APPENDIX X4
PROGRAM RISK MANAGEMENT CONTROLS
X4.1 THE PURPOSE OF PROGRAM RISK MANAGEMENT CONTROLS
The purpose of risk management within a program is to secure optimal realization of intended program benefits. Risk management controls help to achieve that by seamlessly integrating risk practices into the program life cycle and within all of the performance domains. This approach ensures that risk management becomes a natural part of program management and helps achieve success in benefits delivery by the program.
The selection, tailoring, implementation, and monitoring of particular controls in a given program are a part of the program governance activities. Sections X4.2 through X4.7 provide risk management controls for program risk management along with examples of factors to consider for some of the controls.
X4.2 RISK MANAGEMENT CONTROLS FOR PROGRAM STRATEGY ALIGNMENT
Table X4-1 provides risk management controls for program strategy alignment.
Table X4-1. Risk Management Controls for Program Strategy Alignment
| Control ID | Control Objective |
| PG.STR.1 | Overall risks that could have a substantial impact on the program's business case are identified early and addressed in the program business case. |
| PG.STR.2 | Risks related to the program risk management approach are identified and actively managed throughout the entire program life cycle. |
| PG.STR.3 | Environmental assessments are conducted regularly in order to identify program-level risks. Special attention is given to those elements of the environment that could impact the program's critical success factors (CSFs). |
The following factors should be considered when identifying overall risks related to the program's business case (Control PG.STR.1):
- Market trends,
- Emergent technologies,
- Emerging products or services alternatives to those delivered by the program,
- Potential regulatory changes, and
- Trends in key cost elements, (e.g., labor, materials, or core services).
The following factors should be considered when identifying risks related to the program risk management approach (Control PG.STR.2):
- Ability to align with the organization's strategic risk appetite,
- Ability to deal with expected program complexity,
- Fit to the organizational culture,
- Level of risk transparency,
- Ability of key stakeholders to follow the approach,
- Fit to the organization's risk tolerance,
- Fit to the categories and level of risk expected in the program,
- Clarity of integration with the risk management approach at the component level,
- Clarity of integration with the risk management approach at the portfolio level, and
- Organization's decision cycle as it relates to the speed of change within the program environment.
X4.3 RISK MANAGEMENT CONTROLS FOR PROGRAM BENEFITS MANAGEMENT
Table X4-2 provides risk management controls for program benefits management.
Table X4-2. Risk Management Controls for Program Benefits Management
| Control ID | Control Objective |
| PG.BNF.1 | Opportunities for new benefits that help to meet program objectives are regularly identified and actively managed throughout the entire program life cycle. |
| PG.BNF.2 | Opportunities to realize program benefits in a more efficient and/or effective way are regularly identified and actively managed throughout the entire program life cycle. |
| PG.BNF.3 | Threats that could potentially affect realization of the program benefits are regularly identified and addressed as required before program closure. |
| PG.BNF.4 | Threats that could potentially affect sustainability of the program benefits are regularly identified and addressed as required before program closure. |
The following factors should be considered when identifying risks that could potentially affect realization and sustainability of the program benefits (Controls PG.BNF.1, PG.BNF.2, PG.BNF.3, and PG.BNF.4):
- Market conditions,
- Changes in political climate,
- Continuity in leadership after the component completion, and
- Availability of resources to perform operations or other components necessary to realize benefits.
X4.4 RISK MANAGEMENT CONTROLS FOR PROGRAM STAKEHOLDER ENGAGEMENT
Table X4-3 provides risk management controls for program stakeholder engagement.
