National Project Management System Directive on Risk Management for Real Property Projects

1. Effective date

April 20, 2017 (updated October 11, 2017)

2. Cancellation

This directive supersedes the National Project Management System (NPMS) Real Property Procedure on Risk Management that came into effect in December 2010.

3. Authority

This directive is issued under the authority of the Director General (DG), Service Lead, Project Management Service Line, Real Property Branch (RPB), Public Services and Procurement Canada (PSPC).

4. Context

PSPC Policy on Integrated Risk Management (082) (2015) (available on Government of Canada network only), established the department’s commitment to employ integrated risk management (IRM) to address uncertainty and maximize opportunity in decision-making, priority setting and the achievement of organizational objectives with respect to internal projects. The policy is also applied to the management services provided by PSPC in their delivery of other government department’s (OGD) projects. The policy applies to all of the department’s projects, programs, activities (strategic, operational and transformational) and to the responsibilities and activities of all PSPC employees. IRM is defined as a continuous, proactive and systematic process to understand, manage and communicate risks from an organization-wide perspective. This policy refers to the PSPC Risk Management Guide (July 2014) and the PSPC Departmental Risk Profile for its application.

For the majority of projects delivered by PSPC, the principles and methodology for the management of projects are defined in the department’s National Project Management System (NPMS). The PSPC Policy on the National Project Management System (106) (available on Government of Canada network only) states that the Branch/Agency Heads and Regional Director Generals (RDGs) are responsible for reporting on project performance and risks. Risk identification is one of the NPMS principles that is applicable to all projects being delivered by PSPC as an assessment of the solution undertaken in order to ensure value and to meet internal business objectives and clients’ project requirements.

This directive is to be implemented in conjunction with the PSPC Policy on the National Project Management System (106) (available on Government of Canada network only), and the other related PSPC and RPB policy instruments that are noted within this directive.

5. Scope

This directive applies to all employees performing project management related activities for any projects that are funded by PSPC or OGD and that follow NPMS.

6. Purpose

In order to support the requirement for the consideration of risk, this directive has been prepared to provide the principles and the directions for risk management in the delivery of projects by PSPC employees. The outcome from the application of this directive is an effective management of risk that meets the requirements from the Treasury Board (TB) and PSPC, as well as improved decision-making, better allocation of resources, consistent and defendable risk management practices, and effective management of OGD’s projects.

7. Details of the directive

7.1 Risk management process

Risk management is an essential component in the delivery of projects. Its primary objective is to ensure that the risks to the outcome of a project are identified and managed in such a manner so that the negative effect(s) of the specific risk events can be reduced or avoided, and be controlled in a systematic manner throughout the project life. Conversely, the positive effects of risks should be exploited in order to enhance any opportunities. Although the intent of PSPC is to consider risks from the aspect of both its opportunity and threat, this directive will mainly address the negative (threat) effects of risks.

Risk management is a pro-active and continuous process that is applied systematically throughout all phases of a project. The process is described in the PSPC Risk Management Guide, which identifies five steps, consisting of communication and consultation, establishing the context, assessing the risks, responding to the risks, and monitoring and reviewing, as illustrated in Figure 1: Extract from Risk Management Guide.

Further details on the key objectives and considerations for each of the 5 steps of the risk management process can be found in Annex A: Risk Management Process in the Delivery of Projects. This annex also includes examples of the where to find the information within project documentation in order to fulfill the requirement of the risk management process, as well as the resulting risk documentation and deliverables.

Figure 1: Extract from Public Services and Procurement Canada Risk Management Guide

Figure 1: Extract from PSPC Risk Management Guide – Image description below.

Image description

Steps, performed iteratively, as warranted:

establish context
risk assessment:
- risk identification
- risk analysis
- risk evaluation
risk response

Continuous activities:

communication and consultation
monitor and review

7.2 Risk management plan

The key deliverable in the risk management process is a risk management plan (RMP), which serves to identify the approach, the management components, and the resources required to manage risks to the project. Due to the progressive nature of project development, with increasing amounts of information and levels of detail becoming exposed as project evolves from one phase to the next within the NPMS model, the RMP must be adaptable throughout the life of the project to encompass these changes. To ensure continuity and evolution in the consideration of risks to projects throughout each of the NPMS phases, the RMP must incorporate the following risk management process steps that form the mandatory deliverables of this directive:

Risk assessment

Risk assessment is a continuous process involving the identification, analysis and evaluation of risks, in order to determine the inherent risk profile of projects. It applies the risk assessment matrix (RAM) for the analysis of the identified risks, according to their likelihood of occurrence and the level of their impact on the project’s objectives. The acceptable RAM uses the departmentally-adopted approach that is based on a 5x5 configuration, with 5 levels or measure of likelihood and impact: low, medium-low, medium, medium-high and high. Risk assessment for any project is required to support the decision-making processes during the NPMS Inception and Identification stages and/or the development of the project plan during the NPMS Planning phase within the Delivery stage.

