BSBPMG632 Manage Program Risk

Business, Accounting and Finance
BSBPMG632 Manage program risk
Learner Materials and Assessment Tasks

Table of Contents
About BSBPMG632 Manage program risk ......................................................................................................... 4

Identify potential, actual and residual risks ......................................................................................................... 8
Select and modify program risk methodology to match the context for risk ......................................... 15
Activity 1 ......................................................................................................................................................................28
Consult with relevant stakeholders and identify, document and analyse program level risks ...........52
Support and mentor project managers in the analysis, evaluation and treatment of risks ................56
Activity 2 ..................................................................................................................................................................... 71
Confirm risk management is transparent and dynamic across the program so that risks are
assigned and managed in a timely manner ..................................................................................................... 73
Activity 3 ..................................................................................................................................................................... 75
Develop and maintain a program risk-management system for effective management and
communication of risks, controls, treatments and outcomes to stakeholders across the program . 78
Activity 4 ..................................................................................................................................................................... 97
Direct management of the program in accordance with agreed program risk-management plans
..................................................................................................................................................................................... 102
Review progress, analyse variance and initiate risk responses to achieve program objectives in
dynamic risk environments .................................................................................................................................. 103
Activity 5 ................................................................................................................................................................... 122
Activity 6 ................................................................................................................................................................... 124
Confirm risks are monitored and assessed across the program at agreed intervals .......................... 138
Activity 7 ................................................................................................................................................................... 139
Direct response to actuated program risk and confirm remedial actions are authorised with impact
analysis according to program objectives ...................................................................................................... 147
Activity 8 .................................................................................................................................................................... 151
Identify and document program residual risk and communicate to stakeholders any transferred
liability at program completion .......................................................................................................................... 153
Review and analyse program outcomes to assess the effectiveness of the risk-management
methodology ........................................................................................................................................................... 157
Activity 9 ................................................................................................................................................................... 163
Seek feedback and respond to relevant stakeholders on risk management ........................................ 165
Activity 10.................................................................................................................................................................. 168
Analyse, document and recommend lessons learned for application in other programs ................ 170
Activity 11 .................................................................................................................................................................. 172
Activity 12.................................................................................................................................................................. 179
ASSESSMENT........................................................................................................................................................... 182
2|Page
Assessment Outcome record ............................................................................................................................ 220
3|Page
About BSBPMG632 Manage program risk
Application
This unit describes the skills and knowledge required to manage risks that might affect program
deliverables and organisational objectives. It covers directing the planning and management of
program risks, managing risks to the overall program and assessing risk management outcomes
for the program and the organisation.
The unit applies to individuals who are program managers, managing or directing a suite of
projects (a program) and/or senior project managers.
No licensing, legislative or certification requirements apply to this unit at the time of publication.
Unit Sector
Business Competence – Project Management
Elements and Performance Criteria

ELEMENT PERFORMANCE CRITERIA
Elements describe the Performance criteria describe the performance needed to
essential outcomes. demonstrate achievement of the element.
1. Direct planning of 1.1 Identify potential, actual and residual risks
program risk
management 1.2 Select and modify program risk methodology to match the
context for risk
1.3 Consult with relevant stakeholders and identify, document and

analyse program level risks
1.3 Support and mentor project managers in the analysis, evaluation

and treatment of risks
1.4 Confirm risk management is transparent and dynamic across the

program so that risks are assigned and managed in a timely
manner
1.5 Develop and maintain a program risk-management system for

effective management and communication of risks, controls,
treatments and outcomes to stakeholders across the program
2. Manage program risk 2.1 Direct management of the program in accordance with agreed
program risk-management plans
2.2 Review progress, analyse variance and initiate risk responses to

achieve program objectives in dynamic risk environments
4|Page
2.3 Confirm risks are monitored and assessed across the program
at agreed intervals
2.4 Direct response to actuated program risk and confirm remedial

actions are authorised with impact analysis according to program
objectives
3. Assess program risk- 3.1 Identify and document program residual risk and communicate
management outcomes to stakeholders any transferred liability at program completion
3.2 Review and analyse program outcomes to assess the

effectiveness of the risk-management methodology
3.3 Seek feedback and respond to relevant stakeholders on risk

management
3.4 Analyse, document and recommend lessons learned for

application in other programs
Foundation Skills
This section describes language, literacy, numeracy and employment skills incorporated in the
performance criteria that are required for competent performance.
SKILL DESCRIPTION
Reading • Applies appropriate strategies to construct meaning from complex
texts
Writing • Documents results of consultations clearly and accurately to inform

risk-management planning
• Documents risk-management outcomes using format and
terminology appropriate to the audience
Oral • Participates in verbal exchanges using clear and detailed language

Communication and appropriate features, to provide relevant information
• Uses active listening and questioning techniques to confirm
understanding
Teamwork • Identifies requirements of important communication exchanges,

selecting appropriate channels, format and content to suit purpose
and audience
Planning and • Develops systems and plans for complex, high impact activities that
organising involve a diverse range of stakeholders with potentially competing
demands
• Sequences and schedules complex activities, monitors
implementation, and adjusts activities or resources as required
5|Page
• Reviews outcomes considering results from a range of perspectives
and identifying key concepts and principles that may be adaptable
to future situations
Unit Mapping Information
Supersedes and is equivalent to BSBPMG616 Manage program risk.
Assessment requirements
Modification History
Release Comments
Release 1 This version first released with BSB Business Services Training
Package Version 7.0.
Performance Evidence
The candidate must demonstrate the ability to complete the tasks outlined in the elements,
performance criteria and foundation skills of this unit, including evidence of the ability to:
• manage program risk on at least one occasion.
In the course of above, the candidate must:
• direct the planning of program risk management, including:
• assessing and selecting risk methods to suit risk context

• directing identification, documentation and analysis of risks as basis for planning
• directing, supporting and mentoring project managers in analysing, evaluation and
treatment of risks
• confirming risk management is transparent and timely
• developing and maintaining a risk management system across the program
• manage program risk, including:
• managing the program

• reviewing progress, analysing variance and initiating risk responses
• confirming risks are assigned and monitored across the program at agreed intervals
• assessing issues are for impact and remedial actions
• assess project and program risk-management outcomes, including:
• identifying and documenting residual risk

• reviewing and analysing program risk outcomes
• documenting, analysing and recommending lessons learned
6|Page
• respond to risk within complex programs that are subject to unpredictable contextual
pressures.
Knowledge Evidence
The candidate must be able to demonstrate knowledge to complete the tasks outlined in the
elements, performance criteria and foundation skills of this unit, including knowledge of:
• the use of risk management tools, frameworks, systems, methodologies and standards
• the use of a dynamic risk register across a program.
7|Page
Identify potential, actual and residual risks
Successful program managers have a common trait – they identify and manage risks. Let's look at
seven tools and techniques to identify program risks1.
Often program managers start with a splash. They get their teams together, identify lots of risks,
and enter them into an Excel spreadsheet. However, the risks are never discussed again.
What's the result? Risks are not identified and managed. Threats morph into costly issues. And, the
teams miss golden opportunities. Furthermore, project teams fail to achieve the project objectives.
When to Identify Risks
The risk exposure is greatest at the beginning of programs. The uncertainty is high because there
is less information in the beginning of projects. Wise program managers start identifying risks early
in their projects. Additionally, capture your top risks in your project charter.
Want to know how to improve your risk identification? Identify risks:
• Early in the program

• In an iterative manner
• On a consistent frequency such as weekly
• When change control is performed
• When major milestones are reached
For agile projects, here are some additional times for identifying risks:
• Sprint planning
• Release planning
• Daily standup meetings
• Prior to each sprint
Ways to Identify Program Risks
There are numerous ways to identify risks. program managers may want to use a combination of
these techniques. For example, the program team may review a checklist in one of their weekly
meetings and review assumptions in a subsequent meeting. Here are seven of my favourite risk
identification techniques:
1. Interviews. Select key stakeholders. Plan the interviews. Define specific questions.
Document the results of the interview.
2. Brainstorming. Plan your brainstorming questions in advance. Here are questions I like to
use:
1
Source: Project Risk Coach, as at https://projectriskcoach.com/7-ways-to-identify-risks/, as on 17th February,
2021.
8|Page
o Program objectives. What are the most significant risks related to [program
objective where the objective may be schedule, budget, quality, or scope]?
o Program tasks. What are the most significant risks related to [tasks such as
requirements, coding, testing, training, implementation]?
3. Checklists. See if your company has a list of the most common risks. If not, you may want
to create such a list. After each program, conduct a post review where you capture the
most significant risks. This list may be used for subsequent programs. Warning – checklists
are great, but no checklist contains all the risks.
4. Assumption Analysis. The Project Management Body of Knowledge (PMBOK) defines an
assumption as “factors that are considered to be true, real, or certain without proof or
demonstration.” Assumptions are sources of risks. Project managers should ask
stakeholders, “What assumptions do you have concerning this project?” Furthermore,
document these assumptions and associated risks.
5. Cause and Effect Diagrams. Cause and Effect diagrams are powerful. Program managers
can use this simple method to help identify causes--facts that give rise to risks. And if we
address the causes, we can reduce or eliminate the risks.
6. Nominal Group Technique (NGT). Many program managers are not familiar with the NGT
technique. It is brainstorming on steroids. Input is collected and prioritized. The output of
NGT is a prioritized list of risks.
7. Affinity Diagram. This technique is a fun, creative, and beneficial exercise. Participants are
asked to brainstorm risks. I ask participants to write each risk on a sticky note. Then
participants sort the risks into groups or categories. Lastly, each group is given a title.
Variety is the spice of life. One sure way to have an unengaged team is to use the same risk
identification technique repeatedly. Additionally, mixing it up occasionally will help your team think
in new ways and improve the identification process.
Write Clear Risk Statements
As you identify risks, you will need to write and capture risk statements in your risk register. One
simple and powerful way to do this is to use the If-Then Risk Statements. The metalanguage is: If
[Event], Then [Consequences]. For example: If the electrical system is not installed per the
specifications, then there may be additional cost and an adverse impact to the schedule.
Risks are anything that can potentially disrupt your project or your team. Since every project is
unique, no two projects are likely to have the same risks2.
It’s up to managers and their teams to identify risks, prioritize their impact, and create
mitigation plans where appropriate in case those risks become real issues. But it’s important
that you also have to understand what is meant by the word analyze in reference to project risk
management.
2
Source: Project Manager, as at https://www.projectmanager.com/training/how-to-analyze-risks-project, as
on 17th February, 2021.
9|Page
Risk Analysis vs. Risk Identification vs. Risk Management
People frequently confuse risk analysis with risk identification and risk management. Let’s clear
that up before we continue.
What Is Risk Analysis?
Risk analysis is the process that figures out how likely that a risk will arise in a project. It studies
uncertainty and how it would impact the project in terms of schedule, quality and costs if in fact
it was to show up. Two ways to analyze risk is quantitative and qualitative. But it’s important to
know that risk analysis is not an exact science, it’s more like an art.
What Is Risk Identification?
Risk identification is also a process, but in this case it lists all the potential project risk and what
their characteristics would be. If this sounds like a risk register, that’s because your findings are
collected there. This information will then be used for your risk analysis. Though this process
starts at the beginning of the project, it’s an iterative process and continues throughout the
project life cycle.
What Is Risk Management?
Finally, risk management is the overall process that project managers use to minimize and
manage risk. It includes risk identification, risk assessment, risk response development and risk
response control.
Benefits of Risk Analysis
To understand risk analysis, note the importance of examining risk in methodical detail. Why?
There are several reasons.
• Avoid potential litigation

• Address regulatory issues
• Comply with new legislation
• Reduce exposure
• Minimize impact
Project managers who have some experience with risk management in projects are a great
resource. We culled some advice from them, such as:
• There’s no lack of information on risk

• Much of that information is complex
• Most industries have best practices
• Many companies have framework
• Risk analysis is done in extremes
How to Evaluate Project Risk
10 | P a g e
The process of evaluating project risk begins in the planning stages, but it must continue
through every stage of the project. But to dig deeper, you need to perform both qualitative and
quantitative risk analysis.
Qualitative Risk Analysis
Qualitative risk analysis is the process of prioritizing risks for further analysis or action. You do
this by determining each risk’s likelihood or probability of occurring, as well as rating its impact
on the project.
The scale used is commonly ranked from zero to one. That is, if the likelihood of the risk
happening in your project is .5, then there is a 50 percent chance it will occur. There is also an
impact scale, which is measured from one to fine, with five being the most impact on the
project. The risk will then be categorized as either source- or effect-based.
Qualitative risk analysis is beneficial because not only do you reduce uncertainty in the project,
but you also focus mostly on high-impact risks, for which you can plan out appropriate
mitigation responses.
Quantitative Risk Analysis
By contrast, quantitative risk analysis is a statistical analysis of the effect of those identified risks
on the overall project. This helps team leaders to make decisions with reduced uncertainty, and
supports the process of controlling risks.
Quantitative risk counts the possible outcomes for the project and figures out the probability of
still meeting project objectives. This helps with decision-making, especially when there is
uncertainty, and creates cost, schedule or scope targets that are realistic.
Determining Impact
Through qualitative and quantitative risk analysis, you can define the potential risks by
determining impacts to the following aspects of your project:
• Activity resource estimates

• Activity duration estimates
• Schedule
• Cost estimates
• Budget
• Quality
• Procurements
11 | P a g e
Risk Identification Mistakes
Think about it. Ninety percent of all risks can be eliminated or greatly reduced through basic risk
management.
Take note of these risk identification mistakes:
1. The failure to recognize risks early when it is less expensive to address.

2. Not identifying risks in an iterative fashion.
3. Risks are not identified with appropriate stakeholders.
4. Not using a combination of risk identification techniques.
5. Risks are not captured in one location.
6. The failure to make the risks visible and easily accessible.
7. Risks are not captured in a consistent format (e.g., Cause -> Risk -> Impact).
Which types of risks exist?3
In addition to the main risk inherent in any project, positive or negative, individual activities may
involve secondary and residual risks.
Let’s take a look at secondary and residual risks and their definitions.
Secondary risks
The PMBOK Guide defines secondary risks as “those risks that arise as a direct result of
implementing a risk response to a specific risk”.
In other words, when you identify a risk, you have a response plan that can deal with that risk.
Once this plan is implemented, the new risk that could arise from the implementation represents a
secondary risk.
For example, the project manager for a construction project might know, from past experiences,
that one of the main risks is that the sand supplier will not be able to deliver the goods in time. In
the risk management plan created, the project manager will therefore already have taken this risk
into account. The action he takes if this happens could be to get the sand from a different
supplier. However, a potential risk that the project manager may encounter in this case, is that
there may be differences in the sand provided by the former compared to that provided by the
second supplier, which would be a secondary risk.
3
Source: TW Project, as at https://twproject.com/blog/residual-secondary-risks-deal/, as on 17th February,
2021.
12 | P a g e
Residual risks
Residual risks are the remaining risks, ie the minor risks that remain.
The PMBOK Guide defines residual risks as “those risks that are expected to remain after
implementing the planned risk response, as well as those that are deliberately accepted”.
What is residual risk?4
According to ISO 27001, residual risk is “the risk remaining after risk treatment”.
Here is how it works: first you have to identify the risks, and then you need to mitigate the risks
4
Source: 27001 Academy, as at https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-
important/, as on 17th February, 2021.
13 | P a g e
you find unacceptable (i.e. treat them). Once you treat the risks, you won’t completely eliminate
all the risks because it is simply not possible – therefore, some risks will remain at a certain level,
and this is what residual risks are. The point is, the organization needs to know exactly whether
the planned treatment is enough or not.
Residual risks are usually assessed in the same way as you perform the initial risk assessment –
you use the same methodology, the same assessment scales, etc. What is different is that you
need to take into account the influence of controls (and other mitigation methods), so the
likelihood of an incident is usually decreased and sometimes even the impact is smaller.
Residual risks are acceptable for the organization’s level of risk tolerance or, in some cases, a
residual risk does not have a reasonable response.
Project managers therefore simply accept them as they are. If they must occur, they will occur,
and there is not much they can do about it.
These risks are identified during the planning process and an emergency reserve is set up in order
to manage risks like these.
Although residual risks are not particularly worrying, organizations cannot completely ignore them
and should address them through:
• Identification of relevant governance, risk, and compliance requirements.

• Recognition of existing risks.
• Determination of the strengths and weaknesses of the organization’s control framework.
• Planning for appropriate contingencies.
For example, you could identify a risk in the possible rainy weather forecasted during an event
lasting an hour or two, where this weather condition could interrupt some of the scheduled
meetings. To manage this risk, the other meetings will be scheduled with a buffer of a couple of
hours. In this way, even if it rains for two hours, the other plans will not be interrupted or
postponed.
This, however, does not eliminate the risk that the program needs changes. Simply reduces it.
What is the difference between secondary and residual risks?
• Secondary risks are those that occur as a direct result of implementing a risk response. On
the other hand, it is expected that the residual risks will remain after the expected risk
response.
• The emergency plan is used to manage primary or secondary risks. The backup plan is
used to manage residual risks. Note that if an identified risk occurs, the emergency plan is
implemented and, if it becomes ineffective, the reserve plan is implemented.
• If residual risks and secondary risks do not require a response plan, they will be monitored
as they occur.
Example of a situation that contains both risks
14 | P a g e
Take for example a future project manager who is studying for one of the exams to obtain the
official PM certification.
When the future PM plans the study program for the exam, the main risks that can affect it are:
• suddenly he will commit himself full time to a new project that will not leave enough time
to study
• He will get sick during the exam preparation
An activity to respond to the first risk – not find enough time for the study due to the professional
commitment – would be to start the preparation for the exam in a low working season, taking into
consideration the work model of previous years.
The residual risk for this risk response would be that an unexpected large-scale project would
present itself during the preparation for the exam. In that case, it may be necessary to postpone
the exam, so as to find enough time to study in the future. This could be connected with an extra
cost that can be covered thanks to the contingency reserve.
In the second case, the risk response activity to avoid getting sick during the exam preparation,
would consist in doing the vaccination for five of the most common contagious diseases at the
time of the preparation for the exam.
The secondary risk of this risk response would be that the vaccines themselves can cause side
effects or even cause infections.
Risk management is an integral part of project management. It includes the identification, analysis,
and monitoring of all these types of risks.
Understanding how to identify and manage risks is part of everyone’s life, even in the life of a
project manager.
It is important that all types of risks are identified, analyzed, monitored, and cared for during the
entire project.
For a project manager, learning to distinguish and plan for different types of risks will be a
valuable aid to manage resources, time, and guide the project to success more efficiently.
Select and modify program risk methodology to match the context for risk
It would come as no surprise that the first recommendation when planning and controlling a
Program of work is that standards be adopted. A standard approach to scheduling, standard use
of fields, consistent use of Issues and Risk logs, standard reports and reporting cycles are all
necessary. Standards aren’t popular with some Project Managers but can save Program Managers
15 | P a g e
from a great deal of pain when trying to consolidate and integrate plans and reports across the
Projects associated with their Program5.
The approach to scheduling is perhaps the most difficult to achieve, particularly when advanced
updating techniques and float calculation may not be well understood by some.
Definition6
Risk management is a process that allows individual risk events and overall risk to be
understood and managed proactively, optimising success by minimising threats and maximising
opportunities.
General
All projects, programs and portfolios are inherently risky because they are unique, constrained,
based on assumptions, performed by people and subject to external influences. Risks can affect
the achievement of objectives either positively or negatively. Risk includes both opportunities
and threats, and both should be managed through the risk management process.
Risk is defined at two levels for projects, programs and portfolios. At the detailed level, an
individual risk is defined as ‘an uncertain event or set of circumstances that, should it occur, will
have an effect on achievement of one or more objectives’. In addition, at the higher level of the
project, program or portfolio, overall risk is defined as ‘exposure of stakeholders to the
consequences of variation in outcome’ arising from an accumulation of individual risks together
with other sources of uncertainty.
The high-level process, as illustrated in figure 3.12 starts with an initiation step that defines the
scope and objectives of risk management. A key output from the initiation step is the risk
management plan, which details how risk will be managed throughout the life cycle.
Figure 3.12: Risk management process
Risks are then identified and documented in the risk register. The relative significance of
identified risks is assessed using qualitative techniques to enable them to be prioritised for
further attention. Quantitative risk analysis may also be used to determine the combined effect
of risks on objectives.
5
Source: Core Consulting, as at http://coreconsulting.com.au/wp-content/uploads/2015/06/Program-
Management-fundamentals-Risk-and-Interdependencies.pdf, as on 27th March, 2017.
6
Source: Association for Project Management, as at https://www.apm.org.uk/body-of-
knowledge/delivery/risk-management/, as on 17th February, 2021.
16 | P a g e
The process continues with risk response planning, aiming to avoid, reduce, transfer or accept
threats as well as exploit, enhance, share or reject opportunities, with contingency (time, cost,
resources and course of action) for risks which cannot be managed proactively. The final step is
the implementation of agreed responses.
The whole process is iterative. For example, assessment or response planning can lead to the
identification of further risks; planning and implementing responses can trigger a need for
further analysis, and so on.
It is also important to identify and manage behavioural influences on the risk process, both
individual and group, since these can have a significant impact on risk management
effectiveness.
Risk management at project, program or portfolio level must not be conducted in isolation and
must interface with the organisation. Risks at project level may need escalation to program and
portfolio. Risks can also be delegated from higher levels to lower levels.
In addition, P3 risk management must contribute, as appropriate, to both business risk

assessments and organisational governance requirements. The P3 manager must be aware of
risks that have an effect outside their scope of responsibility, e.g. those that could affect the
organisation’s reputation.
The management of general health and safety risks is usually excluded from P3 risk
management, as the management of these risks is traditionally handled by a separate function
within the organisation.
Project
Risk management at project level is most often focused on individual risks that, should they
occur, will affect the project’s objectives. It is, however, also important for the project manager
to understand the overall risk exposure of the project, so that this can be reported to the
project sponsor and other stakeholders.
Risk management must be closely aligned to schedule management. Cost, time and resource
estimates should always take risks into account.
The project manager is accountable for ensuring that risk management takes place. Depending
on the size and complexity of the project, a specialist risk manager may be appointed to
oversee and facilitate the risk management process.
Program
The program will establish a common framework and standards for risk management across the
program. This will enable comparison of risk, reduce the time taken to initiate management
processes at project level, and help identify interdependencies between risks across the
program. The common framework will be set out in the program risk management plan.
17 | P a g e
Program risk management is made up of two distinct areas of focus:
• project risk escalation and aggregation;

• wider business risk and risks to benefit achievement.
Program risk management addresses any individual risks at project level that, if realised, will
have a wider impact. Project risks that cannot be effectively managed within projects and within
contingency are escalated to the program for attention and/or action. In addition, related or
common risks within individual projects may combine or aggregate to have an effect at
program level, in which case they also need to be escalated.
Program risk management also considers any risks delegated from the portfolio or strategic
level, as well as risks arising directly at the level of the program itself. Program risks are likely to
focus on prioritisation of program components, allocation of resources, interfaces and
interactions between program components, the ability to deliver change management activities
within the program, and cumulative risks arising from the combined impact of the project risks.
Portfolio
Risks at portfolio level are often of such scale that they may have significant impact on the
ability of the organisation to operate. Portfolio risk management will focus on two areas:
• risks escalated from projects or programs and from areas of day-to-day business;
• risks that impact upon the objectives of the portfolio and the host organisation.
Project and program risks that cannot be effectively managed at their originating level may be
escalated to the portfolio for responses unavailable at project or program level.
The portfolio will establish common frameworks and standards for risk management, which will
be cascaded to projects and programs to ensure a common approach and reporting structure.
This enables effective comparison of risk, reduces the time taken in initiating risk management
processes, and assists with identification of potential conflict in selected responses across the
portfolio.
The consideration of risk efficiency is of particular importance to portfolio risk management. The
principles of risk efficiency have been established in financial portfolios for many years. They are
equally relevant to portfolios of projects and programs. Ensuring that the portfolio does not
expose an organisation to too much risk and is efficient is an important function in the ‘balance’
phase of the portfolio life cycle.
Focus on Interdependencies
Assuming the scheduling standards are adhered to, one would assume that a Program simply
needs a very large schedule. Project Managers who move into Program Management soon find
18 | P a g e
that is not the case. Try making sense of, and keeping up to date, several thousand tasks across
multiple schedule files, it soon becomes overwhelming.
One way to manage a large Program of work is to use a Master and Sub Project structure,
delegating responsibility for creation and maintenance of Sub Projects to Project Managers
(and/or their schedule support staff). Focus everybody on interdependencies between sub
projects and ensure the producer of the outgoing dependency has ownership of the product and
the consequences of any delay.
The interdependencies can be identified very early in the planning process, well before a detailed
schedule exists. The following steps may help:
1. Interdependencies are often associated with deliverables. Interdependencies should be

represented as Milestones, particularly in the recipient schedule.
2. Clearly define the expected state of the dependency (eg draft, final, signed off) to ensure there
is no misunderstanding
3. The producer and recipient need to formalise the agreement, there must be a personal
commitment involved
4. Once agreed, change must be controlled (eg deletion, descriptions, Baseline date)
5. Uniquely identify the outgoing dependency in the incoming file (difficult with MS Project, but
there are work arounds), this will help with electronic data exchange
6. Consider whether to actually link via inter project linking, whether to just pass through forecast
(perhaps into another field) or rely on manual updating
7. Include Interdependency dates in reporting, focus on any shifts in forecasts since the previous
report
19 | P a g e
Shown below is an example of how a schedule might show dependency forecasts on an incoming
dependency and leave the rescheduling decision up to the Project Manager. Note the Project
Manager has identified the item in the producer’s schedule.
There are several implications of a focus on dependencies when managing schedules which will
need to be considered:
• The tendency for dates to continually drift unless Project Managers are made accountable
to the affect of delay on recipients
• Time needed within reporting cycles for corrective action planning
• The complexity of whole of Program critical path analysis
Include the Resource dependencies
What is often more difficult to model in schedules is resource dependency. Whether the resources
are unique but shared resources, generic resources or specific infrastructure (such as a test
environment) modelling a resource dependency can be difficult.
In Project scheduling, concepts such as the Critical Chain Method were developed to formalise
resource dependencies within a Project Schedule. Applying such a method across a Program
would prove extremely complex and would be unlikely to provide the desired outcome. A better
approach would be to model just the key resource dependencies, making them obvious through
the use of Milestones and interdependencies as outlined above. Descriptions should be very clear
and agreement from the Resource manager sought.
Allocating resources in schedules can provide much value if done in a standard way by people
who know how to drive the scheduling tools. Consistent rules (eg Fixed Duration, Effort driven off
for those who use MS Project) are needed along with accurate effort based % resource allocation.
By tying all schedules to a common resource pool, the overall utilisation and achievability of the
program can be determined. Such an assessment may then lead to the need to prioritise or
supplement resources.
Actual effort tracking in scheduling tools still remains complex and tedious, rarely worth the
scheduling effort. Resourced schedules can however assist in the Estimate to Complete and hence
financial reporting when combined with Timesheet data. Resource models need to align to both
the schedule as well as the timesheet and cost control systems, another area of complexity.
Adopt a Program view of Issues, Risk and Change
20 | P a g e
On first glance, managing Program Issues, Risk and Change would appear to be similar to the
approach used when managing a Project. The Program must consistently use common control
tools, assessment criteria and metrics for tracking Issues and Risks similar to those used on a
Project. The subtlety comes in the overall context, especially the assessment of impact.
The following diagram shows the interrelationship between Program, Project, Operational and
Strategic risks.
While a delay may appear to be high impact to the Project Manager, to the business as a whole
the delay may not be such a large problem. Conversely a relatively small delay, in the Project
Managers opinion, may have a significant affect on the business. The Program Manager must
have the strategic view, especially judging impact based on the Business benefits the Program
needs to deliver. Program Risk management will be more affected by organisational risk
procedures and risk tolerance than individual projects, most likely with the involvement of
corporate Risk and audit people.
The key to Program Risk management is to centralise but separate the Project and Program risks.
An escalation process will need to exist so that a Project level risk can be escalated to the Program
level. Program level risk response plans need to be able to be allocated back to the projects and
tracked accordingly. Any common Project risks need to be able to be summarised and
represented at the Program level.
Issue Management would also appear similar. The difference comes in the volume of Issues, and
because of the immediate nature of dealing with them, the need to prioritise. Issues and Change
are often closely aligned since change of scope or plans are often part of the response plan for an
Issue. Change must be managed from a Program rather than Project perspective, with a focus on
impact to Benefits delivery.
Remember the Risk and Contingency budgets
When considering risk within a Program, one often misunderstood area is the level of
Contingency and how that Contingency should be shown. Program Managers may distribute the
financial contingency reserves or centralise them across the Program. When centralised, the
21 | P a g e
process for requesting and distributing needs to be carefully thought through. The representation
of schedule contingency is also complex, once again standards and a defined process will help.
Options for contingency may include one or more of:
• Holding contingency outside Program Manager’s control (usually controlled by the

Sponsor)
• Creating a centralised risk/contingency budget, estimated based on the Risk response plan
costs and allowance for impact of unknowns, controlled by the Program Manager (but
perhaps authorised by the Steering Committee)
• Creating within each Project a risk/contingency budget, controlled by the Project Manager
(but perhaps authorised by the Program Manager)
• Burying a level of contingency within detailed plans
Management culture will impact the treatment of risk and contingency budgets, particularly where
the contingency is mistakenly perceived as “fat” rather than factored in budget which will be used.
Program Managers will often need to educate senior management and the Steering Committee
on managing risk and contingency budgets.
Developing an open and honest culture, where Risks and Issues can be raised without fear, is
important. Program Managers provide the leadership role to the Project Management team and
are the link to senior management and business strategy. Success of a program is more often
than not aligned to achieving the benefits, benefits to outcomes, outcomes to deliverables,
deliverables to projects. Projects are managed by Project Managers who are part of the Program
Manager’s team. The team exists to deliver the Program, not a series of disconnected deliverables.
Teamwork includes working together in a consistent way, following a standard approach.
So managing a program is not the same as managing a project, it needs a different approach and
a great deal of experience.
What is the project risk management process?7
The project risk management process is well known. With initiate the project, identify the risks,
asses the risks, plan risk reduction measures, implement the responses. These processes apply to
the different levels of an organisation project, program and portfolio, it is just the ways of
application that are different.
Differences in impact?
The main difference is the level of the impact.
7
Source: Project Accelerator, as at http://www.projectaccelerator.co.uk/what-is-the-difference-between-
project-program-and-portfolio-risk-management/, as on 27th March, 2017.
22 | P a g e
In a Project Management environment the impact being considered is the impact on the project
success criteria, typical time, cost and quality but also issues such as quality and safety. These are
quite tactical project objectives.
In a Program risks will have an impact on the program benefits. Will the organisation receive the
benefits from the completion of the projects in the program. Typically this will include the user
application of the system or the increased sales of a service.
In a Portfolio the risks are associated with the future health and growth of the organisation. Risks
at a portfolio level include things such as the lack of competitiveness or innovation within the
organisation or increased competition in particular markets.
The basic risk process is the same at each level, but the way it is applied is different for each level.
For example a brainstorming workshop might be appropriate for a small project team however for
senior directors a series of face-to-face meetings followed by a board presentation may the more
appropriate and cost effective.
How is risk management best achieved?8
Risk management is best achieved through a systems approach rather than a silo approach. The
reason for this is that risks do not respect organisational boundaries.
Ideally there needs to be an organisation level policy and process guide for risk management,
then for each program and project organisation you can if necessary have a risk strategy that is
tailored, while at the same time being aligned with the company/corporate risk management
approach.
The illustration below will show the different perspectives from which risk management should be
addressed. Each perspective has a different but complimentary set of objectives. By understanding
the objectives of each perspective individuals and teams will be able to focus on managing risk in
8
Source: Don Lowe, as at http://www.donlowe.org/risk-management/, as on 27th March, 2017.
23 | P a g e
a structured and effective way.
Use a common process
The illustration below represents a simple process that can be used across the organization for
identifying and managing risk.
24 | P a g e
By following a simple process as illustrated here you will have a tremendous impact on reducing
the threats to projects and maximising the possibilities of exploiting opportunities.
Communication is central to identifying new risks, and changes in existing risks. Effective risk
management is dependent on participation, and participation in turn is dependent on
communication.
Effective risk management will contribute to improving the realisation of strategic, program,
project and operational objectives through:
• Reducing the number of surprises

• More efficient use of resources
• Reduced waste
• More focus on doing the right things properly
By having a systems approach to risk management it easier to escalate or delegate risks and
manage risks more effectively.
As a rule of thumb manage the risk from where it will have an impact. If the risk will have an
impact outside the project but within a program then the ownership of the risk will be at the
program level, it may well be that the risk actionee (the person who is delegated to take care of
the risk) is in the project team, so the risk owner and risk actionee must collaborate to ensure that
agreed actions are taken to manage the risk.
Objectively measure if your risk management is working
25 | P a g e
It is important that you have a well thought through set of performance indicators to determine if
your risk management process is effective and working. Having risk management policies,
processes and strategies does not mean that you have effective risk management. You also need
an effective measurement process to prove your risk management is working.
Risk management from the project perspective:
The primary objective of a project is the output in the form of a product or service that will give
the organisation the capability to achieve the desired outcomes and realise benefits.
The following objectives can be used to identify risks to the project.

Cost: (Deliver the project within the budgeted cost.)
Time: (Deliver the project within the budgeted time.)
Scope: (Deliver the project output with the required features so that we have the right capability.)
Quality: (Deliver the project with the quality mentioned in the project and product definition.)
Benefit: (Ensure that at the end of the project it is still feasible to realise the targeted benefits.)
Team work: (Have a well-functioning team, as a dysfunctional team will result in not achieving the
above performance variables.)
Who should work with risk management at the project level?

Everyone who is involved in the project organisation. When necessary the project manager will
raise risks to the program or portfolio level.
Risk management is a theme throughout the project lifecycle. Everything you do has an impact on
risk management. If you tailor the project processes and do everything correctly you minimise the
possibilities of uncertain events occurring.
Risk management from the program perspective
At the program level you will want to be aware of and take ownership of risks that will have an
impact across the projects within the program. These risks are likely to affect the capability of the
organisation and the realisation of benefits that the program was set up to realise.
Who should work with risk management at the program level?

Those who are in the program board such as the program executive or senior responsible owner,
the program manager, business change manager and personal in the program office. The
program manager can raise risks to the program sponsoring group or the portfolio if the risk(s)
will have a strategic impact.
Risk management from the portfolio or strategic perspective
At this level risks that impact on the organisations objectives and critical success factors should be
managed and monitored. We are talking about risks that impact on the organisations reputation,
financial security, capability to continue supplying a relevant service or product to the market.
26 | P a g e
Who should work with risk management at the portfolio or strategic level?
At this level the portfolio manager will monitor risks on a day-to-day basis. The CEO, CFO, COO
and other senior managers should be activly involved in risk management.
Examples how this model of Lean & Agile Project Management works with risk management.
The following examples will illustrate how this project management model has evolved to mitigate
threats and exploit opportunities.
Risk: The product owner does not know exactly what output will be most suitable to achieve the
business objectives.
The business case description highlights the business strategy that should be fulfilled and the
outcomes and benefits that will be achieved as a result of the project delivering the most
appropriate output.
The Product Based Planning structure combined with Rolling Wave Planning enables the product
owner to create a high level Project Product Description and then progressively build up the detail
through Component Product Descriptions and User Scenarios & Acceptance Tests. Each of these
documents will specify quality expectations and acceptance criteria at the appropriate level of
detail.
These processes reduce the risk of scope creep, time wastage and poor quality. At the same time
we optimise the opportunity of learning from experience and exploiting new knowledge to
develop an improved project product.
Risk: The product owner will not sign off on the final product.
The practice of allocating work in the form of work packages made up of User Scenarios &
Acceptance Tests and time-boxing the development of each work package to a period between 1
and 4 weeks ensures that the product owner or a representative with the project manager must
review the work packages and validate that change requests as well as deliverables meet the
documented acceptance criteria. They also need to verify the work package deliverables include
all the expected (documented) functionality.
The compounded result of signing off on each work package makes it easier to pin point and
resolve any valid discrepancies related to signing off on the project, thus reducing the chance of
the final project product not being accepted.
Risks:
The project will not deliver an acceptable working product within agreed time tolerances.
Re-prioritisation of projects will result in some project outputs not being usable and the time spent
working on those projects does not contribute to achieving the business goal.
By using the Product Breakdown Structure to focus on defining the Component Products, we are
then able to determine what combination of Component Products and Features using MoSCoW
prioritisation and flow/network diagrams that can be built up iteratively to deliver the most
business value as early as possible.
This gives us the possibility to exploit various opportunities;

• Deliver a good enough output that has business value early on so that users can test the output
and give feedback on improvements.
27 | P a g e
• Deliver a good enough output that has business value early on so that when business interests
favour a change in plan we can close the first project, yet still deliver business value by use the
limited edition output. Start and deliver the second project the re-start the first project and deliver
the fully specified output. This lets us change project prioritisation based on business value while
at the same time maximising the value of the work done.
• Increase revenue generation or reduce operating expenses due to the benefits derived from the
limited editions of working project outputs.
We avoid the following threats.

