Capital Asset Management Framework: 3. Risk Management

Last updated on June 6, 2019

3.1 Risk Management

Risk is defined as uncertain events or conditions that if they occur, could have an impact, either positive or negative, on achieving the objectives and/or outcomes.

Risk management is the process of identifying, analyzing and addressing risks and opportunities on an ongoing basis – not only to avoid negative outcomes, but also to exploit emerging opportunities. It should be part of every public agency’s corporate and project-management culture.

In British Columbia the dollar value of a project is not used as the primary indicator of capital-related risk, rather a holistic approach is applied. This approach recognizes the broad range of factors that contribute to an agency's or project’s risk profile and acknowledges that these factors could change during an asset’s life cycle.

As part of this holistic approach, agencies are encouraged to:

  • support and promote a general system of risk management at every level throughout their organizations (referred to as enterprise- wide risk management, or ERM)
  • apply systematic risk management processes at both the program and project levels
  • manage risk effectively throughout the life cycle of all capital assets, from pre-planning through implementation, operation, maintenance and renewal or disposal, and
  • carry out post-project reviews to identify what worked and what did not with the lessons learned applied to future projects

Risk management is especially important when considering alternative service delivery or alternative procurement approaches such as public-private partnerships (P3s). New ways of doing business carry an inherent risk. At the same time, a defining feature of P3s is the opportunity to share or transfer risks.

Ultimately, risks should be allocated to those parties best able to manage them at the least cost while serving the public interest.

3.1.1 Standard Risk Management Process

Figure 3.1.1 summarizes the Government Enterprise-Wide Risk Management model that agencies should follow in developing or refining their risk management processes. The model identifies a sequence of steps appropriate for use at key points throughout the capital management process, at both the corporate and project levels.

Although the steps are consistent, the degree of rigour required in applying this or other models will vary according to the risk and complexity associated with each decision.  For specific direction on risk management, see the guidelines referenced in Section 3.3.

Figure 3.1.1

Figure 3.1.1 Risk Management Overview. Seven steps: 1. Establish the Context 2. Identify Risks 3. Analyze Risk 4. Evaluate Risks 5. Treat Risks 6. Communicate and Consult (continuous) 7. Monitor and Review

View the Province’s Enterprise-Wide Risk Management Guideline

3.2 Capital Project Risk

Every capital project carries a certain level of risk that must be identified and managed effectively throughout the project’s life. Life-cycle cost is just one of many factors agencies should consider in assessing levels of project risk. Other factors include the project's complexity, the agency’s experience with similar types of projects and the nature of any technology involved.

The key to success in capital projects is to analyze and manage risk effectively. This could also support agencies in identifying and benefiting from opportunities that might otherwise be judged too uncertain. Additionally, action can be taken to minimize the risks of adverse events as far as practicable. Risk is often most efficiently addressed by ensuring it is carried by the party best able to understand and manage it, at the lowest cost.

The risk profiles of individual projects vary by agency, sector and project type. For example, a multi-million dollar project may be considered routine in one sector while a project of the same cost may be considered high risk in another sector.

The degree of due diligence applied to a project should be equal with the projects’ risk profile. Therefore, the degree of effort, depth of analysis, amount of time and use of other resources committed to planning and managing a particular project should be determined by a project's risk profile. For example, a large, complex and costly project should be supported by a detailed business case and may require rigorous reporting and monitoring, whereas a small or routine project may require minimal justification and reporting.

To support agencies in successfully managing project risk, the following section provides:

  • examples of the types of risk categories to consider when assessing project risk and developing project-level risk management strategies
  • a discussion of, and a model for, rating project risk to help agencies assess a project’s characteristics, and to provide guidance in determining the level of due diligence that should be applied, and
  • a link to provincial risk-management policy and guidelines that agencies should follow

3.2.1 Project Risk Categories

Figure 3.2.1 provides examples of the project risk categories agencies should consider when planning and managing capital expenditures. It also provides examples of how these types of risks may be treated to reduce the likelihood or consequences of potential loss events.

Agencies are encouraged to address these categories – and develop targeted treatments to address the specific risks unique to each project – as part of their commitment to best management practices.

The categories listed here are among those Treasury Board considers in assessing project risk. (As discussed in Chapter 2, Treasury Board also considers a wide range of factors in assessing the risk profiles of public-sector agencies themselves.)

