Talha Asif — Infrastructure & PMO Executive

Blog

  • Crossrail: The £4.1 Billion Overrun That Taught the World About Mega-Project Controls

    The Scale of the Problem

    Crossrail — now the Elizabeth Line — is London’s newest and most celebrated rail link. 100 kilometres of route, 41 stations, a 21-kilometre central tunnel section under the city, and the capacity to carry 200 million passengers annually. When it finally opened to the public in May 2022, it was genuinely transformational for London’s mobility.

    It was also, by the time of opening, £4.1 billion over its 2010 budget and three and a half years behind its original completion target. The story of how that happened is one of the most instructive case studies in mega-project delivery available to infrastructure professionals anywhere in the world.

    The Original Budget and Schedule

    The 2010 budget for Crossrail was £14.8 billion. By the time the project reached its 2018 construction completion milestone — the point at which the new stations had been built and the central section tunnelling was complete — the cost had grown to approximately £17 billion. The project management team advised Transport for London and the government that the project would open in December 2018.

    It did not open in December 2018. The systems integration phase — the process of integrating train control software, rolling stock, station fit-out, and signalling infrastructure into a functioning operational system — proved far more complex and time-consuming than the programme had anticipated. Opening was deferred, then deferred again, through 2019, 2020, and into 2021 before supply chain disruption from the pandemic added additional complications. The final cost was approximately £18.9 billion.

    The Optimism Bias Problem

    The first failure mode in Crossrail’s delivery was optimism bias — the systematic tendency for infrastructure programs to underestimate cost and schedule at inception. The UK’s Treasury Green Book has incorporated optimism bias adjustments into its guidance for infrastructure investment appraisal since 2004. Despite that guidance, Crossrail’s original cost estimates and schedule were developed with insufficient allowance for the complexity and uncertainty that a program of this scale inevitably contains.

    The 2010 budget was a point estimate — a single number — rather than a range reflecting the genuine uncertainty of a program that would not be complete for 12 years. The construction cost growth that occurred between 2010 and 2018 was not random. It was the systematic resolution of scope uncertainty in ways that added cost: utility diversions that proved more complex than the survey data indicated, ground conditions that varied from geotechnical assumptions, contractor performance that did not meet programme expectations, and design development that added scope as the technical requirements of the central section became better understood.

    The Systems Integration Underestimate

    The most significant single source of delay in Crossrail was the systems integration phase — and it is the lesson most directly applicable to Saudi Arabia’s mega-project programs. Systems integration on a complex railway involves testing and validating the interaction of train control software, rolling stock software, signalling infrastructure, station systems, and network control systems in a sequence that must demonstrate operational safety before passengers can be carried.

    On Crossrail, the systems integration challenge was compounded by the sheer novelty of the central section — a purpose-built tunnel environment with technical systems that had not previously been integrated in this combination. Testing revealed issues that required software modifications, which required re-testing. The cycle of test-find-fix-retest consumed far more time than the programme had allocated.

    The lesson for Saudi Arabia’s rail and transit programs — where new systems are being commissioned at pace and scale — is clear: the systems integration phase must be planned with adequate time, resources, and contingency from the beginning of the programme. It is not a compression opportunity. It is a sequence that cannot be rushed without safety consequence.

    The Governance Failure

    Independent reviews of the Crossrail overrun consistently identified a governance failure in how the project team and the sponsor bodies — Transport for London and the government — communicated about programme status. The project team was aware of integration challenges and schedule risk well before the December 2018 opening was publicly committed to. The information did not reach the programme’s governance structure in a way that enabled timely decision-making.

    This is the governance lesson that translates most directly to the Saudi context: major programmes need honest schedule and cost assessment that reaches the decision-making level, not filtered reporting that tells sponsors what they want to hear. Building that honesty into the reporting culture — which requires sponsors who are genuinely willing to receive difficult news — is as important as building the technical systems that generate accurate data.

  • P3 Governance: What Good Looks Like and Why Most Programs Do Not Have It

    What Governance Actually Is

    The most common misconception about P3 governance is that it is a passive function — the public authority monitoring compliance, reviewing reports, approving change orders, and waiting for things to go wrong. This misconception produces governance structures that are technically present but operationally ineffective.

    Effective P3 governance is active management of a long-term commercial relationship. The distinction is not semantic. Passive oversight asks: is the concessionaire meeting the contract? Active management asks: is the concession delivering the outcomes the public needs, and what can the public authority do to support and improve that delivery?

    An authority that only monitors compliance and processes deductions is performing a fraction of the governance function that a P3 concession requires. Over a 25-30 year concession term, the difference between passive oversight and active management compounds into an enormous gap in outcomes — for the public authority, for the concessionaire, and for the communities whose services depend on the asset.

