The Water Industry Development Project (WIDP) is an illustrative PHC project record informed by publicly available sector programmes, representative of the kind of regulated infrastructure delivery seen across the sector. The programme reflects a major step-up in water and wastewater infrastructure activity, with investment directed toward improving service resilience, protecting rivers and coastal waters, reducing storm overflow impact, upgrading treatment assets, developing new water resources, and strengthening long-term environmental performance.
This PHC project is a structured example showing how the PHC Service could support a large regulated infrastructure programme by improving visibility of risks, issues, actions, evidence, decisions, and delivery status across multiple projects, contractors, disciplines, and stakeholder groups.
Overall: Executive Summary
A practical 90-day mobilisation plan for strengthening major-project risk governance across a company programme-style delivery environment. The focus is to establish a reliable risk operating rhythm that connects risk identification, partner register integration, QSRA/QCRA, P50/P80 milestone confidence, mitigation follow-up, contingency advice and senior leadership reporting.
The aim is not to replace existing company PMO, Riskonnect/ARM, planning, cost, change or NEC processes, but to reinforce them by improving risk visibility, ownership, data quality, escalation and decision support.
[+] Purpose
Create a trusted major-project risk operating rhythm:
clear risk ownership
consistent partner risk integration
credible QSRA/QCRA inputs and outputs
visible mitigation follow-up
decision-ready P50/P80 and contingency reporting
The purpose is to make risk management active and useful: a practical control discipline that helps project teams, delivery partners and senior leaders understand what is changing, what needs attention, and where intervention is required.
[+] What “Success” Looks Like (by Day 90)
By Day 90, the company’s major-project leadership has a clearer and more trusted view of risk exposure across selected programme projects:
key project and partner risks are visible in one integrated view
risk registers contain clearer descriptions, causes, impacts, owners and mitigations
partner monthly updates are received, quality-checked and integrated consistently
QSRA/QCRA refresh requirements are understood and prioritised
P50/P80 milestone confidence and contingency implications are presented clearly
mitigation actions, overdue reviews and emerging issues are actively tracked
senior leadership reporting highlights movement, exceptions and decisions required
The overall success measure is that risk management is seen as a live delivery-control process, not just a periodic reporting exercise.
Phase 1: Days 1–30 (Stabilise & Baseline)
Phase 1 is about understanding the current risk environment and establishing a credible baseline. The first priority is to learn how the company’s major-project risk process currently operates: the risk framework, Riskonnect/ARM configuration, partner inputs, reporting rhythm, QSRA/QCRA practice, planning and cost interfaces, NEC early-warning links, and escalation routes.
The output is a practical baseline of current risk visibility, data quality, ownership, mitigation status and immediate control gaps.
[+] Objectives
Understand the current risk management framework, governance rhythm, tool usage and stakeholder expectations.
Establish a reliable baseline of key project risks, partner inputs, mitigation actions, review status and immediate decision needs.
Identify where risks are visible, where they are fragmented, and where mitigation follow-up may be vulnerable to drift.
Risk framework review: understand current risk standards, scoring rules, ownership model, escalation thresholds, reporting cadence and Riskonnect/ARM workflow.
Register quality check: sample key project and partner risk registers for clear descriptions, cause-event-effect logic, ownership, scoring, mitigation actions, review dates and residual exposure.
Partner update review: confirm how monthly external partner risk updates are submitted, challenged, integrated and reported.
QSRA/QCRA readiness scan: identify which projects require schedule/cost risk refresh, whether schedules and estimates are suitable, and what assumptions or data gaps exist.
Key stakeholders identified and engagement rhythm started.
Selected project and partner risk registers reviewed for data quality and completeness.
Immediate overdue reviews, weak mitigations and missing partner updates identified.
Initial QSRA/QCRA readiness and priority projects understood.
First risk-team working view established: what needs attention now.
Phase 2: Days 31–60 (Align & Standardise)
Phase 2 turns the baseline into a more consistent operating model. The focus is to standardise partner risk submissions, improve register quality, connect risks to schedule and cost drivers, and prepare or refresh QSRA/QCRA outputs where they are most valuable.
This phase establishes the practical link between risk data, mitigation action, P50/P80 milestone confidence, cost exposure and contingency advice.
[+] Objectives
Create a more consistent and integrated view of internal and external partner risks.
Improve the quality of risk descriptions, ownership, mitigations, review dates and residual exposure updates.
Refresh or prepare QSRA/QCRA processes so that quantified outputs support delivery decisions, not just reporting.
[+] Actions
Partner register standardisation: define a simple monthly submission standard covering risk description, cause, event, consequence, owner, score, mitigation, status movement and evidence.
Integrated risk view: combine partner and project risks into a coherent programme view while preserving source ownership and accountability.
Duplicate/gap review: identify repeated risks, missing interface risks, inconsistent scoring, unclear ownership and partner risks that affect more than one project.
QSRA refresh: test schedule readiness, confirm logic quality, identify constraints/lags, apply activity uncertainty and map discrete schedule risks to affected milestones.
QCRA refresh: review estimate readiness, basis of estimate, uncertainty ranges and discrete cost risks affecting contingency and outturn cost confidence.
Risk review workshops: challenge assumptions, agree ranges, validate risk impacts and confirm mitigation ownership with planners, cost leads, project managers and risk owners.
Dashboard working view: build a risk-team control surface showing overdue reviews, missing partner updates, weak mitigations, unowned actions, exposure movement and escalation points.
[+] Deliverables by Day 60
Partner Risk Integration Standard v1: submission rules, quality checks, update frequency and escalation route for missing or weak updates.
Integrated Programme Risk View v1: consolidated view of key project and partner risks, with ownership retained at source.
Monthly partner risk updates received and quality-checked against a common standard.
Key risk registers show improved descriptions, ownership, mitigations and review discipline.
Priority QSRA/QCRA refresh requirements agreed with planning, cost and PMO leads.
Risk-team dashboard highlights current exceptions and overdue follow-up items.
Mitigation actions are being tracked with clearer owners, dates and evidence expectations.
Phase 3: Days 61–90 (Embed & Improve)
Phase 3 embeds the risk operating rhythm so that risk management becomes a predictable part of major-project delivery. The focus is on leadership reporting, P50/P80 confidence, contingency recommendations, partner accountability, mitigation effectiveness and continuous improvement.
By the end of this phase, the risk process should be moving from individual effort to repeatable team capability.
[+] Objectives
Embed a sustainable risk review and escalation drumbeat across selected major projects and external partners.
Provide senior leadership with clear risk insights, P50/P80 milestone confidence, contingency implications and decisions required.
Ensure risk reporting shows movement, mitigation effectiveness and emerging exposure rather than static lists.
[+] Actions
Leadership risk pack: present key exposure movement, P50/P80 milestone confidence, contingency implications, top risks, weak mitigations and decisions required.
Contingency advice: link QCRA outputs, discrete cost risks, mitigation status and residual exposure to contingency drawdown or protection recommendations.
Mitigation effectiveness review: assess whether completed actions have genuinely reduced exposure or whether residual risk needs updating.
Partner performance rhythm: review monthly partner risk update quality, variance, late submissions and unresolved interface risks.
NEC/change link: strengthen connections between risk process, early warnings, compensation events, change control and schedule/cost impact.
Continuous improvement: refine templates, dashboard views, meeting cadence, escalation triggers and reporting format based on stakeholder feedback.
Sustainability: document the operating rhythm so that the process can continue without heroics or single-person dependency.
[+] Deliverables by Day 90
Major Projects Risk Operating Rhythm: review cadence, partner update cycle, escalation rules, ownership expectations and reporting calendar.