Risk

Managing risk

This briefing provides an outline of risk management to help organisations to put in place effective frameworks for taking informed decisions about risk. The guidance provides a route map for risk management, bringing together policy and guidance from HM Treasury, NAO and OGC. It outlines a recommended approach that will help to achieve more robust risk management.

Why management of risk is important

A certain amount of risk taking is inevitable if your organisation is to achieve its objectives. Effective management of risk helps you to manage innovation and improve performance by contributing to:

  • increased certainty and fewer surprises
  • better service delivery
  • more effective management of change
  • more efficient use of resources
  • better management at all levels through improved decision-making
  • reduced waste and fraud, and better value for money
  • innovation
  • management of contingent and maintenance activities.

The key areas that have to be addressed are:

  • the requirements of corporate governance – these include more focused and open ways of managing risk
  • the need for a ‘risk owner’ at senior level, such as the Senior Responsible Owner (SRO) role, for an activity (strategy, programme or project) and the need for risk owners at everyday working levels as appropriate for the activity and risk exposure
  • consideration of the organisational capability to successfully achieve the required outcome
  • the need for improved reporting and upward referral of major problems
  • the need for a shared understanding of risk and its management at all levels in the organisation, with partners and key stakeholders, combined with consistent treatment of risk across the organisation
  • managing project risk in the wider context of programmes of change and the business.

Critical success factors for management of risk

The key elements that need to be in place include:
  • nominated senior managers who support and own the risk management process and lead on risk management
  • risk management policies, and the benefits of following them, clearly communicated to all staff
  • existence and adoption of a framework for management of risk that is transparent and repeatable
  • existence of an organisational culture that supports well thought-through risk taking and innovation
  • management of risk fully embedded in management processes and consistently applied
  • management of risk closely linked to achievement of objectives
  • risks associated with working with other organisations explicitly assessed and managed
  • risks actively monitored and regularly reviewed on a constructive ‘no-blame’ basis.
Appropriate use of business continuity plans and contingency plans is an important element of the management of risk. So there are likely to be success criteria identified with regard to:
  • building in a risk allowance based on the risk assessment. These funds need to be included in the financial provision. Unused funds for risk allowance can then be redeployed when the activity completes or if the exposure to the related risk disappears
  • existence of continuity plans which consider how the business will survive should the outcome not be achieved (this would include looking at what happens if a service fails to come on stream at the required time, or if the users refuse to make use of the service).
Joint working and partnerships often involve more complex types of risk that can adversely affect the delivery of business services. For example, if part of the service provided by one organisation is delayed or of poor quality, the success of the whole collaboration can be put at risk. You must make sure that your organisation knows about the risk management approaches of your partners. Sharing information about risk management means that risks in collaborative programmes can be identified and managed in a proactive way.

Essential elements of risk management

Risk includes the probability of both good and bad outcomes; the consideration of risk has to be set in the context of opportunity. The task of risk management is to limit the organisation’s exposure to an acceptable level of risk by taking action on the probability of the risk occurring, its impact or both. The principles of risk management can be directed both to limiting adverse outcomes and to achieving desirable ones.

Your organisation will have a set of key objectives. Risks (ideally not more than 10-15) should be identified against these objectives, at the highest level. These high-level risks should then be considered and managed by senior management.

Management of risk involves having processes in place to monitor risks; access to reliable, up-to-date information about risks; an appropriate level of control in place to deal with those risks; and decision-making processes supported by a framework of risk analysis and evaluation. Risks must be managed in an integrated way at four key levels in order to manage interdependencies – these levels are strategic, programme, project and operational. See the risk management workbook for a detailed step-by-step approach to the management of risk.

At a high level, risks can be categorised as follows:
  • business risk – whatever affects your ability to meet business objectives. These risks are managed by the business and cannot be transferred
  • service/operational risk – includes design/build/finance/operate; project risk; these are managed by the party best placed to do so. Providers and customers share detailed plans for managing risks
  • external risk – outside your control, such as legislation, changes in provider marketplace; providers and customers produce and maintain plans for mitigating these risks.
The table below shows the levels of risk and examples of typical risks occurring at each level.

Level: Strategic/corporate
  Typical risks considered at this level: commercial, financial, political, environmental, strategic, cultural, acquisition and quality risks
  Escalation: programme, project and operational risks should be escalated to this level against set escalation criteria, e.g. not acceptable, outside agreed limits, could affect strategic objectives

Level: Programme
  Typical risks considered at this level: procurement/acquisition, funding, organisational, projects, security, safety, quality and business continuity risks
  Escalation: project and operational risks should be escalated to this level against set escalation criteria, e.g. not acceptable, outside agreed limits, could affect programme objectives

Level: Project
  Typical risks considered at this level: personal, technical, cost, schedule, resource, operational support, quality and provider failure
  Communication: strategic and programme-related risks should be communicated to this level where they could affect project objectives; project managers should communicate information about project risks to other projects and operations as appropriate

Level: Operations
  Typical risks considered at this level: personal, technical, cost, schedule, resource, operational support, quality, provider failure, environmental and infrastructure failure

Higher management levels will agree the criteria under which an activity is managed. When risks exceed these set criteria (e.g. not acceptable, outside agreed limits), information needs to be escalated so that decisions can be taken.

A risk management framework

The minimum requirements for a risk management framework are:
  • existence of the organisation’s risk policy
  • clear identification of main stakeholders
  • clarification of the main approaches to be used to identify, assess and report on risks, and to decide on actions to deal with risks
  • clear assignment of responsibilities for managing risk and reporting to senior management, especially risks which cut across core business activities and organisational boundaries
  • clear audit trail of decisions to ensure that risk management reflects current good practice, with quality assurance of key decisions as input to audit.
Figure 1 shows a strategic framework for the management of risk.

A framework for management of risk sets the context in which risks will be identified, analysed, controlled, monitored and reviewed. It must be consistent with processes that are embedded in everyday management and operational practices. It addresses:
  • how risks are identified
  • how information about their probability and potential impact is obtained
  • how risks are quantified
  • how options to deal with them are identified
  • how decisions on risk management are made, such as further risk reduction
  • how these decisions are implemented
  • how risks are subsequently tracked and managed
  • how actions are evaluated for their effectiveness
  • how appropriate communication mechanisms are set up and supported
  • how stakeholders are engaged throughout the process.
The following text looks at the key steps involved in the risk management process and looks at the major issues for those steps. Annex A gives a healthcheck so that you can assess how well your organisation has adopted the risk management framework.

Risk ownership

  • Allocate responsibility at a senior level for managing key risks
  • Ensure that every risk has an owner; there may be separate owners for the actions to mitigate the risks
  • Ensure anyone allocated ownership has the authority to take on the responsibility and that they are aware that they are the designated owner
  • Adopt a mechanism for reporting issues – ultimately to the individual who has to retain overall responsibility

Embedding the risk management policy

  • Ensure that risk management is an intrinsic part of the way the organisation works and that this is reflected in the policy
  • Keep the policy up to date through review by senior management

Risk identification

  • Look at what is at risk and why
  • Consider the opportunities opened up by the current activity (e.g. programme or project) as that may also clarify where risk lies
  • Aim to identify the 20% of risks that would have 80% of the potential impact
  • Ensure that everyone involved has a sound understanding of the mission, aims and objectives and plans for delivery
  • Check that there are realistic plans for how providers could deliver the outcomes sought from the activity; check that there is shared understanding of the risks, whilst recognising that customers’ and providers’ perspectives on risk will not be the same.

Risk analysis

  • Assess the probability of risks occurring and their potential impact.
  • Set tolerances for individual risks, with reporting arrangements for escalating problems if risks exceed agreed tolerances. Use the Summary Risk Profile (see later) to inform the analysis, support risk referral and subsequently to monitor progress.
  • To determine the degree of review required (internal or external) on major projects use the Project Profile Model (part of the Gateway process) to identify the likely exposure to risk.

Response to risk

Address each risk as appropriate:
  • transfer it to the party best placed to manage it (note that business and reputational risk cannot be transferred)
  • tolerate it
  • terminate it
  • treat it by addressing the probability or impact and so contain it to an acceptable level.
Put in place processes that will actively encourage cooperation and open dialogue between customers and providers. Ensure that providers share information about problems at the earliest opportunity so that small issues do not escalate.

Communication strategy

You will need to ensure that appropriate communication mechanisms exist and are adopted. The strategy for communicating risk should cover all stakeholders and, where directly affected, the public:
  • identify who you need to establish channels of communication with, through which you can convey good, and bad, news
  • identify whose opinions, positions and interests you should be aware of so that you can tailor the management of issues accordingly and more readily take advantage of opportunities, e.g. identify if the outcome is likely to be adopted by those it is intended to help.

Techniques to assist the management of risk

A wide range of techniques is available to assist in managing risk; for example to analyse risk, to help you to determine your organisation’s current capability to manage risk, to assess the complexity of projects that are proposed or currently underway or to assess uncertainty relating to the project.
A major concern is the appropriate communication of risk information, in particular where escalation is required. The ‘summary risk profile’ (SRP) is a simple mechanism to increase visibility of risks. It is a graphical representation of information normally found on a risk register. This graph should be updated in line with the risk register on a regular basis. The profile shows risks in terms of probability and severity of impact, with the effects of mitigating action taken into account.
The SRP is often referred to as a probability/impact matrix. Each risk (indicated by * on the diagram) would normally have a number or other reference and supporting details. The position of the risk tolerance line would depend on the organisation and its project. See figure 2 for an example SRP.
Use the risk management healthcheck to assess your organisation's provision for managing risk. See the techniques section for further tools for managing risk.
Figure 2: Example of a Summary Risk Profile
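As an added worked example, not part of the OGC briefing, the following Python builds a small constructed risk register, renders it as a text-based Summary Risk Profile with a tolerance line, and lists the risks that sit above the agreed tolerance together with the level they are referred to, following the escalation pattern in the levels table above. The 1-5 probability and impact scales, the scoring rule (exposure = probability × impact), the tolerance value of 12, the escalation map and every register entry are assumptions made for illustration; an organisation would set its own scales and tolerance.

```python
"""Summary Risk Profile (SRP) as a probability/impact matrix with a tolerance line.

Added example, not part of the OGC briefing. The 1-5 scales, the scoring rule
(exposure = probability x impact), the tolerance value, the escalation map and
every register entry below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

SCALE = (1, 2, 3, 4, 5)  # assumed 5-point scales for probability and impact

# Assumed escalation route, following the pattern in the levels table:
# project and operational risks are referred to programme level, programme
# risks to strategic level; strategic risks have no higher level.
ESCALATES_TO = {
    "operational": "programme",
    "project": "programme",
    "programme": "strategic",
    "strategic": None,
}


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    probability: int  # 1 (very unlikely) .. 5 (almost certain), after mitigating action
    impact: int       # 1 (negligible) .. 5 (severe), after mitigating action
    level: str        # level at which the risk is currently managed
    owner: str        # the named risk owner


def exposure(risk: Risk) -> int:
    """Score used to place a risk relative to the tolerance line (assumed rule)."""
    return risk.probability * risk.impact


def above_tolerance(risk: Risk, tolerance: int) -> bool:
    """True when the risk sits above the tolerance line and must be escalated."""
    return exposure(risk) > tolerance


def summary_risk_profile(register: list, tolerance: int) -> str:
    """Render the SRP as a text grid: impact down the side, probability along the bottom.

    Each cell lists the references of the risks plotted there ('.' if empty);
    cells above the tolerance line are shown in [brackets].
    """
    cells = {}
    for risk in register:
        cells.setdefault((risk.probability, risk.impact), []).append(risk.ref)
    rows = []
    for impact in reversed(SCALE):
        row = [f"impact {impact} |"]
        for probability in SCALE:
            text = ",".join(cells.get((probability, impact), [])) or "."
            if probability * impact > tolerance:
                text = f"[{text}]"
            row.append(f"{text:>9}")
        rows.append("".join(row))
    rows.append(" " * 10 + "".join(f"{'p=' + str(p):>9}" for p in SCALE))
    return "\n".join(rows)


def escalation_report(register: list, tolerance: int) -> list:
    """Risks exceeding tolerance, highest exposure first, with the level they are referred to.

    Returns (ref, exposure, current level, level escalated to) tuples.
    """
    breaches = [r for r in register if above_tolerance(r, tolerance)]
    breaches.sort(key=exposure, reverse=True)
    return [(r.ref, exposure(r), r.level, ESCALATES_TO[r.level]) for r in breaches]


# Constructed register: post-mitigation assessments, not real project data.
REGISTER = [
    Risk("R1", "key provider misses delivery milestone", 4, 5, "project", "PM"),
    Risk("R2", "support rota gap during rollout", 2, 3, "operational", "Ops lead"),
    Risk("R3", "funding for phase 2 not confirmed", 3, 5, "programme", "Programme director"),
    Risk("R4", "minor scope creep on reporting module", 5, 2, "project", "PM"),
    Risk("R5", "change in legislation alters service need", 2, 5, "strategic", "SRO"),
]
TOLERANCE = 12  # assumed agreed limit on exposure

if __name__ == "__main__":
    print(summary_risk_profile(REGISTER, TOLERANCE))
    for ref, score, level, referred_to in escalation_report(REGISTER, TOLERANCE):
        print(f"{ref}: exposure {score} at {level} level -> escalate to {referred_to}")
```

The grid is the briefing's probability/impact matrix: bracketed cells are those above the tolerance line, so a reader can see at a glance which entries need upward referral, and the report gives the reviewer the ordered list to act on. Because the scores are post-mitigation values, re-running the two functions after each register update is what "updating the profile in line with the risk register" amounts to in practice.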

Further Information

The approach described in this briefing complements OGC’s guidance on programme and project management and is frequently updated to reflect current thinking. This approach, branded by OGC as M_o_R (Management of Risk), is documented in the ‘Management of Risk: Practitioners Guide’ published through The Stationery Office. That publication is supported by training and qualifications.

See the descriptions of risk management strategy and risk log; see also the Risk Management Guidelines and the Achieving Excellence Guides: value for money in construction projects.

For more detailed guidance on related topics, see also the OGC publication Managing Successful Programmes. Guidance on risk from related central sources includes HM Treasury's Management of Risk: A Strategic Overview (The Orange Book), the Green Book, NAO's Supporting Innovation: Managing Risk in Government Departments, and the Cabinet Office's Successful IT: Modernising Government in Action.

Other sources