs into a Monte Carlo simulation process are normally continuous probability
distributions; however discrete probability distributions can also be used, where the need for
distinct values can be described. The most common methodology is to use a cost and schedule
range, expressed as the optimistic view, the most likely view, and the pessimistic view of the
impacts. However, if no central tendency exists for a distribution, a two-point estimate could also
be used.
For schedule impact evaluation, the logic-linked project schedule should be utilized as input to
allow the random sampling process to be tied to the critical path analysis. The project schedule
should contain sufficient logic linkage between the activities to clearly identify critical path and
near-critical path activities. The Monte Carlo simulation process simulates the full system and its
variables (risks) by random sampling the variables many times from its probability distribution.
Each time it develops a modified duration for each risk-related task or activity and determines
the project length based on the re-analyzed critical path. The results of the independent system
realizations are assembled into probability distributions of possible outcomes. As a result the
outputs are not single values, but probability distributions. A similar process can be executed for
cost using the project cost estimate or a detailed cost loaded schedule. Both threats and
opportunities should be analyzed.
While the use of the Monte Carlo simulation is one of the standards of the DOE/NNSA, it does
not mean that other forms of quantitative analysis are discouraged. Other forms of quantitative
analysis may be used. Suggested other forms of quantitative analysis that may be considered are:
decision trees, influence diagrams, system dynamics models, neural networks (see Attachment
15, Glossary, for definition of terms), and others.
DOE G 413.3-7A 23
1-12-2011
4.3.6.2.2 Additional Points of Analysis That Should be Included
The purpose of providing the additional analysis is two-fold. First, simulation graphs should
be supported with assumptions and data input (cost and schedule ranges, and probability
distributions) captured for each risk, and sensitivity analysis conducted to provide the
necessary information to enable an increased understanding of a project’s risk exposure.
Second, it provides decision-makers with a basis to engage the project team in discussions
relevant to project risks.
4.3.6.2.2.1 Planning Assumption Validation Analysis
Analyses accompanying Monte Carlo simulation data, including graphs, should include the
review of assumptions that serve as the basis for planning the budget and schedule of the
project from which risks arose. Since assumptions have a basis in fact, but are not facts
themselves, they should ensure they are still operable and as accurate as possible.
4.3.6.2.2.2 Cost and Schedule Quantification Range Assumption Data - Gathering
Process and Validation Analysis
As the costs and schedule ranges are captured for each risk for input into the Monte Carlo
simulation runs, the assumptions that formed the basis for those ranges should be captured.
The risks that are input may include low risks. The reasons for capturing those assumptions
are to form an historic database for future projects, an historic database for the current
project, a reference to substantiate how the projected federal contingency or the contractor
management reserve/contingency was derived, and as a basis to determine the possible range
of error that may exist in the data upon which the Monte Carlo data is based.
4.3.6.2.2.3 Alternative Run (Sensitivity) Analyses
A project may choose to execute further Monte Carlo simulations beyond the overall
schedule and cost runs. These may include targeted runs pertaining to specific risks or key
risks and their effects on various planned activities or the overall project. Further groupings
of risks may be chosen and the affects simulated against the schedule and cost of the project.
Chapter 13 of the GAO Cost Estimating and Assessment Guide provides a more thorough
discussion of the benefits of sensitivity analysis, including the steps for performing
sensitivity analysis.
In choosing to make these runs, it is important to identify the correlation factors
(interdependencies and relationships between risks), especially when those have become
more apparent when the runs are done after the project has been in the execution phase for
several months or years. The constraints of how various risks or similar risks will impact a
project will demonstrate characteristics that can be identified and captured as assumptions.
While risks are independently identified in most cases, they operate within the confines of
the project and have interdependencies, relationships, both positive and negative, as well as
dependencies to other projects within the same program area. In other words, there are
defined relationships that should be explored. These relationships can give rise to other latent
risks or risks that have remained undiscovered to date until these systematic relationships are
24 DOE G 413.3-7A
1-12-2011
reviewed. Chapter 14 of the GAO Cost Estimating and Assessment Guide offers a relevant
discussion of correlation and interdependencies.
4.3.6.3 Project Learning Analysis
A section of the Monte Carlo simulation written analysis should focus on the incorporation of
project learning, or, in other words, lessons learned. If the project is new, this section may be
the transference of learning from other projects. If the analysis is an update of the Monte
Carlo simulation analysis, it should include learning from prior periods. This analysis should
include insight into how risks have thus far presented themselves, how accurate the
assumptions and estimations have been, how those assumptions may or may not impact the
simulation results, and any other observations that the team finds are relevant to the
projections. If the analysis represents lessons learned that are applicable to other DOE
entities, the learning should be distributed by submitting lessons learned.
In the quantitative analysis, one should discuss whether bias and perception errors could have
influenced the data. Such errors in regard to the incorporation of information from lessons
learned can arise from both an overly optimistic or pessimistic view of project status. This
view can result in a misunderstanding of the applicability of the lesson to the project in
question, caused by the bias of the project team to the lesson presented or by a variety of
sensitivities to the data. The results of reviewing the data and questioning of whether any bias
or misperception could have occurred should appear in the written analysis that accompanies
the data. This analysis is often best provided by independent subject matter experts.
In regard to the impact on the simulation results, the analysis should focus on the calculation
of the contingency values. The usefulness of this analysis is in the follow-on risk discussions
that occur during the monthly reviews of risks wherein the impacts of risks are reviewed
along with the various assumptions as lessons learned are applied. By bringing the learning
together with the analysis, the FPD and CPM are potentially better prepared for how risks
will react on the project or how handling strategies will potentially mitigate the identified
risks.
This process of applying lessons learned is also recommended for projects, which perform
only qualitative analysis.
4.3.6.4 Error and Variance Analysis
Depending upon the size of the project and data bank being entered for any given simulation,
it may be necessary to subjectively estimate extreme values to bound the magnitude of
possible outcomes. If this case situation arises, it could introduce random errors into the
simulation, which could potentially impact the results. If this occurs, it should be disclosed
and any error or bias should be discussed, as well as any methodologytriangle distribution,
for exampleused to reduce such an impact (see Attachment 15, Glossary, for definition of
triangle distribution).
Risk attitude, the position that can be stated or unstated that the organization holds towards
risk, is one factor that can influence how risk is handled and how values are assigned, and
DOE G 413.3-7A 25
1-12-2011
should be included in the analysis. For example, it influences how one views the ranges of the
values and whether future values are considered and how, when considered, they are bounded.
This line of reasoning should be a subject of group discussion in the analysis in an effort to
mitigate biases or estimating errors.
Given that most risk impacts are estimates, some error is expected, and the introduction of
some range of error should be discussed. Even though the values generated by the Monte
Carlo simulation may be carried to several decimal points, it is important to remember that
these numerical values are indicators, not absolute values.
One suitable methodology for analysis purposes is variance analysis. Generally, variance
analysis is a tool that is used once the project has been under way for a period of time and has
some data from which the project manager and subject matter experts can use for determining
the expected values that are used to calculate the variance analysis.
Quantitative and qualitative analyses serve as the foundation for continuing dialog about
future risk realizations and the need for the application of the contingency and management
reserve. The written analysis that is derived from the quantitative and qualitative analyses
should address how policy has impacted the outcome of the data; the evaluation of the
reliability, software relevant issues, other variances which may have been introduced, how a
pattern has been applied, what it is and what choices were made to remain consistent in the
application thereof and the impact. The benefits of this approach, relative to other potential
approaches, should be addressed.
4.3.6.5 Contingency Adequacy Evaluation
Numerous tools exist to analyze the adequacy of the contingency valuation that has resulted
from the qualitative and/or quantitative analysis of the risks. Various cost estimating guidance
documents have been compiled by industry and are available in texts and journals (e.g. such as
the Association for the Advancement of Cost Engineering International), and are updated on a
regular basis. These references provide percent ranges of the base that a contingency should
represent in order to be considered adequate. Further, the contingency value should be
commensurate with the maturity and type of the project, project size, and risks, including
technical and technology uncertainties. It should be cautioned that the recommended
contingency levels in these documents do not provide a basis for the recommended confidence
levels (70 90 percent) in this Guide for the derivation of contingency and management
reserve by quantitative risk analysis.
If a quantitative risk analysis will not be conducted, estimates for cost contingency and
schedule contingency should be provided. As a general rule, the project should use various
inputs to determine those values. Those inputs may be, but should not be limited to:
Historical records.
- Actual costs.
- Time impact.
26 DOE G 413.3-7A
1-12-2011
Subject matter experts.
- Delphi techniques.
- Interviewing staff, crafts, retirees, and others familiar with similar work efforts at the
site or other sites.
Technical records such as safety analysis documents including the risk and opportunity
assessment, quality assessments, and environmental assessments.
As the information is gathered and finalized, the data should be analyzed for bias and perception
errors. While the data will not be systematically used for a quantitative analysis, it should still be
analyzed and perceptions scrutinized.
Note: It is suggested that the project’s initial estimated total cost and schedule contingency
should exceed the amount estimated to account for the known risks, in order to plan for the
potential cost of handling unknown or unpredictable risks that may manifest themselves during
the project life cycle.
4.4 Risk Handling
Risk handling covers a number of risk strategies, including acceptance, avoidance, mitigation,
and transfer. When weighing these approaches, the following should be taken into account:
The feasibility of the risk handling strategy.
The expected effectiveness of the risk handling strategy based upon the tools used.
The results of a cost/benefit analysis, i.e., how do the costs of the handling strategy
compare to the benefits derived from not realizing the risk event?
The impacts of the strategy on other technical portions of the project.
Any other analysis deemed relevant to the decision process.
The risk handling strategies should be compatible with the appropriate DOE or NNSA office’s
risk management policy and the appropriate risk management plan.
Many parameters of the project can change over time that can impact the risk handling strategies
(e.g., scope of the project, available resources, internal and external environments, technical
advancements, et al.). Thus, risk handling should be an iterative process. One or more of these
items can change a step in a risk handling strategy, or even the complete strategy, which then
changes the cost and/or the schedule for implementation of the risk handling strategy.
Risk handling strategies should consider the probability and consequence of the risk and, if
deemed necessary by the risk owner, should allow for a back-up risk handling strategy that is
documented in the risk register. If back-up risk handling strategies are documented in the risk
DOE G 413.3-7A 27
1-12-2011
register, they should be documented at the same level of detail as the primary risk handling
strategy. Documentation at the same level as the primary strategy will ease implementation if the
primary risk handling strategy is deemed unsuitable or inadequate. Further, the cost and
necessary schedule for the back-up risk handling strategy should be calculated and noted in the
risk register.
The cost for the risk handling strategy for the primary risk should typically be included in the
baseline as direct project costs if the handling action will be performed (see further discussion in
the following paragraph). The process includes identifying the scope, cost, and schedule
associated with implementing the risk handling strategy, and assigning a unique work breakdown
structure number and activity to the strategy so that it can be tracked and monitored. The project
team should develop the risk handling implementation plans with the appropriate level of detail.
The project activities should include the detailed work plans (for whichever phase the project is
then in) with the associated budget and schedule identified in the project Work Breakdown
Structure (WBS). At the appropriate time in the project life (Critical Decision 2), the handling
actions become part of the project baseline.
Some project teams make the mistake of thinking that all handling costs should be part of the
project contingency. If the handling actions will be performed, then DO NOT include the costs
of these handling actions in the risk contingency [or contractor Management Reserve (MR)].
These are known, identified project work activities and need to be planned accordingly, and
included as part of the direct project costs.
However, if the handling action will not occur until some event that may or may not occur, e.g.,
a risk trigger event, then it is appropriate to assign those costs to project contingency (contractor
MR). If the triggering event occurs, then the project would process a change using the project
change control system, to take cost/schedule from contingency (or MR) and assign it to the
project handling activities. This latter approach is more the exception than the rule.
There may be occasions when a primary risk is not added to the baseline until a change control
action occurs, such as when it is predicted during a monthly project review or a review of lessons
learned.
Risk handling strategies should be regularly reviewed throughout the project life cycle for their
affordability, achievability, effectiveness, and resource availability as described in the reporting
requirements of the risk management plan.
If questions arise about a risk or its handling strategy’s potential impacts on the technical goals
and objectives of the project, a more comprehensive analysis should be conducted.
Major/Key risks should be analyzed to examine the inter-relationships between other risks, as
well as other projects. This could lead to common risk handling strategies. The specific method
of analysis may include:
Pictorial modeling.
Fish-bone diagramming.
28 DOE G 413.3-7A
1-12-2011
String diagramming.
―What if‖ analysis systems modeling.
Time-specific sequencing simulation modeling.
4.4.1 Acceptance
Acceptance as a risk handling strategy should be a deliberate decision and documented in the
risk register. Acceptance of the risk does not mean that the risk is ignored. The risk should be
included in the cost and schedule contingency impact analysis.
Examples of risks that might be accepted include:
There will be fewer bidders on a design-build request-for-proposal than desired, but
there will still be some competition.
Funding for the next fiscal year is delayed due to Continuing Resolution.
4.4.2 Avoidance/Exploit
Avoidance, as a risk handling strategy, is done by planning the project activities in such a way as
to eliminate the potential threat. Avoidance should be considered the most desirable risk
handling strategy. However, avoidance should be analyzed for its cost/benefit to the project
within the current funded boundaries of the project. The cost/benefit analysis should also take
into consideration the impact on the overall project and the available funding for handling the
other identified risks. The decision processes used to determine whether or not to pursue the
avoidance risk handling strategy for risks on the project should be documented.
Avoidance strategies often involve a change in requirements, specifications, or practices to
eliminate the risk. Avoidance can also be the rejection of an approach to doing a piece of scope,
as the risk involved in the approach cannot be reduced to an acceptable level. In general, to
exercise this approach, another approach that meets the cost/benefit approach should be
available. Examples of risks that might be avoided include:
The design specifies using an untested material of construction in this application.
The design specifies a non-conventional/untested glove-box in a nuclear facility.
The term exploit is used for positive benefit risks. To exploit an opportunity is to attempt to
ensure that it occurs. As in the avoidance of the negative consequence risk, the thrust of the
handling strategy is to ensure that uncertainty is removed and the opportunity definitely happens.
In addition to avoidance, exploitation should be analyzed for its cost/benefit to the project.
Examples of exploitation strategies include:
Remove the uncertainty of whether or not human resources will be available for an
action at a certain time, one may extend the contract and have the resources available
DOE G 413.3-7A 29
1-12-2011
and working on other efforts at the site. Thus, it is ensured that the resources will be
available for the project.
Pursue a new process configuration that eliminates the requirement for Building A in the
project scope.
4.4.3 Mitigation/Enhance
Mitigation is a risk handling strategy that is taken to reduce the likelihood of occurrence and/or
impact of an identified negative risk or threat. Enhancement is a risk handling strategy used to
increase the likelihood of occurrence and/or benefit of an identified positive risk or opportunity.
The goal of a mitigation risk handling strategy is to reduce the risk to an acceptable level.
In regard to the introduction of technologies or technologies needing further development, the
technology development plan should be linked directly with the risk handling strategy for risks
associated with technology development or availability. Deployment or implementation of a
technology may introduce risk that requires specific risk handling strategies.
The risk’s mitigation strategy should be developed as a step-wise plan that can be included in the
project baseline. The mitigation plan should be analyzed to ensure that it is feasible and that
resources are available. An example of a step-wise risk mitigation strategy for a primary risk
might be as follows:
Establish weekly requirements and interface meetings for design teams (set date).
Establish a separate design review for the interfaces for where technology interfaces
occur (set date).
Establish a separate design review for any rework that should occur for technology
interfaces (set date).
Establish separate contractor and DOE walk-down of facility once technologies are
on-site to determine that visual interfaces concur with designs (set date).
Establish walk-down of facility with technical staff to ensure quality, design, safety, and
other necessary requirements for staff concurrence with all interface design features as
physically installed (set date).
The term enhance is used for positive benefit risks. The necessity of identifying the trigger event
is highlighted by attempting to enhance the opportunity by reinforcing the conditions identified
in the trigger event. An example of an enhancement strategy is:
Restructure the project scope/contracts to make the project more attractive to potential
bidders, thus increasing the pool size of responsive bidders.
Mitigation and enhancement, as risk handling strategy decisions, should also be based on the
results of a cost/benefit analysis. The rule for mitigation is not to spend more on the handling
30 DOE G 413.3-7A
1-12-2011
than what the risk event would cost if it occurs. Likewise, it makes little sense to spend more on
the enhancement costs than the cost savings realized from the opportunity.
4.4.4 Transfer/Share
The risk handling strategy of transferring risk operates differently within the DOE or NNSA than
within private industry. In private industry, transferring risk often involves the purchase of
insurance or bonds as the transference of the risk. The risk is passed to the insurance company
that accepted the risk for a fee. For non-M&O type contracts, the actual risk is transferred
between the FPD and the CPM via the contract or from one project to another, or to a program
office. Risk transference indicates a transfer of ownership, and therefore written acceptance of
the risk should be obtained before transfer is complete. An example of a risk that might be
transferred from DOE to a contractor includes:
Contractor assumes material cost escalation up to 10% above current prices.
An example of risks that might be transferred from the contractor to DOE include:
DOE is responsible for material cost escalation exceeding 10% of current prices.
Site utilities are available for tie-in to the project.
When risk has been transferred, the transfer of the risk should be reviewed to ensure it did
not create other risks and that it does not impact the project mission and objectives.
Therefore, as was done for the acceptance strategy, an analysis review should be
conducted to fully understand inter-relationships.
The term ―share‖ is associated with risks that present positive consequences. For instance, a risk
could be shared between the FPD and the contractor, between and among various projects, or a
combination thereof. In general, the risk benefits should extend to the parties that shared the risk.