• A situation where projects are constantly being started and unacceptable amount of work is
always in progress, but there is no output that can deliver business value.
• The business going bust because it cannot take payment for uncompleted work.
Risk: Late delivery of project products and cost overruns.
Critical Chain scheduling of prioritised activities and work packages enables the identification of
the chain of activities that is a constraint on delivering the project in a shortest time frame. By
identifying the critical chain you can verify that all activities in the chain are absolutely necessary.
By using the concept of feed buffers and a project buffer to place the time related safety factor at
the end of each chain of activities (or US&ATs) we remove time wastage related to Parkinson’s
Law and Student Syndrome. Once this is done you ensure that the cost budget is in line with the
work that needs to be done before starting the work.
The result of the above practices optimises the opportunity of delivering the project product
within time and budget tolerances.
Risk: Not all stakeholders understand what is required or expected.

We handle this scenario from two angles.
The principle of “Defined Roles & Responsibilities” is followed and we have documented roles and
responsibilities that are suitable for each project. At a minimum every person in the project will
know which role is responsible for carrying out specific activities.
The use of templates (Management products) enables a consistent presentation of information

and distinguishes management products. This means that those responsible for creating the
management products can ensure they do not miss out important sections and stakeholders can
quickly learn where to look for information. This reduces the threats from poor information
distribution. It also reduces time wastage thus improving time management.
Sample for individual risk register
The “Defined Roles & Responsibilities” when implemented correctly will improve organisational
structure leading to improved time management as individuals will be able to focus on work
within their area of responsibility.
The templates will improve communication, quality assurance and quality control.
28 | P a g e
Activity 1
How does risk management differ in a project and program?
29 | P a g e
Activity 1
30 | P a g e
Activity 1
Risk Management Process Overview9
Outline
In Broadleaf we normally advocate an approach to managing risk that is based on ISO

31000:2009. The process is depicted in outline below.
9
Source: Broadleaf, as at http://broadleaf.com.au/resource-material/risk-assessment-and-risk-treatment/, as
on 17th February, 2021.
31 | P a g e
The risk management process
Continuous process elements
Communication and consultation
Managing risk necessarily involves people because:
• The interests of people are part of the organization’s objectives

• People will need to take (or not take) particular actions in order for risk to be managed
effectively
• People have most of the knowledge and information on which effective risk management
relies
• Some people might have a right to be informed or consulted.
Communication and consultation are therefore key supporting activities for all parts of the risk
management process. Communication and consultation are processes and not outcomes. They
normally take place with stakeholders, defined as those persons or organizations that can affect,
be affected by or perceive themselves to be affected by a decision or activity.
Monitoring and review
Monitoring and review are two distinct processes intended to detect change and determine the
ongoing validity of assumptions. Both are necessary to ensure that an organisation maintains a
current and correct understanding of its risks, and that those risks remain within its risk criteria.
Both require a systematic approach, integrated into an organisation’s management systems, that
reflects the speed at which change occurs within the internal and external environment.
Step-wise process elements
32 | P a g e
Establishing the context
Before any risk management activity takes place and especially before risk assessment occurs, the
external, internal and risk management contexts should be established.
A key aim of the ‘establish the context’ step in the risk management process is to identify the
organization’s objectives, and those external and internal factors that could be a source of
uncertainty, so that risks can be identified more readily.
Establishing the context also provides the information that allows the other steps of the risk
management process to occur.
Risk identification
Carried out thoroughly, the risk identification step reveals what, where, when, why and how
something could happen or occur and the range of possible effects on objectives. In some cases,
these effects or consequences might only occur at some future point or they might be
experienced, at a fixed or variable rate, over time.
Risk identification would normally occur in a workshop involving appropriate stakeholders. A

trained facilitator and recorder should normally be present.
Risk analysis
Risk analysis investigates and draws upon:
• The information on risks generated during risk identification

• The effectiveness and reliability of controls
• Additional information from the statement of context
• Supporting statistical data, results of predictive modelling or expert judgement
• The risk criteria developed during establishing the context.
The aim of risk analysis is to gain an understanding of the nature of each risk, including the
magnitude of its consequences and their likelihoods, and therefore to derive the level of risk.
Risk analysis enables each risk (or group of risks when considered in the aggregate) to be
evaluated in order to determine whether risk treatment is needed.
Risk evaluation
Risk evaluation uses the information generated by risk identification and risk analysis to make
decisions about whether each risk falls within an organisation’s risk criteria and whether it requires
treatment.
Normally organisations specify the actions required by managers for risks at each level of risk and
the time allowed for their completion. They also specify which levels of management will be
permitted to accept the continued exposure and tolerance of certain levels of risk.
33 | P a g e
Risk treatment
At its simplest, risk treatment involves a process to modify a risk by changing the consequences
that could occur or their likelihood. This process requires creative consideration of options and
detailed design, both inputs being necessary to find and select the best risk treatment.
Once implemented, risk treatments will either create new controls or amend existing controls.
Risk treatment takes place in two distinctive contexts:
1. In the proactive context, where an organisation has successfully integrated risk

management into a system of management, risk treatment is integral to and effectively
indistinguishable from decision-making. Therefore, at the time a decision is finalised the
risk created by the decision will be within the organisation’s risk criteria.
2. In a reactive context, the organisation is looking retrospectively at the risk created by
decisions taken and implemented previously, and so any risk treatments found necessary
will be remedial in nature.
In both contexts, those risks that the organisation judges are unacceptable should be treated.
Preparing for risk assessment
Establishing the context
It is impossible to conduct an efficient and effective risk assessment unless there is suitable
preparation. This involves the 'establishing the context' step of the risk management process,
which is normally conducted through discussions with the sponsor of the risk assessment and
selected stakeholders.
34 | P a g e
We would normally establish the context by considering the following discrete activities:
1. Gaining agreement on the scope and objectives for the risk management process
2. Analysing important stakeholders to determine their objectives and the preferred means
to communicate and consult with them
3. Identifying the significant factors in the external environment that give rise to uncertainty.
This could include, for example, the social, regulatory, cultural, physical, financial and
political environment, external stakeholders and key external organizational drivers.
4. Identifying the significant factors in the internal environment that give rise to uncertainty.
This could include, for example, the organisation’s culture, internal stakeholders, the
capabilities, strengths and weaknesses of he organisation in terms of resources, people,
systems and processes, and the relevant organizational goals and objectives.
5. Setting the scope and boundaries of a risk assessment by defining the organizational part,
project, activity or change and its goals and objectives, specifying the nature of the
decisions that have to be made based on the risk assessment outcomes, defining any
specific criteria that will be used as part of risk evaluation, defining the extent of the
change or activity or function in terms of time and location, and any boundaries,
identifying any scoping studies needed and their scope, objectives and the resources
required, and defining the depth, breadth and rigour of the risk assessment, including
specific inclusions and exclusions.
Establishing the context is normally conducted several days before risk identification. It is not
advisable to undertake it in the same session.
Briefing note
To ensure that those who participate in the risk assessment are properly prepared, it is normal
that the information gathered during 'establishing the context' is summarised in a briefing note
that is sent to them prior to the workshop.
The briefing note and the context information it contains should be preserved as part of the risk
assessment record.
Risk assessment
Identifying the risks
Risk assessment involves the identification of what, why, where, when and how events or situations
could either harm or enhance the ability of the organisation to achieve its objectives.
Comprehensive identification using a well-structured and systematic process is critical, because
risks not identified at this stage are excluded from further analysis and treatment. Identification
should include all risks, whether or not they are under the direct control of the organsiation.
Broadleaf uses many methods for risk identification from brainstorming to more rigorous and
highly-structured processes such as HAZOP and FMEA.
35 | P a g e
Whichever method we use, we follow the same general process for risk identification given below.
In all cases, the key element structure prepared during the context step should be followed.
What could happen, where and when?
Our aim is to generate a comprehensive list of events, situations or circumstances that might have
an impact on the achievement of each of the relevant objectives. The events or circumstances
might prevent, degrade, delay or enhance the achievement of the objectives. They are then
considered in more detail to identify what could happen.
How and why could it happen?
Having identified what might happen, we help our client consider possible causes. There are many
ways an event could occur or a circumstance might arise. It is important that no significant causes,
particularly root causes, are omitted.
This information is recorded in a risk register.
It is normally inefficient for one person to facilitate the workshop and record the outcomes at the
same time. We use Excel or Word templates to capture the information. It is normally not efficient
to attempt to input the information directly into a risk management database during the
workshop session.
Analysing the risks
Risk analysis is about developing an understanding of each risk. It provides an input to decisions
on whether risks need to be further controlled and the most appropriate and cost-effective
treatment actions to take.
Risk analysis involves consideration of the positive and negative consequences and the likelihood
that those consequences may occur. Factors that affect consequences and likelihood may be
identified. Risk is analysed by combining consequences and likelihood, taking into account the
existing controls.
Broadleaf uses a qualitative method of risk analysis to prioritise risks for attention, at least initially.
Even if quantitative analysis is required later, we normally find it efficient to use a qualitative
system for screening purposes.
Quantitative approaches can be used when more definition and rigour are needed. In general
they are only used:
• Where the most likely consequence is high

• Where reliable quantitative data is available or can be generated
• Where the level of definition required by decision makers is high.
36 | P a g e
We often conduct the risk rating process during the workshop used for risk identification.
However, sometimes it is preferable to analyse the risks at another time using subject matter
specialists, and then reconvene the original workshop team to agree and verify the ratings.
We always analyse the risk in terms of how the organisation currently operates, and in particular
taking into account existing controls and their effectiveness. We use control effectiveness (CE) to
take into account both the adequacy and effectiveness of the controls for a particular risk.
We also determine a measure of potential exposure (PE) that represents the total plausible
maximum impact on the organisation arising from a risk without regard to controls. This is
estimated by considering the consequences that could arise if all existing controls were ineffective
or missing. This measure is use to identify the key controls that should be subject to assurance
and, in particular, monitored continuously for effectiveness.
From the risk analysis output we can advise clients on:
• The preferred strategies for risk treatment

• The priority with which risks should be considered for treatment
• Those risks that should be the subject to senior level oversight, particularly in terms of
monitoring the progress of risk treatment plans
• The risks and the associated controls that should be subject to planned assurance,
particularly through continual monitoring as well as periodic review.
Risk treatment
Options
It is usually not cost-effective or even desirable to implement all possible risk treatments. It is,
however, necessary to choose, prioritise and implement the most appropriate combination of risk
treatments. Treatment options, or more usually combinations of options, are selected by
considering factors such as costs and benefits, effectiveness and other criteria of relevance to the
organisation. Factors such as legal, social, political and economic matters may need to be taken
into account.
Treatment of individual risks seldom occurs in isolation, and options should be considered
together as part of an overall treatment strategy. Having a clear understanding of a complete
treatment strategy is important to ensure that critical dependencies and linkages are not
compromised and to ensure the use of resources and budgets is efficient. For this reason
development of an overall treatment strategy should be a top-down process, driven jointly by the
need to achieve objectives and satisfy organizational and budgetary constraints while controlling
uncertainty to the extent that this is desirable.
We advise our clients to be flexible about risk treatment options and consult broadly with
stakeholders as well as with peers and specialists. Many treatments need be acceptable to
stakeholders or those who are involved in implementation if they are to be effective and
sustainable.
37 | P a g e
We often use bow-tie analysis to help our clients identify possible risk treatment measures based
on control gaps.
Cost benefit analysis
The primary consideration for most risks is whether the risk can be further treated in a way that is
reasonable and cost effective.
In general this involves considering:
• Whether the risk is being controlled to a level that is reasonably achievable

• Whether it would be cost-effective to further treat the risk
• The organisation’s willingness to tolerate risks of that kind.
Determining the cost-effectiveness of further treatment involves the application of cost benefit
analysis. This should consider all direct costs and ancillary costs (dis-benefits) as well as all the
direct benefits and ancillary benefits (opportunities). If most of the costs or the benefits are unlikely
to be experienced within the first year or so then it may be necessary to discount the benefits and
costs to allow the assessment to be made ‘in today’s money’.
We help our clients identify possible options for risk treatment and then test each of these using
cost benefit analysis. As with risk assessment, preparation for a risk treatment workshop is vital if it
is to be effective and efficient.
The table below contains an example of cost benefit analysis applied to risk treatment options.
Table 1: Treatment options associated with surface traffic accidents at a mine site
Treatment option Benefits Disadvantages Result Completion

date
Survey current rules Understand the current Will require some Yes 31-Jul-XX
and variations across situation and the effort to achieve.
company. Develop a potential for confusion. May conclude that
standard for safe Move to understand the the removal of
driving in mines and need for despatch or despatch is not
safe behaviours. the alternatives. desirable from a
Consider the role of Ultimately it will reduce safety perspective.
despatch on each the likelihood of
mine. accidents that can cause
death and serious injury
and plant damage.
Conduct a study to Currently there are no Will require effort Yes 31-Jul-XX
determine safe speeds standards or rules. Many to achieve (but
below and above vehicles do not have could be
ground. Develop a speedos. Speeds are conducted at the
strategy to limit speeds enforced by removal of same time as 1).
38 | P a g e
through blocking gears which places
gears etc. motors under stress.
Survey pedestrian and Development of a Will take some Maybe 31-Dec-XX
vehicle interactions solution that is suitable effort to achieve.
below and above for all mines. Will lead to some
ground. Consider Consistency between opposition as it
proximity devices as mines and avoidance of may restrict where
part of the solution. ambiguity. Provide a people walk.
Develop standards in basis for training and
terms of delaminated enforcement of
areas, walking areas standards.
etc. Train all mine staff
on rules and enforce.
Risk treatment plans
We help our clients generate and record potential options for risk treatment as that shown above.
For each option, the benefit and costs or disadvantages are expressed and a decision is placed in
the final column. The decision is either ‘yes’ because the risk treatment option is value accretive, or
‘no’ because it is not. If the evaluation in inconclusive, a ‘maybe’ is recorded and more detailed
benefit-cost analysis may be required.
All those options marked ‘yes’ go ahead as risk treatment measures and plans are developed for
their implementation.
ISO 31000:200910
The components of ISO 31000
3.1. One vocabulary for risk management
It soon became clear to the working group that the definitions of all the terms used in risk
management had to be consistent with the underlying processes and vice versa to ensure the
guidance in the standard was coherent and practical. For the standard to lead to greater clarity
and a wider understanding of risk management, many of the pre-existing terms and definitions for
process elements that had arisen from different forms of risk and applications of risk management
had to change. Fortunately, ISO combined the creation of the standard with a revision of the
existing ISO/IEC1 vocabulary for risk management in Guide 73:2002 and both documents were
published at the same time and will be updated together in future.
In that Guide 73 is actually a standard for standards makers and ISO 31000:2009 is a paramount
standard, all other ISO and IEC standards that concern themselves with aspects of risk and risk
management must now start a process of alignment. Obviously, this process will take some time
10
Source: Broadleaf, as at http://broadleaf.com.au/resource-material/iso-31000-2009-setting-a-new-
standard-for-risk-management/, as on 17th February, 2021.
39 | P a g e
and the compromises needed by those who apply these standards will, in some cases, be quite
difficult.
3.2. Performance criteria
There are some clear performance requirements that, if followed, ensure that risks are managed
both effectively and efficiently. The principles of effective risk management in ISO 31000 are that it
should:
1. Create and protect value;

2. Be an integral part of all organisational processes;
3. Be part of decision making;
4. Explicitly address uncertainty;
5. Be systematic, structured, and timely;
6. Be based on the best available information;
7. Be tailored;
8. Take into account human and cultural factors;
9. Be transparent and inclusive;
10. Be dynamic, iterative, and responsive to change;
11. Facilitate continual improvement of the organisation.
A second list of attributes, in an annex to the standard, contains unavoidable characteristics of

managing risk effectively that are also powerful indicators of risk management performance.
These include key outcomes, which, while being pretty straightforward, actually describe the
ultimate result of effective risk management activity: namely, that the organisation will have a
current, correct, and comprehensive understanding of its risks and those risks are within its risk
criteria. Obviously, if an organisation finds on an objective basis that it is not achieving these
outcomes, more will need to be done.
The annex also contains the important characteristics of advanced risk management that:
• An emphasis is placed on continual improvement in risk management through the setting

of organisational performance goals, measurement, etc.;
• There is comprehensive, fully defined, and fully accepted accountability for risks, controls,
and risk treatment tasks;
• All decision making within the organisation involves the explicit consideration of risks and
the application of risk management to some appropriate degree;
• There is continual communication with external and internal stakeholders, including
comprehensive and frequent reporting of risk management performance, as part of good
governance;
• Risk management is viewed as central to the organisation’s management processes, such
that risks are considered in terms of effect of uncertainty on objectives.
3.3. The process for managing risk
After considering numerous options and variants, ISO 31000:2009 largely adopted the same broad
process as AS/NZS 4360:2004 for managing risk as shown in Fig. 1. While the process is essentially
steplike, in practice there is considerably iteration between the steps and between the
40 | P a g e
continuously applied elements of communication and consultation and monitoring and review.
Drawing a picture of this is obviously difficult and for this reason, the diagram used in the standard
was deliberately not shown as a flow chart. Its purpose is to show the relationship between clauses
of the standard that describe the process.
Fig. 1.
The risk management process from ISO 31000:2009.
There are two elements of the process that can be considered as continually acting. These are:
• Communication and consultation with internal and external stakeholders, where

practicable, to gain their input to the process and their ownership of the outputs. It is also
important to understand stakeholders’ objectives, so that their involvement can be
planned and their views can be taken into account in setting risk criteria.
• Monitoring and review, so that appropriate action occurs as new risks emerge and existing
risks change as a result of changes in either the organisation’s objectives or the internal
and external environment in which they are pursued. This involves environmental scanning
by risk owners, control assurance, taking on board new information that becomes
available, and learning lessons about risks and controls from the analysis of successes and
failures.
The central spine of the risk management process is concerned with preparing for and then
conducting risk assessment leading, as necessary, to risk treatment. The process starts through
defining what the organisation wants to achieve and the external and internal factors that may
41 | P a g e
influence success in achieving those objectives. This step is called establishing the context and is
an essential precursor to risk identification.
Risk assessment under ISO 31000 comprises the three steps of risk identification, risk analysis, and
risk evaluation. Risk identification requires the application of a systematic process to understand
what could happen, how, when, and why.
In ISO 31000, risk analysis is concerned with developing an understanding of each risk, its
consequences, and the likelihood of those consequences. Whether the end result is expressed as
a qualitative, semi-quantitative, or quantitative manner, gaining this understanding requires
consideration of the effect and reliability of existing controls and any control gaps. ISO 31000 does
not express a preference for either a quantitative or qualitative approach to risk analysis, as both
have a role. Rather, it advises that:
• The way in which consequences and likelihood are expressed and the way in which they
are combined to determine a level of risk should reflect the type of risk, the information
available, and the purpose for which the risk assessment output is to be used. These
should all be consistent with the risk criteria.
• The confidence in determination of the level of risk and its sensitivity to preconditions and
assumptions should be considered in the analysis, and communicated effectively to
decision-makers and, as appropriate, other stakeholders.
• Risk analysis can be undertaken with varying degrees of detail, depending on the risk, the
purpose of the analysis, and the information, data, and resources available. Analysis can
be qualitative, semi-quantitative, quantitative, or a combination of these, depending on
the circumstances.
Risk evaluation then involves making a decision about the level of risk and the priority for attention
through the application of the criteria developed when the context was established.
Risk treatment is the process by which existing controls are improved or new controls are
developed and implemented. It involves evaluation of and selection from options, including
analysis of costs and benefits and assessment of new risks that might be generated by each
option, and then prioritising and implementing the selected treatment through a planned process.
If this process is followed, the systematic way in which the risks have been assessed means that
risk treatment can proceed with confidence.
There is a great deal of iteration between risk evaluation and risk treatment as each set of risk
treatment options is tested until the preferred set is found that yields the greatest benefit for the
least cost.
ISO 31000:2009 gives a set of general options to be considered when risk is treated. The order of
the list reflects preference. Importantly, the options deal with both risks that have downside and/or
upside consequences. The options are:
1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the
risk;
2. Taking or increasing the risk in order to pursue an opportunity;
3. Removing the risk source;
42 | P a g e
4. Changing the likelihood;
5. Changing the consequences;
6. Sharing the risk with another party or parties (including contracts and risk financing);
7. Retaining the risk by informed decision.
3.4. The framework for managing risk
One of the recurrent themes in IS0 31000 is that to be effective, risk management must be
integrated into an organisation’s decision-making processes (which, of course, is how risk is
generated). This is easily said but many organisations struggle to achieve this in practice. If the
number of pages indicates some measure of the importance of a subject, then more of the
standard (nine pages) is concerned with the implementation of risk management than with the
process (seven pages).
Clause 4 of the standard concerns implementation of the risk management process through
integration by using a management framework, which consists of the policies, arrangements, and
organisational structures to implement, sustain, and improve the process. The standard not only
describes the important elements that are required in such a framework but also describes how an
organisation should go about creating, implementing, and keeping these elements up to date and
relevant.
Each organisation needs to design or revise the risk management components of its management
system to suit its business processes, structure, risk profile, and policies and this is the purpose of a
risk management plan. This implementation plan may extend over a considerable time as
introducing soundly based risk management usually requires alignment with and even changes to
the organisation’s culture and processes. Large or complex organisations may require a hierarchy
of risk management plans but there should always be an overall plan for the organisation that
describes the broad strategies to be pursued.
The framework described in ISO 31000 can also be adapted and applied to managing risk
associated with projects. Although projects often require a different timescale and specialised
criteria, they are a source of risk to the organisation’s objectives and this risk needs to be
managed to ensure that projects deliver the value for which they are being undertaken.
43 | P a g e
ISO 31000 is a generic risk management standard. It can be used by any organization no matter
what size it is or what it does. It can be used by both public and private organizations and by
groups, associations, and enterprises of all kinds. It is not specific to any sector or industry and
can be applied to any type of risk. ISO 31000 can be applied to the achievement of any and all
types of objectives at all levels and areas within an organization11.
It can be used at a strategic or organizational level to help make decisions and can be applied
to all types of activities. It can be used to help manage processes, operations, projects,
programs, products, services, and assets.
This page presents an overview of ISO 31000 2009. It doesn't provide detail. It starts with
section 3 because the ISO 31000 2009 guidelines start there.
3. RISK MANAGEMENT PRINCIPLES
3(A) RISK MANAGEMENT SHOULD CREATE AND PROTECT VALUE
• Use risk management to create and protect value.

o Create and protect value by using risk management to help achieve
your organization’s objectives and improve its performance.
3(B) RISK MANAGEMENT SHOULD BE PART OF ALL PROCESSES
• Make risk management part of every process at every level.

• Make risk management a responsibility of every manager.
3(C) RISK MANAGEMENT SHOULD BE PART OF YOUR DECISION MAKING
• Make risk management part of decision making at all levels.

o Use risk management to make informed choices.
o Use risk management to prioritize actions.
3(D) RISK MANAGEMENT SHOULD BE USED TO HANDLE UNCERTAINTY
• Use risk management to address the uncertainty that you face.

o Use risk management to identify and define the nature and
type of uncertainties that your organization must deal with.
o Use risk management to figure out what you can do
to address your organization’s uncertainties.
3(E) RISK MANAGEMENT SHOULD BE SYSTEMATIC AND TIMELY
• Make sure that your organization’s approach to risk management is systematic,

structured, and timely.
11
Source: Praxiom, as at http://www.praxiom.com/iso-31000.htm, as on 17th February, 2021.
44 | P a g e
o Make sure that your approach contributes to efficiency.
o Make sure that your approach generates reliable results.
3(F) RISK MANAGEMENT SHOULD BE BASED ON THE BEST DATA
• Make sure that the inputs you use to manage risk are
based on the best available information sources.
• Make sure that decision makers understand and consider the
limitations and shortcomings of the data they use to manage risk.
3(G) RISK MANAGEMENT SHOULD BE TAILORED TO YOUR ENVIRONMENT
• Make sure that your organization’s approach to risk management

is aligned with its unique internal and external context.
• Make sure that your organization’s approach to
risk management is aligned with its risk profile.
3(H) RISK MANAGEMENT SHOULD CONSIDER HUMAN FACTORS
• Make sure that your approach to risk management recognizes

and considers the human and cultural factors that can influence
the achievement of your organization’s objectives.
o Consider how human capabilities can facilitate
or hinder the achievement of your objectives.
o Consider how human perceptions can facilitate
o Consider how human intentions can facilitate
3(I) RISK MANAGEMENT SHOULD BE TRANSPARENT AND INCLUSIVE
• Make sure that your approach to risk management is transparent.

o Make sure that your organization’s approach to
risk management is open, visible, and accessible.
• Make sure that your approach to risk management is inclusive.
o Involve your organization’s stakeholders.
o Involve decision makers from all parts of your organization.
3(J) RISK MANAGEMENT SHOULD BE RESPONSIVE AND ITERATIVE
• Make sure that your organization’s approach to

risk management is dynamic and responsive.
o Make sure that your approach to risk management
continually senses change and responds to it.
• Make sure that your approach to risk management is ongoing.
o Repeat your risk management process whenever
and wherever objectives need to be achieved.
45 | P a g e
3(K) RISK MANAGEMENT SHOULD SUPPORT CONTINUAL IMPROVEMENT
• Use risk management to improve all aspects of your organization.

• Develop strategies to improve your approach to risk management.
4. RISK MANAGEMENT FRAMEWORK

4.1 ESTABLISH A RISK MANAGEMENT FRAMEWORK
• Make risk management part of your management system.

o Establish an effective risk management framework.
o Use your framework to support risk management process.
4.2 MAKE A COMMITMENT TO RISK MANAGEMENT
• Define your organization’s risk management policy.

• Establish risk management performance indicators.
• Formulate risk management objectives.
• Assign risk management responsibilities.
• Allocate risk management resources.
• Communicate risk management benefits.
• Support your risk management framework.
4.3 DESIGN YOUR RISK MANAGEMENT FRAMEWORK
4.3.1 Understand your organization's context
• Evaluate and understand your organization’s external context and

then use this knowledge to design your risk management framework.
o Evaluate and understand your external environment.
o Evaluate and understand your external stakeholders.
o Evaluate and understand your external influences.
• Evaluate and understand your organization’s internal context and
then use this knowledge to design your risk management framework.
o Understand your organization’s internal stakeholders.
o Understand your organization’s governance.
o Understand your organization’s capabilities.
o Understand your organization’s culture.
o Understand your organization’s standards.
o Understand your organization’s contracts.
4.3.2 Formulate your risk management policy
• Establish a risk management policy for your organization.

o Make a clear commitment to risk management.
o Define your risk management objectives.
o Explain how your policy will be implemented.
• Communicate your risk management policy.
46 | P a g e
4.3.3 Make people accountable for managing risk
• Identify your organization’s risk owners.

• Give risk owners the authority to manage risk.
• Make risk owners accountable for managing risk.
• Establish risk management performance measurement methods.
• Develop risk management reporting and escalation processes.
4.3.4 Build risk management into your organization
• Make risk management a part of all processes and practices.

• Develop an organization-wide risk management plan.
4.3.5 Allocate resources for risk management
• Allocate appropriate resources to support your

organization’s risk management activities.
o Consider providing people who can support
your organization’s risk management activities.
o Consider providing resources needed to support
each step of the risk management process.
o Consider providing information and knowledge
management systems to support risk management.
o Consider providing risk management procedures and processes.
o Consider providing appropriate risk
management methods and tools.
4.3.6 Establish internal communication mechanisms
• Establish internal risk management communication

and reporting processes and mechanisms.
4.3.7 Develop an external communication plan
• Develop a plan that describes how you intend to

communicate with your external stakeholders.
• Implement your risk management communication plan.
4.4 IMPLEMENT YOUR APPROACH TO RISK MANAGEMENT
4.4.1 Implement your risk management framework
• Develop a strategy to implement your organization’s framework.

• Implement your organization’s risk management framework.
4.4.2 Implement your risk management process
47 | P a g e
• Develop a plan that explains how you intend to apply
your organization’s risk management process (Part 5).
• Use your risk management plan to implement your
organization’s risk management process (Part 5).
4.5 MONITOR YOUR RISK MANAGEMENT FRAMEWORK
• Evaluate the ongoing effectiveness of your

organization’s risk management framework.
• Prepare reports on the effectiveness of your
4.6 IMPROVE YOUR RISK MANAGEMENT FRAMEWORK
• Study the results of your organization’s risk management

monitoring and review activities (see Part 4.5, above).
• Figure out how you’re going to improve your
5. RISK MANAGEMENT PROCESS
5.1 APPLY YOUR RISK MANAGEMENT PROCESS
• Apply your risk management process (see Part 5.2 to 5.6).

o Make your risk management process part of your organization’s management
approach.
o Make your risk management process part
of your organization’s unique culture.
5.2 COMMUNICATE AND CONSULT WITH YOUR STAKEHOLDERS
• Communicate and consult with stakeholders

during all stages of the risk management process.
• Use a consultative team approach to communicate
and consult with your organization’s stakeholders.
5.3 ESTABLISH YOUR UNIQUE RISK MANAGEMENT CONTEXT
5.3.1 Establish your risk management parameters
• Identify and understand the parameters and variables that

influence and control how your organization manages risk.
o Define your organization’s external context (see Part 5.3.2).
o Define your organization’s internal context (see Part 5.3.3).
5.3.2 Establish your organization's external context
48 | P a g e
• Identify and understand your organization’s external context
and consider the influence it could have on its ability to manage
risk and achieve its objectives.
o Identify and understand environmental conditions and
consider the influence they could have on your organization’s
ability to achieve its objectives.
o Identify and understand key external factors and consider
the influence they could have on your organization’s ability
to achieve its objectives.
o Identify and understand the relationships you have with
external stakeholders and consider the influence they could
have on your organization’s ability to achieve its objectives.
• Consider your organization external context when you develop
your organization’s risk criteria (see Part 5.3.5 for details).
o Consider the concerns, objectives, and perceptions of
external stakeholders when you formulate your risk criteria.
5.3.3 Establish your organization's internal context
• Identify and understand your organization’s internal context

and consider the influence it could have on its ability to manage
risk and achieve objectives.
o Understand your organization’s internal stakeholders.
o Understand your organization’s governance structure.
o Understand your organization’s capabilities.
o Understand your organization’s culture.
o Understand your organization’s standards.
o Understand your organization’s contracts.
5.3.4 Establish the context of your risk management process
• Establish the unique context of your risk management process.

o Adopt a risk management approach that is appropriate to
your circumstances and consistent with your context.
o Identify the organizational areas or parts that will
participate in your risk management process and make
sure you understand what they do and how they do it.
• Clarify how each specific risk management process
or activity should be organized and managed.
o Define the goals and objectives of the risk management
activities and projects you intend to carry out.
o Define the resources that your risk management
activities and projects will need.
o Define the risk management responsibilities
and authorities of all process participants.
o Define the focus of each risk management project
including where and when it will be carried out.
49 | P a g e
o Define the decisions that will need to be made
as you carry out each risk management process.
o Define the risk assessment methodologies that you intend
to use for each risk management process or project.
o Define how your risk management process is
related to your organization’s other processes.
o Define the studies that you intend to carry out
to support each risk management process.
o Define how risk management process performance
and effectiveness will be evaluated.
o Define the records that each risk management
process or activity should maintain.
5.3.5 Establish your organization's risk criteria
• Define your organization’s risk criteria.

o Consider your organization and how it
functions when you define your risk criteria.
o Consider the views of your organization’s
stakeholders when you define your risk criteria.
o Consider the nature and type of causes when
you define your organization’s risk criteria.
o Consider the consequences and impacts that
could occur when you define your risk criteria.
o Consider how likelihood or probability will be
determined when you define your risk criteria.
o Consider how the level of risk will be determined
when you define your organization’s risk criteria.
o Consider whether combinations of multiple risks should
be taken into account when you define your risk criteria.
• Review and periodically update your risk criteria.
5.4 CARRY OUT YOUR ORGANIZATION’S RISK ASSESSMENT PROCESS
5.4.1 Identify, analyze, and evaluate risks
• Carry out your risk assessment process.

o Identify your organization’s risks (see Part 5.4.2 for details).
o Analyze your organization’s risks (see Part 5.4.3 for details).
o Evaluate your organization’s risks (see Part 5.4.4 for details).
5.4.2 Identify your organization's risks
• Choose suitable risk identification tools and techniques.

• Select suitable people to identify your organization’s risks.
• Use your tools and techniques to identify the risks that could
affect the achievement of your organization’s objectives.
50 | P a g e
• Generate a comprehensive list of risks that could affect
the achievement of your organization’s objectives.
5.4.3 Analyze your organization's risks
• Analyze the risks that your organization faces.

• Estimate your organization’s level of risk.
• Specify how much confidence you have in your analysis.
• Use your risk analysis to understand your organization’s risks.
• Communicate the results of your risk analysis.
5.4.4 Evaluate your organization's risks
• Use your risk analysis results to evaluate your organization’s risks.

• Use your risk analysis results to consider your risk treatment options.
5.5 FORMULATE AND IMPLEMENT YOUR RISK TREATMENT PLANS
5.5.1 Explore your organization's risk treatment options
• Establish a cyclical risk treatment process.

• Consider your organization’s risk treatment options.
5.5.2 Select your organization's risk treatment options
• Select the most appropriate risk treatment options.

• Plan the implementation of your risk treatments.
5.5.3 Prepare risk treatment implementation plans
• Document your organization’s risk treatment plans.

• Discuss risk treatment plans with all participants.
• Carry out your risk treatment implementation plans.
5.6 MONITOR AND REVIEW YOUR RISK MANAGEMENT PROCESS
• Plan your risk management monitoring and review processes.

• Monitor and review all aspects of your risk management process.
• Record your organization’s monitoring and review results.
• Report your risk management monitoring and review results.
5.7 MAINTAIN A RECORD OF RISK MANAGEMENT ACTIVITIES
• Create and maintain records to support risk management process.

