Risk Register & Quantification

Section 1

Purpose

The Stage 3 Risk Register & Quantification exercise updates the Stage 2 Risk Register against the spatially coordinated design, and applies more rigorous quantitative risk analysis (QRA) techniques — in particular three-point estimating and Monte Carlo simulation — to derive defensible, statistically grounded risk allowances for inclusion in Cost Plan 2. This is a substantial step up in analytical rigour from the simpler EMV (probability × impact) approach appropriate at Stage 2.

RICS Management of Risk (1st edition, 2020) identifies a suite of quantification techniques suited to different project stages and risk types. At Stage 3, where the design is sufficiently developed to allow meaningful cost modelling of individual risk scenarios, three-point estimating generates a probability distribution for each risk's cost impact. Monte Carlo simulation then combines these distributions across all risks to generate an overall risk allowance at a stated confidence level — typically the P80 (80th percentile) value.

The Stage 3 Risk Register is also the instrument through which risks are formally allocated between the client, design team and future contractor. Risk allocation decisions made at Stage 3 directly inform the procurement strategy and contract conditions selected at this stage. An un-owned risk is an unmanaged risk: every line in the register must have a named owner and a documented response strategy.

Section 2

Key Principles

RICS Management of Risk (1st edition, 2020): primary RICS framework for risk identification, qualitative and quantitative assessment, response strategies, ownership and monitoring. Explicitly covers three-point estimating, Monte Carlo simulation, fault tree analysis and sensitivity analysis.
ISO 31000:2018 — Risk Management: Guidelines: international standard underpinning the RICS approach; defines risk as 'the effect of uncertainty on objectives' — covering both threats (negative) and opportunities (positive).
NRM 1 (2nd edition, 2012), Section 3.6 — Risk and Contingencies: requires the QS to carry risk allowance separately from design contingency; defines NRM risk categories: design development risks, construction risks, employer change risks, employer other risks.
HM Treasury Green Book (2022): for public sector projects, mandates quantified risk assessment (QRA) and optimism bias adjustment; the P80 Monte Carlo output is typically the basis for the approved risk allowance in HMT-compliant cost plans.
APM Body of Knowledge (7th edition, 2019): project risk management framework; complements RICS guidance on risk register structure, review frequency and escalation.
Construction (Design and Management) Regulations 2015 (CDM 2015): design risk register maintained by the Principal Designer must be cross-referenced to the QS cost risk register to ensure design hazards with cost implications are captured.

Section 3

Practical Application

Step 1

Update the Stage 2 Risk Register: for each risk, confirm whether it remains active, has been resolved (document how), has changed in probability or impact, or has been transferred (confirm to whom). Remove resolved risks; add newly identified Stage 3 risks.

Step 2

Re-categorise risks using NRM 1 categories: (i) Design development risks — residual uncertainty in the coordinated design, outstanding specialist input; (ii) Construction risks — ground conditions, existing services, interface with live operations; (iii) Employer change risks — brief amendments, programme acceleration/deferral; (iv) Employer other risks — funding, statutory consents, third-party agreements.

Step 3

For each risk, apply three-point estimating: assign three cost impact values — Optimistic (O, best case), Most Likely (ML) and Pessimistic (P, worst case). Calculate the weighted mean: EMV = (O + 4ML + P) ÷ 6, multiplied by the probability (%). This produces a single expected cost value per risk that is more statistically robust than a single-point estimate.

Step 4

For the highest-value risks (those with EMV >1% of construction cost, or where the P-O spread is large), prepare an individual sensitivity analysis: show how the risk allowance changes as probability moves across the full range. This quantifies which risks have the greatest influence on the total risk allowance.

Step 5

Run a Monte Carlo simulation across all risks in the register. Assign a probability distribution (typically triangular, based on O/ML/P values) to each risk's cost impact. Run 10,000+ iterations. Extract the P50 (median), P80 (80th percentile) and P90 (90th percentile) outputs. The P80 is typically used as the risk allowance in Cost Plan 2.

Step 6

Confirm risk ownership: for each risk still in the register, confirm whether it will be retained by the client (and funded within the risk allowance), transferred to the contractor (via contract conditions), transferred to an insurer, or shared (provisional sum/quantity). Align risk allocation with the procurement strategy being finalised at Stage 3.

Step 7

Update risk response strategies: for Red risks still in the register, confirm that mitigation actions are in progress and set a target review date. For risks proposed for transfer to contractor, identify the contract mechanism (provisional sum, schedule of rates, risk schedule in NEC4 Option X80, or lump sum risk premium).

