Programs must have a disciplined way to deal with risks. This plan, while a living document throughout the program, would normally remain somewhat static, defin-ing the processes that populate and manage the risk register, generate risk response plans, contingency plans, etc. It is prepared in the plan program risk management process in the Standard for Program Management—Second Edition (2008).
Program Risk Management Plan Instructions
The program risk management plan includes the following:
Purpose: A brief introductory statement defining the purpose of the risk man-agement plan, such as:
The risk management plan describes the process of determining how to approach, plan, and execute the program risk activities.
This plan recognizes that risks are a series of events that, if they occur, may have a positive or a negative impact on the program. At the program level, risks tend to occur from external factors or from individual components. If they are due to risks at the component level, the program management team must assess them for impact to other components or to the entire program.
The program management team must ensure that the level, type, and visibil-ity of risks are appropriate to the specific program since some programs may require greater attention to risk management than others, especially programs
128 Implementing Program Management: Templates for Success
that are new in numerous aspects to the organization, are considered com-plex, and involve new technologies and systems.
In the Standard for Program Management—Second Edition (2008), it is an output of the plan program risk management process. It is an input to the following processes:
Monitor and control program risks
Updates to the plan may result from the monitor and control program risks process.
Risk management approach: This section describes how the program manage-ment team will handle risk managemanage-ment in the program. It states the meth-odology to be followed, tools and techniques to be used, and any other data sources, such as a knowledge repository or lessons learned database, that may be helpful. It also describes whether a risk management planning meeting will be held, and if so, who will attend, and specific roles and responsibili-ties. If an organization-wide risk management approach is in place, it notes whether or not it will be followed or whether changes to it are warranted. It also describes how proposed changes will be identified and managed in order that they do not pose additional risks to the program. It notes the process for the program manager to learn of changes at the project level that may affect other projects in the program or the overall program in order that the program management team can then review these changes for possible new risks.
Program risk categories: This section describes specific categories of risks that may affect the program. Typically these categories may include external environmental risks, such as new regulations or standards or strategic issues;
program-level risks, such as ones involving program stakeholders, the gover-nance board, and how the program components are organized; project-level risks, while managed by the project manager, that may affect other compo-nents in the program; operational-level risks, such as ones that involve transi-tion of the program benefits into the overall operatransi-tions of the organizatransi-tion or to the customer or possible new systems in the organization that may affect program benefits; portfolio-related risks, since the portfolio level defines the organization’s strategic intent, which then may affect the overall priority of the program in terms of resources; and benefit-related risks, which involve the impact of risks from the component level to the overall delivery of program benefits. If a risk breakdown structure is prepared, it should be attached to this plan.
Roles and responsibilities: This section describes the roles and responsibili-ties of the program management team regarding risk management planning,
The Program Setup Phase 129
identification, analysis, response planning, monitoring, and control. It may be appropriate on certain projects to designate a member of the core team to focus on risk management at the program level and to work with the various project managers to review risks at the project level and to conduct project risk audits. This section describes how risks will be escalated from component managers to the program manager, and from the program manager, as appro-priate, to the governance board, to describe specific roles and responsibilities at each level. It also addresses roles and responsibilities for risk management of intercomponent risks and for analysis of root causes of these risks in order that an appropriate risk response can be provided.
Probability and impact matrix: This section describes definitions of probabil-ity and impact for use on the program. These definitions can be related to the program’s objectives or to the program’s expected benefits. Numeric and non-numeric approaches can be used. This matrix then serves as a table in which to show specific combinations of risk probability and risk impact that are then considered to be high, medium, or low in terms of importance to help plan appropriate risk responses. This matrix serves to help prioritize those risks that require the greatest attention from the program management team.
Risk management budget: This section describes the budget or contingency that will be set aside to focus on risk management throughout the program life cycle. It therefore provides a cost estimate for risk management at the pro-gram level to be used to determine the funding and resources required. It also describes the process to follow when it is necessary to allocate contingency reserve in order to respond to program-level risks.
Risk management schedule: Although risk management is a continual activity throughout the program, this section describes the specific risk management activities that should be included in the program’s schedule. Items such as when a program risk management planning meeting, program risk reviews or audits, and analysis of lessons learned from risk management initiatives in the program are planned are examples of activities to be part of the schedule.