Risk response plan

A risk response plan is the next process after risk assessment. It involves the identification of a specific risk response, potential risk response strategies, and then followed by the re-assessment of the risk events after application of the chosen response strategies. The outcome of this process is the resultant risk profile of the project, which provides the following:

the reference point from which risks to the project shall be managed and monitored
sufficient information in order to determine an appropriate contingency value (risk allowance - refer to section 7.3 Managing risk allowances) that will be used to offset the impact of the risks should they occur

Monitoring and review

The monitoring and review process is a continuous task that is required throughout the life of the project to assess the effectiveness and efficiency of the applied risk response plan. This process also enables the identification any changes/revisions in the risk profile of projects.

In order to meet the above requirements in the development of a RMP, it is necessary to have a consistent methodology and documentation that clearly demonstrate the 3 key processes. For this reason, the Risk Management Plan Guide has been prepared as a supplement to this directive. It provides detailed guidance and information on the use of the templates in the development of the RMP, which includes a combination of a project risk assessment and/or a risk register, and a monitoring record.

Further direction on the specific conditions for mandatory completion of the RMP documentation, and their acceptable contents, can be found in Annex B: National Project Management System deliverables for risk management.

It is important that the RMP be viewed as an evolving document that changes throughout the life of the project, with the risks increasing, decreasing, and/or lapsing/expiring. Therefore, continuous reviews and updates to its documentation (i.e. the combination of a project risk assessment and/or risk register) at the applicable and recommended project milestones (refer to section 7.4 Risk management process by National Project Management System phase) are critical in order to reflect the latest status of the risk events and the risk response strategies. The monitoring record must also be maintained and updated, as applicable, to reflect the changes made in the project risk assessment and/or risk register. Together, they enable effective planning and management of the project within its set objective(s), and baseline cost and time target(s).

7.3 Managing risk allowances

Risk allowances are the impact that risk events have on the project’s objective. In order to respond to risks, the values in terms of financial and/or time required to offset the risk event occurring must be quantified to provide the total potential impact on the project’s budget and/or schedule. Contained within the listing of all applicable risks to the project (as documented in a risk register), the risk allowances are developed for the risk events both before applying the risk response (that is the inherent risk allowance) and after the risk response (residual risk allowance). The latter is the key value that is taken into consideration when developing or confirming the project budget and/or schedule.

In order to effectively manage risk allowances, their definition and purpose must be clearly specified so that they can be understood in the same manner by all stakeholders. Each must be distinguishable from, and not duplicate, all other contingencies or allowances that may be included within the project budget. This helps in the continuous review and update of the risk register where timely identification of the sufficiency and validity of each residual risk allowance is crucial for the successful completion of the project. For example, any remaining residual risk allowance (funds) for risks that are no longer valid (lapsed/expired) and/or have been successfully mitigated may either be reassigned to an updated or new risk, or be released from the project budget altogether.

Additionally, as part of the business process for the PSPC financial system SIGMA, the residual risk allowances for RPB projects is required to be reported in SIGMA as per the Real Property Business Rules: Risk Allowance Planning and Forecasting.

7.4 Risk management process by National Project Management System phase

Described in the following sub-sections are the processes that must be considered at each of the nine NPMS phases. It is important to refer to the National Project Management System Directive for Real Property Projects for the relevant NPMS phases that apply to the project stream that is being considered. For example, for the projects carried out for, and funded by, OGDs, the applicable NPMS phases for the risk management process will normally begin at the Planning phase (section 7.4.6 Planning phase).

7.4.1 definition phase

A preliminary risk assessment must be conducted based on consultation with the key stakeholders and the assessment of the problem/opportunity presented. The result from the preliminary risk assessment at this NPMS phase is used to support the decision on whether the project should be initiated, and must therefore include, as a minimum, the identification of the following:

complexities, difficulties and uncertainties that are associated with the defined problem/opportunity
potential challenges and uncertainties associated with the development of the solution

The results from the risk assessment are documented in the Risk consideration section of the statement of requirements (SoR). In addition, the SoR must identify the potential impacts of not proceeding with the project. The impacts of not proceeding with the project are not usually related to the project risk considered in the preliminary risk assessment.

During this phase, a communication and approval protocol relating to the planning and management of the identified risks should be established as part of the risk management process. This information should be used to supplement the NPMS deliverables: SoR, project charter, and preliminary project plan (PPP).

7.4.2 initiation phase

The preliminary risk assessment from the definition phase must be reviewed in order to verify and update the risks, taking into consideration the project’s objective, and the approach to be taken to develop the solution. Key considerations when reviewing and updating the preliminary risk assessment are:

the parameters of the project
the required resources and their availability
other organizational priorities

The Risk management section within the PPP must be completed to verify the key risks identified in the SOR, as well as to identify other potential risks.

7.4.3 Feasibility phase

During this phase, the project’s requirements are finalized and viable options for the solution are developed. The risk assessment completed in the initiation phase must be re-validated, taking into consideration any new or additional information gathered to support the definition of the project’s requirements.

For each of the proposed viable options, a risk assessment in terms of scope, time, cost, and other considerations surrounding the project must be conducted, including, for example, the physical structure, location, infrastructure, technical compatibility, security, and economic, political, legal, organizational, and/or social factors. Other special requirements must also be taken into account if they exist, such as whether the project includes: work on a heritage building; enhanced security requirements of a highly sensitive department; or whether clients’ accommodation includes special purpose space (SPS).

