6

RISK MANAGEMENT IN THE CONTEXT OF PROGRAM MANAGEMENT

The purpose of risk management within the program domain is to secure optimal realization of program benefits. This purpose is achieved by combining the management of opportunities and threats.

One of the key characteristics of a program is complexity, and risk management addresses this aspect. Risk management practices within a program use opportunities to reduce complexity and address threats that occur as a result of complexity.

Programs consist of related projects, subsidiary programs, and program activities managed in a coordinated manner to obtain benefits not available from managing them individually. Risk management ensures that all of these components have effective processes to manage the entire risk management life cycle.

6.1 PROGRAM RISK MANAGEMENT LIFE CYCLE

The life cycle of risk management as described in Section 4 generally applies to program management. However, there are a number of additional considerations for the corresponding processes that need to be taken into account in this context.

6.1.1 PROGRAM RISK IDENTIFICATION

Risk identification at the program level focuses on identifying the risks that could have an impact on the delivery of expected benefits. It also focuses on the ability of the organization to take over and use the results of the components that are part of the program scope.

There are three levels where risks relevant to the program can be identified:

• Risks cascading from the portfolio or enterprise level that can affect the achievement of program objectives;
• Risks identified directly at the program level and triggered by program activities, their interdependencies, and activities related to the integration of the components’ results to generate the expected benefits; and
• Risks escalated from the program components.

The program domain risks are identified from their operational and contextual perspectives:

• Operational risks. Risks at the operational level are those risks directly triggered by program activities, such as integration of the results of projects and their related transition, change management, and triggering of operational activities. In addition, some operational risks may result from the escalation of the components’ risks when these risks have an impact that expands beyond the perimeter of accountability of the component managers or their specific budgets.
• Contextual risks. Contextual risks are those risks resulting from the strategic and organizational environment of the program, from the stakeholders, and variations in the strategy or the evolution of the business environment or program's business case. Some contextual risks can also be escalated from the program components when their impact and treatment exceed the boundary of accountability of the components’ managers.

Some risks identified at the program level or escalated from the project may need to be escalated to the enterprise or portfolio domain. These are the risks that have an impact on the business and operational performance generated through the exploitation of the business capabilities created by the program. Escalated risks follow the same processes of analyses as other risks identified at the program level (see Section 6.1.2).

6.1.2 PROGRAM RISK QUALITATIVE AND QUANTITATIVE ANALYSES

Evaluation of the risks at the program level is performed by taking into account the depth of each risk's impact on the realization of the expected benefits or the development of the expected organizational capability. The aim of these analyses is to evaluate whether or not the impact can be contained within the limits of the program budget.

When the impact affects the ability of the program to deliver its benefits or organizational capabilities, then the risk is addressed at the program level.

When the impact affects the ability of the organization to deliver the performance and value expected to be obtained from the benefits and capabilities created by the program, then the risk and its treatment are escalated to the enterprise or portfolio domain. In addition, the risk and its treatment are escalated when the risk affects the expected financial and operational performance anticipated from the new capabilities beyond the agreed thresholds.

6.1.3 PROGRAM RISK RESPONSE STRATEGIES

In principle, all potential responses listed in Section 4.6 may be used when responding to risks at the program level.

Strategies developed at the program level to deal with risks consist of the activities agreed to in the risk management plan and budgeted for in the program's budget or contingency reserve. Some of the responses are also developed as a result of escalation from the component level.

These risk responses consist of adding program activities or components, updating the program baselines, or removing components from the program.

These new components are intended to maximize the creation of further business benefits or further enhance the development of organizational capabilities. Alternatively, the intent may be to maintain or reinforce the contribution of the program to achieve related strategic objectives or minimize threats to the organization's objectives and strategy.

6.1.4 IMPLEMENTING PROGRAM RISK RESPONSES

Implementation of risk responses within a program consists of:

• Triggering the risk responses as they have been defined in the risk management plan,
• Transferring the corresponding budget from the reserves into the budget at completion, and
• Updating the program baselines accordingly.

When new components are added, they become part of the regular program scope and subject to the application of the standard program delivery and deployment processes.