Stakeholder tolerances for risk: This section describes the tolerance level of the key program stakeholders in terms of risk. The stakeholder analysis and stake-holder register can be used as this section is prepared, and interviews can be conducted with key stakeholders. The purpose is to show those stakeholders in terms of their influence on the program in generating and responding to program risk based on their tolerance for risk. It considers the culture of the organization in terms of its approach to risk management.
Risk reporting: This section describes the content and format for the program’s risk register, which will be used throughout the program for risk reporting and to assist in risk identification, analysis, response planning, and risk moni-toring and control. It also describes communication approaches to be used in the program with the various stakeholders and the governance board con-cerning risks.
130 Implementing Program Management: Templates for Success
Risk tracking: This section describes the process to track identified risks and to recognize any new risks that may affect the program. It also describes how the program’s risk management process will be audited and the frequency of the audits to be conducted. It describes the process for documenting lessons learned based on the program’s risk management activities.
Approvals: This section contains the written approval of the risk management plan by the program sponsor, program manager, program management office, members of the program board or governance board, and other stakeholders.
Program risk Management Plan Template
<Insert Program Name>
Risk Management Plan
Program name:
Program manager: PM’s email address here as a hyperlink Program sponsor:
Actual start date:
Approved end date:
Program no.:
Revision history:
Business unit:
A. PurPoSe
A brief introductory statement defining the purpose of the risk management plan, such as:
The risk management plan describes the process of determining how to approach, plan, and execute the program risk activities.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
B. rISk MAnAGeMenT APProACh
This section describes how the program management team will handle risk man-agement in the program. It states the methodology to be followed, tools and tech-niques to be used, and any other data sources that may be helpful. It also notes whether a risk management planning meeting will be held. It further describes how proposed changes will be identified and managed in order that they do not pose additional risks to the program.
The Program Setup Phase 131
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
C. ProGrAM rISk CATeGorIeS
This section describes specific categories of risks that may affect the program. If a risk breakdown structure is prepared, it should be attached to this section.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
D. roleS AnD reSPonSIBIlITIeS
This section describes the roles and responsibilities of the program management team regarding risk management planning, identification, analysis, response plan-ning, monitoring, and control. It also describes how risks will be escalated from component managers to the program manager, and from the program manager, as appropriate, to the governance board, to describe roles and responsibilities at each level. It shows roles and responsibilities for intercomponent risks and for analysis of root causes of these risks.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
e. rISk MAnAGeMenT BuDGeT
This section describes the process to be followed to prepare a risk management cost estimate that then will be used for a risk management budget or contingency throughout the program life cycle. It describes the process to follow when it is nec-essary to allocate contingency reserve in order to respond to program-level risks.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
F. rISk MAnAGeMenT SCheDule
This section describes the specific risk management activities that should be included in the program’s schedule.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
132 Implementing Program Management: Templates for Success
G. STAkeholDer TolerAnCeS For rISk
This section describes the tolerance level of the program stakeholders in terms of risk to show those stakeholders based on their level of influence on the program in generating and responding to program risk. It also considers the organization’s culture regarding risk management.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
h. rISk rePorTInG
This section describes the content and format for the program’s risk register. It also describes communication approaches to be used in the program with the various stakeholders and the governance board concerning risks.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
I. rISk TrACkInG
This section describes the process to follow to track identified risks and to rec-ognize any new risks that may affect the program. It also describes how the pro-gram’s risk management process will be audited and the frequency of the audits, as well as the process to document lessons learned based on the program’s risk management activities.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
j. APProvAlS
This section contains the approval of the risk management plan by the program sponsor, program manager, program management office, members of the pro-gram board or governance board, and other key stakeholders.
SignatureSand date approval obtained
Program manager ____________________________________
Program sponsor ____________________________________
Program management office director ____________________________________
Governance board chairperson ____________________________________
Governance board member 1 ____________________________________
The Program Setup Phase 133
Governance board member 2 ____________________________________
Governance board member N ____________________________________
Stakeholder 1 ____________________________________
Stakeholder 2 ____________________________________
Stakeholder N ____________________________________