The completed risk assessment for each viable option provides valuable information regarding the inherent risks and the key differences between the selected options. The risk assessment of each option is to be documented in the Analysis of non-financial factors / Preliminary risk assessment section of the feasibility report.

7.4.4 Analysis phase

All of the key risk events and their possible risk response strategies identified in the risk assessment for all options must be considered during completion of this phase (as applicable to the project). The risk assessments provide valuable information to aid in the evaluation and the selection of a preferred option. The risk assessments must also take into account any revised project parameters, and any new information such as the building condition reports.

The updated risk assessment for the preferred option must be attached to support the completion of the Risk assessment section in the investment analysis report (IAR) for the project.

Once the preferred option is identified, the risk response plan process must be carried out to identify the response strategies and the monitoring requirements for each assessed risk event. This process must be documented using the project risk assessment or risk register template (refer to Annex B: National Project Management System deliverables for risk management for direction). Some of the main considerations when completing the risk response plan for the project include departmental and Government of Canada current priorities, the pressures of project constraints, sources of funding, fixed timelines, assumptions made, and other sources of uncertainty and vulnerability in the delivery (including consultants’ services and construction works) and operation of the project solution. The completed risk response plan must be attached to the IAR.

The Risk management section in the PPP must also be updated to provide a summary of the key risk factors based on the latest risk assessment and the completed risk response plan.

The project cost plan and schedule are to be validated to ensure that they account for the appropriate contingencies and the residual risk allowances calculated as part of the risk response plan. There must be no duplication between the residual risk allowances and any other contingencies included within the project budget.

7.4.5 Identification close out phase

During this phase, an identification close out document (ICOD) must be prepared so that it identifies the completion, and the file location, of the current RMP (include a combination of a project risk assessment and/or risk register and a monitoring record) which clearly define the risks and their response strategies for the chosen option. These documents must take into account the project approval /expenditure authority (PA/EA) decision obtained in the Analysis phase.

7.4.6 Planning phase

The risk assessment and risk response plan must be revalidated at this phase to ensure that all key risks events, risk responses, and residual risk allowances are clearly defined, and are still relevant for the remaining phases in the project delivery stage. The RMP documentation (i.e. the project risk assessment and/or risk register) must be updated accordingly.

Note

For OGD projects, this phase is the usual starting point of the NPMS process, and therefore the first RMP for the project is completed during this phase. Even though this is a later phase in a project life, a risk assessment is still required as the initial process in the completion of a RMP. Refer to Annex B: National Project Management System deliverables for risk management for specific deliverable requirements and the process map.

Some of the key considerations in this phase when developing or reviewing and updating the RMP are:

the review of additional or updated project information made available at this phase, and assessment of their impact on the project scope, time and costs (for example the requirements for security, environmental and health and safety for the project)
inclusion of changes in the departmental and Government of Canada priorities and the project parameters, if any
the review of the contents of any resourcing plan developed to advance the project right up to the implementation Phase. The availability of internal labour resources, and the need for external expertise and what impact this work arrangement could have on the project milestones must be considered

Within the project management plan (PMP), the risk management section must be completed and accompanied by the latest RMP documentation.

The project cost plan and schedule must be re-validated, as necessary, to ensure that that they account for the appropriate contingencies and the residual risk allowances without any duplication.

7.4.7 Design phase

In light of the design development work to be undertaken in this phase, and taking into consideration the involvement of other service providers such as consultants that are usually engaged for project during this phase, the updated risk assessment must be reviewed to ensure that all potential risks have been identified, assessed and appropriately quantified. It is also important that the risk response plan is re-evaluated for its effectiveness, as well as to verify the validity and adequacy of the residual risk allowances. The RMP (i.e. the project risk assessment and/or risk register, and monitoring record) must be updated accordingly, following the review and re-evaluation.

The review of the risk assessment and risk response, and updating of the RMP should take place at two separate events: once prior to the procurement of consultant services, and the other after the completion of the design development documentation.

7.4.7.1 Procurement of consultant services

Key risk factors for consideration in preparing for the procurement of consultant services for design include the potential constraints and impacts related to:

availability of resources
schedule for the procurement of the consultants
completeness and clarity of the project information and clients’ requirements
schedule for the design development works
expectation of the approval timeframe from clients
changes in the departmental and/or Government of Canada priorities and the project parameters, if any

7.4.7.2 Design development documentation

Key risk factors to be considered during the completion of the project design development documentation include the potential constraints and impacts related to:

availability of resources to advance the project to the end of the Delivery Close Out phase
completeness and accuracy of the substantive class B construction cost estimate
completeness of the design and other project documents required to proceed to construction/tender documentation
expected timeframe for approvals
method of procurement for the construction work
potential issues due to complexity in construction, and the extent of unknown site conditions
market conditions, that is availability of trades, and any trends in the construction materials’ prices
changes in the departmental and/or Government of Canada priorities and the project parameters, if any

The Real Property Contracting Directorate (RPCD), of the Procurement Branch, must be consulted for their procurement requirements, which may require the provision of a separate risk register for risks attributable to the contracting of services.

