The purpose of risk management within the program domain is to secure optimal realization of program benefits. This purpose is achieved by combining the management of opportunities and threats.
One of the key characteristics of a program is complexity, and risk management addresses this aspect. Risk management practices within a program use opportunities to reduce complexity and address threats that occur as a result of complexity.
Programs consist of related projects, subsidiary programs, and program activities managed in a coordinated manner to obtain benefits not available from managing them individually. Risk management ensures that all of these components have effective processes to manage the entire risk management life cycle.
6.1 PROGRAM RISK MANAGEMENT LIFE CYCLE
The life cycle of risk management as described in Section 4 generally applies to program management. However, there are a number of additional considerations for the corresponding processes that need to be taken into account in this context.
6.1.1 PROGRAM RISK IDENTIFICATION
Risk identification at the program level focuses on identifying the risks that could have an impact on the delivery of expected benefits. It also focuses on the ability of the organization to take over and use the results of the components that are part of the program scope.
There are three levels where risks relevant to the program can be identified:
The program domain risks are identified from their operational and contextual perspectives:
Some risks identified at the program level or escalated from the project may need to be escalated to the enterprise or portfolio domain. These are the risks that have an impact on the business and operational performance generated through the exploitation of the business capabilities created by the program. Escalated risks follow the same processes of analyses as other risks identified at the program level (see Section 6.1.2).
6.1.2 PROGRAM RISK QUALITATIVE AND QUANTITATIVE ANALYSES
Evaluation of the risks at the program level is performed by taking into account the depth of each risk's impact on the realization of the expected benefits or the development of the expected organizational capability. The aim of these analyses is to evaluate whether or not the impact can be contained within the limits of the program budget.
When the impact affects the ability of the program to deliver its benefits or organizational capabilities, then the risk is addressed at the program level.
When the impact affects the ability of the organization to deliver the performance and value expected to be obtained from the benefits and capabilities created by the program, then the risk and its treatment are escalated to the enterprise or portfolio domain. In addition, the risk and its treatment are escalated when the risk affects the expected financial and operational performance anticipated from the new capabilities beyond the agreed thresholds.
6.1.3 PROGRAM RISK RESPONSE STRATEGIES
In principle, all potential responses listed in Section 4.6 may be used when responding to risks at the program level.
Strategies developed at the program level to deal with risks consist of the activities agreed to in the risk management plan and budgeted for in the program's budget or contingency reserve. Some of the responses are also developed as a result of escalation from the component level.
These risk responses consist of adding program activities or components, updating the program baselines, or removing components from the program.
These new components are intended to maximize the creation of further business benefits or further enhance the development of organizational capabilities. Alternatively, the intent may be to maintain or reinforce the contribution of the program to achieve related strategic objectives or minimize threats to the organization's objectives and strategy.
6.1.4 IMPLEMENTING PROGRAM RISK RESPONSES
Implementation of risk responses within a program consists of:
When new components are added, they become part of the regular program scope and subject to the application of the standard program delivery and deployment processes.
Implementation of risk responses at the component level is aligned and performed in coordination with the responses that are implemented in the program domain. Any formally approved risk response becomes an integral part of the program management plan. The implementation of an approved risk response is not a change to the program that is initiated through a formal program change management procedure. However, any new responses planned to address emergent risks become part of the program change management procedure.
6.1.5 MONITORING PROGRAM RISKS
Monitoring the risks at the program level is both a tactical and strategic activity:
The monitoring of risk responses is conducted according to their quantitative and qualitative parameters, as defined in the management plans with consideration of the overall impact from the component to the enterprise level.
These risk responses are intended to be effective at treating the respective, specific risks and contribute to enhancing or maintaining the realization of expected benefits. It is important to perform a qualitative assessment to ensure that the risk responses are efficient and effective.
Monitoring risks at the program level also includes ensuring that risk-related elements of the governance framework are properly implemented by the program's component managers and that they are effective.
6.2 INTEGRATION OF RISK MANAGEMENT INTO THE PROGRAM MANAGEMENT PERFORMANCE DOMAINS
There are a number of risk management practices that can be applied across the program life cycle within all of the performance domains in order to achieve their objectives (see Figure 6-1). These practices typically cover the areas shown in Table 6-1.
Performance Domain | Areas Covered by Risk Management Practices |
Program Strategy Alignment | • Program business case • Program risk management approach • Environmental assessments |
Program Benefits Management | • Program objectives • Opportunities for new benefits • Efficiency and effectiveness of benefits realization • Sustainability of program benefits |
Program Stakeholder Engagement | • Methods for stakeholder identification, categorization, and analysis • Attitude of key program stakeholders • Interactions and conflicts of interests • Ways of engaging stakeholders • Scope, channels, techniques, and frequency of communications |
Program Governance | • Program governance structures, policies, and procedures • Assignment of individuals to key governance roles • Program complexity • Risk escalation policies • Effectiveness of risk management |
Program Life Cycle Management | • Program definition phase activities • Component authorization and planning • Component oversight and integration • Component transition |
6.2.1 PROGRAM STRATEGY ALIGNMENT
Program Strategy Alignment ensures that a program contributes to organizational strategy in the expected way. Risk management efforts in this domain address new strategic opportunities and threats. When necessary, these efforts lead to appropriate program redefinition or changes in the relevant program components.
6.2.2 PROGRAM BENEFITS MANAGEMENT
Program Benefits Management ensures that the program benefits described in the business case and other program governance documents are successfully realized. The main focus of risk management in this area is to (a) manage opportunities that could increase these benefits, (b) deliver opportunities more efficiently, and (c) manage threats that could potentially jeopardize the program's efforts to realize its benefits.
6.2.3 PROGRAM STAKEHOLDER ENGAGEMENT
Key stakeholders from the program perspective typically include program governance board members, the program manager, managers of program components, partners, key suppliers, and regulators impacting or being impacted by the program benefits. From this perspective, program risk management focuses on opportunities for increasing effectiveness in realizing program benefits and on minimizing threats that could potentially lower the ability to do so. It is realized by effective engagement of stakeholders at the program level and ensures consistency of stakeholder management strategies among program components.
6.2.4 PROGRAM GOVERNANCE
Program Governance uses the framework, functions, and processes by which a program is monitored, managed, and supported in order to meet organizational strategic and operational goals. Program Governance also addresses program complexity in an effort to reduce it. These activities are backed by risk management practices, focused on the analysis of various governance approaches from the risk perspective. In addition, the selection of individuals to perform key governance roles is supported by risk analysis.
A key element of Program Governance from the risk management perspective is the risk escalation process, which is integrated with processes within components and backed by program governance processes and structures.
6.2.5 PROGRAM LIFE CYCLE MANAGEMENT
Program Life Cycle Management ensures that program definition, delivery, and closure activities are effectively managed. This is accomplished to ensure program benefits are realized using the right set of components, in the right sequence, and with adherence to the program's business case and other governance documents.
Risk management in this area focuses on identifying and addressing program-level risks as early as possible. This is achieved by fully integrating risk identification, analysis, and response planning throughout all program and component activities.
6.2.6 SUPPORTING PROGRAM ACTIVITIES
Even though the management of program-level activities often differs significantly from the component level, risk management processes for the supporting program activities are similar in nature to the component projects.
Program Governance establishes policies on risk management between the program and its components, including escalation mechanisms. This ensures that there are no gaps between the component and program levels that are not covered by risk management practices.