• Use your records to support your risk management process.
51 | P a g e
Consult with relevant stakeholders and identify, document and analyse
program level risks
Planning for success includes being aware of the hurdles to effective risk management and taking
action to avoid or mitigate them. Some of the common hurdles to effective risk management
include12:
Stifling innovation by failing to engage with risk
Innovation is critical to new policy implementation, but trying something new always involves
taking risks. Successful risk management is not about avoiding risks; it involves identifying,
assessing and determining appropriate strategies to manage them. Trials (or pilots) and phased
implementation provide opportunities to re-evaluate and reduce risk, and to test and refine
management and mitigation strategies.
Over-optimism and failure to see emerging risks
Risk assessments must not present government and participants with an over-optimistic view.
Rather, a good risk plan will take a hard-nosed view and give the full picture.
Having a positive risk culture is important. Leaders should ensure that agency culture encourages
escalation of risks and that appropriate assistance and support is provided to bring the initiative
back on track.
Failure to anticipate and manage transmitted risk
Some policy changes rely on new or existing non-government providers to deliver services. While
this practice is a form of risk sharing, the extent to which risk is distributed can depend on the
reliability and clarity of the sharing arrangements. Collaborative development of risk plans is one
way to mitigate this problem. However, Australian Government agencies cannot transfer all risks
as they have ultimate responsibility for delivering or maintaining service delivery and for
implementing contingency plans if risks materialise.
Inadequate skills or capability to manage risk
Risk management must be undertaken by skilled and senior personnel. If expertise in the
implementation of risk management is inadequate, consider bringing in capable risk managers or
sharing the risk (but not the accountability) with outside parties. However risks are managed, the
responsibility for them must be formally agreed and acknowledged.
12
Source: Department of the Prime Minister and Cabinet, as at
https://www.dpmc.gov.au/.../2014%2011%2014%20%20-%204%20Risk%20-%20Fin..., as on 28th March, 2017.
52 | P a g e
Focusing on operational risks at the expense of strategic risks
In pressure situations there is a tendency to manage only operational risks, and not strategic risks.
This can lead to a situation where the ‘operation was a success but the patient died’. That is, all
procedures for managing risks were followed but the intended outcome was not achieved.
Operational risks are important: a poorly implemented policy that does not fully consider and
track operational implementation risks may result in failure to achieve the end goal. However, risk
managers must understand the risk profile and dependencies of risks across the whole initiative—
strategic risks—to ensure its success.
Deprioritising risk management due to time constraints or political demands
Engaging with risk management frameworks can fall off the agenda when pressure arises to
implement an initiative quickly. Leaders should play an active role in using risk management as a
tool for effective delivery. It may also be necessary to brief the chief executive, for possible
ministerial attention, on significant risks to implementation, including appropriate treatments.
Focusing mainly on risks of not implementing the initiative rather than implementation risks
Decision-makers need to understand the risks of not implementing an initiative before a decision
has been made. Then, however, the emphasis should shift to the risks of implementing the
initiative.
Strategies for success

Effectively managing the risks associated with your project will ensure its success. Some of the
common strategies that will ensure effective risk management are:
Start early, and integrate structured risk management methods into your planning
Identification, assessment and, ideally, treatment of risks should occur as early as possible during
the policy development process.
Most agencies have enterprise risk management frameworks based on the best practice
guidelines in AS/NZS ISO 31000:2009. The risk management process and risk register are essential
elements in the implementation of a risk management strategy. Setting the context for each risk
and the overall risk profile, describing the evidence base (for identification, analysis and evaluation
of risk) and describing risk treatments are all important.
The commitment or announcement stage is often the point at which risk to government
crystallises. This may require policy developers to advise governments about difficulties in the
delivery of a proposed initiative in terms of consultation, planning or negotiation.
Use jointly developed risk plans for initiatives involving partnership arrangements
53 | P a g e
Delivery in partnership with other agencies or jurisdictions, or with the private sector, can improve
implementation. But it also changes the nature and management of implementation risks. Manage
these risks by applying a joint approach to risk management with frequent consultation. The lead
agency and key participants need a common view of the vision, the outcomes to be achieved and
performance against expectations.
Include a process to manage and review risks on a regular and ongoing basis
Track risks using a risk log on a regular basis and at major milestones. At each review, decide
whether to add any new risks, remove old ones, or downgrade or upgrade existing ones. At the
same time, review mitigation strategies to see if they are working.
Develop strategies for when and how risks should be escalated
High-level risks should be escalated up the governance structure. For extreme risks it may be
necessary to escalate to the Minister. It is also important that lessons learned from previous
initiatives or earlier phases of the initiative are taken on board and incorporated into reviews of
risks.
Make sure the risk approach is fit for purpose
Choose a risk management approach that is commensurate with levels of risk and can be adapted
to changes in the external environment. Additional steps may be required for larger initiatives and
a more streamlined approach for lower-risk initiatives. Eliminating risk is not the goal of a risk
management strategy. Consider alternative risk treatments, such as avoiding risks, minimising risks,
sharing or accepting risks; or changing their likelihood or consequences.
Treating Risks
Treating risks involves working through options to deal with unacceptable risks to your business.
Unacceptable risks range in severity; some risks will require immediate treatment while others can
be monitored and treated later.
Your risk analysis and evaluation will help you prioritise the risks that need to be treated. When
you are developing a plan for treating the risks, consider the:
• method of treatment
• people responsible for treatment
• costs involved
• benefits of treatment
• likelihood of success
• ways to measure the success of treatments.
54 | P a g e
How and why you have chosen to treat risks should be outlined in your risk management plan. It's
important to review your plan regularly to take into account any new risks associated with changes
in your business or improvements in techniques for treating risks. The following are different
options for treating risks.
Avoid the risk
If it's possible, you may decide not to proceed with an activity that is likely to generate risk.
Alternatively, you may think of another way to reach the same outcome that doesn't involve the
same risks. This could involve changing your processes, equipment or materials.
Reduce the risk
You can reduce a risk by:
• reducing the likelihood of the risk happening - for example, through quality control
processes, auditing, compliance with legislation, staff training, regular maintenance or a
change in procedures
• reducing the impact if the risk occurs - for example, through emergency procedures, off
site data backup, minimising exposure to sources of risk, or using public relations.
Transfer the risk
You may be able to shift some or all of the responsibility for the risk to another party through
insurance, outsourcing, joint ventures or partnerships. You may also be able to transfer risk by:
• cross-training staff so that more than one person knows how to do a certain task and you
don't risk losing essential skills or knowledge if something happens to one of your staff
members
• identifying alternative suppliers in case your usual supplier is unable to deliver
• keeping old equipment (after it is replaced) and practising doing things manually in case
your computer networks or other equipment can't be used.
Make sure you have adequate insurance
Speak to your insurer to find out if you have the right insurance cover for your business. Be sure
to clarify whether you are covered for the risks you have identified in your risk management plan.
Keep in mind that insurance policies may have different definitions for certain incidents (e.g.
flooding).
You should also check that you:
• have coverage for the loss of income you could incur if customers affected by the crisis
stop ordering your product or service
• have appropriate insurance to cover other related issues such as on-site injuries to staff or
visitors, or for loss of your customers' goods or materials
55 | P a g e
• have coverage in case your supplier/s are affected by a crisis and can't deliver necessary
supplies for your business
• are meeting your workers' compensation obligations in case any of your staff are injured
in a crisis.
Accept the risk
You may accept a risk if it can't be avoided, reduced or transferred. Other risks may be extremely
unlikely and therefore too impractical or expensive to treat. However, you will need to develop an
incident response plan and a recovery plan to help you deal with the consequences of the risk if it
occurs.
Support and mentor project managers in the analysis, evaluation and

treatment of risks
Evaluation of a Risk Management Plan13
A risk management plan can never be perfect. However, the degree of its success depends upon
risk analysis, management policies, planning and activities. A well-defined management plan can
be successful only if risks are properly accessed. And if not, the main objective of risk
management plan itself is defeated. Critical evaluation of a risk management plan at every stage is
very necessary especially at an early stage. It will allow companies to discover the flaws before it
gets into the action. Once you’re through the process, you can address the issues and then
introduce it.
The below mentioned steps can help in analyzing and evaluating a risk management plan:
▪ Problem Analysis: Keep a note of all the events and activities of a risk management plan.
Check out the problems arising from their implementation and assess if they have a
serious impact on the whole process. Make a note of those that have serious implications.
▪ Match the Outcomes of a Risk Management Plans with its Objectives: Ends justify means.
Check if the possible outcomes of a risk management plan are in tandem with its pre-
defined objectives. It plays a vital role in analyzing if the plan in action is perfect. If it
produces desired results, it does not need to be changed. But if it fails to produce what is
required can be a really serious issue. After all, an organization deploys its resources
including time, money and human capital and above all, the main aim of the organization
is also defeated.
▪ Evaluate If All the Activities in the Plan are Effective: It requires a thorough investigation of
each activity of a risk management plan. Checking out the efficiency of all the activities
and discovering the flaws in their implementation allow you to analyze the whole plan
systematically.
13
Source: Management Study Guide, as at http://www.managementstudyguide.com/evaluation-of-risk-
management-plan.htm, as on 17th February, 2021.
56 | P a g e
▪ Evaluate the Business Environment: A thorough study and critical evaluation of business
environment where a risk management plan is to be implemented is essential. Take time
to assess, analyze and decide what exactly is required.
▪ Make Possible Changes in Faulty Activities: After evaluating the effectiveness and efficiency
of all the activities, try to make possible changes in the action plan to get desired results. It
may be very time consuming but is necessary for successful implementation of your risk
management plan.
▪ Review the Changed Activities: After making changes in already existing activities and
events of a risk management plan, go for a final review. Try to note down the possible
outcomes of the changed activity and match them with the main objectives of the risk
management plan. Go ahead in case they are in line with them.
Analyse and evaluate the impact of risks14
Once you have identified the risks to your business or program, you need to assess the possible
impact of those risks. You need to separate minor risks that may be acceptable from major risks
that must be managed immediately.
Analysing the level of risk
To analyse risks, you need to work out the likelihood of it happening (frequency or probability)
and the consequences it would have (the impact) of the risks you have identified. This is referred
to as the level of risk, and can be calculated using this formula:
level of risk = consequence x likelihood
Level of risk is often described as low, medium, high or very high. It should be analysed in relation
to what you are currently doing to control it. Keep in mind that control measures decrease the
level of risk, but do not always eliminate it.
A risk analysis can be documented in a matrix, such as this:
Likelihood scale example

Level Likelihood Description
4 Very likely Happens more than once a year in this industry
3 Likely Happens about once a year in this industry
2 Unlikely Happens every 10 years or more in this industry
1 Very unlikely Has only happened once in this industry
Consequences scale example

Level Consequence Description
4 Severe Financial losses greater than $50,000
3 High Financial losses between $10,000 and $50,000
2 Moderate Financial losses between $1000 and $10,000
14
Source: Queensland Government, as at https://www.business.qld.gov.au/running-business/protecting-
business/risk-management/preparing-plan/analyse, as on 17th February, 2021.
57 | P a g e
1 Low Financial losses less than $1000
Note: Ratings vary for different types of businesses. The scales above use 4 different levels;
however, you can use as many levels as you need. Also use descriptors that suit your purpose
(e.g. you might measure consequences in terms of human health, rather than dollar value).
Evaluating risks
Once you have established the level of risk, you then need to create a rating table for evaluating
the risk. Evaluating a risk means making a decision about its severity and ways to manage it.
For example, you may decide the likelihood of a fire is 'unlikely' (a score of 2) but the
consequences are 'severe' (a score of 4). Using the tables and formula above, a fire therefore has
a risk rating of 8 (i.e. 2 x 4 = 8).
Risk rating table example

Risk rating Description Action
12-16 Severe Needs immediate corrective action
8-12 High Needs corrective action within 1 month
4-8 Moderate Needs corrective action within 3 months
1-4 Low Does not currently require corrective action
Your risk evaluation should consider:
• the importance of the activity to your business

• the amount of control you have over the risk
• potential losses to your business
• any benefits or opportunities presented by the risk.
Once you have identified, analysed and evaluated your risks, you need to rank them in order of
priority. You can then decide which methods you will use to treat unacceptable risks.
Role of the Project Manager15
One of the mistakes development organizations make is appointing a project manager only for
the depth of her technical skills. It is not unusual to find a good engineer being promoted to
project manager just for her technical competence. While it is true that one must have a good
understanding of the technical aspects of the project, the principal areas of competence that are
required in the management competence areas and these include communicating; planning,
negotiating, coaching, decision-making, and leadership. These skills are often overlooked at the
time of hiring or appointing a project manager; and they are supplemented by the functional
support provided by the organizations back-office operations, such as accounting, human
resource and logistics.
15
Source: PM 4 Dev, as at www.pm4dev.com/resources/docman/doc.../46-roles-responsibilities-and-
skills.html, as on 28th March, 2017.
58 | P a g e
Another common mistake is the poor definition of the role of the project manager, usually the job
descriptions are too vague and put too much emphasis on the technical competencies required
for the job, organizations make the mistake to assign the project manager the tasks and activities
designed for the project, this may be true for certain small projects but for most of them the role
of the project manager is one of integrator, communicator, and facilitator.
The project manager is the ultimate person accountable for the project she is the one whose job it
is to make sure the project is done, and would be the principal contact person for the donor,
beneficiaries and the key stakeholders. As responsible for the project she needs to make key
decisions regarding the management of the resources available to the project, and to do that the
organization’s senior management needs to appoint the project manager, and give her the
appropriate level of responsibility and authority for project direction and control.
A Project Manager is also accountable to the Program Manager or Organization Director,

depending on the size of the organization; and is accountable to the beneficiaries for delivering
the project as planned. The Project Manager has the delegated authority to commit the
organization on matters regarding performance that are within the scope of the project and the
contract with the donor.
Integrator
A key responsibility of the project manager is to ensure the proper integration of the project
management processes and coordinate the different phases trough the project management
cycle, that ensures that all areas of the project come together to deliver the project to a successful
conclusion. This is the main role of the project manager; it is not related to the technical
responsibilities of the project, which in most cases are managed by the project staff. The role of
integrator involves three specific areas of responsibility:
• Developing the project management plans, which involves the development of all
project planning documents into a consistent, coherent project plan document
• Implementing the project plan, which involves the execution of the project plan and
ensuring all activities are performed by all the people involved
• Monitor and control the plan, which involves measuring the initial results against the
intended objectives and coordinating all changes to the plans.
Project Plan Development
A project plan is the document used to coordinate all the project plans and used as a guide to
implement and monitor the project. Plans should be dynamic and the project manager role is to
ensure the plans have a level of flexibility to allow changes as the project makes progress or when
the project environment changes. A project plan is a tool the project manager uses to lead the
project team and asses the status of the project.
59 | P a g e
In order to create a good project plan the project manager needs to practice the art of
integration, since most of the information contained on the project plans come from many
sources, usually from subject matter experts and project stakeholders. The role of coordinating all
this information gives the project manager the opportunity to build a good understanding of the
overall project and how it will be used to guide its implementation.
Development projects are unique, and so are the project plans. A large project involving many
people over many years would require a detailed project plan with complete and in depth
information spanning many pages; on the other hand, a small project that involves a few people
over a couple of months might have a project plan a few pages long. The project manager will
tailor the project plan to fit the needs of the project; the plans are intended to guide the project
implementation, not to hinder it with too detailed instructions.
The content of a project plan can be used as a guideline for new projects or as a check list to
evaluate current project plans. Either way the project manager or the development organization
can decide the minimum content of the project plan. It is a good practice if the organizations
develop basic guidelines to help the creation of the project plan, since this document will be used
as a communication tool with the donor, beneficiaries, management and other key stakeholders.
Project Plan Implementation
Project plan implementation includes all the efforts necessary to achieve the activity outputs,
implementing the plan is essentially a guiding proactive role accomplished by a constant referral
back to the project plan. This is the place where the project will spend most of its resources and it
requires that the project manager manages and monitors the performance of the project activities
as described in the project plan.
Project planning and implementation are closely related and intertwined activities. Since the main
objective of developing a project plan is to guide the project implementation, a good plan should
help produce good outputs, which ultimately lead to good outcomes. A good approach to help
the coordination between project planning and project implementation is to have the same
people who plan the activities be the people who will implement them. The project team needs to
experience and build the skills to develop and implement a plan, the team that implements the
plan has a better chance at success if its part of the plan development. Although project
managers are responsible for developing the overall project management plan, they must solicit
inputs from the project team members for each process area.
Project implementation requires a different set of skills; such as leadership, communication,

facilitating and negotiating skills. Project managers must provide leadership to interpret the
project plans and the implementation guidelines, project managers must also be able to
communicate with the project team and stakeholders to develop and implement good project
plans. Project managers and their staff must posses the required expertise for successful project
implementation. If they don’t, it is the projects manager’s job to help develop the necessary skills,
or find somebody else who can to the job or alert the organizations management of the problem.
60 | P a g e
During implementation the best practices and good results from the early activities needs to be
documented as to benefit future activities and facilitate improvements to the project plan
Project Plan Monitoring and Control
Monitoring and controlling the project involves identifying, evaluating and managing changes
throughout the project management life cycle, the role of the project manager in this area
involves achieving the following objectives:
• Ensure that changes are beneficial and contribute to the project success; this is achieved
by influencing the factors that create changes and by making trade-offs among the
projects constraints such as scope, schedule, budget and quality.
• Communicate significant changes to management, beneficiaries and donors, specially the
ones that will impact the projects constraints.
• Update project plans and record changes.
Performance reports provide information to measure the status of the project against the original
plans or baseline. The purpose of the report is to identify any discrepancies or issues, the project
team is then responsible to determine the best corrective actions needed. Changes are common
in projects but they must be managed and properly documented, as they are the basis for project
audits and help inform the project evaluators as to the reasons for the changes. Part of this role is
to ensure that lessons learned are captured and shared with the organization to provide guidance
to current or future projects.
Communicator
This is another important role of the project manager, but one that is often overlooked and not
properly taken in consideration when assigning a project manager to a new project.
Communication is providing relevant, timely information to the right people about the project.
Communication is used to inform and educate the project stakeholders about the project
objectives, risks, assumptions and constraints.
The communication or informational role is the most critical role for the success of the project.
The organization functional managers, project staff, donors and key stakeholders need to make
critical decision about the project, and the information they receive must be relevant, on time and
accurate. Project managers in the role of communicators take three functions: to gather
information from project staff and other people involved with the project; distribute the
information to stakeholders, which includes the donor, beneficiaries, and the organizations
functional managers; and the last function is to transmit the information to the external
environment, such as the general public to gain support to the project.
Project managers spend most of their time communicating. They hold meetings; develop reports
(writing as well as orally) to the, donors, beneficiaries or senior management; they listen to issues;
solve problems; provide direction and constantly negotiate for resources. Project managers’
61 | P a g e
success depends greatly on their ability to communicate. The project manager uses two forms of
communication:
1. Formal communications which include progress reports and presentations to management or

the beneficiaries
2. Informal communications which includes email messages, telephone calls, and team meetings
The effectiveness with which this role is used is important to the success of the project and the
project manager.
Leader
A project manager is above all a leader; the team needs direction for the life of the project and
the project manager is responsible for leading the team to achieve the vision that the project has
created, a project manager does this by facilitating, coordinating and motivating the team to
achieve the project goals; this is a central role of the project manager and her ability to influence,
inspire, direct, communicate will determine her effectiveness as a project manager. Leading is a
central role; it involves working with and through others to achieve the objectives of the project. It
is through the project manager’s ability to lead will determine the success of the project.
The focus on this role is to ensure the project team and the project stakeholders have a clear
vision of the objectives the project aims to achieve. During the curse of the project is not unusual
that the team starts shifting its attention from the final objective; here is where the leadership role
is needed and the project manager needs to communicate and motivate the team to the ultimate
goal. The leadership role includes the facilitator, coordinator and motivator roles.
Facilitator
In this role the project manager acts as an individual who enables the project team to work more
effectively; helps them collaborate and achieve synergy. The project manager is not responsible to
do all the tasks of the project, that is the responsibility of the project team, the project manager
role is to create the right conditions that enable the project team to carry their duties.
The project manager also contributes by providing the framework to facilitate the interactions
among the different groups so that they are able to function effectively. The goal of this role is to
support the project team and the beneficiaries so that they can achieve exceptional performance.
The project manager encourages full participation from the project team, promotes mutual
understanding with the beneficiaries and cultivates shared responsibility among all project
stakeholders.
The facilitator role is mostly used when dealing with beneficiaries, since the project manager
doesn’t have any form of authority over this group he must provide an environment of trust
where beneficiaries feel comfortable about contributing ideas and provide input to the project
and discover the solutions that can help achieve the projects objectives.
62 | P a g e
Coordinator
Coordination means integrating the goals and activities of the people and groups involved with
the project. The functional units in the organizations, such as finance, human resources and
procurement; and the beneficiaries and the partners involved with the project, need their activities
be coordinated in away that benefit the project. This role demanded of the project managers is
needed to ensure all these groups are working towards the same goal. The project managers has
to inform each group about what is expected from the by the project, with out coordination these
groups will loose sight of their role with the project and may pursue their own interest at the cost
of the project.
The need for coordination depends on the extent to which they need to be integrated with the
activities of other groups; it depends on the degree of interdependence and the nature of
communication requirements. A high degree of coordination is needed when factors in the
project environment are changing and there exist a high level of interdependence among the
activities performed by the different groups. This is a case when one group requires an output
coming from another group in order to complete an activity.
Communication is the best tool to achieve an effective coordination, the project manager’s role is
to ensure that information is received by all groups at the right time; the greater the level of
complexity and uncertainty about the project objectives the greater the need for information.
The project manager needs to evaluate the best approach to coordinate formal or informal
communications. The approach has to match the project’s capacity for coordination with its need
for coordination; it is important to know if the need for coordination is larger than the ability to
coordinate then the project manager increases the resources to help him coordinate.
Motivator
Development projects are highly complex and demanding on the project staff, this is the reason
why the project manager has to act as a motivator to the team in times of difficulty. Working with
people is not always easy and the factors that provide them with motivation are different from
each other. The project manager’s role as a motivator is to identify the factors that serve as an
incentive for a project team to take the necessary action to complete a task within the project
constraints. The nature of development projects; difficult locations, high security risks, extensive
travel, limited accommodations and other factors contribute to the low motivation of the team.
The project team is an integral part of the project, lack of motivation can lead to high turnover
and low morale which results in poor performance. Even if the project is able to develop the best
plans and has all the resources needed if people are not motivated the project will fail. Project
Managers also foster teamwork among all project participants, they act as catalyst of change to
63 | P a g e
get the beneficiaries, donor, project team and management of the organization to work and meet
the project goals.
Responsibilities of the Project Manager
Responsibility is an agreement between two or more people for the intention of achieving a
desired result. A organization appoints a person as the project manager with responsibility to
undertake the project; but even as the organization has transferred the responsibility for the
project, the organization still retains full accountability for the final result. The project manager
must be sure that the assigned responsibility is clearly stated and the expected results are mutually
understood and accepted by all stakeholders.
Accountability comes as a result of the assigned responsibility. When an organization assigns

responsibility to a person to manage a project, the organization must hold that person
accountable for achieving the desired result or provide consequences for poor performance, such
as a negative employee performance rating, reassignment, probation, or termination. The
accountability must be consistent with the responsibility assigned.
Projects vary in duration, scope, and complexity. On a large or complex project, the Project
Manager may elect to appoint one or more Assistant Project Managers. The Project Manager may
delegate single or multiple responsibilities, including monitoring responsibility to an Assistant
Project Manager. The Project Manager may direct the Assistant Project Manager to control
different processes of the project; this may include controlling budgets, and monitoring progress.
When a project manager is given the authority over the project, it includes the appropriate access
to resources to complete the job, such as access to personnel or signature authority for the
expenditure of funds. Authority must be commensurate with the responsibility assigned and
appropriate to the accountability.
Successful organizations have written policies and procedures that define how responsibility,
accountability, and authority work in the project management environment. It is important to
define in writing the specific responsibilities and authority the project manager will have in terms
of personnel, equipment, materials, and funds. The organization must determine and explicitly
define the level of authority the project manager has to hire and terminate team members,
including the level of purchase authority over equipment and materials necessary to the project or
the level of signature authority over other project expenditures.
The project manager has specific accountability for three areas of the project, accountability to the
donor to provide timely and accurate information; accountability to the beneficiaries for delivering
the project outcomes; and accountability to the organization for managing the project and follow
policies and uphold its values.
64 | P a g e
In general terms the project manager responsibilities in the project are: planning, organizing,
directing and controlling the project. These they are part of the project manager’s main role as
project integrator.
Planning
Planning involves defining what the project will accomplish, when it will be completed, how it will
be implemented and monitored and who will do it. The project manager is responsible for
creating the project plans and defining the goals, objectives, activities and resources needed. The
project plans are the tactical blueprints under which the entire project will be implemented and
will serve as a map to guide the project team, beneficiaries, donors and management.
The project manager is also responsible for updating the plans as new changes or modifications
are approved, she is responsible for communicating all stakeholders on the changes and ensures
that the changes are being incorporated in the activities and tasks of the project team.
Organizing
This responsibility is to establish a structure that will maximize the efficiency (doing the things
right) and effectiveness (doing the right things) of the project. The project manager, once the
plans have been approved and distributed, has the responsibility to build and staff the project
organization that will be capable to carry out the plans. Here the focus is on coordination, control
of activities and the flow of information within the project. In this responsibility the project
manager distributes and delegates authority to project staff.
The project manager must have the ability to determine the type of project organization that will
fit the needs, constraints and environment of the project. An important element of organization is
to staff the project with qualified staff who can take the responsibility for specific elements of the
project.
Directing
Once the plans are made, the project organization has been determined and the project staffed,
the responsibilities of the project manager is to direct, lead and motivate the members of the
project to perform in a unified, consistent and manner. The project team may have people with
different skill sets and project experience; development projects bring together different expertise
from socials sciences to engineering, the team members may have not worked together in the
past and they may come in and out of the project at different times. By directing, the project
manager assumes the responsibility that the project team will follow the vision of the project and
all instructions, mandates and work orders.
Controlling
Controlling is a responsibility to ensure the actions of the project team contribute toward the
project goals; the project manager must establish standards for performance, measure
65 | P a g e
performance and compare it with the established standards; detect variations and make the
necessary corrections. This responsibility ensures that the project is on track.
Management Skills
The evolution of development projects has changed the skills required of project managers. Not
long ago the emphasis was placed on technical skills and project managers were hired by the
experience and proficiency in the technical area the project was involved in. In the last years the
nature of development projects has changed considerably, projects are not just one-dimensional
approaches focused on a single solution. Today’s’ development project use multi-dimensional
methods that include different approaches; these may include rights based, gender, and
partnership.
Project teams involve more and more stakeholders, and behavioral skills are becoming equally
important as technical skills are. In this new time, to be an effective project manager, may require
having an understanding of general management rather than being a technical expert. Projects
are becoming more complex that it is simply no longer possible for the project manager to
remain a technical expert in all aspects of the project. Project managers need to spend more of
their time planning, organizing, directing and controlling the project rather than providing only
technical direction.
Project management is both a science and an art; it’s a science because it requires the use of
quantitative analysis such as charts, graphs, financial data; and an art because it deals with
qualitative analysis such as negotiating, conflict resolution, political, interpersonal and
organizational factors. In order to perform the functions of management and to assume multiple
roles, project managers must be skilled in both the science and the art of project management.
There are five managerial skills that are essential to successful management: process, problem
solving, negotiating and conceptual skills:
Process Skills
The project manager must have skills to use management techniques, procedures and tools. She
must know how to interpret a budget report, know how to read a statistical analysis of a project
baseline data, and understand the correct application of the different management
methodologies. In addition to the above the project manager is expected to have skills in the
effective use of information and communication technology to help her be more effective in her
work.
Process skills are related to working with processes and tools. They refer to using specialized
knowledge and experience related to project management and the specific methodologies of the
project for implementing project activities. These skills are necessary to communicate effectively
with the project team, to assess risks, and to make trade-offs between budget, schedule, scope
and quality issues.
66 | P a g e
Since project managers do not do the actual work of the project, they do not need the same
technical skill level as the people performing the work. This is not to say that the project manager
doesn’t need a level of technical expertise, the more expertise the project manager has in the
process area of the project, the greater his effectiveness in managing the project. Process
expertise is essential to identify potential problems and increases the ability of the project
manager to integrate all aspects of the project.
The project manager must maintain a general perspective and not let her technical competence
lead to micro-managing or do the project work. She must concentrate on managing the project,
letting the project team members perform the technical work and limit her technical involvement
to evaluating the work of the team.
Problem Solving Skills
All projects are prone to encounter problems, problems that were not identified in the risk or
scope definition of the project and that needs to be managed accordingly. Problem solving
requires a good definition of the problem that is detected early enough to allow time to respond.
In many cases the original problem is a symptom or a larger problem.
Problem solving skills make use of different techniques, and by using these techniques the project
manager can start to tackle problems which might otherwise seem huge, overwhelming and
excessively complex. Techniques such as breaking problems down into manageable parts,
identifying root causes of problems, analyzing strengths, weaknesses, opportunities & threats,
must be mastered in order to solve problems.
Additionally the project manager needs synthesis and analysis thinking skills. A project manager
must be able to synthesize information—collecting and arrange disparate information into a
meaningful whole. A project manager must be able to see patterns in information and derive
meaning from distinct pieces of data. Analysis is the skill of breaking a whole into component
parts, much like decomposing work into a work breakdown structure (WBS.)
Negotiation Skills
Project managers spend a large portion of their time negotiating for resources, equipment or
other support, and if they do not have strong negotiating skills, their chances of being successful
are greatly reduced. A large part of negotiation takes place within the organization to get the
resources the project needs, resources that are being requested by other project managers.
Negotiation is the process of obtaining mutually acceptable agreements with individuals or

groups. Depending on the projects structure and the level of authorization the project managers
has to negotiate on behalf of the organization. Negotiation usually include making trade-offs
when stakeholders request changes or modifications to the project and its resources; negotiation
also includes dealing with vendors or consultants who are bidding for a specific good or service,
67 | P a g e
this area may require the assistance of specialized staff such as representatives from legal or the
procurement department.
Negotiation skills also come handy when dealing with project beneficiaries and building
agreements that will benefit both the project and the beneficiaries. Beneficiaries have in many
instances other priorities and participating in the project activities may not be a main priority. The
project manager must be able to find the best approach to develop common understanding and
align the interest of the beneficiaries with those of the project.
Conceptual Skills
Conceptual skills is the ability to coordinate and integrate all the projects efforts, it requires for the
project manager to see the project as a whole and not just the sum of its parts, ability to
understand how all the parts relate and depend on one another. This skill is useful for its ability to
anticipate how a change on one part of the project will affect the entire project. The bigger and
more complex is the project, the larger is the need for this type of skill. This skill helps the project
manager keep a clear vision of the ultimate goal of the project and understand its relationships
and dependencies with the project’s environment.
Conceptual skills refer to the ability to see the "big picture." Project managers with good
conceptual skills are well aware of how various elements of the project environment or ecosystem
interrelate and influence one another. They understand relationships between projects, the
development organization, the donor organization, the beneficiaries and its environment, and
how changes in one part of the environment affect the project. Conceptual skills are necessary to
appropriately deal with project politics and to acquire adequate support from top management.
Interpersonal Skills
Although technical expertise is important, project managers do not need to be expert in the
project’s technical area. In fact, it is better that the project manager be a generalist rather than an
expert. The reason is that experts tend to be very narrow in their views. Experts leading a project
are less likely to consider any other view than their own. The tendency is for experts to believe
their solution is the right one, and therefore the only choice. A generalist, on the other hand, is far
more open to the views and suggestions of the team members. On balance, the results of projects
led by a generalist tend to yield much better deliverables than a comparable project led by an
expert in one technical area.
The most proficient project management skills in the world will not compensate for a procedural
blunder caused by not understanding the company culture, policies, personalities, or politics. The
project manager negotiates with many people and needs to know their personalities, needs, and
desires. The more he knows about the organization, the better equipped that manager is to
maneuver around pitfalls and get what is needed for the project. Every organization has a unique
culture and individual divisions within an organization often have their own personalities.
Understanding these cultures and personalities can help a project manager be more successful.
68 | P a g e
Interpersonal skills require understanding people, their attitudes, and human dynamics. They
represent the ability of a project manager to work effectively as a project team leader and to build
cooperative effort with the project members and all other groups with which the project team
interacts. They are most critical for effective performance in a project environment. Major
interpersonal skills include: communication, team building, coaching, directing, motivating,
training, persuading/influencing, negotiating, and supporting those involved in the project.
The project manager must be sensible to the cultural differences when dealing with diverse
people and their opinions, values, and attitudes. This is particularly true for the international
projects that consist of the people of diverse cultures. Good interpersonal abilities build trust and
confidence between members of the project team and help create good relations and a good
working environment. The important interpersonal abilities required to handle projects are
leadership; communication, behaviour and negotiation:
Leadership Skills
Leadership skills are essential for project managers because project managers must influence the
behavior of others. Project managers require leadership skills for the simple reason that they
accomplish their work through people. Leadership is the predominant contributor to the success
of the project manager. In small projects, good leadership can succeed even in a climate of
otherwise unskilled management. This skill gives the project manager the ability to articulate a
clear vision and provide direction.
Communication Skills
The second most important skill, and the one in which they will spend most of their time during
the life of the project. Good communications skills include verbal and non verbal communications
that enables a project manager to convey project information in a way that it is received and
understood by all project stakeholders.
This skill is important in any endeavor but is absolutely crucial in project management. It has been
estimated that project managers spend 80 percent of their time just communicating: with the
project team, the customer, functional managers, and upper management.
Communication is only successful when both the sender and the receiver understand the same
information as a result of the communication. By successfully getting the message across, you
convey your thoughts and ideas effectively. When not successful, the thoughts and ideas that are
sent do not necessarily reflect what is intended, causing a communications breakdown and
creating roadblocks that stand in the way of the project goals.
Behavioural Skills
Behavioural skills are the skills that give the project manager the ability to work with people, and
the ability to motivate people involved in the project. Behavioural skills are also known as people
69 | P a g e
skills and these skills are needed in development projects due to the large and varied number of
people the project interfaces with.
Behavioural or people skills, it’s the ability to build cooperation between the project team, other
project stakeholders, and the project organization. These skills require an understanding of the
perceptions and attitudes, which help improve the morale of individuals and groups.
Influence and Power of the Project Manager
Project managers are vested authority on the project by the organization, the authority provides a
level of influence on the project and its members and the project manager can use to establish its
power.
Power is the ability to influence the behaviour of the project team to do the things they will not
normally do. A project manager can use five different types of power:
• Coercive power is a negative approach to power, it uses some form of punishment or

penalty treat to get people to do things. A project manager can threaten to fire a team
member if they don’t follow a specific assignment or change a behaviour. This approach is
usually used as a last resort when all other forms of influence have failed and should be
done in coordination with the organizations management and never used as the only
influence factor due to its negative impact on the team’s motivation.
• Reward power involves the use of incentives such as money, status, promotions, official
recognition or special work assignments; these are used as a reward to get some desired
behaviour or assignment. The project manager can use these type of incentive based on
the resources available to the project and polices of the organization.
• Expert power is the use of personal expertise to influence the team to follow directions. If
the team recognizes the project manager as a relevant expertise and has demonstrated
this knowledge, then they will be more likely follow the project manager’s directions or
suggestions on how work must be done.
• Legitimate power is based on authority, and uses the power vested on the project
manager by the organization to make decisions without involving the project team.
Excessive use of this type of power can lead to project failure, the role and position plus
the support given by management to the project manager are part of this part of type of
power.
• Referent power is based on the personal charisma of the project manager, it is based on
the leadership qualities of the project manager and how she has built a good level of trust
with the team. This is a type of power that must be earned before it is used and it’s the
best type of power to influence the team.
Placing roles, responsibilities and skills together
Project managers are expected to accomplish project objectives by using their knowledge, skills,
and practical experience. During the project management process, they have to use a
combination of their roles (integrator, communicator, and leader) and skills (management and
interpersonal).
70 | P a g e
All these roles and skills are equally important in managing a project successfully. Successful
project managers are expected to and must play any one, or a combination of these roles,
depending upon the situation and the phase of the project life cycle. Project managers should
place relatively more emphasis on their role as leaders during the initiation phase, as integrators
during the planning phase, as managers during the implementation phase, and as administrators
during the closing phase. However, it should be recognized that although these roles have some
of their own distinct characteristics, there are also some characteristics that are common and
overlapping. Effective project managers should be able to tailor their roles to the size, complexity,
and environment of the project; cultural diversity of the people and overall organizational culture;
and the circumstances surrounding the project management.
Activity 2
What steps can a Program Manager take to mentor Project Managers within the program in
risk management.
71 | P a g e
Activity 2
72 | P a g e
Activity 2
Confirm risk management is transparent and dynamic across the program so

that risks are assigned and managed in a timely manner
73 | P a g e
Effective program risk management promotes16 -
Risk management as part of the organisation’s culture:
• a culture that is not risk averse but is prepared to manage risks within an appetite that is
set and reviewed by the Executive Leadership Team (ELT);
• a culture of enquiry, learning, reflection and trust to anticipate and objectively assess risks
and opportunities associated with managing directions, services, processes, competencies,
values and behaviours;
• a culture with channels of communication that are open, ethical, and improve connectivity
across the department;
• a culture which continually adds value to departmental governance structure and client
outcomes;
• a culture which commits to a robust business planning and reporting cycle which is
inclusive of risk management principles.
Visible focus on managing strategic risk emergence and uncertainty:
• demonstrated by exercising risk leadership by example and communicating the risk

culture;
• modelling behaviours based on principles outlined in this framework;
• overseeing and understanding the interdependence of risks;
• ensuring competencies by supporting professional development and risk management
education and training; and
• aligning resources with managing risks and opportunities
Full accountability for managing and reporting significant risks at all levels of the organisation
(strategic and operational):
• managing the uncertainty associated with strategic risks

• creating predictability and operational reliability
• implementing cost effective treatments to reduce risks and exploit opportunities
• ensuring risk management is considered in all new projects, initiatives, business cases and
cabinet submissions
• risk information and knowledge that is accurate, timely and complete to be integrated into
an effective decision making process
Risk management roles and responsibilities
The main risk management roles and responsibilities are:
• senior responsible owner - in a program and project management context, the SRO has
overall responsibility for putting in place an effective risk management policy and process
16
Source: Government of South Australia, as at
http://www.dcsi.sa.gov.au/__data/assets/pdf_file/0008/9782/risk-management-framework.pdf, as on 17th
February, 2021.
74 | P a g e
• sponsoring group or board - has key oversight responsibility for risk management
processes and a prime role in setting policy and approving action in the mitigation of risks
that are causing concern
• program manager or project manager - day to day risk management responsibility rests
here; the program or project manager has a key role in implementing PPM related risk
management policy
• risk owner - the person best placed to direct or take mitigating action against individual
risks
• all staff - risk management is the responsibility of all staff in the organisation - staff will
adopt various roles at different stages in the program or project
Activity 3
Describe the various stakeholder responsibilities for risk management within a program
75 | P a g e
Activity 3
76 | P a g e
Activity 3
77 | P a g e
Develop and maintain a program risk-management system for effective
management and communication of risks, controls, treatments and
outcomes to stakeholders across the program
Selecting and implementing risk treatments
Risk treatment involves working through options to treat unacceptable risks to your business.
Unacceptable risks range in severity; some require immediate treatment, others can be monitored
and treated later.
Before you decide which risks to treat, you need to gather information about the:
• method of treatment
• people responsible for treatment
• costs involved
• benefits of treatment
• likelihood of success
• ways to measure and assess treatments.
Once you decide how to treat identified risks you will need to develop, and regularly review, your
risk management plan.
The following are different options for treating risk.
Avoid the risk
You may decide not to proceed with the activity likely to generate the risk, where practical.
Alternatively, you may think of another way to reach the same outcome.
Reduce the risk
You can control a risk by:
• reducing the likelihood of the risk occurring - for example, through quality control
processes, managing debtors, auditing, compliance with legislation, staff training, regular
maintenance or a change in procedures
• reducing the impact if the risk occurs - for example, through emergency procedures, off-
site data backup, minimising exposure to sources of risk or public relations.
Transfer the risk
You may be able to shift some or all of the responsibility for the risk to another party through
insurance, outsourcing, joint ventures or partnerships.
78 | P a g e
Accept the risk
You may accept a risk if it cannot be avoided, reduced or transferred. However, you will need to
have plans for managing and funding the consequences of the risk if it occurs.
Determining and selecting most appropriate options for treating risks
Risk treatment involves identifying the range of options for treating risk, assessing those options,
preparing risk treatment plans and implementing them. It is probable that a combination of
options will be required to treat complex risks. Once a risk is well understood and it is clear that
some treatment will be required, detailed analysis of treatment options may be required. There
will usually be several options, each entailing different costs and benefits and each offering a
different level of risk mitigation.
Key outcomes steps
Identify treatment options

The most suitable risk treatment options for the organisation are identified.
The options are summarised below.
The control or management of risk can be different on an organisational or industry basis.