If a risk is ―shared‖ it should be split such that each ―owner‖ is responsible for the appropriate
portion of the risk. An example of a shared risk might be:
Incentivized contracts that allow for sharing of any cost savings derived from
implementation of contractor value engineering suggestions. Note: The appropriate
portion of the opportunity should be assigned to each party affected so there is a clear
owner and benefit.
4.5 Residual Risk
Residual risk (post-mitigated risk) is the risk that remains after the risk handling strategy
(accept, avoid, mitigate, or transfer) has been performed to the original primary risk to which
they had been assigned in the risk register. A residual risk may end up being the same risk as
the original risk (pre-mitigated risk) if the risk handling strategy does not reduce or mitigate
the risk or the risk is one that recurs. The fact that residual risk remains does not mean that the
risk handling was not effective, only that it did not completely avoid a risk remaining. It is up
to the risk owner to decide whether the residual risk will be moved to a primary risk position.
DOE G 413.3-7A 31
1-12-2011
This remaining or residual risk should be qualitatively analyzed. Through this process a
decision should be made as to when the risk planning process should stop. Those residual risks
for which no risk strategies are planned are accepted and should be clearly communicated to
the team and management.
Once it has been determined that the residual risk will remain after the implementation of the
primary risk’s risk handling strategy, the primary risk should be closed. The residual risk should
be moved to a primary position on the risk register. The purpose of this suggested move is to
provide focus attention to this risk through the risk register. Once moved to the primary risk
position, the risk handling strategy for the risk should be reviewed and updated, if necessary. If
a back-up strategy was also logged into the risk register at the time the residual risk was
captured, it should be reviewed for applicability also and determined if it is the better risk
handling strategy or if the two risk strategies should be merged, blended, or completely
redrafted. All steps that were conducted with primary risks in regard to the baseline will need to
be accomplished with the new primary risk, if necessary, in regard to the baseline. In other
words, a review of the baseline should be done for change in cost and schedule contingency to
be made at the discretion of the FPD and/or CPM in consultation with the IPT.
4.6 Risk Monitoring
Risk monitoring involves the systematic, continuous tracking and evaluation of the effectiveness
and appropriateness of the risk handling strategy, techniques, and actions established within the
risk management plan. Monitoring is performed for individual risks per the risk metrics and
overall project risk status. The risk monitoring process should provide both qualitative and
quantitative information to decision-makers regarding the progress of the risks and risk handling
actions being tracked and evaluated.
Risk monitoring may also provide information that can assist in identifying new risks or changes
in the assumptions for risks captured previously on the risk register. These results should be used
to initiate another risk identification process.
4.6.1 Risk Monitoring Process Considerations
The Risk Monitoring process should be tailored to the project, and be described in the risk
management plan. The risk monitoring process should be more than a risk tracking
documentation process and should include the following items:
Ensure that the risk owner is current and performing his or her role and responsibilities.
Ensure that risk identification is current with the parameters of the project. Ensure that
risks, including accepted and low risks, have not changed since first identified.
Ensure that avoidance strategies are implemented according to schedule, and that metric
indicators are showing that the risk is not presenting itself.
Ensure that risk handling strategies are being implemented and executed to meet or
exceed metrics for success.
32 DOE G 413.3-7A
1-12-2011
Review any back-up plans for applicability and determine if any other plans need to be
put into place based upon performance of the current handling strategies.
Review the cost and schedule contingency calculations for the current handling
strategies that are being implemented and those that will be implemented in the near
future based upon recent project performance for projected accuracy. That is, compare
current risk handling performance with the corresponding risk handling plans in the risk
register (before the implementation) to measure current performance. Make adjustments
to those risks handling actions that will be implemented in the near future based on
recent performance for projected accuracy.
Review any necessary risk management communication that may be necessary for any
current or near-term risks for executive management, customers, stakeholders, or others
and review such communication against the risk management communication plan.
Ensure the recognition of the benefits and necessity of early consideration and
integration of safety and security-related project risk into the project risk management
process.
Ensure that the risk register and other risk-related forms are up-to-date.
Conduct integrated metrics management and reporting (see Attachment 6, Cost/Benefit
Analysis).
4.6.2 Risk Monitoring Methods
The following are not the only methods available and do not exclude the use of other methods
acceptable to the Program Office.
4.6.2.1 Risk Owner Monitoring
The risk owner has a significant role in risk monitoring. As part of the risk monitoring process,
the risk owner should update information in the risk register through an agreed upon process as
stated in the risk management plan. Any changes that a risk owner makes to the risk register
should be discussed at the risk meetings to ensure that changes in the conditions of one risk do
not impact another risk or create another potential risk. It may be necessary to conduct an
analysis study depending upon the extent of the impact of the change to the risk register.
4.6.2.2 Self Assessment
At various junctures during the project, there might be a need to assess the risk management
processes that have been implemented. In such a case, the respective manager may wish to
use a review document designed for the particular project or a generic checklist (see
Attachment 8, Risk Identification Checklist, and Attachment 9, Risk Monitoring Checklist).
DOE G 413.3-7A 33
1-12-2011
4.6.2.3 Integrated Risk Monitoring
Integrated risk monitoring occurs when risk management metric monitoring is integrated with
other standard project metrics such as earned value or safety metrics. The determination as to the
root cause of any negative or positive impact upon a metric should include a determination as to
whether it involved a risk including whether it involved the positive benefit risk known as an
opportunity. The output of the reporting process can be the input to the risk management process
for further risk identification, analysis of consequence and impact ratings, and the analysis of the
handling strategy as planned or as being implemented.
If the project is subject to DOE-STD-1189-2008 for integration of safety into design, the key
risks should be tracked and reported per the requirements of the standard and in relationship to
the maturity of the project and technical studies that are ongoing. The DOE-STD-1189-2008
provides for the development of risk and opportunities assessments relative to safety in design
issues and decisions. Given the potentially significant costs associated with safety decisions, the
integration of safety into the design process needs to include also a strong link between the
development of Safety-in-Design and identification of project technical and programmatic risks.
With anticipated risks, early identification of possible opportunities to address potential risks
allows the project to define appropriate cost range estimates. Comprehensive risk identification,
coupled with an appropriately conservative safety design posture, affords the project the
opportunity to execute within the range estimate with a higher degree of reliability. The project’s
risks and opportunities assessments are intended to be inputs to its Risk Management Plan and to
be managed accordingly.
4.6.2.3.1 Safety Metrics
Safety metrics should be used to measure the effectiveness of the safety program, and various
administrative, personnel protection, and engineering methodologies being used to achieve
worker and public safety. Various metrics are used in the program offices. Among those metrics
are the measures of the occurrence of certain events including electrical safety events, industrial
events, radiological events, and near miss events, etc. For the purposes of risk management, the
performance assessment that is done in regard to safety should involve a review of events to
determine whether or not the event involved a risk, an event that could have been predicted and
thus could have been avoided.
If such a risk is determined to have been part of the safety event, lessons learned should be
conducted in accordance with the applicable safety order. All related projects should undergo a
review for an exact risk or similar risk and the application of the lessons learned.
If the project is subject to DOE-STD-1189-2008, the key risks should be tracked and reported
per the requirements of the standard and in relationship to the maturity of the project and
technical studies that are ongoing.
Nothing in this section eliminates the risk assessment metrics for safety that may exist in other
safety management orders or guides.
34 DOE G 413.3-7A
1-12-2011
4.6.2.3.2 Quality Metrics
Quality metrics should be used to measure quality assurance and quality control processes.
Project activities and processes should have a set of metrics. If a metric is not met, an analysis of
this shortcoming should be done to determine the reason. If the reason for the non-achievement
of the metric is a realized risk, an analysis of the risk should be initiated to determine whether the
risk was identified, and, if not, why it was not identified. Additionally, a reflective analysis
process may be needed to determine if the risk was hidden or latent due to other risks or perhaps
other project factors. Lessons learned should be gathered and applied to the project and other
similar projects.
If the risk was identified, the analysis should determine if the risk operated as predicted per the
assumptions surrounding the risk, or the handling strategy or response was inadequate, or the
residual risk was greater than anticipated, or the accepted risk was greater than what was
anticipated. Again, a full analysis should be done and shared with the project participants and
other similar projects. If the risk only allowed for partial achievement of the metric, then the
handling strategy should be reviewed, especially if the risk is one that could recur or is one that
is found on other projects.
Nothing in this section eliminates the risk assessment metrics for qualitative assurance that may
exist in other quality management regulations, directives, and orders.
4.6.2.3.3 Safeguards and Security Metrics
Safeguards and security metrics should be used to measure the implementation of the safeguards
and security requirements for a given project. These compliance and performance assessment
metrics as defined in DOE G 413.3-3, Safeguards and Security for Program and Project
Management, dated 11-15-07, could be established and integrated early in the project planning.
Using these metrics on a monthly basis to highlight either the avoidance of an identified risk or
the mitigation of a risk in this area of project integration will form a basis for continuous and
iterative risk feedback. Further, if a risk in the area of safeguards and security is realized that was
not previously captured on the risk register, it should be reviewed and analyzed. This reflective
analysis process may be needed to determine if the risk was hidden or latent due to other risks or
perhaps other project factors. Lessons learned should be gathered and applied to the project and
other similar projects.
Nothing in this section eliminates the risk assessment metrics for safeguards and security that
may exist in other safeguards and securities orders or guides.
4.7 Risk Reporting
Although reporting (see Attachment 10, Management Reserve or Contingency Use Report, and
Attachment 9, Risk Monitoring Checklist, for suggested format) can be either formal or informal,
this guide will focus on suggested formal risk reporting, but acknowledges that informal risk
reporting occurs in the field through casual conversations and interactions. While there are
thresholds for reporting requirements stated in this guide, each project might vary based upon
tailoring and risk communication requirements that will be stated in the risk management plan
DOE G 413.3-7A 35
1-12-2011
and the risk management communication plan. In addition, the FPD is encouraged to work with
the appropriate DOE program office (i.e., EM, SC, NNSA, etc.) to establish the specific
reporting requirements for the individual project.
4.8 Risk Feedback
Risk feedback is a continuous and iterative activity throughout the risk management process.
Participants in the risk management process should provide feedback throughout the project.
This feedback process begins with the initial identification of the overall risk of the project at the
mission need phase of the project, CD-0, to the project close out, CD-4, and the capture of the
final lessons learned (see Section 4.3.6.3, Project Learning Analysis). This process should begin
as early as possible in the project and should be a thorough risk and requirements feedback
process.
The process of providing feedback can be done either in a formal or informal mannereither in
a written or oral format. However, it is recommended that wherever possible, feedback should be
provided in a formal, written format to ensure that it is captured, and that it is recorded and
received by the appropriate project official, whether it is the risk owner or the FPD and/or the
CPM.
The risk management plan may prescribe the method for certain types of risk feedback and
presentation. The types of risk feedback that the risk management plan should prescribe, but are
not limited to, include reporting, official responses to reports, and maintenance of the risk
register.
5.0 RISK DOCUMENTATION AND COMMUNICATION
5.1 Project Execution Plan
The risk management plan should be included in or referenced in the project execution plan.
5.1.1 Baseline Management
Changes to the baseline due to risks not identified will generally result in the filing of a change
control document. When a baseline update has occurred, a full review of the risks should be
done to ensure that the baseline change has not resulted in other risks that may occur in the
future due to the change either in schedule, budget, or scope. Those risk handling strategies
not part of the project baseline will have cost and schedule impacts, if implemented at a later
date.
If the project has had scope changes or other impacts that have resulted in changes to the
project’s risk profile, the risk identification process should be re-initiated and the risk register
resubmitted either in hard copy or electronically during the reporting period when the changes
are noted.
36 DOE G 413.3-7A
1-12-2011
5.1.2 Phase Integration
Risk management and its processes should be tailored to the specific project phase. For example,
risk management should be started on a project when it should have the most impact, which
means, generally, at the development of the mission need statement. The degree to which it can
be started will depend upon each project and the knowledge possessed at the time.
It is recommended to ensure that risks are represented and risk handling actions are suitable for
the phase of the project. In other words, the response should satisfy a cost/benefit analysis for the
phase or timing of the implementation of strategy whether it is early in the project or late, and
that the schedule to implement can be done within the project without impacting other milestones
or critical activities.
5.1.3 Acquisition Strategy
The FPD should enlist the assistance of the Contracting Officer early in the initial development
of the Acquisition Strategy in order to identify the risks to the procurement of the project
resulting from key project decisions. When developing the acquisition strategy documentation,
the FPD and the Contracting Officer should direct attention to risk identification, consistent with
FAR 34, in the following areas as input to the acquisition decisions:
Costas it relates to the facility, technology, or system to achieve the project’s mission
objective(s).
Design and Engineeringas it relates to the facility, technology, or system to achieve
the design and/or engineering objectives.
Functionalas it relates to the facility, technology, or system to perform or meet
project requirements.
Integrationas it relates to the integration of any hardware or software for various
systems for the facility, technology, or system and the demonstration of this integration
to meet project requirements.
Procurement Vehicles/Processas it relates to the procurement decision process,
contract requirements, available competition, market conditions, and other constraints.
Regulatoryas it relates to the physical site, environmental conditions and process
needs, facility requirements, and any other project specific regulatory requirements.
Other risk categories may need to be reviewed within the acquisition strategy and planning
activity and, as they are captured; they should be tracked in the risk breakdown structure under
the appropriate category and in the risk register.
5.2 Risk Management Plan
DOE G 413.3-7A 37
1-12-2011
The risk management plan is the governing document for the risk management process on a
project. The risk management plan includes by reference the risk register, risk analysis, and other
risk data and risk database information that is updated more frequently, but is not reissued
whenever such data is changed or updated. Results from the risk analyses (MR, contingency,
confidence level) are recommended for inclusion in monthly progress reports if the analyses are
updated more frequently than annually.
Note: Tailoring the risk management plan is based upon criteria such as the size, complexity,
budget, risk level, resources, technical maturity level, and other considerations deemed relevant.
The risk management plan should include the following sections:
I. Introduction (may be contained in project execution plan)
a. Project summary
b. Responsibility assignment matrix (see Attachment 3, Risk Responsibility
Assignment Matrix)
c. Key definitions
d. Key requirements documents and regulatory drivers
e. Assumptions and constraints
II. Risk and opportunity management process
a. Risk planning
b. Risk assessment
c. Risk identification
d. Risk analysis
e. Risk and opportunity handling
f. Risk monitoring
g. Risk feedback
III. Risk documentation and communication
IV. Conclusion
5.3 Risk Management Communication Plan
Communication is identified in DOE O 413.3A as a key principle to project success. To ensure
project success the risk management plan should address how information related to risk, and
risk status is communicated to the project team and stakeholders. This communication
38 DOE G 413.3-7A
1-12-2011
information could be addressed in either the project execution plan or a communication plan or
could be included in the risk management plan. A separate risk management communication plan
could also be developed as part of the tailoring decisions. The risk management communication
plan should also specifically address the integration points with the DOE enterprise-wide lessons
learned systems.
It is recommended that the risk management communication plan should contain the following
sections:
I. Background and purpose
a. Responsible office and key individuals
b. Necessary oversight and signatory responsibilities
II. Project overview
III. Target objectives
a. Development of standard, and as needed, communication formats and messages
for identified risk stakeholders
b. Development of communication flow diagrams
IV. Strategy
a. Statement of overall strategy elements
b. Assumptions and uncertainties
c. Process for validating and verifying assumptions and uncertainties
V. Key target stakeholders
a. Identification process
b. Known stakeholders
VI. Identified communication channels for each target stakeholder grouping
a. Process for identifying key points of contact
(1) Primary point-of-contact
(2) Back-up point-of-contact
b. Process for identifying key points of contact for emergency communications
VII. Key messages
DOE G 413.3-7A 39
1-12-2011
a. Site communication requirements
(1) Goals and objectives
(2) Processes
b. When certain communications may be issued
c. Definition of various modes of communication
d. Situational requirements
e. Definition of special circumstances
f. Definition of special approval channels
g. Communication development
(1) Who should be involved in construction of communications
(2) Who should review
h. Standard messages
i. Key interfaces
j. Communication distribution and feedback
VIII. Roles and responsibilities
a. Identify all parties
b. Responsibility assignment matrix
IX. Overview metrics for responsible persons
X. Message approval process
Revisions and updates
6.0 TAILORING OF RISK MANAGEMENT
Programs may adopt other acceptable methods/approaches as deemed appropriate. The process
could be tailored based upon the complexity, size and duration of the project; initial overall risk
determination; organizational risk procedures; available personnel and their skill levels for
performing risk management; and available relevant data and its validation.
40 DOE G 413.3-7A
1-12-2011
7.0 APPLICATION OF CONTINGENCY AND MANAGEMENT
RESERVE FOR NON-M&O CONTRACTS
7.1 Explanation of the Terms
This section provides clarification guidance for the definition, derivation and consistent
application of the terms government contingency and contractor management reserve (MR) in
risk management for DOE capital asset projects. This clarification guidance is in accordance
with the requirements of DOE Order 413.3B and the Federal Acquisition Regulations (FAR).
This clarification guidance is also consistent with Acquisition Letter 2009-01, ―Management
Reserve and Contingency,‖ dated October 6, 2008 from the DOE Office of Procurement and
Assistance Management. Contingency management should be an integral part of the DOE capital
asset project risk management process, providing project managers with the tools to respond to
project risks and uncertainties that are inherent in all DOE projects. With appropriate
management and funding of projects, coupled with well-administered Federal and contractor
Risk Management Plans and Change Control processes, project baselines should be well suited
to deal with anticipated project risks. The government cost estimate should include contingency
for all risks that will impact the project during the development of performance baselines.
