Risk management under PMO governance
Disasters are generally unpredictable but an advanced PMO may be able to assist governance by raising risk management to the next level.
In most successful projects, the project manager identifies risks and monitors them closely. The project manager usually rates and prioritises the risks: for example, a risk with a ‘very high’ likelihood and a ‘very high’ impact may rate as an ‘extreme’ risk. One with a ‘very low’ likelihood and a ‘very high’ impact may be rated as a ‘moderate’ risk. Usually a project manager focuses on those risks rated ‘extreme’, ‘very high’ or ‘high’ over the life of the project.
Although program managers may take both broader and longer perspectives, they still focus on the higher rated risks, particularly those that are escalated, or affect multiple projects. Even program managers spend little time worrying about operational risks. Yet, from a corporate perspective, the foremost aim of the business must be to stay in business even if disaster strikes.
Unless the organisation has a dedicated risk management unit, the expertise in risk management often belongs in an advanced PMO that covers the enterprise portfolio of projects. The specialist field of looking at those risks that occur very infrequently, but can have a catastrophic impact, is called business continuity planning. In business continuity planning, we look at risks that affect the existence of a business, its continuity through and beyond a disaster.
Performing business continuity planning is a fundamental governance practice, and should be performed regularly. Analysis can become quite complex, as many causes can lead to the same result, and many catastrophic failures result from not one event, but multiple triggers, events and circumstances occurring simultaneously or in rapid succession. For example, an airliner crash is rarely the result of a single failure. Size is not always protection; the global financial crisis saw many giants topple, but other factors also contributed to their downfall, including errors in strategic directions.
A good business continuity plan, and the subsequent project to mitigate the dangers, can demonstrate positive value by reducing the expected losses before and after mitigation.
When catastrophic impact risks are identified, the first approach should be to see if the danger can be managed with reasonable steps to decrease impact. Where this first approach is not feasible, the second plan is to create disaster recovery plans that cover different scenarios and scope.
The role of an advanced PMO working at the level of an enterprise portfolio is to ensure the right things are done: this includes projects to mitigate risk or to prepare contingent plans and other components. Often these plans are subordinate to a crisis management plan in the case of a short-term but intense event.
A disaster recovery plan must allow for business continuity to occur within a critical timeframe called the maximum tolerated outage, determining during business continuity planning analysis. The final step to recovery back to normal operations invokes business resumption plans that are left as an afterthought, or forgotten.
The risk management and governance roles in a PMO can assist in the whole gamut of disaster recovery plans, acting as a centre of excellence if given the chance and development. However, a PMO can also perform a more pragmatic role once the plans are developed.
Plans need to be stored, protected from disasters, and frequently updated to keep contact details and roles and responsibilities current. This role would normally be performed in conjunction with a service desk or call centre under the guidance of an executive board or committee.
Perhaps an advanced PMO cannot prevent all disasters, but its expertise may help to prepare for disasters and play a part in keeping an organisation alive through and after a disaster by following best practice in governance and advanced risk management.