methodology
PROGRAM RISK MANAGEMENT PROCESS
Introduction
____ follows a risk management process that manages project, program, and portfolio risk. For a high-level overview of ____’s risk management process, click here. This document discusses program risk management only. For more detailed information on the complete risk management system at _____, see ______ Risk Management on the Project Management website.
Programs are a collection of related projects that when managed together achieve higher benefits than would be achieved if they were managed separately. Programs can have risks from the individual projects or from the program goals and program metrics.
Process
For program risk management to be successful, the program manager must establish program metrics at the beginning of the program. Program metrics can be indicators such as scientific impact, community satisfaction, program delivery, and quality.
Once metrics are in place, program risk management includes:
· Identifying Risk
· Assessing Risk
· Planning and Implementing Risk Response - Mitigation and Contingency Plan.
· Internal Risk Control
· Monitoring Risk
· Closing Program Risks
The program manager will write a risk management plan for the program (template here) and create a risk register (template here) at the beginning of the program. The program manager will also facilitate risk reviews through a program risk management advisory board, if needed. Once the program risk management plan and risk register are created, any project presented for inclusion into the program should be evaluated against the program metrics.
Identifying Risks
Program risk identification occurs in several ways. The program manager will review the program’s projects’ risk registers and consider any of the medium or high project risks for inclusion in the program risk register. The program manager will monitor the overall program’s projects’ performance to detect any areas of potential risk not originally identified. The program manager will also maintain status on the program metrics performance set at the beginning of the program. Finally, risk identification can also come from other program managers.
A program manager may also choose to create a program risk advisory board made up of project managers in the program and key functional leaders. The program risk advisory board would be responsible for identifying program risks, reviewing program risks in the risk register, reviewing mitigation plans and adjusting as necessary, and activating contingency plans. Program risk advisory boards should meet at an appropriate interval based on the length of the program.
Assessing Risk
Once the risks are identified, the program manager, with help from the program risk advisory board if applicable, will score the risks in the program risk register on a scale of 1-5 in two areas, impact and likelihood. The impact score reflects the impact to the category of the risks based on program metrics. For example, recommended instrument metrics are research knowledge base, program delivery, community satisfaction, public outreach, and quality. Likelihood reflects the probability that the risk will be realized. The program will follow the scales shown below for rating impact and likelihood of risks. The program manager is responsible for setting or changing any tolerances with respect to impact based on the risk tolerances of the stakeholders. All risks are categorized in the risk register as shown.
Impact
4-5 (High)
Research knowledge base < nn publications
Program delivery (schedule slip) > 10%
Public outreach < nn events
Project Risk
Community satisfaction unlikely
Quality guidelines will not be met
3 (Moderate)
Research knowledge base < nn publications
Program delivery (schedule slip) > 5%
Public outreach < nn events
Project Risk
Community satisfaction questionable
50% of the quality guidelines will not be met
1-2 (Low)
Research knowledge base < nn publications
Program delivery (schedule slip) > 10%
Public outreach < nn events
Project Risk
Community satisfaction likely with some negotiating
90% of the quality guidelines will be met
Likelihood
4-5 (High)
Realization of this risk is inevitable. Risk mitigation is weak; there is minimal to no effective contingency plan.
3 (Moderate)
Realization of the risk is likely. Risk mitigation does not cover all areas of the risk; contingency plan is inadequate.
1-2 (Low)
Realization of the risk is unlikely but still possible. Mitigation plan is strong, contingency plan is effective.
For ongoing program risk assessment, the program manager will periodically review the risks and make necessary changes to the risk register, as needed.
Planning and Implementing Risk Response
Mitigation Plan
When the program manager creates the risk register, he or she will create mitigation plans with help from the program risk advisory board, if applicable, and the program’s project managers. Periodically, the program manager will review the risk register to ensure the mitigation plans are correct and being applied at the appropriate program level. If a mitigation plan is not working as expected, the program manager will raise the concern to the appropriate project manager and adjust the mitigation plan accordingly.
Contingency Plan
Once a risk is identified, the program manager needs to create contingency plans and enter them in the risk register. Contingency plans should be created as soon as the risk is identified not when the risk is realized.
If a risk is realized the program manager will ensure that the appropriate contingency plan is activated. The exact steps to follow will depend on the documented contingency plan.
Internal Risk Control
The risk register includes a column for internal risk controls. These controls are organizational processes or procedures that are part of the organizational operations or culture and not program specific. If any internal risk controls exist, add the description to the risk register and rank its effectiveness. Effectiveness is rated on a scale of one to five with one being most effective and five having minimal effect.
Monitoring Risks
The program manager will regularly review the risks for his or her program with the program’s project managers and with the program risk advisory board, if applicable. The reviews will include review of mitigation and contingency plans and adjustments to the risk register when necessary. The program manager will report the status of the medium and high risks on the periodic program status report to the portfolio leaders.
Closing Risks
Once a risk is mitigated it will remain in the risk register but moved to the closed status. Once the program has ended, the program team will review the risk register at a program closure review as part of lessons learned. The program manager will ensure all risks are closed and archive the risk register.