However there are seven commonly used approaches:
APPROACH DESCRIPTION
1. Elimination / reduction • In this approach the risk is either reduced to its
management lowest possible level to enable it to be managed, or
it is eliminated
• This latter course may involve divesting a
manufacturing process, a particular service within a
general service industry, or simply deleting a process
and replacing it with a newer, safer or alternative
system
• A variation in this approach is not to eliminate the
risk if that is too difficult or too late, but to reduce or
eliminate its effect
2. Assumption of risk • Insurance companies assume risk as part of their
operations. Here the expression ‘assume risk’ means
79 | P a g e
to knowingly accept the risk as part of the agreement
with the person/company that pays the premium.
Organisations unused to risk may assume or accept
its effect because to fail to do so might negatively
affect the organisation’s operations
• Once again the decision to assume a risk must be
taken bearing in mind the competing issues of cost,
proximity and extent of the risk
3. Transfer risk • Insurance is a means of transferring the risk, through
the payment of insurance premiums, to an insurance
company
• It is important to understand that this is generally a
way of managing financially based risk. The
insurance company can only really assume a
financial risk. It is not able to assume risk that relates
to culture, personnel or manufacturing for example
• So if the risk of the factory burning down is
identified, then the financial risk can be transferred to
the insurance company, but the actual risk of losing
specific or specialist machinery cannot
• Often organisations only transfer part of the financial
risk having assessed the insurance premium cost as
too high to transfer it all
• To offer a personal example, this may be
compared with a householder insuring the contents
of the house against fire, but not paying extra for the
loss of specialist jewellery or stereo equipment. It
then falls on the householder to fund the
replacement of such items
4. Changing processes • Risk can be avoided by changing processes, or
refraining from an activity. This is often an ongoing
process of change from risk identification
• Organisations with a positive risk identification and
management culture are ready and willing to change
or remove processes that demonstrate a greater
degree of risk or risk potential
• Changing a process to avoid an activity also requires
a positive risk management culture as this can be
confronting and expensive, particularly if the process
needs to be replaced
• The change or replacement of a process in order to
manage a risk must also be undertaken using risk
management procedures. In other words, the new
process must not create or support the same or
similar risk it was designed to eliminate
80 | P a g e
5. Delaying • An organisation may defer a risk, by delaying it until
such time as it is able to assume the risk or deal with
it in a better and more positive way
• An organisation may believe that research or
development
• It’s undertaking will make it more able to deal with
the risk at a later time
6. Sharing risk • Organisations may seek to share risk with other
organisations by way of joint ventures or cooperative
options
• A good example of this is seen in the construction
and maintenance of motorways in capital cities where
government and private industry come together to
share the expense
• Similarly in recent times wine and beer companies
have combined with manufacturing industries
associated with wine and beer production, when
entering new markets such as China
7. Spread and minimise • An organisation may attempt to spread and
locations of the risk minimise locations of the risk, e.g. a company
may spread its outlets and workforce to a
number of areas in order to spread or reduce
the risk of an incorrect decision in relation to
geographic marketing. For example, a retailer
may have outlets in a number of locations in a
town to ensure the product is available to as
many potential customers as possible
The purpose of evaluating risks is to prioritise the need for treatment plan development. Once
that is completed, it is time to determine the best treatment plan option for that particular risk.
There are a number of different options which you can apply to any risk:
• Accept the risk

• Avoid the risk
• Reduce the risk
• Develop a contingency plan
• Mitigate the impact
o Change the consequences
o Change the likelihood
• Transfer or Share the risk with a third party
Regardless of the final decision ensure that all relevant parties have signed off on it. Although you
may be in charge of developing the risk management plan, this is a group project, with group
decisions.
81 | P a g e
Developing an action plan for implementing risk treatment
A risk management plan details your strategy for treating risks. It details information about:
• identified risks
• the level of risks
• your planned strategy
• the time frame for implementing your strategy
• the resources required
• the individuals responsible for ensuring the strategy is implemented.
Your final plan should include appropriate objectives, a budget and milestones on the way to
achieving those objectives.
Reviewing your risk management plan
The business environment is constantly changing. The type of risks you face will change as your
business develops and grows. Regularly reviewing your risk management plan is therefore
essential for identifying new risks and monitoring the effectiveness of your risk treatment
strategies.
The action plan formalises the risk management process. The specific format of the risk
management action plan will vary from one organisation to another, but the following is an example
of a relatively straightforward methodology.
• Risk
• Date identified
• Level of risk
• Reason for risk rating
• Risk priority /risk ranking
• Action (what is to be done)
• What resources are required
• Who is responsible for the action
• Timeline-when should the action be completed
• Strategy for informing relevant stakeholders- i.e. staff volunteers, board, corporate
sponsors, etc.
• Review date
A risk control action plan is essential for the effective and systematic introduction of risk control
actions. Remember to compare the levels of the risk control hierarchy with the time frame when
determining target dates.
Sample risk treatment action plan
82 | P a g e
Communicating risk management processes to relevant parties
Risk management communication is the sharing of information about risk and risk management
between the decision makers and others. Parties can communicate at any stage of the risk
management process. When all parties in a project communicate their expectations and
perceptions early and often, the “disconnects” between opposing parties can be readily
established.
Steps can then be taken to resolve those differences and align everyone’s expectations and
perceptions. To be effective, communication must flow both up and down the chain of command
so that all parties are informed.
Good planning will lead to good communication. All parties should agree on acceptable means
and lines of communication early in the process. Develop tools to aid the communication process
such as correspondence logs, telephone conversation logs, and e-mail protocol. Communication
must be handled in a professional and courteous manner.
When dealing with a contentious issue, it is not a good practice to send a letter or e- mail
immediately after composing it. Take time and then re-read the communication before sending it.
Communicating only the facts of the case and avoiding emotional outbursts or statements of
opinion can help to avoid problems or making problems worse. 17
17
Source: Civil Engineer, as at http://civilengineerblog.com/foundation-risk-management/, as on 17th
February, 2021.
83 | P a g e
Communication factors such as language and literacy
Effective communication is obviously critical to genuine participation. The specific needs of
individuals in the workplace need to be taken into account. Individuals will have different levels of
literacy and either may not speak much English or may not have English as their first language.
For example, induction and instruction in policies and procedures need to reflect the language
and literacy levels of each person, and things like safety and emergency warning signs, which are
for the whole workplace, need to be based on easily understandable pictures, rather than complex
language.
Communication must be a two-way street. If individuals are to be able to participate in OHS

activity in a meaningful way they need access to information in a format they can understand, and
they need to be able to communicate back to OHS representatives, supervisors, OHS advisers and
others easily. 18
Diversity of workers
Employees may come from different cultural, age and educational backgrounds with different
views about personal responsibility and authority; they will have different previous experiences,
knowledge and skills and may have different learning styles. They may have external pressures
and stresses in their lives or pre-existing physical injuries. All these factors need to be taken into
consideration in designing and developing participative arrangements.
Your risk management plan must be distributed to all appropriate personnel; especially those who
have a part in implementing the plan.
Distribution of your risk management plan to key personnel is best accomplished through a
meeting where you briefly explain the plan. I say briefly, because we all have the tendency to
become long winded when we are talking about our own pet project. You need to ensure that the
information you share verbally in that meeting is the key information, nothing more. Everything
else will be provided in the written plans that you distribute in the meeting.
Identify and evaluate key ethical, legislative and organisational considerations for risk
management options19
Risk management is the process whereby organisations identify, assess and treat risks that could
potentially affect their business operations. It should be a central part to any organisation's
strategic management and its objective is to add maximum sustainable value to all the activities of
the organisation.
18
Safetyline Institute, as at
http://institute.safetyline.wa.gov.au/pluginfile.php/1642/mod_label/intro/BSBOHS503B.pdf, as on 11th
August, 2015.
19
Source: Small Biz Connect, as at http://toolkit.smallbiz.nsw.gov.au/part/18/89/392, as on 17th September,
2015; Core, UK, as at http://core.ac.uk/download/pdf/10826574.pdf, as on 17th February, 2021.
84 | P a g e
Risk management is not something that you just do once and forget about. Rather, it should be a
continuous and developing process. Risk management should also be integrated into the culture
of your business and you should put in effort to convey this to all your staff, from management to
the workers. This approach to risk management will create an environment of accountability,
performance measurement and reward, thus promote operational efficiency at all levels within
your business.
The following are some ways in which risk management can protect and add value to your
business:
• Provide a framework for your business that enables future activity to take place in a
consistent and controlled manner
• Improve decision making, planning and prioritisation by comprehensive and structured
understanding of business activity, volatility and project opportunity/threat
• Contribute to more efficient use/allocation of capital and resources
• Reduce volatility in the non essential areas
• Protect and enhance assets and the image of your business
• Optimise operational efficiency
One of the more recognised and structured approach to identifying risks is to consider the key
processes and assets that are responsible for your business' success. You can use techniques such
as brainstorming and the SWOT analysis. Keep in mind that this activity should be done by
someone that understands the business inside out. If you wish to use the services of an external
consultant, it is best that you spend time with them to ensure that they understand how the
business operates in practice. Any 'standard solution' should be approached with caution as each
business is unique thus often requiring a customised approach.
85 | P a g e
When identifying risks, you should not only focus on the strategic or corporate level (i.e. top-down
approach), but also at the level where the risk arises or has its most direct impact (bottom-up).
The latter is often neglected but you should be aware that almost every person within your
business plays some role in the management of risks. It is therefore always important to involve all
staff in order to capture information about risks and allow better decision making.
You should also factor in all the potential risks that are applicable to your industry. However,
industry-wide risks are not always a negative thing. With the correct approach and resources in
place, these risks are usually opportunities for individual businesses that can successfully overcome
the challenges.
The process of assessing risk involves four steps:
1) Risk awareness
Before risk management can occur, you need to recognise that risks exist within your business and
that they can and should be managed. Further, it is good practice if you embed risk within the
culture of your business.
2) Assess the risks
Every type of risk should be approached differently and should have its own assessment format.
For example, environmental risks such as fire involve physical audits, while strategic risks are more
likely to involve research and analysis. It is recommended that you develop a standard
methodology for assessing each type of risk.
A thorough risk assessment usually includes measurement. This allows you to analyse trends, and
to make decisions based on fact, not opinion.
The next part of the process is to determine the priorities of each risk. This will allow you to
allocate appropriate resources depending on the rankings of the risks. For example, if your
business has had a history of high staff turnover, you may rank the risk of staff leaving
unexpectedly high as opposed to the risk of a bush fire, which would be relatively low (depending
on your location).
86 | P a g e
A common practice for many businesses is to limit their risk assessment to those risks which they
know that can resolve or ones that they can afford to resolve. This is a dangerous strategy and
almost defeats the purpose of risk management. When undertaking this task, you should not have
any preconceptions about risk. No risks should be excluded simply because of a lack of resources
or because you may feel that they cannot be solved. If you are unable to acknowledge that a risk
exists when you clearly know it's there, you won't be doing yourself and your business any favours.
In fact, you will be holding your business back from finding solutions to overcome the risk which
consequently will result in higher risk exposure for your business.
3) Treat the risks
Once all the risks have been identified and assessed, you should develop strategies to prevent
them from occurring. Strategies include:
• Avoid: choosing not to accept the risk.

• Minimise, reduce or control: through means such as improved monitoring, or changing
the process.
• Spread (also known as transferring or sharing risk): by diversifying, sub-contracting,
outsourcing, joint venture, hedging, or insurance.
• Accept: deciding that the risk is within agreed risk tolerances.
4) Monitor
The final stage is to monitor risks. This includes regularly measuring the risk (to ensure that it
remains within stated tolerances), and auditing (to ensure that the procedure is being followed).
As part of the monitoring process, you should be looking at things such as:
• Trends that indicate a growing danger

• Data that shows variances from the norm, or is outside pre-set limits
• Key performance indicators
• One-off reports on new areas of risk
• Information from a range of sources
• Key findings from audits
Ethics related to Risk Management

Ethics has often been seen as something outside normal business practice – something that is
good and proper, good to have, but something of a luxury in the turmoil and competitive
environment of the business world. It is also clear that only a genuine commitment rather than a
public relations veneer will work. More important activities were those that can be costed and
seen to add value to the bottom line. Managing risk is about managing the threats posed by such
things as changes to government legislation (such as industrial and commercial work cover
insurance or equal opportunity employment), or responding to the public outcry from
technological collapses (as happened in the ESSO plant in Victoria, Australia; and the Exxon oil
spill in Alaska).
87 | P a g e
With the collapse of major business corporations, such as ENRON, OneTel and WorldCom, due
not in small part to the pervasive influence of corporate cultures devoid of ethical principles and
conduct, stakeholders of major corporations are wondering whether implementation of risk
management strategies (including ethical principles) may have alleviated if not avoided some of
these collapses.
Risk entails a threat posed by the failure of corporate decisions: the exposure to such issues as
economic or financial loss or gain, physical injury, or delay as a consequence of pursuing or not
pursuing a particular course of action. BHP’s losses in Bougainville, Shell’s in Nigeria and CRA’s in
New Guinea were due to loss of local support because of a failure in relationships with local
communities. Managing risk is about the application of policies and procedures to the tasks of
identifying, analysing and assessing risks, determining the degree of exposure to risk that
organisations can accommodate, and taking appropriate steps to avoid litigation, loss of
reputation or injury.
There are at least two aspects to risk management: management of resources, and management
of stakeholders. The former refers to such matters as corporate management (for example,
managing investment, diversification, production of new products, relationships with the external
political/legal/social environment in which the organisation operates), administrative systems (debt
management), technology (information systems), or human resources (loss of skilled personnel).
The latter issue, decisions about stakeholder relations, are about the interests and well-being of
people, (such as customers, suppliers, employees, affected communities and others who have an
interest in the performance of a company). This paper argues that there are compelling reasons to
consider good ethical practices to be an essential part of risk management. It discusses what
ethics means in an organisation context, two ethical risk management strategies (compliance and
building internal infrastructure), and illustrates some of the consequences of an effective ethical
risk management strategy. The approach here is that of exemplars and of legal determinations
rather than the empirical studies of the connection between financial and ethics measures, or of
strategies that do not directly address ethics, such as the issue of growth outlined by Hamel
(1999), in which he argued that there are as many stupid ways to grow as there are to cut. He
advocates the value of growing by changing the basis for competition by inventing new industries
or by a dramatic reinvention of existing industries.
ETHICS IN AN ORGANISATIONAL CONTEXT

Business ethics is concerned with the moral philosophy, values and norms of behaviour that guide
a corporation’s behaviour within society. Ethics concerns formalised principles and codes of
conduct as well as value systems that guide how we behave and apply to ethical situations that
may arise in doing business.
Francis (2000) describes seven ethical principles that might act as a guide to ethical behaviour.
Dignity refers to treating each individual as an end rather than a means. This means respecting the
interests of other. This principle, for example, guides actions taken in the interests of others,
customers in product recalls, employees in safety practices, and small less powerful business by
offices of fair trading. It implies the avoidance of ruthfulness, callousness or arrogance. Equitability
is being just, fair and even-handed in decisions. Prudence requires people to exercise a degree of
88 | P a g e
judgement that makes a situation no worse, and applies when decisions must be made about
recalling products that cause illness or are unsafe. Prudence also applies to decisions where harm
may outweigh the good. An example is the convention that, when faced with a tied vote, a
chairman will cast a vote in a cautious and prudent manner, voting for the status quo, and
defeating the motion. Honesty is reflected in straightforwardness, truthfulness and avoidance of
lying, cheating or stealing. Openness is about not concealing that which should be revealed. In the
public sector it encompasses the public interest and the public’s ‘right to know’ and a duty not to
unnecessarily invoke the ‘commercial in confidence’ clause to disguise business dealings. The
converse side of openness is a respect for the privacy of individuals. Goodwill is about concern for
others reflected in kindness and tolerance. Essential aspects of goodwill in business are altruism,
philanthropy and corporate social responsibility. The latter affects decisions about a variety of
actions as diverse as paying a just share of taxes, handling health and safety for employees or
concern for the communities in which they operate. Avoidance of suffering supports the view that
pain and suffering should be prevented and alleviated arises in decisions about for example, the
level of care and expense that should be invested in avoiding oil spills, avoiding production for
chemical or biological warfare, or avoiding investment in some industries such as the tobacco
industry.
These principles are valued when they are seen as important. Companies may also have other
values (such as customer first service; excellence: being the best in what we do; integrity: when we
say we will do something we will do it) that are also seen as important. Professional and other
associations also promote their own value systems. For example, in addition to the above values
The Australian Institute of Company Directors expects Board members to support values of
independence and equality of shareholder opportunity.
Many of the pressures to give adequate consideration to ethical issues come not from the
traditional concerns of strategic management but instead from concerns about social issues
(Prahalad and Hamel, 1994). Among them is an appreciation that successful corporate
performance depends on the competitive advantage offered by managing issues that affect
various stakeholders. These range from employees and customers to government departments
and communities and changing expectations of business reflected in the emergence of mutual
obligation and corporate social responsibility (CSR). CSR is the social, cultural, and environmental
responsibilities that a business, a corporation, or an organisation has to the community in which it
seeks to operate, as well as economic and financial ones to shareholders or immediate
stakeholders.
The World Business Council for Sustainable Development (WBCSD: 2001) noted the wide
opportunities for companies to ‘… to drive profitable growth by providing products and services
that improve people’s lives in both the developed and especially in the developing countries’. This
amounts to an argument that the ongoing commitment to ethical behaviour contributes positively
to economic development as well as to the improvement of quality of life of all.
In 1997 Waddock & Graves argued for a reformulation of the hypothesized relationship between
socially responsible performance and financial performance. Their conclusions were that ‘… the
89 | P a g e
quality of management of a company’s stakeholders –owners, customers, employees,
communities, and the environment – reflects the quality of its social performance’.
While the evidence is not always unequivocal there is increasing support for the proposition that
investing in stakeholder relations is a positive risk management strategy. The above discussion
suggests that organisations and their stakeholders profit when commitment to ethical principles
and values guide decisions. As Hillman & Keim found (2001, p.126) managing stakeholder relations
leads ‘to customer or supplier loyalty, reduced turnover among employees, or improved
reputation’, and go on to nominate those valuable assets as likely to ‘… lead to a positive
relationship between stakeholder management and shareholder value wherein effective
stakeholder management leads to improved financial performance’. It is worth noting that this
conclusion is based on empirical data from 500 companies in the Standard & Poor list.
An ethical risk management strategy concerns the infrastructure that promotes ethical conduct,
that is, the directives and supports that both manage risks associated with lack of ethical practices
and provide incentives to promote ethical conduct. These can include conformance with externally
mandated legal and legislative requirements as well as internal supports and expectations.
COMPLIANCE WITH LEGAL AND LEGISLATIVE REQUIREMENTS

Compliance may be comprised of different content areas; and will include, for example,
environmental management systems, defamation, regulatory, reputational, financial, occupational
health and safety, competition issues, consumer issues, privacy, and intellectual property.
Over the last three decades there has been a strong move to formalise compliance rules. Among
the bodies exerting a powerful influence are the Australian Competition and Consumer
Commission (ACCC), the Australian Securities and Investments Commission (ASIC), and the
Australian Stock Exchange (ASX).
A report reviewing the 25 years of the ACCC (ACCC. 25 Years of the Trade Practices Act, 1998-
1999) noted that the Trade Practices Act of 1974 (the benchmark Act) has become ‘... part of the
economic fabric of Australia’. In essence the ACCC monitors competition and consumer issues by
both administering the Act, by less formal dispute resolution, and by prosecuting errant
behaviour. Its high profile ensures that appropriate publicity is given to exemplary cases to be
certain that the message is driven home. Indeed, one can well see that adverse publicity is
expensive in both financial and reputational terms. This Commission is now part of the fabric of
Australian economic activity such that it takes some thought to imagine the standards that would
prevail were it otherwise.
The case of ACCC v Real Estate Institute of Western Australia Inc. (1998) has widened the scope of
trade practices compliance programs under section 80 of the Trade Practices Act (see also Farmer,
1999). The court held that it had a power to order respondents to undertake a program that
ensures that the organisation understands what legal compliance is necessary. This is a broader
approach by the court than that previously applied, for example in the Z-Tek decision in which the
Federal Court held that Z-Tek Computers, in advertising the price ex-tax without also advising
potential customers the tax-inclusive price, was in breach of the Trade Practices Act of 1974
(Australian Competition and Consumer Commission [ACCC 1998]
90 | P a g e
Work available on the ACCC website deals with legal aspects rather than corporate governance or
ethics, but still contains valuable guides to establishing a risk management strategy that ensures
compliance with government regulations. A guide to AS 3806 Compliance Programs (What are
the essential elements of an effective compliance program, ACCC, 2001) outlines the important
elements and may be used to assess an organisation’s compliance system when considering
complaints under the Trade Practices Act. The Australian and Securities and Investments
Commission have adopted these as benchmarks for the Managed Investments Act of 1998. The
guide notes available resources, and how they may be used to help decide on the risks to be
covered. There is a useful risk management guide.
The Australian Stock Exchange now requires Listed Companies to include in their annual reports
their policies on corporate governance practices. In an example of what such reporting could
cover, the ASX includes procedures to ensure openness and transparency of board decisions and
management of risk that include disclosure of: appointment of non-executive directors;
procedures, responsibilities and rights of the audit committee; the board’s approach to identifying
areas of significant business risk and to establishing procedures to manage those risks; and the
company’s policy on the establishment and maintenance of appropriate ethical standards
(Stapledon & Taylor. 1998).
Central to the notion of good ethics is the issue of transparency. Kensicki (2000) makes that point
in connection with disclosure to underwriters; and Veysey (2000) makes it about the lack of
transparency leading to reputational risks.
Stapledon and Taylor went on to report (p.395) that in a review of the top 100 companies many
companies ‘revealed an imperfect understanding of the underlying issues’ involved in corporate
governance. If corporate governance policy is to be more than window dressing, and to have real
utility, it could well consider including an ethics audit on every major policy decision implemented
during the year under report. Such reporting would enhance its reputation for taking a big view of
its decisions and provide a proactive defence against criticism.
While it is clear that legal compliance must have primacy that is not to say that ethical compliance
does not complement that process. Where the law quite rightly sets minimum standards, ethics
may set aspirational ones; where the law seeks sanctions, ethics may seek flexible and creative
solutions. On first principles a court will consider a Code of Ethics as of substantial relevance.
Ethical self-regulation is a complement to the law. Ethics seems to be more effective when it is
positive rather than punitive; similarly, a solution orientation rather than a punitive orientation is
itself an ethical response. Given that ethics does not have the firm prescriptions that the law has it
affords an opportunity to be creative in its approach.
The trend to self-regulation has much to commend it. This proposal applies just as much to other
organisations (such as aid organisations, bureaucracies, and professional bodies) as it does to
business. Where self-regulation fails there is little doubt that the law will intervene. Whatever the
basis of the code disclosure of compliance is a major issue.
A recent example is that of Baring’s Bank. One of the traders for Baring’s Bank (Nick Leeson)
deceived the Bank by reporting huge profits while actually incurring huge losses. No responsible
91 | P a g e
person seemed to have checked what was going on, although with the wisdom of hindsight there
were indications of unlawful acts.
The Bank’s collapse was sudden and total. The point here is that there are danger signs and the
need for supervision – and that organisations ignore them at considerable risk (Drummond, 2002).
This highlights what can happen when compliance checks are not kept firmly in place. Illegal
decisions occur when employees, no matter how senior, have considerable control over profit
goals, and when employee’s opportunity for abuse is unchecked and uncontrolled. We must
conclude that external controls are important.
INTERNAL INFRASTRUCTURE
Most textbooks on strategic management have a chapter on the influence of values and
organisation culture on strategy. As Thompson and Strickland (2001) noted, the culture of an
organisation is comprised of its beliefs, practices, views, and traditions. The stronger the culture
the increased probability that it will affect its strategic decisions. Those authors go on to say the
importance of organisational culture, and highlight how it might be used advantageously to
construct meaningful strategies. This view is reflected in the recent emphasis on strategic
management on the construction of meaningful strategies that emphasise core values to which
employees and stakeholders can relate – as is implied in such studies as Waddock and Graves
(1995 and 1997).
Starting with Board composition and conduct, committees and ethical decisions, the leaders of
organisations send a clear message to employees about an organisation’s culture and behavioural
expectations. Many studies (for example, Waddock and Graves, 1997, Francis and Armstrong,
2000) have found that good social performance is positively correlated with financial performance.
Others have shown the advantages of ethical climate and good social performance. Studies of
corporate climate (Cockerell and Armstrong, 1999) found that a lack of ethical climate was
associated with higher incidences of fraud .
The KPMG Fraud Surveys (KPMG Australia. 1997 & 1999) showed that poor internal controls, and
employee/third party collusion ranked of high importance in allowing fraud to occur (poor internal
controls, at its highest, was rated at about 58%). Lack of controls by directors ranked distinctly
lower in importance (about 3-5%). It is instructive to look at the responses that see a code of
conduct as a step which might be taken to reduce fraud. In 1993, fraud, in companies who took
steps to reduce fraud by a Code of Conduct, was 69%; in 1995 it was 51%; in 1997 it was 51%; and
in 1999 it was 59%. It will be seen that a Code is perceived to occupy a key role in fraud
prevention. The measures used to prevent and detect fraud are given in some detail. It will be
borne in mind that these are directors’ perceptions. The surveys obtained responses gathered with
a questionnaire sent to a large sample of Australia’s largest businesses.
It will be noted that these responses represent the perceptions of the most senior staff within
companies, and that the response rates vary from the low 20% to a notably higher rate of 37%. A
particularly valuable part of the KPMG work is its ongoing nature, allowing us to gain a better
temporal perspective.
One of the most effective tests of sincerity of commitment is that implementation of a good
whistleblower policy, as is the need to have an appropriate audit procedure to monitor those
92 | P a g e
most responsible or at risk where breaches might occur. With this goes the need to keep
complete records. An independent audit of this whole compliance process makes its sincerity of
commitment transparent. For a fuller discussion of this compliance issue see Dee (1999).
Wood (2002) in a study of the top companies in Australia confirmed that the appropriate
infrastructure to support an ethical culture included a code of conduct. As Wood pointed out, an
inclusive approach is essential for any ethical infrastructure. The imposition of ethics from the top
down is unlikely to be successful. Among the aspects of ethical infrastructure is not only a code
but also a committee to develop and exercise the code, some form of training, and regular open
reporting.
A risk management strategy starts with commitment from the top of an organisation for an ethical
culture supported by appropriate policies, a code of conduct, and procedures and systems in
place to reward ethical conduct and censure inappropriate actions.
DOES AN ETHICAL RISK MANAGEMENT STRATEGY PAY DIVIDENDS?

The motivation of performance and building social capital through good relationships with
stakeholders is an integral part of good risk-management. This helps ensure a more rigorous basis
for strategic planning as a result of a structured consideration of the key elements of risk. Other
advantages are that ethical behaviour is likely to help avoid litigation: if litigation does occur there
may be mitigation of penalty if a sincere commitment to ethics is able to be shown.
There are a number of compelling reasons for Australian companies to avoid disputes. While
recognising that there are sometimes legitimate reasons for dispute it does seem that many such
disputes are both un-necessary and counter-productive. Informal dispute resolution has the
several merits of producing flexible outcomes, retention of confidentiality, time and cost savings,
and reputational enhancement. These points are endorsed by the Australian Competition and
Consumer Commission. Indeed, that ACCC has a paper entitled ‘Benchmarks for dispute
avoidance and resolution’ . Complementary to this is the publication ‘Unconscionable conduct in
commercial transactions’ (ACCC, 1998). (See also Zumbo, 1998). It is here that that ethical
principles have persuasive power.
There are new laws having an impact on a directors’ responsibility to understand new legislation
and to ensure that compliance procedures are in place. Kole & Lefeber (1994) noted that … the
single biggest factor in making prosecutorial discretion work toward the goal of avoiding risk is the
existence of any regularized, intensive, and comprehensive environmental compliance program’.
The absence of risk management opens opportunities for litigation. The risks here might be
extended to the management of public outrage. Watts, (1998) has discussed this issue in some
detail. His point is that there is a significant danger in ignoring public ire: the way that risk is ‘...
perceived by companies and the way that it is perceived by external stakeholders’. There is even a
reference to a windows based program to ‘... help companies to predict and manage public
outrage’.
Laufer (1999) has drawn our attention to the risk of being too compliance oriented. As he puts it ‘
… corporations that purchase only the amount of compliance necessary to effectively shift liability
away from the firm encourage moral hazards’. We argue that this compliance, and perhaps,
93 | P a g e
minimalist orientation draws our attention from the distinct benefits to be derived from observing
the ethical canons at the highest level. Organisations that take only the minimum compliance
position do, as Gentile (1998) noted, ‘… effectively shift liability away from the firm encourage
moral hazards’.
In the US context Butler (1997) noted that ‘As corporations we live at the sufferance of the public.
If we do not behave well we can be sued... and every day it seems that another company is the
subject of ‘the wrong kind of story’ in the Wall Street Journal’. Butler goes on to recount
arguments concerning the adverse publicity that stems from allegations of environmental
pollution, anti-trust infractions, sexual harassment, illegal payments, and racial issues.
An analysis of litigation, given by Francis, Philbrick and Schipper (1998), noted that companies that
were the targets of earnings-based litigation 1983 - 1993, had steep earnings decline that
management attributed to poor sales. Those firms also had higher operating leverage and greater
sales volatility than comparable companies that were not sued. Those writers support the idea that
litigation prone industries and companies have operating environments that make them
susceptible to earnings surprises. One has to recognise that earnings surprises may stem from
other sources, such as sales surprises, Indeed, it might be argued that earnings surprises had little
to do with ethical behaviour but Francis et al did note that the litigation was based on managers’
withholding of relevant information from investors – clearly an ethical matter.
None of that vitiates the view that in recent times there have been several exemplary cases of
what happens when a disaster strikes. The bad press, the reputational loss, and the legal and
commercial difficulties are well illustrated by such cases as the Union Carbide disaster at Bhopal in
India; the Exxon Valdez oil spill, and difficulties that BHP encountered over the OK Tedi mine in
Niugini. In this latter case
the company, Australia’s largest, was engaged in a mining operation at OkTedi in Papua Niugini,
seeking to extract gold and copper. They were extracting 180,000 tons of rock per day in order to
get 80,000 tons of ore from which to extract the minerals. There were tailings of rock, powder, silt
and water, together with some treatment chemicals, which needed to be disposed of. A dam was
built to accommodate these tailings and to try and deal with them in an environmentally friendly
way. Landslides destroyed the dam and so the fine tailings were dumped in the river. While there
were elements of financial prosperity brought to the region the long term effects on health,
education, social, and recreational needs were not being met. The poisoning of the river, the
destruction of habitat, and the absence of a long-term plan for living are viewed detrimentally.
This case was the subject not only of litigation but also of wide media coverage in Australia. While
BHP had taken certain steps to rectify the situation, including setting up a trust, the reputational
damage was substantial (see (Hanson & Stuart, 2001 for a fuller discussion).
There are salutary lessons about handling disasters well: the poor handling of the Bhopal disaster
is contrasted with the excellent handling by Johnson & Johnson’s recall of Tylenol following
allegations of criminal poisoning of the product.
MITIGATION OF PENALTIES FOR NON-COMPLIANCE

