Applying objective program risk management
Whether it is managing a group of inter-related projects that are linked to produce a strategic outcome or a group of related projects for which it is administratively convenient to manage as a group, there is a tendency within the program management discipline to characterise program risks as the sum of all the sub-project risks. That is, the program risk register is a single risk register on which the risks from each sub-project are documented.
The downside of this approach is that:
- Risks are rated relative to the host sub-project and not the program as a whole, leading to a misrepresentation of program risks; and
- Risks that affect multiple sub-projects are duplicated within the register, and different, potentially competing, risk treatments are enacted.
Proportionate risk management
Rarely addressed is the normalisation of sub-project risks across a program that consist of numerous sub-projects of differing size, complexity, sensitivity and contribution to the overall program outcomes. That is, it is likely that a high rated risk of a small sub-project may overshadow a low-rated risk of a large sub-project even though the latter would have a greater impact on the achievement of program outcomes if it were to eventuate.
This is because the consequence ratings are defined relative to a sub-project’s budget, schedule and outcomes (for example a severe cost consequence is one that would result in a >10% variance in that sub-project’s budget) and not the program’s budget, schedule, outcomes and benefits.
Now, a simplistic approach might be to centrally define a set of consequence ratings that apply to all sub-projects within a program. That is, the consequence ratings that apply to all sub-projects would be defined relative to the program’s metrics. For example, a severe cost consequence would be defined as one that would result in a >10% variance in the program’s budget.
Objective risk management
This simplistic approach would be counter-productive. Following this simplistic approach would mean that most, if not all, risks affecting a small sub-project would be rated ‘low’ even though they may have a high or extreme rating for that particular sub-project. As a consequence, risk management for small sub-projects may not be given the attention they require by the sub-project’s project manager/team.
What is required is for sub-project risks to follow a common assessment and rating system, and for all sub-project risks to be re-calibrated against program metrics at the program level.
For example, a sub-project risk that would have a major schedule consequence would have a minor or insignificant program schedule consequence if the sub-project were not on the program’s critical path; or a sub-project risk that has a severe scope consequence, may still be rated as severe at the program level if that sub-project is a pivotal component of the program’s outcomes.
Objective assessment criteria would make it possible for this re-calibration to be done automatically within a program risk management tool thereby eliminating subjectivity at the program management layer.