    The Four Functions of Effective P3 Governance

    Performance monitoring is the function that most programs establish first and most visibly. The public authority tracks availability metrics, performance indicators, and deduction calculations against the contract framework. On an availability payment P3, this is where the payment mechanism operates. The failure mode is over-complication: monitoring frameworks that track fifty indicators for a single facility generate data without generating insight. Design the monitoring regime around the metrics that drive payment outcomes and asset performance.

    Risk management is the function that governance frameworks most commonly underinvest in during the operational phase. The risk register was built during procurement. It gets reviewed annually if the program is disciplined, and ignored entirely if it is not. On a 25-year concession, risks that were theoretical at financial close will materialize in various forms: demand assumptions that prove wrong, technology that changes operational requirements in unexpected ways, geopolitical conditions that create force majeure events. Governance that treats risk management as a procurement-phase activity will always be reactive when these events occur.

    Relationship management is the governance function that receives the least formal attention and has among the highest impact on concession outcomes. The relationship between the public authority and the concessionaire across 25-30 years determines whether problems get solved collaboratively or litigated expensively. Governance structures should include mechanisms for regular senior-level engagement — not just performance reviews and deduction disputes, but genuine dialogue about operational challenges and emerging risks.

    The UK’s PFI experience demonstrates what happens when this dimension deteriorates. By the midpoint of many PFI concessions, the relationship between authority and operator had become adversarial enough that routine variation requests were treated as commercial battles. The governance framework had no mechanism to reset the relationship. The cost of that deterioration accumulated over years of sub-optimal concession management.

    Change management is the fourth governance function — technically the most complex and most consequential in rapidly changing markets. A hospital P3 signed in 2005 needs to manage new clinical technologies, changing bed configurations, updated infection control requirements, and evolving maintenance standards across its remaining concession period. Each change requires a variation mechanism that is pre-agreed, fairly priced, and fast enough to keep pace with operational reality. Programs that establish clear variation procedures at contract execution manage change as a normal operational activity. Programs that do not, renegotiate every change under conditions where the concessionaire holds significant leverage.

    The Metrolinx Governance Lesson

    The experience I described in earlier articles — where the Bowmanville CMAR program’s collaborative delivery model met Metrolinx’s traditional governance framework — illustrates this point clearly. The organization had rigorous oversight processes: multiple committee reviews, external advisors, approval layers designed to protect public expenditure. These served an important purpose. But when applied to a progressive contract model that required collaborative decision-making at the pace of design and construction, the oversight framework became a delivery constraint. Decisions that needed to be made in days took weeks. The contract was structured for collaborative speed. The governance was structured for sequential control. They were not designed to work together.

    That mismatch is not unique to Metrolinx. It is one of the most common delivery problems on complex programs globally. And it is entirely preventable if governance is designed as part of the delivery model, not imposed on top of it.

    What Saudi Arabia’s P3 Program Needs

    The NPS is creating a P3 program at scale. The transactions being procured now will require governance capability that many Saudi government entities are still developing. Several foundations are particularly important.

    Owner capability must be developed in parallel with transaction volume. Dedicated P3 governance units with appropriately skilled commercial managers, technical monitors, and legal advisors with concession experience need to be operational before the operational phase of the first concessions begins.

    Standardized governance frameworks across sectors reduce the cost of capability development and produce more consistent outcomes across the portfolio. The programs Saudi Arabia builds over the next decade will operate for 25-30 years each. The governance capability established at the start of that period shapes every outcome across its duration.

  • The PMO Gap in Saudi Construction: Why Project Management Office Capability Determines Program Success

    The PMO as the Backbone of Mega-Program Delivery

    Saudi Arabia’s Vision 2030 programs are among the most ambitious public investment commitments in history. NEOM. Diriyah Gate. Red Sea Project. Qiddiya. ROSHN. The giga-project portfolio collectively represents hundreds of billions of dollars of infrastructure investment being designed, procured, and delivered simultaneously across a country that is also managing the largest peacetime fiscal transformation in its history.

    The physical challenge of building at that scale is enormous. But the governance and management challenge — coordinating hundreds of concurrent projects, multiple delivery entities, thousands of contractors, and the interests of multiple government stakeholders across 10-30 year program horizons — is arguably greater. This is the challenge that the Program Management Office is designed to address. And it is the challenge where Saudi Arabia’s mega-programs are most consistently underequipped.

    What an Effective PMO Actually Does

    The misconception about PMOs in many organizations is that they are a reporting function — a team that collects status reports from project managers, compiles them into a dashboard, and presents the dashboard to leadership. This conception of the PMO is not wrong so much as it is insufficient. A reporting PMO is better than no oversight at all, but it is a fraction of what a high-performing program management office contributes.

