Risk & Issue Management: A Complete Guide Tutorial For FREE | CHECK-OUT

Last updated on 08th Jul 2020, Blog, Tutorials

Risk

• Risk can be defined as an uncertain event or a set of events which have an impact on the achievement of the objectives. This effect need not be detrimental.
• A risk can either be a threat, an uncertain event with a negative impact on benefits, or an opportunity, an uncertain event that could have a favorable impact on the objectives or benefits.
• Risk should be described by including the cause of the risk, the event, which is the description of the threat or the opportunity and its effect which provides the summary of the likely impact on the program and its projects.

Issue

• The issue can be defined as an unplanned event that has happened, which requires management actions. When risks actually happen, they become issues.
• The aim of program risk and issue management is to support better decision-making through a good understanding of risks and issues and their likely impact.
• In the next section, we will discuss the sources of risk identification.

Sources of Risk Identification

Risks can be identified from multiple sources. Some of the sources of risk identification are:

• Benefits management and transition activities, costs, scope, and timescales;
• Dependencies, constraints, assumptions, quality of operations, resources and program deliverables;
• Anything that cannot be resolved by the project, or issues common to more than one project, stakeholders, organization, program staff and third parties;
• Degradation of operational performance staff and third parties;
• Degradation of operational performance beyond acceptable levels.
• Risks can also occur due to the lack of knowledge of the team about the “as-is” or the current state, interim state and the desired end state of an organization.
• In addition, the risk may arise from organizational strategies, other projects and influence of external programs.

Risk Management Perspectives

• Programs also interface with other organizational perspectives like strategy, programs, projects and operational. To anticipate risks at an early stage and tackle issues appropriately, it is important to understand these perspectives and continuously evaluate them during a program’s life.
• Following are some risk management perspectives; Let us begin with the strategic level perspective.

Strategic level

Strategic level changes can affect the program, its interdependencies with other initiatives, its outcomes and benefits realization.

The strategic level changes are driven by:

• The external factors, such as political, economic, social, legislative, environmental and technical,
• Inter-program dependencies,
• Internal political pressure, and
• Cross-organizational initiatives, including working with third party suppliers, can be grouped under this level.

Program Level

• A program focuses on delivering benefits to the organization, which affects both internal and external stakeholders in a positive or negative way.
• Risk management for a program must be designed to work across organizational boundaries in order to ensure that all different interests are accommodated and stakeholders are engaged effectively.

The principal areas of risk and issues within a program are driven by:

• Aggregating threats from projects,
• Lack of direction from leadership group,
• Lack of clarity about expected benefits and buy-in from stakeholders,
• The complexity of the outcomes,
• The complications associated with working across the organizational boundaries are also factors to be considered,
• Resource availability,
• Lack of certainty about funding and
• Unrealistic timelines that are risks to program delivery are included as well.

Project Level

Project outputs within a program help in delivering the program outcomes and benefits.

• It is important to focus on the risk and issue management on project perspective.
• Areas, where project risks and issues arise, include resource constraints, scheduling issues, and scope creep.
• If the project is unsure of what it is delivering, it may lead to risks and issues.

Operational Level

• As projects deliver the outputs, the transition to new ways of working and new systems can lead to further sources of risk.

Areas that can be included in the operational level perspective are:

• The quality of benefit-enabling outputs from projects within program,
• Organisational and cultural issues,
• Transfer of outputs to operations and ability to cope with new ways of working.
• Further, risks can be identified in stakeholder support,
• Industrial relations and
• Resource availability to support changes.

M_o_R risk management principles

The following are the M_o_R (read as M-o-R) risk management principles at a program level.

• Aligns with objectives, which means that risk management should be aligned with the strategies and objectives of the organization.
• Fits the context, which indicates that risk management should fit the context in which it is being applied.
• Engages the stakeholders, which helps in risk identification and mitigations.
• Provides clear guidance, as in, the risk management should provide clear guidance on how to manage risk.
• Risk management should inform the decision-making group about impending risks and their impact.
• Facilitates continual improvement, which means that risk management should be able to facilitate continual improvement in the way risks are identified and managed.
• Creates a supportive culture, that is, instead of blaming ‘who’ the emphasis should be more on ‘why’.
• Achieves a measurable value, which indicates that risk management should be able to return the measurable value in terms of benefits or avoid loses due to risks.
• Application of these principles is necessary for the implementation of a good program risk management principle. These are informed by proven corporate governance principles and the international standard for risk management, that is, ISO 31000:2009(read as I-S-O Thirty-one thousand – Two thousand nine).