For approval of the project expenditure authority (EA), if required, the PMP must have updated content contained within the Risk management section and include the up-to-date RMP.

The project cost plan and schedule must be revalidated again to ensure that that they account for the appropriate contingencies and the residual risk allowances, without any duplication in the project budget.

7.4.8 Implementation phase

During this phase, the construction work is tendered in order to select the contractor who will perform the work according to the completed design. The majority of the effort for risk management during this phase is on the monitoring of the RMP (i.e. the project risk assessment and/or risk register, and monitoring record).

When preparing to tender the construction work, RPCD must be consulted for their procurement requirements, which may require the provision of a separate risk register for risks attributable solely to the contracting of services.

Before the commencement of construction, the risk assessment and risk response plan are to be reviewed, and the RMP updated as needed. The following factors that may affect the risks must be considered:

any additional and updated project information made available during tender and at contract award
any variance between the value of the awarded construction contract and the substantive construction cost estimate in the approved EA or project budget (this is required in order to determine the need to re-evaluate any of the residual risk allowances)
any changes in the departmental and/or Government of Canada priorities and the project parameters

During construction, the project must be monitored in order to respond to risks as needed. It is important that the RMP is updated regularly to reflect:

any newly-identified risk events or mitigation strategies
revisions to existing risk response strategies
deletion of risk events that are no longer applicable to the project
the latest status of the residual risk allowances for the remaining duration of the project, taking into account the deleted risks, the draw down to offset the occurrence of risks including changes orders issued for the contract, any potential new risks, and revised risk response strategies

A change order log must be maintained to facilitate cost control on contracts, as well as to monitor the remaining residual risk allowances to ensure that:

they are adequate for the completion of the project
they are still valid for the remaining activities of the project

Upon issuance of the Certificate of Substantial Performance, the Risk management section of the PMP must be updated. The following must be documented in the PMP:

the risks that have occurred
the effectiveness of the risk response strategies
the status of the remaining un-used residual risk allowances

7.4.9 Delivery close out phase

Once the project is complete, the RMP (i.e. the project risk assessment and/or risk register, and monitoring record) must be updated to summarize all risks that occurred during the project, as well as how they were addressed according to the risk response strategies undertaken. Completion of the updated RMP, along with its file location, must documented on the close out document (COD).This will form the basis of the final lessons-learned document.

8. Responsibilities

All parties responsible for developing RMPs are strongly encouraged to consult with other project leaders/managers and senior project directors when developing the RMP. It is also recommended to seek advice from relevant technical experts, as required, according to the project scope, including areas like Heritage and conservation, Environment, Cost Management, Risk Management, and Project Time Management.

Individuals performing a project leader role are responsible for:

initiating a continual process to formally and consistently assess project risks
developing and maintaining the RMP in consultation with the Project Manager
ensuring that cost estimates reflect the assessment of risk throughout the various phases of the project life cycle
ensuring that the preferred investment option of a particular project takes into consideration the project risk profile and risk tolerance
preparing an outline of the plan to deal with actual project contingencies, and specifying these measures in the risk management sections of the project approval documentation
preparing and revising project approval documentation when the project risk assessment changes significantly
preparing an outline of a communications plan for high-risk activities that may attract media or public attention, including the appointment of a spokesperson

In the absence of a Project Leader, the Project Manager would typically take on this role. Individuals performing a project manager role are responsible for:

providing input to the RMP
effectively using resources allocated to implement the mitigation strategies by assigning and detailing responsibilities regarding the risk management process
reviewing the project risks, and applying effective surveillance to identify any new or changing risks
communicating risk activities to the project team through regular reports to ensure that risks that cannot be addressed by the project team are directed to the appropriate authority