    An effective PMO performs five distinct functions. Strategic alignment ensures that the portfolio of projects being delivered is consistently prioritized and resourced in alignment with the program’s strategic objectives — and that tradeoff decisions about which projects to accelerate, defer, or modify are made on the basis of strategic rationale rather than whoever is loudest in the project team meeting. Performance monitoring is the tracking function most PMOs perform — but done properly, it is not just status collection. It is the analysis of performance data to identify leading indicators of risk, compare actual performance against benchmarks, and surface issues before they become crises. Resource optimization addresses the allocation of the program’s shared resources — people, equipment, budget, contractor capacity — across competing project demands in a way that maximizes program throughput. Risk management at the program level identifies and manages risks that exist between projects — interface risks, shared resource constraints, cumulative schedule pressures — that individual project managers cannot see from their project vantage point. Knowledge management captures and shares lessons across the project portfolio, ensuring that the experience earned on early projects informs better decisions on later ones.

    The Gaps in Saudi Arabia’s PMO Capability

    The PMO capability gap in Saudi Arabia’s construction sector is real and well-understood by those working within it. It manifests consistently in several ways: project controls systems that generate data but not insight, reporting that describes what happened rather than predicting what will happen, interface management between concurrent projects that is reactive rather than proactive, and resource allocation decisions made by whoever applies pressure most effectively rather than by an analytical process.

    The root causes are organizational rather than technical. The tools to run an effective PMO — schedule management software, cost management systems, risk modelling tools, dashboard and reporting platforms — are available and often installed. The capability to use those tools for genuine analytical decision support — rather than compliance reporting — is the gap. That capability is a function of the people who run the PMO, the authority they have to access and analyze project data honestly, and the organizational culture that receives their output as decision-relevant information rather than as an accountability mechanism to be managed.

    Building PMO Capability for Vision 2030

    The path to effective PMO capability in Saudi Arabia’s infrastructure sector runs through several parallel investments. International PMO practitioners with giga-project experience provide the technical baseline. Saudi nationals trained in program management create institutional capability that persists through program transitions. Technology platforms — built specifically for construction PMO rather than adapted from corporate management frameworks — provide the analytical infrastructure. And organizational culture that treats honest, forward-looking program intelligence as valuable rather than threatening makes all of the above investments effective.

    Concept Dash’s PMO practice provides exactly this integrated capability for clients in Saudi Arabia. We design and staff PMO functions for major programs, implement project controls systems that produce genuine program intelligence, and build the local capability that allows Saudi program teams to manage these functions independently as programs mature. For an introduction to how we approach PMO design and implementation for programs at the scale of Saudi Arabia’s giga-project portfolio, visit pmo.conceptdash.ca.

  • PLAXIS Geotechnical Modelling in Saudi Arabia: Why Advanced Soil Analysis Matters for GCC Infrastructure

    PLAXIS Geotechnical Modelling in Saudi Arabia: Why Advanced Soil Analysis Matters for GCC Infrastructure

    Why Saudi Arabia’s Geology Demands Advanced Modelling

    The geotechnical conditions encountered on construction projects across Saudi Arabia are among the most complex and variable of any major construction market in the world. The Kingdom’s geology spans ancient crystalline basement rock in the western regions, deep sedimentary sequences in the Eastern Province, and the challenging near-surface soils of the central plateau — including sabkha deposits, gypsiferous horizons, and collapsible loess-type materials — that present significant engineering challenges for foundation and ground improvement design.

    Sabkha soils in particular — the evaporite-rich, saline, structurally sensitive soils found in coastal and near-coastal areas across the Arabian Peninsula — behave in ways that standard geotechnical design approaches were not developed to address. They are stiff when dry and heavily loaded, but vulnerable to collapse and significant settlement when wetted, or when load conditions change in ways that alter their moisture regime. Foundation designs that do not explicitly model this wetting collapse behaviour can fail to predict settlement magnitudes that lead to structural distress in the facilities built on them.

    What PLAXIS Does That Conventional Analysis Cannot

    Conventional geotechnical analysis — bearing capacity calculations, consolidation settlement estimates, simple slope stability analyses — produces useful design guidance for relatively uniform soil conditions under relatively straightforward loading scenarios. For the complex soil conditions and structural interactions of Saudi Arabia’s major infrastructure projects, conventional analysis has significant limitations.

    PLAXIS is a finite element geotechnical modelling platform that simulates soil and rock behaviour numerically, accounting for the complexity of soil-structure interaction that conventional methods simplify away. For a pile-raft foundation on a site with a complex layered soil profile, PLAXIS models the load distribution between the piles and the raft, the differential settlements that result, and the structural loads that those differential settlements generate in the raft structure — rather than treating the raft and the piles as separate elements with simplified interaction assumptions.

    For deep excavations — critical to metro station construction, basement development in urban Riyadh, and underground infrastructure in the giga-project programs — PLAXIS models the three-dimensional soil movements that surround the excavation, the interaction between the retaining structure and the surrounding ground, and the settlement impact on adjacent structures. This is the difference between knowing that the excavation support is structurally adequate and knowing how the surrounding ground will actually move as the excavation proceeds.