With a proactive compliance program, in a case of non-compliance courts might well be more
willing to mitigate penalty, and thus a prior commitment to an ethical stance could become a
94 | P a g e
proactive strategy to limit penalty risks. While the proactive strategy does not necessarily imply a
genuine desire to behave in an exemplary fashion it also points to the need not to feel and to be
saintly, but rather, to behave well.
From an enforcement point of view, companies will be particularly interested in remedies and
defences. The Australian Trade Practices Reporter (CCH,2001), writing on compliance procedures
noted that ‘... compliance programs serve a preventative function in relation to strict liability
offences and inferential function in relation to other types of conduct in that the existence or lack
thereof may assist a court to assess the purpose behind a company’s conduct’. That source also
went on to say that ‘... the existence of a compliance program in relation to Pt IV will not provide a
defence but will merely be taken into account in mitigation of penalty, it will still be an influential
factor (and then cited the cases in demonstration) (ATPR. V2. 12,463 / 18-575).
Courts have taken a sincere commitment to recognising appropriate behaviour as evidence, and
have varied the penalties where it can be shown that such a commitment was genuine. In order to
mount such an argument it is necessary to gather evidence about the existence of ethical
infrastructures, corporate governance, contrition where breaches have occurred, and of a genuine
commitment to improve. No matter how constant the vigilance it would be hard to believe that
some occasions of complaint will never occur. An effective ethics policy, and an aspirational Code
will both minimise the risk of such occurrence and provide an aid to defence should a
transgression occur. The existence of a properly maintained and run ethical infrastructure is an
indicator of an appropriate corporate mens rea.
The idea that the courts could take genuine ethical commitment into account has been set out in
the Goldberg Test for Compliance. This landmark case was ACCC v Australian Safeway Stores Pty
Ltd. (1996) Australian Trade Practices Reporter (ATPR. vol 2. 12-305 / 18-365) Mr Justice Goldberg
indicated that one needs to look at the company’s compliance program in two ways: whether or
not there has been a substantial compliance program in place, and actively implemented; and
whether or not the compliance program was successful (Dee, 1999).
His Honour did not set out the detail of compliance, but that seems already to be found in the
Australian Standard on Compliance Programs (AS 3606-1998). Among the salient considerations is
that compliance be ‘top-driven’, and there be the appointment of someone senior with direct
responsibility. All of this commitment needs to be adequately resourced. The court found that a
compliance program was not successful in that the failure was not an isolated one ‘... but had
occurred on different occasions and with different officers.’
It was noted there that the courts have been inclined increasingly to the view that an effective
compliance program ‘can be useful in mitigating penalty’. One of the first cases in which this
became an issue was in the Trade Practices Commission versus CSR Ltd. Here the court looked at
the substance of the compliance program. In the judgement it was noted that the ‘… failure of CSR
to offer any indication of, inter alia, revitalisation of its compliance program was regarded as a
matter of criticism’.
Although not all criteria may be binding, they are highly persuasive in court when it comes to
assessing penalty. These were set out by Justice French in the Trade Practices Commission v CSR
Ltd case. The criteria are:
1 The nature and extent of the contravening conduct.
2 The amount of loss or damage caused.
3 The circumstances in which the conduct took place.
95 | P a g e
4 The size of the contravening company.
5 The degree of power that it has, as evidenced by its market share and ease of entry into the
market.
6 The deliberateness of the contravention and the period over which it extended.
7 Whether the contravention arose out of the conduct of senior management or at a lower level.
8 Whether the company has a corporate culture conducive to compliance with the Act, as
evidenced by educational programs and disciplinary or other corrective measures in response to
an acknowledged contravention.
9 Whether the company has shown a disposition to co-operate with the authorities responsible
for the enforcement of the Act in relation to the contravention. (ATPR: vol 2. 12-304 / 18-
365
It seems obvious that not all of these principles will be applied with the same force regardless of
circumstance. Judges are more likely to take these factors and consider to what extent they are
applicable to the case, and to what degree. To this we might add that there is a useful guide to
‘What have the courts said about compliance programs’ (ACCC).
In the US, Dalton et al (1995), with a consistent finding, wrote of the courts as having provided a
new set of compulsory sentencing guidelines. Among these factors which ‘... mitigate or aggravate
sanctions for offenders’. That is to say that good reputation is taken into account.
Another dimension may be added to this issue, that of using creative solutions that are both novel
and ethical - an issue has been well addressed by Jones (1992). For example, the American
Environmental Protection Agency assessed a substantial penalty for pollution against one
company. The financial was reduced to less than half on the understanding that the company
would invest the remaining penalty sum installing pollution-reduction equipment. Other instances
are the requirement of environmental restoration
ENSURING A SAFE AND HEALTHY WORK ENVIRONMENT

Legislation has been one of the effective ways of motivating corporate decision makers to ensure
a safe and healthy work environment, Not only is this a corporate social responsibility but the
threat of company director prosecution for not preventing an unsafe workplace make compliance
imperative. Not only prosecution but the penalties of over 100% rises in Worksafe premiums when
accidents occur are motivators in themselves.
Gallagher (1999) has suggested that another way of convincing decision makers to reduce risks
would be to appeal to their values and morals. He recognises the companies are profit oriented,
and holds that making a moral challenge to safety professionals is the right thing to do. It could
well work.
ETHICAL JUDGEMENT
Ethical judgements fall on a continuum. At one end are the legally certain (you may not
discriminate on the grounds of colour of skin): of more dubious nature is that of executives getting
pay rises when other staff are being laid off: thornier ones here involve the collision of sincerely
held belief systems. (eg. a Roman Catholic nurse who refused to hand out condoms and the
contraceptive pill). Grensing-Pophal (1998) aptly calls the article ‘Walking the tightrope: balancing
risks and gains’.
96 | P a g e
One of the issues of significant concern is that of preserving confidentiality of individuals and of
commercial secrets. If privacy safeguards are not provided, ethical compliance may be seen as a
deterrent; too diligent a publication of all adverse findings has the same effect. Another
fundamental issue of what policy and procedures to adopt to accommodates those who would
blow the whistle.
Ethical programs need several features that act in concert; the absence of any one is likely to
negate the benefits of the whole, and render the ‘good intention’ defence inoperable. The
significant features are the formalisation of a Code of Conduct; a properly constituted ethics
committee that meets regularly; periodic and transparent reporting; and an involvement by
representatives from all levels of the organisation.
A risk management strategy is a commitment to ethics in an organisation. Risk management in

this context addresses the threats posed by unethical decisions in relation to an organisation’s
stakeholders. An ethical organisation is one where ethical conduct is promoted by the
organisation leaders, where systems and procedures are in place to reward conformance to
ethical behaviour and discourage unethical practices. The evidence presented above suggests that
not only does this contribute to the quality of life of all stakeholders but it has positive outcomes
for the organisation, contributing to profits, reducing fraud, avoidance of litigation, mitigating
legal penalties for lapses in legal compliance and ensuring a safe and healthy environment.
There is a case for a synthesis between legal compliance and ethical compliance through
aspirational self-regulation. This beneficial symbiosis would need to be accompanied by some
form of reward system that has a direct outcome of benefit to the company, to stakeholders, and
to society. Self-regulatory is better than externally imposed sanctions in that it is well informed by
those expert within the industry sector. A well-informed code of conduct that optimises the
commercial function of an organisation - thereby improving profits – provided self-regulation is
not seen as a means of subverting the basic principles of ethics. The most advantageous
combination would be that of seeing them as complementary aspects of regulatory control.
Whether or not regulatory authorities should use the carrot or the stick is irrelevant in the light of
the knowledge that complying with both legal and ethical requirements is in an organisation’s self-
interest. The recent innovations of the Australian Stock Exchange that requested listed companies
to disclose on a range of corporate practices - including corporate governance, and ethics. If
nothing else, this requirement will sensitise the business community to the need for the ethical
dimension in business.
An aspirational code of ethics as an expression of the intent of the law. The existence of a properly
maintained and run ethical infrastructure is an indicator of an appropriate corporate mens rea. No
matter how constant the vigilance it would be hard to believe that some occasions of complaint
will not occur. An effective ethics policy, and an aspirational Code will both minimise the risk of
such occurrence and provide an aid to defence should they occur.
Risk management might consist, inter alia, of a means of trying to predict the probability of future
risk: perhaps, more importantly, and be considered a strategy for obviating some risk for the
reasons outlined above.
97 | P a g e
Activity 4
Summarise the relationship between ethics and risk management. In your summary, outline
how considering ethics can be applied as a risk management tool. Provide examples of how a
consideration of ethics impacts on organisational practices.
98 | P a g e
Activity 4
99 | P a g e
Activity 4
Risk management implementation: Risk register20
The tool or risk register (in this case, a Microsoft Excel Spreadsheet) provides a mechanism for
capturing project risks and issues, yet also covers all of the PMBOK® KPA processes, with the
exception of risk planning. We suggest risk planning can be covered within one’s project
management plan. The planning component within the risk management plan can be relatively
short (summarised within a couple of paragraphs) by referencing the self-contained risk register,
identifying the methods for updating the risk tool, and communicating the risks and issues from
the risk tool.
As stated previously, we choose to manage some project risks via a spreadsheet template (see
diagram).
20
Source: CIO, as at http://www.cio.com.au/article/427457/risk_management_implementation/, as on 29th
March, 2017.
100 | P a g e
As shown above, each of the processes is included within the spreadsheet (or risk register), with
the exception of risk management planning. The idea is that each horizontal entry represents one
risk or issue. If it is a risk, the format for capturing it is in a specific format: “IF BY THEN ”. Because
risks are uncertain events, it is useful to state them in this format so that the point at which this risk
may become an issue is clear. Note: Not all risks become issues; that is part of their inherent
uncertainty.
As part of risk identification, we also capture the date on which the risk was identified and the
category to which the risk belongs. Risk identification has been shown to be a significant part of
risk management in that it makes one aware of potential events or issues that may impact the
group.
Following this, we want to quantity and qualify the individual risk itself. Many organisations use a
‘risk matrix’ to control this (e.g. magnitude and likelihood). The mechanism employed here
multiplies the probability of risk (value between 0.0 and 1.00) by the impact of the risk if it were to
become an issue (values range 1 to 100). This produces a risk event number (REN), a way of
ascribing a value (one to 100) to each risk. Depending upon your organisation’s preferences, you
may consider color-coding the REN cell (clear, yellow, red) as a means of drawing attention to
high-probability, high-impact risk.
Additionally, this mechanism enables users to collectively sort all of the risks, allowing them to
recognise at any point how close any particular risk is to turning into an issue. It also allows users
to sort and compare project risks.
Continuing left to right, the next field is labelled “Mitigation”. Within this field, we want to capture
our risk mitigation plans. This requires that we look ahead, consider and plan as to what we will do
101 | P a g e
to manage our risks and their potential progression to becoming issues. We find that having
multiple plans in place helps to maintain a balance as to how we’ll manage our risks. To this end,
we prefer to categorise the plans as either mitigate, monitor, encourage, or accept.
The last two fields include the risk owner (the person primarily responsible for the risk) and a
running status of the risk. The latter should be updated each time the risk status is changed, so
that one has a history log for all the risks.
Direct management of the program in accordance with agreed program

risk-management plans
The risks you identified in your risk management plan, and your assessment of them, were
probably fairly accurate at the time you did the plan. Twelve months later it is more than likely that
some of those risks will have changed. What's worse, it's Murphy's Law that the one risk you've
missed will be the risk that happens.
There are two ways that you can ensure that your risk management plan is up to date.
Firstly, it should be reviewed on a regular basis. The more volatile and changeable your
organisation and its environment, and the higher the level of risk you face, the greater the need to
keep your risk management plan up to date. At a minimum, your risk management plan should
be reviewed at least once a year.
Secondly, you should evaluate changes within your organisation, or within your organisation's
environment, in terms of their implications for risk within your organisation. New legislation
relevant to your organisation, taking on new roles, acquisition of new equipment, or creation of
new positions should all be considered for their implications for risk management.
As well as protecting you against new risks, keeping your risk management plan up to date could
well save you a significant amount of money. Routine replacement of old equipment, for instance,
can lead to reduced risk exposures.
Once you have the backing of the board, establishing a risk management sub-committee or
appoint one person (preferable not a Board member) to take responsibility for the process and
who will be accountable for communicating and adopting a systematic approach to the
development of risk management for your organisation. Once you have the commitment you are
on the road.
Either way, a senior committee or Board member should also work with the risk management sub
committee or risk manager to ensure the process is properly facilitated.
The emphasis from the Board should be to ensure that all sections of the organisation participates
in the formulation of risk management strategy.
102 | P a g e
Part of that will mean explaining to staff, volunteers and stakeholders the reasons why the process
is necessary and the benefits for doing it.
The Board should also set a reasonable timetable for the risk management committee to report
back on a regular basis so the issue remains alive at your next committee meetings and doesn't
get shunted off to the side.
Start by communicating your committee or board's commitment to risk management to all of

your staff, members, participants and stakeholders and place it in the context of the process
beginning and needing all of their support to make it a success.
To get ideas you can set up:
• Individual interviews
• Raise the issue at regular committee and/or staff meetings
• Set up a dedicated brainstorming session to bring everyone together to discuss the issue.
• Send out a questionnaire asking people to identify risks.
• Set up a risk management ideas book or computer file where people can add ideas as
they think of them.
If you need assistance you can also seek the assistance of insurance or risk management
professionals to assist and/or guide you through the process. You may like to ask your local
government or peak association for assistance or guidance also.
For some organisations, this can be done in a one-day session. For others it will be a process over
weeks or even months. Each organisation is different and each organisation has different priorities.
The one thing is you don't want to stretch it out so long that the original energy and enthusiasm
for the process wanes and tapers off, leaving you with an inferior end strategy.
Adopt a systematic approach to the management of risk.
Once you have consulted with staff, members, participants and volunteers, compile the list. It
might be worth distributing the list to all who participated to see if it prompts other risks that have
not be been included.
Review progress, analyse variance and initiate risk responses to achieve

program objectives in dynamic risk environments
Control effectiveness
A control is anything that modifies risk; controls may include existing policies, devices, procedures
and practices. The level of risk is estimated taking into account the context and the environment in
which the organisation currently operates and the controls that are in place. However, existing
103 | P a g e
controls may not all be well designed, they may not all be well implemented and they may not
operate as intended when required. These are the factors measured by control effectiveness.
Control effectiveness takes into account both the adequacy of the controls and how well they are
implemented. Adequacy refers to the design of the controls and whether they would achieve the
desired control outcomes if they were implemented well; implementation refers to how well the
controls are executed in practice as well as their availability and reliability when they are needed.
The control effectiveness measure is only applied to the suite of controls that are relevant for a
risk, rather than attempting to apply it to each control, which is not useful. It is a measure of the
completeness, relevance and efficacy of all the current controls operating on a risk.
Control effectiveness is a relative measure that estimates the actual level of control that is currently
present and effective compared with that which is reasonably achievable by the organisation for a
particular risk. It does not refer to perfect control, which is an unrealistic and meaningless concept.
When conducting a risk analysis, it is useful to assess the effectiveness of the controls before
assessing consequences and likelihoods. This can bring out useful insights and promote valuable
communication among the risk assessment participants. An example of a control effectiveness
rating scale is shown in Table 1 (adapted from Finger et al, 2010).
Table 1: Control effectiveness rating scale
Control Guide
effectiveness
Fully effective Nothing more to be done except review and monitor the existing controls.
Controls are well designed for the risk, and address the root causes.
Management believes they are effective and reliable at all times.
Substantially Most controls are designed correctly and are in place and effective. Some
effective more work to be done to improve operating effectiveness or management
has doubts about operational effectiveness and reliability.
Partially effective While the design of controls may be largely correct in that they treat most of
the root causes of the risk, they are not currently very effective.
or
Some of the controls do not seem correctly designed in that they do not
treat root causes. Those that are correctly designed are operating effectively.
Largely Significant control gaps. Either controls do not treat root causes or they do
ineffective not operate at all effectively.
None or totally Virtually no credible control. Management has no confidence that any
ineffective degree of control is being achieved due to poor control design or very
limited operational effectiveness.
It is important to note that control effectiveness as defined here is measured in relation to what
the organisation could do, not in relation to a hypothetical state of perfect control. It is a measure
of organisational and managerial effectiveness. An organisation’s controls may already be as good
as it is reasonably able to make them (taking into account its circumstances and its risk appetite as
104 | P a g e
well as the characteristics of the risk). In these circumstances, control effectiveness would be rated
high, even though high natural or external variability that cannot be controlled may remain, with a
corresponding high level of risk. For example, an organisation may have excellent treasury
functions, and hence high control effectiveness on exchange rate and interest rate risks, yet still
regard volatility in foreign exchange rates, interest rates and commodity prices as a high risk to its
profitability.
The additional information provided by control effectiveness can highlight areas that warrant
attention. Where control effectiveness is less than ‘fully effective’ consideration should be given to
risk treatment that further modifies the risk, either by adding new controls, improving the design
of the existing controls or increasing their effectiveness, availability and reliability. This is
particularly important if the level of risk is high. Whether particular treatments are actually
implemented will depend on whether they are cost-effective or have a net beneficial effect not
only on financial measures but also other factors such as safety, public relations and other
intangible but important objectives.
Potential exposure
Potential exposure a simple but extremely useful measure of a risk. It is the maximum
consequence to which the organisation may be exposed if all the controls were to fail in a
plausible manner. It is a much more effective means of assessing how severe a risk could be if it
was uncontrolled than the troublesome concept of inherent risk, as explained later in this paper.
Potential exposure achieves what inherent risk was intended without the conceptual and practical
problems that inherent risk entails.
Some risk analysts use the term 'exposure' in very specific ways. For example exposure to drugs,
toxins and so on is a different use of the word that should not be confused with potential
exposure. Although we use the term potential exposure, other terms for the same concept include
maximum foreseeable loss (e.g. in insurance applications) or maximum potential consequences.
These all share the properties of being free from any consideration of likelihood and framed by
the plausible failure of controls.
Potential exposure is measured in terms of consequences only.
• If a single measure of consequences is used by the organisation, say dollars, then potential
exposure is the maximum monetary loss associated with the risk if all the controls were to
fail. This might include direct costs (like repair costs, fines or compensation payments),
indirect costs (like business disruption and reestablishment costs), and opportunity costs
(like lost profit or reduced growth potential). In this case, potential exposure can be
measured on a numerical ratio scale denominated in dollars.
• Some organisations use two measures of potential exposure: one based on monetary
value and another based on safety outcomes such as fatalities or morbidity.
• If the organisation is using an agreed set of consequence scales for its risk analysis,
possibly including financial, timing and intangible measures, then a potential exposure
rating can be based on those same consequence scales. If an ordinal (ranking) scale is
used for consequences, such as is commonly employed in qualitative risk assessment, then
potential exposure can be measured on an ordinal scale.
105 | P a g e
Potential exposure is used to identify key controls. A key control is a control or group of controls
that is believed to be maintaining an otherwise intolerable risk at a tolerable level. If such controls
fail, the consequences can be, by definition, intolerable.
Risk sensitive industries21
Some industries manage risk in a highly quantified and numerate way. These include the nuclear
power and aircraft industries, where the possible failure of a complex series of engineered systems
could result in highly undesirable outcomes. The usual measure of risk for a class of events is then
Risk = Probability (of the Event) times Consequence.
(The total risk is then the sum of the individual class risks)
In the nuclear industry, 'consequence' is often measured in terms of off site radiological release,
and this is often banded into five or six decade wide bands.
The risks are evaluated using Fault Tree/Event Tree techniques. Where these risks are low they are
normally considered to be 'Broadly Acceptable'. A higher level of risk (typically up to 10 to 100
times BA) has to be justified against the costs of reducing it further and the possible benefits that
make it tolerable these risks are described as 'Tolerable’. Risks beyond this level are of course
'Intolerable'.
The level of risk deemed 'Broadly Acceptable' has been considered by Regulatory bodies in
various countries an early attempt by UK government regulator & academic F. R. Farmer used
the example of hill walking and similar activities which have definable risks that people appear to
find acceptable. This resulted in the so called Farmer Curve, of acceptable probability of an event
versus its consequence.
The technique as a whole is usually refered to as Probabilistic Risk Assessment (PRA), (or
Probabilistic Safety Assessment, PSA).
Risk in finance
Risk in finance has no one definition, but some theorists, notably Ron Dembo, have defined quite
general methods to assess risk as an expected after the fact level of regret. Such methods have
been uniquely successful in limiting interest rate risk in financial markets. Financial markets are
considered to be a proving ground for general methods of risk assessment.
However, these methods are also hard to understand. The mathematical difficulties interfere with
other social goods such as disclosure, valuation and transparency. In particular, it is often difficult
to tell if such financial instruments are "hedging" (decreasing measurable risk by giving up certain
21
Source: Atlantic International University, as at
http://aiu.edu/publications/student/english/Business%20Risk%20Management.html, as on 17th September,
2015.
106 | P a g e
windfall gains) or "gambling" (increasing measurable risk and exposing the investor to catastrophic
loss in pursuit of very high windfalls that increase expected value).
As regret measures rarely reflect actual human risk aversion, it is difficult to determine if the
outcomes of such transactions will be satisfactory. Risk seeking describes an individual who has a
positive second derivative of his/her utility function. Such an individual would willingly (actually pay
a premium to) assume all risk in the economy and is hence not likely to exist. In financial markets
one may need to measure credit risk, information timing and source risk, probability model risk,
and legal risk if there are regulatory or civil actions taken as a result of some "investor's regret".
Business risk analysis
Figure. 1. Business Risk Analysis Tool
o Description of the Model
The concepts of closeness to the core business and market attractiveness can be combined to
analyze the risk of investing in new offerings. The proximity of the new offering to the core
business is measured by its proximity to current offerings and current markets.
o Characterize Your Enterprise
The expert system will position your enterprise on the chart based upon your description of:
• technology
• familiarity with the materials
• special finishes
• quality standards
• suppliers bargaining power
• threat of substitutes
• threat of new entrants
107 | P a g e
• competitive rivalry
• bargaining power of the buyers
You can trace through the supporting analysis and its conclusions, adjusting your input until you
are satisfied your description accurately characterizes your enterprise.
Analysis of Your Enterprise Position

Ideal Risky Low Potential Poor Prospect
Close to Core Distant from Core Business Close to Core Distant from Core
Business High Market Attractiveness Business Business
High Market Low Market Low Market
Attractiveness Attractiveness Attractiveness
Offerings in this Offerings in this quadrant The decision to Offerings in this
category are risky to develop since proceed should quadrant are poor
represent the they stray from the core be based on the prospects. They depart
least risk and will business. They will need a evaluation of the from the core business
be ideal high level of investment, market potential. and offer low market
candidates for both in terms of resources The low attractiveness
development. and expertise. Proceed attractiveness of
only if the long term the market may
corporate strategy is be a benefit
intended to develop in this since it will be
way. less lucrative for
competitors.
Figure. 2. Results based on the Outcome of Risk Analysis Tool
Every Business faces the same 5 Key Risks
1. Development Risk
Can the original product or service idea actually be created?
1. Manufacturing Risk
If the product can be developed, can it actually be produced in appropriate volume?
1. Marketing Risk
If the product can be made, can it be sold effectively?
1. Financial Risk
If the product can be sold effectively, will the resulting company be profitable and can the profits
actually be realized in a form that allows investors to receive cash
1. Growth Risk
108 | P a g e
If the company can achieve operating profitability at one level, can profitability be maintained as
the company grows and evolves?
Risk and uncertainty in international business
1. Risk, uncertainty, and volatility
The universe of uncertainty that each company faces is comprised of endogenous and exogenous
dimensions. Endogenous uncertainty arises from the nature of the internal (i.e. project and
organization level) environment. Exogenous sources of uncertainty, in turn, arise at three levels:
industry, competition and external environment.
Industry level uncertainties originate primarily from technological innovation and changes in the
relative prices of inputs and outputs. Competitive risk represents the degree to which competitors'
actions cannot be predicted, and may therefore bring about unanticipated consequences.
Uncertainty in the external environment refers to the risk present in the operating environment of
a given country.
Environmental uncertainty arises from the prospect of political, macro economic, social, natural,
financial and currency volatility, and is often represented by the term country risk (Clark and
Marois, 1996, Howell, 1998 and Robock, 1971).
Academic usage of the terms risk and uncertainty has been shaped by Knight's (1921) assertion
that the former entails uncertain outcomes of known
probabilities, while the latter entails uncertain outcomes of unknown probabilities. Volatility, in
turn, is typically equated with the statistical measure of variance (or standard deviation), and as
such is an ex post measurement of risk and/or uncertainty.
Among practitioners, however, the most important aspect of all three terms is the unpredictable
nature of potentially detrimental outcomes, or in more colloquial terms “the future is no longer
what it used to be” (Hausmann et al., 1995). For instance, in a survey of financial analysts, Baird
and Thomas (1990) found the most common definitions of risk used by the analysts were;
1. size of loss,
2. probability of loss,
3. variance, and
4. lack of information.
In the same survey, the item that was least associated with risk was the Knightian definition of risk
as known probabilities and outcomes. Unlike gambling, business strategy entails outcomes of
unknown or uncertain probabilities, and the nature of the outcomes themselves may be
unknowable. Also, drawing from real options thinking (e.g. Amram and Kulatilaka, 1999, McGrath
and MacMillan, 2000 and Trigeorgis, 1996),
109 | P a g e
1. Country risk measures and the minimization of downside risk
The analysis of country risk is a well established field within international business research which
demonstrates a clear relevance to practice. Country risk analysis is intended to isolate idiosyncratic
sources of potential volatility in a country's political, economic, or social environment. In line with
the manner in which most practitioners conceptualize risk, the principal objective behind country
risk analysis has been the minimization of downside risk.
The formal evaluation of country risk grew out of the need to evaluate the creditworthiness of
sovereign nations, and was extended within the financial sector to evaluate private foreign entities.
Most large international banks maintain departments specifically responsible for monitoring
country risk, and many of these offer clients formal, standardized analyses of country risk.
In addition, consultancies and business information providers such as the Economist Intelligence
Unit, Credit Risk International, International Business Communications, Institutional Investor, and
Euromoney routinely conduct
structured analyses of country risk, which are disseminated to clients in the form of standardized
reports and customized services.
Clark and Marois (1996) summarize the methodologies employed by some of these organizations,
which typically utilize a weighted average of objective economic and political data (e.g. change in
GDP, GDP per capita, industrial costs, number of political uprisings) as well as a survey of experts
to arrive at an aggregate measurement of country risk.
Cosset and Roy (1991) found the primary determinants of the ratings generated by Euromoney
and Institutional Investor are per capita income and the country's propensity to invest and level of
indebtedness.
Due to the lack of competing methodologies, the country risk analysis techniques that were
developed for use in the financial sector are now applied with few or no changes for the purpose
of evaluating country level uncertainties in the operating environment (Clark & Marois, 1996).
Country risk scores are typically used to discount the value of potential investments in a given
foreign country, such that potential projects in higher risk countries are subjected to a higher
discount rate (or must exceed a higher hurdle rate of return).
The commonly employed practice of accounting for the downside risk associated with potential
private foreign direct investment based on country risk measures that were originally designed to
evaluate sovereign risk is likely inappropriate, for four main reasons. First, the risk of default in
international lending is not necessarily equivalent to other risks faced in international business. A
measurement of financial risks is unlikely to accurately represent economic, social, currency and
political risks.
Second, lending situations are fundamentally different from other forms of international business,
in that only downside risk is relevant in a lending context (i.e. if a borrower is more successful than
anticipated, they do not pay a higher interest rate).
110 | P a g e
Third, the generation of a generic country risk rating does not account for firm specific factors,
such as exposure, aversion to risk, and ability to manage risk.
Fourth, the current ways in which country risk is measured do not effectively gauge the most
commonly perceived definitions of risk. For instance, an average of analysts' expectations of GDP
growth is frequently incorporated into country risk measures (Clark & Marois, 1996), with lower
growth reflecting higher risk.
However, this measure confounds expected return with risk, and does not directly assess the
predictability of GDP growth.
At best, country risk rating methods help increase managers abilities to anticipate or identify
changes in the operating environment. But these methods do not measure the predictability of
the environment or the chance and size of a detrimental outcome. Therefore, country risk
measures are unlikely to truly capture the nature of risk as conceived by practitioners.
1. Assessing the track record of established country risk measures
The conceptual concerns with country risk measures outlined in Section 1.2 are corroborated by
empirical research evaluating the extent to which country risk measures are effective predictors of
macro level volatility. In a recent study, Oetzel et al. (2001) examined the performance of 11 widely
used measures of country risk during a 19 year period across 17 countries. The authors found that
none of the sampled measures was effective in predicting periods of significant volatility.
A further demonstration of the shortcomings inherent in relying upon established measures of

