X4.1 THE PURPOSE OF PROGRAM RISK MANAGEMENT CONTROLS
The purpose of risk management within a program is to secure optimal realization of intended program benefits. Risk management controls help to achieve that by seamlessly integrating risk practices into the program life cycle and within all of the performance domains. This approach ensures that risk management becomes a natural part of program management and helps achieve success in benefits delivery by the program.
The selection, tailoring, implementation, and monitoring of particular controls in a given program are a part of the program governance activities. Sections X4.2 through X4.7 provide risk management controls for program risk management along with examples of factors to consider for some of the controls.
X4.2 RISK MANAGEMENT CONTROLS FOR PROGRAM STRATEGY ALIGNMENT
Table X4-1 provides risk management controls for program strategy alignment.
Control ID | Control Objective |
PG.STR.1 | Overall risks that could have a substantial impact on the program's business case are identified early and addressed in the program business case. |
PG.STR.2 | Risks related to the program risk management approach are identified and actively managed throughout the entire program life cycle. |
PG.STR.3 | Environmental assessments are conducted regularly in order to identify program-level risks. Special attention is given to those elements of the environment that could impact the program's critical success factors (CSFs). |
The following factors should be considered when identifying overall risks related to the program's business case (Control PG.STR.1):
The following factors should be considered when identifying risks related to the program risk management approach (Control PG.STR.2):
X4.3 RISK MANAGEMENT CONTROLS FOR PROGRAM BENEFITS MANAGEMENT
Table X4-2 provides risk management controls for program benefits management.
Control ID | Control Objective |
PG.BNF.1 | Opportunities for new benefits that help to meet program objectives are regularly identified and actively managed throughout the entire program life cycle. |
PG.BNF.2 | Opportunities to realize program benefits in a more efficient and/or effective way are regularly identified and actively managed throughout the entire program life cycle. |
PG.BNF.3 | Threats that could potentially affect realization of the program benefits are regularly identified and addressed as required before program closure. |
PG.BNF.4 | Threats that could potentially affect sustainability of the program benefits are regularly identified and addressed as required before program closure. |
The following factors should be considered when identifying risks that could potentially affect realization and sustainability of the program benefits (Controls PG.BNF.1, PG.BNF.2, PG.BNF.3, and PG.BNF.4):
X4.4 RISK MANAGEMENT CONTROLS FOR PROGRAM STAKEHOLDER ENGAGEMENT
Table X4-3 provides risk management controls for program stakeholder engagement.
Control ID | Control Objective |
PG.STK.1 | Risks related to key program stakeholders are regularly identified and actively managed throughout the entire program life cycle. |
PG.STK.2 | Decisions to engage certain stakeholders at the program or component level are evaluated from a risk perspective. |
PG.STK.3 | Risks related to potential scope creep caused by key project stakeholders are regularly identified and actively managed throughout the entire program life cycle. |
PG.STK.4 | Risk attitude of key program stakeholders is regularly assessed. Whenever there are differences between the stakeholders’ attitudes and expected program risk levels, related risks are identified and actively managed. |
PG.STK.5 | Risks related to potential interactions, conflicts of interest, and shared interests among key program stakeholders are regularly identified and actively managed throughout the entire program life cycle. |
PG.STK.6 | Risks related to the selected categorization approach and methods for stakeholder analysis are identified and addressed when planning Program Stakeholder Engagement. |
PG.STK.7 | Risks related to selected communication techniques and related communication infrastructure are identified and actively managed throughout the entire program life cycle. |
PG.STK.8 | Risks related to the scope, frequency, and form of communications at the program level are identified and actively managed throughout the entire program life cycle. |
The following factors should be considered when identifying risks related to key program stakeholders and their potential influence on the program scope (Controls PG.STK.1 and PG.STK.2):
The following factors should be considered when evaluating decisions to engage certain stakeholders at the program or component level from the risk perspective (Control PG.STK.3):
The following factors should be considered when identifying and dealing with differences between the stakeholder's risk attitude and expected program risk levels (Control PG.STK.4):
The following factors should be considered when identifying risks related to potential interactions, conflicts of interest, and shared interests among key program stakeholders (Control PG.STK.5):
The following factors should be considered when identifying risks related to selected communication techniques and related communication infrastructure (Control PG.STK.7):
X4.5 RISK MANAGEMENT CONTROLS FOR PROGRAM GOVERNANCE
Table X4-4 provides risk management controls for program governance.
