Programme & Project Risk Management

Programme risk management and project risk management are methods by which the total risk to the programme or project is identified, quantified and managed. Both form important parts of the wider Enterprise Risk Management (ERM) strategy that risk managers utilise to capture, analyse and manage the total risk to an organisation or business.


What is the difference between project risk management and programme risk management?

As their names suggest, programme risk management resides over and manages the total risk to a programme.

Where project level risk management is the process of managing the individual risk events of (individual) projects.  Project level risk management is most often focused on individual risk events. Project level risk management is ultimately the responsibility of the project manager.

In contrast, a programme is not simply a large project. It consists of a number of inter-related projects that together are working towards a shared objective. The processes involved in programme and project risk management are similar but more complex due to the requirement for effective escalation. Programmes also tend to require more in-depth contingency plans for risks that cannot be managed proactively.

Programme risk management should handle the escalated individual risks identified in projects that may have the wider potential to impact the programme as a whole. Risks that have the potential to impact the strategy of the business are escalated to the strategic risk level. Risks should also be identified at the programme level itself (ie not just escalated from projects).


What do businesses and organisations need programme and project risk management processes for?

Programme and project risk management are essential, as most large complex programmes and projects fail to meet their planned objectives on time, either by failing to deliver what was promised, sliding timeframes or exceeding their budgets – or all three.

Potential risks within major change programmes are the most difficult of all to identify, and therefore to take action on, because often the sheer complexity of the programme can make it difficult to “see the wood for the trees”.

Most organisations simultaneously work on several programmes of change at any one time, and these programmes may fundamentally change the way a company or organisation conducts its business. The failure to meet deliverable deadlines and other risks that result in potential problems can have a severe adverse effect on the overall business’s objectives, profitability and reputation.

So it is important to have a programme wide risk management plan in place for proper risk identification, risk analysis and risk prioritisation. Ultimately a programme “risk register” will need to be compiled so that the necessary risk mitigation and risk response steps can be coordinated.


Project management, project managers and risk assessment

According to the Project Management Body of Knowledge (PMBOK), risk management is one of the ten knowledge areas that a project manager must be competent.

It can be difficult for project managers to utilise project risk management correctly. Project, and particularly programme risk management is more complex than, say, operational risk management as it is by definition, the management of change-risks rather than steady-state risks.

Many project managers use project risk management tools to help them achieve their objectives and communicate with team members effectively.  However, an excellent risk tool without an effective risk management process is doomed to failure.

Negative and positive risk

Most people tend to think of risk as a negative thing, but not all risk is negative risk – think of why people gamble?

Positive risks are opportunities that can have a beneficial impact. If opportunities are managed, milestones could be completed ahead of time, objectives could be exceeded or it could finish with under-budget project costs.

Positive new risks can be exploited to encourage them to happen more often, or by increasing the benefits of the positive risk to others.

Both negative and positive risk should be accounted for in both programme and project risk management. In practice, traditional risk management approaches struggle to identify real opportunities. It is also important to note that positive risk can quickly switch into negative risk, and, likewise, sometimes negative risk can turn into a positive risk.


Programme risk management versus crisis management

Large programmes and projects are often chaotic, with objectives often unclear and plans/priorities constantly evolving and changing. It can be tempting to take these problems as they come, but this can cause a business to become caught up in crisis i.e. issue management instead of true risk management and risk avoidance.

To use an analogy, programme risk management is like knocking a missile out of the sky as it comes over the horizon, whereas issue management is like implementing a contingency plan for clearing up the mess from the resulting craters.


Transformation risk management

Any programme or project which significantly changes, or “transforms” the business operations of an organisation will expose the business to most risk. This is due to two reasons:

  • Risk is increased to current operations (which have to accept the changes whilst continuing to run the business).
  • Risk is heightened for the project which is trying to change those same business operations as there will often be push back at crucial stages such as testing.

For this reason, transformation risk management is the riskiest form of programme risk management in the ERM space, as you have the normal complications of a programme with all the additional complications of transformation.


The benefits of effective programme and project risk management

Programme and project risk management are challenging processes, as it effectively tries to carve a path through the uncertain events of “change” and into the future. And while it is true that we can never predict the future with complete certainty, risk management can provide an efficient, streamlined and formulated plan to help us navigate and recognise the likelihood of potentially harmful future events, while there is still time to do something about them.

Risk management not only helps to avoid crises but helps businesses to reflect on and learn from past mistakes.

Our programme and project risk management processes and techniques

The ABCD risk management process can be used for all projects and programmes; i.e. ABCD is fully scaleable, in that it handles all the hierarchies and escalations that traditional methods normally fail to address and therefore ensures that management can “see the wood for the trees”.

The ABCD Strategic Target Analysis technique can be used to assess the percentage confidence of achieving key programme milestones and showing the specific assumptions that need to be managed in order to recover timescales back to their original plan.

The Assure web-based toolset is the most effective way of embedding the ERM process into the business. Assure is the only toolset commercially available that has built-in prioritisation and escalation rules that ensure true enterprise risk management (ERM).

risky assumption


Why the De-RISK ABCD risk management process works

Projects are often impacted by common risks that were foreseen in the minds of key individuals, but were not communicated at the right time and therefore not managed by the project team. If a way can be found of unlocking the collective knowledge and viewpoints of all the key stakeholders around the project/programme, then a valuable insight into the true risks to the objectives would result. The ABCD risk management methodology provides both the insight and the means for effectively managing risk.

Our ABCD approach to programme and project risk management provides a simple, common, positive language for the communication of risk within a team or project hierarchy. This, in turn, facilitates a simple overview of complex risks for programme and project leaders/decision-makers – all within a rigorous and proven framework.

The implementation of ABCD also allows De-RISK to work with you to make the programme risk management process as flexible and adaptable as possible, ensuring significant and specific risks to the project or programme are identified and controlled at the correct time.

Finally, our non-intrusive and non-bureaucratic approach improves management discipline across the organisation and has a track record of being readily accepted by risk owners and embraced by project teams.


Want to know more about risk management? Then check out our glossary pages.

Check out our Why Is Risk Management? page, Enterprise Risk Management page, Strategic Risk Management page, and our Operational Risk Management (ORM) pages for more information on the different types of risk management and how they can help your business.

Visit our case studies page and see first hand the success we have had on major projects of all types. For little more about who we are, check out our About Us page.

Would you like to know more about risk management?

We are confident that just an initial call will provide enough information to create a new outlook regarding the impact of risk management on your business.