country risk is depicted in Fig. 3 and Fig. 4. Each figure depicts a decade (1993–2003) of quarterly
country risk measures from the International Country Risk Guide (ICRG) (www.countrydata.com).
The ICRG risk measures are widely used by both practitioners and academics (e.g. La Porta, Lopez
de Silanes, Shleifer, & Vishny, 1997) to capture the various dimensions of country risk and identify
potential volatility. The measures shown represent a composite measure of country risk, which
consists of an aggregate of political risk, economic risk and financial risk.
The figures include seven major emerging markets, which were chosen on the basis of each
having experienced at least one major economic crisis during the sample period, and collectively
these countries account for the most prominent emerging market economic crises in the past
decade. In each case, the quarter in which the crisis first materialized is indicated with a special
symbol.
111 | P a g e
Figure. 3. Illustrative evidence of the ineffectiveness of country risk measures in predicting volatility
ex ante.
Figure. 4. Illustrative evidence of the ineffectiveness of country risk measures in predicting volatility
ex ante.
As shown in the illustrative cases depicted in these figures, a well established measure of country
risk failed to clearly predict any of the crises. In fact, in a majority of cases, the focal country was
deemed to be exhibiting diminishing risk in the periods leading up to a major crisis.
For instance, Mexico's country risk rating increased (i.e. improved) consistently in 1993 and 1994,
only to collapse after the December 1994 peso devaluation. In an even more extreme case,
Thailand's country risk rating climbed from 73 to above 80 in the 2 year period preceding the
crisis which started in July 1997 and eventually spread to most of Asia and other emerging
markets. After the crisis materialized, Thailand's country risk rating fell to 60
112 | P a g e
Links22
The first step in developing any framework for the measuring risk quantitatively involves creating a
framework for addressing and studying uncertainty itself. Such a framework lies within the realm
of probability. Since risk arises from uncertainty, measures of risk must also take uncertainty into
account. The process of quantifying uncertainty, also known as probability theory, actually proved
to be surprisingly difficult and took millennia to develop. Progress on this front required that we
develop two fundamental ideas. The first is a way to quantify uncertainty (probability) of potential
states of the world. Second, we had to develop the notion that the outcomes of interest to human
events, the risks, were subject to some kind of regularity that we could predict and that would
remain stable over time. Developing and accepting these two notions represented path-breaking,
seminal changes from previous mindsets. Until research teams made and accepted these steps,
any firm, scientific foundation for developing probability and risk was impossible.
Solving risk problems requires that we compile a puzzle of the many personal and business risks.
First, we need to obtain quantitative measures of each risk.. The point illustrated in Figure 2.1
"Links between Each Holistic Risk Puzzle Piece and Its Computational Measures" is that we face
many varied risk exposures, appropriate risk measures, and statistical techniques that we apply for
different risks. However, most risks are interconnected. When taken together, they provide a
holistic risk measure for the firm or a family. For some risks, measures are not sophisticated and
easy to achieve, such as the risk of potential fires in a region. Sometimes trying to predict potential
risks is much more complex, such as predicting one-hundred-year floods in various regions. For
each type of peril and hazard, we may well have different techniques to measure the risks. Our
need to realize that catastrophes can happen and our need to account for them are of
paramount importance. The 2008–2009 financial crisis may well have occurred in part because the
risk measures in use failed to account for the systemic collapses of the financial institutions. Mostly,
institutions toppled because of a result of the mortgage-backed securities and the real estate
markets. As we explore risk computations and measures throughout this chapter, you will learn
terminology and understand how we use such measures. You will thus embark on a journey into
the world of risk management. Some measures may seem simplistic. Other measures will show
you how to use complex models that use the most sophisticated state-of-the-art mathematical
and statistical technology. You’ll notice also that many computations would be impossible without
the advent of powerful computers and computation memory. Now, on to the journey.
Figure 2.1 Links between Each Holistic Risk Puzzle Piece and Its Computational Measures
22
Source: Flat World Knowledge, as at http://catalog.flatworldknowledge.com/bookhub/1?e=baranoff-
ch01_s04#baranoff-ch02_s01, as on 17th September, 2015.
113 | P a g e
Quantification of Uncertainty via Probability Models
As we consider uncertainty, we use rigorous quantitative studies of chance, the recognition of its
empirical regularity in uncertain situations. Many of these methods are used to quantify the
occurrence of uncertain events that represent intellectual milestones. As we create models based
upon probability and statistics, you will likely recognize that probability and statistics touch nearly
every field of study today. As we have internalized the predictive regularity of repeated chance
events, our entire worldview has changed. For example, we have convinced ourselves of the odds
of getting heads in a coin flip so much that it’s hard to imagine otherwise. We’re used to seeing
statements such as “average life of 1,000 hours” on a package of light bulbs. We understand such
a phrase because we can think of the length of life of a light bulb as being uncertain but
statistically predictable. We routinely hear such statements as “The chance of rain tomorrow is 20
percent.” It’s hard for us to imagine that only a few centuries ago people did not believe even in
the existence of chance occurrences or random events or in accidents, much less explore any
method of quantifying seemingly chance events. Up until very recently, people have believed that
God controlled every minute detail of the universe. This belief rules out any kind of
conceptualization of chance as a regular or predictable phenomenon. For example, until recently
the cost of buying a life annuity that paid buyers $100 per month for life was the same for a thirty-
year-old as it was for a seventy-year-old. It didn’t matter that empirically, the “life expectancy” of a
thirty-year-old was four times longer than that of a seventy-year-old. After all, people believed
that a person’s particular time of death was “God’s will.” No one believed that the length of
someone’s life could be judged or predicted statistically by any noticed or exhibited regularity
across people. In spite of the advancements in mathematics and science since the beginning of
114 | P a g e
civilization, remarkably, the development of measures of relative frequency of occurrence of
uncertain events did not occur until the 1600s. This birth of the “modern” ideas of chance occurred
when a problem was posed to mathematician Blaisé Pascal by a frequent gambler. As often
occurs, the problem turned out to be less important in the long run than the solution developed
to solve the problem.
The problem posed was: If two people are gambling and the game is interrupted and
discontinued before either one of the two has won, what is a fair way to split the pot of money on
the table? Clearly the person ahead at that time had a better chance of winning the game and
should have gotten more. The player in the lead would receive the larger portion of the pot of
money. However, the person losing could come from behind and win. It could happen and such a
possibility should not be excluded. How should the pot be split fairly? Pascal formulated an
approach to this problem and, in a series of letters with Pierre de Fermat, developed an approach
to the problem that entailed writing down all possible outcomes that could possibly occur and
then counting the number of times the first gambler won. The proportion of times that the first
gambler won (calculated as the number of times the gambler won divided by the total number of
possible outcomes) was taken to be the proportion of the pot that the first gambler could fairly
claim. In the process of formulating this solution, Pascal and Fermat more generally developed a
framework to quantify the relative frequency of uncertain outcomes, which is now known as
probability. They created the mathematical notion of expected value of an uncertain event. They
were the first to model the exhibited regularity of chance or uncertain events and apply it to solve
a practical problem. In fact, their solution pointed to many other potential applications to
problems in law, economics, and other fields.
From Pascal and Fermat’s work, it became clear that to manage future risks under uncertainty, we
need to have some idea about not only the possible outcomes or states of the world but also how
likely each outcome is to occur. We need a model, or in other words, a symbolic representation of
the possible outcomes and their likelihoods or relative frequencies.
A Historical Prelude to the Quantification of Uncertainty Via Probabilities
Historically, the development of measures of chance (probability) only began in the mid-1600s.
Why in the middle ages, and not with the Greeks? The answer, in part, is that the Greeks and their
predecessors did not have the mathematical concepts. Nor, more importantly, did the Greeks
have the psychological perspective to even contemplate these notions, much less develop them
into a cogent theory capable of reproduction and expansion. First, the Greeks did not have the
mathematical notational system necessary to contemplate a formal approach to risk. They lacked,
for example, the simple and complete symbolic system including a zero and an equal sign useful
for computation, a contribution that was subsequently developed by the Arabs and later adopted
by the Western world. The use of Roman numerals might have been sufficient for counting, and
perhaps sufficient for geometry, but certainly it was not conducive to complex calculations. The
equal sign was not in common use until the late middle ages. Imagine doing calculations (even
such simple computations as dividing fractions or solving an equation) in Roman numerals without
an equal sign, a zero element, or a decimal point!
But mathematicians and scientists settled these impediments a thousand years before the advent
of probability. Why did risk analysis not emerge with the advent of a more complete numbering
115 | P a g e
system just as sophisticated calculations in astronomy, engineering, and physics did? The answer is
more psychological than mathematical and goes to the heart of why we consider risk as both a
psychological and a numerical concept in this book. To the Greeks (and to the millennia of others
who followed them), the heavens, divinely created, were believed to be static and perfect and
governed by regularity and rules of perfection—circles, spheres, the six perfect geometric solids,
and so forth. The earthly sphere, on the other hand, was the source of imperfection and chaos.
The Greeks accepted that they would find no sense in studying the chaotic events of Earth. The
ancient Greeks found the path to truth in contemplating the perfection of the heavens and other
perfect unspoiled or uncorrupted entities. Why would a god (or gods) powerful enough to know
and create everything intentionally create a world using a less than perfect model? The Greeks,
and others who followed, believed pure reasoning, not empirical, observation would lead to
knowledge. Studying regularity in the chaotic earthly sphere was worst than a futile waste of time;
it distracted attention from important contemplations actually likely to impart true knowledge.
It took a radical change in mindset to start to contemplate regularity in events in the earthly
domain. We are all creatures of our age, and we could not pose the necessary questions to
develop a theory of probability and risk until we shook off these shackles of the mind. Until the
age of reason, when church reforms and a growing merchant class (who pragmatically examined
and counted things empirically) created a tremendous growth in trade, we remained trapped in
the old ways of thinking. As long as society was static and stationary, with villages this year being
essentially the same as they were last year or a decade or century before, there was little need to
pose or solve these problems. M. G. Kendall captures this succinctly when he noted that
“mathematics never leads thought, but only expresses it.”* The western world was simply not yet
ready to try to quantify risk or event likelihood (probability) or to contemplate uncertainty. If all
things are believed to be governed by an omnipotent god, then regularity is not to be trusted,
perhaps it can even be considered deceptive, and variation is irrelevant and illusive, being merely
reflective of God’s will. Moreover, the fact that things like dice and drawing of lots were
simultaneously used by magicians, by gamblers, and by religious figures for divination did not
provide any impetus toward looking for regularity in earthly endeavors.
* M. G. Kendall, “The Beginnings of a Probability Calculus,” in Studies in the History of Statistics and
Probability, vol. 1, ed. E. S. Pearson and Sir Maurice Kendall (London: Charles Griffin & Co., 1970),
30.
Measurement Techniques for Frequency, Severity, and Probability Distribution Measures for
Quantifying Uncertain Events
When we can see the pattern of the losses and/or gains experienced in the past, we hope that the
same pattern will continue in the future. In some cases, we want to be able to modify the past
results in a logical way like inflating them for the time value of. If the patterns of gains and losses
continue, our predictions of future losses or gains will be informative. Similarly, we may develop a
pattern of losses based on theoretical or physical constructs (such as hurricane forecasting models
based on physics or likelihood of obtaining a head in a flip of a coin based on theoretical models
of equal likelihood of a head and a tail). Likelihood is the notion of how often a certain event will
occur. Inaccuracies in our abilities to create a correct distribution arise from our inability to predict
futures outcomes accurately. The distribution is the display of the events on a map that tells us the
likelihood that the event or events will occur. In some ways, it resembles a picture of the likelihood
116 | P a g e
and regularity of events that occur. Let’s now turn to creating models and measures of the
outcomes and their frequency.
Measures of Frequency and Severity
Table 2.1 "Claims and Fire Losses for Group of Homes in Location A" and Table 2.2 "Claims and
Fire Losses ($) for Homes in Location B" show the compilation of the number of claims and their
dollar amounts for homes that were burnt during a five-year period in two different locations
labeled Location A and Location B. We have information about the total number of claims per
year and the amount of the fire losses in dollars for each year. Each location has the same number
of homes (1,000 homes). Each location has a total of 51 claims for the five-year period, an average
(or mean) of 10.2 claims per year, which is the frequency. The average dollar amount of losses per
claim for the whole period is also the same for each location, $6,166.67, which is the definition of
severity.
Table 2.1 Claims and Fire Losses for Group of Homes in Location A
Year Number of Fire Claims Number of Fire Losses ($) Average Loss per Claim ($)
1 11 16,500.00 1,500.00
2 9 40,000.00 4,444.44
3 7 30,000.00 4,285.71
4 10 123,000.00 12,300.00
5 14 105,000.00 7,500.00
Total 51.00 314,500.00 6,166.67
Mean 10.20 62,900.00 6,166.67
Average Frequency = 10.20
Average Severity = 6,166.67 for the 5-year period
Table 2.2 Claims and Fire Losses ($) for Homes in Location B
Year Number of Fire Claims Fire Losses Average Loss per Claim ($)
1 15 16,500.00 1,100.00
2 5 40,000.00 8,000.00
3 12 30,000.00 2,500.00
4 10 123,000.00 12,300.00
5 9 105,000.00 11,666.67
Total 51.00 314,500.00 6,166.67
Mean 10.20 62,900.00 6,166.67
Average frequency = 10.20
Average severity = 6,166.67 for the 5-year period
As shown in Table 2.1 "Claims and Fire Losses for Group of Homes in Location A" and Table 2.2
"Claims and Fire Losses ($) for Homes in Location B", the total number of fire claims for the two
locations A and B is the same, as is the total dollar amount of losses shown. You might recall from
earlier, the number of claims per year is called the frequency. The average frequency of claims for
locations A and B is 10.2 per year. The size of the loss in terms of dollars lost per claim is called
117 | P a g e
severity, as we noted previously. The average dollars lost per claim per year in each location is
$6,166.67.
The most important measures for risk managers when they address potential losses that arise
from uncertainty are usually those associated with frequency and severity of losses during a
specified period of time. The use of frequency and severity data is very important to both insurers
and firm managers concerned with judging the risk of various endeavors. Risk managers try to
employ activities (physical construction, backup systems, financial hedging, insurance, etc.) to
decrease the frequency or severity (or both) of potential losses. We will see frequency data and
severity data represented. Typically, the risk manager will relate the number of incidents under
investigation to a base, such as the number of employees if examining the frequency and severity
of workplace injuries. In the examples in Table 2.1 "Claims and Fire Losses for Group of Homes in
Location A" and Table 2.2 "Claims and Fire Losses ($) for Homes in Location B", the severity is
related to the number of fire claims in the five-year period per 1,000 homes. It is important to note
that in these tables the precise distribution (frequencies and dollar losses) over the years for the
claims per year arising in Location A is different from distribution for Location B. This will be
discussed later in this chapter. Next, we discuss the concept of frequency in terms of probability or
likelihood.
Frequency and Probability
Returning back to the quantification of the notion of uncertainty, we first observe that our intuitive
usage of the word probability can have two different meanings or forms as related to statements
of uncertain outcomes. This is exemplified by two different statements:
1. “If I sail west from Europe, I have a 50 percent chance that I will fall off the edge of the
earth.”
2. “If I flip a coin, I have a 50 percent chance that it will land on heads.”
Conceptually, these represent two distinct types of probability statements. The first is a statement
about probability as a degree of belief about whether an event will occur and how firmly this
belief is held. The second is a statement about how often a head would be expected to show up
in repeated flips of a coin. The important difference is that the first statement’s validity or truth will
be stated. We can clear up the statement’s veracity for all by sailing across the globe.
The second statement, however, still remains unsettled. Even after the first coin flip, we still have a
50 percent chance that the next flip will result in a head. The second provides a different
interpretation of “probability,” namely, as a relative frequency of occurrence in repeated trials. This
relative frequency conceptualization of probability is most relevant for risk management. One
wants to learn from past events about the likelihood of future occurrences. The discoverers of
probability theory adopted the relative frequency approach to formalizing the likelihood of chance
events.
Pascal and Fermat ushered in a major conceptual breakthrough: the concept that, in repeated
games of chance (or in many other situations encountered in nature) involving uncertainty, fixed
relative frequencies of occurrence of the individual possible outcomes arose. These relative
frequencies were both stable over time and individuals could calculate them by simply counting
118 | P a g e
the number of ways that the outcome could occur divided by the total number of equally likely
possible outcomes. In addition, empirically the relative frequency of occurrence of events in a long
sequence of repeated trials (e.g., repeated gambling games) corresponded with the theoretical
calculation of the number of ways an event could occur divided by the total number of possible
outcomes. This is the model of equally likely outcomes or relative frequency definition of
probability. It was a very distinct departure from the previous conceptualization of uncertainty that
had all events controlled by God with no humanly discernable pattern. In the Pascal-Fermat
framework, prediction became a matter of counting that could be done by anyone. Probability
and prediction had become a tool of the people! Figure 2.2 "Possible Outcomes for a Roll of Two
Dice with the Probability of Having a Particular Number of Dots Facing Up" provides an example
representing all possible outcomes in the throw of two colored dice along with their associated
probabilities.
Figure 2.2 Possible Outcomes for a Roll of Two Dice with the Probability of Having a Particular
Number of Dots Facing Up
Figure 2.2 "Possible Outcomes for a Roll of Two Dice with the Probability of Having a Particular
Number of Dots Facing Up" lists the probabilities for the number of dots facing upward (2, 3, 4,
etc.) in a roll of two coloured dice. We can calculate the probability for any one of these numbers
(2, 3, 4, etc.) by adding up the number of outcomes (rolls of two dice) that result in this number of
dots facing up divided by the total number of possibilities. For example, a roll of thirty-six
possibilities total when we roll two dice (count them). The probability of rolling a 2 is 1/36 (we can
only roll a 2 one way, namely, when both dice have a 1 facing up). The probability of rolling a 7 is
6/36 = 1/6 (since rolls can fall any of six ways to roll a 7—1 and 6 twice, 2 and 5 twice, 3 and 4
119 | P a g e
twice). For any other choice of number of dots facing upward, we can get the probability by just
adding the number of ways the event can occur divided by thirty-six. The probability of rolling a 7
or an 11 (5 and 6 twice) on a throw of the dice, for instance, is (6 + 2)/36 = 2/9.
The notions of “equally likely outcomes” and the calculation of probabilities as the ratio of “the
number of ways in which an event could occur, divided by the total number of equally likely
outcomes” is seminal and instructive. But, it did not include situations in which the number of
possible outcomes was (at least conceptually) unbounded or infinite or not equally likely. We
needed an extension. Noticing that the probability of an event, any event, provided that extension.
Further, extending the theory to nonequally likely possible outcomes arose by noticing that the
probability of an event—any event—occurring could be calculated as the relative frequency of an
event occurring in a long run of trials in which the event may or may not occur. Thus, different
events could have different, nonequal chances of occurring in a long repetition of scenarios
involving the possible occurrences of the events. Table 2.3 "Opportunity and Loss Assessment
Consequences of New Product Market Entry" provides an example of this. We can extend the
theory yet further to a situation in which the number of possible outcomes is potentially infinite.
But what about a situation in which no easily definable bound on the number of possible
outcomes can be found? We can address this situation by again using the relative frequency
interpretation of probability as well. When we have a continuum of possible outcomes (e.g., if an
outcome is time, we can view it as a continuous variable outcome), then a curve of relative
frequency is created. Thus, the probability of an outcome falling between two numbers x and y is
the area under the frequency curve between x and y. The total area under the curve is one
reflecting that it’s 100 percent certain that some outcome will occur.
The so-called normal distribution or bell-shaped curve from statistics provides us with an example
of such a continuous probability distribution curve. The bell-shaped curve represents a situation
wherein a continuum of possible outcomes arises. Figure 2.3 "Normal Distribution of Potential
Profit from a Research and Development Project" provides such a bell-shaped curve for the
profitability of implementing a new research and development project. It may have profit or loss.
Figure 2.3 Normal Distribution of Potential Profit from a Research and Development Project
120 | P a g e
To find the probability of any range of profitability values for this research and development
project, we find the area under the curve in Figure 2.3 "Normal Distribution of Potential Profit from
a Research and Development Project" between the desired range of profitability values. For
example, the distribution in Figure 2.3 "Normal Distribution of Potential Profit from a Research and
Development Project" was constructed to have what is called a normal distribution with the hump
over the point $30 million and a measure of spread of $23 million. This spread represents the
standard deviation that we will discuss in the next section. We can calculate the area under the
curve above $0, which will be the probability that we will make a profit by implementing the
research and development project. We do this by reference to a normal distribution table of
values available in any statistics book. The area under the curve is 0.904, meaning that we have
approximately a 90 percent change (probability of 0.9) that the project will result in a profit.
In practice, we build probability distribution tables or probability curves such as those in Figure 2.2
"Possible Outcomes for a Roll of Two Dice with the Probability of Having a Particular Number of
Dots Facing Up", Figure 2.3 "Normal Distribution of Potential Profit from a Research and
Development Project", and Table 2.3 "Opportunity and Loss Assessment Consequences of New
Product Market Entry" using estimates of the likelihood (probability) of various different states of
nature based on either historical relative frequency of occurrence or theoretical data. For example,
empirical data may come from repeated observations in similar situations such as with historically
constructed life or mortality tables. Theoretical data may come from a physics or engineering
assessment of failure likelihood for a bridge or nuclear power plant containment vessel. In some
situations, however, we can determine the likelihoods subjectively or by expert opinion. For
example, assessments of political overthrows of governments are used for pricing political risk
insurance needed by corporations doing business in emerging markets. Regardless of the source
of the likelihoods, we can obtain an assessment of the probabilities or relative frequencies of the
future occurrence of each conceivable event. The resulting collection of possible events together
with their respective probabilities of occurrence is called a probability distribution, an example of
which is shown in Table 2.3 "Opportunity and Loss Assessment Consequences of New Product
Market Entry".
Measures of Outcome Value: Severity of Loss, Value of Gain
We have developed a quantified measure of the likelihood of the various uncertain outcomes that
a firm or individual might face—these are also called probabilities. We can now turn to address
the consequences of the uncertainty. The consequences of uncertainty are most often a vital issue
financially. The reason that uncertainty is unsettling is not the uncertainty itself but rather the
various different outcomes that can impact strategic plans, profitability, quality of life, and other
important aspects of our life or the viability of a company. Therefore, we need to assess how we
are impacted in each state of the world. For each outcome, we associate a value reflecting how
we are affected by being in this state of the world.
As an example, consider a retail firm entering a new market with a newly created product. They
may make a lot of money by taking advantage of “first-mover” status. They may lose money if the
product is not accepted sufficiently by the marketplace. In addition, although they have tried to
anticipate any problems, they may be faced with potential product liability. While they naturally try
to make their products as safe as possible, they have to regard the potential liability because of
the limited experience with the product. They may be able to assess the likelihood of a lawsuit as
121 | P a g e
well as the consequences (losses) that might result from having to defend such lawsuits. The
uncertainty of the consequences makes this endeavor risky and the potential for gain that
motivates the company’s entry into the new market. How does one calculate these gains and
losses? We already demonstrated some calculations in the examples above in Table 2.1 "Claims
and Fire Losses for Group of Homes in Location A" and Table 2.2 "Claims and Fire Losses ($) for
Homes in Location B" for the claims and fire losses for homes in locations A and B. These
examples concentrated on the consequences of the uncertainty about fires. Another way to
compute the same type of consequences is provided in the example in Table 2.3 "Opportunity
and Loss Assessment Consequences of New Product Market Entry" for the probability distribution
for this new market entry. We look for an assessment of the financial consequences of the entry
into the market as well. This example looks at a few possible outcomes, not only the fire losses
outcome. These outcomes can have positive or negative consequences. Therefore, we use the
opportunity terminology here rather than only the loss possibilities.
Table 2.3 Opportunity and Loss Assessment Consequences of New Product Market Entry
State of Nature Probability Assessment Financial Consequences of Being in

of Likelihood of State This State (in Millions of Dollars)
Subject to a loss in a product .01 −10.2
liability lawsuit
Market acceptance is limited .10 −.50
and temporary
Some market acceptance but .40 .10
no great consumer demand
Good market acceptance and .40 1
sales performance
Great market demand and .09 8
sales performance
As you can see, it’s not the uncertainty of the states themselves that causes decision makers to
ponder the advisability of market entry of a new product. It’s the consequences of the different
outcomes that cause deliberation. The firm could lose $10.2 million or gain $8 million. If we knew
which state would materialize, the decision would be simple. We address the issue of how we
combine the probability assessment with the value of the gain or loss for the purpose of assessing
the risk (consequences of uncertainty) in the next section.
122 | P a g e
Activity 5
A study of data losses incurred by companies due to hackers penetrating the Internet security
of the company found that 60 percent of the companies in the industry studied had
experienced security breaches and that the average loss per security breach was $15,000.
1. What is the probability that a company will not have a security breach?
2. One company had two breaches in one year and is contemplating spending money to
decrease the likelihood of a breach. Assuming that the next year would be the same as
this year in terms of security breaches, how much should the firm be willing to pay to
eliminate security breaches (i.e., what is the expected value of their loss)?
123 | P a g e
Activity 5
Combining Probability and Outcome Value Together to Get an Overall Assessment of the Impact
of an Uncertain Endeavor
Early probability developers asked how we could combine the various probabilities and outcome
values together to obtain a single number reflecting the “value” of the multitude of different
outcomes and different consequences of these outcomes. They wanted a single number that
summarized in some way the entire probability distribution. In the context of the gambling games
of the time when the outcomes were the amount you won in each potential uncertain state of the
world, they asserted that this value was the “fair value” of the gamble. We define fair value as the
numerical average of the experience of all possible outcomes if you played the game over and
over. This is also called the “expected value.” Expected value is calculated by multiplying each
probability (or relative frequency) by its respective gain or loss. It is also referred to as the mean
value, or the average value. If X denotes the value that results in an uncertain situation, then the
expected value (or average value or mean value) is often denoted by E(X), sometimes also
referred to by economists as E(U)—expected utility—and E(G)—expected gain. In the long run,
the total experienced loss or gain divided by the number of repeated trials would be the sum of
the probabilities times the experience in each state. In Table 2.3 "Opportunity and Loss
Assessment Consequences of New Product Market Entry" the expected value is (.01)×(–10.2) + (.1)
× ( −.50) + (.4) × (.1) + (.4) × (1) + (.09) × (8) = 1.008. Thus, we would say the expected outcome
of the uncertain situation described in Table 2.3 "Opportunity and Loss Assessment Consequences
of New Product Market Entry" was $1.008 million, or $1,008,000.00. Similarly, the expected value of
the number of points on the toss of a pair of dice calculated from example in Figure 2.2 "Possible
Outcomes for a Roll of Two Dice with the Probability of Having a Particular Number of Dots
Facing Up" is 2 × (1/36) + 3 × (2/36) + 4 × (3/36) + 5 × (4/36) + 6 × (5/36) + 7 × (6/36) + 8 ×
(5/36) + 9 × (4/36) + 10 × (3/36) + 11 × (2/36) + 12 × (1/36) = 7. In uncertain economic situations
involving possible financial gains or losses, the mean value or average value or expected value is
often used to express the expected returns. It represents the expected return from an endeavor;
however, it does not express the risk involved in the uncertain scenario. We turn to this now.
Relating back to Table 2.1 "Claims and Fire Losses for Group of Homes in Location A" and Table
2.2 "Claims and Fire Losses ($) for Homes in Location B", for locations A and B of fire claim losses,
the expected value of losses is the severity of fire claims, $6,166.67, and the expected number of
claims is the frequency of occurrence, 10.2 claims per year.
124 | P a g e
Activity 6
The following is the experience of Insurer A for the last three years:
Year Number of Exposures Number of Collision Claims Collision Losses ($)

1 10,000 375 350,000
2 10,000 330 250,000
3 10,000 420 400,000
1. What is the frequency of losses in year 1?

2. Calculate the probability of a loss in year 1.
3. Calculate the mean losses per year for the collision claims and losses.
4. Calculate the mean losses per exposure.
5. Calculate the mean losses per claim.
6. What is the frequency of the losses?
7. What is the severity of the losses?
125 | P a g e
Activity 6
Measures of Risk: Putting It Together
Having developed the concept of probability to quantify the relative likelihood of an uncertain
event, and having developed a measure of “expected value” for an uncertain event, we are now
ready to try to quantify risk itself. The “expected value” (or mean value or fair value) quantifying
the potential outcome arising from an uncertain scenario or situation in which probabilities have
been assigned is a common input into the decision-making process concerning the advisability of
taking certain actions, but it is not the only consideration. The financial return outcomes of various
uncertain research and development, might, for example, be almost identical except that the
126 | P a g e
return distributions are sort of shifted in one direction or the other. Such a situation is shown in
Figure 2.4 "Possible Profitability from Three Potential Research and Development Projects". This
figure describes the (continuous) distributions of anticipated profitability for each of three possible
capital expenditures on uncertain research and development projects. These are labelled A, B, and
C, respectively.
Figure 2.4 Possible Profitability from Three Potential Research and Development Projects
Intuitively, in economic terms a risk is a “surprise” outcome that is a consequence of uncertainty. It

can be a positive surprise or a negative surprise.
Using the terms explained in the last section, we can regard risk as the deviation from the
expected value. The more an observation deviates from what we expected, the more surprised we
are likely to become if we should see it, and hence the more risky (in an economic sense) we
deem the outcome to be. Intuitively, the more surprise we “expect” from a venture or a scenario,
the riskier we judge this venture or scenario to be.
Looking back on Figure 2.4 "Possible Profitability from Three Potential Research and Development
Projects", we might say that all three curves actually represent the same level of risk in that they
each differ from their expected value (the mean or hump of the distribution) in identical ways.
They only differ in their respective expected level of profitability (the hump in the curve). Note that
the uncertain scenarios “B” and “C” still describe risky situations, even though virtually all of the
possible outcomes of these uncertain scenarios are in the positive profit range. The “risk” resides
in the deviations from the expected value that might result (the surprise potential), whether on the
average the result is negative or positive. Look at the distribution labeled “A,” which describes a
scenario or opportunity/loss description where much more of the possible results are on the
negative range (damages or losses). Economists don’t consider “A” to be any more risky (or more
127 | P a g e
dangerous) than “B” or “C,” but simply less profitable. The deviation from any expected risk
defines risk here. We can plan for negative as well as positive outcomes if we know what to
expect. A certain negative value may be unfortunate, but it is not risky.
Some other uncertain situations or scenarios will have the same expected level of “profitability,”
but will differ in the amount of “surprise” they might present. For example, let’s assume that we
have three potential corporate project investment opportunities. We expect that, over a decade,
the average profitability in each opportunity will amount to $30 million. The projects differ,
however, by the level of uncertainty involved in this profitability assessment (see Figure 2.5 "Three
Corporate Opportunities Having the Same Expected Profitability but Differing in Risk or Surprise
Potential"). In Opportunity A, the possible range of profitability is $5–$60 million, whereas
Opportunity B has a larger range of possible profits, between –$20 million and + $90 million. The
third opportunity still has an expected return of $30 million, but now the range of values is from –
$40 million to +$100. You could make more from Opportunity C, but you could lose more, as well.
The deviation of the results around the expected value can measure the level of “surprise”
potential the uncertain situation or profit/loss scenario contains. The uncertain situation
concerning the profitability in Opportunity B contains a larger potential surprise in it than A, since
we might get a larger deviation from the expected value in B than in A. That’s why we consider
Opportunity B more risky than A. Opportunity C is the riskiest of all, having the possibility of a
giant $100 million return, with the downside potential of creating a $40 million loss.
Figure 2.5 Three Corporate Opportunities Having the Same Expected Profitability but Differing in
Risk or Surprise Potential
Our discussion above is based upon intuition rather than mathematics. To make it specific, we
need to actually define quantitatively what we mean by the terms “a surprise” and “more
surprised.” To this end, we must focus on the objective of the analysis. A sequence of throws of a
128 | P a g e
pair of colored dice in which the red die always lands to the left of the green die may be
surprising, but this surprise is irrelevant if the purpose of the dice throw is to play a game in which
the number of dots facing up determines the pay off. We thus recognize that we must define risk
in a context of the goal of the endeavor or study. If we are most concerned about the risk of
insolvency, we may use one risk measure, while if we are interested in susceptibility of portfolio of
assets to moderate interest rate changes, we may use another measure of risk. Context is
everything. Let’s discuss several risk measures that are appropriate in different situations.
Some Common Measures of Risk
As we mentioned previously, intuitively, a risk measure should reflect the level of “surprise”
potential intrinsic in the various outcomes of an uncertain situation or scenario. To this end, the
literature proposes a variety of statistical measures for risk levels. All of these measures attempt to
express the result variability for each relevant outcome in the uncertain situation. The following are
some risk measures.
The Range
We can use the range of the distribution—that is, the distance between the highest possible
outcome value to the lowest—as a rough risk measure. The range provides an idea about the
“worst-case” dispersion of successive surprises. By taking the “best-case scenario minus the worst-
case scenario” we define the potential breadth of outcomes that could arise in the uncertain
situation.
As an example, consider the number of claims per year in Location A of Table 2.1 "Claims and Fire
Losses for Group of Homes in Location A". Table 2.1 "Claims and Fire Losses for Group of Homes
in Location A" shows a low of seven claims per year to a high of fourteen claims per year, for a
range of seven claims per year. For Location B of Table 2.2 "Claims and Fire Losses ($) for Homes
in Location B", we have a range in the number of claims from a low of five in one year to a high of
fifteen claims per year, which gives us a range of ten claims per year. Using the range measure of
risk, we would say that Location A is less risky than Location B in this situation, especially since the
average claim is the same (10.2) in each case and we have more variability or surprise potential in
Location B. As another example, if we go back to the distribution of possible values in Table 2.3
"Opportunity and Loss Assessment Consequences of New Product Market Entry", the extremes
vary from −$10.2 million to +$8 million, so the range is $18.2 million.
This risk measure leaves the picture incomplete because it cannot distinguish in riskiness between
two distributions of situations where the possible outcomes are unbounded, nor does it take into
account the frequency or probability of the extreme values. The lower value of –$10.2 million in
Table 2.3 "Opportunity and Loss Assessment Consequences of New Product Market Entry" only
occurs 1 percent of the time, so it’s highly unlikely that you would get a value this small. It could
have had an extreme value of –$100 million, which occurred with probability 0.0000000001, in
which case the range would have reflected this possibility. Note that it’s extremely unlikely that you
would ever experience a one-in-a-trillion event. Usually you would not want your risk
management activities or managerial actions to be dictated by a one-in-a-trillion event.
129 | P a g e
Deviation from a Central Value
A more sophisticated (and more traditional) way to measure risk would consider not just the most
extreme values of the distribution but all values and their respective occurrence probabilities. One
way to do this is to average the deviations of the possible values of the distribution from a central
value, such as the expected value E(V) or mean value discussed earlier. We develop this idea
further below.
Variance and Standard Deviation
Continuing the example from Table 2.1 "Claims and Fire Losses for Group of Homes in Location A"
and Table 2.2 "Claims and Fire Losses ($) for Homes in Location B", we now ask what differentiates
the claims distribution of Location A and B, both of which possess the same expected frequency
and severity. We have already seen that the range is different. We now examine how the two
locations differ in terms of their deviation from the common mean or expected value. Essentially,
we want to examine how they differ in terms of the amount of surprise we expect to see in
observations form the distributions. One such measure of deviation or surprise is by calculating
the expected squared distance of each of the various outcomes from their mean value. This is a
weighted average squared distance of each possible value from the mean of all observations,
where the weights are the probabilities of occurrence. Computationally, we do this by individually
squaring the deviation of each possible outcome from the expected value, multiplying this result
by its respective probability or likelihood of occurring, and then summing up the resulting
products. This produces a measure known as the variance. Variance provides a very commonly
used measure of risk in financial contexts and is one of the bases of the notion of efficient
portfolio selection in finance and the Capital Asset Pricing Model, which is used to explicitly show
the trade-off between risk and return of assets in a capital market.
We first illustrate the calculation of the variance by using the probability distribution shown in
Table 2.2 "Claims and Fire Losses ($) for Homes in Location B". We already calculated the
expected value to be $1.008 million, so we may calculate the variance to be (.01) × (–10.2 –1.008)2
+ (.1) × (–.5 –1.008)2+ (.4) × (.1 – 1.008)2+ (.4) × (1 – 1.008)2 + (.09) × (8 – 1.008)2 = 7.445. Usually,
variance is denoted with the Greek symbol sigma squared, σ2, or simply V.
As another example, Table 2.4 "Variance and Standard Deviation of Fire Claims of Location A" and
Table 2.5 "Variance and Standard Deviation of Fire Claims of Location B" show the calculation of
the variance for the two samples of claims given in locations A and B of Table 2.1 "Claims and Fire
Losses for Group of Homes in Location A" and Table 2.2 "Claims and Fire Losses ($) for Homes in
Location B", respectively. In this case, the years are all treated equally so the average squared
deviation from the mean is just the simple average of the five years squared deviations from the
mean. We calculate the variance of the number of claims only.
Table 2.4 Variance and Standard Deviation of Fire Claims of Location A
Year Number of Fire Difference between Observed Number of Claims Difference

Claims and Mean Number of Claims Squared
1 11 0.8 0.64
2 9 −1.2 1.44
130 | P a g e
3 7 −3.2 10.24
4 10 −0.2 0.04
5 14 3.8 14.44
Total 51 0 26.8
Mean 10.2 = (26.8)/4 =
6.7
Variance 6.70
Standard Deviation = Square Root (6.7) = 2.59
Table 2.5 Variance and Standard Deviation of Fire Claims of Location B

