What is a program risk methodology?
Most of us are familiar with the process of risk management; identify, analyse, manage and so on- if you want more information it’s quite nicely bundled up within the International Standards for Risk Management: ISO 31000:2009. However, the concept of a program risk management methodology seems quite foreign to most.
A program risk methodology defines for an organisation the overview for the process of risk management. Rather than practically identifying risks; it states how risks should be identified, the methods that should be used, the people who should be involved and even the documents and templates which are appropriate.
Not all organisations adopt the same approach to risk management. I have found that whilst some organisations approach risk management with military precision, like an organised unit perfectly orchestrated to deliver results, others use a much looser approach, fumbling their way through the dark. The difference in these approached can be considered as the differences in the implementation of the risk management methodology.
Components of a program risk methodology
The program risk methodology runs parallel to the risk management process, and as it should; it defines it.
Risk Management Planning
The starting point is risk management planning, this will consider the context and operating environment of the organisation, the organisations risk appetite, the key risk areas and those categories which the organisation is more sensitive to than others.
The risk management plan aims for a consistent risk management process across the organisation. This is important to minimise misunderstandings and retraining of staff migrating across areas, to enable risk comparison across projects; such as risk ratings, as well as to enable the organisation to adopt a single language with clear meanings for otherwise ambiguous terminology.
The risk management planning process is generally conducted by senior management and embedded through the organisation in the form of risk management plans; becoming the practical document (or set) to manage risks at a project or program level.
Given the nature and complexity of the projects implemented by the organisation, there may be several project management plans in existence. These are often separated by a dollar value; generally, the total project’s investment. This separation allows organisations the ability to increase the rigour of risk management when they have a lot at stake, whilst keeping a more efficient process for lower value projects.
The risk management plan should provide:
- An overview of the risk management process
- Roles and responsibilities of key personnel
- Approval requirements and delegated authorities for risk acceptance
- Standard definitions for terms
- Processes for incorporating lessons learnt from past projects
- Processes for collecting and documenting lessons learnt for future projects
- Processes for establishing the context
- Methods for tracking and reporting risk
- Mechanisms for adjustment based upon context
- As well as those prescribed in the following sections; methods for:
- Risk Identification
- Risk Analysis
- Risk Treatment
Risk Identification
Risk identification is the iterative process of bringing risk events to light. The program risk methodology should prescribe the methods by which risks are identified. They should allow project or program managers to lead risk identification in a manner representative of best practice consistently across the organisation.
The following is a guide on what should be included in the program risk identification component;
- Provides a clear definition of a risk;
- For example, separates threats and opportunities or references a standard definition e.g. ISO 31000:2009
- Set the initial timeframe for risk identification
- For example, must be performed prior to approval
- Sets iterative timeframes for identification
- For example; monthly, in line with status reporting
- Provides an indication of the number and types of stakeholders who should contribute
- Provides tools and templates for risk identification
- For example: Risk registers, brainstorming, root cause analysis etc.
- Provides risk categories
- Provides historical project risk events
Risk Analysis
Risk analysis is the process of separating risks, to prioritise, treat, track and report. Commonly risks are analysed through the consideration of two dimensions; how likely they are to occur and the consequences if they do occur.
Since there are infinite ways of calculating risks, the program risk methodology needs to articulate exactly how risks will be analysed. This should be consistent across the organisation in order to compare project risk ratings.
Some of the instructions which should be included are:
- Consistent terminology
- For example; will we use consequence, impact, severity and probability, likelihood, chance etc.
- Risk analysis methods; qualitative and or qualitative
- The frequency of analysis to consider the changing environment
- The scales which should be used to determine probability
- The scales which should be used to determine consequence
- A guide on to the sources of information where reliable data can be accessed
- A guide on the number of and types people to reduce bias
Risk Treatment
Risk treatment is a decisive measure usually involving the application of effort to effectively lower the negative risks faced in a project. Risks are generally treated at project level through one of four methods: avoidance, mitigation, transfer or acceptance.
The program risk methodology should provide some practical guidance as to situations in which the different methods should be employed. The risk treatment section should consider the following:
- The risk category
- g. Financial vs Safety
- The organisations risk appetite
- The considerations and tests for adequate controls
- The authority required for risk acceptance based upon rating
- For example, who needs to authorise accepting a high risk
Risk Tracking
Risk tracking deals with monitoring the environment, risks and effectiveness of controls. This is based upon the fact that risks are dynamic and as the risk management approach needs to reflective of this. Some of the considerations of risk tracking include:
- Frequency of monitoring
- Methods for tracking risks
- Methods of documenting changes in risks
- Methods of communicating changes in risks
- Methods and frequency of scanning the operating environment
- Methods of tracking effectiveness of risks
- Methods of monitoring residual risks
- Methods for identifying and monitoring secondary risks
- Methods, frequency and personnel for communicating risk status
Risk Review
Risk review considers the effectiveness of the risk management process. The risk management plan should include a methodology for conducting an effective review. Some of the factors which should be considered include:
- When a review should be conducted
- For example: after a stage, approval gate, end of project
- The personnel who should be involved
- The authority who should sign off and accept
- How the review will be communicated
- How the lessons learned will be passed on to future projects