9. Definitions

Certificate of Substantial Performance: means a certificate issued by Canada when the work reaches Substantial Performance (refer to General Condition (GC) 1 - General Provisions - Construction Services of the Standard Acquisition Clauses and Conditions (SACC) Manual).
Class 'B' (substantive) estimate: developed during the NPMS Design phase, this estimate must be in elemental cost analysis format latest edition issued by the Canadian Institute of Quantity Surveyors and based on design development drawings and outline specifications, which include the design of all major systems and subsystems, as well as the results of all site/installation investigations.
Financial risks: are risk events that can be quantified by monetary values. These risks directly impact the budget of a project and are key events that require mitigation.
Non-financial risks: are risk events that cannot be quantified by monetary values and may not be able to be quantified at all. They include schedule risks (time values) and all other non-quantifiable risks including strategic risks.
Non-quantifiable risks: are risk events that cannot be quantified by either monetary or schedule values. These risks can only be rated a level or score based upon their risk assessment of likelihood and impact.
Quantifiable risks: are risks that can be quantified by values, either monetary or time. These risks include only the schedule and cost risks that have a direct impact on the budget and schedule of the project.
Real property projects: include all real property asset acquisitions or improvements, including entering into a lease, fit-up of accommodation space, and construction, renovation and remediation of a built-work (building, bridge, dam, road, etc.) or Crown-owned land.
Risk: the uncertainty that surrounds the achievement of an objective. It is typically expressed in terms of the likelihood and impact of an event, with the potential to positively or negatively influence the achievement of the objective.
Risk allowance: the estimated cost or duration that quantitatively covers in full the effect of the risk exposure. Risk allowance is expressed in two ways: inherent risk allowance and residual risk allowance (RRA), which respectively represent the estimate before and after the application of the risk response plan strategies (mitigation). The RRA is typically used as a contingency in the approved project budget.
Risk assessment: involves analysing or quantifying any risks identified, and ranking them by priority. It includes three main processes: the identification of the risks, followed by their analysis/quantification (in terms of likelihood and impact, using the risk assessment matrix), and then an evaluation to determine their priority ranking.
Risk assessment matrix (RAM): the analysis tool to process the likelihood and impact of a risk and derive the overall rating of the risk event. This directive uses the 5x5 configuration that consists of the 5 levels or measures of the likelihood and impact (that is low, medium-low, medium, medium-high and high).
Risk management plan (RMP): provides information on the approach, the management components, and the resources to be applied to the management of risks. It is made up of three essential steps of the risk management process, namely the risk assessment, risk response, the monitoring and review, as well as a narrative as to the planned frequency of reviews, reviewing bodies, and key management concepts or processes.
Risk profile (of a project): an overview of a project’s risk events based on the completed Risk Assessment. It identifies the key risks (and opportunities), along with each of the risk triggers, their potential consequences, and possible risk responses. The risk profile is generally communicated as a single risk overall grading and/or score that can be related back to the RAM.
Risk rating: the quantification of the risks though the risk assessment that defines the overall grading of the risk events as either negligible, minimal, moderate, considerable or significant. Depending upon where the risk falls within the RAM, it can also be assigned a numerical value to accommodate the five risk levels, and to indicate severity within the level.
Risk register: an output from the risk identification process, the risk register documents the potential risks, including the risk statements, and identifies the source and symptoms of the risk (that is “how will we know when the risk is going to manifest, or has arisen”), as well as the probability and the consequences/impacts of the risk occurring. It is a dynamic document that must be updated as the project progresses so as to reflect the latest information on the risks. As a key document to support management of risks, the risk register must include as much detail as possible. Some of the pertinent information pertaining to the risk events may include owner of the risk, the risk response strategies, the risk profile, the estimated effects on schedule, costs and quality (that is risk allowance), and the duration of the risk or the cessation date of the risk’s effect.
Risk response: the possible strategies that can be undertaken to address risk that has been identified. For the purpose of this directive, the possibilities have been narrowed to 4: avoid/eliminate, mitigate/control, transfer/share, or retain/accept.
Risk response plan: is the complete identification of the risk response, the controls and mitigation strategies applied for that response, a re-assessment of the risk event after application of the controls and mitigation strategies, and the residual risk allowance (% and/or value) that remains of the inherent risk allowance as a result of the application of the risk response.
Stakeholder: any individual, group or organization that may affect, be affected by, or perceive itself to be affected by, the risk event.

10. References

Treasury Board publications

Public Services and Procurement Canada publications

Public Services and Procurement Canada Policy on Integrated Risk Management (082) (available on Government of Canada network only)
Risk Management Guide (2014) (please contact tpsgc.sngp-npms.pwgsc@tpsgc-pwgsc.gc.ca to obtain this guide)
Policy on National Project Management System Policy (106) (available on Government of Canada network only)
National Project Management System Directive for Real Property Projects
Statement of requirements Guidelines and Templates
Guide for the Preparation of investment analysis reports
Guidelines for the Preparation of Project Plans
Real Property Business Rules: Risk Allowance Planning and Forecasting (please contact tpsgc.sngp-npms.pwgsc@tpsgc-pwgsc.gc.ca to obtain this business rule)
Risk Management Plan Guide (please contact tpsgc.sngp-npms.pwgsc@tpsgc-pwgsc.gc.ca to obtain this guide)

11. Attachments

Annex A: Risk management process in the delivery of projects
Annex B: National Project Management System deliverables for risk management

12. Enquiries

Please direct enquiries about this directive to tpsgc.sngp-npms.pwgsc@tpsgc-pwgsc.gc.ca.