    Concept Dash’s PLAXIS Capability

    Concept Dash’s geotechnical team, led by Dr. Mahmoud Ibrahim, brings specialized PLAXIS modelling capability to infrastructure projects across Saudi Arabia and the GCC. Dr. Ibrahim’s expertise spans foundation design, ground improvement assessment, slope stability analysis, and the specific challenges of Saudi soil conditions — including sabkha behaviour, gypsiferous soil design, and the pile-raft foundation systems used extensively in Riyadh’s high-rise and heavy infrastructure programs.

    The PLAXIS capability we offer is not a modelling service applied generically to any geotechnical problem. It is a specialist service targeted at the problems where advanced numerical modelling produces design guidance that conventional analysis cannot provide: complex foundation systems, deep excavations in challenging ground, ground improvement design where the mechanism of improvement needs to be verified numerically, and slope stability analyses where the failure mechanism is not adequately captured by simple limit equilibrium methods.

    For infrastructure project teams in Saudi Arabia, the investment in PLAXIS analysis is typically recovered many times over in optimized foundation design, reduced ground improvement quantities, and confidence in design performance under the range of conditions the facility will experience. Foundation overdesign is expensive. Foundation underperformance is more expensive. Advanced numerical modelling closes the gap between the two.

  • Relocating to Riyadh: Learning an Entirely New Professional Operating System

    What I Prepared For and What Surprised Me

    When my family and I relocated to Riyadh in early 2025, I had prepared for the practical challenges: finding housing in a good school catchment area, sorting out the residency paperwork, researching the business registration requirements, lining up initial meetings before we arrived. I thought I was reasonably well prepared.

    What I was not prepared for was how different the texture of professional life would be. Not in ways that are better or worse than the Canadian professional environment I came from — just genuinely different in ways that take time to understand and genuinely adapt to, not just intellectually acknowledge.

    Decision-Making Pace

    The pace of organizational decision-making in the Saudi private and semi-private sector surprised me. When the right principal is in the room with genuine authority to act, decisions that would take weeks of committee review in a Canadian government context can happen in hours. For someone who spent years managing projects within Metrolinx’s governance framework — a structure designed for a provincial government agency with accountability to elected officials and public scrutiny — that speed is genuinely exhilarating.

    What takes longer is trust development. Business relationships in Saudi Arabia follow a different trajectory than their Canadian equivalents. In Toronto you can often move from initial meeting to commercial discussion in a relatively compressed timeline if the professional fit is clear. In Riyadh, the relationship needs to be established before business becomes a natural topic. That is not a cultural barrier. It is a different sequence — one where the investment in understanding each other as people comes first, and the professional collaboration follows naturally from that foundation. Professionals who try to skip that stage consistently underperform those who invest in it.

    The Language of Informal Relationships

    I arrived thinking that language would be my most significant barrier. I do not speak Arabic. I assumed that would be a constant obstacle in a country where Arabic is the language of government, daily life, and cultural life.

    In practice, the professional infrastructure and construction sector in Riyadh operates largely in English at the senior level. The language barrier I encounter is not in the formal meeting. It is in the informal conversation before and after the meeting — the human texture of relationship-building that happens in Arabic and that I cannot fully participate in. That matters more than I initially appreciated. Context gets built and relationships deepen in those informal moments. My Arabic deficit is felt there in a way it is not in the meeting room itself.

    My adjustment has been to invest in being present for those informal moments even when I cannot fully participate linguistically — to listen, to watch, to ask questions when appropriate, and to acknowledge honestly what I am still learning. It is a slower path. But it has been a more genuine one.

    Physical Scale and Ambition

    The physical scale of ambition in Riyadh has recalibrated my professional reference frame in ways that are difficult to convey without experiencing it directly. In Canada, a major infrastructure program at CAD 500 million is considered transformational. In Riyadh, programs at that scale are mid-tier. NEOM, Diriyah Gate, Red Sea Project, Qiddiya — these programs are operating at a scale that has no parallel anywhere else in the world right now.

    That recalibration changes what I bring to conversations. The framework I used for thinking about program complexity, risk management, and delivery governance needed to expand to match the scale of what is being attempted here. That expansion has been among the most professionally valuable aspects of the move.

    What I Would Tell Other Professionals Considering the Move

    It is more rewarding than it is difficult. But it is genuinely both. The professional opportunity in Riyadh for infrastructure and project management professionals with deep technical capability and the patience to build relationships properly is real and substantial. The scale of programs being delivered here creates demand for expertise that the Kingdom cannot yet fully supply domestically.

    Commit fully or do not come. The difference between professionals who are genuinely present in the market — living here, building relationships here, integrating into the city — and professionals who are passing through is visible and felt. My family is settled. My wife teaches. The children are in school. That commitment changes the quality of every professional relationship I have built here.

    Be patient with yourself and with the market. The recalibration takes time, and it should. A market that is building at this scale and this pace deserves professional humility from those of us who are learning it.