Step 8

Issue the updated Risk Register as an appendix to Cost Plan 2. Include: the full itemised register; three-point estimates for material risks; Monte Carlo output chart (showing probability distribution of total risk cost); P50/P80/P90 values; and total risk allowance cross-referenced to the CP2 risk allowance line. Review frequency: minimum at each RIBA stage gateway.

Section 4

Common Mistakes to Avoid

Continuing to use simple EMV (single-point probability × impact) for all risks at Stage 3 — for material risks, this understates uncertainty. Three-point estimating and Monte Carlo analysis are proportionate to the stage and provide a defensible P80 risk allowance.
Including contractor-held risks in the client's pre-contract risk allowance without a clear transfer mechanism — once the contract is placed, retained risks become the contractor's; the client's risk allowance should reflect only risks that remain with the client post-contract.
Failing to cross-reference the CDM Principal Designer's design risk register with the QS cost risk register — design hazards with cost implications (asbestos, contamination, structural fragility) may be captured in CDM documentation but missing from the cost register.
Conflating issues (near-certain events already occurring or about to occur) with risks (uncertain future events) — issues require immediate management action and separate budget provision, not a probability-weighted risk allowance.
Presenting Monte Carlo output without explaining the confidence level — stating 'risk allowance: £X' without specifying P50/P80/P90 gives the client insufficient information to make an informed risk budget decision.
Not reviewing the register at Stage 3 gateway — a register issued at Stage 2 and not updated is not a live risk management document; it provides no audit evidence of ongoing compliance with RICS obligations.

Section 5

APC Competency & Quick Reference

APC Competencies: Cost Management (L2) | Design Economics & Cost Planning (L2) | Legal & Regulatory Compliance (L1) | Programming & Planning (L1)

What is three-point estimating and why is it superior to single-point EMV at Stage 3?

Three-point estimating assigns Optimistic (O), Most Likely (ML) and Pessimistic (P) cost impact values to each risk. The weighted mean is: (O + 4ML + P) ÷ 6, multiplied by probability. This captures the asymmetry of risk impact distributions (risks rarely materialise at exactly their most likely value), producing a more statistically robust expected value than a single-point estimate.

What is the P80 value in a Monte Carlo risk analysis?

The P80 (80th percentile) is the cost at which there is an 80% probability that the total risk cost will be at or below that figure. It is the standard risk allowance benchmark for cost plans: it represents a prudent but not worst-case provision. The P50 (median) represents only a 50/50 position; the P90 represents a more conservative contingent provision.

How do NRM 1 risk categories relate to procurement risk allocation?

NRM 1 defines four risk categories: (i) Design development — retained by client/design team pre-contract; (ii) Construction risks (ground, services) — typically transferred to contractor via the contract; (iii) Employer change — retained by client; (iv) Employer other (funding, third-party) — retained by client. The procurement strategy determines which categories transfer to the contractor and at what cost.

Section 6

Risk Register & Quantification Checklist

☐

Stage 2 Risk Register updated: resolved risks removed, status of live risks confirmed

☐

New Stage 3 risks identified and categorised (NRM 1 categories)

☐

Three-point estimates (O/ML/P) prepared for all material risks

☐

Sensitivity analysis prepared for risks with EMV >1% of construction cost

☐

Monte Carlo simulation run (10,000+ iterations); P50/P80/P90 outputs extracted

☐

Risk ownership confirmed and aligned with procurement strategy

☐

Risk response strategies updated (Avoid/Reduce/Transfer/Accept)

☐

Risk allowance (P80) cross-referenced to Cost Plan 2 risk provision

☐

CDM design risk register cross-referenced to QS cost risk register

☐

Updated Risk Register issued as appendix to Cost Plan 2

Section 7

CPD Learning Outcomes

Apply three-point estimating (O/ML/P) and Monte Carlo simulation to derive a statistically grounded risk allowance at Stage 3, and explain the significance of P50, P80 and P90 confidence levels to a client.
Update a Stage 2 Risk Register to Stage 3, applying NRM 1 risk categories, reassessing risk scores against the developed design, and aligning risk ownership with the Stage 3 procurement strategy.
Distinguish between risks, issues and opportunities in a project cost risk register, and apply appropriate management responses to each in accordance with RICS Management of Risk (2020) and ISO 31000:2018.

Section 8