Risk Management Framework

• Risk management framework comprises a cycle of steps that are repeated throughout the life of the program.
• The following are the steps involved in the risk management framework. Let us begin with the first step, that is, identify.

Identify

Program risk management starts with the identification of uncertain events which are either threats or opportunities.

• The first activity is to explore the program context in an effort to understand the scope, objectives, assumptions, stakeholders and internal and external environment.
• This knowledge helps to identify risk methodically and devise the best possible countermeasures.
• The second activity is to identify risks, both threat, and opportunities and enter them in the risk register.

Assess

Assessment of risk can be done in two steps:

• The first step is to estimate the threats and opportunities in terms of probability, impact, and proximity.
• The second step is to evaluate the net aggregated effect of identified risks on the program.
• Evaluation is important for programs, where the risks in smaller projects can quickly aggregate to risks at the program level.

Plan

The primary goal of this step is to prepare specific management responses to threats and opportunities that have been identified with an attempt to remove or reduce their impact.

• It is common for risk responses to be only partially effective and leave residual risk.
• It is important to analyze the impact of the residual risk as well, as the impact can be considerable.

Implement

• The goal of this step is to ensure that the planned actions for managing risks have been implemented and monitored to ensure their effectiveness. In case the responses are not as effective as planned, corrective measures need to be taken.

This step also has to ensure that risk owner and risk actionee should be identified in advance.

• The risk owner is responsible for management and control of all aspects of risks assigned to them including managing, tracking and reporting the implementation of selected actions.
• The risk actionee is responsible for implementing the risk responses. They support and take directions from the risk owner.
• All the above-mentioned steps are supported by communicating and embed and review activities. Let us look into communicating first. 

Communicate

Effective communication is important for the identification of new threats and opportunities.

• This is an activity which is carried throughout the risk management cycle.
• Implementation of risk management is dependent on participation and participation, in turn, is dependent on good communication.

Embed and Review

This step ensures risk management is appropriately and successfully handled within the program and across the organization. It must also ensure that the risk management strategy is being followed.

• It looks at each step of the framework to determine its contribution to the overall quality or risk management.
• It provides controls over the process with reviews and health checks to gain maximum value for the investment in risk management.

Managing Risks in a Program

Before the risk management cycle can operate, specific arrangements are made for managing risks.

Arrangements to manage risks in a program –

The following are the various arrangements used in managing risks in a program:

• Risk management strategy
• Risk appetite
• Tolerance thresholds
• Assumptions
• Early warning indicators
• Risk register
• Threats and opportunities
• Evaluating risks
• Risk aggregation
• Proximity and
• Progress reporting.

Risk Management Strategy

• Risk management strategy is created and approved in ‘defining a program’ and describes the approach to risk management in a program.

The following are a few functions of risk management strategy:

• The risk management strategy should reflect the organization’s risk policies and process guidance. These may define the priorities to be observed by the program to ensure it is compliant with the organization’s risk governance arrangements. Building on corporate standards, the program has to set its own risk appetite and culture for managing risks.
• Risk management strategy should clarify how opportunities will be managed
• Describe how the interface with benefits management approach will be handled as defined in the benefits management strategy.
• Risk management strategy should clarify and explain how information flows will work in the program.
• It also manages project assumptions by defining how projects will manage their risks.
• It also defines how project, program, and operation work together to manage risks as described in risk management strategy, and ensures awareness of the risk impact and its response.

Risk Appetite and Tolerance Thresholds

The following are a few facts about risk appetite and tolerance thresholds. Let us begin with risk appetite.

Risk Appetite

• It is the amount of risk that an organization is willing to accept. It helps in defining the tolerance levels. It is essential for a program to understand the corporate risk appetite to devise a successful risk management strategy, steer project risk activities and define aggregation and escalation rules.
• Now, let us understand tolerance thresholds.

Tolerance Thresholds

• It translates the risk appetite into guidelines that steer program and project behavior. Tolerance thresholds define the exposure to risks on one level that, if exceeded, requires escalation and reaction from the higher hierarchy.