Control ID | Control Objective |
PG.GOV.1 | Risks related to program governance structures, policies, and procedures are regularly identified, reflected in the program's governance and management documents, and actively managed throughout the entire program life cycle. |
PG.GOV.2 | Risks resulting from program complexity are regularly identified, reflected in the program's governance and management documents, and actively managed throughout the entire program life cycle. |
PG.GOV.3 | All program components have effective risk management in place and its effectiveness is monitored on a regular basis. |
PG.GOV.4 | Clear risk escalation policies are in place in order to ensure the optimal management of program and component risks. These policies are reflected in the management plans at the component level. |
The following factors should be considered when identifying risks related to the program governance structures, policies, and procedures (Control PG.GOV.1):
The following factors should be considered when identifying risks resulting from program complexity (Control PG.GOV.2):
Risk escalation policies (Control PG.GOV.4) are typically based on:
X4.6 RISK MANAGEMENT CONTROLS FOR PROGRAM LIFE CYCLE MANAGEMENT
Table X4-5 provides risk management controls for program life cycle management.
Control ID | Control Objective |
PG.LFC.1 | Program definition phase includes program-level risk identification, analysis, and response planning. All significant risks identified at this stage are addressed by the program governance and management documents and are an integral part of decisions regarding formulation of the program, its objectives, and scope. |
PG.LFC.2 | Component authorization and planning activities include risk identification, analysis, and response planning. Major component risks are addressed at the earliest possible stage. |
PG.LFC.3 | Component oversight and integration activities include regular risk identification, analysis, response planning, and monitoring. Program risks potentially caused by the components are identified and addressed as early as possible. |
PG.LFC.4 | Component transition risks are addressed at the earliest possible stage, preferably before component closure. |
The following factors should be considered when designing risk management policies, processes, and structures covering the program life cycle at all levels (Controls PG.LFC.1, PG.LFC.2, PG.LFC.3, and PG.LFC.4):
X4.7 RISK MANAGEMENT CONTROLS FOR SUPPORTING PROGRAM ACTIVITIES
Table X4-6 provides risk management controls for supporting program activities.
Control ID | Control Objective |
PG.SUP.1 | There are clear policies regarding handling risks within all supporting program activities. As part of these policies, relevant management controls are established within each area of supporting activities. |
PG.SUP.2 | There are clear policies on what risks related to supporting activities are handled at the component versus the program level, including effective rules for risk escalation. |
PG.SUP.3 | There are clear policies for integrating program risk activities with enterprise risk management. |
PG.SUP.4 | There are clear policies for integrating program risk activities with operations risk management. |
The following factors should be considered with regard to handling risks within all supporting program activities whether at the program or component level or within the enterprise risk management processes (Controls PG.SUP.1, PG.SUP.2, and PG.SUP.3).
It is important to establish effective policies on risk management within all supporting program activities. Special attention is given to the rules regarding risk handling between the program and its components, including escalation mechanisms. This ensures that there are no areas between the component and program level uncovered by the risk management practices.
Supporting program activities include:
Even though the management of these activities at the program level often differs significantly from the way in which these are managed at the component level, the risk management controls for the supporting program activities are similar in nature to those within the corresponding Knowledge Areas of the project (see Appendix X5).
Although operations generally are not part of program management, the risks associated with operations are addressed as part of program risk management. The integration of operations with a program's component projects is an important part of the benefits realization equation and becomes critical when dealing with certain agile practices where component work and operational tasks overlap. This is especially true in a mixed development and operations environment.
The following factors should be considered when managing risks associated with operations (Control PG.SUP.4):