In addition, P3 risk management must contribute, as appropriate, to both business risk assessments and organisational governance requirements. The P3 manager must be aware of risks that have an effect outside their scope of responsibility, e.g. those that could affect the organisation’s reputation.

The management of general health and safety risks is usually excluded from P3 risk management, as the management of these risks is traditionally handled by a separate function within the organisation.

Risk management at project level is most often focused on individual risks that, should they occur, will affect the project’s objectives. It is, however, also important for the project manager to understand the overall risk exposure of the project, so that this can be reported to the project sponsor and other stakeholders.

Risk management must be closely aligned to schedule management. Cost, time and resource estimates should always take risks into account.

The project manager is accountable for ensuring that risk management takes place. Depending on the size and complexity of the project, a specialist risk manager may be appointed to oversee and facilitate the risk management process.

The program will establish a common framework and standards for risk management across the programme. This will enable comparison of risk, reduce the time taken to initiate management processes at project level, and help identify interdependencies between risks across the programme. The common framework will be set out in the program risk management plan.

Program risk management is made up of two distinct areas of focus:

• project risk escalation and aggregation;
• wider business risk and risks to benefit achievement.

Program risk management addresses any individual risks at project level that, if realised, will have a wider impact. Project risks that cannot be effectively managed within projects and within contingency are escalated to the Program for attention and/or action. In addition, related or common risks within individual projects may combine or aggregate to have an effect at Program level, in which case they also need to be escalated.

Program risk management also considers any risks delegated from the portfolio or strategic level, as well as risks arising directly at the level of the programme itself. Program risks are likely to focus on prioritization of Program components, allocation of resources, interfaces and interactions between Program components, the ability to deliver change management activities within the Program, and cumulative risks arising from the combined impact of the project risks.

Risks at portfolio level are often of such scale that they may have significant impact on the ability of the organisation to operate. Portfolio risk management will focus on two areas:

• risks escalated from projects or programmes and from areas of day-to-day business;
• risks that impact upon the objectives of the portfolio and the host organisation.

Project and programme risks that cannot be effectively managed at their originating level may be escalated to the portfolio for responses unavailable at project or programme level.

The portfolio will establish common frameworks and standards for risk management, which will be cascaded to projects and programmes to ensure a common approach and reporting structure. This enables effective comparison of risk, reduces the time taken in initiating risk management processes, and assists with identification of potential conflict in selected responses across the portfolio.

The consideration of risk efficiency is of particular importance to portfolio risk management. The principles of risk efficiency have been established in financial portfolios for many years. They are equally relevant to portfolios of projects and programmes. Ensuring that the portfolio does not expose an organisation to too much risk and is efficient is an important function in the ‘balance’ phase of the portfolio life cycle.