Annex A: Risk management process in the delivery of real property projects

Steps in the risk management process
5 steps in the risk management process (as per Risk Management Guide, 2014)	Key objectives and considerations	Examples of the source of information	Examples of the outcomes and resulting documents
1. communication and consultation	To identify key stakeholders of the project and to establish ongoing communication and approval protocols relating to the planning for, and the management of, risks to the project.	Project charter statement of work organization of the project team	Project plans
2. establish context	To understand and define the overall risk management context for the project that is to determine the broad parameters to be taken into account when assessing and managing the risks. To consider the following: the department’s strategic plans, programs or initiatives the stakeholders’ responsibilities and their risk tolerance any external factors that may have impacts on the project’s objectives	PSPC departmental risk profile that is identifying the department’s risk appetite and tolerance building management plans Project approval requirements Project charter project statement of work current and anticipated conditions of the economy, political and legal influences, industry trends meetings and discussions with stakeholders	project risk and complexity assessment (PCRA) (limited to projects > $1 M per TB requirement) Investment analysis report (IAR) for the project – risk statement risk taxonomy
3. risk assessment
a) risk identification	To identify and understand the events that might threaten or enhance the achievement of the project’s objectives. The overall risk management context and parameters, is used to develop the relevant risk statements that is “There is a risk that …” Key considerations include: consultations with the project’s key stakeholders - their inputs and consensus on the risks identified the project’s objectives, scope, complexity and its exposure to risks links to the risk statement to certain drivers and potential impact(s) on the project objectives It is important to have a systematic methodology for registering the identified risks, which will facilitate progressive consultations with stakeholders for approval	risk taxonomy Project approval requirements Project charter project statement of work project plans – review of the clarity of the objectives review of the operational restraints other background information on the project for example site/building investigation reports relevant specialists / experts opinions	project risk assessment risk register IAR project plan
b) risk analysis	To develop a better understanding of the identified risks and to determine their potential impacts and the possible controls over them. The analysis enables rating of the risks based on the likelihood of their occurrence and the level of their impact	stakeholders expectations, concerns and risk tolerance lessons learned from similar projects any applicable audit reports relevant specialists / experts opinions PSPC 5x5 risk assessment matrix Project approval requirements	project risk assessment risk register Investment analysis report project plan
c) risk evaluation	To evaluate the risks in order to determine those that require responses. This facilitates prioritizing of the effort require to develop corresponding responses to the identified risks. Enables understanding of the risks driver, current controls, possible responses	stakeholders expectations, concerns and risk tolerance lessons learned from similar projects any applicable audit reports relevant specialists / experts opinions existing risk register	project risk assessment risk register Investment analysis report project plan
4. risk responses	To decide on the most appropriate responses for the risks, which can be any of the following, where treatment for negative effects of risks is concerned: avoid, transfer/share mitigate/control retain/accept	stakeholders expectations, concerns and risk tolerance lessons learned from similar projects any applicable audit reports relevant specialists / experts opinions	risk register Investment analysis report project plan
5. monitor and review	To review progressive status of the risks to the project: ensure each identified risk is up to date - relevancy and adequacy of the risks and their response strategies are verified in relation to the current project status and availability of project information any potential new risks to the project are identified; and the requirement of the residual risk allowances for the remaining duration of the project are review and confirmed	latest approved risk management plan latest project management plan project change orders log project cost plan SIGMA financial data on the planned, forecasted and actual project costs	iterations of risk register monitoring record on updates to the risk register project cost planning and forecast reports in SIGMA

Annex B: National Project Management System deliverables for risk management

Note

Independent to these charts, the Acquisition Branch, Real Property Contracting Directorate may requires the provision of individual risk registers to be submitted for the procurement of Service Contracts (consultant and construction) that exceed a specific threshold of the estimated contract value. Please contact Acquisition Branch, Real Property Contracting Directorate for further directions.

Asset, other government department and tenant service projects
NPMS “Full”		NPMS “Lite”		NPMS “Ultra-Lite”
Asset & Engineering Asset	OGD and Tenant Service	Asset & Engineering Asset	OGD and Tenant Service	Asset & Engineering Asset	OGD and Tenant Service
Project risk assessment (PRA)	PRA^{Table "Asset, other government department and tenant service projects" note 1}	PRA	PRA^{Table "Asset, other government department and tenant service projects" note 1}	PRA^{Table "Asset, other government department and tenant service projects" note 1}	PRA^{Table "Asset, other government department and tenant service projects" note 1}
Full risk register (F–RR)	F–RR^{Table "Asset, other government department and tenant service projects" note 1}	S–RR	S–RR^{Table "Asset, other government department and tenant service projects" note 1}	S–RR^{Table "Asset, other government department and tenant service projects" note 1}	S–RR^{Table "Asset, other government department and tenant service projects" note 1}
Monitoring record (MR)	MR	MR	MR	MR	MR
Table "Asset, other government department and tenant service projects" Notes Table "Asset, other government department and tenant service projects" note 1 In these instances (OGD or Tenant Service projects and NPMS Ultra-Lite for Leased or Crown Space) either the Project Risk Assessment (PRA) or Risk Register (RR) or both can be used along with the Monitoring Record as the risk management plan for the project. Regardless of which one is chosen (PRA and/or RR) to be used, the project team need to ensure that the documents commensurate with the complexity of the project, in order to enable them to adequately exercise the risk management process that is the assessment, response, monitor and review, and communication of the risks for the projects. Return to table "Asset, other government department and tenant service projects" note 1 referrer

