Medecins Sans Frontieres Doctors Without Borders

Join the Community

Project Manager

Australia's online resource for project management professionals


Applying objective program risk management

Whether it is managing a group of inter-related projects that are linked to produce a strategic outcome or a group of related projects for which it is administratively convenient to manage as a group, there is a tendency within the program management discipline to characterise program risks as the sum of all the sub-project risks. That is, the program risk register is a single risk register on which the risks from each sub-project are documented.

The downside of this approach is that:

  • Risks are rated relative to the host sub-project and not the program as a whole, leading to a misrepresentation of program risks; and
  • Risks that affect multiple sub-projects are duplicated within the register, and different, potentially competing, risk treatments are enacted.

Proportionate risk management

Rarely addressed is the normalisation of sub-project risks across a program that consist of numerous sub-projects of differing size, complexity, sensitivity and contribution to the overall program outcomes. That is, it is likely that a high rated risk of a small sub-project may overshadow a low-rated risk of a large sub-project even though the latter would have a greater impact on the achievement of program outcomes if it were to eventuate.

This is because the consequence ratings are defined relative to a sub-project’s budget, schedule and outcomes (for example a severe cost consequence is one that would result in a >10% variance in that sub-project’s budget) and not the program’s budget, schedule, outcomes and benefits.

Now, a simplistic approach might be to centrally define a set of consequence ratings that apply to all sub-projects within a program. That is, the consequence ratings that apply to all sub-projects would be defined relative to the program’s metrics. For example, a severe cost consequence would be defined as one that would result in a >10% variance in the program’s budget.

Objective risk management

This simplistic approach would be counter-productive. Following this simplistic approach would mean that most, if not all, risks affecting a small sub-project would be rated ‘low’ even though they may have a high or extreme rating for that particular sub-project. As a consequence, risk management for small sub-projects may not be given the attention they require by the sub-project’s project manager/team.

What is required is for sub-project risks to follow a common assessment and rating system, and for all sub-project risks to be re-calibrated against program metrics at the program level.

For example, a sub-project risk that would have a major schedule consequence would have a minor or insignificant program schedule consequence if the sub-project were not on the program’s critical path; or  a sub-project risk that has a severe scope consequence, may still be rated as severe at the program level if that sub-project is a pivotal component of the program’s outcomes.

Objective assessment criteria would make it possible for this re-calibration to be done automatically within a program risk management tool thereby eliminating subjectivity at the program management layer.

Guy Wilmington is a leading portfolio, program and project manager dedicated not only to meeting his clients' needs through P3 Management Services, but also to building the profession by sharing his insights on various topics. He has twice been awarded the title of ACT Project Director of the Year by the Australian Institute of Project Management (AIPM).
has written 11 articles for us.

Comments from the community

  • I agree entirely. I presented a paper on program(me) risk management to a PMI congress in 2008 making exactly this point, that programme risk is more than the sum of project risks. The paper is freely available from the Publications area of the Risk Doctor website, or directly from

    Both PMI and APM have been promoting the concept of “overall risk” as distinct from “individual risks” for nearly 10 years, so this isn’t new!

    Thanks for raising this issue so clearly.