Figure 3.2.1

Sample Project Risk Categories and Treatments
Risk Category Description Treatment Examples
General Risks General risks include high-level concerns related to the decision to undertake a project.
  • documenting how a project fits with established strategic objectives
  • assessing the requirements for a new corporate structure
  • enhancing the project’s profile with the public, media and governments
  • working collaboratively to enhance labour and industrial relations
Policy Risks These include the likelihood that a project represents, or may be affected by, a major shift in government or agency policy, or change in legislation.
  • assessing the impact of any potential policy or legislative changes on the project
Management or Organizational Risks These include the complexities associated with partnerships, investments and management
  • managing dependencies on linked funding and contingent investments
  • ensuring the availability of qualified project managers
  • ensuring the project development team has access to appropriate expertise when undertaking a new type of initiative
Design/Construction, Commissioning, Partnership or Supplier Risks Examples include sponsor risk (e.g. the likelihood that a private partner may be unable to deliver) and general supplier/market capacity
  • ensuring the availability of material and equipment supplies
  • ensuring that experienced designers, contractors and trades are available in the required time frame; anticipating the need for community permits and approvals, 
  • designing construction windows to avoid delays due to adverse weather
Site Risks These include the risks associated with site selection and acquisition.
  • ensuring that the site is available at an affordable price
  • evaluating site challenges such as soil contamination or potential flooding, and
  • ensuring the desired site is free of potential land-claim issues
Financing Risks Financing risks relate to the agency’s ability to draw the required financial resources – and the overall financial viability of the project.
  • ensuring that financing is available at the appropriate time
  • anticipating the impact of interest rate increases, and
  • evaluating the credit- worthiness of any potential partners
Cost, Economic or Market Risks These include all possible events that could affect cash-flow during project development.
  • planning for contingencies in the market such as a drop in demand for services
  • anticipating the potential for labour or material cost escalations
  • ensuring funding is available to cover operations, maintenance and administration, and
  • assessing the potential for competing facilities
Ownership & Operations Risk The risks associated with owning and operating an asset include labour relations, maintenance, technical and asset obsolescence risks.
  • taking steps to keep maintenance in line with forecast levels, and
  • taking appropriate measures to address the likelihood of abandonment
Other Risks

Other risks which could be substantive and require resolution and/or management prior to commitment to the expenditure, or during delivery, include uncontrollable “force majeure” risks such as weather and global uncertainty.

  • developing contingency plans to avoid or reduce construction delays due to emergencies or disasters, and
  • ensuring that business continuity plans address a wide range of potential events

3.2.2 Due Diligence & Risk Rating

Due diligence refers to the degree of effort, depth and breadth of analysis, and amount of time and other resources that should be committed to a project or a project phase. Levels of due diligence should be equal with the degrees and types of risk present.

To ensure they apply the appropriate levels of due diligence, agencies should develop processes to:

  • assess the overall risk and complexity associated with each project, throughout its life cycle
  • assess risk in the earliest stages of planning, when only rudimentary estimates of costs and impacts may be available, and
  • continually review and update risk assessments at every stage of a project’s life cycle, adjusting levels of due diligence as needed

The Province’s enterprise-wide risk management process provides a risk-rating system to help determine the level of due diligence that should be applied to activities such as:

  • risk-management processes
  • strategic options analysis
  • business-case analysis
  • oversight, reporting and monitoring during implementation, and
  • the application of post implementation performance reviews

Evaluating risk can also help central agencies assess risk exposure and establish approval or reporting requirements for individual projects.

Figure 3.2.2 below provides an overview of some of the critical risk management tasks agencies need to consider at key milestones during project development.

Figure 3.2.2

Summary - Risk Management at Key Project Phases
Strategic Options  Analysis (SOA) Business Case Procurement

A preliminary (i.e. strategic level) assessment of project risk is made at this stage, primarily based on qualitative analysis. This includes an initial identification of project risk categories, an assessment of the likelihood that certain types of risks will occur, and their potential consequences. Relative risk priorities should also be established.

Thorough identification, analysis, valuation (e.g. quantification of the economic or other impacts of each risk on deliverables) and risk treatment strategies are required at this phase, building on the work done to develop the SOA. This typically includes the development of a comprehensive risk register.

It also includes development of a detailed project risk management strategy covering risk treatment, optimal risk transfer, and risk monitoring through project implementation.

Further assessment and refinement of risk information and the agency’s risk management strategy are required before the procurement phase is initiated.

Solicitation documents should include the risks identified by government.

The risk management strategy is then implemented. Risks are treated throughout the various phases of the project.

Risk Rating: Throughout the planning and implementation phases, agencies can conduct regular risk- ratings to provide "snap-shot" assessments of whether the project’s underlying risk characteristics have changed.

The tool-kit section at the end of this chapter provides guidance and examples of how risk ratings should influence the due diligence required for each phase of capital management, from pre-planning through operation to renewal/disposal.

Risk-rating is not a substitute for a comprehensive approach to managing project risks. For guidance in developing a comprehensive risk-management strategy, see the references in Section 3.3.

3.3 Risk Management Guidelines

As described in the preceding sections, public-sector agencies have a responsibility to ensure that risk management strategies are in place at both the corporate (agency or enterprise) and program/project levels.

For corporate-level risk management, agencies should follow the Province’s Enterprise-Wide Risk Management Guidelines.

For project-level risk management, agencies should follow the Province's Project Risk Management Guidelines.

For assistance in using these guidelines, contact the Risk Management Branch of the Ministry of Finance. For contact information, or to view the guidelines, view the Risk Management Branch Web

For assistance in using these guidelines, contact the Risk Management Branch of the Ministry of Finance or view Government Finances website

3.4 Risk Management Tools

2. Governance & Oversight < Previous | Next >  4. Planning