Space projects
NPMS “Full”		NPMS “Lite”		NPMS “Ultra-Lite”
Lease/ Crown Space	Lease Renewal no fit-up	Leased/ Crown Space	Lease Renewal no fit-up	Leased/ Crown Space	Lease Renewal no fit-up
Project risk assessment (PRA)	PRA^{Table "Space projects" note 2}	PRA	PRA^{Table "Space projects" note 2}	PRA^{Table "Space projects" note 3}	PRA^{Table "Space projects" note 2}
Full risk register (F–RR)	S–RR^{Table "Space projects" note 2}	S–RR	S–RR^{Table "Space projects" note 2}	S–RR^{Table "Space projects" note 3}	S–RR^{Table "Space projects" note 2}
Monitoring record (MR)	MR^{Table "Space projects" note 2}	MR	MR^{Table "Space projects" note 2}	MR	MR^{Table "Space projects" note 2}
Table "Space projects" Notes Table "Space projects" Note 2 For Space Lease Renewal Projects; if upon completion of the risk assessment (using the PRA template), it is determined that there are no risks associated with the project, then there remains no requirement to complete a Risk Management Plan and therefore the remaining deliverables (Risk Register and Monitoring Record) are not required. Return to table "Space projects" note 2 referrer Table "Space projects" Note 3 In these instances (OGD or Tenant Service projects and NPMS Ultra-Lite for Leased or Crown Space) either the Project Risk Assessment (PRA) or Risk Register (RR) or both can be used along with the Monitoring Record as the risk management plan for the project. Regardless of which one is chosen (PRA and/or RR) to be used, the project team need to ensure that the documents commensurate with the complexity of the project, in order to enable them to adequately exercise the risk management process that is the assessment, response, monitor and review, and communication of the risks for the projects. Return to table "Space projects" note 3 referrer

Documentation requirements

Project risk assessment must use a mandatory template to provide the following:

assessment of key risks using the 5x5 risk assessment matrix (RAM) of likelihood and impact
risk grading resulting from the assessment indicating the level and score
additional details regarding the possible mitigation strategies for each risk event
the overall inherent risk profile of the project

“Simplified” risk register must contain the following basic information at minimum:

a header containing the project title and number, Project Leader and Manager, current NPMS stage of the project to which the register is linked, the date of completion of the register and the version number
a unique risk identifier (number – either family number or risk ID from risk taxonomy)
descriptions of each risk event identified
classification of the risks – project-related or Services/Work to be procured (that is consultant/construction contracts),
potential consequences of the risk event occurring
overall, pre-mitigated rating for each risk event (using the 5x5 RAM)
estimated inherent risk values for the impact of each risk – in terms of cost ($)
risk response for each identified risk – to be specified as one of the following:
- avoid/eliminate
- mitigate/control
- transfer/share
- retain/accept
overall, post-mitigated rating for each risk event (using the 5x5 RAM)
revised estimated allowances in terms of the monetary values (% and $) for inclusion to the project budget after the risks response strategies (residual risk allowance (RRA))
estimated validity period or milestones of risks identified to indicate expected expire or lapse
summary/totals of both the inherent and residual risk allowances for all risk events listed on the register

“Full” risk register must include all of the basic information for “Simplified Risk Register”, as well as the following:

identification as to which area(s) of the project are predominantly affected by the risk event – “cost” or “schedule”
pre-mitigated rating for each risk event as it pertains to schedule impacts (as applicable)
estimated inherent risk values for the impact of each risk event – in terms of schedule (days) – (as applicable)
overall, post-mitigated rating for each risk event as it pertains to schedule impacts (as applicable)
revised estimated allowances in terms of the schedule value (% and days) for inclusion in the project schedule after the risk response strategies (residual risk allowance (RRA)), (as applicable)
the name of individual or Office of Primary Interest (OPI) who will be tasked with the managing the risk

The “Full” risk register must also comply with the format and types of field content as per the template provided in the Risk Management Plan Guide.

Monitoring record must include the following information that is necessary to track updates to the risk allowances:

original issue and revision dates
version numbering
reference of current milestone of the project that is NPMS phases
total remaining value of Inherent and residual risk allowance
description(s) of the reason for the update

National Project Management System process map

National Project Management System process map – Image description below.

Image description

Real property project type: Asset and engineering asset project or lease/crown space project

Risk assessment step:

Process: use appropriate template as shown in NPMS deliverables table and as directed in the risk management plan (RMP) guide to identify, analyze and evaluate risk events for the project
Outputs:
1. inherent risk profile for use in statement of requirements (SOR), preliminary project plan (PPP) and/or feasibility report (FR) documentation
2. assessment of each solution option provides risk evaluation/rating, where applicable

Risk response step:

Process: use appropriate template as shown in NPMS deliverables table and as directed in the RMP guide to identify the controls, then re-analyze and re-evaluate the risk events, based on strategy
Outputs:
1. identification of additional scope elements (accepted risk events) and resultant planning updates
2. identification of top risk events that have most potential to affect project outcome/results (for IAR)
3. residual risk allowance (RRA) values ($/time) for incorporation into budget and/or schedule

Initial risk monitoring and management step:

Process: complete the monitoring record (MR) template as directed in the RMP guide
Outputs:
1. completed summary of the risk allowances as they relate to the project development stages
2. ability to compare the risk allowance values to the overall budget and against each other

Continual risk monitoring and management step:

Process:
1. review the risk management plan in full if any of the following apply:
  - change in risks or project scope
  - risk no longer valid
  - start next phase of NPMS
2. complete the MR template as directed in the RMP Guide
Outputs:
1. record of the changes in the RMP as they relate to the risk allowance values (inherent risk allowance (IRA) & RRA)
2. ability to calculate variance and compare risk allowance values to the overall budget and each other
3. understanding of the rationale behind the reduction of the RRA values over the project life cycle and identification of excess funds available for possible reallocation.