  • Saudi Arabia’s OTCC Framework: What Regulators Require and What It Means for Infrastructure Projects

    The Regulatory Context

    Saudi Arabia has one of the most developed OT cybersecurity regulatory frameworks in the Middle East. The National Cybersecurity Authority’s Operational Technology Cybersecurity Controls — known as the OTCC — establish the baseline requirements that critical infrastructure operators in the Kingdom are expected to meet. This is not a voluntary standard or a best-practice guideline. It is a regulatory expectation, and the NCA’s enforcement engagement across sectors has been progressively increasing.

    The OTCC applies to organizations that own or operate critical national infrastructure in Saudi Arabia: energy, water, transport, communications, health, and financial services. If you are delivering or operating infrastructure in any of these sectors in the Kingdom, the OTCC defines your regulatory baseline for OT security.

    The Five OTCC Domains

    OT Cybersecurity Governance is the first domain and the foundational one. It covers the organizational policies, roles, and responsibilities that define how OT security is managed at the institutional level. This includes having a designated OT security function — not just relying on the IT security team — documented policies for OT asset management, change control, and risk management, and integration of OT security into the organization’s overall risk management framework. Governance means accountability: someone in the organization needs to own OT security, have the authority to make decisions about it, and have the resources to execute those decisions.

    OT Risk Management is the second domain. It requires formal OT security risk assessments conducted on a defined cadence, maintenance of an accurate and current OT asset inventory (which most organizations do not have), and implementation of a risk treatment plan that addresses identified vulnerabilities in a prioritized and documented way. The risk management discipline the OTCC requires is not a one-time compliance exercise. It is an ongoing management practice that needs to be embedded in the organization’s standard operating procedures.

    OT Security Controls covers the technical measures that protect OT environments. Network segmentation between IT and OT networks is the most fundamental control — and the one most frequently absent in older facilities. Access controls including multi-factor authentication for remote connections. Configuration management for controllers and systems, ensuring that changes to OT system configurations are tracked, approved, and reversible. Patch management processes designed for the OT environment, which often cannot be patched on the same schedule as IT systems without affecting process continuity.

    OT Security Operations covers the monitoring, detection, and incident response capabilities that enable organizations to identify threats and respond to them. This is the area where most OT environments are most exposed. Network monitoring that is standard in enterprise IT — intrusion detection, anomaly alerting, traffic analysis — is frequently absent in OT networks. The monitoring gap is significant: you cannot detect and respond to threats you cannot see.

    OT Supply Chain Security addresses the security of third-party vendors, integrators, and service providers who have access to OT systems. This is particularly relevant for infrastructure projects where the controls vendor, commissioning team, and ongoing support provider all typically have remote access paths into the OT environment. The OTCC requires that these access paths be managed — not just opened and forgotten.

    What This Means for Project Design

    For infrastructure projects in design or construction, OTCC requirements translate into specific design decisions that need to be made while the project is still being engineered. Network architecture must provide appropriate IT/OT segmentation. Control system design must accommodate the access control requirements the OTCC specifies. Commissioning procedures must include OT security validation alongside process safety validation.

    The critical point is timing. These are not features that can be economically retrofitted after commissioning. They are design decisions. A network segmentation architecture specified at 30% design completion costs a fraction of what the same segmentation costs after a system has been commissioned with a flat network architecture.

    At Concept Dash, our OT cybersecurity team — working through our partnership with our NACSA-licensed cybersecurity partner — helps project teams translate OTCC requirements into design specifications and commissioning requirements before the design window closes. Reach out for a complimentary gap assessment if your infrastructure project has not yet addressed OT security in the design scope.

  • Riyadh Metro: What the World’s Largest Metro Construction Program Teaches About Multi-Package Delivery

    The Scale of the Ambition

    When Saudi Arabia’s government awarded the Riyadh Metro contracts in 2013, the program represented one of the most ambitious urban transit delivery decisions in history. Six metro lines. 176 kilometres of route. 85 stations. More than SAR 60 billion of construction contracts awarded simultaneously to five international consortia. And a delivery timeline that required a significant portion of the network to be operational within a decade.

    The delivery structure divided the network by corridor. The BACS consortium — a joint venture bringing together Bechtel, Almabani, CCC, and Siemens — took responsibility for Lines 1 and 2, the north-south and east-west spines of the network. The ANM consortium covered Line 3, the northern connector. The FAST consortium — combining FCC, Alstom, Samsung, Strukton, and Freyssinet — delivered Lines 4, 5, and 6.

    This multi-package structure was a deliberate choice. A single program management contractor managing the full network would have been the alternative — but the scale was too large and the timeline too compressed for a single entity to absorb the delivery risk. Dividing by corridor distributed the execution risk while maintaining a unified technical standard managed by the Royal Commission for Riyadh City as the program authority.

    What Made It Work

    The technical integration challenge — six lines from five consortia that needed to work as a seamless operational network — was addressed through a rigorous interface management framework. System-wide standards for track gauge, electrification, signalling, and rolling stock compatibility were established before the contracts were awarded. Each consortium built to those standards. The integration was achieved at the level of technical specification, not through a single delivery entity.

