If you have approached your project or programme well, you will have developed a Risk Plan/Strategy document. Risk needs to be proactively managed, as opposed to allowing it to manage you and the environment around you.
Many people are afraid of risk management and some Project and Programme Managers are often reluctant to publicise risk to executive management. The reality is that things change, assumptions become false, expectations are not met and suddenly you can find yourself facing a very different-looking environment. For a risk plan to really help (and play its role) it needs to be accompanied by a 'proactive' approach by applying Risk Avoidance, Transference, Mitigation and Acceptance.
Most well-run organisations will have risk managed at four distinct levels, which are:
Corporate or Strategic
To do this effectively, a framework for managing risk needs to be designed and implemented to address the following list of 9 hows:
how risks are identified;
how information about their probability and potential impact is addressed;
how risks are quantified;
how options to deal with them are identified;
how decisions on risk management are made;
how all these decisions are implemented;
how actions are evaluated for their effectiveness;
how appropriate communication mechanisms are set up and supported;
how stakeholders are engaged on an ongoing basis
But this is just the beginning. It's all very well having a thorough framework documented and sitting pretty on the shelf with a tick in the box, but risk management needs to be instilled within the people of the organisation. A healthy culture of risk management needs to exist and for this to happen, everyone involved needs help in appreciating and understanding risk within the organisation.
This often requires sponsorship from the top down and if leaders at the corporate level understand this too, they will take the time to ensure that risk is taken seriously and subsequently managed well. Setting up a good risk culture is a real challenge and the UK OGC suggests that it involves at least the following:
agreements and contracts;
communication techniques and information management;
staff matters, including how staff can be motivated and involved;
education opportunities and continual professional development;
continuous improvement and/or analytical techniques;
how the organisation is monitored and evaluated;
resource management, including equal opportunities and delegation.
The subject of risk management is vast and if you need help with some guidelines for a framework, a great place to start is the OGC's Guidelines for Managing Risk.
More detail can also be found in the following publications:
Managing Successful Programmes
OGC Management of Risk Guidelines
OGC's Achieving Excellence Guides
Management of Risk: Practitioner guide
Some if not all of these can be purchased from the TSO in London.
If you need a list of generic pain points that risk management will address to support your case for better risk management within your organisation, you could start with these:
increased certainty and fewer surprises;
better service delivery;
more effective management of change;
more efficient use of resources;
better management at all levels through improved decision making;
reduced waste and fraud and better value for money;
management of contingent and maintenance activities.
To build your case, don't forget the more specific pains that your organisation is already suffering.
I read an interesting article about risk and opportunity in the aerospace industry. Whilst PMBOK considers risk as both negative and positive, the folk in aerospace consider risk as negative and opportunity as positive. Good risk management is not about fear of failure, but removing barriers to success.
After all, project and programme management is success oriented, focused on producing products and services for customers. When the success orientation is combined with risk management, opportunity management emerges, which is the identification of opportunities to help attain project goals, and the identification and implementation of actions to capture those opportunities.
Below are the keys to success taken from a Space Risk Management Symposium. Whilst their view on risk is slightly different from others, the points are not rocket science and can help most people who are responsible for complex projects or programmes.
Sound risk and opportunity management cannot save a poorly planned program with bad processes;
Prevent the competition between risks and opportunities;
Prevent unhealthy competition between teams;
Risk and opportunity management provide diminishing returns if overused;
The costs of pursuing opportunities and managing risks must be weighed against the expected benefits;
An environment should be created to encourage risk and opportunity management;
Risks and opportunities are not just normal variations in plan;
Recognise the difference between risks and opportunities;
Opportunities are not 'positive risks'.
No matter where you sit within the organisation, if you see that risk is not being appropriately addressed, take the initiative, pluck up the courage and set out to facilitate some change. Remember that managing risk is the alternative to being managed by risk.