Chapter 11
In This Chapter
Understanding the principles of risk management
Taking a perspective on risks in different parts of the programme
Using the risk-management approach
Applying the risk-management process
By definition, any activity (such as your shiny new programme) that seeks to achieve benefits through change is going to include a certain level of uncertainty ‒ in other words, risk. You can't avoid this reality. Risk isn't something to avoid at all costs (like saying, ‘Do you want me to drive?’ when your partner is fuming behind the wheel after taking yet another wrong turn), which is why I call this chapter ‘Managing Risk in Your Programme’ and not ‘Avoiding Risk in Your Programme’.
Risk management is a big subject, and in this chapter I take a broad look at risks in the context of a programme. Plenty of risks can arise within a typical programme, so as well as covering the principles and terminology used, I also discuss the perspectives, which are the different parts of the business in which risks can appear (this practice is quite different from project risk management). When running a programme you're constantly judging whether you need to manage risk in one perspective or another.
In addition, I cover the risk management approach (another name for all the risk documents that you can use) and I look at the processes you can follow when you're managing risks.
Crucial to dealing effectively with the risks that your programme faces is understanding the difference between a risk and an issue:
You calculate the size of a risk as follows:
Probability of Threat or Opportunity × Magnitude of Impact
Sitting at the centre of the programme you're interested in are risks and issues that matter to you and come from those parts of the environment where the programme is having an effect. Here are a few examples:
A programme's context is necessarily complex, dynamic and uncertain. Indeed, you want to maintain a certain level of uncertainty within the programme in order to maximise innovation and allow for a flexible boundary (I discuss the boundary to the programme in more detail in Chapter 4 about principles, and Chapter 7, where I look at the documents where you describe the programme boundary). Therefore you need to manage and tolerate uncertainty, complexity and perhaps even ambiguity.
I audit lots of Risk Registers (which I define in the later section ‘Gotcha! Capturing risks with the Risk Register’) and one of the largest and most common mistakes I see is that the risks aren't stated in a clear and unambiguous way. Therefore I find the basic language of risk, as shown in Figure 11-1, invaluable. If you're already an expert on risk, you can skip this section.
Figure 11-1 is called a probability impact grid on which you can plot the likelihood of the risk vertically and the impact of the effect of the risk horizontally. When you add the risks it's called a Summary Risk Profile.
You use a scale or standard, which you need to define, using terms such as very low, low, medium, high and very high. Each of those bands doesn't have to be of equal size. For example, very low probability can be from 0 per cent to 20 per cent, while very high probability can be a smaller band running from 95 per cent to 99.9 per cent. Also on the impact scale you need to have different standards for each class of risk. So reputational risk can have one set of definitions and financial risk a different set.
The stepped risk tolerance line indicates the point above which risks must be escalated to the next level of management.
I describe the programme management principles in Chapter 4 and a similar set of principles are associated with risk management. I share some of them with you in this section.
The principles of risk management are taken from a sister method to MSP called M_o_R (Management of Risk). These principles fit nicely with the way you want to run your programme and the principles of programme management as follows:
You can never mitigate all risks; all you can ever do is select certain risks and mitigate them even though some still occur.
Several pieces of useful terminology exist in connection with risk management.
Risk appetite is the amount of risk an organization is willing to accept. In other words, is the organization comfortable taking risks or is it risk averse? When you know the organization's risk appetite you can create your programme Risk Management Strategy (for detail, see ‘Defining required activities: Risk Management Strategy’ later in this chapter). The risk appetite steers risk management activities because it helps you define your delegation and escalation rules. This approach helps you insulate the programme from unwelcome surprises and define clear risk tolerances.
Therefore, when you state a set of assumptions they help to clarify the boundary of the programme. You can consider assumptions to be potential sources of risks. Because assumptions are related to the programme boundary, you probably want to review the related risks at programme level.
Early warning indicators are performance indicators that lead, rather than lag, a change in the situation. They're used for all sorts of purposes throughout business as usual.
If you're going to take the time and trouble to track early warning indicators, remember that they're of value only if:
The same event can be both a threat and an opportunity and therefore give rise to several risks. As you think more about risks you begin to separate events from effects. One event can trigger several effects, and an effect can be triggered by several different events. In the same way, the causes of a risk can lead to several different risks, or the same risk can arise from several different situations.
Also, an event can have different effects in different parts of the programme.
