Programme and project risk management

What is risk management?

Risk management refers to the systematic application of principles, approach, and processes to identify, and assess risks, and then to plan and implement a suitable response.

The uncertainty connected to risk is often thought of in terms of a threat or a negative impact but can also be considered as a potential opportunity or a positive impact.

The risk management processes can be applied equally at strategic or corporate, programme, project, and operational levels.

Purpose

The purpose of risk management is to support effective decision making by dealing with risk in a way that is visible, repeatable, and consistent. A meaningful risk management process will provide an organisation with a better understanding of risks and their likely impact. In turn, this helps to ensure that an organisation makes cost effective use of a process that is based on a series of well-defined steps.

The key elements in effective risk management are to:

• identify - considering risks in context, how they could affect an organisation’s objectives and describing them in enough detail to ensure a common understanding. A risk should be described and detailed using the cause-event-effect model (cause = why the risk is happening, event = the actual risk that happened, effect = the impact on the programme/project)
• assess - ensuring that risks can be ranked in terms of estimated impact, how soon they are to occurring, and gaining an understanding of the associated level of risk
• control - describing how to respond appropriately to identified risks and then authorising, monitoring, and controlling these responses

Risk management guidance

Programme or project risks can arise from a variety of sources and an understanding of the business context is an essential first step. Risk registers or lessons learned reports from previous projects will point to where potential threats may arise. Generic lists of risk types can be useful to bring to facilitated workshops, providing stakeholders with a good starting point in the risk identification process.

Three excellent sources of best practice risk management guidance are:

• NI Audit Office – Good Practice Guide – Innovation and Risk Management
• UK Government - The Orange Book – Management of Risk
• The Cabinet Office's Management of Risk
• Association for Project Management Body of Knowledge

Generic risk management awareness has been provided across many NICS departments. The requirements of corporate governance applied in the public sector demands that organisations maintain, and regularly review, corporate risk registers.

Roles and responsibilities within risk management

The main risk management roles and responsibilities are:

• Senior Responsible Owner (SRO) - the SRO has overall responsibility for putting in place an effective risk management policy and process
• Sponsoring Group or Board - has key oversight responsibility for risk management processes, and a prime role in setting policy and approving action in the mitigation of risks
• Programme Manager or Project Manager - day to day risk management responsibility rests here; the programme or project manager has a key role in implementing risk management policy
• Risk owner - the person best placed to direct or take mitigating action against individual risks
• All staff - risk management is the responsibility of all staff in the organisation - staff will adopt various roles at different stages in the programme or project