    The scale of international expertise brought to the program was exceptional. The consortium structure allowed Riyadh to draw on the combined experience of firms that had delivered metro systems across Europe, Asia, and the Americas. That expertise was not available in a single company. The multi-package approach made it accessible.

    The speed of delivery — from ground-breaking to initial operations on Lines 1-3 in under a decade — was enabled by parallel construction across all six lines simultaneously. A sequential delivery approach — complete one line, then start the next — would have been operationally simpler but would have extended the program by years. Parallel delivery required exceptional program management capability from the Royal Commission, but it achieved a network opening timeline that would have been impossible through any other approach.

    The Lessons That Apply Beyond Riyadh

    Interface management at program scale requires a dedicated function, adequate authority, and pre-agreed resolution mechanisms. When five consortia are building systems that need to work together, interfaces between their work packages are the single most dangerous source of delay and dispute. The Riyadh Metro program established an interface management framework that identified interface events, assigned ownership, and tracked resolution. That function needs to be resourced as a first-class program management activity, not a secondary coordination role.

    Owner capability must grow with program scale. The Royal Commission for Riyadh City developed substantial program management capability through the Metro delivery. That institutional growth — in commercial management, technical oversight, and stakeholder management — was a program outcome as valuable as the physical infrastructure. It positioned the Kingdom for the next generation of urban transit programs with a depth of institutional experience that did not exist before.

    Rolling stock and systems integration timelines control operational readiness more than civil works timelines. The most common source of metro opening delays globally is the integration of train control systems, rolling stock, and civil infrastructure into a functioning operational system. Building the systems integration timeline into the master program schedule from the beginning — with appropriate float and staged commissioning sequences — is essential for realistic operational readiness planning.

    The Western Station — Riyadh Metro’s most architecturally significant station, now complete and operational — represents the program’s highest-profile delivery. Its opening marks a milestone in a program that has genuinely transformed the mobility infrastructure of one of the world’s fastest-growing cities. The lessons of how it was delivered will inform transit programs across the region for the next generation.

  • Schedule Risk in Mega-Programs: Leading Indicators That Prevent Delay

    The Schedule Failure Pattern

    After managing rail corridor projects, highway rehabilitation programs, and billion-dollar transit delivery at Metrolinx, I have observed a consistent pattern in schedule failures on large infrastructure programs: the delay is visible in the data long before it is acknowledged in the report.

    The projects that finish late almost always showed warning signs six to twelve months before the delay became undeniable. Those warning signs were present in the schedule data, in the procurement lead time tracking, in the RFI log, and in the change order trend analysis. But the systems that would have aggregated those signals into an early warning were absent, or the culture that would have surfaced the warning to decision-makers was not in place.

    The problem on most delayed mega-programs was not that the delay could not have been seen coming. It was that no one was looking for it systematically and honestly.

    The Difference Between Leading and Lagging Indicators

    A lagging indicator tells you what has already happened. Schedule performance index, actual progress against planned progress, percentage complete — these are lagging indicators. They tell you, with accuracy, that you are behind. They do not tell you why, or how far behind you will be at completion, or what to do about it.

    A leading indicator tells you what is likely to happen if current conditions persist. A leading indicator for schedule risk might be the trend in RFI response time — if the designer is taking three weeks to respond to RFIs that should be turned around in three days, that is a leading indicator of design coordination problems that will create field disruption in 4-8 weeks. Or the trend in planned versus actual drawing release dates — if drawings are consistently releasing two weeks later than the schedule requires, the construction activities dependent on those drawings are carrying two weeks of unplanned float that will eventually become a delay.

    Effective schedule risk management requires both, with an emphasis on leading indicators proportional to the time horizon of the program. A mega-program with 48 months of construction remaining needs a robust leading indicator system. A program with 6 months remaining needs lagging indicators — there is no longer enough time for leading indicators to produce actionable early warning.

    Critical Path Monitoring

    The critical path is the sequence of activities that determines the project’s completion date. Monitoring the critical path means monitoring the activities on that sequence — their progress, their resource loading, their dependencies, and the float that separates them from near-critical activities that could become critical if conditions change.

    On complex mega-programs, the critical path is not static. It migrates as work advances, as sequence changes are approved, as acceleration or de-acceleration of different work packages changes the relative timing of activities. A project control system that identifies the critical path at baseline and monitors it without reassessing which path is actually critical at any given point in the project lifecycle is providing false assurance.

    I built Project Management dashboards at Metrolinx that integrated critical path monitoring with a four-week lookahead schedule, current EAC variance reporting, and change order trend analysis. That integration — seeing critical path progress, near-term lookahead, cost trajectory, and commercial trend in a single view — is what enables proactive management rather than reactive reporting.

    Recovery Planning: When to Invoke It and How

    Recovery planning — the development and analysis of schedule recovery strategies — should be triggered by leading indicator signals, not by the point at which delay has become undeniable. When the leading indicators are trending negative and the critical path analysis shows a completion exposure, that is the time to develop recovery options — before the delay has materialized in the schedule record.

