Organizations build adaptive frameworks to ensure alignment with environmental competitiveness and confront increasing complexity associated with goal attainment and decision making. Complexity is an inherent characteristic of portfolios, programs, and projects and their environment, which is difficult to manage due to various aspects involved in the workflow: human behavior, system behavior, uncertainty, and ambiguity. Complexity impacts stability, predictability, and capacity of both the organization and its activities to sustain its business. For additional information, refer to Navigating Complexity: A Practice Guide [5].
An integrated view of risk management is required to define the right construct in the organization's governance and operations. By establishing the appropriate framework, an organization is able to:
The purpose of establishing a framework is to align resources and processes to the organization's strategies and objectives. The risk management life cycle works within the risk management framework to ensure risks are managed in a structured manner regardless of the portfolio, program, or project life cycle approach.
4.1 INTRODUCTION TO THE RISK MANAGEMENT LIFE CYCLE
The risk management life cycle described in this section illustrates a structured approach for undertaking a comprehensive view of risk throughout the enterprise, portfolio, program, and project domains. Even though the way of managing risks differs between these domains and from one organization to another, an overall life cycle approach outlines a sequence of logical phases that can be iterated and includes the following processes:
The risk management life cycle is shown in Figure 4-1. It has a dedicated, procedural, and iterative workflow of activities and processes, supported and performed across the enterprise and within the portfolio, program, and project domains. Because of the evolutionary nature of risk, the risk management life cycle ensures a repeatable workflow of processes that supports strategic decision making. All these activities are performed in an integrated way within and across the portfolio, program, and project domains.
The iterative workflow of the risk management life cycle is embedded within a strategic execution framework where portfolio, program, and project management are linked to organizational cultural foundations, capabilities, and the use of organizational functions or performance domains. It is understood that once a portfolio, program, or project is closed, the risk management process terminates and the appropriate lessons learned are documented. The framework enables the overall risk processes to be implemented through a risk management plan within each domain as described in Sections 5, 6, and 7.
4.2 PLAN RISK MANAGEMENT
Effective risk management requires the creation of a risk management plan. This plan describes how the risk management processes are to be carried out and how they fit in with other processes. On a broader level, the risk management plan describes the relationships among the risk management processes; general portfolio, program, or project management; and the management processes in the rest of the organization. Initial risk management planning is carried out early in the overall planning of the work, and the corresponding activities are integrated into the overall management plan. The risk management plan may need to be adapted as the needs of the work and stakeholders become clearer or change.
The feasibility of risk management planning is dependent upon the features of the organization in which it is carried out. The rules and guidelines defined in the risk management plan reflect (a) the culture of the organization, (b) its capabilities regarding people and facilities, and (c) its values, goals, and objectives. The risk management plan identifies and describes relevant organizational procedures and any other enterprise environmental factors that apply, such as strategic risk management, enterprise risk management (ERM), and corporate governance processes.
4.2.1 PURPOSE OF PLAN RISK MANAGEMENT
The objectives of the Plan Risk Management process are to develop the overall risk management strategy, decide how the risk management processes will be executed, and integrate risk management with all other activities. The risk management plan defines both the normal frequency for repeating the processes and the specific or exceptional conditions under which the corresponding actions are initiated. The corresponding risk management activities are integrated into the portfolio, program, or project management plan.
4.2.1.1 RISK APPETITE IN PLAN RISK MANAGEMENT
The level of risk that is considered acceptable depends on the risk appetite of the relevant stakeholders. The risk appetite of the stakeholders may be influenced by a number of factors. These factors include the stakeholders’ ability to tolerate uncertainty and the relative importance of achieving specific objectives. The output of this analysis is then considered when applying the risk management processes.
Guidelines and rules for escalating risk-related information to management and other stakeholders reflect the stakeholders’ risk appetite and expectations. As the work evolves, maintaining effective communications with the stakeholders enables portfolio, program, and project managers to become aware of any changes in the stakeholders’ attitudes and to adapt the risk management approach to take into account any new factors.
The risk management plan provides terminology used to describe risks, which allows participants to share a common understanding of the terms. The risk management plan also defines the critical values of risk management and the thresholds that serve as parameters in a manner consistent with the scope of the work and the attitudes of the stakeholders. Similarly, the risk management plan specifies the key numerical values required in quantitative analysis or for decision making in risk response planning or risk monitoring.
4.2.1.2 TAILORING AND SCALING THE RISK MANAGEMENT PLAN
Portfolios, programs, and projects are exposed to different types of risk, so each step in the risk management life cycle is tailored and scaled to meet the various risk characteristics. The management processes are also tightly integrated between the portfolio, program, and project domains.
The results from this initial step are documented and communicated, and subsequently reviewed by the stakeholders to ensure a common understanding of the scope and objectives for the risk management process.
The risk management plan includes the tailored risk management processes, which are based on the process maturity of the organization. Scalable elements of the process that are a part of risk management planning include, but are not limited to:
4.2.2 SUCCESS FACTORS FOR PLAN RISK MANAGEMENT
The criteria for a valid risk management plan include:
4.3 IDENTIFY RISKS
Once the risk management scope and objectives are agreed, the process of identifying risks begins, with care taken to distinguish genuine risks from nonrisks, such as concerns and issues. It is unlikely that all risks are, or even can be, identified at the outset. Over time, the level of risk exposure may change as a result of the decisions and actions taken previously and of externally imposed changes.
4.3.1 PURPOSE OF IDENTIFY RISKS
The purpose of risk identification is to identify risks to the extent practicable. The emergent nature of risk requires the risk management process to be iterative, repeating the risk identification activities in order to find risks that were not previously evident.
A variety of risk identification techniques is available, each with its own strengths and weaknesses (see Appendix X6 on Techniques for the Risk Management Framework). One or more techniques are selected, as appropriate, for meeting the needs of a specific portfolio, program, or project. The aim is to expose and document all knowable risks, recognizing that some risks are inherently unknowable and others emerge later in the work. Input is sought from a wide range of stakeholders when identifying risks, since each stakeholder may have a different perspective on the risks facing the portfolio, program, or project. Historical records and documents may also be reviewed to help identify risks.
When a risk is first identified, preliminary responses may be identified at the same time. These are recorded during the Identify Risks process and are considered for immediate action when such action is appropriate. When such responses are not implemented immediately, they should be considered during the Plan Risk Responses process.
All identified risks are recorded, and a risk owner may be identified at the same time. The risk owner is the individual responsible for monitoring the risk and for selecting and implementing an appropriate risk response strategy. It is the responsibility of the risk owner to manage the corresponding risk throughout the subsequent risk management processes.
4.3.2 KEY SUCCESS FACTORS FOR IDENTIFY RISKS
Success in achieving the objectives of Identify Risks includes, but is not limited to:
4.4 PERFORM QUALITATIVE RISK ANALYSIS
Qualitative risk analysis evaluates the importance of each risk in order to categorize and prioritize individual risks for further attention. It also provides a mechanism for evaluating the level of overall portfolio, program, or project risk.
4.4.1 PURPOSE OF PERFORM QUALITATIVE RISK ANALYSIS
Qualitative techniques are used to gain a better understanding of individual risks. Qualitative techniques consider a range of characteristics such as probability or likelihood of occurrence, degree of impact on the objectives, manageability, timing of possible impacts, relationships with other risks, and common causes or effects.
Assessing individual risks using qualitative risk analysis evaluates, for each risk, the probability that it will occur and the impact it would have on the portfolio, program, or project objectives if it did. As such, this assessment does not directly address the overall risk that results from the combined effect of all risks and their potential interactions with each other. That overall view can, however, be achieved through the use of quantitative risk analysis techniques.
Qualitative risk analysis is applied to the list of risks created or updated by the Identify Risks process to provide management with the characteristics of the risks that have the most influence (positive or negative) on achieving the objectives. Risks that are assessed as high priority, which either threaten or enhance the achievement of objectives, are highlighted in the Plan Risk Responses process. These risks may be further analyzed using quantitative risk analysis.
4.4.2 KEY SUCCESS FACTORS FOR PERFORM QUALITATIVE RISK ANALYSIS
Success in achieving the objectives of the Perform Qualitative Risk Analysis process includes, but is not limited to:
4.5 PERFORM QUANTITATIVE RISK ANALYSIS
The Perform Quantitative Risk Analysis process provides insight into the combined effect of identified risks on the desired outcome. This process takes into account probabilistic or component-wide effects, such as correlation between risks, interdependency, and feedback loops. It provides an indication of the degree of overall risk faced by the portfolio, program, or project.
4.5.1 PURPOSE OF PERFORM QUANTITATIVE RISK ANALYSIS
The Perform Quantitative Risk Analysis process provides a numerical estimate of the overall effect of risk on the objectives. Results from this analysis are used to evaluate the likelihood of success in achieving objectives and to estimate any contingency reserves.
Analyzing uncertainty using quantitative techniques provides a more realistic estimate than a nonprobabilistic approach. However, quantitative risk analysis is not always required or possible. During the Plan Risk Management process, therefore, the benefits of quantitative risk analysis are weighed against the effort required, so that it is undertaken only where the additional insight justifies the additional work.
A partial risk analysis, such as qualitative risk analysis, prioritizes only individual risks and therefore does not produce measures of overall risk in which all risks are considered simultaneously. Calculating estimates of overall risk is the focus of the Perform Quantitative Risk Analysis process. Specific risks are usually best understood and quantified at a detailed level, whereas objectives are specified at a higher level. An overall risk analysis, such as one that uses quantitative techniques, estimates the combined implication of all quantified risks for those objectives. Quantitative risk analysis and the assessments that follow it are therefore enhanced by a comprehensive understanding of the individual risks and their relative importance with respect to the objectives. Conversely, the overall risk picture may determine the priority that should be placed on particular individual risks.
Estimating overall risk using quantitative methods helps to distinguish the quantified risks that, taken together, threaten objectives beyond the tolerance of the stakeholders from those that remain within acceptable tolerances even when their contribution to overall risk is considered. The risks that threaten objectives beyond the stakeholders’ tolerance may be targeted for vigorous risk responses aimed at protecting the objectives that are most important to the stakeholders.
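The following is an added illustration of the aggregation step described above; it is not part of the standard and is not a method the standard prescribes. It models a constructed four-item risk register with hypothetical figures, uses a Monte Carlo simulation to combine the individual risks into a distribution of total impact, and derives from that distribution the two things quantitative analysis is used for here: the probability that total impact exceeds a stakeholder tolerance, and a contingency reserve at a chosen confidence level. Correlation between risks is represented by a hypothetical shared driver (a "common cause") that raises the probability of the risks that depend on it. The `independent_copy` helper keeps each risk's overall probability the same but removes the shared driver, so the reader can compare how much of the tail comes from correlation rather than from the risks taken one at a time. All names, numbers and the triangular impact model are assumptions chosen for the example.

```python
"""Monte Carlo aggregation of a small risk register (added illustration, not from the standard)."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    name: str
    probability: float            # chance the risk occurs when its common cause is inactive
    low: float                    # triangular impact estimate (min, most likely, max) in cost units
    mode: float
    high: float
    cause: Optional[str] = None   # hypothetical shared driver that raises the probability
    probability_if_cause: float = 0.0


@dataclass
class Register:
    risks: List[Risk]
    causes: Dict[str, float]      # driver name -> probability that the driver is active


def marginal_probability(risk: Risk, causes: Dict[str, float]) -> float:
    """Overall chance of the risk, averaging over whether its driver is active."""
    if risk.cause is None:
        return risk.probability
    q = causes[risk.cause]
    return q * risk.probability_if_cause + (1 - q) * risk.probability


def expected_total(register: Register) -> float:
    """Analytic expected total impact: sum over risks of P(risk) * mean triangular impact."""
    return sum(marginal_probability(r, register.causes) * (r.low + r.mode + r.high) / 3
               for r in register.risks)


def simulate(register: Register, iterations: int = 20000, seed: int = 1) -> List[float]:
    """One sampled total impact per iteration; shared drivers make dependent risks co-occur."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        active = {c for c, q in register.causes.items() if rng.random() < q}
        total = 0.0
        for r in register.risks:
            p = r.probability_if_cause if r.cause in active else r.probability
            if rng.random() < p:
                total += rng.triangular(r.low, r.high, r.mode)
        totals.append(total)
    return totals


def quantile(samples: List[float], q: float) -> float:
    """Empirical q-quantile (e.g. q=0.8 gives the P80 value)."""
    ordered = sorted(samples)
    idx = min(len(ordered) - 1, max(0, int(q * len(ordered))))
    return ordered[idx]


def exceedance_probability(samples: List[float], threshold: float) -> float:
    """Fraction of iterations in which total impact exceeded the stakeholders' tolerance."""
    return sum(1 for s in samples if s > threshold) / len(samples)


def independent_copy(register: Register) -> Register:
    """Same marginal probability per risk, but no shared drivers (a no-correlation baseline)."""
    risks = [Risk(r.name, marginal_probability(r, register.causes), r.low, r.mode, r.high)
             for r in register.risks]
    return Register(risks, {})


def analyze(register: Register, tolerance: float, confidence: float = 0.8,
            iterations: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Mean total impact, probability of breaching tolerance, and reserve at the given confidence."""
    samples = simulate(register, iterations, seed)
    return {
        "mean": sum(samples) / len(samples),
        "p_exceed_tolerance": exceedance_probability(samples, tolerance),
        "reserve": quantile(samples, confidence),
    }


# Constructed register with hypothetical figures (cost in thousands); "vendor" is an assumed common cause.
REGISTER = Register(
    risks=[
        Risk("key vendor slips delivery", 0.10, 20, 40, 90, cause="vendor", probability_if_cause=0.90),
        Risk("integration rework", 0.10, 10, 30, 50, cause="vendor", probability_if_cause=0.70),
        Risk("minor scope churn", 0.50, 5, 10, 15),
        Risk("regulatory change forces redesign", 0.10, 100, 200, 400),
    ],
    causes={"vendor": 0.25},
)

if __name__ == "__main__":
    for label, reg in (("with common cause", REGISTER), ("independent", independent_copy(REGISTER))):
        result = analyze(reg, tolerance=150)
        print(f"{label:18s} mean={result['mean']:.1f} "
              f"P(total>150)={result['p_exceed_tolerance']:.3f} "
              f"P80 reserve={result['reserve']:.1f}")
```

Two points the numbers make that the text states in prose: the expected total is the same with and without the shared driver, because each risk's marginal probability is unchanged, so ranking risks individually by expected value cannot reveal the correlation; only the simulated distribution (the exceedance probability and the upper quantile used as the reserve) shows it. The register, driver, and triangular estimates are placeholders; a real analysis would take them from the risk register and the calibrated inputs specified in the risk management plan.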
4.5.2 KEY SUCCESS FACTORS FOR PERFORM QUANTITATIVE RISK ANALYSIS
Success in achieving the objectives of quantitative risk analysis includes, but is not limited to:
4.6 PLAN RISK RESPONSES
The Plan Risk Responses process determines the effective response actions that are appropriate for the priority of the individual risks and for the overall risk. This process takes into account the stakeholders’ risk attitudes and the conventions specified in the risk management plan, in addition to any constraints and assumptions that were determined when the risks were identified and analyzed. Once individual risks have been prioritized, appropriate risk responses are developed for both threats and opportunities. This process continues until an optimal set of responses has been developed. A range of possible responses exists for both threats and opportunities.
Five responses may be considered for dealing with threats:
Five responses may be considered for dealing with opportunities:
Responses are planned at a general, strategic level, and the strategy is validated and agreed prior to developing the detailed tactical approach. Once that is accomplished, the responses are expanded into actions at the tactical level and integrated into the relevant management plans. This activity may generate additional secondary risks, which need to be addressed at this time.
In addition to individual risk responses, actions may be taken to respond to overall portfolio, program, or project risk. All response strategies and actions are documented and communicated to key stakeholders and incorporated into the relevant plans.
4.6.1 PURPOSE OF PLAN RISK RESPONSES
The purpose of the Plan Risk Responses process is to determine the set of actions that provides the highest chance of success while complying with applicable constraints. Once risks have been identified, analyzed, and prioritized, plans are developed for addressing every risk that the team considers to be sufficiently important, either because of the threat it poses to the objectives or the opportunity it offers. The plans describe the agreed actions to be taken and the potential changes that these actions might cause.
Risk responses, when implemented, can have potential effects on the objectives and as such, can generate additional risks. These are known as secondary risks and are analyzed and planned for in the same way as those risks that were initially identified. There may be residual risks that remain after the responses are implemented. These residual risks are clearly identified, analyzed, documented, and communicated to all relevant stakeholders until they are satisfied.
4.6.2 KEY SUCCESS FACTORS FOR PLAN RISK RESPONSES
Success in achieving the objectives of the Plan Risk Responses process includes, but is not limited to:
4.7 IMPLEMENT RISK RESPONSES
Once the planning of risk responses is complete, all of the approved unconditional response actions are included and defined in the relevant management plans. These actions may be delegated to action owners as appropriate. The risk owner monitors actions to determine their effectiveness and to identify any secondary risks that may arise because of the implementation of risk responses.
The risk owners and risk action owners are briefed on any changes that may affect their responsibilities. Effective communications are maintained between the risk owners and the portfolio, program, or project managers so that the designated stakeholders (a) accept accountability for controlling the potential outcomes of specific risks, (b) apply their best efforts to track the associated trigger conditions, and (c) carry out the agreed responses in a timely manner.
In addition to the response actions and trigger conditions, a mechanism for measuring the effectiveness of the response is provided as part of the risk response planning. The risk action owner keeps the risk owner aware of the status of the response actions. The risk owner then decides whether the risk has been effectively dealt with, or whether additional actions need to be planned and implemented. This ensures that the agreed actions are carried out within the normal portfolio, program, or project execution framework.
4.7.1 PURPOSE OF IMPLEMENT RISK RESPONSES
The objective of the Implement Risk Responses process is to carry out the agreed risk response actions: unconditional actions as planned, and contingent actions when their trigger conditions occur. Proper attention to the Implement Risk Responses process helps to ensure that the agreed risk responses are executed as intended rather than merely documented.
4.7.2 KEY SUCCESS FACTORS FOR IMPLEMENT RISK RESPONSES
Success in achieving the objectives of the Implement Risk Responses process includes, but is not limited to:
4.8 MONITOR RISKS
The Monitor Risks process enables the portfolio, program, or project management team to reevaluate the status of previously identified risks; to identify emergent, secondary, and residual risks; and to determine the effectiveness of the risk management processes.
The portfolio, program, or project environment may change as some risks occur, whether foreseen or unforeseen, and other risks become or cease to be relevant. The management team ensures that the planning documents are kept current as additional information becomes available. Periodic risk reassessment using the risk management life cycle is repeated at reasonable intervals or in response to relevant events.
In the event of major organizational changes, risk management planning may need to be revisited prior to performing risk reassessment.
In addition to regular status reviews, periodic risk audits are performed to determine strengths and weaknesses in handling risks within the portfolio, program, or project. This entails identifying any barriers to effectiveness or keys to success in risk management, the recognition of which could help to improve risk management of the current or future portfolios, programs, or projects.
At the end of the program or project, an integrated analysis of the risk management process is carried out with a focus on long-term process improvements. This analysis consolidates the findings of the periodic audits to identify lessons that are applicable to a large proportion of the organization's future programs or projects, such as appropriate levels of resources, adequate time for the analysis, use of tools, level of detail, etc.
The result of the risk management process audit is consolidated with specific information with respect to the experience of risk in the portfolio, program, or project. The results are highlighted, and potential actions are proposed for applying them in the future. This includes any generally applicable guidelines for the organization, and the results can lead to an update of the corresponding organizational process assets.
4.8.1 PURPOSE OF MONITOR RISKS
The primary objectives of the Monitor Risks process are to track identified risks and to maintain the viability of response plans. In addition to tracking and managing the risk response actions, the effectiveness of all of the risk management processes is periodically reviewed, through activities such as lessons learned, to improve the management of the current work as well as future work.
For each risk or set of risks for which a contingent response has been defined, the corresponding set of trigger conditions is specified. It is the responsibility of the risk owner to ensure that these conditions are effectively monitored and that the corresponding actions are carried out as defined and in a timely manner.
4.8.2 KEY SUCCESS FACTORS FOR MONITOR RISKS
Key success factors related to maintaining risk awareness throughout the life cycle include, but are not limited to: