I’m getting slightly obsessed with NEC3.  As I’ve posted before, here and elsewhere, these forms of contract are intended to promote good practice in project management but, as far as risk is concerned, do not lay out very clearly what is intended.  This is reinforced by what I see in my travels which is a surprising amount of confusion, variation and misunderstanding.  Perhaps some of this is down to man’s eternal quest for commercial advantage – disingenuousness to the fore – but I’m sure that’s not the whole story.  Hence my obsession: why does something so apparently straightforward get into so much trouble?

The basic concepts are: a Risk Register, Early Warnings and Risk Reduction Meetings.  These are supposed to work in a way which is independent of contractual responsibility.  They are an attempt to encourage cooperative working on issues which arise and ensure they are addressed in the best way for the project overall.  So what are the causes of confusion?

1. The mindset of commercial people makes it difficult to avoid responsibility issues.  Their attitude to any matter arising is fundamentally shaped by who is going to pay.  Thus they get bogged down in other contractual concepts: Employer’s Risks, Contractor’s Risks, Compensation Events and Disallowed Costs.  They also invent concepts which don’t exist – or are not supposed to – principally the Employer’s Risk Register and the Contractor’s Risk Register.
2. NEC3, like other contracts, takes an event-based view of risk.  It is increasingly realised that risk encompasses uncertainty (or as I would prefer to put it, you should talk about uncertainty not risk).  So it is not necessarily clear how you deal with a risk such as the concrete quantities being a lot more than you thought.
3. The advent of project risk management has led to a complicated set of activities which have a potentially confusing relationship with the contractual provisions.  So clients putting projects out to tender will typically specify the risk management approach and/or processes to be adopted.  These will often involve some form of risk listing, colour-coding and quantification.  Clients may also ‘helpfully’ provide a risk list and ask the tenderer to supplement it.  And of course the client wants a price, a concept which is inextricably liked to ‘who pays.’  The successful bidder then has to implement a risk management plan which sets out the various risk lists (some of which may be managed by each party), the risk review meetings, the reporting and all the other trappings of ‘good practice’ risk management.  So the confusion is then whether any of the risk lists in the risk management plan are the Risk Register.  Does the risk list run by the Contractor contain only Contractor’s Risks?  Are any of the risk review meetings Risk Reduction Meetings?  What’s the relationship between the Starter for 10 and the risks listed in Contract Data Part 1?  What is the purpose of the tenderer listing more risks in Contract Data Part 2.  And what about opportunities?  We all have to adhere to the conventional wisdom that risk management is just as much about opportunities as threats.

The way clients approach this is typically very poor.  I have recently seen a risk register format with 65 columns (honestly, I am not making this up).  The ‘helpful’ starter for 10 is often full of dross and in case not designed to help the tenderer provide a price.  And sometimes they do not seem to understand the distinction between quantification in general and quantification aimed at developing a price.  They are also seemingly unaware that the  best way to quantify uncertainty may not be to apply a set of high/medium/low numbers to a long list of risks.

(But one helpful piece of standard practice does seem to be emerging in the context of NEC3 Option C, the target cost approach which shares Contractor’s Risk.  It is expected that the allowance for risk which appears in the Prices will be the expected value {of Defined Cost if no Employer’s Risks materialise to be technical about it}.  Thus any risk premium above the expected value has to be in the Management Fee.  This provides some welcome clarity though I have not seen it stated as explicitly as I have done here.  I plan to do another post covering quantification of the the various risk amounts in NEC3 shortly.)

What’s the best way to resolve the confusion arising from the three points above?  Let’s start with the simple world I guess the authors of NEC3 would have envisaged.  The client would put a set of risk events in Contract Data Part 1.  The successful tenderer would have done the same in Contract Data Part 2.  This would be completely without prejudice as to responsibility.  The two lists of risks would be pulled together to form the Risk Register.  NEC3 makes no provision for the Risk Register to be reviewed regularly;  I think it’s just assumed to be the right list from Day 1.  In parallel the contractor will have assessed how much to allow for the Contractor’s Risks element and built that into the Prices, explicitly or implicitly.  I don’t think there is any fundamental reason to tell the client how much it is or how it is worked out, though invariably they want to know.

If one of the risk events starts to look more likely an Early Warning is raised.  To determine this you might set a trigger level on a Key Risk Indicator.  More likely you have identified a situation where you know something is going to happen and you are moving from a situation where you are reducing the probability to reducing the impact.  Alternatively you can identify a specific occurrence of a continuing risk.  This makes clear, contrary to what is sometimes argued, that the Risk Register is not the Early Warning register.  Early Warnings should be on a separate list and Risk Reduction meetings are called specifically for them.

This suggests that the Risk Register is a redundant concept for contracts where the client is going to require systematic and visible risk management to be carried out.  Instead the Works Information should set out the standards to be achieved and the tenderer will say how he will comply with them, for example by submitting an outline risk management plan.

Contract Data Part 1 can be used by the Employer to set out the risks for which he would specifically like to see the tenderer’s management plan, but this could equally be in the Works Information.  The bidder will prepare a risk analysis to inform his Prices which the client will probably want to see.  Once the contract gets under way the risk management will get into full swing with whatever registers, review meetings or the like have been specified in the Risk Management Plan.

So it would be clearer to dump the Risk Register as a contractual term and – possibly, if the parties agree – adopt the concept of an Accepted Risk Management Plan, analogous to the Accepted Programme.  The focus shifts to process from content which I think makes more sense than trying to do all the risk management as part of tendering.

Turning back to the three points of confusions above, the commercial stuff is deferred until an Early Warning is given and some consideration has to be given as to whether it might be a Compensation Event.  Secondly, the management of uncertainties would benefit from the use of KRIs of the sort employed in risk management in business-as-usual operations.  This can be provided for in the Risk Management Plan.  Lastly the new set of contractual terms seem much more comprehensible and unambiguous.

Another way of putting this is that common practice risk management these days is too flexible and adaptive to fit within the constraints of NEC3 as currently drafted.  The contracts will have to develop to accommodate this.