What is risk management?
The uncertainty connected to risk is often thought of in terms of a threat or a negative impact, but it can also be considered as a potential opportunity or a positive impact. Risk management is the term which refers to the systematic application of principles, approaches and processes to identify and assess risks and then to plan and implement a suitable response.
The risk management processes can be applied equally at strategic or corporate, programme, project and operational levels.
Purpose of risk management
The purpose of risk management is to support effective decision making by dealing with risk in a way that is visible, repeatable and consistent. A meaningful risk management process will provide an organisation with a better understanding of risks and their likely impact. In turn, this helps to ensure that an organisation makes cost-effective use of a process that is based on a series of well-defined steps.
The key elements in effective risk management are to:
- identify - includes considering risks in context, how they could affect an organisation’s objectives and describing them in enough detail to ensure a common understanding
- assess - includes ensuring that risks can be ranked in terms of estimated impact and how soon they are likely to occur, and gaining an understanding of the associated level of risk
- control - includes describing how to respond appropriately to identified risks and then authorising, monitoring and controlling these responses
Risk management guidance
Programme or project risks can arise from a variety of sources and an understanding of the business context is an essential first step. Risk registers or lessons learned reports from previous projects will point to where potential threats may arise. Generic lists of risk types can be useful to bring to facilitated workshops, providing stakeholders with a good starting point in the risk identification process.
Three excellent sources of best practice risk management guidance are:
- NI Audit Office report titled Good Practice in Risk Management
- The Cabinet Office's Management of Risk
- Association for Project Management Body of Knowledge
Generic risk management awareness has been provided across many NICS departments. The requirements of corporate governance applied in the public sector demand that organisations maintain, and regularly review, corporate risk registers.
Risk management roles and responsibilities
The main risk management roles and responsibilities are:
- senior responsible owner - in a programme and project management context, the SRO has overall responsibility for putting in place an effective risk management policy and process
- sponsoring group or board - has key oversight responsibility for risk management processes and a prime role in setting policy and approving action in the mitigation of risks that are causing concern
- programme manager or project manager - day-to-day risk management responsibility rests here; the programme or project manager has a key role in implementing PPM-related risk management policy
- risk owner - the person best placed to direct or take mitigating action against individual risks
- all staff - risk management is the responsibility of all staff in the organisation; staff will adopt various roles at different stages in the programme or project