You normally express risk in terms of two factors: probability and impact (as I explain in the earlier section ‘Getting risk clear: Basic phraseology’). Sometimes, however, a third factor is useful: a time factor ‒ the proximity. You use it when the risk is expected to occur at a particular time. So the severity of the overall impact of the risk varies depending on when the risk occurs.
Knowing the proximity and factoring it into the assessment of the risk has an effect on the urgency with which you take action, the nature of the response, what triggers the response and the timing of the response.
Proximity is particularly useful because a programme is likely to be long and some risks you identify aren't going to happen for a long time. If you give them a low proximity score, you record them but don't have to deal with them yet (check out the nearby sidebar ‘Getting IT right’ for a real-life example).
As with so much in programme management, you want to be clear about terms:
For more detail about who's responsible for the different aspects of risk (and issue) management, check out Chapter 12.
As risks pass up to the strategic level and down to projects some of them stick at programme level. You have to gather together the effect of risks from different sources at programme level.
Also, apparently independent risks can have a cascade effect: they can trigger other risks or increase or diminish the effect of other risks. As Programme Manager you're the right person to examine carefully the aggregated risks.
You need to consider factors such as the timing of related risks and their overall impact. You need to look at the overall cost of mitigation actions and think about whether mitigation is to be carried out at programme level or locally.
Management of Risk (which I introduce in the earlier section ‘Meeting the principles: M_o_R’) looks at risk management from four perspectives: strategic (or corporate), programme, project and operational. See Figure 11-2 for an illustration of the hierarchy. You can add a fifth portfolio perspective if someone is running portfolio management in your organization.
I look at the types of risk that appear at each perspective and how in a programme you pass risks from perspective to perspective so that the right people can handle them.
Your programme doesn't have to deal only with programme risks; you may also need to get involved with risks that rightly sit in other perspectives. Here are some areas where different types of risks might arise:
Figure 11-3 is a simple diagram that allows you to consider the flow of risks and issues within the programme. But don't get too deeply into the detail of this diagram because it's not an explicit process model ‒ it's just a set of concepts.
I want to give you a feel for the complexity of risk and issue management at programme level. The following list gives you a little more insight into how risks move around within a programme:
You need a capability to assess all these risks or issues. Part of the assessment is considering where you can best manage the risks. You can deal with them at programme level or escalate them or delegate them. You can have a whole series of escalation and delegation routes that you have to document.
The risks and issues at your level can take different forms when assessed. Perhaps something is a programme issue that you need to manage, which may in turn trigger other risks and issues. This issue may be a change request that you need to manage, assessing it, considering it at the right body (a committee or working group, for example) and executing the change if action is approved.
If it's a programme risk, of course you use your risk-management process to manage it.
You need to be absolutely clear on the difference between programme and project risks and ensure that your projects have the same understanding. In Figure 11-4, I envisage risks as being like satellites moving between the Earth's and the Moon's orbit. Sometimes you need to boost the satellite out of the Earth's orbit into an orbit around the Moon; sometimes a satellite in orbit around the Moon needs to come back to the Earth (if this doesn't make sense, read Rocket Science For Dummies!).
The whole idea of risks passing between perspectives gets more complex than even the preceding three sections may imply, because not all risks pass through the programme. So, for example, they may pass directly between the strategic and operational perspectives. Take a look at Figure 11-5, where the diagonal black line indicates the boundary between change and business as usual.
I discuss the interrelations of the four perspectives in the following four sections.
Strategic risks and issues are going to be external to the programme. So they can be events that are externally triggered from beyond the business or just from outside your programme. If you're considering strategic risks from outside the programme, they can be triggered by other programmes just as you can be generating strategic risks for other programmes. Also certain risks and issues can occur between your programme and other programmes. Typically these involve inter-programme dependencies.
But other things that are going on in the business may not be as well structured as a programme. They may simply be cross-organizational initiatives: things happening across the business. For example, if the business is engaged with a third party and something happens in that third party, say a supplier goes bankrupt, that gives rise to strategic issues and risks that you have to consider within the programme.
Another category you need to consider is internal policies. By that I mean those internal to the business, internal to the organization if you like, not internal to the programme. For example, perhaps the finance director issues a new policy on accounting that gives rise to risks and issues in the way you carry out your financial management.
Here's quite a long list of sources of programme-level risks and issues:
The sources of project-level issues and risks can be ones that you delegate down to the projects. Or they may occur in the project and you need simply to ensure that you deal with them within the projects.
Examples of operational risks and issues may be that business as usual managers, perhaps those who aren't Business Change Managers but are their colleagues, regard the programme as being their biggest source of risks and issues.