When the government issues a solicitation for work to be performed, the terms of the contract
establish which work scope risks are borne by the contractor. The offeror and/or contractor is
expected to account for the contractor’s risks when proposing quantities, costs and schedules in
their response to the RFP. As a part of the execution of the work, certain of these risks will be
realized, certain risks will be mitigated, and additional risks within the contractor’s responsibility
could emerge.
The terms ―contingency‖ and ―MR‖ are often used interchangeably in Project Management and
Contract Management activities during the execution of the work scope creating confusion about
its proper accountability. Using these terms interchangeably should be discouraged. And, while
MR is a form of contingency, its application is the responsibility of the contractor. Contingency
derivation and management is the responsibility of the project team. It is advisable that all parties
understand the differences and manage each funding source accordingly.
7.2 Contracting Approach for Non-M&O Contracts
―Contingency‖ and ―management reserve‖, as defined in DOE O 413.3B, are not synonymous
with those provided in the FAR. In fact, the term ―management reserve‖ is not used in the FAR,
and is not considered a discrete element of cost. Within the FAR, the term ―contingency‖ refers
to contractor contingency and not Government contingency, as defined by DOE O 413.3B. If
MR is not recognized as a discrete element of cost such as labor, overhead, materials, etc., how
then is it factored into a contractor’s cost proposal and negotiated into the contract? The answer
is that the FAR does allow for contractors to price in contingencies that meet specific conditions,
i.e., ―those that may arise from presently known and existing conditions, the effects of which are
foreseeable within reasonable limits of accuracy‖, such as escalation for out-year prices,
anticipated costs of rejects and defective work, etc. In fact, FAR 31.205-7 states that
DOE G 413.3-7A 41
1-12-2011
―contingencies of this category are to be included in the estimates of future costs so as to provide
the best estimate of performance cost.‖ As a general matter, in a cost proposal, contractor
contingency should be tied to specific work scope and be proposed as standard cost elements
recognized by the FAR. What this implies is that the contract price is not allowed to explicitly
call out a separate budget for management reserve, since reserves for uncertainties within the
scope of the contract are expected to be included within the contractor price. Management
reserve is carved out after the contract value has been negotiated.
While DOE Acquisition Letter 2009-01 provides an extensive discussion of pricing of contractor
reserves, a source of confusion has been the interpretation of certain guidance stated in AL 2009-
01 with respect to the DOE O 413.3B project management model. Specifically, AL 2009-01
states ―Contracting officers shall not include in the contract price any amount (for management
reserve, contingency, etc.) to cover prospective requests for equitable adjustments, changes, or
risks that might or might not occur during performance.‖ Equitable adjustments, changes to the
contract pursuant to the Government Changes Clause (FAR 52.243-1, 2, 3, 4, 5, or 6), and other
unknown risks do not satisfy the requirement that contractor contingencies that are priced into a
contract must be those that arise from presently known and existing conditions, the effects of
which are foreseeable within reasonable limits of accuracy. Changes to the contract, equitable
adjustments, and other unknown risks simply cannot be reasonably priced. Changes of this
nature are generally handled through the "Changes" clause after contract award as long as the
change is within the general scope of the contract.
FAR 31.205-7 also requires that contingencies, ―the effect of which cannot be measured so
precisely as to provide equitable results to the contractor and to the Government; e.g., results of
pending litigation‖, are to be excluded from cost estimates and should be disclosed separately
(including the basis upon which the contingency is computed) to facilitate the negotiation of
appropriate contractual coverage. The expectation is that the contractor’s proposal includes a
clear statement of assumptions and risks that are part of the contractor’s proposal to perform the
work listed in the solicitation that may have either a positive or negative effect on the
Government’s proposal evaluation.
7.2.1 Contract Considerations for Non-M&O Contracts
The discussion thus far is primarily focused on cost reimbursement contract types. However,
additional discussion on the relationship between risk and contract type is warranted, especially
with respect to firm fixed price contracts. Firm fixed price contracts are frequently utilized for
capital asset projects throughout the Government. The issue of risk assumes a different
complexion in a fixed price environment because the cost risk is wholly borne by the contractor,
the contractor is generally not required to provide cost data to the Government, and they are not
required to provide visibility into the formulation and use of their MR. Projects that can be
priced on a firm fixed price basis will tend to be well-defined and characterized in terms of work
scope. Cost overruns are absorbed by the contractor, not the Government.
42 DOE G 413.3-7A
1-12-2011
Under a cost reimbursement contract, the tools, processes, and systems that are required to award
and administer the contract reflect efforts to mitigate cost and performance risk that in a cost
reimbursement environment are primarily borne by the Government.
An additional consideration with respect to managing risk on a capital asset project is whether it
will be performed by the prime contractor, a first tier subcontractor, or a lower tiered
subcontractor. FPDs and Contracting Officer’s Representatives (CORs) should always be
mindful that the Government only has privity of contract with the prime contractor, and not with
subcontractors, therefore, the Government’s desire to manage a project should carefully account
for the role of the prime contractor in directing subcontractors and managing risk for the work
scope that has been subcontracted.
7.3 Project Management Approach for Non-M&O Contracts
DOE O 413.3B prescribes a project management model that supports effective contract
management. To comply with DOE O 413.3B, the contractor will establish a Performance
Measurement Baseline (PMB) for the contractor’s scope of work and a Management Reserve
(MR) for managing contractor risks. The cost element of the PMB is the total time-phased
budget plan of the work breakdown structure (WBS) elements with the contractor’s estimate of
the planned cost and schedule to accomplish each WBS element. It depicts the schedule for
expenditure of the resources allocated to accomplish contract scope and schedule objectives and
is formed by the budgets assigned to control accounts and summary-level planning packages, if
any, plus any undistributed budget. The PMB cost plus the MR equals the contract cost (or
Contract Budget Base). The contract cost plus the contract fee equals the contract price. The
contract price is the total estimated cost for the contract (see Figures 4 and 5, and Figure A-1 in
Attachment 11).
Figure 4. Total Project Cost Breakdown
Note: CL = Recommended Confidence Level
DOE G 413.3-7A 43
1-12-2011
Figure 5. DOE and Contractor Performance Baseline
A performance baseline (PB) as established in DOE O 413.3B is established after sufficient
design has been accomplished to provide sufficient certainty the scope of work can be
completed within cost and schedule. The FPD defines a cost, schedule, performance and scope
baseline. The Government will define a scope of work to be accomplished by the contractor in
a solicitation and determine the risks to be assigned to the contractor. As outlined above, the
offeror and/or the contractor’s proposal in response to the solicitation will propose a technical
approach and incorporate the necessary quantities, cost and schedule to accomplish the work
and handle the risks to accomplish its proposed approach. And then, after the contract is
awarded, the contractor will prepare a PMB and MR.
The FPD also assigns certain risks to the Government, such as government furnished services
and items (GFS/I), significant revisions to regulatory requirements, etc. Through analysis of
these risks, the FPD establishes needed contingency. This contingency is often referred to as
DOE contingency to provide clarity from ―contingency‖ referred to in DOE Acquisition Letter
2009-01. And the ―contingency‖ in DOE Acquisition Letter 2009-01, is MR in DOE Order
413.3 guidance.
Risks for all capital asset projects should be analyzed using a range of 70-90% confidence
level upon baselining at CD-2 and reflected in funded contingency, budgetary requests, and
funding profiles. Projects should contact their sponsoring program office for additional
program and project-specific guidance on the confidence level to be used for analysis. If a
project has a performance baseline change, the FPD should consider reanalyzing the risks at a
higher confidence level and then reflecting this in budgetary requests and funding profiles.
DOE does not provide confidence level guidance for the determination of MR by the
contractor. Consistent with DOE O 413.3B, the contractor is expected to complete the full
contracted scope of work. The work for a Federal Project can have multiple contracts for the
execution of the work. Also, a single contract can execute work for multiple Federal Projects.
In establishing the PB when contracts are in-place, the PB will comprise the contractor’s price
Government (DOE) Other Direct Project Costs
Profit/Fee
Contractor Performance Baseline
Management Reserve
Government (DOE) Contingency
Schedule Reserve
Schedule Contingency
DOE Total Project Cost
Contract Price
Contract Budget Base
TIME
44 DOE G 413.3-7A
1-12-2011
(PMB plus MR plus fee) plus contingency and any Government other direct costs (see Figures
4 and 5 above). The confidence in the PB will be reflected in budgetary requests, and funding
profiles.
The amount of MR should correlate with the quantification of the uncertainties and risks
identified by the contractor in their Risk Management Plan. During execution, the contractor
inherently challenges each of their cost account managers, as well as managers responsible for
executing the work (i.e., cleanup, demolition, design, procurement, construction) to
accomplish the PMB within the cost and schedule for each work element. The MR provides
the contractor with a mechanism to fund a risk should it be realized.
MR should be maintained separately from the PMB and is utilized through the contractor’s
change control process. MR is established after contract award by the contractor. MR should
be risk based, and quantitatively derived and justified. Thus, the MR is a project management
tool which allows the contractor to manage risks and uncertainties. Through the risk planning
and assessment process, the contractor forecasts the realization and/or mitigation of risks and
the utilization of MR. MR should not be managed by the government nor deducted from the
total estimated contract price, since the underlying costs were supported through the
contractor’s proposed scope, cost and schedule to execute the work and evaluated by the
Government.
When a pre or post award integrated baseline review (IBR) is required in accordance with
FAR Subpart 34.2 and 52.234, the contractor should demonstrate the ability of the PMB to
successfully execute the project and attain cost objectives. This demonstration can best be
achieved by identifying the threats and opportunities that the contractor has priced in its bid
proposal and the approach to be used in managing the associated budget for those threats and
opportunities.
During project execution, the contractor evaluates the attainment of the PMB utilizing their
Earned Value Management System (EVMS). The contractor’s change control process deals
with proposed scope, cost and schedule changes by the cost account managers, as well as the
work execution managers. For potential changes within the contractor’s responsibility,
sometimes called trends, the contractor will address the change as a potential variance to the
work element. This permits the condition to be highlighted and potentially mitigated.
However, if the condition cannot be mitigated, the contractor will typically process the change
and utilize MR for the change. Typical uses of MR include funding recovery from the impacts
of realized risk events, implementing and executing opportunities to accelerate remaining
work in the PMB to increase confidence in schedule commitments. MR is not used to resolve
past variances (positive or negative), unless to correct errors, routine accounting adjustments,
or to improve baseline integrity and accuracy of performance measurement data. Use of MR
should follow EVMS rules per ANSI/EIA-748B.
DOE authorization should not be required for the contractor to use MR. However, DOE
requires contractors subject to compliance with ANSI/EIA 748B, Earned Value Management
System (EVMS), to report the use of MR as part of the monthly reporting of performance
against the established PMB (the EVMS is not required to be used for firm fixed-price
contracts - DOE O 413.3B). MR should be monitored and evaluated as part of the ongoing
DOE G 413.3-7A 45
1-12-2011
project control and oversight functions. The use of MR for scope, cost and schedule mitigation
should be planned, reported, and managed over the project duration to ensure successful
project completion.
7.4 Project and Contract Changes for Non-M&O Contracts
Changes can occur on two levels: changes within the contractor scope and changes outside the
contract scope. Changes within the contract scope are accomplished through the contractor’s
change control process. The FPD should be cognizant of this process and the contractor’s
monthly status report should provide a status of executed and pending changes, as well as the
status of MR utilization.
If the contractor believes a change has occurred and the change is outside the contract scope,
the contractor should immediately notify the Contracting Officer (CO) and the FPD in writing
in accordance with the applicable Changes clause prescribed by the FAR and included in the
contract. If the FPD and CO concurs, the FPD/CO may determine the impacted work is not
necessary, and the CO will formally notify the contractor of this decision. If the FPD/CO
determine the work is necessary, and in conjunction with the Federal Budget Officer (FBO)
that funds are available (typically through the use of contingency, i.e. DOE contingency), the
CO will follow the established change control process that leads to issuing a modification to
the contract. If the CO, through consultation with the FPD, determine that some of the work is
necessary to be executed (to preclude a stop work condition), while the contractor is preparing
their proposal, the CO may authorize a unilateral change order modification that clearly
establishes a ―not-to-exceed‖ estimate, a definitization schedule, and the revised language for
the specific change in the contract scope. Pursuant to the modification, the contractor will
prepare a proposal for that specific ―changed‖ scope of work, correlating what has changed
from the current contract. The contractor will also determine if the amount of fee is affected. It
is critical the contractor shows the correlation of the scope, cost and schedule change to the
contract, not the PMB. The contractor’s proposal will factor-in risks, just as the contractor’s
response to the RFP considered risks. The proposal does not show the change to the PMB. The
PMB will be adjusted after the modification is finalized, just as the PMB and MR were
established after the contract was awarded. When the contractor’s proposal is received by the
Government, the FPD/CO/FBO will evaluate the proposal and determine if the modification
has merit. If so, the FPD/CO/FBO will determine if contingency (i.e. DOE contingency)
should be used to support the modification. If the level of the scope, cost and schedule change
is within the authority of the FPD for the Project Baseline and contingency utilization, and of
the CO to perform the contract change, the modification is executed. If the change is above
either the FPD or CO approval authority, the change is forwarded to DOE Headquarters for
approval by the Acquisition Executive and/or the Head of Contracting Authority (HCA). If
approval is received, the modification is executed. Then, the PMB is revised accordingly.
7.5 Derivation of MR and DOE Contingency (Example)
This section illustrates an example of procedural guidelines for deriving both contractor MR
and DOE Contingency for a hypothetical DOE project. Other valid methods exist. This is a
fictitious project, but the steps are extracted and summarized from actual DOE projects as well
46 DOE G 413.3-7A
1-12-2011
as various resource documents, including this guide. The project illustrated here is
conventional construction of a new office and laboratory building (non-nuclear), with a base
cost estimate (no contingency or MR) of $150 million. The shaded areas represent the new
information required at each step of the risk management process.
A. Contractor’s Management Reserve
Remember that MR is controlled by the contractor, after contract award, for risk and
uncertainty within the contracted scope of work. Budget for contractor risks and uncertainties
is part of (embedded within) the contractor’s bid price. A method for reviewing contractor MR
is described below. DOE can follow this method when it develops the government estimate for
the project, as a means to initially evaluate contractor proposals and later during project
execution to assess the robustness of the contractor’s stated MR and management plan. Note
that MR is an estimate of the potential amount of additional budget the contractor may need to
execute the contractor’s scope of work, and is a combination of the costs derived from 1) risk
events, and 2) cost estimating uncertainty. Steps 1-4 below may be used to derive the MR
contribution from risk events. Step 5 may be used to derive the MR contribution from cost
estimating uncertainty.
1. Risk Identification.
The contractor team identifies the bounding (enabling) assumptions for the project,
based on the contract scope of work.
Examples:
Site utilities will be available in sufficient quantities.
The construction site is free from any contamination that will
require remediation prior to construction.
The contractor then identifies the risks (threats and opportunities) associated with
its contracted scope of work, and assigns a risk owner to each risk. The two risk
lists may resemble the following (only a few threats and opportunities are listed to
exemplify the process):
DOE G 413.3-7A 47
1-12-2011
Threats
ID
Threat
Owner
T-001
Labor unavailability due to competing projects will
delay project completion and increase project costs.
John Smith-Constr. Mgr.
T-002
Construction subcontractor bids come in significantly
higher than estimate which will increase project costs.
Mary Jones Contracts
Mgr.
T-003
Material prices rise higher than budgeted will increase
project costs.
Joe Adams
Procurement Mgr.
T-004
Stakeholder objections delay building permit and will
delay project completion and increase project costs.
Ann Johnson Project
Mgr.
Opportunities
ID
Opportunity
Owner
O-001
Shorten the construction schedule by adding shifts
which will reduce the project completion date and
reduce project costs.
John Smith-Constr. Mgr.
O-002
Obtain material discounts using prompt payment
provisions in procurement contracts and reduce
project costs.
Joe Adams
Procurement Mgr.
2. Risk Assessment Qualitative Analysis
Identify risk triggers and interdependencies.
Assign probabilities and consequences to each threat and opportunity based on
threshold guideline tables developed by the contractor.
Assign an overall risk rating to each threat and opportunity using a risk matrix based
on the probabilities and consequences.
Threats
ID
Threat
Trigger
Event
Affected
WBS
Elements
Probability
Consequence
Overall
Risk
Rating
T-001
Labor unavailability
due to competing
projects.
?
?
Low
Significant
Low
T-002
Construction
subcontractor bids
come in significantly
higher than estimate.
?
?
High
Critical
High
T-003
Material prices rise
higher than budgeted.
?
?
Moderate
Significant
Moderate
T-004
Stakeholder
objections delay
building permit.
?
?
Very Low
Marginal
Low
? = additional information to be filled in by contractor
48 DOE G 413.3-7A
1-12-2011
Opportunities
ID
Opportunity
Trigger
Event
Affected
WBS
Elements
Probabilit
y
Consequenc
e
Overall
Risk
Rating
O-001
Shorten the
construction
schedule by adding
shifts.
?
?
High
Significant
Moderate
O-002
Obtain material
discounts using
prompt payment
provisions in
procurement
contracts.
?
?