    Recovery options fall into several categories: acceleration of critical activities through additional resources or extended work hours; sequence changes that allow work to proceed in parallel rather than in series; scope adjustments that defer non-critical scope elements to reduce the critical path duration; and commercial mechanisms that realign incentives toward delivery performance.

    Each recovery option has a cost, a feasibility constraint, and a time horizon for effectiveness. Recovery planning is the analysis of which options are available, what they cost, and which combination produces the best balance of schedule recovery and cost exposure. It is a professional planning discipline, not a crisis response exercise. Treating it as the latter produces worse outcomes than treating it as the former.

    Building a PMO Control System That Catches Problems Early

    The organizational capability that makes leading indicator monitoring possible is the program management office — specifically, a PMO with the analytical capability to synthesize data from multiple systems into early warning signals, and the organizational authority to surface those signals to decision-makers without them being filtered by project teams protective of their schedule.

    The PMO design choices that matter most for schedule risk management are: independent reporting authority (the PMO should report to program leadership, not to the project team whose schedule it is monitoring), analytical depth (schedule analysts who can interrogate the programme rather than just read it), integration with procurement tracking (schedule risk almost always has a procurement component), and a cadence of honest schedule assessment that is separate from the project team’s status reporting.

  • What an OT Security Assessment Actually Involves: A Practical Guide for Infrastructure Projects

    Making OT Cybersecurity Practical

    Over the past weeks I have made the case that OT cybersecurity is an engineering design problem, not an IT department problem. This article makes that case practical: what does an OT security assessment actually involve, what does it produce, and what does it mean for the way a project is designed and delivered?

    What an OT Security Assessment Is

    An OT security assessment is a structured evaluation of the cybersecurity posture of an operational technology environment. It covers the systems that control physical processes — PLCs (Programmable Logic Controllers), SCADA systems (Supervisory Control and Data Acquisition), DCS (Distributed Control Systems), SIS (Safety Instrumented Systems), HMI workstations (Human Machine Interfaces), and the network infrastructure that connects them.

    For infrastructure projects, the most relevant international framework is IEC 62443 — the international standard for industrial automation and control systems security. In Saudi Arabia, the NCA’s Operational Technology Cybersecurity Controls (OTCC) establish the regulatory baseline. These two frameworks overlap significantly and together define what good OT security looks like in this region and market.

    Scope of a Comprehensive OT Assessment

    Asset inventory and identification is the starting point. This sounds simple; it rarely is. Most operational facilities do not have an accurate, current inventory of their OT assets — what controllers they have, what software versions they run, how they are connected, who has access to them. Building that inventory is a prerequisite for everything else. Without it, you cannot assess vulnerability, cannot prioritize mitigation, and cannot demonstrate compliance.

    Network architecture review examines how the OT network is structured and how it relates to the corporate IT network and external connectivity. The fundamental principle of OT network security is segmentation — the OT network should be separated from the IT network by a defined boundary (typically a demilitarized zone) that controls and monitors the flow of information between them. Many operational facilities, particularly those built before OT cybersecurity became a serious design consideration, have flat network architectures where IT and OT systems are on the same network segment. This is the condition that made the Triton attack possible: the attackers could reach the safety controllers from the corporate network because the segmentation boundary did not exist.

    Vulnerability assessment identifies specific known vulnerabilities in the OT assets identified in the inventory. OT systems run specialized software, including real-time operating systems, controller firmware, and HMI applications that often run on versions of Windows that are no longer supported by Microsoft — because the OT vendor’s engineering software has not been updated to run on current Windows versions and the vendor’s update schedule is not aligned with Microsoft’s. This creates a patching problem that is fundamentally different from IT security: in IT, the answer to an unpatched operating system is to update it; in OT, the update may break the process control application, and the update cycle is measured in years, not months.

    Access control review examines who has access to OT systems and how that access is managed. Remote access — used by controls vendors for monitoring and support — is one of the most significant and most undercontrolled access paths in OT environments. Many OT systems have remote access channels installed by vendors during commissioning that remain active, unmonitored, and without multi-factor authentication for the life of the system.

    Incident response assessment covers the organization’s capability to detect, respond to, and recover from OT security incidents. In most OT environments, this capability is underdeveloped or absent. There is no OT-specific incident response procedure. There is no OT network monitoring that would alert operations staff to anomalous activity. The water treatment attack in Oldsmar, Florida succeeded in reaching the SCADA system because there was no monitoring that would have detected the intrusion — it was caught by a human who happened to be watching.

    Assessment Output and Project Integration

    A properly scoped OT security assessment produces a risk-ranked findings report, a gap analysis against the applicable framework (IEC 62443 and/or NCA OTCC), and a remediation roadmap that prioritizes findings by risk level and provides specific technical and procedural recommendations for each.