You can group several of these topics together under a heading of the rate of change. Maybe the rate of change that you're imposing on operations is just too great.
The risk-management approach is just another term for the risk-management documentation. In this section I share with you the purpose and composition of three risk documents that you need in your programme.
For details on another document ‒ the Probability Impact Grid/Summary Risk Profile ‒ flip to the earlier ‘Getting risk clear: Basic phraseology’ section.
The purpose of the Risk Management Strategy is to define and establish the required activities and responsibilities for managing the programme's risks.
The typical content covers: how to identify risks, responses and actions; how to handle risk ownership; how to make and implement decisions (for example, the tolerance you're delegating to others); how to monitor and evaluate actions and communication mechanisms.
More specifically, the Risk Management Strategy features the following:
Figure 11-6 depicts the risk-management process, taken from M_o_R. The steps in this cycle and the transformational flow have no rigid links between them. I see each of these process steps happening on many occasions within each MSP transformational flow process. (I introduce the processes within the MSP transformational flow in Chapter 1.)
Communication is an on-going activity during risk management. By communicating with the relevant stakeholders you're constantly identifying new risks that you can feed into the identifying, assessing, planning and implementing cycle.
I suggest that you break identification into two steps:
If you're carrying out risk identification within part of the programme, you want to examine in detail the context of that part of the programme. When you understand the context, you can move onto the second step.
Having identified a set of risks, the next step is to assess them. You need to estimate each threat and opportunity. For each risk look at the probability, the impact and, if appropriate, the proximity.
Earlier in the ‘Getting risk clear: Basic phraseology’ section, I show you a Summary Risk Profile and suggest that behind it you need clear standards, which help everyone estimate probability and impact in a consistent way.
After you decide the magnitude of a series of risks, you can then evaluate the net aggregated effect of the risks:
So for each risk that you decide you need to deal with, prepare a specific management response to remove or reduce the threat or maximise the opportunity. The aim is to make sure that the programme isn't taken by surprise.
Your goal is to make sure that the risk-management actions are implemented and then monitored to ensure that they're having the effect you anticipate; that way, you can take corrective action if necessary.
When you implement risk-management actions, you're entering into an execution, monitoring, controlling and scanning cycle that can go on for a long time. That cycle may happen as part of the implement step or it may trigger re-identification of risks: the next step in the process.
Risk management is cultural: people have to want to do it. In the embedding and reviewing process you can ensure that risk management is used appropriately and that risks are successfully handled. Carry out some form of health check on your risk management (a questionnaire that asks if you have all the different bits of risk management in place) or perhaps even a risk management maturity review (a more sophisticated assessment that looks at how repeatable each of the elements of risk management within your organization is).
The important thing about both of these techniques is that after you've assessed where you are, if you're not happy with the situation you get some pointers on what actions you can take to improve your risk management.
Another element of embedding and reviewing is to make sure that you're looking at the post-action risk magnitude (the residual risk) and feeding that back into risk assessment to see whether you need to take more actions.
Therefore, embedding and reviewing can take place at several levels from the detail of individual risks to the overall effectiveness of your risk-management cycle.
You can use several types of risk response as part of the risk-management process. You may have the same or difference response types for threats and opportunities. I look first at the threat responses:
I regard contingency plans as being one of the poorer ways of dealing with risks. I reserve them for high impact, low probability risks.
The great value of risk management is that it enables you to look into the future and modify what's going to happen; in other words, to mitigate the risk. Contingency planning doesn't really mitigate the risk. Agreeing a contingency plan doesn't have any effect on the probability, it just slightly reduces the impact after the event. The only circumstances in which using a contingency plan makes sense is when the probability is already low, but the very large impact makes it necessary to do something. For lots of high impact risks, a better approach is to reduce that high impact, which brings down the overall size of the risk.
Here are a couple of risk responses that apply only to opportunities:
Table 11-1 provides a quick overview of the response options that apply to threats and opportunities.
Table 11-1 Generic Risk Response Options
Threat |
Opportunity |
Explanation |
Avoid |
Exploit |
Remove the risk by removing/implementing the cause. |
Reduce |
Enhance |
Action now to change the probability or impact. |
Transfer |
|
Pass part of the risk to a third party (an insurer?). |
Share |
|
Multiple parties (supply chain) share pain/gain. |
Accept |
|
Take the chance. |
Prepare contingency plans |
|
Prepare plans now to take action later. |
18.118.37.154