Moderate
Significant
Moderate
? = additional information to be filled in by contractor
3. Risk Handling
Decide on a risk handling strategy for each threat and opportunity, based on the
overall risk rating and professional judgment. Appropriate strategies for threats are
Accept, Avoid, Transfer, or Mitigate. Appropriate strategies for opportunities are
Accept, Exploit, Share, and Enhance. The process includes the following steps:
o Identify a handling strategy for each risk.
o Develop an implementation (mitigation) plan for the strategy, as
appropriate.
o Plan the implementation activities into the baseline project scope.
o Develop cost and schedule estimates for the planned activities and include
in project baseline.
o Document probability of mitigation success.
o Identify residual risks and secondary risks, if applicable.
o Document strategy and handling plan (briefly) on Risk Assessment Form.
DOE G 413.3-7A 49
1-12-2011
Threats
ID
Threat
Handling
Strategy
Mitigation
Strategy
Probability
of Mitigation
Success
Residual or
Secondary
Risk
T-001
Labor unavailability due to
competing projects.
Accept
None
-
Same as
primary
T-002
Construction subcontractor
bids come in significantly
higher than estimate.
Mitigate
Advertise
nationwide.
Have pre-bid
meeting with
bidders.
50%
Construction
contractor
bids come in
slightly higher
than estimate.
T-003
Material prices rise higher
than budgeted.
Transfer
DOE accepts
material price
escalation over
10% above
contractor
budget.
50%
Material
prices rise up
to 10% higher
than original
budget.
T-004
Stakeholder objections delay
building permit.
Accept
None
-
Same as
primary
Opportunities
ID
Opportunity
Handling
Strategy
Enhancement Strategy
Probability of
Enhancement
Success
O-001
Shorten the
construction schedule
by adding shifts.
Enhance
Re-plan the project to use multiple
shifts for work on or near the
critical path.
75%
O-002
Obtain material
discounts using prompt
payment provisions in
procurement contracts.
Enhance
Contact suppliers and fabricators
early in project to ensure discounts
are made available and included in
procurement contracts.
50%
4. Risk Assessment Quantitative Analysis
Estimate the cost and schedule impacts for each primary or residual risk, reported as
best case, most likely, and worst case.
50 DOE G 413.3-7A
1-12-2011
Threats
ID
Threat
Cost Impacts, $000s
Schedule Impacts,
weeks
Probability
Best
Case
Most
Likely
Worst
Case
Best
Case
Most
Likely
Worst
Case
T-001
Labor unavailability
due to competing
projects.
1,000
2,000
4,000
4
8
16
10-25%
T-002
Construction
subcontractor bids
come in slightly
higher than estimate.
0
5,000
20,000
0
0
0
75-90%
T-003
Material prices rise
higher than
budgeted.
500
1,500
3,000
0
0
0
26-74%
T-004
Stakeholder
objections delay
building permit.
1,000
2,500
4,000
4
10
16
<10%
Opportunities
ID
Opportunity
Cost Impacts, $000s
Schedule Impacts,
weeks
Probability
Best
Case
Most
Likely
Worst
Case
Best
Case
Most
Likely
Worst
Case
O-001
Shorten the
construction schedule
by adding shifts.
3,500*
2,000*
750*
16
10
4
75-90%
O-002
Obtain material
discounts using
prompt payment
provisions in
procurement
contracts.
3,000
1,500
0
0
0
0
26-74%
*These cost impacts represent the net savings of a shorter schedule (with lower hotel
loads, etc.) offset by higher costs resulting from added labor costs (shift differential)
and craft productivity impacts.
Input the cost impact ranges for both threats and opportunities into the Monte Carlo
analysis tool, along with the probability of occurrence, to estimate the cost
contingency associated with contractor risks.
Analyze the results from the Monte Carlo (distribution curves) to determine the cost
contingency at the desired confidence level. For example, assume the results for all
risks and opportunities (not just the ones shown above) show the following:
o Contribution to MR for Cost Risks - $23.77 million at 80% confidence level.
DOE G 413.3-7A 51
1-12-2011
Input the schedule impact ranges for both threats and opportunities into the Monte
Carlo analysis tool, along with the probability of occurrence, to estimate the schedule
contingency associated with contractor risks that affect the Critical Path.
Analyze the results from the Monte Carlo (distribution curves) to determine the
schedule reserve at the desired confidence level. For this example, assume the results
for all risks and opportunities (not just the ones shown above) show the following:
o Schedule reserve 5 months at 80% confidence level.
Calculate the cost impact due to schedule contingency using the hotel load. For this
example, assume hotel load is $250,000 per month.
o Contribution to MR from schedule risks 5 months x $250,000/month =
$1.25 million.
52 DOE G 413.3-7A
1-12-2011
Figure 6. Example Output of Monte Carlo Analysis of Cost Risk Impacts
Percentiles
Risk Cost
Impact ($M)
0%
6.11
10%
12.84
20%
14.79
30%
16.23
40%
17.65
50%
19.05
60%
20.50
70%
22.32
80%
23.77
90%
26.08
100%
35.35
DOE G 413.3-7A 53
1-12-2011
5. Cost Estimating Uncertainty
Using the project cost estimate, define the range of cost estimating uncertainty. This
is usually done at a summary level and may appear similar to the following:
Cost Estimate Uncertainty
WBS
Description
Cost Range, $ million
Best Case
Most Likely
(Baseline Cost)
Worst Case
2.1
Preliminary
Design
1
15
15
15
2.2
Final Design
9
10
12
3.0
Construction
85
92.5
115
4.0
Project
Management
9.5
10
11
5.0
Construction
Management
2
7.4
8% of
Construction
8% of
Construction
10% of
Construction
6.0
Title III Design
2
6.5
7% of
Construction
7% of
Construction
9% of
Construction
7.0
OPCs
6
8.6
11
Total
150
Notes: In actual practice, Cost Estimate Uncertainty can be modeled in a variety of ways.
This may be done using a lower level of the WBS or by breaking the project down into
key cost drivers (e.g., bulk commodities quantities and pricing; labor productivity and
rates; equipment pricing; engineering hours and rates; etc.).
1 Since Preliminary Design is assumed complete, this cost is frozen for purposes of this
example.
2 In an actual model, it may be better to use percentages of construction cost to model
these uncertainties in order to recognize the close correlation that exists.
Input the cost estimate ranges into the Monte Carlo analysis tool to estimate the cost
estimate uncertainty for the contractor.
Analyze the results from the Monte Carlo to determine the cost estimate uncertainty
at the desired confidence level. For this example, assume the results show a cost
estimate uncertainty of $5 million at the 80% confidence level.
54 DOE G 413.3-7A
1-12-2011
6. Contractor Management Reserve
Add the cost contingency (derived from the risk analysis) to the cost estimate
uncertainty contingency, at the same confidence levels, to derive the total MR for the
contractor. For example:
Contributions to MR from cost risks $23.75 million
Contributions to MR from schedule risks $1.25 million
Contributions to MR from Cost estimating uncertainty $5.0 million
Total MR $30.0 million
B. DOE Contingency
The DOE Contingency discussed here is the contingency needed to mitigate project risks that are
within the project baseline but are generally beyond the contractor’s control. It is additive to the
MR portion determined in Section A. The steps to follow for DOE Contingency are similar as for
MR. Projects should contact their sponsoring program office for additional general and project-
specific guidance.
1. Risk Identification.
The IPT defines the bounding (enabling) assumptions for the project.
Examples:
Funding will be available according to the funding profile.
There will be no extraordinary ES&H incident or other event that
causes an extended shutdown.
The IPT then identifies the risks (threats and opportunities) associated with the
project, and assigns a risk owner to each risk. The two risk lists may resemble the
following (only a few threats and opportunities are listed to exemplify the
process):
DOE G 413.3-7A 55
1-12-2011
Threats
ID
Threat
Owner
DOE-T-001
Adequate power is not available to the contractor resulting
in schedule delays and increased project costs.
FPD
DOE-T-002
The site requires some groundwater cleanup prior to
construction which will increase project costs.
ES&H Manager
DOE-T-003
GFS/I are delayed resulting in schedule delays and
increased project costs.
Contracting Officer
DOE-T-004
Construction contractor fails to meet performance
expectations which will result in schedule delays and
increased project costs.
FPD
Opportunities
ID
Opportunity
Owner
DOE-O-001
General contractors will consider fixed price, incentivized
contract which will reduce project costs.
Contracting Officer
DOE-O-002
Government provided equipment is available for sharing
with another project in the area which will reduce project
schedule and reduce project costs.
Contracting Officer
Follow Steps 2 and 3 above for MR (Example Section A, Steps 2 and 3).
4. Risk Assessment Quantitative Analysis
Estimate cost and schedule impacts for each primary or residual risk, reported as best
case, most likely, and worst case.
Input the cost impact ranges into the Monte Carlo analysis tool, along with the
probability of occurrence, to estimate the cost contingency associated with DOE
risks.
Input the schedule impact ranges into the Monte Carlo analysis tool, along with the
probability of occurrence, to estimate the schedule contingency associated with DOE
risks that affect the Critical Path.
Analyze the results from the Monte Carlo to determine the cost and schedule
contingency at the desired confidence level. Calculate the cost impact due to schedule
contingency using the hotel load. For this example, assume the results show the
following:
o Cost contingency due to cost risks - $15.5 million at 80% confidence level.
o Cost contingency due to schedule risks - $1.5 million.
o Schedule contingency 6 months at 80% confidence level.
56 DOE G 413.3-7A
1-12-2011
5. Cost Estimating Uncertainty
Determine cost estimating uncertainty for DOE costs that are outside of the contractor
scope, if applicable (e.g. other direct costs or services).
Using the cost estimate for DOE costs, define the range of cost estimating
uncertainty.
Input the cost estimate ranges into the Monte Carlo analysis tool to estimate the cost
estimate uncertainty for DOE costs.
Analyze the results from the Monte Carlo to determine the cost estimate uncertainty
at the desired confidence level. For this example, assume the results show a cost
estimate uncertainty of $3 million at the 80% confidence level.
6. DOE Contingency
Add the cost contingency (derived from the risk analysis) to the cost estimate uncertainty
contingency, at the same confidence levels, to derive the total MR for the contractor. For
example:
Cost contingency due to cost risks $15.5 million
Cost contingency due to schedule risks $1.5 million
Cost estimating uncertainty $3.0 million
Total DOE Contingency $20.0 million
Note: The preceding example represents a simplistic approach towards MR and DOE
contingency derivation. This example could have also incorporated a Monte Carlo analysis for
the cost and schedule contingency attributable to schedule estimate uncertainty. Good risk
management practice dictates that further sensitivity analyses should be employed in order to
determine the MR and DOE contingency contributions from individual cost risks, schedule risks,
and estimating uncertainty. This enables the IPT to assess and monitor where the greatest
potential impact to project performance baseline might originate. Chapter 13 of the GAO Cost
Estimating and Assessment Guide provides a more thorough discussion of sensitivity analysis,
including the steps for performing sensitivity analysis.
5
5
Reference for further examples for the application of the suggested Risk Management Process: Allan J. Chilcott,
Risk Management - A Developing Field of Study and Application, Cost Engineering, September 2010.
DOE G 413.3-7A 57 (and 58)
1-12-2011
C. Total MR and Contingency
Based on the assessment of all project risks and cost estimating uncertainty, the total project
contingency based on the simplified example is as follows:
Management Reserve $30 million
DOE Contingency $20 million
Total MR and DOE Contingency $50 million
This is added to the base costs of $150 million, which results in a Total Project Cost of $200
million.
8.0 ATTACHMENTS
The forms provided in this section are only suggested formats and may be modified as required
by the program office, site office, or the project. All forms can be modified to work with
numerous commercially available software programs. Fields suggested for forms may be
supplemented or deleted as necessary, although certain fields may be noted as necessary for the
purposes of analysis or reporting within the text of the guide regarding that type of reporting.
Before modifications are made to the fields on the forms, verify that the field is not one that is
considered necessary for the purposes of analysis or reporting.
Attachments 11, 12, 13, and 14 in this document provide suggested recommendations and
additional clarification guidance on the definition, derivation, and use of the terms contingency
and management reserve in risk management for DOE projects. Specifically:
Attachment 11 Risk Identification, Development and Use of Contingency and Management
Reserve (Supplementary Information)
Attachment 12 Cost and Schedule Contingency Development Process (Supplementary
Information).
Attachment 13 Contingency Estimate Inputs and Interface Needs (Supplementary Information)
Attachment 14 Management and Reporting Management Reserve and Contingency
(Supplementary Information).
DOE G 413.3-7A Attachment 1
1-12-2011 Page 1-1
Attachment 1: Risk Breakdown StructureExample One
See reference Hillson, D. A. (2007), ―Understanding risk exposure using multiple hierarchies,‖
published as part of 2007 PMI Global Congress EMEA Proceedings Budapest.
Project
Risk
Internal External
Schedule
Mechanical
Safety
Environmental
Human
Resources
Organizational
Structure
Management
Political
Funding
Legal
- Not well defined
- Tied to work at other
sites
Project
Scope
Cost
- Use of
mid-range values
- Reduced float
- Drawings are not
updated
- Delay in approval of SB
documents
- Delay due to questions on
assessments for related work
at other sites
- Delay in ROD signing
- Resources not
available
- Experience level
needed not available
- Contract rebid
- Management
reorganization
occurring
every few
months
- Delay in
appropriation
- Percent of
funding
withheld
- NOV filed
Safeguards and
Security
- Delay in approval of vulnerability
analysis
Technical
Attachment 1 DOE G 413.3-7A
Page 1-2 1-12-2011
Attachment 1: Risk Breakdown StructureExample Two
Level 0
Level 1
Level 2
Level 3
Project Risk
Project
Scope
Not well defined
Tied to work at other sites
Cost
Use of mid-range values
Schedule
Reduced float
Technical
Mechanical
Drawings are not updated
Safety
Delay in approval of SB documents
Delay due to questions on assessments for
related work at other sites
Safeguards and
Security
Delay in approval of vulnerability analysis
Environmental
Delay in ROD signing
Internal
Human Resources
Resources not available
Experience level needed not available
Organizational
Structure
Contract rebid
Management
Management re-organization occurring every
few months
External
Political
Delay in appropriation
Funding
Percent of funding withheld
Legal
NOV filed
DOE G 413.3-7A Attachment 2
1-12-2011 Page 2-1 (and Page 2-2)
Attachment 2: Risk Status Report
Item
Number
Comments
1
Risks Open
2
Risks Closed
3
Monitoring
Trigger Pending
Within Three
Months
4
Residual Risk
Handling
Response
Enacted
5
Residual Risk
Moved to
Primary
6
Secondary Risk
Moved to
Primary
DOE G 413.3-7 Attachment 3
1-12-2011 Page 3-1 (and Page 3-2)
Attachment 3: Risk Responsibility Assignment Matrix
Federal
Project
Director
1
Integrated
Project
Team
Subject
Matter
Expert
Contractor
Project
Manager
Other
Identify
2
Risk Planning
Risk Identification
Qualitative
Analysis
Quantitative
Analysis
Handling
Response
Monitoring and
Control
Risk
Communication
Legend
Responsible
Accountable
Reviews
Approves
Contributes
Prepares
Notes:
1. For M&O contracts, the FPD may be a Contractor Project Director.
2. Other could be Contractor Control Account Manager.
DOE G 413.3-7A Attachment 4
1-12-2011 Page 4-1 (and Page 4-2)
Attachment 4: Probability Scale/Schedule Consequence Criteria
Probability Scale Example
Very High >90%
High 75-90% Moderate/High 60-75%
Moderate 26-74% Moderate/Moderate 40-60%
Low 10-25% Moderate/Low 25-40%
Very Low <10%
Schedule Consequence Scale Example
Very High 12-24 months
High 12-18 months Moderate/High 9-12 months
Moderate 3-12 months Moderate/Moderate 6-9 months
Low 0-3 months Moderate/Low 3-6 months
Very Low 0-0.5 months
Cost Consequence Scale Example
Very High $10M-$100M
High $1-$10M Moderate/High $0.5-$1.0M
Moderate $100K-$1M Moderate/Moderate $250-$750K
Low $10-$100K Moderate/Low $100K-$250K
Very Low <$10K
Notes:
The criteria for each category may be adjusted depending on the size and duration of the project. For
instance, a 6-month impact may be Moderate for a 10-year project, but Very High for a 2-year project.
Similarly, a $1M impact may be very high for some projects where other longer/larger projects may have
risks that exceed $1B.
A category can be expanded to facilitate the elicitation of risks from subject matter experts. In the above
probability and schedule scales, the ―Moderate‖ scale was expanded.
Categories may be overlapping or non-overlapping.
DOE G 413.3-7A Attachment 5
1-12-2011 Page 5-1
Attachment 5: Risk Register
The risk register or risk log is a database often captured in a database such as Access or
Excel or other risk management software tool. The format is dictated by the size of the project
and the ease of compiling the necessary reports. Following are the names of the fields that should
appear in the risk register and a description of those fields. The database should be capable of
generating reports based upon querying various fields and dates for open risks and trigger dates
as well as handling responses that are currently operable.
Risk: Risk as identified and should include the cause, the risk likelihood, and the effect (consider
separate sub-fields for each to allow search capabilities on common causes of risks). The
preferred statement should be in the affirmative to gain the most effective risk handling
responses or strategies.
Risk Identification Number: Unique identification number for the risk.
WBS: Work Breakdown Structure identification number.
Risk Owner: Person responsible for tracking, monitoring, documenting, and ensuring the
handling response or strategy is implemented and reported upon.
Risk Category: Category assigned for grouping or from Risk Breakdown Structure analysis.
Risk Status: Open or closed.
Risk Assumptions: Any assumptions pertaining to the risk itself. The identification of
assumptions may be clues to other risks.
Risk Probability and Basis: Likelihood of this event occurring. Use the appropriate qualitative
risk analysis matrix.
Risk Consequence and Basis: Outcome of this event. Use the appropriate qualitative risk
analysis matrix.