1 15 4.8 23.04
2 5 −5.2 27.04
3 12 1.8 3.24
4 10 −0.2 0.04
5 9 −1.2 1.44
Total 51 0 54.8
Mean 10.2 =(54.8)/4 =
13.70
Variance 13.70
Standard Deviation 3.70
A problem with the variance as a measure of risk is that by squaring the individual deviations from
the mean, you end up with a measure that is in squared units (e.g., if the original losses are
measured in dollars, then the variance is measured in dollars-squared). To get back to the original
units of measurement we commonly take the square root and obtain a risk measure known as the
standard deviation, denoted by the Greek letter sigma (σ). To provide a more meaningful measure
of risk denominated in the same units as the original data, economists and risk professionals often
use this square root of the variance—the standard deviation—as a measure of risk. It provides a
value comparable with the original expected outcomes. Remember that variance uses squared
differences; therefore, taking the square root returns the measure to its initial unit of
measurement.
Thus, the standard deviation is the square root of the variance. For the distribution in Table 2.3
"Opportunity and Loss Assessment Consequences of New Product Market Entry", we calculated
the variance to be 7.445, so the standard deviation is the square root of 7.445 or $2.73 million.
Similarly, the standard deviations of locations A and B of Table 2.1 "Claims and Fire Losses for
Group of Homes in Location A" and Table 2.2 "Claims and Fire Losses ($) for Homes in Location B"
appear in Tables 2.4 and 2.5. As you can see, the standard deviation of the sample for Location A
is only 2.59, while the standard deviation of the sample of Location B is 2.70. The number of fire
claims in Location B is more spread out from year to year than those in Location A. The standard
deviation is the numeric representation of that spread.
131 | P a g e
If we compare one standard deviation with another distribution of equal mean but larger standard
deviation—as when we compare the claims distribution from Location A with Location B—we
could say that the second distribution with the larger standard deviation is riskier than the first. It is
riskier because the observations are, on average, further away from the mean (more spread out
and hence providing more “surprise” potential) than the observations in the first distribution.
Larger standard deviations, therefore, represent greater risk, everything else being the same.
Of course, distributions seldom have the same mean. What if we are comparing two distributions
with different means? In this case, one approach would be to consider the coefficient of variation,
which is the standard deviation of a distribution divided by its mean. It essentially trades off risk (as
measured by the standard deviation) with the return (as measured by the mean or expected
value). The coefficient of variation can be used to give us a relative value of risk when the means
of the distributions are not equal.
The Semivariance
The above measures of risk gave the same attention or importance to both positive and negative
deviations from the mean or expected value. Some people prefer to measure risk by the surprises
in one direction only. Usually only negative deviations below the expected value are considered
risky and in need of control or management. For example, a decision maker might be especially
troubled by deviations below the expected level of profit and would welcome deviations above
the expected value. For this purpose a “semivariance” could serve as a more appropriate measure
of risk than the variance, which treats deviations in both directions the same. The semivariance is
the average square deviation. Now you sum only the deviations below the expected value. If the
profit-loss distribution is symmetric, the use of the semivariance turns out to result in the exact
same ranking of uncertain outcomes with respect to risk as the use of the variance. If the
distribution is not symmetric, however, then these measures may differ and the decisions made as
to which distribution of uncertain outcomes is riskier will differ, and the decisions made as to how
to manage risk as measured by these two measures may be different. As most financial and pure
loss distributions are asymmetric, professionals often prefer the semi-variance in financial analysis
as a measure of risk, even though the variance (and standard deviation) are also commonly used.
Value at Risk (VaR) and Maximum Probable Annual Loss (MPAL)
How do banks and other financial institutions manage the systemic or fundamental market risks
they face? VaR modeling has become the standard risk measurement tool in the banking industry
to assess market risk exposure. After the banking industry adopted VaR, many other financial firms
adopted it as well. This is in part because of the acceptance of this technique by regulators, such
as conditions written in the Basel II agreements on bank regulation. Further, financial institutions
need to know how much money they need to reserve to be able to withstand a shock or loss of
capital and still remain solvent. To do so, they need a risk measure with a specified high
probability. Intuitively, VaR is defined as the worst-case scenario dollar value loss (up to a specified
probability level) that could occur for a company exposed to a specific set of risks (interest rates,
equity prices, exchange rates, and commodity prices). This is the amount needed to have in
reserve in order to stave off insolvency with the specified level of probability.
132 | P a g e
In reality, for many risk exposures the absolute “worst-case” loss that could be experienced is
conceivably unbounded. It’s conceivable that you could lose a very huge amount but it may be
highly unlikely to lose this much. Thus, instead of picking the largest possible loss to prepare
against, the firm selects a probability level they can live with (usually, they are interested in having
their financial risk exposure covered something like 95 percent or 99 percent of the time), and
they ask, “What is the worst case that can happen up to being covered 95 percent or 99 percent
of the time?” For a given level of confidence (in this case 95 percent or 99 percent) and over a
specified time horizon, VaR can measure risks in any single security (either a specific investment
represented in their investment securities or loan from a specific customer) or an entire portfolio
as long as we have sufficient historical data. VaR provides an answer to the question “What is the
worst loss that could occur and that I should prepare for?”
In practice, professionals examine a historical record of returns for the asset or portfolio under
consideration and construct a probability distribution of returns. If you select a 95 percent VaR,
then you pick the lowest 5 percent of the distribution, and when multiplied by the asset or
portfolio value, you obtain the 95 percent VaR. If a 99 percent VaR is desired, then the lowest 1
percent of the return distribution is determined and this is multiplied by the asset or portfolio
value to obtain the 99 percent VaR.
Figure 2.6 The 95 percent VaR for the Profit and Loss Distribution of Figure 2.2 "Possible
Outcomes for a Roll of Two Dice with the Probability of Having a Particular Number of Dots
Facing Up"
We illustrate this further with the Figure 2.6, concerning Hometown Bank.
Case: Hometown Bank Market Risk
Market risk is the change in market value of bank assets and liabilities resulting from changing
market conditions. For example, as interest rates increase, the loans Hometown Bank made at low
133 | P a g e
fixed rates become less valuable to the bank. The total market values of their assets decline as the
market value of the loans lose value. If the loans are traded in the secondary market, Hometown
would record an actual loss. Other bank assets and liabilities are at risk as well due to changing
market prices. Hometown accepts equity positions as collateral (e.g., a mortgage on the house
includes the house as collateral) against loans that are subject to changing equity prices. As equity
prices fall, the collateral against the loan is less valuable. If the price decline is precipitous, the loan
could become undercollateralized where the value of the equity, such as a home, is less than the
amount of the loan taken and may not provide enough protection to Hometown Bank in case of
customer default.
Another example of risk includes bank activities in foreign exchange services. This subjects them to
currency exchange rate risk. Also included is commodity price risk associated with lending in the
agricultural industry.
Hometown Bank has a total of $65.5 million in investment securities. Typically, banks hold these
securities until the money is needed by bank customers as loans, but the Federal Reserve requires
that some money be kept in reserve to pay depositors who request their money back. Hometown
has an investment policy that lists its approved securities for investment. Because the portfolio
consists of interest rate sensitive securities, as interest rates rise, the value of the securities declines.
Hometown Bank’s CEO, Mr. Allen, is interested in estimating his risk over a five-day period as
measured by the worst case he is likely to face in terms of losses in portfolio value. He can then
hold that amount of money in reserve so that he can keep from facing liquidity problems. This
problem plagued numerous banks during the financial crisis of late 2008. Allen could conceivably
lose the entire $65.5 million, but this is incredibly unlikely. He chooses a level of risk coverage of
99 percent and chooses to measure this five-day potential risk of loss by using the 99 percent—
the VaR or value at risk. That is, he wants to find the amount of money he needs to keep available
so that he has a supply of money sufficient to meet demand with probability of at least 0.99. To
illustrate the computation of VaR, we use a historical database to track the value of the different
bonds held by Hometown Bank as investment securities. How many times over a given time
period—one year, in our example—did Hometown experience negative price movement on their
investments and by how much? To simplify the example, we will assume the entire portfolio is
invested in two-year U.S. Treasury notes. A year of historical data would create approximately 250
price movement data points for the portfolio. Of those 250 results, how frequently did the
portfolio value decrease 5 percent or more from the beginning value? What was the frequency of
times the portfolio of U.S. Treasury notes increased in value more than 5 percent? Hometown
Bank can now construct a probability distribution of returns by recording observations of portfolio
performance. This probability distribution appears in Figure 2.7 "Hometown Bank Frequency
Distribution of Daily Price Movement of Investment Securities Portfolio".
Figure 2.7 Hometown Bank Frequency Distribution of Daily Price Movement of Investment
Securities Portfolio
134 | P a g e
The frequency distribution curve of price movement for the portfolio appears in Figure 2.4
"Possible Profitability from Three Potential Research and Development Projects". From that data,
Hometown can measure a portfolio’s 99 percent VaR for a five-day period by finding the lower
one percentile for the probability distribution. VaR describes the probability of potential loss in
value of the U.S. Treasury notes that relates to market price risk. From the chart, we observe that
the bottom 1 percent of the 250 observations is about a 5 percent loss, that is, 99 percent of the
time the return is greater than –5 percent. Thus, the 99 percent VaR on the returns is –5 percent.
The VaR for the portfolio is the VaR on the return times $65.5 million, or –.05 × ($65.5 million) =
−$3,275,000. This answers the question of how much risk capital the bank needs to hold against
contingencies that should only occur once in one hundred five-day periods, namely, they should
hold $3,275,000 in reserve. With this amount of money, the likelihood that the movements in
market values will cause a loss of more than $3,275,000 is 1 percent.
The risk can now be communicated with the statement: Under normal market conditions, the most
the investment security portfolio will lose in value over a five-day period is about $3,275,000 with a
confidence level of 99 percent.
135 | P a g e
In the context of pure risk exposures, the equivalent notion to VaR is the Maximal Probable Annual
Loss (MPAL). As with the VaR measure, it looks at a probability distribution, in this case of losses
over a year period and then picks the selected lower percentile value as the MPAL. For example, if
the loss distribution is given by Figure 2.3 "Normal Distribution of Potential Profit from a Research
and Development Project", and the 95 percent level of confidence is selected, then the MPAL is
the same as the 95 percent VaR value. In insurance contexts one often encounters the term MPAL,
whereas in finance one often encounters the term VaR. Their calculation is the same and their
interpretation as a measure of risk is the same.
We also note that debate rages about perceived weaknesses in using VaR as a risk measure in
finance. “In short, VaR models do not provide an accurate measure of the losses that occur in
extreme events. You simply cannot depict the full texture and range of your market risks with VaR
alone.” In addition, the VaR examines the size of loss that would occur only 1 percent of the time,
but it does not specify the size of the shortfall that the company would be expected to have to
make up by a distress liquidation of assets should such a large loss occur. Another measure called
the expected shortfall is used for this.
CAPM’s Beta Measure of Nondiversifiable Portfolio Risk
Some risk exposures affect many assets of a firm at the same time. In finance, for example,
movements in the market as a whole or in the entire economy can affect the value of many
individual stocks (and firms) simultaneously. We saw this very dramatically illustrated in the
financial crisis in 2008–2009 where the entire stock market went down and dragged many stocks
(and firms) down with it, some more than others. For a firm (or individual) having a large, well-
diversified portfolio of assets, the total negative financial impact of any single idiosyncratic risk on
the value of the portfolio is minimal since it constitutes only a small fraction of their wealth.
Therefore, the asset-specific idiosyncratic risk is generally ignored when making decisions
concerning the additional amount of risk involved when acquiring an additional asset to be added
to an already well-diversified portfolio of assets. The question is how to disentangle the systematic
from the nonsystematic risk embedded in any asset. Finance professors Jack Treynor, William
Sharpe, John Lintner, and Jan Mossin worked independently and developed a model called the
Capital Asset Pricing Model (CAPM). From this model we can get a measure of how the return on
an asset systematically varies with the variations in the market, and consequently we can get a
measure of systematic risk. The idea is similar to the old adage that a rising tide lifts all ships. In
this case a rising (or falling) market or economy rises (or lowers) all assets to a greater or lesser
degree depending on their covariation with the market. This covariation with the market is
fundamental to obtaining a measure of systematic risk. We develop it now.
Essentially, the CAPM model assumes that investors in assets expect to be compensated for both
the time value of money and the systematic or nondiversifiable risk they bear. In this regard, the
return on an asset A, RA, is assumed to be equal to the return on an absolutely safe or risk-free
investment, rf (the time value of money part) and a risk premium, which measures the
compensation for the systematic risk they are bearing. To measure the amount of this systematic
risk, we first look at the correlation between the returns on the asset and the returns on a market
portfolio of all assets. The assumption is that the market portfolio changes with changes in the
economy as a whole, and so systematic changes in the economy are reflected by changes in the
136 | P a g e
level of the market portfolio. The variation of the asset returns with respect to the market returns is
assumed to be linear and so the general framework is expressed as
RA= rf + βA*(Rm - rf ) + ε,
where ε denotes a random term that is unrelated to the market return. Thus the term βA × (Rm − rf
) represents a systematic return and ε represents a firm-specific or idiosyncratic nonsystematic
component of return.
Notice that upon taking variances, we have σ2A = .β2A × β2m, + σ2ε, so the first term is called the
systematic variance and the second term is the idiosyncratic or firm-specific variance.
The idea behind the CAPM is that investors would be compensated for the systematic risk and not
the idiosyncratic risk, since the idiosyncratic risk should be diversifiable by the investors who hold a
large diversified portfolio of assets, while the systematic or market risk affects them all. In terms of
expected values, we often write the equation as
E[RA]= rf+βA*(E[Rm]-rf),
which is the so-called CAPM model. In this regard the expected rate of return on an asset E[RA], is
the risk-free investment, rf, plus a market risk premium equal to βA × (E[Rm] − Rf). The coefficient
βA is called the market risk or systematic risk of asset A.
By running a linear regression of the returns experienced on asset A with those returns
experienced on a market portfolio (such as the Dow Jones Industrial stock portfolio) and the risk-
free asset return (such as the U.S. T-Bill rate of return), one can find the risk measure βA. A
regression is a statistical technique that creates a trend based on the data. Statistical books show
that βA. = COV(RA, Rm)/β2m where COV(RA,Rm) is the covariance of the return on the asset with the
return on the market and is defined by
COV(RA, Rm) = E[{RA,−E(RA)} × { Rm,-E(Rm)}],
that is, the average value of the product of the deviation of the asset return from its expected
value and the market returns from its expected value. In terms of the correlation coefficient ρAm
between the return on the asset and the market, we have βA = ρAm × (βA/βm), so we can also think
of beta as scaling the asset volatility by the market volatility and the correlation of the asset with
the market.
The β (beta) term in the above equations attempts to quantify the risk associated with market
fluctuations or swings in the market. A beta of 1 means that the asset return is expected to move
in conjunction with the market, that is, a 5 percent move (measured in terms of standard deviation
units of the market) in the market will result in a 5 percent move in the asset (measured in terms
of standard deviation units of the asset). A beta less than one indicates that the asset is less
volatile than the market in that when the market goes up (or down) by 5 percent the asset will go
up (or down) by less than 5 percent. A beta greater than one means that the asset price is
expected to move more rapidly than the market so if the market goes up (or down) by 5 percent
137 | P a g e
then the asset will go up (or down) by more than 5 percent. A beta of zero indicates that the
return on the asset does not correlate with the returns on the market.
Confirm risks are monitored and assessed across the program at agreed
intervals
Risk monitoring should be ongoing and continual. As you travel through the project lifecycle you
should be monitoring for changes in the environment and regularly recheck your assumptions.
The likelihood and impact of risks changes over time.
Early on in the project the likelihood of risks occurring is much greater due to the relative
uncertainty compared to the end of a project. Also the impact of risks changes over time; for
example if you cancel s project at the beginning you have expended less labour costs that at the
end.
A project’s success factors change over time also. For example a building development may
acquire a success factor of dealing successfully with local anti-development protestors. The risks
associated with dealing with these stakeholders will change as their importance and influence
changes.
138 | P a g e
As well as monitoring existing risks you will have the opportunity to monitor for new risks. Have
new opportunities for risk come up as a result of changing environment or scope? Has the
project’s business case or relationship with the rest of the world changed?
Specific things you can do to help monitor risks include:
• Risk Owners: Ensure all risks have an owner, even if there is no active management plan
for them. It is best if these risk owners will have to deal with the results of the risk
occurring to give them motivation to pay attention.
• Risk Meetings: Have formal risk review meetings where people have time to stop and think
about risks. Time may cost money but often risks can be much more expensive that they
first appear. You can also schedule low likelihood and impact risks to future dates.
• Triggers: Identify triggers for reviewing risks. If a risk is minor today but will become
important if something occurs, look out for the something.
Activity 7
Develop a sample agenda for a program risk monitoring meeting.
139 | P a g e
Activity 7
140 | P a g e
Activity 7
Guidelines for Risk Management Process Review
The purpose of risk management is to identify potential problems before they occur so that risk-
handling activities may be planned and invoked as needed across the life of the product or project
to mitigate adverse impacts on achieving objectives.
141 | P a g e
Risk management is a continuous, forward-looking process that is an important part of business
and technical management processes. Risk management should address issues that could
endanger achievement of critical objectives. A continuous risk management approach is applied
to effectively anticipate and mitigate the risks that have critical impact on the project.
Effective risk management includes early and aggressive risk identification through the
collaboration and involvement of relevant stakeholders. Strong leadership across all relevant
stakeholders is needed to establish an environment for the free and open disclosure and
discussion of risk.
Although technical issues are a primary concern both early on and throughout all project phases,
risk management must consider both internal and external sources for cost, schedule, and
technical risk. Early and aggressive detection of risk is important because it is typically easier, less
costly, and less disruptive to make changes and correct work efforts during the earlier, rather than
the later, phases of the project.
Risk management can be divided into three parts: defining a risk management strategy;
identifying and analyzing risks; and handling identified risks, including the implementation of risk
mitigation plans when needed.
For the purpose of this review, please address the following points:
1. Demonstrate that you have a process to determine risk sources and categories. Identification
of risk sources provides a basis for systematically examining changing situations over time to
uncover circumstances that impact the ability of the project to meet its objectives. Risk sources
are both internal and external to the project. As the project progresses, additional sources of
risk may be identified. Establishing categories for risks provides a mechanism for collecting
and organizing risks as well as ensuring appropriate scrutiny and management attention for
those risks that can have more serious consequences on meeting project objectives.
Typical work products would include: (1) risk source lists (external and internal) and (2) risk
categories lists.
2. Demonstrate that you have a process to define the parameters used to analyze and
categorize risks, and the parameters used to control the risk management effort. Parameters
for evaluating, categorizing, and prioritizing risks typically include risk likelihood (i.e., the
probability of risk occurrence), risk consequence (i.e., the impact and severity of risk
occurrence), and thresholds to trigger management activities.
Risk parameters are used to provide common and consistent criteria for comparing the
various risks to be managed. Without these parameters, it would be very difficult to gauge the
142 | P a g e
severity of the unwanted change caused by the risk and to prioritize the necessary actions
required for risk mitigation planning.
Typical work products would include: (1) risk evaluation, categorization, and prioritization
criteria and (2) risk management requirements (control and approval levels, reassessment
intervals, etc.).
3. Demonstrate that you have a process to establish and maintain the strategy to be used for risk
management. A comprehensive risk management strategy addresses items such as: (1) The
scope of the risk management effort, (2) Methods and tools to be used for risk identification,
risk analysis, risk mitigation, risk monitoring, and communication, (3) Project-specific sources of
risks, (4) How these risks are to be organized, categorized, compared, and consolidated, (5)
Parameters, including likelihood, consequence, and thresholds, for taking action on identified
risks, (6) Risk mitigation techniques to be used, such as prototyping, simulation, alternative
designs, or evolutionary development, (7) Definition of risk measures to monitor the status of
the risks, and (8) Time intervals for risk monitoring or reassessment.
The risk management strategy should be guided by a common vision of success that
describes the desired future project outcomes in terms of the product that is delivered, its
cost, and its fitness for the task. The risk management strategy is often documented in an
organizational or a project risk management plan. The risk management strategy is reviewed
with relevant stakeholders to promote commitment and understanding.
A typical work product would be the project risk management strategy.
4. Demonstrate that you have a process to identify and document the risks. The identification of
potential issues, hazards, threats, and vulnerabilities that could negatively affect work efforts or
plans is the basis for sound and successful risk management. Risks must be identified and
described in an understandable way before they can be analyzed and managed properly.
Risks are documented in a concise statement that includes the context, conditions, and
consequences of risk occurrence.
Risk identification should be an organized, thorough approach to seek out probable or

realistic risks in achieving objectives. To be effective, risk identification should not be an
attempt to address every possible event regardless of how highly improbable it may be. Use
of the categories and parameters developed in the risk management strategy, along with the
identified sources of risk, can provide the discipline and streamlining appropriate to risk
identification. The identified risks form a baseline to initiate risk management activities. The list
of risks should be reviewed periodically to reexamine possible sources of risk and changing
143 | P a g e
conditions to uncover sources and risks previously overlooked or nonexistent when the risk
management strategy was last updated.
Risk identification activities focus on the identification of risks, not placement of blame. The
results of risk identification activities are not used by management to evaluate the
performance of individuals.
There are many methods for identifying risks. Typical identification methods include (1)
Examine each element of the project work breakdown structure to uncover risks; (2) Conduct
a risk assessment using a risk taxonomy. Interview subject matter experts; (3) Review risk
management efforts from similar products. Examine lessons-learned documents or databases;
(4) Examine design specifications and agreement requirements.
A typical work product would be a list of identified risks, including the context, conditions, and
consequences of risk occurrence.
5. Demonstrate that you have a process to evaluate and categorize each identified risk using the
defined risk categories and parameters, and determine its relative priority. The evaluation of
risks is needed to assign relative importance to each identified risk, and is used in determining
when appropriate management attention is required. Often it is useful to aggregate risks
based on their interrelationships, and develop options at an aggregate level. When an
aggregate risk is formed by a roll up of lower level risks, care must be taken to ensure that
important lower level risks are not ignored.
A typical work product would be a list of risks, with a priority assigned to each risk.
6. Demonstrate that you have a process to develop a risk mitigation plan for the most important
risks to the project, as defined by the risk management strategy. A critical component of a risk
mitigation plan is to develop alternative courses of action, workarounds, and fallback
positions, with a recommended course of action for each critical risk. The risk mitigation plan
for a given risk includes techniques and methods used to avoid, reduce, and control the
probability of occurrence of the risk, the extent of damage incurred should the risk occur
(sometimes called a “contingency plan”), or both. Risks are monitored and when they exceed
the established thresholds, the risk mitigation plans are deployed to return the impacted effort
to an acceptable risk level. If the risk cannot be mitigated, a contingency plan may be invoked.
Both risk mitigation and contingency plans are often generated only for selected risks where
the consequences of the risks are determined to be high or unacceptable; other risks may be
accepted and simply monitored.
Options for handling risks typically include alternatives such as: (1) Risk avoidance: Changing or
lowering requirements while still meeting the user’s needs; (2) Risk control: Taking active steps
144 | P a g e
to minimize risks; (3) Risk transfer: Reallocating design requirements to lower the risks; (4) Risk
monitoring: Watching and periodically reevaluating the risk for changes to the assigned risk
parameters; (5) Risk acceptance: Acknowledgment of risk but not taking any action. Often,
especially for high risks, more than one approach to handling a risk should be generated.
In many cases, risks will be accepted or watched. Risk acceptance is usually done when the risk
is judged too low for formal mitigation, or when there appears to be no viable way to reduce
the risk. If a risk is accepted, the rationale for this decision should be documented. Risks are
watched when there is an objectively defined, verifiable, and documented threshold of
performance, time, or risk exposure (the combination of likelihood and consequence) that will
trigger risk mitigation planning or invoke a contingency plan if it is needed.
Adequate consideration should be given early to technology demonstrations, models,

simulations, and prototypes as part of risk mitigation planning.
Typical work products would include: (1) Documented handling options for each identified risk;
(2) Risk mitigation plans; (3) Contingency plans; and (4) a list of those responsible for tracking
and addressing each risk
7. Demonstrate that you have a process to monitor the status of each risk periodically and
implement the risk mitigation plan as appropriate. To control and manage risks effectively
during the work effort, follow a program to monitor risks and their status and the results of
risk-handling actions regularly. The risk management strategy defines the intervals at which
the risk status should be revisited. This activity may result in the discovery of new risks or new
risk-handling options that may require re-planning and reassessment. In either event, the
acceptability thresholds associated with the risk should be compared against the status to
determine the need for implementing a risk mitigation plan.
Typical work products would include: (1) Updated lists of risk status; (2) Updated assessments
of risk likelihood, consequence, and thresholds; (3) Updated lists of risk-handling options; (4)
Updated list of actions taken to handle risks; and (5) Risk mitigation plans.
8. Demonstrate that you have established and maintain an organizational policy for planning
and performing the risk management processes.
9. Demonstrate that you establish and maintain a plan for performing the risk management
process. Typically, this plan for performing the risk management process is included in (or
referenced by) the project plan. This would address the comprehensive planning for all of the
145 | P a g e
specific practices in the project plan, from determining risk sources and categories all the way
through to the implementation of risk mitigation plans.
10. Demonstrate that you provide adequate resources for performing the risk management
process, developing the work products, and providing the services of the process. Examples of
resources provided are: risk management databases, risk mitigation tools, prototyping tools,
and modelling and simulation.
11. Demonstrate that you assign responsibility and authority for performing the process,
developing the work products, and providing the services of the risk management process.
12. Demonstrate that you train the people performing or supporting the risk management
process as needed.
13. Demonstrate that you place designated work products of the risk management process under
appropriate levels of configuration management.
14. Demonstrate that you identify and involve the relevant stakeholders of the risk management
process as planned.
15. Demonstrate that you monitor and control the risk management process against the plan for
performing the process and take appropriate corrective action.
16. Demonstrate that you objectively evaluate adherence of the risk management process against
its process description, standards, and procedures, and address noncompliance.
17. Demonstrate that you review the activities, status, and results of the risk management process
with higher level management and resolve issues. Reviews of the project risk status are held
on a periodic and event-driven basis with appropriate levels of management, to provide
visibility into the potential for project risk exposure and appropriate corrective action. Typically,
these reviews will include a summary of the most critical risks, key risk parameters (such as
likelihood and consequence of these risks), and the status of risk mitigation efforts.
146 | P a g e
Direct response to actuated program risk and confirm remedial actions are
authorised with impact analysis according to program objectives
Once you’ve completed your risk assessment, you’re ready to create your risk management
response plan (using appropriate risk management tools). Note that risk management isn’t
something you check off your project to-do list; it’s an ongoing process.
Here are the suggested steps:
Step 1: Determine Your “Risk Tolerance”
How much risk can you take on before you consider abandoning the project? This is an
essential conversation to have with your stakeholders. Their success is on the line, too.
There are a lot of issues to discuss: do they want to be informed when risks happen? Or will
it depend on the level of impact? If certain risks occur that could derail the project, do they
want to be consulted first or do you have the authority to act right away? Make sure
everyone knows the plan of attack and agrees on the strategy. Stakeholder conflict is one
risk you can counteract with open communication.
Step 2: Decide Which Risks to Manage
Once you’ve determined the project’s risk tolerance level, you can start to identify which
risks are worth your time and attention. Even if a risk has a high probability of occurring, if
its impact is small — say it would add $200 to your project costs and your budget is $50
million — you may choose to ignore it if counteracting the risk is an inefficient use
Use a risk matrix as a key tool for your risk register to identify which risks fall below your
level of tolerance, and which you need to plan for. Use your completed assessment to plot
each risk on a quadrant: high probability and high impact risks to the upper right; low
probability, low impact risks to the lower left.
147 | P a g e
Risk Matrix template from The Program Manager’s Blog
Pay special attention to that upper-right quadrant. These are risks that are both high
probability and high impact. They’re more likely to happen, and if they do, it could be game
over for your project. In these instances, you’ll want to be proactive in lowering the
probability that the risk will occur (if possible), or have a definite plan in place to counter its
effects.
Step 3: Identify Project Risk Triggers
What cues might indicate a particular risk is imminent? If someone in the office starts
sneezing and coughing, that could be a “trigger” your team is about to get hit with the flu
bug. Establish roles and responsibilities for monitoring triggers among your team, and
determine what steps should be taken if one pops up.
Step 4: Create an Action Plan
What can be done to reduce the probability of a risk occurring, or minimize its negative
impact? (Can you provide Purell during flu season? Or spread important tasks among the
team so progress can be made even if someone’s out for a few days?) If a risk occurs,
what’s the most effective response? What will your team do, and who’s responsible for
what? Make sure you’ve thought each piece through and everyone on your team knows
the plan.
Step 5: Evaluate
After your project wraps up, step back and consider which parts of your strategy were
successful. How effective were your triggers in forewarning risks? How effectively did you
react to those triggers, and were you able to successfully prevent any risks from affecting
the project outcomes? What could be done to improve for the next project?
A project manager must be able to handle risk well to be able to guide a project to its
completion. As the complexity of projects has increased over the years and as products and
148 | P a g e
services have become more technologically sophisticated, the need for risk analysis has
significantly increased23.
A project manager is probably not able to address every single risk, but needs to take steps to
identify them and plan to handle them should they occur. A useful way to categorise risk is
through two distinct dimensions:
Probability.This dimension represents how likely it is for an event to occur. The range is between
0% and 100%. It can"t be 0% since it will never be a risk and it can’t be 100% since it will
become certainty.
Impact.This represents the size of the impact of the risk if it occurs. The larger the impact the
more critical the risk.
Considering these two dimensions, all risks can be divided into four types as explained below:
Low impact, Low probability. You can usually ignore these risks (subject to specific industry
standards).
Low impact, High probability.You may get numerous risks in this category. You should take
steps to reduce the likelihood of their occurrence.
High impact, Low probability.When they happen they are bad, but it is rare for these to happen.
For these you should take steps to reduce their impact, perhaps using contingency plans.
High impact, High probability.These risks are frequent and since they can be disruptive, you
must consider them as top priority. If you find yourself here consistently, you need to step back
to the drawing board and carry out detailed analysis.
Project management involves the identification of risk and understanding which category each
risk belongs to. To carry out a valuable risk analysis, correct and accurate prediction is critical.
To carry out a thorough project management analysis, use the following steps:
1. Divide the project into work breakdown structures (WBS). This allows you to chunk the project
into smaller parts which allows you to handle each part easily.
2. Identify the inputs and outputs of each WBS. Since the completion of each WBS depends on
what is available at the start, it is critical to identify these inputs so you can accurately analyse
risks later on. You also need to identify what is required from each WBS, so that the risks of not
delivering those outputs can be identified. In other words, if you don"t know the exact standard
of the output required for each WBS, you will have difficulty identifying critical risks.
23
Source: TASKey, as at http://www.taskey.com/resources/Related%20articles/project-management-training-
materials.aspx, as on 29th March, 2017.
149 | P a g e
3. Having identified the WBS and their inputs/outputs, you need to link them us to see which
WBS leads to others. If work is halted in one WBS, you need to know the impact of this on other
WBS and the associated risk.
4. Identify critical dependencies. Is there a WBS that many others rely on and its completion is
critical to the success of the project? For this, you can use critical dependency graphs to visually
analyse the project.
5. Identify risks across the whole project. Consider the following types:
A. Risks in each WBS
B. Risks of receiving wrong inputs or no inputs at all
C. Risks of product wrong outputs or no outputs at all
D. Risks identified based on critical dependency graph
E. External risks
F. Project management risks
6. Score these risks based on the likelihood of their occurrence. You can use calculations,
historical analysis or use statistical calculations to identify these values. Use a scale of 0 to 100%
probability.
7. Estimate the impact of each risk on the success of the project. For each risk assign a number
between 0 and 100 representing its impact on the project. For example, an impact of 100 means
the total failure of the project as a result of a specific risk.
8. Draw a 2D map using the two dimensions of probability and impact. Plot the risks you have
identified on this map using the two dimensions.
9. Based on the specific priority identified earlier when handling risks, address each risk and
devise plans to reduce their impact or draw up contingency plans.
Good project management relies on foresight and vision. Most of the time, the data and
information are available before disaster occurs. It only requires us to look a bit deeper into the
project and walk through it as it would unfold in the future. Those who can master the art of risk
analysis usually go on successfully manage projects, even those that are insanely complex.
Project managers who fail to grasp the importance of risk management and 'black swan' events
can wake up one day and be faced with a lot of lost effort, wasted time and resources
150 | P a g e
Start Your Projects Risk-aware, Not “Risk-free”
Discovery, ingenuity, ambition — all businesses and projects involve risk. You’ll never be able to
eliminate uncertainties, but having a plan in place can keep small problems from growing into full-
blown catastrophes. And by acknowledging risk and keeping an eye out for it, you can recognize
and jump on fortunate opportunities to deliver value beyond what’s expected.
Activity 8
Provide an example of an identified program risk, its potential impact on a program and
possible remedial action to mitigate the risk.
151 | P a g e
Activity 8
152 | P a g e
Activity 8
Identify and document program residual risk and communicate to

stakeholders any transferred liability at program completion
Types of Risks24
Aside from the primary risk inherent in any project, activities may also involve secondary and
residual risks.
Secondary Risks
The PMBOK® Guide defines Secondary Risks as "those risks that arise as a direct outcome of
implementing a risk response". In simple terms, you identify a risk and have a response plan in
place to deal with that risk. Once this plan is implemented, the new risk that may arise from the
implementation is called a secondary risk.
A response plan is created depending on the impact of these risks on a project. A high impact risk
24
Source: Simplilearn, as at https://www.simplilearn.com/residual-risk-vs-secondary-risk-article, as on 17th
February, 2021.
153 | P a g e
will require a response plan, whereas if the risk seems negligible, it will only be watched by
managers.
Consider an illustration: you put in a trap for a wild animal that has been coming to your garden
at night and destroying it. However, there is a chance that a member of your family or a guest at
your house might get caught in this trap.
Or, assume you are the manager for a construction project. From past experience, you know that
one main risk that you may face is that the sand supplier may not deliver on time. In the risk
management plan you create, you have already accounted for this risk. The action you will take up
if this were to occur is to procure the sand from a different supplier. A potential risk that you may
encounter is the difference in the sand, provided by the first and second supplier, which would
then be a secondary risk.
Residual Risks
Residual risks are the leftover risks, the minor risks that remain. The PMBOK® Guide defines
Residual Risks as "those risks that are expected to remain after the planned response of risk has
been taken, as well as those that have been deliberately accepted".
Residual risk is the risk that remains after you have treated risks25. Risk management involves
treating risks meaning that a choice is made to avoid, reduce, transfer or accept each individual
risk. It is difficult to completely eliminate risk and normally there is a residual risk that remains
after each risk has been managed.
The following are a few examples of residual risks.
1. Risk Avoidance
A business decides to avoid the risk of developing a new technology because the project has
many risks. The residual risk is that a competitor will develop the technology instead and the
business will become less competitive.
2. Risk Reduction
An airline reduces the risk of an accident by improving maintenance procedures. Residual risks
remain in the process including a chance of human error such as skipping steps in the
procedure.
3. Risk Transfer
A homeowner transfers the risk of flood damages to their home by getting flood insurance.
Residual risks include the insurance deducible amount and the chance that the insurance
company will go bankrupt as the result of a large scale flood and fail to pay.
4. Risk Acceptance
When a risk is accepted, the entire risk becomes a residual risk. For example, an investor may
accept the risk that a stock will go down because they predict that the potential rewards of the
investment outweigh the risks.
25
Source: Simplicable, as at http://simplicable.com/new/residual-risk, as on 17th February, 2021.
154 | P a g e
They are acceptable to the organization's risk tolerance level. Sometimes a residual risk has no
reasonable response either. Managers simply accept them the way they are. If it has to happen, it
will happen, and there isn't much you can do about it.
These risks are identified during the process of planning. A contingency reserve is set up to
manage risks such as these.
Organizations should address residual risks by:
• Identifying the relevant governance, risk, and compliance requirements.

• Acknowledging existing risks.
• Determine the organization's control framework's strengths and weaknesses
• Define the organization's appetite.
• Plan for appropriate contingencies
For instance, you may have established a risk of rain that may last an hour or two and which may
disrupt some of your planned meetings. To manage this risk, you have scheduled your other
meetings with a buffer of couple of hours. So that even if it rains for 2 hours, your other plans are
not disrupted.
This doesn’t eliminate the risk of your schedule getting messed up, but only lowers the risk.
Whatever risk that still remains is termed “residual risk”. As an example, it is possible it continues to
pour down, which disrupts your subsequent meetings. So the contingency plan (if the risk occurs)
could be that you attend the meeting remotely, over phone.
This may lead to another risk that your presence during the meeting may not be as effective or
impactful had there been no rain and you were present in person. This is secondary risk.
Table:
Secondary Risks Residual Risks

Definition Those risks which arise as a Those risks which are
direct outcome of expected to remain after the
implementing a risk response planned response of risk has
been taken, as well as those
that have been deliberately
accepted
Action Required? Yes Not always – depends
Action to take Creation of a response plan A contingency plan
Example Putting out a trap for an You end up attending
animal in your field but a meeting remotely
member of the family getting
caught in it instead
155 | P a g e
Residual risk management26
Once you find out what residual risks are, what do you do with them? Basically, you have these
three options:
1. If the level of risks is below the acceptable level of risk, then you do nothing – the
management needs to formally accept those risks.
2. If the level of risks is above the acceptable level of risk, then you need to find out some
new (and better) ways to mitigate those risks – that also means you’ll need to reassess the
residual risks.
3. If the level of risks is above the acceptable level of risk, and the costs of decreasing such
risks would be higher than the impact itself, than you need to propose to the
management to accept these high risks.
Such a systematic way ensures that management is involved in reaching the most important
decisions, and that nothing is overlooked.
So the point is – top management needs to know which risks their company will face even after
various mitigation methods have been applied. After all, top management is not only responsible
for the bottom line of the company, but also for its viability.
26
Source: Advicera, as at https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-
important/, as on 17th February, 2021.
156 | P a g e
Review and analyse program outcomes to assess the effectiveness of the
risk-management methodology
Evaluating the effectiveness of risk management27
Phased approach to evaluating risk management effectiveness
This guide describes a systematic way of finding how effective is an organisation’s current
approach to managing risk. It considers the intentions of the organisation, how they are expressed
and communicated and also what happens in practice. This leads to a realistic improvement
program for the organisation’s framework for managing risk and each application of the risk
management process. The guide stresses how management must be involved in all stages to
ensure success.
Introduction
All organizations of all kinds face internal and external factors and influences that make it
uncertain whether, when and the extent to which they will achieve or exceed their objectives.
These objectives are its highest expression of intent and purpose, and typically reflect an
organisation’s explicit and implicit goals, values, and imperatives or relevant enabling legislation.
The international risk management standard, ISO 31000:2009, defines risk as the effect of
uncertainty on objectives. The effective management of risk is therefore essential if organisations
are to achieve their objectives and satisfy the needs of their stakeholders.
It has been long recognised that good governance and effective management are best achieved
through the development and deployment within an organisation of one coherent and consistent
27
Source: Broadleaf, as at http://broadleaf.com.au/resource-material/evaluating-the-effectiveness-of-risk-
management/, as on 17th February, 2021.
157 | P a g e
framework, methodology and vocabulary for management of risk, to be used for all types of
activity. This ensures that:
• There is a consistent and defensible basis for decision making at all levels, particularly
where effort or capital is expended
• Change activities are more likely to succeed
• The organisation can pre-empt and capitalise on external changes such as those involving
demographics, customers’ needs and government policy
• All employees are encouraged to focus on and give priority to actions that aid and
enhance the execution of strategic and project plans and the organisation’s objectives
• The organisation is prepared for and protected from major incidents and losses
• Tactical moves, to identify and seize opportunities are stimulated and enhanced
• Accountability for risks and, most importantly, for controls and the monitoring and
assurance of controls is clear and not doubtful.
In time this will also lead to a significant change in culture as the organisation as its employees
engage on activities directly related to ensuring the achievement of goals and objectives and the
successful completion of projects.
What is a framework and how does it lead to effective risk management?
An organisation’s ability to manage risk effectively depends on its intentions and its capacity to
achieve those intentions. This intent and capacity is referred to as its risk management framework
and is part of its system of governance and management.
The quality of the framework is important because effective risk management requires:
• Clear expectations from ‘the top’

• Appropriate capability (skills, resources, support)
• Sound relationships with stakeholders
• Integration of necessary risk management practices into the day-to-day activities and
accountabilities of the management team
• A commitment to continually learn and improve.
The risk management framework should not attempt to replace the natural capability of people to
manage risk; rather it should enhance good practices so that the process is reliable,
comprehensive and consistent. For this to occur and for the required capability to be achieved,
the organisation requires:
1. A set of suitable ‘tools’

