Risk Management

Risk management is a process that allows individual risk events and overall risk to be understood and managed proactively, optimizing success by minimizing threats and maximizing opportunities.

All programs are inherently risky because they are unique, constrained, based on assumptions, performed by people and subject to external influences. Risks can affect the achievement of objectives either positively or negatively. Risk includes both opportunities and threats, and both should be managed through the risk management process.

Risk response planning aims to avoid, reduce, transfer or accept threats as well as exploit, enhance, share or reject opportunities, with contingency (time, cost, resources and course of action) for risks which cannot be managed proactively. The final step is the implementation of agreed responses.

The whole process is iterative. For example, assessment or response planning can lead to the identification of further risks; planning and implementing responses can trigger a need for further analysis, and so on.

Risk management at project, programme or portfolio level must not be conducted in isolation and must interface with the rest of the organisation. Risks at project level may need escalation to programme and portfolio level:

Figure: P3 risk management

In addition, P3 risk management must contribute, as appropriate, to both business risk assessments and organisational governance requirements. The P3 manager must be aware of risks that have an effect outside their scope of responsibility, e.g. those that could affect the organisation’s reputation.

The management of general health and safety risks is usually excluded from P3 risk management, as the management of these risks is traditionally handled by a separate function within the organisation.

Project

Risk management at project level is most often focused on individual risks that, should they occur, will affect the project’s objectives. It is, however, also important for the project manager to understand the overall risk exposure of the project, so that this can be reported to the project sponsor and other stakeholders.

Risk management must be closely aligned with schedule management and with estimating more generally. Cost, time and resource estimates should always take the identified risks into account, including the contingency needed for those that cannot be managed proactively.

The project manager is accountable for ensuring that risk management takes place. Depending on the size and complexity of the project, a specialist risk manager may be appointed to oversee and facilitate the risk management process.

Programme

The programme will establish a common framework and standards for risk management across the programme. This will enable comparison of risk between projects, reduce the time taken to initiate risk management processes at project level, and help identify interdependencies between risks across the programme. The common framework will be set out in the programme risk management plan.

Program risk management is made up of two distinct areas of focus:

  • project risk escalation and aggregation;
  • wider business risk and risks to benefit achievement.

Programme risk management addresses any individual risks at project level that, if realised, will have a wider impact. Project risks that cannot be effectively managed within projects and within their contingency are escalated to the programme for attention and/or action. In addition, related or common risks within individual projects may combine or aggregate to have an effect at programme level, in which case they also need to be escalated.

Programme risk management also considers any risks delegated from the portfolio or strategic level, as well as risks arising directly at the level of the programme itself. Programme risks are likely to focus on prioritisation of programme components, allocation of resources, interfaces and interactions between programme components, the ability to deliver change management activities within the programme, and cumulative risks arising from the combined impact of the project risks.

Portfolio

Risks at portfolio level are often of such scale that they may have significant impact on the ability of the organisation to operate. Portfolio risk management will focus on two areas:

  • risks escalated from projects or programmes and from areas of day-to-day business;
  • risks that impact upon the objectives of the portfolio and the host organisation.

Project and programme risks that cannot be effectively managed at their originating level may be escalated to the portfolio for responses unavailable at project or programme level.

The portfolio will establish common frameworks and standards for risk management, which will be cascaded to projects and programmes to ensure a common approach and reporting structure. This enables effective comparison of risk, reduces the time taken in initiating risk management processes, and assists with identification of potential conflict in selected responses across the portfolio.

The consideration of risk efficiency is of particular importance to portfolio risk management. The principles of risk efficiency have been established in financial portfolios for many years: a portfolio is risk-efficient when no alternative selection of components would give the same expected return for less overall risk, or a greater return for the same risk. These principles are equally relevant to portfolios of projects and programmes. Ensuring that the portfolio does not expose the organisation to too much risk, and that it is risk-efficient, is an important function of the 'balance' phase of the portfolio life cycle.