Risk Level: The intersection of the probability and consequence on the appropriate qualitative
risk analysis matrix, which determines the overall potential risk impact to the project.
Risk Monitoring Trigger: Early warning signs that this risk is about to occur.
Success Metric: Measure by which the Federal Project Director or Contractor Project Manager
will know that the avoidance strategy or handling response or strategy has been successful.
Avoidance Strategy: If there is an avoidance strategy to eliminate risk completely it should go
in this field. Avoidance is a type of risk handling strategy.
Risk Handling Strategy: Step-by-step (similar to a project plan) approach to eliminating or
reducing the risk if no avoidance strategy is immediately available; includes the dates for
Attachment 5 DOE G 413.3-7A
Page 5-2 1-12-2011
completion. Include the probability of success for the risk handling strategy and consider
probabilistic branching to account for the handling strategy failing.
Cost (for risk handling strategy): Necessary cost for implementing the handling strategy.
Cost Assumptions: Assumptions that relate to the cost contingency values.
Schedule (for handling strategy): Necessary schedule for implementing the risk handling
strategy.
Schedule Assumptions: Assumptions that relate to the schedule contingency values.
Residual Risk: Remaining risk once the risk handling strategy is completed.
Risk Handling Strategy for Residual Risk: May be filled in depending upon the level of risk
perceived by the Federal Project Director or the Contractor Project Manager.
Residual Risk Probability and Basis: Likelihood of this event occurring. Use the appropriate
qualitative risk analysis matrix.
Residual Risk Consequence and Basis: Outcome of this event. Use the appropriate qualitative
risk analysis matrix.
Residual Risk Level: The intersection of the probability and consequence on the appropriate
qualitative risk analysis matrix, which determines the overall potential risk impact to the project.
Secondary Risk: Risk arising as a direct result of the implementation of a risk handling strategy.
Secondary Risk Probability and Basis: Likelihood of an event occurring. Use the appropriate
qualitative risk analysis matrix.
Secondary Risk Consequence and Basis: Outcome of an event. Use the appropriate qualitative
risk analysis matrix.
Secondary Risk Level: The intersection of the probability and consequence on the appropriate
qualitative risk analysis matrix, which determines the overall potential risk impact to the project.
Trigger Date: Early warning sign of the date that this risk is about to occur.
Trigger Metric: Event, occurrence or sequence of events that indicates the risk may be about to
occur, or the pre-step for the risk indicating that the risk will be initiated.
DOE G 413.3-7A Attachment 6
1-12-2011 Page 6-1 (and Page 6-2)
Attachment 6: Cost/Benefit Analysis
Often captured as Benefit/Cost = Return on Investment (or Investment Outcome).
For the purposes of this Guide, the steps are:
Identify the costs and benefits
Quantify in units
Calculate units into dollar value
Calculate costs and benefits into time
Project the net benefits and costs
These benefits and costs can be distributed over time using the same Monte Carlo simulation
methodology, if desired.
Reference: Boardman, Greenberg, Vining & Weimer, Cost-Benefit Analysis Concepts and
Practice, Prentice Hall, 3rd Edition, 2005.
DOE G 413.3-7A Attachment 7
1-12-2011 Page 7-1 (and Page 7-2)
Attachment 7: Opportunity Matrix
Consequence
Probability
Opportunity
Matrix
Negligible
Marginal
Significant
High Impact
Very High
Impact
Cost
Minimal or no
consequence.
No impact to
Project cost.
Small
increase in
meeting
objectives.
Marginally
increases
costs.
Significant
increase in
positive
chance to
meet
allocated
costs.
Goals and
objectives are
more
achievable.
Removes
serious
threats to
project costs.
Project
proceeds
without
threat to
budget
within the
mission
space.
Schedule
Minimal or no
consequence.
No impact to
Project
schedule.
Small
increase in
meeting
objectives.
Marginally
impacts
schedule.
Significant
increase in
positive
chance to
meet
allocated
schedule.
Goals and
objectives are
more
achievable.
Removes
serious
threats to
project
schedule.
Project
proceeds
without
threat to
schedule
within the
mission
space.
Very High
>90%
Low
Moderate
High
High
High
High
75% to 90%
Low
Moderate
Moderate
High
High
Moderate
26% to 74%
Low
Low
Moderate
Moderate
High
Low
10% to 25%
Low
Low
Low
Moderate
Moderate
Very Low
<10%
Low
Low
Low
Low
Moderate
Note: Matrix is suggested only, as each site may have a site-specific matrix.
DOE G 413.3-7A Attachment 8
1-12-2011 Page 8-1
Attachment 8: Risk Identification Checklist
Below is a list of risk areas within this Risk Identification Checklist. Below each risk area (i.e.,
Front-End Planning Risks) is a listing of related risks. Many of the risks listed in this attachment
can have significant impacts on a project’s technical performance, cost, and schedule status. Not
all listed risks will be applicable to every program. Not all risks are normally under the direct
control of the Federal Project Director.
Risk Areas
1. Front-End Planning Risks
2. Market Related Risks
3. Technical Risks (Hazard Category 1, 2, & 3 Projects)
4. Budget Risks
5. Contract/Specification/Statement of Work Risks
6. Site Risks
7. Staffing Risks (Federal and Contractor)
8. Organizational Risks (Federal and Contractor)
9. Project Execution Risks
10. Regulatory Compliance/Oversight Risks
11. Ineffective Governmental Oversight/Contract Administration Risks
Context for use of this checklist: This checklist may be used as a follow-up to a brainstorming
session or other methodology such as interviews, risk breakdown structures or diagramming
techniques to ensure that all currently identified DOE areas of concerns have been covered. It is
not intended as a complete checklist and may be used in conjunction with other checklists as the
user may see fit. The checklist should not be used in lieu of the brainstorming session and other
methods of risk identification, but as a checklist it is intended to check the work done by the risk
identification team members. Many of the risks listed in this attachment can have significant
impacts on a project’s technical performance, cost, and schedule. Note that not all listed risks
will be applicable to every project.
1. Front-End Planning Risks
Expectations and/or requirements that:
- Have not been identified.
Attachment 8 DOE G 413.3-7A
Page 8-2 1-12-2011
- Are unrealistic.
- Are incomplete.
- Are unstable.
- In conflict with each other.
Incomplete or inaccurate identification of constraints:
- Funding/budget resources.
- Political support.
- Staff and contractor resources.
- Procedural.
- Regulatory.
Unrecognized or underestimated complexities caused by:
- The number of systems, structures, components.
- The number of requirements and constraints.
- Technical challenges.
- Technical interfaces.
- Organizational and functional interdependencies.
- Nonlinearity.
- Unstable or dynamic environments.
- Schedule demands.
Excessive, unrealistic, or unrecognized assumptions.
2. Market Related Risks.
Limited vendor/contractor availability and/or interest because of external market
conditions.
- Availability of other work (the existence of a seller's market).
- Volatile prices.
- Limited or uncertain availability of materials, labor, components, and/or
construction equipment.
- Limited availability of financing to cover cash flow delays.
Reduced vendor/contractor interest because of contract imposed terms and conditions
that increase their risks.
DOE G 413.3-7A Attachment 8
1-12-2011 Page 8-3
- No recovery of damages for owner-caused delays.
- Full indemnity for damages.
- Ambiguous acceptance criteria.
- Financial responsibilities for force majeure.
- Cumulative impact of multiple change orders.
- Owner-mandated subcontractors.
- Differing site conditions.
- Transfer of design responsibility to constructors and suppliers.
- Waiver of claims due to time limits.
- Standards of care clauses such as ―highest and best industry standards‖ and
―in a workmanlike manner.
- Fixed price contracts.
Reduced vendor/contractor interest because of the uniqueness of the tasks or
performance requirements.
3. Technical Alignment Risks (Hazard Category 1, 2, & 3 Projects)
Technology maturity.
Safety-in-design (STD 1189-2008).
Design margins/degree of conservatism.
Definition, selection, and implementation of quality assurance requirements.
Safety-class and significant fire protection systems.
- Fireproofing of structural steel.
- Combustible loadings.
- Degradation of HEPA filters.
- Fire detection and suppression system activation mechanisms.
- Hydrogen & flammable gas generation/accumulation.
Seismic/structural.
- Ground motion.
- Snow load and wind.
- Adequacy of geotechnical investigations.
Attachment 8 DOE G 413.3-7A
Page 8-4 1-12-2011
- Soil settlement.
- Soil-structure interaction analyses.
- Load paths for seismic and settlement induced forces.
- Finite element analysis.
- Structural computer codes.
Confinement
- Strategy.
- Adequacy of confinement barriers.
- Magnitude of the radiological source term.
Criticality standards.
Chemical process safety.
Technical defensibility of calculations and designs.
Security
- Physical security.
- Cyber security.
- Information security.
4. Budget Risks
Incomplete or inaccurate funding/budget resources.
Decrements in funding/budget.
Funding profile changes that impact budget.
5. Contract/Specification/Statement of Work Risks
Unclear or Loose Technical Requirements:
- Built system does not meet Government requirements.
- Excessive rework following Government clarification of requirements.
- Contractor naming loose technical requirements to maximize profits.
Conflicting or Excessive Requirements
DOE G 413.3-7A Attachment 8
1-12-2011 Page 8-5
- Conflicting Requirements generate excessive rework or inefficient
operations.
- Failure to use performance based contracting.
Inadequate Incentives
- Incorrect Contract Type to promote effective contractor performance.
- Poorly developed performance based incentives or award fee plan.
6. Site Risks
Access constraints.
Underground/soil conditions.
Wind and flooding.
As-built conditions.
Utility availability/capabilities.
Coordination with other construction activities.
7. Staffing Risks (Federal and Contractor)
Inadequate staffing for the size, complexity, and/or challenges of the project.
Inadequate formal education/certification/training.
Personnel/organizations lack experience on similar projects.
Recruitment issues.
- Remote location.
- Moving Expenses.
Personnel turnover.
- High level of personnel turnover.
- Inadequate succession approach for key and critical personnel.
Unwillingness to seek out or utilize lessons learned by others.
Inadequate cognitive skills.
Attachment 8 DOE G 413.3-7A
Page 8-6 1-12-2011
- Lack of situational awareness.
- Inabilities to recognize evolving patterns (connect the dots) and/or recognize
warning signs.
- Inability to foresee and avoid the obstacles the project will experience.
- Inability to adjust to changing situations or environments.
- Inability to foresee the secondary effects or unintended consequences of
decisions or actions.
8. Organizational Risks (Federal and Contractor)
Lack of organizational alignment.
- Different organizational cultures.
- Different organizational priorities.
- Different levels of motivation.
- Contractor unfamiliar with Federal processes
Unclear or overlapping roles, responsibilities, and/or authority.
Organizational fragmentation/excessive outsourcing and use of subcontractors.
Lengthy decision/approval chains.
9. Project Execution Risks
Document, design, and/or construction rework:
- Design and Documentation Quality Issues.
- Inadequate Configuration Control.
- Design Integration and Scheduling Issues.
- Inadequate Testing.
Learning curves.
- Individual.
- Corporate.
Coordination/integration of individual tasks/efforts.
Iterative development.
- Evolving Requirements.
DOE G 413.3-7A Attachment 8
1-12-2011 Page 8-7
- Evolving Technology.
- Continued Integration with Related Systems.
- Waterfall vs. Spiral vs. Evolutionary Development.
Approval Process.
- Approval times.
- Imposition of Excess or Ineffective Requirements.
Logistics problems.
Supply chain management challenges.
- Long lead time procurements.
- Limited vendor availability.
- High-inflation for high-demand commodities/products.
- Vendor quality control.
Productivity and Efficiency Issues.
- Lack of applicable productivity, cost, and schedule data/benchmarks.
For cost estimates.
For probability distributions.
- Ineffective contractor management.
- Labor relations/labor productivity.
- Inadequate training.
- Improper Incentives (contract, management, and/or labor).
10. Regulatory Compliance/Oversight Risks
Changing regulatory requirements.
Regulator disapproval of proposed technological approach/design.
Regulator directed changes.
Excessive delays to obtaining regulator’s approvals.
11. Ineffective Governmental Oversight/Contract Administration Risks
Delayed problem recognition and resolution because of:
Attachment 8 DOE G 413.3-7A
Page 8-8 1-12-2011
- Inadequate systems for measuring performance.
- Construction/procurement releases before final designs are sufficiently
complete.
- Ineffective project reviews, inadequate use of project management tools.
- Lengthy/ineffective feedback loops.
- Imposition of Additional or Ineffective Requirements.
Change Control Issues.
Excessive number of changes.
Cost/benefit analyses of changes not analyzed and/or ineffective analysis.
Changes imposed at a less than optimal stage of design/construction.
Changes not identified/tracked.
Failure to expeditiously negotiate changes.
Ineffective negotiation process (poor cost estimating, inability to isolate cost
of changes, late negotiations).
Contractor uses changes process to hide poor technical, cost and schedule
performance.
DOE G 413.3-7A Attachment 9
1-12-2011 Page 9-1 (and Page 9-2)
Attachment 9: Risk Monitoring Checklist
Item
Number
Item
Yes/No
Comment
1
Risk handling strategy was implemented as
planned
2
Risk handling strategy was effective
3
Back-up risk handling strategy was required to be
implemented
4
Risk assumptions were valid
5
Project assumptions were valid
6
Risk monitoring trigger was valid
7
Risks were correctly noted in risk reports
8
Risk was on team meeting agendas
9
Risk monitoring was conducted per the Guide
10
Risk was integrated into Earned Value
discussions
11
Were unidentified risks discovered
12
Was contingency associated with a given risk
sufficient
13
Were risks captured in the risk register and
updated
14
Was a risk brainstorming session or scenario
planning session used to identify risks
15
Was a subsequent session for identification of risk
conducted to update the risks identified
16
Were lessons learned captured during the risk
process
17
Were lessons learned distributed during the risk
process to the project team
18
Were lessons learned distributed during the risk
process to other project teams
19
Were any systems analysis or decision analysis
methodologies applied, especially for such items
as technology readiness level implementation
DOE G 413.3-7A Attachment 10
1-12-2011 Page 10-1 (and Page 10-2)
Attachment 10: Management Reserve or Contingency Use Report
The CPM will generally use this as a management reserve report. If funds are applied outside of
risks captured on the risk register, the explanation should be captured on the report and accepted
by the site office FPD.
Risk Realized:
ID #, WBS #
Management
Reserve
Expended
Schedule
Contingency
Expended
Comments
DOE G 413.3-7A Attachment 11
1-12-2011 Page 11-1
Attachment 11: Risk Identification, Development and Use of Contingency and
Management Reserve (Supplementary Information)
This DOE Guide provides detailed guidance on an effective risk management process (programs
may adopt other acceptable methods/approaches as determined appropriate by the program
office). The contents under this Section should be interpreted as unqualified recommendations
and clarification guidance for the definition, derivation and use of the terms contingency and MR
in risk management for DOE projects. Contingency and Management Reserve (MR) are project
cost elements directly related to project risks and are part of the project cost estimates.
The specific confidence level (CL) used to develop the project performance baseline estimate is
determined by the project’s FPD/Integrated Project Team (IPT) and is approved by the
Acquisition Executive. The project confidence level should be based on but not limited to the
project risk assumptions, project complexity, project size, and project criticality. At a minimum,
project performance baselines should be estimated, budgeted, and funded to provide a range of
70-90 percent confidence level for DOE capital asset projects. Projects should check with their
program sponsor for additional guidance. The confidence level for Major Items of Equipment
may be significantly different from the construction of conventional facilities that will house the
equipment. If a project has a performance baseline change, the FPD should consider reanalyzing
the risks at a higher confidence level for budgetary requests and funding profiles to ensure
project completion.
This DOE Guide defines four categories of contingency, each of which were discussed
throughout the document.
DOE contingency budget is identified as funded contingency for use by the FPD.
Contingency is the risk based, quantitatively derived portion of the project budget that is
available for managing risks within the DOE performance baseline. At a minimum, DOE
capital asset project costs should be estimated to provide a range of 70-90 percent
confidence level.
DOE schedule contingency is the risk-based, quantitatively derived portion of the overall
project schedule duration that is estimated to allow for the time-related risk impacts and
other time-related project uncertainties. Project schedule contingency should be estimated
to provide a range of 70-90 percent confidence level.
Contractor management reserve budget is determined by the contractor and is the risk
based, quantitatively derived portion of the contract budget base (CBB) that is set aside
for management purposes to handle risks that are within the contractor’s contractual
obligations. Once the CBB has been established, it is allocated by the contractor to MR
and the Performance Measurement Baseline (PMB). The contractor’s determination of
MR is not intended to justify a post contract increase to the CBB. MR is maintained
separately from the PMB and is utilized through the contractor’s change control process.
MR is not used to resolve past variances (positive or negative) resulting from poor
Attachment 11 DOE G 413.3-7A
Page 11-2 1-12-2011
contractor performance or to address issues that are beyond the scope of the contract
requirements. Use of MR should follow EVMS rules per ANSI/EIA-748B.
Contractor schedule reserve is determined by the contractor, and is the risk based,
quantitatively derived portion of the overall contract schedule duration estimated to allow
the contractor time to manage the time-related impacts of contractor execution risks and
other contractor duration uncertainties within the contract period. Contractor schedule
reserve does not add time or schedule duration to the contracted end date.
The quantitative methodologies used to analyze DOE projects should use an objective analysis to
evaluate project cost and schedule estimate uncertainties and discrete project risks. The analysis
should aggregate the probability and consequences of individual risks, and cost and schedule
uncertainties to provide an estimate of the potential project costs.