Threats and Opportunities

The following are a few facts about threats and opportunities:

• Risks are normally threats or negative impact on a program but some risks actually provide opportunities to improve a program’s outcomes. It means that such risks have a positive impact.
• The same event can have a different impact on different constituent projects.
• Also, the aggregation of threats or opportunities at the program level may change the resulting effects again.
• There can be multiple triggers for a single threat or opportunity. It is important to differentiate between the threat and opportunity to focus on risk response as both will have a different type of response.
• Risk management and benefits management can overlap in a scenario, where an opportunity becomes a potential benefit.
• It may not be possible to remove the threat or opportunity always, however, it might be possible to avoid or remove events that will trigger the risk.

Evaluating Risks

• The uncertainty associated with risks is expressed as their probability of becoming issues that can potentially impact a program’s cost, time and benefits. Probability is defined as the chances of risk occurrence.
• The following are different ways to evaluate risks in a program.

Probability Impact Grid

The main points under the probability impact grid are given as-

• The impact is the positive or negative effect of risk in a program.
• These impacts can be shown in the form of a probability impact grid, giving criteria to each level within a scale that is very high to very low.
• Probability and impact values can be attributed to these ratings so that the ranking values can be calculated for each cell of the grid.

Expected value

Expected Value is explained as-

• Expected value is a way of estimating the financial exposure of risks by discounting the total cost of their impact against the probability of their occurrence.
• It is calculated by multiplying the estimated average risk impact by the estimated probability to give a weighted risk.

Other Methods

The other methods that can be used to evaluate risk include:

• Estimated monetary value calculation, which records the weighted average of the anticipated impact;
• Net present value calculation, which uses an accepted discount rate and
• Risk model, which aggregates the risks together using a simulation technique.

Probability Impact Grid

The image below represents the probability impact grid.

The following are a few important information about the probability impact grid.

• Probability impact grid contains ranking values that may be used to rank threats and opportunities qualitatively.
• The probability scales are measures of the probability of occurrence of the risk, expressed in percentages, and impact scales reflect the level of impact on a project.
• The values within grids are multiplication values of probability and impact. These are used to provide an assessment of the severity of the risks and rank them accordingly to help the management in making an informed decision.
• For example, the Program Board may set a tolerance of 0.18 (read as zero point one eight), so all risks below this level will be managed by projects while risks above this level are escalated to the program.
• We will next discuss risk aggregation in the following section.

Risk Aggregation

Risks can be interdependent and have a cascading effect. They can grow and accumulate into a critical mass.

Following are the facts on risk aggregation:

• At the project level, a small risk can have a limited impact but if the risk is combined with other risks in adjacent projects, it can produce a significant impact at the program level. Also, in some cases, the sum of risks is smaller than the individual parts.
• Prepare a summary risk profile that provides a visual explanation of aggregations and interdependencies. When crafting a risk response, it is always useful to focus on the mitigation of the root cause so that it lessens more than one risk at once.
• To manage aggregation, the Program Manager should be aware of the level of risk impact on each operation or project. The Program Manager should have details of the cost of contingency that needs to be planned.
• Mitigation plan should be prepared to minimize the risk.
• The Program Office should play a central role in building and maintaining efficient, effective and consistent two-way flows of information between the program and its projects.

ADVANTAGES OF RISK MANAGEMENT

• Benefits of risk identification
• Benefits of risk assessment
• Treatment of risks
• Minimization of risks
• Awareness about the risks
• Successful business strategies
• Saving cost and time
• New opportunities
• Protecting resources

DISADVANTAGE OF RISK MANAGEMENT

• Complex calculations
• Unmanaged losses
• Ambiguity
• Depends on external entities
• Mitigatio
• Difficulty in implementing
• Performance
• Potential threats

Steps of Risk Management Process:

• Here are a few things that you need to take care of while dealing with the risk management process.
• Everybody who is in the planning process relating to the project should mandatorily identify and understand the risks
• Once the risks are distributed to every team member, they again need to be combined in a single sheet to avoid any duplication.
• Evaluate the impact of the risk with the help of a matrix
• You need to divide the whole team into subgroups where each group will be working on recognizing the triggers that shoot out project risks.
• Every team should come up with a plan, that can clear off all the risks identified.

Finally, plan the risk management process where you need to identify the triggers and then find a solution for it.