Managing Risks and Issues

Risk Management

Risk is any uncertainty, potential threat or occurrence that may prevent you from achieving your objectives. It may affect timescale, costs, quality or benefits. All programmes are exposed to risk in some form, but the extent of this will vary considerably.

The purpose of risk management is to ensure that:

• Risks on programmes are identified and evaluated in a consistent way.
• Recognised risks to programme success are addressed.

You cannot use risk management to eliminate risk altogether, but it will enable you to avoid it in some instances or minimise the disruption in the event of its happening in others. When a programme sponsor approves a programme, he or she does so in full knowledge of the stated risks, and accepting the consequences should things go wrong.

The steps are:

• Identify: Log all the risks that may potentially jeopardise the success of the programme.
• Estimate: Review each risk in turn:
  • assess the likelihood of the risk occurring;
  • assess the severity of the impact on the programme if it occurs.
• Evaluate: Use a risk matrix to determine the 'risk category' (high, medium or low) to help you assess how acceptable the risk is.

Depending on the risk category, take action as follows:

• High risk: Take definitive action to prevent or reduce risk. Reconsider the viability of the programme before proceeding further.
• Medium risk: Take action to prevent or reduce risk where appropriate. Prepare a contingency plan if risk cannot be reduced. Manage risk and implement contingency plan where necessary.
• Low risk: Take action to reduce risks if cost effective. Monitor risk — it may become more significant later.

Taking positive steps to reduce the possible effects of risk is not indicative of pessimism, but is a positive indication of good programme management. Many possible options exist for reducing risk, including:

• Prevention, where countermeasures are put in place either to stop the threat or problem from occurring or to prevent it having any impact.
• Reduction, where the actions either reduce the likelihood of the risk developing or limit the impact on the programme to acceptable levels.
• Transference, which is a specialised form of risk reduction where the impact of the risk is passed to a third party via, for instance, insurance.
• Contingency, where actions are planned or organised to come into force as and when the risk occurs.
• Acceptance, where the organisation decides to go ahead and accept the possibility that the risk might occur and is willing to take the consequences.

Consider also:

• bringing risky activities forward in the schedule to reduce the impact on the programme outcome if they are delayed;
• modifying the programme requirement to reduce aspects with inherently high risk, for example, new, leading-edge technologies;
• allowing appropriate time and cost contingencies;
• using prototypes and pilots to test the viability of new approaches.