The purpose of the quantitative risk analysis is to provide risk-based project budget and
completion date estimates using statistical modeling techniques such as Monte Carlo, Quasi-
Monte Carlo, sensitivity simulations, and other stochastic methodologies depending upon the
project data.
While the use of the Monte Carlo simulation is one of the standards used by DOE, the use of
alternate forms of quantitative analysis may be used in conjunction with Monte Carlo simulation
to validate contingency conclusions. Other recognized forms of quantitative analysis that are
often used include: decision trees, influence diagrams, system dynamics models, and neural
networks. Figure A-1 below shows the typical components of the DOE project performance
baseline representing the fundamental building blocks used in this protocol.
Figure A-1. Performance Baseline Components for Capital Asset Projects.
DOE G 413.3-7A Attachment 12
1-12-2011 Page 12-1
Attachment 12: Cost and Schedule Contingency Development Process
(Supplementary Information)
The contents under this Section should be interpreted as unqualified recommendations and
clarification guidance for the definition, derivation and use of the terms contingency and MR in
risk management for DOE projects.
DOE O 413.3B requires that DOE project estimates be developed based on qualitative and
quantitative analysis of project risks and other uncertainties. The DOE qualitative and
quantitative analysis process begins in the project’s planning stage with the identification of
project risks during the initial project planning phase prior to the first Critical Decision (CD)
point (approval of mission need). After CD-0, project development and planning documentation
are prepared that include the initial Federal Risk Management Plan (FRMP) as part of the
preliminary Project Execution Plan (PEP). During this phase of the project, the initial
development of the project risk register is initiated with the identification of potential project
risks and enabling assumptions.
At CD-1, the baseline scope is refined enough to develop a preliminary baseline cost range and
schedule. The FRMP continues to evolve as the project scope is refined, new risks are added to
the risk register and existing risks are re-examined and the project knowledge base increases.
In preparation for the CD-2 project phase, the project performance baseline estimate is refined to
include risk handling costs and evaluated to determine the project budget needed to provide an
appropriate confidence level (CL) to ensure the project’s success. The identified DOE project
risks are qualitatively and quantitatively evaluated to determine the likelihood of occurrence and
the potential impacts to the project should the risk events occur.
Quantitative Contingency Analyses
This DOE Risk Management Guide states that the purpose of the quantitative risk analysis is to
provide budget and completion date estimates that include the effects of the project risks and
other project uncertainties using statistical modeling techniques such as Monte Carlo analyses or
other similar methodologies. Other forms of quantitative analysis may be used in conjunction
with Monte Carlo simulation including: (projects may adopt other acceptable
methods/approaches as determined appropriate by the program office).
Decision trees.
Influence diagrams.
System dynamics models.
Neural networks.
This document assumes Monte Carlo methodologies will be used in the development of the cost
and schedule baseline models. The diverse and unique nature of DOE projects characterized by
Attachment 12 DOE G 413.3-7A
Page 12-2 1-12-2011
an assortment of distinct technologies, physical locations, project duration, and project size has a
significant impact on the risk profile of each DOE capital asset project that makes it impossible
to establish a prescriptive procedure or single quantitative risk model for determining a project’s
contingency needs. Consequently, only a basic framework is used to outline considerations
essential in the development of DOE contingencies.
Cost and Schedule Risk Models
DOE contingency risk models are used to evaluate the effects of risk impacts and estimate
uncertainties on project cost and schedule performance baselines. The results of the risk analysis
are used to establish the cost and schedule contingency needed by the project to provide a
suitable confidence level for DOE project success. The analyses may use one or more risk
models to evaluate the cost impacts and the associated schedule impacts.
For each risk, a percent or percentage distribution is assigned to the probability (the likelihood of
the risk occurring), a dollar value or dollar value distribution is assigned to the cost impact, and a
schedule duration impact or duration distribution is assigned to the affected activity in the
schedule.
In general the concept is implemented as:
EV = P
Ri
x CI
Ri
(SI
R1
)
Where: EV = Expected Value of cost impact (or duration impact) of all risks
P
Ri
= Probability distribution function of a risk occurring
CI
Ri
= Cost Impact distribution function of a risk occurrence
SI
R1
= Schedule Impact distribution function of a risk occurrence
[Note: ∑ is not the summation of individual expected values for each risk, but represents
a stochastic process (e.g. Monte Carlo simulation) using the collective probabilities and
cost/schedule impacts for all the identified risk events.]
Figure A-2 is a sample from a DOE construction project risk register showing the residual risk
data elements used for modeling the probability of occurrence (Probability %) and the triangular
distribution representing a three point estimate of the anticipated range of cost and schedule
impacts.
DOE G 413.3-7A Attachment 12
1-12-2011 Page 12-3
Figure A-2. Sample Risk Register.
The results of Monte Carlo analyses are generally summarized by a probability distribution
function (PDF) and a cumulative distribution function (CDF), as shown in Figure A-3. The PDF,
also described as a probability density function, represents the distribution of the analytical
model outcomes. As an example, the Monte Carlo analysis may be designed to estimate the cost
or duration of a project. The PDF represents the number of times a certain cost or duration is
achieved. The CDF is a statistical function based on the accumulation of the probabilistic
likelihoods of the analytical analysis. In the case of the DOE risk analysis, it represents the
likelihood that at a given probability the project cost or duration will be at or below a given
value. As an example, the x-axis might represent the range of potential project cost values
evaluated by the Monte Carlo simulation and the y-axis represents the project’s probability of
completion.
Figure A-3. PDF and CDF.
Contractor Budget Base
305
244
183
122
61
0
Frequency of Occurrence
Cumulative Probability
100 %
95 %
90 %
85 %
80 %
75 %
70 %
65 %
60 %
55 %
50 %
45 %
40 %
35 %
30 %
25 %
20 %
15 %
10 %
5 %
500
600
800
PDF Curve
500 600 700400300 800 900 1000 1100 1200
CDF Curve
Attachment 12 DOE G 413.3-7A
Page 12-4 1-12-2011
An advantage of an integrated cost and schedule risk model is the ability to capture schedule
related costs impacts, such as level-of-effort (LOE) support activities that increase project costs
as schedule related risk impacts delay or extend work efforts. Ideally, the integrated risk model is
based on a life-cycle resource loaded critical path schedule to which cost and schedule risks and
cost and schedule uncertainties are applied. Integrated risk models increase the flexibility of the
risk analysis and reduce the amount of manual coordination needed to model cost and schedule
risk impacts.
Project risks and the associated cost and schedule impacts are the primary inputs to the risk
model and are maintained within the project’s risk register. Figure A-4 depicts a conceptual risk
model showing typical inputs and outputs.
Figure A-4. Conceptual Risk Analysis Process.
Cost Risk Model
DOE capital asset projects should be estimated to provide a CL adequate to ensure project
success which includes evaluation of all project risks. Risk models should include contractor
execution risks and DOE project risks. The risk cost model should provide an estimate of the
Performance Baseline with a range of 70-90 percent confidence level for success
(recommended), which includes the contractor’s CBB, profit/fee, and government other direct
costs. The contractor MR is determined by the contractor and represents the amount of the CBB
that will be used for project management purposes for accomplishing the work scope within the
contractor’s contractual PMB.
When developing risk models, care should be exercised to assure the risk models are developed
using appropriate performance baseline information and project risk assumptions.
DOE G 413.3-7A Attachment 12
1-12-2011 Page 12-5
The recommended cost risk model should:
Include contractor execution risks, DOE risks, and all estimate uncertainties that are
within the project baseline.
Contain enough detail to allow segregation of contractor execution risks and DOE risks.
Contain enough detail to allow project risks to be associated with the Work Breakdown
Structure (WBS) they affect.
Include a provision for uncertainty ranges in cost escalation rates for the project.
Allow correlated DOE risks that affect multiple cost elements, e.g., escalation rates, to be
modeled at a high level to preserve the dependent relationship among correlated risks.
Include sufficient information to estimate costs associated with uncertainties in task
durations consistent with the schedule risk model.
Allow for inclusion of threats and opportunities.
Allow risk impacts to be placed in the appropriate fiscal year to support the identification
of annual contingency budgeting and reporting requirements.
DOE Schedule Risk Model
Schedule risk models should be based on the DOE project performance baseline schedule. If
practical, the DOE schedule risk model should be developed to include the schedule impacts of
the contractor execution risks and DOE project risks, as well as any schedule duration
uncertainties.
The recommended schedule risk model should:
Contain both contractor execution risks and DOE risks that fall within the project
baseline.
Contain enough detail to allow segregation of contractor execution risks and DOE risks.
Contain enough detail to distinguish among DOE schedule activities that have different
degrees of schedule uncertainty and should include estimate uncertainties.
Contain enough detail to allow specific DOE risk events to be associated with the
schedule activity that they affect.
Estimate the schedule impact on LOE activities so cost increases associated with
schedule slippages can be calculated and incorporated into the contingency estimates.
Attachment 12 DOE G 413.3-7A
Page 12-6 1-12-2011
Allow for alterations in activity duration that result from implementation of DOE risk
handling strategies or opportunities.
Determining Contingency Amounts
A common method used to evaluate risk model results is through the use of CDF curves, also
referred to as S-curves. As an example, for a cost risk model, the S-curve represents the
probability of completing the project at or below a given project cost. In this example the x-axis
represents the range of potential project cost values estimated by the Monte Carlo simulation and
the y-axis represents the probability of project completion. Figure A-5 illustrates two S-curves
for a hypothetical project. The S-curve on the left is based on the CBB and the S-curve on the
right is for the DOE capital asset project performance baseline and includes the contractor
execution risks and DOE project risks.
Figure A-5. S-Curves of Contractor CBB and DOE Performance Baseline.
Determining Schedule Contingency
The DOE schedule contingency is based on the same risks used in the development of the DOE
cost contingency. The DOE schedule contingency should be developed using a critical path
schedule. Schedule activities that are affected by an identified risk or duration uncertainty are
modeled in the schedule risk analysis with an appropriate probability distribution.
The calculation of schedule contingency is an iterative process requiring an initial analysis of the
schedule to determine the base schedule contingency values followed by a revision of the
schedule to adjust work scope to meet the existing selected key milestones and deliverable dates.
The FPD may alternately choose to apply the DOE schedule contingency to the end of
milestones and/or the project completion date to determine the expected completion date should
Probabilistic Projection of Cost using Monte Carlo Analyses
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Probability of Completion at
a given Project Cost
CBB
PB
Capital Asset Project Cost
Based on
Contactor
Budget Base
80% CL Includes all
Contactor Execution Risks &
DOE Project Risks
Probabilistic Projection of Cost using Monte Carlo Analyses
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Probability of Completion at
a given Project Cost
CBB
PB
Capital Asset Project Cost
Based on
Contactor
Budget Base
80% CL Includes all
Contactor Execution Risks &
DOE Project Risks
DOE G 413.3-7A Attachment 12
1-12-2011 Page 12-7
project risks be realized that delay the anticipated project completion. Note that this differs from
contractor schedule reserve, which cannot add time or schedule duration to the contracted end
date.
Risk Model Outputs
To support the required budgeting, management, and reporting requirements of the project, the
risk analysis should provide the following:
The risk analysis models should be able to produce a PDF and a CDF for the project.
The risk analysis models should be able to produce a PDF and a CDF for each selected
milestone.
The models should be capable of performing a sensitivity analysis for project cost and
schedule elements. Risk analysis sensitivity results are typically presented as tornado
diagrams that provide an analytical and visual representation of risk event impacts.
Ideally, the model should place resulting contingencies in a time frame to allow for fiscal
year budgeting of DOE contingency. Figure A-6 illustrates how contingency budget
projections can be depicted.
Figure A-6. Contingency Budget Projection.
Attachment 12 DOE G 413.3-7A
Page 12-8 1-12-2011
Updating Contingency Analyses
The IPT should analyze project risks and update the risk register on a continual basis.
Quantitative cost and schedule contingency analyses should be updated periodically throughout
the project life-cycle. At a minimum, the DOE quantitative analysis should be reviewed semi-
annually and updated if necessary. Monthly project performance reporting should include a
review of the use of MR and contingency.
As needed, the FPD should update the project contingency analysis to determine if scope
revisions or unanticipated risks present the potential for future budget shortfalls or extensive
project delays based on new information. The identification of new or unanticipated risks and
project uncertainties do not necessarily provide justification for increasing the project completion
date, the TPC, or the project budget and funding profiles originally established.
DOE G 413.3-7A Attachment 13
1-12-2011 Page 13-1
Attachment 13: Contingency Estimate Inputs and Interface Needs
(Supplementary Information)
The contents under this Section should be interpreted as unqualified recommendations and
clarification guidance for the definition, derivation and use of the terms contingency and MR in
risk management for DOE projects.
Development of cost and schedule contingency for capital asset projects requires rigorous
analysis of potential risks, mitigation plans, and opportunities. Collaboration and interfaces are
needed between the people who are knowledgeable and conversant with the specific risks of the
project and those who are familiar with the probabilistic methods to reduce bias and to produce
realistic quantification of projects risks. Thus close synergy is needed between the project people
who understand the risk and risk impacts, and the specialist (tool driver) who has intimate
understanding of simulation models, but may not know much about the project (see Attachment
12, Figure A-4, Conceptual Risk Analysis Process, for inputs into the quantitative cost and
schedule risk models).
Risk Management Input
The quantitative risk analysis inputs identified within the DOE Risk Management Guide may
include but are not limited to:
DOE and contractor risk management plans.
Historical records (especially where similar risks were handled).
Actual costs to date.
Critical Path analysis.
Subject matter experts.
Delphi techniques.
Interviewing staff, crafts, retirees, and others familiar with similar work efforts at the site
or other sites.
Technical records such as safety analysis documents including the risk and opportunity
assessment, quality assessments, safeguards and security analyses, and environmental
assessments.
Beyond the inputs proposed in the Risk Management Guide, the project schedules should
integrate the contractor and DOE schedules to allow the use of Monte Carlo simulation software.
Attachment 13 DOE G 413.3-7A
Page 13-2 1-12-2011
To facilitate Monte Carlo analysis, all schedules and cost estimates should include the following
characteristics:Activities in the schedules should be logically linked and should have a well
defined critical path.
Critical path and near-critical path activities should have duration uncertainties defined.
A resource loaded schedule is required by DOE O 413.3B and can be used for integrated
cost/schedule risk models.
LOE activities should be clearly identified, logically linked, and declared as a type LOE
activity, e.g., not a fixed duration activity. (Modeling requirements of scheduling details
will vary by application.)
Risks should be mapped to schedule activities or the lowest WBS element in a higher
level schedule.
Co-dependent risks should be clearly identified and evaluated to segregate impacts.
Complete DOE and contractor cost estimates should be available.
Schedule uncertainties should be defined for each WBS element.
If an integrated cost/schedule model is not being performed, hotel loads or minimum safe
conditions should be defined.
Estimate Uncertainty
Estimate uncertainties are fundamental contributors to cost growth and are expected to decrease
over time as the project definition improves and the project matures. Estimate uncertainty is a
function of, but not limited to, the quality of the project scope definition, the current project life-
cycle status, and the degree to which the project uses new or unique technologies. Estimate
uncertainties occur throughout the DOE baseline. One approach to account for estimate
uncertainty is to use uncertainty ranges established by the professional societies such as the
Association for the Advancement of Cost Engineering International (AACEI), Table A.1, or
other estimating guidance. Estimate uncertainty contributes to both cost and schedule
contingency. The Table A-1 could be used for both cost and schedule estimate uncertainty and
should be done separately for evaluating quantitative impacts on project contingency.
DOE G 413.3-7A Attachment 13
1-12-2011 Page 13-3
Class of Cost Estimate
Estimate
Uncertainty (Low
Range)
Estimate
Uncertainty (High
Range)
Class 5 Concept Screening
-20% to -50%
+30% to +100%
Class 4 Study or Feasibility
-15% to -30%
+20% to +50%
Class 3 Budget Authorization
-10% to -20%
+10% to +30%
Class 2 Control or Bid
-5% to -15%
+5% to +20%
Class 1 Check Estimate
-3% to -10%
+3% to +15%
Table A-1. Estimate Uncertainty Range as a Function of Estimate Class.
Risk Events
Risk events, by definition, include both threats and opportunities (see Attachment 15, Glossary).
These risk events may or may not happen at some future time. An example of a risk event
identified as a threat would be if a new technology fails to work as expected. An example of a
risk event identified as an opportunity would be the elimination of project work scope as a result
of a new technology.
Risk events can be represented as probabilistic distributions that identify the likelihood of the
risk event occurring with separate distributions that describe the consequence or impact to the
project if the risk event occurs. Risk events have schedule and/or cost consequences. One should
consider the impacts that realized risks might have on the critical path or near-critical path
resulting in increases to the overall project schedule affecting escalation of costs, overhead costs,
and other project execution costs associated with work scope delays and/or extensions.
In summary, when assessing the project risks the FPD, IPT, and Project Manager should:
Consider and distinguish between estimate uncertainty and risk events.
Quantify the risk likelihood, and the risk cost and schedule impacts.
Identify the activities in the schedule that are affected by the risks.
Estimate the cost of each risk handling strategy for consideration as additional baseline
work scope, and consider the ramifications of excluding the handling strategy in the
baseline work scope.
Consider the potential impacts of secondary risks resulting from specific risk handling
strategies.
Quantify the residual risks likelihood, and the residual risks cost and schedule impacts.
Attachment 13 DOE G 413.3-7A
Page 13-4 1-12-2011
Categories of Risk
Development and management of project cost and schedule contingency requires clarity
regarding risk ownership and risk characterization.
Project risks are potential threats or opportunities categorized as:
DOE program/portfolio risks.