    For projects in design or construction, the assessment findings translate directly into design specifications. Network segmentation requirements become network architecture drawings. Access control requirements become commissioning standards. Monitoring requirements become scope items for the control system integrator.

    This is where the design stage timing matters most. Incorporating OT security requirements into the design scope costs a fraction of retrofitting them after commissioning. A network segmentation architecture specified at 30% design becomes a standard part of the control system procurement. The same requirement identified after a system has been commissioned requires physical network modifications, software reconfiguration, and often a controls vendor engagement that costs 10-20 times what the original specification would have cost.

    Concept Dash’s OT cybersecurity team offers complimentary gap assessments for infrastructure operators in Saudi Arabia. If your facility or program has not addressed OT security in the design scope, reach out before the design is committed — not after.

  • Australia’s PPP Maturity Journey: 30 Years of Lessons for Saudi Arabia’s P3 Program

    The Early Failures: Demand Risk and the Toll Road Experience

    Australia was among the first countries to develop a substantial P3 program for infrastructure delivery, beginning in earnest in the 1990s. The early transactions were focused on toll roads — an asset class where the demand risk case for private sector financing seemed clear. Build a road, charge users, let the private sector earn a return from the traffic it generates.

    Several of these early transactions produced serious financial problems. The Sydney Cross City Tunnel, the Lane Cove Tunnel, and the Brisbane Airport Link all experienced demand shortfalls severe enough to push concession companies into administration or financial restructuring. Traffic forecasts — used to justify the project’s financial structure — proved significantly optimistic. The private sector had accepted demand risk under the assumption that traffic would follow the infrastructure. In several cases it did not, at least not quickly enough to service the project’s debt.

    The political response was significant. Governments had guaranteed minimum revenue on some transactions and were called upon to make payments that had not been budgeted. Public perception shifted toward skepticism about whether private sector involvement produced value for taxpayers or simply shifted risk to them through the back door.

    The Adaptation: Availability Payments and Social Infrastructure

    Australia’s response to the toll road failures was to shift P3 activity toward social infrastructure — hospitals, schools, courts, correctional facilities, and public transport — using availability payment structures rather than user fee concessions.

    The availability payment model addressed the demand risk problem directly. Instead of the private sector earning revenue from users — and bearing the risk that user demand would not materialize — the government paid a service fee conditional on the asset being available and performing to standard. Demand risk stayed with government. The private sector bore construction risk and performance risk — risks they could actually manage.

    This shift produced much more stable outcomes. Social infrastructure PPPs delivered under availability payment structures in New South Wales, Victoria, and Queensland delivered assets on time and on budget at rates significantly better than equivalent public procurement. Performance monitoring frameworks kept concessionaires accountable through the operational phase. The experience built institutional confidence on both sides — government procurers who understood how to structure transactions and concessionaires who understood how to deliver them.

    The National PPP Guidelines

    One of Australia’s most significant contributions to global P3 practice was the development of standardized national procurement guidelines — the National Public Private Partnership Policy and Guidelines — establishing a consistent framework across all Australian jurisdictions.

    These guidelines established standard risk allocation positions across infrastructure types, reducing the transaction cost of P3 procurement by giving bidders predictable starting points. They required public sector comparator analysis — demonstrating that private finance produced genuine value relative to public procurement — as a discipline against optimistic assumptions about the cost of risk transfer. They established market engagement principles requiring government to consult with potential bidders during transaction development to test market appetite and identify structural barriers to competition.

    The standardization produced genuine efficiency gains. Transaction costs fell as bidders became familiar with the framework. Bid preparation costs declined as document formats and due diligence requirements became predictable. Competition improved as the market developed a class of experienced bidders who could assess and price P3 risk reliably.

    The Financing Market Depth

    One of the most significant differences between a mature P3 market and an emerging one is the depth of the domestic financing market. Australia’s P3 program developed alongside a deep superannuation fund sector — large institutional investors managing retirement savings with long investment horizons and preference for stable, inflation-linked returns that align well with availability payment P3 cash flows.

    This domestic capital base reduced Australia’s P3 dependence on international financing markets and produced more competitive financing terms than programs that rely primarily on bank debt. It also created a class of sophisticated infrastructure investors who understand the asset class and can deploy capital efficiently on new transactions.

    The Most Valuable Lesson

    The most important lesson from Australia’s P3 maturity journey is that getting the framework right takes iteration. No market gets it perfectly right the first time. What distinguishes markets that develop strong P3 programs is not that they avoided mistakes — Australia made significant mistakes — but that they learned from them systematically and adapted their frameworks in response.

    Saudi Arabia is moving faster than Australia ever did. The 220-transaction NPS target by 2030 is an ambitious pace that creates opportunity and risk simultaneously. The opportunity is transformational public asset delivery. The risk is scaling faster than the institutional capability to manage the program develops. Australia’s experience suggests that investment in institutional capability — in the people, systems, and frameworks that govern P3 programs through their operational phase — is as important as investment in the transactions themselves.

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by