Table X4-3. Risk Management Controls for Program Stakeholder Engagement
| Control ID | Control Objective |
| PG.STK.1 | Risks related to key program stakeholders are regularly identified and actively managed throughout the entire program life cycle. |
| PG.STK.2 | Decisions to engage certain stakeholders at the program or component level are evaluated from a risk perspective. |
| PG.STK.3 | Risks related to potential scope creep caused by key project stakeholders are regularly identified and actively managed throughout the entire program life cycle. |
| PG.STK.4 | Risk attitude of key program stakeholders is regularly assessed. Whenever there are differences between the stakeholders’ attitudes and expected program risk levels, related risks are identified and actively managed. |
| PG.STK.5 | Risks related to potential interactions, conflicts of interest, and shared interests among key program stakeholders are regularly identified and actively managed throughout the entire program life cycle. |
| PG.STK.6 | Risks related to the selected categorization approach and methods for stakeholder analysis are identified and addressed when planning Program Stakeholder Engagement. |
| PG.STK.7 | Risks related to selected communication techniques and related communication infrastructure are identified and actively managed throughout the entire program life cycle. |
| PG.STK.8 | Risks related to the scope, frequency, and form of communications at the program level are identified and actively managed throughout the entire program life cycle. |
The following factors should be considered when identifying risks related to key program stakeholders and their potential influence on the program scope (Control PG.STK.1 and PG.STK.2):
- Interests aligned or conflicting with program objectives,
- Personal views and preferences,
- Areas of accountability and related program objectives,
- Impact of program benefits on stakeholders’ objectives,
- Type and level of decision power, and
- Ability to influence other stakeholders.
The following factors should be considered when evaluating decisions to engage certain stakeholders at the program or component level from the risk perspective (Control PG.STK.3):
- Stakeholders’ ability to influence the program's delivery of benefits,
- Ability to engage a given stakeholder at the program or component level,
- Opportunities and threats from dealing with a given stakeholder at the program level, and
- Opportunities and threats from dealing with a given stakeholder at the component level.
The following factors should be considered when identifying and dealing with differences between the stakeholder's risk attitude and expected program risk levels (Control PG.STK.4):
- Organization's and stakeholders’ risk attitude,
- Business models of the organization and program stakeholders,
- Potential benefits and threats to the organization's and stakeholders’ businesses, and
- Governance processes within and external to the program.
The following factors should be considered when identifying risks related to potential interactions, conflicts of interest, and shared interests among key program stakeholders (Control PG.STK.5):
- Shared and conflicting objectives,
- Existing or potential coalitions,
- Personal conflicts, and
- Organizational governance processes.
The following factors should be considered when identifying risks related to selected communication techniques and related communication infrastructure (Control PG.STK.7):
- Ability to transmit certain forms of information (e.g., visual, sound, or text),
- Noise level,
- Traceability of information,
- Authentication level,
- Familiarity of stakeholders regarding the use of required techniques and related technology,
- Reliability and availability of the required technology,
- Stakeholders’ access to the required technology, and
- Organizational governance processes.
X4.5 RISK MANAGEMENT CONTROLS FOR PROGRAM GOVERNANCE
Table X4-4 provides risk management controls for program governance.
Table X4-4. Risk Management Controls for Program Governance
| Control ID | Control Objective |
| PG.GOV.1 | Risks related to program governance structures, policies, and procedures are regularly identified, reflected in the program's governance and management documents, and actively managed throughout the entire program life cycle. |
| PG.GOV.2 | Risks resulting from program complexity are regularly identified, reflected in the program's governance and management documents, and actively managed throughout the entire program life cycle. |
| PG.GOV.3 | All program components have effective risk management in place and its effectiveness is monitored on a regular basis. |
| PG.GOV.4 | Clear risk escalation policies are in place in order to ensure the optimal management of program and component risks. These policies are reflected in the management plans at the component level. |
The following factors should be considered when identifying risks related to the program governance structures, policies, and procedures (Control PG.GOV.1):
- For program governance structures:
- Complexity of overall governance structure, including the number of oversight committees,
- Clearness of accountability,
- Level of interdependencies,
- Integration with other structures within the organization, and
- Degree of key stakeholders’ representation.
- For program policies and decision-making processes:
- Complexity of processes for making a final decision,
- Transparency,
- Involvement of key stakeholders,
- Fairness,
- Time to make decisions,
- Information management systems, and
- Quality mechanisms.
The following factors should be considered when identifying risks resulting from program complexity (Control PG.GOV.2):
- Governance and decision making;
- Amount and diversity of stakeholders and their interests;
- Geographical distribution;
- Amount, nature, and degree of agreement on the definition of benefits;
- Amount, nature, and dynamics of interdependencies;
- Amount, distribution, and dynamics of resources;
- Amount and nature of deliverables;
- Sophistication and dynamics of key processes; and
- Amount, nature, and dynamics of external factors influencing the program.