DOE project risks.
Contractor execution risks.
Unknown-unknowns.
As described in this DOE Risk Management Guide, identification of contractor execution
(performance) risks, DOE project risks, and DOE programmatic risks are assessed by the IPT.
DOE Program/Portfolio Risks are risks that are owned and managed outside of the
project and cannot be managed within the project funding. These are typically associated
with the Enabling or Bounding Assumptions referenced in the Risk Management Plan.
Portfolio risks are owned and managed by DOE, and represent inter-dependent risks
common to more than one project. The cost and schedule impacts of program/portfolio
risks are not, and should not, be included in a project’s contingency calculation.
Examples include:
o Closure of Waste Isolation Pilot Plant.
o National repository opening later than anticipated.
o Congressional funding reductions.
o DOE funding reductions.
o Re-programming.
o Stakeholder changes.
o Site mission changes.
o Regulatory and Statutory changes.
o DOE directives.
DOE G 413.3-7A Attachment 13
1-12-2011 Page 13-5
DOE Project Risks are risks that are within the project baseline but are generally beyond
the contractor’s control and are managed at the project level. Risks cannot be effectively
shared between DOE and the contractor, and should be handled by partitioning them into
separate DOE and contractor risks. Examples of DOE risks include:
o Major technological failures.
o Coordination across site programs.
o Changes due to direction from Agency senior management.
o Unusual weather delays.
o Interpretation of Regulatory and Statutory requirements (how clean is clean).
o Procurement (government furnished services and items (GFS/I).
o Contractor performance (based on work history).
Contractor Execution Risks are those that may fall within the contractor’s contractual
obligations. Examples include:
o Material availability (non-GFS/I).
o Market pricing.
o Failure of the design (non-GFS/I).
o Labor availability.
o Productivity
o Procurement (supplier performance, and product availability).
o Subcontractor performance.
o Safety (compliance, occurrences and events, etc.).
o Basic process uncertainty.
o Normal weather delays.
Unknown-unknowns (can also be DOE project risks) are program risks that are identified
during the execution of the project through either routine risk management practices or
because they have been realized.
It is not possible to identify all risks at the onset of a project. As new risks are identified,
they should be added to the risk register. Unidentified risks might originally be
Attachment 13 DOE G 413.3-7A
Page 13-6 1-12-2011
unanticipated because the probability of the event is so small that its occurrence is
virtually unimaginable. Alternatively, an unidentified risk might be one that falls into an
unanticipated or uncontrolled risk event category. This would include Hurricane Katrina-
type events or an event that materialized because of other events outside the project
baseline control.
DOE G 413.3-7A Attachment 14
1-12-2011 Page 14-1
Attachment 14: Management and Reporting of MR and Contingency
(Supplementary Information)
The contents under this Section should be interpreted as unqualified recommendations and
clarification guidance for the definition, derivation and use of the terms contingency and MR in
risk management for DOE projects.
The integrated project baseline, cost, schedule, and risk analysis process is used to identify and
quantify the various risks and uncertainties that have the potential to affect project performance.
Use of Contingency
Contingency should be used to pay for, or recover from, the impacts of realized DOE project
risks, poor performance, and DOE estimating uncertainties and inaccuracies incurred in the
execution of the project baseline. DOE contingency is managed through a formal baseline
configuration change control process and utilization should be reported as the contingency is
expended. It is important to reiterate that contingency and MR should not be used to resolve past
negative variances resulting from poor contractor performance and MR is not to be used to
address issues that are beyond the scope of the contract requirements. Cost variances should be
preserved during project realignments and/or re-sequencing of project activities.
To a greater or lesser extent, the occurrence of a risk event or the impact of the risk event may be
mitigated at the direction of the FPD. The FPD may adopt various risk handling strategies that
decrease a risk’s likelihood of occurrence or decrease the anticipated risk impact should the risk
event occur. While all project budgets should include funds for risk management (including risk
mitigation strategies to reduce the probability and/or consequence of risk events) within their
budget, the project budget should not be viewed as the primary means to deal with risks after a
risk event occurs. These funds are intended to be used to pursue the selected mitigation strategies
in the FRMP. For example, conducting research and development to mitigate a specific risk does
not mean the funds are held as contingency until the event occurs. The funds are intended to be
used to prevent the event from occurring, or to reduce its impact. Consequently, the risk
mitigation effort should be an active work package within the WBS that is scheduled and
executed as part of the project work scope. Various risk handling strategies are discussed in the
DOE Risk Management Guide.
Project Change Control Processes
When a contractor risk is realized, the contractor uses the contractor’s change control process,
employing standard Earned Value Management System practices and procedures, to transfer
contingency or MR to the PMB. As contingency or MR is utilized, the PMB is adjusted to reflect
the change and the CBB remains unchanged. If a contractor opportunity is realized, contingency
or MR can be increased and the PMB is decreased accordingly, while the CBB remains
unchanged. The contractor’s change control process and the necessary approval thresholds are
documented in the contractor’s Project Management Plan.
Attachment 14 DOE G 413.3-7A
Page 14-2 1-12-2011
When a DOE risk is realized, contingency budget may be transferred to the project. However,
this should not occur until the impact of the realized risk has been determined, necessary changes
to the contract have been identified and coordinated with the contracting officer. The transfer of
contingency budget to the project PMB should not occur until the contract has been modified.
The FPD and the Contracting Officer use the Project and Contract Change Management
processes to ensure the project baseline and the contract remain aligned. The baseline change
control process and the necessary approval thresholds are documented in the PEP.
Monitoring and Evaluating
Since contractor cost and schedule reserves and DOE cost and schedule contingency are finite
resources, their use should be monitored, tracked, and evaluated as part of the ongoing project
control function. The reporting requirements for cost and schedule reserve and DOE cost and
schedule contingency usage can be tailored to meet the project needs.
Monitoring and Evaluating Contractor Reserves and DOE Contingencies
Contractors should plan the usage of MR and schedule reserves and FPDs should plan the usage
of DOE cost and schedule contingencies over time, based on the anticipated risk occurrences and
impacts. MR and DOE contingency should be time-phased over the project duration, allocated
by fiscal year. Trending usage of these resources may indicate larger unforeseen issues as latent
risks become visible. Figure A-7 is an example of a utilization curve showing the planned and
actual resource usage.
Figure A-7. Example of a Utilization Curve.
Summary of MR Reporting Elements
The following information should be considered as part of periodic project reports by the FPD:
(Note: The FPD should coordinate with their program office organization about their specific
guidelines and requirements which may vary depending upon the project size and complexity.)
MR and schedule reserve available at the beginning of the month.
An updated MR utilization curve.
Example Utilization Curve
0
5,000,000
10,000,000
15,000,000
20,000,000
25,000,000
2007
2007
2008
2008
2009
2009
= Projected Utilization
= Actual Utilization
DOE G 413.3-7A Attachment 14
1-12-2011 Page 14-3 (and Page 14-4)
An update of schedule reserve utilization, if applicable.
A list of realized risks (threats and opportunities) that required usage of MR and schedule
reserves (amount changed, Risk Identification (ID), and Title/Description of risk).
A list of risks that were realized and funded by delay of scope (amount, Risk ID,
Title/Description, Change Control ID #, and scope that was delayed).
A list of risk opportunities that were realized and the days of schedule that were gained
and/or MR gained.
Adequacy of remaining contractor MR and schedule reserves.
Cost Performance Index (CPI) and Schedule Performance Index (SPI).
Summary of DOE Contingency Reporting Elements
The following information should be considered as part of periodic project reports by the FPD:
(Note: The FPD should coordinate with their program office organization about their specific
guidelines and requirements which may vary depending upon the project size and complexity)
DOE cost and schedule contingency available at the beginning of the current month.
Updated DOE project contingency utilization.
Update of DOE schedule contingency utilization.
List of risks (threats and opportunities) that required use of cost and schedule
contingency (amount changed, Risk ID, Title/Description of risk, and previously
unidentified risks).
List of risks that were realized and funded by delay of scope (amount, Risk ID,
Title/Description, Change Control ID #, and delayed work scope).
List of risk opportunities that were realized and the days of schedule that were gained
and/or DOE project contingency gained.
Adequacy of remaining DOE cost and schedule contingencies.
List of closed project risks.
List of newly identified project risks.
List of risks nearing realization.
Updated risk register.
DOE G 413.3-7A Attachment 15
1-12-2011 Page 15-1
Attachment 15: Glossary
This glossary of terms is derived within the context of how terms are used in the guide.
Acquisition Strategy: A high-level business and technical management approach designed to
achieve project objectives within specified resource constraints. It is the framework for
planning, organizing, staffing, controlling, and leading a project. It provides a master schedule
for activities essential for project success, and for formulating functional strategies and plans.
Activity: An element of work performed during the course of a project. An activity normally
has an expected duration, an expected cost, and expected resource requirement.
Actual Cost: The costs actually incurred and recorded in accomplishing work performed.
Assumptions: Factors used for planning purposes that are considered true, real or certain.
Assumptions affect all aspects of the planning process and of the progression of the project
activities. (Generally, the assumptions will contain an element of risk.)
Avoid (Avoidance): A risk handling strategy in which project activities are planned in such a
way as to eliminate the potential threat. In general, avoidance is the most desirable risk
handling strategy.
Baseline: A quantitative definition of cost, schedule, and technical performance that serves as
a base or standard for measurement and control during the performance of an effort; the
established plan against which the status of resources and the effort of the overall program,
field program(s), project(s), task(s), or subtask(s) are measured, assessed, and controlled.
Bias: A repeated or systematic distortion of a statistic or value, imbalanced about its mean.
Bounding Assumption: Identified risks that are totally outside the control of the project team
and therefore cannot be managed (i.e., transferred, avoided, mitigated, or accepted). Bounding
assumptions are also referred to as ―enabling assumptions in the context of opportunity risks.
Brainstorming: Interactive technique designed for developing new ideas with a group of
people.
Capital Asset Projects: A unique effort to acquire or perform additions, improvements,
modifications, replacements, restorations, rearrangements and reinstallations, and major
repairs but not ordinary repairs and maintenance. The project acquisition cost of a capital asset
includes both its purchase price and all other costs incurred to bring it to a form and location
suitable for its intended use. Capital assets include the environmental remediation of land to
make it useful, leasehold improvements and land rights.
Change Control: A process that ensures changes to the approved baseline are properly
identified, reviewed, approved, implemented and tested, and documented.
Attachment 15 DOE G 413.3-7A
Page 15-2 1-12-2011
Co-dependent Risk: Co-dependent project risks are generated when intermediate deliverables
or outcomes (two or more projects or sub-projects at the same site) interlock in such a way
that if both projects are not successfully completed, neither can be successfully completed.
Communication Planning or Plan: Process and plan for determining the information and
communication needs of the project stakeholders. Identifies who needs what information,
when they will need the information, and how it should be presented, tracked, and
documented.
Confidence (Confidence Level): The probability that a cost estimate or schedule can be
achieved or bettered. This is typically determined from a cumulative probability profile (see
Cumulative Distribution Function‖) that is the output from a Monte Carlo simulation.
Consequence: Outcome of an event. (Normally includes scope, schedule, and cost.)
Contingency: The portion of the project budget that is available for risk uncertainty within the
project scope, but outside the scope of the contract. Contingency is budget that is not placed
on the contract and is included in the Total Project Cost. Contingency is controlled by federal
personnel as delineated in the PEP.
Contractor Project Manager (CPM): The contractor official who is responsible and
accountable for successful execution of the contractor’s project scope of work subject to the
contract terms and conditions. The CPM interfaces with the Federal Project Director.
Correlation: Relationship between variables such that changes in one (or more) variable(s) is
generally associated with changes in another. Correlation is caused by one or more
dependency relationships. Measure of a statistical or dependence relationship existing between
two items estimated for accurate quantitative risk analysis.
Cost Estimate: A documented statement of costs estimated to be incurred to complete the
project or a defined portion of a project.
Critical Path: A logically related sequence of activities in a critical path schedule having the
longest duration. The total float is zero. A delay in any activity will have a corresponding
impact on the completion date of the project.
Cumulative Distribution Function (CDF): A statistical function based on the accumulation
of the probabilistic likelihood of occurrences. In the case of the DOE risk analysis, it
represents the likelihood that at a given percentage the project cost or duration will be at or
below a given value. As an example, the x-axis might represent the range of potential project
cost values evaluated by the Monte Carlo simulation and the y-axis represents the project’s
probability of completion. (See figure A-3 and below.)
DOE G 413.3-7A Attachment 15
1-12-2011 Page 15-3
Decision Analysis: Process for assisting decision makers in capturing judgments about risks as
probability distributions, having single value measure, and putting these together with expected
value calculations.
Delphi Technique: Technique used to gather information used to reach consensus within a
group of subject matter experts on a particular item. Generally a questionnaire is used on an
agreed set of items regarding the matter to be decided. Responses are summarized, further
comments elicited. The process is often repeated several times. Technique is used to reduce bias
in the data and to reduce the bias of one person, one voice.
Decision Trees: A diagram that shows key interactions among decisions and associated chain
events as they are understood by the decision maker. Branches of the tree represent either
decisions or change events. The diagram provides for the consideration of the probability of each
outcome.
DOE Contingency: Cost contingency for risks that are within the project’s baseline but outside
the contractor’s management control. DOE contingency is held by DOE.
DOE Schedule Contingency: Duration allowance used to adjust schedule for realized risks that
are within the project baseline, and outside the contractor’s control.
Earned Value Management System (EVMS): Is the integrated set of processes used to
implement the standard and its criteria. In its simplest form, EVMS can be implemented without
any software. Software simply enhances productivity, allows the implementation of EVMS more
economically and facilitates managing complex projects. EVMS is not software.
Enabling Assumption: Identified risks that are totally outside the control of the project team and
therefore cannot be managed (i.e., transferred, avoided, mitigated, or accepted).
Estimate: Assessment of the most likely quantitative result. (Generally, it is applied to costs and
durations with a confidence percentage indication of likelihood of its accuracy.)
Estimate-at-Completion: The current estimated total cost for project authorized work. EAC
equals the actual cost to a point in time plus the estimated costs to completion.
Contractor Budget Base
305
244
183
122
61
0
Frequency of Occurrence
Cumulative Probability
100 %
95 %
90 %
85 %
80 %
75 %
70 %
65 %
60 %
55 %
50 %
45 %
40 %
35 %
30 %
25 %
20 %
15 %
10 %
5 %
500 600 700400300 800 900 1000 1100 1200
CDF Curve
Contractor Budget Base
305
244
183
122
61
0
Frequency of Occurrence
Cumulative Probability
100 %
95 %
90 %
85 %
80 %
75 %
70 %
65 %
60 %
55 %
50 %
45 %
40 %
35 %
30 %
25 %
20 %
15 %
10 %
5 %
500 600 700400300 800 900 1000 1100 1200500 600 700400300 800 900 1000 1100 1200
CDF Curve
Attachment 15 DOE G 413.3-7A
Page 15-4 1-12-2011
Estimate to Complete (ETC): The current estimated cost for remaining authorized work to
complete the project.
Expert Interviews: Process of seeking opinions or assistance on the project from subject matter
experts (SMEs).
Estimate Uncertainty: The inherent accuracy of a cost or schedule estimate. Represents a
function of the level of project definition that is available, the resources used (skill set and
knowledge) and time spent to develop the cost estimate and schedule, and the data (e.g., vendor
quotes, catalogue pricing, historical databases, etc.) and methodologies used to develop the cost
estimate and schedule.
External Risks: Risks outside the project control or global risks inherent in any project such as
global economic downturns, trade difficulties affecting deliverables such as construction
materials or political actions that are beyond the direct control of the project.
Feedback: System concept where a portion of the output is fed back to the input.
Fishbone Diagram: Technique often referred to as cause and effect diagramming. Technique
often used during brainstorming and other similar sessions to help identify root causes of an
issue or risk. Structure used to diagram resembles that of a fish bone.
Government Other Direct Costs: Government Costs that are needed for the project such as
government furnished services, items and equipment, government supplied utilities (if directly
metered), and applicable waste disposal fees.
Hotel Loads: A term used to identify the cost associated with level of effort activities and fixed
costs that will be incurred until a given piece of work is complete. These costs can include the
costs for project management and administration and other direct costs associated with generic
facilities, rentals, and other indirect costs that are not part of the direct production activities.
Impact Scores: Convergence of the probability and consequence scores.
Influence Diagram: A graphical aid to decision making under uncertainty, it depicts what is
known or unknown at the time of making a choice, and the degree of dependence or
independence (influence) of each variable on other variables and choices.
Initiation: Authorization of the project or phase of the project.
Internal Risks: Risks that the project has direct control over, such as organizational behavior
and dynamics, organizational structure, resources, performance, financing, and management
support.
Key Risk: Key risks are a set of risks considered to be of particular interest to the project team.
These key risks are those estimated to have the most impact on cost and schedule and could
include project, technical, internal, external, and other sub-categories of risk. For example on a
nuclear design project, the risks identified using the ―Risk and Opportunity Assessment‖ process
DOE G 413.3-7A Attachment 15
1-12-2011 Page 15-5
may be considered a set of key risks on the project. Key Risks should be interpreted to have the
same meaning as ―Critical Risks‖ as referred in DOE O 413.3B.
Lessons Learned: Formal or informal set of ―learning‖ collected from project or program
experience that can be applied to future projects or programs after a risk evaluation. Lessons
learned can be gathered at any point during the life of the project or program.
Level-of-Effort: Baseline scope of a general or supportive nature for which performance cannot
be measured or is impracticable to measure using activity-based methods. Resource requirements
are represented by a time-phased budget scheduled in accordance with the time the support will
likely be needed. The value is earned by the passage of time and is equal to the budget scheduled
in each time period.