Implementation of risk responses at the component level is aligned and performed in coordination with the responses that are implemented in the program domain. Any formally approved risk response becomes an integral part of the program management plan. The implementation of an approved risk response is not a change to the program that is initiated through a formal program change management procedure. However, any new responses planned to address emergent risks become part of the program change management procedure.

6.1.5 MONITORING PROGRAM RISKS

Monitoring the risks at the program level is both a tactical and strategic activity:

• Tactical activity. Oversees the aspects related to the execution of the anticipative and responsive actions undertaken to respond to identified risks.
• Strategic activity. Addresses the evolution of the risk characteristics of each program component individually, the overall program's risk profile, and the impact of that evolution on the business benefits or organizational capabilities it is intended to generate. These risk profiles are regularly analyzed in order to identify any potential trends that indicate new risks or the inefficiency or ineffectiveness of the response strategies.

The monitoring of risk responses is conducted according to their quantitative and qualitative parameters, as defined in the management plans with consideration of the overall impact from the component to the enterprise level.

These risk responses are intended to be effective at treating the respective, specific risks and contribute to enhancing or maintaining the realization of expected benefits. It is important to perform a qualitative assessment to ensure that the risk responses are efficient and effective.

Monitoring risks at the program level also includes ensuring that risk-related elements of the governance framework are properly implemented by the program's component managers and that they are effective.

6.2 INTEGRATION OF RISK MANAGEMENT INTO THE PROGRAM MANAGEMENT PERFORMANCE DOMAINS

There are a number of risk management practices that can be applied across the program life cycle within all of the performance domains in order to achieve their objectives (see Figure 6-1). These practices typically cover the areas shown in Table 6-1.

Table 6-1. Areas of the Program Management Performance Domains Typically Covered by Risk Management Practices

6.2.1 PROGRAM STRATEGY ALIGNMENT

Program Strategy Alignment ensures that a program contributes to organizational strategy in the expected way. Risk management efforts in this domain address new strategic opportunities and threats. When necessary, these efforts lead to appropriate program redefinition or changes in the relevant program components.

6.2.2 PROGRAM BENEFITS MANAGEMENT

Program Benefits Management ensures that the program benefits described in the business case and other program governance documents are successfully realized. The main focus of risk management in this area is to (a) manage opportunities that could increase these benefits, (b) deliver opportunities more efficiently, and (c) manage threats that could potentially jeopardize the program's efforts to realize its benefits.

6.2.3 PROGRAM STAKEHOLDER ENGAGEMENT

Key stakeholders from the program perspective typically include program governance board members, the program manager, managers of program components, partners, key suppliers, and regulators impacting or being impacted by the program benefits. From this perspective, program risk management focuses on opportunities for increasing effectiveness in realizing program benefits and on minimizing threats that could potentially lower the ability to do so. It is realized by effective engagement of stakeholders at the program level and ensures consistency of stakeholder management strategies among program components.

6.2.4 PROGRAM GOVERNANCE

Program Governance uses the framework, functions, and processes by which a program is monitored, managed, and supported in order to meet organizational strategic and operational goals. Program Governance also addresses program complexity in an effort to reduce it. These activities are backed by risk management practices, focused on the analysis of various governance approaches from the risk perspective. In addition, the selection of individuals to perform key governance roles is supported by risk analysis.

A key element of Program Governance from the risk management perspective is the risk escalation process, which is integrated with processes within components and backed by program governance processes and structures.

6.2.5 PROGRAM LIFE CYCLE MANAGEMENT

Program Life Cycle Management ensures that program definition, delivery, and closure activities are effectively managed. This is accomplished to ensure program benefits are realized using the right set of components, in the right sequence, and with adherence to the program's business case and other governance documents.

Risk management in this area focuses on identifying and addressing program-level risks as early as possible. This is achieved by fully integrating risk identification, analysis, and response planning throughout all program and component activities.

6.2.6 SUPPORTING PROGRAM ACTIVITIES

Even though the management of program-level activities often differs significantly from the component level, risk management processes for the supporting program activities are similar in nature to the component projects.

Program Governance establishes policies on risk management between the program and its components, including escalation mechanisms. This ensures that there are no gaps between the component and program levels that are not covered by risk management practices.