Risk management: close-out step:

Process: close-out RMP as part of the project close-out documentation and mark as complete

Project type: Other government department and tenant services project

Risk assessment step:

Process: use appropriate template as shown in NPMS Deliverables Table and as directed in the RMP Guide to identify, analyze and evaluate risk events for the project
Outputs: inherent risk profile for use in planning stage for specific service agreement (SSA) discussions and to develop project charter

Risk response step:

Process: use appropriate template as shown in NPMS Deliverables Table and as directed in the RMP Guide to identify the controls, then re-analyze and re-evaluate the risk events, based on strategy
Outputs:
1. identification of additional scope elements (accepted risk events) and resultant planning updates
2. identification of top risk events that have most potential to affect project outcome/results (for IAR)
3. residual risk allowance (RRA) values ($/time) for incorporation into budget and/or schedule

Initial risk monitoring and management step:

Process: complete the MR template as directed in the RMP Guide
Outputs:
1. completed summary of the risk allowances as they relate to the project development stages
2. ability to compare the risk allowance values to the overall budget and against each other

Continual risk monitoring and management step:

Process:
1. review the risk management plan in full if any of the following apply:
  - change in risks or project scope
  - risk no longer valid
  - start next phase of NPMS
2. complete the MR template as directed in the RMP guide
Outputs:
1. record of the changes in the RMP as they relate to the risk allowance values (IRA & RRA)
2. ability to calculate variance and compare risk allowance values to the overall budget & each other
3. understanding of the rationale behind the reduction of the RRA values over the project life cycle and identification of excess funds available for possible reallocation.

RMP close-out step:

Process: close-out RMP as part of the project close-out documentation and mark as complete

Project type: lease renewal without fit-up project

Risk assessment step:

Process: use appropriate template as shown in NPMS Deliverables Table and as directed in the Risk Management Plan (RMP) Guide to identify, analyze and evaluate risk events for the project
If risks present - Outputs:
1. inherent risk profile for use in SOR, PPP and/or FR documentation
2. assessment of each solution option provides risk evaluation/rating, where applicable
If no risk present – Output(s): Validation that risk assessment was completed and determined to be nil – proceed direct to RMP close-out step

Risk response step (risk(s) present):

Process: use appropriate template as shown in NPMS Deliverables Table and as directed in the RMP Guide to identify the controls, then re-analyze and re-evaluate the risk events, based on strategy
Outputs:
1. identification of additional scope elements (accepted risk events) and resultant planning updates
2. identification of top risk events that have most potential to affect project outcome/results (for IAR)
3. residual risk allowance (RRA) values ($/time) for incorporation into budget and/or schedule

Initial risk monitoring and management step (risk(s) present):

Process: complete the MR template as directed in the RMP guide
Outputs:
1. completed summary of the risk allowances as they relate to the project development stages
2. ability to compare the risk allowance values to the overall budget and against each other

Continual risk monitoring and management step (risk(s) present):

Process:
1. review the risk management plan in full if any of the following apply:
  - change in risks or project scope
  - risk no longer valid
  - start next phase of NPMS
2. complete the MR template as directed in the RMP guide
Outputs:
1. record of the changes in the RMP as they relate to the risk allowance values (IRA & RRA)
2. ability to calculate variance and compare risk allowance values to the overall budget & each other
3. understanding of the rationale behind the reduction of the RRA values over the project life cycle and identification of excess funds available for possible reallocation.

RMP close-out step:

Process: close-out RMP as part of the project close-out documentation and mark as complete

Report a problem or mistake on this page

Date modified:: 2019-11-06

National Project Management System Directive on Risk Management for Real Property Projects

1. Effective date

2. Cancellation

3. Authority

4. Context

5. Scope

6. Purpose

7. Details of the directive

7.1 Risk management process

Figure 1: Extract from Public Services and Procurement Canada Risk Management Guide

7.2 Risk management plan

7.3 Managing risk allowances

7.4 Risk management process by National Project Management System phase

7.4.1 definition phase

7.4.2 initiation phase

7.4.3 Feasibility phase

7.4.4 Analysis phase

7.4.5 Identification close out phase

7.4.6 Planning phase

Note

7.4.7 Design phase

7.4.7.1 Procurement of consultant services

7.4.7.2 Design development documentation

7.4.8 Implementation phase

7.4.9 Delivery close out phase

8. Responsibilities

9. Definitions

10. References

Treasury Board publications

Public Services and Procurement Canada publications

11. Attachments

12. Enquiries

Annex A: Risk management process in the delivery of real property projects

Annex B: National Project Management System deliverables for risk management

Note

Table "Asset, other government department and tenant service projects" Notes

Table "Space projects" Notes

Documentation requirements

National Project Management System process map

Real property project type: Asset and engineering asset project or lease/crown space project

Project type: Other government department and tenant services project

Project type: lease renewal without fit-up project