Overview of Risk and Issue Management Tutorial

Hello and welcome to lesson 12 of the Managing Successful Programmes Certification course offered by Simplilearn. In this lesson, we will look into the governance theme, risk and issue management. Successful programme management needs to manage uncertainty, complexity and ambiguity, which is achieved through risk and issue management. Let us begin with the objectives of this lesson in the next screen.

By the end of this lesson, you will be able to: ? Define risk and issue ? List the sources of risk identification ? Explain the risk management perspectives ? Describe the steps involved in risk management framework Let us move on to the next screen to discuss the MSP® framework.

Risk and issue management, is a part of governance theme and is positioned in the middle circle of the MSP® framework. Risk and issue management ensures that the programme can manage and tolerate uncertainty, complexity and ambiguity. It also helps in the achievement of programme objectives. Let us look into the definitions of risk and issue in the next screen.

The following are some important information about risk and issue: Risk can be defined as an uncertain event or a set of events which have an impact on the achievement of the objectives. This effect need not be detrimental. A risk can either be a threat, an uncertain event with a negative impact on benefits, or an opportunity, an uncertain event that could have a favourable impact on the objectives or benefits. Risk should be described by including the cause of the risk, the event, which is the description of the threat or the opportunity and its effect which provides the summary of the likely impact on the programme and its projects. Issue can be defined as an unplanned event that has happened, which requires management actions. When risks actually happen, they become issues. The aim of programme risk and issue management is to support better decision-making through a good understanding of risks and issues and their likely impact. In the next screen, we will discuss the sources of risk identification.

Risks can be identified from multiple sources. Some of the sources of risk identification are: benefits management and transition activities, costs, scope and timescales; dependencies, constraints, assumptions, quality of operations, resources and programme deliverables; anything that cannot be resolved by the project, or issues common to more than one project, stakeholders, organisation, programme staff and third parties; degradation of operational performance staff and third parties; and degradation of operational performance beyond acceptable levels. Risks can also occur due to the lack of knowledge of team about the “as-is” or the current state, interim state and desired end state of an organisation. In addition, risk may arise from organisational strategies, other projects and influence of external programmes. In the next screen, we will understand the risk management perspectives.

Programmes also interface with other organisational perspectives like strategy, programmes, projects and operational. To anticipate risks at an early stage and tackle issues appropriately, it is important to understand these perspectives and continuously evaluate them during a programme’s life. Let us begin with the strategic level perspective. Strategic level changes can affect the programme, its interdependencies with other initiatives, its outcomes and benefit realisation. The strategic level changes are driven by the external factors, such as, political, economic, social, legislative, environmental and technical. Other factors such as inter-programme dependencies, internal political pressure and cross organisational initiatives, including working with third party suppliers, can be grouped under this level. The next perspective of risk management is programme level. A programme focuses on delivering benefits to organisation, which affects both internal and external stakeholders in a positive or negative way. Risk management for a programme must be designed to work across organisational boundaries in order to ensure that all differing interests are accommodated and stakeholders are engaged effectively. The principal areas of risk and issues within a programme are driven by aggregating threats from projects, lack of direction from leadership group and lack of clarity about expected benefits and buy-in from stakeholders. The complexity of the outcomes and the complications associated with working across the organisational boundaries are also factors to be considered. Resource availability, lack of certainty about funding and unrealistic timelines that are risks to programme delivery are included as well. The third perspective of risk management is project level. Project outputs within a programme help in delivering the programme outcomes and benefits. It is important to focus the risk and issue management on project perspective. Areas where project risks and issues arise include resource constraints, scheduling issues and scope creep. If project is unsure of what it is delivering, it may lead to risks and issues. The fourth perspective of risk management is operational level. As projects deliver the outputs, the transition to new ways of working and new systems can lead to further sources of risk. Areas that can be included in the operational level perspective are the quality of benefit-enabling outputs from projects within programme, organisational and cultural issues, transfer of outputs to operations and ability to cope with new ways of working. Further, risks can be identified in stakeholder support, industrial relations and resource availability to support changes. In the next screen, we will introduce the risk management process.

The following are the M_o_R (read as M-o-R) risk management principles at a programme level. Aligns with objectives, which means that risk management should be aligned with the strategies and objectives of the organisation Fits the context, which indicates that risk management should fit the context in which it is being applied Engages the stakeholders, which helps in risk identification and mitigations Provides clear guidance, as in, the risk management should provide clear guidance on how to manage a risk Risk management should inform the decision-making group about impending risks and their impact Facilitates continual improvement, which means that risk management should be able to facilitate continual improvement in the way risks are identified and managed Creates a supportive culture, that is, instead of blaming ‘who’ the emphasis should be more on ‘why’ Achieves measurable value, which indicates that risk management should be able to return the measurable value in terms of benefits or avoid loses due to risks Application of these principles is necessary for the implementation of a good programme risk management principle. These are informed by proven corporate governance principles and the international standard for risk management, that is, ISO 31000:2009(read as I-S-O Thirty one thousand - Two thousand nine). In the next screen, we will focus on risk management framework.

Risk management framework comprises a cycle of steps that are repeated throughout the life of the programme. The following are the steps involved in the risk management framework. Let us begin with the first step, that is, identify. Programme risk management starts with the identification of uncertain events which are either threats or opportunities. The first activity is to explore the programme context in an effort to understand the scope, objectives, assumptions, stakeholders and internal and external environment. This knowledge helps to identify risk methodically and devise best possible counter measures. The second activity is to identify risks, both threat and opportunities and enter them in the risk register. The second step is to assess. Assessment of risk can be done in two steps. The first step is to estimate the threats and opportunities in terms of probability, impact and proximity. The second step is to evaluate the net aggregated effect of identified risks on the programme. Evaluation is important for programmes, where the risks in smaller projects can quickly aggregate to risks at the programme level. The next step is to plan. The primary goal of this step is to prepare specific management responses to threats and opportunities that have been identified with an attempt to remove or reduce their impact. It is common for risk responses to be only partially effective and leave residual risk. It is important to analyse the impact of the residual risk as well, as the impact can be considerable. The fourth step is implement. The goal of this step is to ensure that the planned actions for managing risks have been implemented and monitored to ensure their effectiveness. In case the responses are not as effective as planned, corrective measures need to be taken. This step also has to ensure that risk owner and risk actionee should be identified in advance. Risk owner is responsible for management and control of all aspects of risks assigned to them including managing, tracking and reporting the implementation of selected actions. Risk actionee is responsible for implementing the risk responses. They support and take directions from risk owner. All the above mentioned steps are supported by communicate and embed and review activities. Let us look into communicate first. The fifth step is to communicate. Effective communication is important for the identification of new threats and opportunities. This is an activity which is carried throughout the risk management cycle. Implementation of risk management is dependent on participation and participation in turn is dependent on good communication. The final step is to embed and review. This step ensures risk management is appropriately and successfully handled within the programme and across the organisation. It must also ensure that risk management strategy is being followed. It looks at each step of the framework to determine its contribution to the overall quality or risk management. It provides controls over the process with reviews and health checks to gain maximum value for the investment in risk management.

Let us summarise what we have learnt in this lesson: Risk can be defined as an uncertain event or a set of events which, should it occur, will have an impact on the achievement of the objectives. Issue can be defined as an unplanned event that has happened and requires management actions. Some of the sources of risk identification include benefits management activities, quality of operations, programme deliverables, stakeholders, degradation of operational performance staff and organisational strategies. The various risk management perspectives are strategic level, programme level, project level and operational level. The steps involved in risk management framework are identify, assess, plan, implement, communicate and embed and review. Next, we will focus on risk management.