Management Reserve (MR): An amount of the total contract budget withheld for management
control purposes by the contractor. MR is not part of the performance measurement baseline.
Milestone: A schedule event marking the due date for accomplishment of a specified effort
(baseline activity) or objective. A milestone may mark the start, an interim step, or the
completion of one or more activities.
Mitigate: To eliminate or lessen the likelihood and/or consequence of a risk.
Mitigation Strategy: The risk handling strategy used to eliminate or lessen the likelihood and/or
consequence of a risk.
Monte Carlo Analysis: A method of calculation that approximates solutions to a variety of
mathematical problems by performing statistical sampling experiments on a computer; applies to
problems with no probabilistic content as well as to those with inherent probabilistic structure.
Neural Networks: Information processing paradigms inspired by the way biological neural
systems process data.
Opportunity: Risk with positive benefits.
Primary Risk: Initial risk entry in the risk register. A residual or secondary risk can become a
primary risk if in the case of a residual risk the primary risk is closed and the Federal Project
Director and/or Contractor Project Manager determines the residual risk should be made the
primary risk or the risk entry in the risk register. The secondary risk can become the primary risk
in the risk register if the Federal Project Director and/or Contractor Project Manager determine
that it should become the risk entry based upon the realization of the trigger metric or other
determining factor.
Probability: Likelihood of an event occurring, expressed as a qualitative and/or quantitative
metric.
Attachment 15 DOE G 413.3-7A
Page 15-6 1-12-2011
Probability Distribution Function (PDF): A probability distribution, also described as a
probability density function, represents the distribution of the probability of an outcome. As an
example, the Monte Carlo analysis may be designed to estimate the cost or duration of a project.
The PDF represents the number of times a certain cost or duration is achieved. (See figure A-3
and below.)
Program: A portfolio of projects and/or other related work efforts managed in a coordinated
way to achieve a specific business objective.
Program Risks: Events identified as potential threats or opportunities that are within the
program baseline cost or schedule.
Project Execution Plan (PEP): DOE’s core document for management of a project. It
establishes the policies and procedures to be followed to manage and control project planning,
initiation, definition, execution, and transition/closeout, and uses the outcomes and outputs from
all project planning processes, integrating them into a formally approved document. A PEP
includes an accurate reflection of how the project is to be accomplished, resource requirements,
technical considerations, risk management, configuration management, and roles and
responsibilities.
Project Management Plan (PMP): The contractor-prepared document that sets forth the plans,
organization and systems that the contractor will utilize to manage the project. Its content and
extent of detail of the PMP will vary in accordance with the size and type of project and state or
project execution.
Project Risk: Risks that are captured within the scope, cost, or schedule of the project.
Qualitative Risk Analysis: Involves assessing the probability and impact of project risks using a
variety of subjective and judgmental techniques to rank or prioritize the risks.
Quantitative Risk Analysis: Involves assessing the probability and impact of project risks and
using more numerically based techniques, such as simulation and decision tree analysis for
determining risk implications.
Residual Risk: Risk that remains after risk strategies have been implemented.
Contractor Budget Base
305
244
183
122
61
0
Frequency of Occurrence
Cumulative Probability
100 %
95 %
90 %
85 %
80 %
75 %
70 %
65 %
60 %
55 %
50 %
45 %
40 %
35 %
30 %
25 %
20 %
15 %
10 %
5 %
500
600
800
PDF Curve
500 600 700400300 800 900 1000 1100 1200
Contractor Budget Base
305
244
183
122
61
0
Frequency of Occurrence
Cumulative Probability
100 %
95 %
90 %
85 %
80 %
75 %
70 %
65 %
60 %
55 %
50 %
45 %
40 %
35 %
30 %
25 %
20 %
15 %
10 %
5 %
500
600
800
PDF Curve
500 600 700400300 800 900 1000 1100 1200500 600 700400300 800 900 1000 1100 1200
DOE G 413.3-7A Attachment 15
1-12-2011 Page 15-7
Risk: Factor, element, constraint, or course of action that introduces an uncertainty of outcome,
either positively or negatively that could impact project objectives. This definition for risk is
strictly limited for risk as it pertains to project management applications in the development of
the overall risk management plan and its related documentation and reports.
Risk Acceptance: An informed and deliberate decision to accept consequences and the
likelihood of a particular risk.
Risk Analysis: Process by which risks are examined in further detail to determine the extent of
the risks, how they relate to each other, and which ones are the highest risks.
Risk Analysis Method: The technique used to analyze the risks associated with a project.
Specific categories of risk analysis methods are:
1. Qualitative - based on project characteristics and historical data (check lists, scenarios,
etc.).
2. Risk models - combination of risks assigned to parts of the estimate or project to define
the risk of the total project.
3. Probabilistic models - combining risks from various sources and events (e.g., Monte
Carlo, Latin hypercube, decision tree, influence diagrams, etc.).
Risk Assessment: Identification and analysis of project and program risks to ensure an
understanding of each risk in terms of probability and consequences.
Risk Assumption: Any assumptions pertaining to the risk itself.
Risk Breakdown Structure: Methodology that allows risks to be categorized according to their
source, revealing common causes of risk on a project.
Risk Category: A method of categorizing the various risks on the project to allow grouping for
various analysis techniques such as Risk Breakdown Structure or Network Diagram.
Risk Communication: An exchange or sharing of information about risk between the
decision-maker(s), stakeholders, and project team. (The information can relate to various
information sources such as the existence, nature, form, probability, severity, acceptability,
treatment, or other aspects of risk.)
Risk Documentation: The recording, maintaining, and reporting assessments, handling analysis
and plans, and monitoring results.
Risk Event: A potential (identified or unidentified) condition (threat or opportunity) that may or
may not occur during the execution of a project.
Risk Handling: Strategies developed with the purpose of eliminating, or at least reducing, the
higher risk levels identified during the risk analysis. The strategies may include risk reduction or
mitigation, risk transfer/share, risk avoidance, and risk acceptance.
Attachment 15 DOE G 413.3-7A
Page 15-8 1-12-2011
Risk Handling Strategy: Process that identifies, evaluates, selects, and implements options in
order to set risk at acceptable levels given project constraints and objectives. Includes specific
actions, when they should be accomplished, who is the owner, and what is the cost and schedule.
Risk Identification: Process to find, list and characterize elements of risk.
Risk Management: The handling of risks through specific methods and techniques.
Risk Management Plan: Documents how the risk processes will be carried out during the
project.
Risk Mitigation: Process to reduce the consequence and/or probability of a risk.
Risk Modeling: Creation of a physical representation or mathematical description of an object,
system or problem that reflects the functions or characteristics of the item involved. Model
building may be viewed as both a science and an art. Cost estimate and critical path schedule
development should be considered modeling practices and not exact representations of future
costs, progress and outcomes.
Risk Monitoring and Tracking: Process of systematically watching over time the evolution of
the project risks and evaluating the effectiveness of risk strategies against established metrics.
Risk Owner: The individual responsible for managing a specified risk and ensuring effective
treatment plans are developed and implemented.
Risk Planning: Process of developing and documenting an organized, comprehensive, and
interactive strategy and methods for identifying and tracking risk, performing continuous risk
assessments to determine how risks have changed, developing risk handling plans, monitoring
the performance of risk handling actions, and assigning adequate resources.
Risk Register: Database for risks associated with the project. (Also known as risk database or
risk log.)
Risk Threshold: Defined or agreed level of acceptable risk that risk handling strategies are
expected to meet.
Risk Transfer: Movement of the risk ownership to another organizational element. (However, to
be successfully and fully transferred, the risk should be accepted by the organization to which the
risk is being transferred.)
Schedule Baseline: Time phased project activity durations and milestone commitment dates by
which projects are accomplished. The approved project schedule is a component of the overall
project plan. The schedule baseline provides the basis for measuring and reporting schedule
performance.
Schedule Contingency: Time allowance used to adjust schedule for realized DOE risks; based
on the schedule risk analysis.
DOE G 413.3-7A Attachment 15
1-12-2011 Page 15-9
Schedule Reserve: Time allowance used to adjust schedule for realized risks within the
contractor’s baseline.
Secondary Risk: Risk arising as a direct result of implementing a risk handling strategy.
Simulation (Monte Carlo): Process for modeling the behavior of a stochastic (probabilistic)
system. A sampling technique is used to obtain trial values for key uncertain model input
variables. By repeating the process for many trials, a frequency distribution is built up, which
approximates the true probability distribution for the system’s output. This random sampling
process, averaged over many trials, is effectively the same as integrating what is usually a very
difficult or impossible equation.
String Diagram: Technique used to analyze the physical or proximity connections within a
process. Technique is often used to find latent risks.
System Dynamics Models: System Dynamics Modeling is a methodology for studying and
managing complex feedback systems. Feedback refers to the situation X affecting Y and Y in
turn affecting X perhaps through a chain of causes and effects. One cannot study the link
between X and Y and, independently the link between Y and X and how the system will behave.
Only the study of the whole system as a feedback system will lead to correct results.
Technical Risk: Risks that include disciplines such as mechanical, electrical, chemical
engineering, safety, safeguards and security, chemistry, and biology.
Threat: Risk with negative consequences.
Triangle Distribution: Subjective distribution of a population for which there is limited sample
data. It is based on knowledge of the minimum and maximum and an inspired guess as to what
the modal value might be. It is also used as an alternative to the Beta distribution in PERT, CPM,
and similar forms of project management tools.
Trigger Date: The date for which a trigger metric is forecasted to be realized.
Trigger Metric: Event, occurrence or sequence of events that indicates the risk may be about to
occur, or the pre-step for the risk indicating that the risk will be initiated.
Uncertainty: A term used to describe the inherent unknowns and inaccuracies related to costs
and schedule estimates, as differentiated from risks.
Unidentified Risks: Risks that were not anticipated or foreseen by the IPT or by DOE-HQ staff
members. Unidentified risks might originally be unanticipated because the probability of the
event is so small that its occurrence is virtually unimaginable. Alternatively, an unidentified risk
might be one that falls into an unanticipated or uncontrolled risk event category. (These risks are
also categorized as ―unknown-unknown‖ risks.)
Value Engineering: Value engineering (VE) is a structured technique commonly used in project
management to optimize the overall value of the project. Often, creative strategies will be
employed in an attempt to achieve the lowest life cycle cost available for the project. A VE effort
Attachment 15 DOE G 413.3-7A
Page 15-10 1-12-2011
is a planned, detailed review/evaluation of a project to identify approaches to providing the
needed assets.
DOE G 413.3-7A Appendix A
1-12-2011 A-1
Appendix A: References
ANSI/EIA-748B, Earned Value Management Systems, June 2007.
Association for the Advancement of Cost Engineering International Recommended Practice No.
18R-97, Cost Estimate Classification System As Applied in Engineering, Procurement and
Construction for the Process Industries.
DoD Acquisition, DoD Acquisition Risk Management Guide, Sixth Edition, Version 1, August
2006.
DOE CIO Guidance Cs-3, Risk Management Guidance, October 10, 2007.
DOE, Office of Environmental Management, Risk Management Policy, February 23, 2007.
DOE O 413.3B, Program and Project Management for the Acquisition of Capital Assets, dated
11-29-2010.
DOE G 413.3-Series Guides.
DOE-STD-1189-2008, Integration of Safety Into the Design Process, March 2008.
NASA Procedural Requirements 8000.4, Risk Management, February 1, 2007.
National Research Council of the National Academies, The Owner’s Role in Project Risk
Management, 2005.
OMB M-07-24, Memorandum for the Heads of Executive Departments and Agencies, ―Updated
Principles for Risk Analysis,‖ September 19, 2007.
United States Government Accountability Office, GAO Cost Estimating and Assessment Guide,
Best Practices for Developing and Managing Capital Program Costs, GAO-09-3SP, March
2009.
U.S. Department of Energy, Office of Procurement and Assistance Policy, Office of Procurement
and Assistance Management to Procurement Directors, Acquisition Letter 2009-01,
―Management Reserve and Contingency,‖ October 6, 2008.
U.S. Department of Energy, Contract and Project Management Root Cause Analysis, Corrective
Action Plan, Corrective Measure 3, Identification of Best Risk Management Practices and
Analysis of DOE Risk Management Plans. Summary Report, July 2009.
http://management.energy.gov/1602.html
Checklist References
http://www.risk-management-basics.com/risk-management-checklists.shtml, Risk Management
Basics, March 2006.
Appendix A DOE G 413.3-7A
A-2 1-12-2011
http://www.wiredforgrowth.com/risk-tools/risk-checklists/?cprofile=N, Wired for Growth, 2008.
http://it.toolbox.com/blogs/enterprise-solutions/risk-management-checklist-22039, Information
Technology Toolbox, 2008.
http://international.fhwa.dot.gov/riskassess/risk_hcm06_b.cfm, U.S. Dept. of Transportation,
Federal Highway Administration, November 2007.
http://www.calstate.edu/cpdc/cm/forms/, California State University, June 2008.
http://www.startwright.com/project1.htm, StartWright, January 2006.
https://www.construction-institute.org/scriptcontent/index.cfm, Construction Industry Institute
(CII).
General References
Baker, ―Analyzing Risks,PM Network, March 2003.
Chilcott, Allan J., Risk Management A Developing Field of Study and Application, Cost
Engineering, September 2010.
Conrow, Effective Risk Management: Some Keys to Success, 2d. American institute of
Aeronautics and Astronautics, Inc., Reston, VA. 2003.
Cooper, ―Toward a Unifying Theory for Compounding and Cumulative Impacts of Project Risks
and Changes,‖ Innovations: Project Management Research 2004, Slevin, Cleland, and Pinto,
eds. PMI, Newtown Square, PA. 2004.
Cooper, Grey, Raymond, & Walker, Project Risk Management Guidelines: Managing Risk in
Large Projects and Complex Procurements. John Wiley & Sons, Ltd., West Sussex, England.
2005.
Fundamentals of Risk Analysis and Risk Management, Molak, ed. Lewis Publishers, Boca Raton,
Fl. 1997.
Hillson, D. A. (2007), ―Understanding risk exposure using multiple hierarchies,‖ published as
part of 2007 PMI Global Congress EMEA Proceedings Budapest, www.pmi.org.
Hillson and Murray-Webster, Understanding and Managing Risk Attitude. Gower, Burlington,
VT. 2005.
Hoffman, W., ―Balancing Act,PM Network, Newtown Square, PA. May 2006.
Hoffman, E. ―NASA Reduces Uncertainty and Minimizes Risks with Project Methods,‖ PM
Network, Newtown Square, PA. June 2003.
Hutchins, ―Ready for Risk Reporting?‖ PM Network, Newtown Square, PA. November 2002.
DOE G 413.3-7A Appendix A
1-12-2011 A-3
Ingebretsen, ―Afraid of a Little Risk?‖ PM Network, February 2005.
Jedd, ―Risking Less,‖ PM Network, Newtown Square, PA. September 2005.
Kendrick, Identifying and Managing Project Risk: Essential Tools for Failure Proofing Your
Projects. AMA, New York, NY. 2003.
Levine, Project Portfolio Management: A Practical Guide to Selecting Projects, Managing
Portfolios, and Maximizing Benefits. Jossey-Bass, San Francisco, CA. 2005.
Logue, ―20/20 Foresight,‖ PM Network, Newtown Square, PA. September 2004.
Maytorena, Winch, Kiely, Clarke, and Dalton, ―Identifying Project Risks: A Cognitive
Approach,‖ Innovations: Project Management Research 2004. PMI, Newtown Square, PA.
2004.
Mulcahy, Risk Management: Tricks of the Trade® for Project ManagersA Course in a Book®.
RMC Publications, 2003.
Pfeffer and Sutton, The Knowing-Doing Gap: How Smart Companies Turn Knowledge into
Action. Harvard Business School Press, Boston, MA. 2000.
Project Management Body of Knowledge 2004 Guide. Newtown Square, PA. 2004.
Project and Program Risk Management: A Guide to Managing Project Risks & Opportunities,
Wideman, Editor. PMI, Newtown Square, PA. 1992.
Risk Management Maturity Level Development: Risk Management Research and Development
Program Collaboration: INCOSE RMWG and PMI Risk SIG, 2002.
Royer, P.S., Project Risk Management: A Proactive Approach. Management Concepts, Vienna,
VA. 2002.
Sood, ―Taming Uncertainty,‖ PM Network, Newtown Square, PA. March 2003.
Smith, ―A Portrait of Risk,‖ PM Network, Newtown Square, PA. April 2003.
Smith and Merritt, Proactive Risk Management: Controlling Uncertainty in Product
Development. Productivity Press, New York, NY. 2002.
―Universal Risk Project, Final Report,‖ Joint Project: INCOSE RMWG and PMI Risk SIG,
2002.
Ward, ―Developing Project Risk Management,‖ Innovations: Project Management Research
2004. PMI, Newtown Square, PA. 2004.
Williams and Parr, Enterprise Program Management: Delivering Value. Palgrave McMillan,
New York, NY. 2004.
Appendix A DOE G 413.3-7A
A-4 1-12-2011
Decision Analysis References
Conrow, Effective Risk Management: Some Keys to Success, 2d. American Institute of
Aeronautics and Astronautics, Inc., Reston, VA. 2003.
Schuyler, Risk and Decision Analysis in Projects, 2d. Project Management Institute, Newtown
Square, PA. 2001.
Baker, Dennis, et al., Guidebook to Decision Making Methods, Developed for the Department of
Energy, December 2001. http://emi-web.inel.gov/Nissmg/Guidebook_2002.pdf