Risk escalation policies (Control PG.GOV.4) are typically based on:
- Level of potential impact,
- Potential interdependencies between program components,
- Risk categories in relation to competencies to handle certain types of risk, and
- Authorization levels of particular program stakeholders.
X4.6 RISK MANAGEMENT CONTROLS FOR PROGRAM LIFE CYCLE MANAGEMENT
Table X4-5 provides risk management controls for program life cycle management.
Table X4-5. Risk Management Controls for Program Life Cycle Management
| Control ID | Control Objective |
| PG.LFC.1 | Program definition phase includes program-level risk identification, analysis, and response planning. All significant risks identified at this stage are addressed by the program governance and management documents and are an integral part of decisions regarding formulation of the program, its objectives, and scope. |
| PG.LFC.2 | Component authorization and planning activities include risk identification, analysis, and response planning. Major component risks are addressed at the earliest possible stage. |
| PG.LFC.3 | Component oversight and integration activities include regular risk identification, analysis, response planning, and monitoring. Program risks potentially caused by the components are identified and addressed as early as possible. |
| PG.LFC.4 | Component transition risks are addressed at the earliest possible stage, preferably before component closure. |
The following factors should be considered when designing risk management policies, processes, and structures covering the program life cycle at all levels (Controls PG.LFC.1, PG.LFC.2, PG.LFC.3, and PG.LFC.4):
- Risks resulting from the decided program life cycle itself,
- Nature of risks that could emerge within the program and the ability of dealing with them at various program levels,
- Program complexity and ability to reduce it by dealing with risks at the most effective levels,
- Potential effectiveness of the program and component management in regard to dealing with risk,
- Potential for unknown-unknowns,
- Potential for residual and secondary risks, and
- Effect of high-impact, very low-probability (black swan) events.
X4.7 RISK MANAGEMENT CONTROLS FOR SUPPORTING PROGRAM ACTIVITIES
Table X4-6 provides risk management controls for supporting program activities.
Table X4-6. Risk Management Controls for Supporting Program Activities
| Control ID | Control Objective |
| PG.SUP.1 | There are clear policies regarding handling risks within all supporting program activities. As part of these policies, relevant management controls are established within each area of supporting activities. |
| PG.SUP.2 | There are clear policies on what risks related to supporting activities are handled at the component versus the program level, including effective rules for risk escalation. |
| PG.SUP.3 | There are clear policies for integrating program risk activities with enterprise risk management. |
| PG.SUP.4 | There are clear policies for integrating program risk activities with operations risk management. |
The following factors should be considered with regard to handling risks within all supporting program activities whether at the program or component level or within the enterprise risk management processes (Controls PG.SUP.1, PG.SUP.2, and PG.SUP.3).
It is important to establish effective policies on risk management within all supporting program activities. Special attention is given to the rules regarding risk handling between the program and its components, including escalation mechanisms. This ensures that there are no areas between the component and program level uncovered by the risk management practices.
Supporting program activities include:
- Program change management,
- Program communications management,
- Program financial management,
- Program information management,
- Program procurement management,
- Program quality management,
- Program resource management,
- Program risk management,
- Program schedule management, and
- Program scope management.
Even though the management of these activities at the program level often differs significantly from the way in which these are managed at the component level, the risk management controls for the supporting program activities are similar in nature to those within the corresponding Knowledge Areas of the project (see Appendix X5).
Although operations generally are not part of program management, the risks associated with operations are addressed as part of program risk management. The integration of operations with a program's component projects is an important part of the benefits realization equation and becomes critical when dealing with certain agile practices where component work and operational tasks overlap. This is especially true in a mixed development and operations environment.
The following factors should be considered when managing risks associated with operations (Control PG.SUP.4):
- Mutual impact of the program on operations and value creation within the organization,
- Integration of project work with the operations environment,
- Decision authority of the project team versus the operations manager, and
- Decision authority of the program manager versus the operations manager.