
Benefits of proactive risk management:

  • Aids decision making
  • Promotes comparison of solution alternatives
  • Increases communication
  • Generates common understanding
  • Promotes justification of contingency
  • Promotes credibility of solution.

The application of risk management is an integral part of project development and execution.

Consideration of risk and the application of risk management should begin at the earliest possible point in the project lifecycle, ie compilation of the strategic case. Project Managers should take note of risk management guidance provided in the Transport Agency’s corporate documentation.

The Project Manager has six primary responsibilities with regard to risk management throughout the project lifecycle:

  • To understand and comply with Transport Agency (corporate) and HNO risk management requirements
  • To include appropriate requirements within HNO requests for tender / contract documents
  • To maintain a project programme that takes due cognisance of project delivery risks thus enabling data provision to the National Programme Team for inclusion in the HNO projects portfolio delivery programme, as appropriate
  • To initiate appropriate risk management prior to, and between, supplier ownership of risk management provision as part of contract execution
  • To manage ongoing supplier delivery throughout the life of the contract in accordance with:
    • the contract, and 
    • supplier tender documents, and
    • good practice
  • To review, report and escalate as appropriate, risks arising from the execution of contracts in accordance with HNO requirements.

Getting started

A Project Manager taking on the management of a project is well advised to familiarise themselves with Transport Agency documentation, approach and requirements for risk management (both corporate and HNO). A sound understanding of the principles and practices of the discipline will amplify the Project Manager’s ability to guide project delivery from inception.

During the early phases of project development (strategic case) the principles of good risk management practice should be applied as part of project development, although it is unlikely that formal risk management documentation will exist. As the project moves forward into the phases involving contracted suppliers, the application of a more formal approach to risk management and development of the associated documentation should be a reflection of the project's increasing maturity.

Minimum standard Z/44 - risk management

Z/44 is applicable only within HNO Capital Projects and M&O contracts delivered through the SM030 suite of Contract Proforma. It provides suppliers with HNO specific requirements for the conduct of risk management. The intent of the standard is to promote consistent delivery from suppliers with regard to risk management services; including reporting and deliverables.

General or advanced approach

Project Managers must decide which approach to analysis is most appropriate to the project under consideration. Z/44 provides guidance, but this is solely based on project value, with the general approach being the default. However, the Project Manager must consider the level of risk perceived to exist to successful project delivery and therefore the level of detail considered appropriate in the representation of risk data and its subsequent analysis.

General approach

The general approach is applied in the early stages of the project lifecycle when maturity of project and risk data is low and application of the advanced approach, with its greater degree of detail and complexity of analysis, would not provide value for money. As the project evolves, its low value or, more likely, low risk may mean continued application of the general approach is the most suitable and cost-effective solution. The general approach is characterised by the assignment of semi-quantitative risk scores which represent a consequential likelihood banding system whereby risks can be ranked by importance.

Contingency estimates utilising this approach are formed from assessment by specialist interpretation.

Advanced approach

The advanced approach includes the general approach (to enable ranking of risks) but looks at the risks in more detail using quantitative risk likelihood and consequence data. This data is used as input for computerised statistical analysis modelling from which contingency values can be determined for use in cost estimates.

Strategic case

The focus at this early phase of the project lifecycle will be around the strategic fit of the proposal. Risks identified will be high level, and data will be immature and lack detail. Sound application of risk management from this early phase is one of the factors that contribute to successful transition through the business case process to project implementation.

Through this early phase the Project Manager should:

  • Manage risks identified against the current business case phase
  • Regularly review the programme of work to understand the delivery risks 
  • Establish an Activity Risk File (repository for risk data)
  • Record identified risks, their exposure (current and target), likely treatment and, where possible, treatment costs, using a project Risk Register and Action Register
  • Implement treatment actions against risks identified against future phases where appropriate
  • Maintain risk data to ensure currency
  • Record applicable assumptions, constraints and exclusions
  • Ensure corporate and HNO reporting requirements are met
  • Lead in demonstrating and encouraging risk management good practice for the programme of work

This phase, (typically) directly executed by HNO staff, leads into the programme business case phase at which point external resources are likely to be engaged to deliver the subsequent phases.

