Risk Management

What is risk management?

Risk management is all about protecting your program.

A risk is a future potential issue that will disrupt the progress and success of the program.

You own risk management across the entire program. Your primary responsibility is to drive ownership and collaboration with those best equipped to handle the risk.

Risk management can include technical risks, such as the risk of a system failure, as well as nontechnical risks, such as the risk of a delay in project delivery due to unforeseen circumstances, like employee attrition. By proactively managing risks, you can minimize the potential negative impacts of these risks on the program and keep it on track for success.

There are a few key components of effective risk management:

• Clearly defining what the risk is.

• Risk prioritization by effectively articulating the potential impact and the likelihood of it occurring.

• Identifying ownership for mitigation actions.

• Understanding the timeline of when the risk needs to be taken care of.

Note: A risk that is not taken care of through proper mitigation efforts can become an issue.

Proactive vs. reactive risk management

Reactive risk management is constantly trying to put out fires and deal with issues. It is essentially issue management. This is a hazardous way to try to manage risks. We'll talk about issue management in the next lesson.

Proactive risk management is the way we attack future risks. It properly addresses risks as future issues.

If risk management and issue management are treated the same in your program, you will experience more severe issues. Your teams will burn out, program focus will be destroyed, and the probability of on-time delivery plummets. The bad news is that you can't avoid unplanned issues. The good news is that you can significantly reduce it with some good planning and communication.

Risk management culture

Risk and issue management is a team sport, not a solo adventure.

You partner with workstream owners to drive workstream-local risk and issue management best practices. Within your program team meetings, ask about risks that your team sees on the horizon. By asking these questions, your team will begin proactively thinking about risks.

You drive the ways that the program team will identify, assess, and prioritize potential risks that may affect the program.

If you attempt to personally discover and manage all the risks associated with a program, not only will you burn out but you will likely also fail. Risk management is best achieved in collaboration with cross-functional workstream owners.

Your focus is not on creating a comprehensive risk management strategy for your entire company; your focus is on risk management for your program, in partnership with the core organization(s) or team that may own the risk management strategy for your company. For example, you may consider building relationships with some of these partners within your company (if your company is sufficiently large):

• A cyber security organization to review your solution design and inform your program team on cyber security requirements.

• A data management office for best practices around data storage, management, permissions, and privacy.

• A legal team for any other nontechnical risks that you should be aware of regarding your product or process.

Top-notch proactive risk management is when your entire program team (not just you) actively brings up potential risks on a regular basis.

Risk Management culture is built with trust within the program team. How you plan for and react to risk will shape the culture of risk management throughout all the contributing workstreams or projects.

Risk prioritization

The imagination is a wonderful thing until you ask your imagination to imagine every possible thing that could go wrong! The list can be endless.

Not all risks are created equally. Nor should they be treated equally. As the technical program manager, you need to lead the program team in prioritizing risks.

Enter the risk management matrix.