Programme business case to implementation

As the project lifecycle transitions through the business case phases the increasing maturity of programme data and clarity of understanding should be reflected in an increasing depth of maturity in the level of risk management data and application of risk management practices.

Inclusion of formal risk management, associated processes, practices and reporting will form part of the risk management discussion within the management case. Contracts for the delivery of programme, indicative and the detailed business cases as well as the resultant implementation phases of the project will be placed with external suppliers through the SM030 series of Contract Proforma. Risk management requirements for external suppliers are provided for through Minimum standard Z/44 - risk management.

The diagram below reflects the relationship between the minimum standard, SM030 proforma and the Transport Agency suite of risk management documents.

If the Project Manager has applied appropriate risk management from project initiation along with good maintenance of risk data, then the transition to (and from) an external resource should be enabled with minimum disruption. A pragmatic approach to risk management should be taken at all times and the first point of reference for Project Managers should be Minimum standard Z/44 – risk management.

Although Z/44 is a minimum standard, the emphasis is on the Project Manager making decisions on, and being fully engaged with, the degree of application and the conduct of risk management internally and by external suppliers as the project matures. The intent is to identify, analyse and evaluate risks at the earliest point in time, thus aiding in the reduction of exposure by encouraging proactive consideration and implementation of treatment solutions.

Relationship between NZ Transport Agency suite of risk management documents and Z/44 – Risk Management

It is the Project Manager’s responsibility to ensure risk management practices are effectively applied both in their role as a Transport Agency employee and as the manager for a HNO project in so far as their level of delegated authority enables.

Preparing contract documentation 

Contract documentation for the provision of services by external suppliers is provided through the Transport Agency’s contract proforma suite, namely SM030, SM031 and SM032. Minimum standard Z/44 is referenced within these proforma. Project Managers should ensure familiarity with Z/44 to ensure they are able to appropriately state their desired requirements for its application within the contract.

SM030 has content that stipulates requirements placed on the Professional Services provider regarding contractual compliance with Z/44.

SM031 has content that stipulates requirements placed on the contractor to liaise with the Professional Services provider to enable fulfilment of their contractual requirements under SM030 regarding compliance with Z/44.

SM032 has content that stipulates requirements placed on the contracted party(ies) regarding contractual compliance with Z/44.

Whichever contract proforma is utilised the Project Manager should consult Z/44 for guidance as to the level of application of risk management. Section 1 of Z/44 provides the following guidance:

  • This minimum standard is mandatory in M&O contracts
  • This minimum standard is mandatory in Capital Projects with an estimated total project delivery cost of more than $5 million
  • For Capital Projects of less than $5 million established controls may be considered to be adequate for the management of risk 
  • For Capital Projects which meet the requirements of the above point, aspects of this minimum standard may be applied as deemed appropriate by the client and will be stipulated within the supplier's contract.

The Project Manager must take a pragmatic approach to the application of Z/44 within each project under their management. For instance some projects may be considered low cost but may be high risk, typically for reasons relating to new/high technology or innovative content, or high profile/output criticality.

Z/44 has been written as a minimum standard; should the Project Manager wish to alter aspects of it, these amendments will need to be accommodated within the contract. It is anticipated that the minimum standard will satisfy the expectations of the Project Manager without the need for amendment clauses.

A component of the client-supplied information to Tenderers under SM030 and SM032 is the provision of the current Activity Risk File (ARF). As a project evolves through the early phase of the Business Case process (strategic), it is the Project Manager’s responsibility to create and maintain the ARF and its contents (however immature). As a project moves through its lifecycle, ownership of the ARF and therefore responsibility for its content and management will transfer between the Project Manager (as client) and the supplier. At all times the ARF is to be viewed as live and is to be maintained as such.

Tender review

When reviewing tender submissions the Tender Evaluation Team (TET) is tasked with reviewing the submissions against the issued Request for Tender (RFT). It is incumbent upon the TET to ensure thorough evaluation of tender submissions in relation to the requirements stipulated for risk management within the RFT. It is fully appreciated that a tenderer's response to risk management requirements will not determine who the winning bidder is. The value placed upon risk management within the tender evaluation process is minimal; however, it should also be appreciated that the existence of risk is unavoidable and its management therefore has an important part to play in aiding successful project delivery.

If the awarded supplier’s tender submission indicates a clear understanding of the risk management requirements within the RFT and a commitment to delivering good practice, then the Project Manager can anticipate entering into a contractual arrangement with confidence regarding the conduct of risk management. However, if the winning bidder’s submission did not provide a good degree of confidence, then the Project Manager must anticipate the need for a closer level of management and scrutiny of the supplier in this area of the contract. It is anticipated that Z/44 will drive the outcomes HNO require for risk management whatever the capabilities of the supplier, although a greater degree of Project Manager input may be required.

Particular attention by the TET should be given to:

  • Identifying supplier acknowledgment of the requirement to comply with Z/44  
  • Understanding of and commitment to, providing required risk management deliverables
  • Evaluating risk management resources proposed – suitably qualified and experienced
  • Evidence of supplier commitment to continuous improvement in relation to risk management.

Contract execution

Throughout the contract execution period the Project Manager is expected to monitor the supplier’s risk management conduct, ensuring not only that contractual requirements are being met ie in compliance with Z/44, but also that the services, documents, data and innovations offered within the supplier’s tender are being delivered.

The PACE system enables the Project Manager to provide feedback both internally to HNO and to the supplier on their conduct of risk management within the contract.

Risk contingency in estimates 

Estimates will be required throughout the project lifecycle and will therefore need to consider a value of contingency defined by the risks identified at the time of the estimate. The maturity of estimates will be matched by the maturity of the risk data and that maturity will be reflected in the value of contingency proposed. 

Estimates are generally undertaken by external suppliers as part of their engagement.

Contract deliverables - activity risk file (ARF) 

SM030 and SM032 require the provision of risk management related contract deliverables from the supplier; these are defined within Z/44 and are to be held within the Activity Risk File (ARF).

Z/44 requires the maintenance and delivery at contract completion of the ARF. The ARF contains the risk related documentation and data associated with the project. The ARF will be maintained by, and passed between, client and supplier depending where the project is in its lifecycle.

All risk related documentation is to be contained within an ARF. Where there is no existing ARF the Project Manager must initiate the creation of the ARF and ensure risk related data is captured and maintained. The expected content of an ARF is described within section 3 of Z/44.

At all times the ARF is to be viewed as live and is to be maintained as such.

Project Managers must ensure that the content of the ARF is as complete and up to date as is reasonably practicable prior to both hand over to a supplier and when taking delivery of same from suppliers. Failure to ensure the validity of the content of the ARF is likely to lead to downstream problems, particularly when ARF responsibility is transferred to a supplier or Project Manager who has not previously been involved in the project.

Escalation and reporting of project risks

Escalation is the upward promotion of risk from one management level to another. This promotion is intended to engender consideration of, and where appropriate direction on, significant risks by a higher level of management. For HNO contracts this means the escalation of risks to a Regional Management Team (RMT) or Decision Making Team (DMT).  

Initiation and management of risk escalation is the sole responsibility of the Project Manager. It is the Project Manager’s responsibility to review the project risk register and identify against the NZ Transport Agency corporate risk scoring system those risks requiring escalation.

Escalation within HNO contracts should be initiated where a risk:

  • May impact on the conduct of business objectives within HNO and/or the NZ Transport Agency
  • Exceeds a predefined Transport Agency risk score/level established to initiate escalation (as defined in the HNO Regional Risk Management Reporting & Review Hierarchy diagrams)
  • Has a consequence or requires action which is outside the delegated authority of the client representative (PM) responsible for the management of the contract.

Escalated risks are to remain within the contract risk register, and dependent on the delegated authority of the Project Manager may continue to be managed at the contract level, or management may transfer to a higher level within the Transport Agency.

The images in the hierarchy tab reflect the HNO review and reporting hierarchies for each of the regions and show the escalation path and review expectations for risks that exist within the two HNO work streams. 