2. A coherent approach to training and communicating to people so that they can use those
tools in a competent and consistent manner
3. An approach that signals and reinforces the correct behaviour and way of thinking.
The typical elements of a framework and an illustration of how this supports the integration of the
risk management process is shown in the figure below.
158 | P a g e
The framework for risk management
General approach to effectiveness evaluation
After many years of practical experience in evaluating and enhancing frameworks for risk
management in organisations, Broadleaf believes that success depends as much in the manner in
which any changes to a framework are developed and implemented as it does in the detail of the
tools and written materials generated. This is why we would strongly recommend to our clients
that we help it through a management of change process, where key internal stakeholders are
carefully involved and engaged in evaluating the existing approach and in planning how, where
and when enhancements will be made.
The core of this management of change process involves internal stakeholder representatives
participating in a facilitated gap analysis and evaluation that then leads to a clear and practical
enhancement and implementation plan. This is depicted in the “Y Model” shown in the figure and
described below.
To enable those stakeholder representatives to participate effectively, they need to be well briefed
on current risk management thinking and shown examples drawn from other organisations of
elements of a risk management framework.
This approach has the added benefit that the participants of this process then become the
organisation’s “Champions” who are motivated to lead the implementation process in their own
departments and functions. They also act to convince their superiors of the merits of the approach
and motivate acceptance and use.
159 | P a g e
Y Model
To be successful and efficient, the management of change approach requires:
1. An accepted and accurate representation of the current arrangements for managing

different forms of risk – the present situation
2. The fundamental concepts of risk and risk management and the desired goals in terms of
the risk management framework and process to be clearly understood by those
sponsoring the change – the wanted situation
3. A clear and accepted appreciation of the elements of the existing framework that need to
be enhanced or improved and the nature of those changes and any additional elements
that need created – what needs to change
4. The exploration of options, constraints, enablers and critical paths leading to an
appropriate plan of actions with timings
5. A clear commitment to the plan and its implementation through the allocation of suitable
resources by senior management and by their continued oversight of progress.
These steps can be tackled separately and the results fed back to senior management. However,
after many years and numerous attempts we have found that most efficient approach, and the
one that gains the greatest degree of ownership and endorsement, is to involve representatives of
senior internal stakeholders in all these steps over a short space of time. This approach is
described in detail below.
Phase 1 - Preparation
160 | P a g e
Evaluation studies typically start with an initial meeting where the detailed arrangements, including
the schedule of activities and delivery dates, the documents to review reviewed and the interview
candidates are agreed.
Prior to the meeting we issue a checklist of background documentation we would like to review
and will often open up a secure Internet portal to which documents can be uploaded. This list can
include:
• Relevant policy statements, framework descriptions, internal standards and procedures,

with a particular focus on decision support and controls assurance
• Internal standards, procedures or guidelines that deal with particular applications of risk
management. For example in the area of safety, procurement, security, operations,
maintenance, BCM, compliance and project management
• The current strategic plan and objectives
• Examples of risk management plans and control assurance plans
• Extracts from the risk management information system including risk registers and risk
treatment plans
• Methodology for and outputs from any quantitative risk analysis studies (range analyses)
for schedule, capital and value evaluation and contingency estimation
• Copies of recent reports to any risk management steering committees or review groups
and the oversight committee that show risk management performance
• Copies of any existing training and briefing materials that deal with risk management.
We then normally undertake a preliminary review of the materials and, from this, develop an aide
memoire of sample questions that we might ask those we interview. This document is sent to
those who are to be interviewed to allow them to prepare.
Phase 2 - Elicitation and verification
In our experience it is vital to observe and review how risk management takes place in practice.
This is particularly true if there might be any discontinuity of practice across the organisation or
inconsistent processes and systems. It is also important to test management’s perceptions of the
current approach to risk management to see if it is currently viewed as effective and is likely to
satisfy their future needs.
We therefore undertake this observation through a series of structured interviews with senior
managers from which we will draw conclusions on:
• The suitability of the current framework and tools to manage risk associated with an
organisation of a comparable size and complexity, its risk profile and the risk criteria that
should reflect its attitude (appetite)
• The drivers of that attitude, based on what are recognised as the ‘key success factors’ and
growth objectives for the organisation
• The perceived usefulness of the current risk management process and its degree of
integration into key decision-making processes;
• The strengths and limitations of the other approaches to risk management specific to
particular kinds of risks that co-exist in the organisation
• Whether the tools and methods currently being used are capable of providing the
161 | P a g e
organisation with a current, correct and comprehensive understanding of its risks and
inform it whether the risks are within its risk criteria
• The level of understanding of senior managers about aspects of the risk management
culture
• An outline of the perceived risk profile of the organisation and whether this varies from
the risks reported to senior management and oversight committees.
Each interview usually takes about one hour and a member of the organisation’s risk function
normally accompanies us to help transfer knowledge.
While the predominant purpose of the interviews is to obtain information from the participants to
support our review, they also provide an opportunity to explain the purpose of the study.
At the conclusion of the series of interviews we normally provide immediate feedback to the
organisation’s risk staff on:
• Our findings
• Our conclusions on the level of maturity, the strengths and weaknesses
• Our initial thoughts on where the organisation could enhance the management of risk and
the steps that should be taken.
This meeting also allows any misunderstandings or misperceptions to be rectified.
Phase 3 - Gap analysis and evaluation
Using the information we have gathered we conduct a detailed gap analysis and evaluation of
effectiveness using the guidelines and principles in ISO 31000 and what we understand is world’s
best practice as a basis for comparison. Often this is conducted as a facilitated workshop involving
the management team.
The gap analysis looks at how the organisation expresses its intentions for managing risk and the
elements of the capacity it claims it provides. In practice this involve us looking all the elements of
the risk management framework and process shown above to determine if they are present and
are suitable for the organisation and its environment.
We normally prepare a full gap analysis and evaluation report that includes our findings in terms
of:
• The framework and how it facilitates the integration of risk management into decision
making, including risk management plans and the strategy for their implementation
• How risk management is applied in strategy development and during the concept and
development phases of projects, for decision-making and change management and as
part of design review
• Control assurance and reporting
• The reliability of each element of the risk management process
• How risk management is used to deal with changes and to provide contingency
arrangements that respond to disruptions, including how learning and feedback take
place after events, incidents and decisions
162 | P a g e
• How the overall risk profile of the company is obtained and evaluated through
aggregation and roll-up and how risks are treated at a corporate level
• The form and content of governance reporting
• How risk treatments are closed out and monitoring and review of risks, controls and risk
treatments occurs
• The organisation’s culture as it pertains to the management of risks in terms of both intent
and practice
• The adequacy and effectiveness of the systems and resources available to support the
management of risk, including human resources.
Phase 4 - Gaining ownership and detailed planning
We believe that it is important that senior managers appreciate and can comment on our findings
and conclusions and that this leads to support for any enhancement plan. It is important that this
takes place before our report is made available to the oversight committee so that it can indicate
management’s response.
We therefore normally present our findings and recommendations at a short meeting with senior
managers. A typical draft agenda will be:
• Fundamentals of risk and best practice risk management

• Overall findings and assessment of the benchmarking review
• Suggested improvements and enhancement strategies
• Draft enhancement plan.
The planning component of this session follows the ‘Y model’ (see above) to elicit feedback and
ownership of the current situation, the wanted situation and what needs to change. The
management team is encouraged to discuss and compare options and then to finalise the
enhancement plan actions and agree timelines. These agreements are recorded and included in
our final report.
Phase 5 - Report to the oversight committee
Our clients often ask us to present our findings to their oversight committee. This provides them
with the confidence that the evaluation was conducted in an independent manner and to enable
the members to challenge and question any outcomes.
Normally our report is accompanied by the management-agreed enhancement plan, to indicate

the organisation’s commitment to improvement.
In most cases the oversight committee is provided with progress reports against this enhancement
plan at subsequent meetings.
163 | P a g e
Activity 9
What is involved in gap analysis and evaluation?
164 | P a g e
Activity 9
Seek feedback and respond to relevant stakeholders on risk management
The Importance of Stakeholder Opinion28
Not only will your immediate team be invested in the success of your project, but stakeholders will
too. Typically, stakeholders are people, groups, or organizations outside a project, who can affect
or be affected by your plans. It's all but certain they’ll be eager for updates and information about
how your project is running.
28
Source: Safran, as at https://www.safran.com/blog/how-to-communicate-risk-to-project-stakeholders, as on
17th February, 2021.
165 | P a g e
Additionally, these stakeholders and their approval (or ‘buy-in’) will be crucial to the success of
your project life-cycle as they provide important resources, external support, and influence that
can help you achieve key project milestones and keep your plans moving until completion.
Arguably, external stakeholders wield the most influence on the long term success of a business or
project, as they will often be the end users/customers.
If you regularly engage your stakeholders from the start, their expectations for the delivery, risks,
and completion of your project will be more realistic – avoiding negative stakeholder opinion and
instead meeting their expectations.
Why You Should Communicate Risks
Identifying risks should never be purely an academic exercise – in reality, risk assessments are next
to useless unless effectively communicated. Why should you communicate risks?
Promote Accountability
Before risks are identified, it can be difficult for project roles and responsibilities to be defined.
29% of businesses identify accountability as a key obstacle to project completion – highlighting
the need for better role allocation and procedures for dealing with risks.
If project managers are able to immediately call to the right individual or resources to deal with an
issue, projects can stay on track when or if a risk occurs, as potential risks are already 'marked in
red'. By communicating potential risks to the right people, such as your teams and stakeholders,
you're able to better understand who you should allocate roles and responsibilities to.
Provide Realistic Expectations
Project stakeholders will have multiple reasons for investing their finances, time, and support into
your project – so it's important to return the gesture with transparent communications about your
project timeline.
If your stakeholders have unrealistic expectations that are not met, it's likely they will
become disengaged or unhappy and cause damage to your project by being non-responsive or
communicating negatively to others. If you find a balance in both general and risk
communications and communicate the potential risks that could alter project timelines, your
stakeholders are likely to have higher trust and confidence in your project.
Unify Your Team
In modern times, projects and the teams that work on them often aren't found in just one
location, with many projects even extending across the world. So, if something goes wrong, how
can project managers effectively communicate the risk to their widespread team?
By taking steps to communicate risk, you identify potential issues beforehand and equip your
teams with the ability to respond effectively. This reduces confusion and enhances problem-
solving skills in your teams. Risk analysis software can detect potential risks and communicate
166 | P a g e
them using graphical reports. This provides your teams with easily understood information,
enabling them to respond to risk instantly, without needing to be informed by other personnel
who may be in different locations or time zones.
How to Communicate Risk to Stakeholders
Risks need to be clearly communicated before, during, and after a project to ensure that
stakeholder expectations and opinion are upheld.
Unfortunately, we all know that risk management isn't as easy as writing a list and sliding it across
the table towards your most important stakeholders. Project managers need to involve
stakeholders in project conversations, keep important individuals engaged, and use the correct
tools to enable effective communication.
Here are our four tips for communicating risks to stakeholders, and why they're important:
1. Involve Your Team
Project managers are often held responsible for communicating with stakeholders, but they
shouldn't be the only line of communication. Risk management requires the involvement of all of
your project team members, especially if individuals hold expertise in certain risk areas, or are
leaders of a specific aspect of the project.
These particular specialists will provide relevant and detailed information, and help build more
realistic stakeholder expectations. By meeting expectations, it's easier to relate to project
stakeholders and obtain their vital support for your project.
Studies conducted by The Project Management Institute found that by shaping realistic
stakeholder expectations, projects were found to be more successful, as support was a
distinguishing factor between successful and challenged projects. By allocating communication
responsibilities to expert individuals, stakeholders can obtain more relevant information that
provides them with these vital realistic expectations.
2. Consider Stakeholder Location
If key stakeholders aren't located near you or your project, it can make it difficult to communicate
effectively. Ideally, you should choose a project team member who is close to the location of your
stakeholders, whether it's by region, country, or time zone, who can more easily respond to
questions and concerns.
In our digital age, face-to-face communication can build stronger working relationships and
encourage higher engagement, so consideration of stakeholder location should be a priority if
you want to communicate effectively. If you're holding a weekly call at a time where a stakeholder
in a different time zone may be asleep, or can't find a time or day when essential stakeholders are
available, it's likely they'll become disengaged. Remote members of your team can use your risk
assessment reporting system as the central hub of their information and communicate to
stakeholders with greater foresight into potential risks.
167 | P a g e
3. Utilize technology
Risk analysis technology can equip you and your team members with the ability to
communicate quantitative risk analysis to your stakeholders. When risk assessment is purely
speculative or includes an inaccurate assessment of resources, finances, or time, stakeholder
expectations can become misguided towards unrealistic demands. This can leave them unhappy
with your project's management, potentially damaging their support.
Cost risk tools can perform a cost-only risk analysis from the beginning of your project until
closeout, ensuring that financial expectations are met. Additionally, risk analysis technology can
perform a schedule risk analysis that identifies high-risk areas of your project, provides high value
information such as a prioritized report of the top risks likely to delay your project, and allows you
to accurately determine an end date (a crucial stakeholder expectation).
Moreover, risk assessment tools enable you to visualize alternative scenarios to your risks and
enable you to calculate the impact of them. By using technology, you can communicate accurate
information to your stakeholders that is more likely to ensure their support.
4. Use Reporting and Alerts
If we recognise the importance of communicating with stakeholders, how do project managers

ensure that communications are regular, stakeholders are engaged, and that stakeholders are fully
aware of the risks of their project?
By regularly reporting on your project, you can check for common issues, report potential issues
with interactive links, and submit them for analysis. You can then set up alerts for potential risks
and retroactively react and inform key individuals or stakeholders who need to know.
Activity 10
Outline two methods that you could use to collect stakeholder feedback related to a program.
168 | P a g e
Activity 10
169 | P a g e
Activity 10
Analyse, document and recommend lessons learned for application in other

programs
Evaluating risk management process

Risk management is a continual process. Reaching a point of completion in a risk management
project, only means that it’s time to go back and review everything over again.
It is critical to constantly monitor and review the processes and outcomes. Monitoring and
reviewing risk management processes helps to include risk management as a valuable part of the
170 | P a g e
company. The risk management process in not static but is taken in the context of the internal and
external environments. As these environments change, the variables affecting risk also change.
Evaluating the process of risk management can be assigned to individuals within departments or
to dedicated staff depending upon the nature of the organisation and the resources available.
Consultants may be brought in at critical times to evaluate processes and institute changes based
on risk contexts or environmental, social and political changes.
In addition to planned and scheduled monitoring and review sessions to examine new risk, review
of the management plan must be ongoing in order to stay relevant. As policies, procedures, and
visions of a corporation change, risk changes. As external contexts change, risks change. Suitability
and cost factors for treatment options change. Treatment options or contingency plans may lose
relevancy throughout the process. External variables such as legislative actions may develop which
creates a different context under which to analyse and evaluate risk.
Examination of successes and failures in relation to anticipated outcomes is a necessary

component of the risk management process. It increases the probability that future risks can be
evaluated with higher levels of accuracy and greater success. An inability to achieve outcomes
does not indicate failure, but provides an opportunity to gain valuable knowledge regarding
process change. Duplication of ineffective processes leading to a repetition of unachieved
outcomes indicates a failure to learn. That can be tragic when corporations, and the people that
depend on them, are at risk.
One of the key components to the risk management process is keeping an accurate record of
documentation relating to the communications, justifications, analyses and relevant information
pertaining to risk. Remember how we began the risk assessment process? With research relating
to:
• Data or statistical information

• Information from other business areas
• Lessons learned from other projects or activities
• Market research
• Previous experience
• Public consultation
• Review of literature and other information sources
171 | P a g e
Monitoring is not only a practical requirement but a legal obligation, as the common law duty of
care and WHS legislation requires that the employer “provide and maintain a working
environment that is safe”.
All organisations should ensure that risk identification, assessment analysis, evaluation techniques
and the change arising from these processes fall within the culture of the organisation. This
requires commitment from the most senior levels of management in the organisation, and it
requires communication throughout all ranks of the organisation.
Leadership and coaching are two of the most commonly used processes to engage an
organisation in cultural change to embrace the issues of risk identification and management and
the issues arising from the change that flows from these procedures.
Activity 11
When selecting and implementing treatments, there are six things you need to ensure you do.
List them in the table below, then give a brief description of what they involve.
Task Brief Description
172 | P a g e
Identify and document risk management issues and recommended improvements for application
to future projects and programs29
Project Management Institute (PMI) Project Management Body of Knowledge (PMBOK) defines
lessons learned as the learning gained from the process of performing the project. Formally
conducted lessons learned sessions are traditionally held during project close-out, near the
completion of the project or program.
However, lessons learned may be identified and documented at any point during the project’s life
cycle.
The purpose of documenting lessons learned is to share and use knowledge derived from
experience to:
• Promote the recurrence of desirable outcomes
• Preclude the recurrence of undesirable outcomes
As a practice, lessons learned includes the processes necessary for identification, documentation,
validation, and dissemination of lessons learned. Utilization and incorporation of those processes
includes identification of applicable lessons learned, documentation of lessons learned, archiving
29
Source: Mind Tools, as at https://www.mindtools.com/pages/article/newPPM_69.htm, as on 5th December,
2016.
173 | P a g e
lessons learned, distribution to appropriate personnel, identification of actions that will be taken as
a result of the lesson learned, and follow-up to ensure that appropriate actions were taken.
Lessons learned document the cause of issues and the reasoning behind any corrective action
taken to address those issues. When thinking about how to effectively document a project’s
lessons learned, consider these types of questions:
• What was learned about the project in general?
• What was learned about project management?
• What was learned about communication?
• What was learned about budgeting?
• What was learned about procurement?
• What was learned about working with sponsors?
• What was learned about working with customers?
• What was learned about what went well?
• What was learned about what did not go well?
• What was learned about what needs to change?
• How will/was this incorporated into the project?
Lessons learned should draw on both positive experiences – good ideas that improve project
efficiency or save money, and negative experiences – lessons learned only after an undesirable
outcome has already occurred. Every documented lesson learned should contain at least these
general elements:
• Project information and contact information for additional detail
• A clear statement of the lesson
• A background summary of how the lesson was learned
• Benefits of using the lesson and suggestion how the lesson may be used in the future
At any point during the project life cycle, the project team and key stakeholders may identify
lessons. The lessons learned are compiled, formalized, and stored through the project’s duration.
Upon project completion a lessons learned session is conducted that focuses on identifying
project success and project failures, and includes recommendation to improve future performance
on projects.
The lessons learned session is typically a meeting that includes:

• Project team
• Selected stakeholder representation including external project oversight, auditors, and/or QA
• Project support staff
Participants in lessons learned sessions typically discuss questions similar to the following:
• Did the delivered product meet the specified requirements and goals of the project?
• Was the customer satisfied with the end product(s)? If not, why not?
• Where costs budgets met? If not, why not?
• Was the schedule met? If not, why not?
• Were risks identified and mitigated? If not, why not?
• Did the project management methodology work? If not, why not?
• What could be done to improve the process?
• What bottlenecks or hurdles were experienced that impacted the project?
174 | P a g e
• What procedures should be implemented in future projects?
• What can be done in future projects to facilitate success?
• What changes would assist in speeding up future projects while increasing communication?
Lessons learned and comments regarding project assessment should be documented, archived,
presented, and openly discussed with the intent of eliminating the occurrence of avoidable issues
on future projects.
Since most issues are, by their nature, unexpected, how do you make sure you'll be able to deal
with them quickly and effectively? Ideally, you need an issue resolution process in place before
you start your project – to make sure that you stay on schedule, and meet your objectives.
Issue management is the process of identifying and resolving issues. Problems with staff or
suppliers, technical failures, material shortages – these might all have a negative impact on your
project. If the issue goes unresolved, you risk creating unnecessary conflicts, delays, or even failure
to produce your deliverable.
Issues versus Risks
Issues and risks are not quite the same thing. However, the exact nature of both is largely
unknown before you begin. With risks, you usually have a general idea in advance that there's a
cause for concern. An issue tends to be less predictable; it can arise with no warning. For example,
being unable to find qualified staff is an identifiable risk. However, when one of your staff is in a
car accident, and hospitalized for three weeks, that becomes an issue!
It's important to identify risks before the project begins. A Risk/Impact Probability Chart provides a
useful framework to help you prioritize your risks. You can then develop a plan to manage those
risks proactively with solutions that you've already thought through and prearranged. However,
when it comes to issues, you have to deal with them as they happen. Issue management,
therefore, is a planned process for dealing with an unexpected issue – whatever that issue may be
– if and when one arises.
Tip:
When you don't identify and reduce risks at the beginning of a project, they can often become
issues later on. Make sure you understand your risks early. Learn from previous projects, and
benefit from the team's past experiences. This way, you'll have fewer issues to manage as you
move forward.
Issues Log
Issues – otherwise known as problems, gaps, inconsistencies, or conflicts – need to be recorded

when they happen. When you create an issues log*, you provide a tool for reporting and
communicating what's happening with the project. This makes sure that issues are indeed raised,
and then investigated and resolved quickly and effectively. Without a defined process, you risk
175 | P a g e
ignoring issues, or not taking them seriously enough – until it's too late to deal with them
successfully.
An issues log allows you to do the following:
• Have a safe and reliable method for the team to raise issues.
• Track and assign responsibility to specific people for each issue.
• Analyze and prioritize issues more easily.
• Record issue resolution for future reference and project learning.
• Monitor overall project health and status.
You can create an issues log by hand, build your own spreadsheet or database, or buy issue
management software from a wide variety of vendors.
However, do bear in mind that the success of your issue management process doesn't necessarily
depend on which tracking mechanism you use, but rather on the type of information you track.
You can include following information in an issues log:
• Issue type – Define the categories of issues that you're likely to encounter. This helps you
track issues and assign the right people to resolve them. You could have broad
descriptions like these:
• Technical – Relating to a technological problem in the project.
• Business process – Relating to the project's design.
• Change management – Relating to business, customer, or environmental changes.
• Resource – Relating to equipment, material, or people problems.
• Third party – Relating to issues with vendors, suppliers, or another outside party.
• Identifier – Record who discovered the issue.
• Timing – Indicate when the issue was identified.
• Description – Provide details about what happened, and the potential impact. If the issue
remains unresolved, identify which parts of the project will be affected.
• Priority – Assign a priority rating to the issue. Here's an example:
• High priority – A critical issue that will have a high impact on project success, and
has the potential to stop the project completely.
• Medium priority – An issue that will have a noticeable impact, but won't stop the
project from proceeding.
• Low priority – An issue that doesn't affect activities on the critical path, and
probably won't have much impact if it's resolved at some point.
• Assignment/owner – Determine who is responsible for resolving the issue. This person
may or may not actually implement a solution. However, he or she is responsible for
tracking it, and ensuring that it's dealt with according to its priority.
• Target resolution date – Determine the deadline for resolving the issue.
If a date for resolution changes, keep both the old date and the new date visible. This helps you
spot issues that have been on the log for a long time. Then you can either give them extra
attention, or take them off the list if they're no longer important.
176 | P a g e
• Status – Track the progress of the resolution with a clear label identifying the issue's
overall status. Here's an example:
• Open – The issue has been identified, but no action has yet been taken.
• Investigating – The issue, and possible solutions, are being investigated.
• Implementing – The issue resolution is in process.
• Escalated – The issue has been raised to management or the project
sponsor/steering committee, and directions or approval of a solution is pending.
• Resolved – The resolution has been implemented, and the issue is closed.
Use 'traffic lights' when reporting issues. This provides an easy-to-see indication of whether issues
are under control. Traffic lights could be used as follows:
• Red – Cannot proceed before issue is resolved.

• Yellow – Resolution in process, and you'll be able to proceed soon.
• Green – Resolution implemented, and issue no longer exists.
• Action/resolution description – Describe the status of the issue, and what has been done
to find and implement a resolution. Include the dates of each action. Here's an example:
• January 5 – Assigned issue to Samantha.
• January 7 – Testing started to identify origin of problem.
• January 8 – Solution suggested, and sent to steering committee for approval.
• January 10 – Approval received. Assigned implementation to Gregory.
• January 14 – Solution successful. Issue resolved.
• Final resolution – Include a brief description of what was done to address the issue.
Issues Management Framework
Supplement your issues log with a framework, or process, for dealing with those issues. This
framework helps the project team understand what to do with issues once they've been identified
and logged. Developing the framework answers questions like these:
• How will you assign responsibility for resolving the issue? For example, is there one person
who handles all technical issues? Who would handle a vendor issue?
• How will you know when to escalate an issue to management or the steering committee?
You may want to create a matrix of potential business impact versus issue complexity to
help you decide which issues should be taken to higher levels of management.
• Which criteria will determine an issue's priority status?
• Who will set the target resolution date?
• How will issues be communicated within the team? Will you use regular meetings, log
checks, status update emails, and so on?
• How will you identify different issues if several occur during one project? It is helpful to
number them so that you can identify issues easily when discussing them in progress
meetings.
• If change orders are needed, how will those be handled?
• When the resolution affects the budget or schedule, what will the update process be, and
who will be responsible?
177 | P a g e
One of the key challenges of issues management is to resolve the problem quickly and then move
on, with as little impact to the project as possible. The framework provides a structure for making
decisions when issues arise. Remember to consider your team's needs as you develop the
framework.
It's also important to make sure you cover all issues in your Post-Implementation Review. This is
where you capture lessons learned for future projects. The more you learn about your issues, the
better prepared you'll be for the next project. Some issues might occur again, so by recording
what you've learned from previous projects, it will be easier for subsequent project teams to
identify the issues, and resolve them successfully. Other issues might be part of a risk pattern that
you can proactively identify and manage with early risk assessment.
An issues management process gives you a robust way of identifying and documenting issues and
problems that occur during a project. The process also makes it easier to evaluate these issues,
assess their impact, and decide on a plan for resolution. An issues log helps you capture the
details of each issue, so that the project team can quickly see the status, and who is responsible
for resolving it. When you add an issues management framework, you have a comprehensive plan
to deal with issues quickly and effectively. This organized approach to managing issues provides
many valuable insights that can be used to refine and improve future project results.
The ultimate purpose of documented lessons learned is to provide future project teams with
information that can increase effectiveness and efficiency and to build on the experience that has
been earned by each completed project. If documented and disseminated properly, lessons
learned provide a powerful method of sharing ideas for improving work processes, operation,
quality, safety and cost effectiveness, etc. and helps improve management decision making and
worker performance through every phase of a project. They also helps validate some of the
tougher times endured during the project’s life and helps future Project Managers avoid similar
difficulties.
Best Practices
The following are recommended best practice approaches to Lessons Learned:
• Include All Experiences
- Lessons learned should draw on both positive and negative experiences.
• Act Quickly
- Obtain feedback as quickly as possible to avoid people forgetting the challenges faced during
the course of a project.
• Document
- Store lessons learned throughout the project in a central repository.
• Make Accessible
- Make lessons learned accessible to other projects.
• Archive Lessons
- Lessons learned should be archived as historical project data and incorporate into the
organizations lessons learned.
• Disseminate Lessons
- Disseminate lessons learned to the project management community.
• Reuse Lessons
178 | P a g e
- Reuse lessons learned from past projects to help better manage current projects.
• Involve Stakeholders
- Involve all project participants and stakeholders in the lessons learned process.
• Solicit Feedback
- Conduct a post-project survey to solicit feedback on the project from the project team,
customers, and stakeholders who were well-acquainted with the management of the project.
• Identify Lessons Learned
- Convene a lessons learned session to promote the success of future projects.
• Archive Data
- Archive all project data in a central repository. Include best practices, lessons learned, and any
other relevant project documentation.
Activity 12
How can an issue log be used in risk management in future projects?
179 | P a g e
Activity 12
180 | P a g e
Activity 12
181 | P a g e
ASSESSMENT
Student Name
Student ID
Unit commenced (Date)
Unit Completed (Date)
I hereby certify that I have undertaken these
assessment tasks utilising my own work without
assistance from any other parties. I have not
knowingly plagiarised any work in completing these
assessment activities.
Student Signature
182 | P a g e
Knowledge Assessment (Written Tasks)
1. What is risk according to ISO 31000?
183 | P a g e
2. What is the purpose of risk management?
184 | P a g e
3. How do organisational ethics affect risk management strategies?
185 | P a g e
4. What are the 11 risk management principles within AS/NZS ISO 31000:2009 Risk Management
Principles and Guidelines.
5. What is a residual risk?
186 | P a g e
187 | P a g e
6. Why are risks analysed and documented?
188 | P a g e
7. What are the focuses of risk identification?
189 | P a g e
8. Outline possible response strategies to program risks identified as threats.
190 | P a g e
9. Outline possible response strategies to program risks identified as opportunities.
191 | P a g e
192 | P a g e
193 | P a g e
Assessment Outcome
Question Correct (✓)

1
2
3
4
5
6
7
8
9
Assessed by _________________________ Assessor Signature_______________ Date _________
194 | P a g e
Skills Assessment (Practical Tasks)
ASSESSOR NOTE
These instructions must be followed when assessing the student in this unit. The checklist on
the following page is to be completed for each student. Please refer to separate mapping
document for specific details relating to alignment of this task to the unit requirements.
This competency is to be assessed using standard and authorised work practices, safety
requirements and environmental constraints.
Assessment of essential underpinning knowledge will usually be conducted in an off-site
context.
Assessment is to comply with relevant regulatory or Australian standards' requirements.
Resource implications for assessment include:
• an induction procedure and requirement
• realistic tasks or simulated tasks covering the mandatory task requirements
• relevant specifications and work instructions
• tools and equipment appropriate to applying safe work practices
• support materials appropriate to activity
• workplace instructions relating to safe work practices and addressing hazards and
emergencies
• material safety data sheets
• research resources, including industry related systems information.
Reasonable adjustments for people with disabilities must be made to assessment processes
where required. This could include access to modified equipment and other physical resources,
and the provision of appropriate assessment support.
What happens if your result is ‘Not Yet Competent’ for one or more assessment tasks?
The assessment process is designed to answer the question “has the participant satisfactorily
demonstrated competence yet?” If the answer is “Not yet”, then we work with you to see how we
can get there.
In the case that one or more of your assessments has been marked ‘NYC’, your Trainer will
provide you with the necessary feedback and guidance, in order for you to resubmit/redo your
assessment task(s).
What if you disagree on the assessment outcome?
You can appeal against a decision made in regards to an assessment of your competency. An
appeal should only be made if you have been assessed as ‘Not Yet Competent’ against specific
competency standards and you feel you have sufficient grounds to believe that you are entitled to
be assessed as competent.
195 | P a g e
You must be able to adequately demonstrate that you have the skills and experience to be able to
meet the requirements of the unit you are appealing against the assessment of.
You can request a form to make an appeal and submit it to your Trainer, the Course Coordinator,
or an Administration Officer. The RTO will examine the appeal and you will be advised of the
outcome within 14 days. Any additional information you wish to provide may be attached to the
form.
What if I believe I am already competent before training?
If you believe you already have the knowledge and skills to be able to demonstrate competence in
this unit, speak with your Trainer, as you may be able to apply for Recognition of Prior Learning
(RPL).
Credit Transfer
Credit transfer is recognition for study you have already completed. To receive Credit Transfer,
you must be enrolled in the relevant program. Credit Transfer can be granted if you provide the
RTO with certified copies of your qualifications, a Statement of Attainment or a Statement of
Results along with Credit Transfer Application Form. (For further information please visit Credit
Transfer Policy)
196 | P a g e
Task 1 – Risk Management Plan
Assuming that your organization has been awarded contracts to undertake the following projects:
Project 1 - Website redevelopment and hosting and maintenance services for Destination:
Australia
This project is for the technical upgrade of the Archives’ website Destination: Australia. In order
to ensure the best value for money and optimal functionality (for the website and related
exhibition interactive) going forward, it is necessary for the website to be transferred from a
proprietary CMS to a commonly available CMS (including, but not limited to, an Open Source
CMS).
The website will enable the National Archives of Australia to collect user contributed data about
the photographic collection featured on the site. The interface must be modern, engaging and
user-friendly, designed to meet the needs of people of all ages, and differing levels of
computer and English literacy. The website must interact successfully with an exhibition
interactive via an existing API. There is an option for hosting, maintenance and support services
to be provided from contract execution until 31 December 2019.
Project 2 – Re-development of Intranet
A redevelopment of the Clean Energy Regulator staff Intranet into SharePoint 2013
Project 3 - Database for community engagement - Software As A Service Customer

Relationship Management system (SAAS CRM)
The National Radioactive Waste Management Facility project is currently in Phase 2, best
described as the technical assessment and continued community consultation phase. One site
has been chosen to progress to this stage while other as yet unknown sites may also progress
to this stage. The project team requires a database (Software As A Service Customer
Relationship Management system (SAAS CRM) to effectively and confidentially manage large
volumes of data, including names, addresses, opinions of community members and contact
details. This will assist in ongoing community engagement.
The system must be fully operational (tried and tested) within two weeks of the commencement
of the proposed contract. The project, and related community engagement, will be ongoing for
years. Access to maintenance and advice will be desirable.
Your task is to create a comprehensive Program Risk Management Plan that covers the following:
• Program Overview - This section defines the program vision, its business value, and
projected outcome. It may include a summary of the program scope, dependencies and
197 | P a g e
constraints. This introductory portion may also include success criteria for measuring
program outcomes.
• Schedule Management - A roadmap or work breakdown structure may be included in this
section along with a description of how scheduling will be managed, updated, and
monitored. Roles and responsibilities related to scheduling should be made clear.
• Change Management - Provide a clear process for handling program changes, including
who can submit change requests, how and where those requests will be tracked, and who
can approve changes.
• Communications Management - A detailed communications plan can help prevent project
issues and ensure that information is distributed appropriately. Use this section to define
the frequency and type of communication to be provided, who will be providing and
receiving the communications, and other guidelines or expectations.
• Cost Management - This section may include detailed information on program budget
and expenditures as well as the parties responsible for managing costs, who can approve
changes to the program budget, how project budgets will be measured and monitored,
and guidelines for reporting. Funding and funding issues.
• Procurement Management - Describe responsibilities related to procurement throughout
a program lifecycle. Identify who is responsible for vendor relationships, dealing with
contracts, purchasing, and other activities.
• Project Scope Management - Will the project scope be defined in a scope statement,
WBS, or another method? How will the scope be measured? Who is responsible for
managing and approving the program scope? Address these questions as well as any
guidelines related to the scope change process that were not identified in the change
management section.
• Risk Management - Describe how risks will be reported, monitored, and assessed,
including how they can be submitted and who is responsible for dealing with them.
• Staffing Management - This section lists program requirements for staffing, including
specific resources and the timeframes in which they are needed, plus training. It describes
how staff will be managed for the duration of the program.
• Stakeholder Management - Use this section to identify stakeholders and strategies for
managing them, including who is responsible for collecting and reporting stakeholder
information.
• Program Governance - Describe any governing groups, what authority they have, and
their responsibilities within the program. You can include information on how often they
will meet, how escalated decisions should be presented to and handled by the governing
groups, how their decisions will be communicated, and when program reviews will occur.
As a basis the following template should be used and adapted as required. As you develop the
plan, include reference to AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines and
outline how the proposed risk management system meets the requirements of the standard.
Insert this information into the plan where relevant.
Once you have developed the Program Risk Management Plan create a report that will outline a
leadership strategy to ensure that the plan is correctly implemented. The strategy and report must
outline how you will:
198 | P a g e
• manage the program in accordance with plans
• review progress, analyse variance and initiate risk responses
• ensure risks are assigned and monitored across the program at agreed intervals
• assess issues for impact and remedial actions authorised
199 | P a g e
<Program Title>
Risk Management Plan
Version 0.A, dd-mm-yyyy
Copy: Uncontrolled
The version number starts at one and increases by one for each release. It shows the release number and a
revision letter if in draft. The original draft is 0.A and subsequent drafts are 0.B, 0.C etc. The first accepted
and issued document is Version 1.0. Subsequent changes in draft form are 1.0A, 1.0B etc. The accepted and
issued second version is 1.1 or 2.0, depending on the magnitude of the change.
Refer to the Program Management Fact Sheet: Document Control for more information.
200 | P a g e
DOCUMENT ACCEPTANCE and RELEASE NOTICE
This is <release/version> <n.n> of the <Program Title> Risk Management Plan.
The Risk Management Plan is a managed document. For identification of amendments each page
contains a release number and a page number. Changes will only be issued as complete
replacement. Recipients should remove superseded versions from circulation. This document is
authorised for release once all signatures have been obtained.
PREPARED: ______________________________________________________________ DATE: ___/___/___

(for acceptance) (<name>, <Program Title>, Program Manager)
ACCEPTED: ______________________________________________________________ DATE: ___/___/___

(for release) (Program Sponsor, <name>)
on behalf of the <Program Title> Steering Committee
201 | P a g e
1. BUILD STATUS:
The most recent amendment first.
Version Date Author Reason Sections
<n.n> <dd mmm yyyy> <Name> <e.g. Initial Release> <All>
2. AMENDMENTS IN THIS RELEASE:
Section Title Section Amendment Summary

Number
<e.g. This is the first release of this document.>
3. DISTRIBUTION:
Copy No Version Issue Date Issued To
1 <n.n> <dd mmm yyyy> <Name, Title, Organisation>
Electronic
202 | P a g e
Executive Summary
The purpose of this document is to provide a management framework to ensure that levels of risk
and uncertainty are properly managed for the remainder of the program. As risk management is an
ongoing process over the life of a program, the Risk Register must be considered a ‘snap shot’ of
relevant risks at one point in time.
This document will achieve this by defining the following:
• the process that will be/has been adopted by the Program to identify, analyse and evaluate
risks during the remainder of the program;
• how risk mitigation strategies will be developed and deployed to reduce the likelihood and/or
impact of risks;
• how often risks will be reviewed, the process for review and who will be involved;
• roles and responsibilities for risk management;
• how reporting on risk status, and changes to risk status, will be undertaken within the Program
and to the Steering Committee;
• a complete Risk Register containing all risks identified for the Program, their current gradings
and the identified risk mitigation strategies to reduce the likelihood and seriousness of each risk.
Introduction
The purpose of risk management is to ensure levels of risk and uncertainty are identified and then
properly managed in a structured way, so any potential threat to the delivery of outputs (level of
resourcing, time, cost and quality) and the realisation of outcomes/benefits by the Business
Owner(s) is appropriately managed to ensure the program is completed successfully.
The objectives of the risk management approach in the <Program Title> Program are to identify,
assess and mitigate risks where possible and to continually monitor risks throughout the
remainder of the program as other risks or threats emerge or a risk’s impact or likelihood
changes.
As risk management is an ongoing process over the life of a program, this Risk Management Plan
and Risk Register must be considered a ‘snap shot’ of relevant risks at one point in time.
Where required, the process of risk identification, assessment and the development of
countermeasures will involve consultation with the Steering Committee members, the <Program
Title> Reference Group, other relevant stakeholders and Program team members.
Risk Assessment
Identification
Risk identification involves determining which risks or threats are likely to affect the program. It
involves the identification of risks or threats that may lead to program outputs being delayed or
reduced, outlays being advanced or increased and/or output quality (fitness for purpose) being
reduced or compromised.
203 | P a g e
For most large/complex programs, a number of high level risks should have been identified during
the program initiation stage – these should be used as the basis for a more thorough analysis of the
risks facing the program.
One of the most difficult things is ensuring that all major risks are identified. A useful way of
identifying relevant risks is defining causal categories under which risks might be identified. For
example, corporate risks, business risks, program risks and infrastructure risks. These can be broken
down even further into categories such as environmental, economic, political, human, etc. Another
way is to categorise in terms of risks external to the program and those that are internal.
See the Program Management Risk Identification Tool for some useful prompts in identifying
program risks. The Australian Standard for Risk Management AS/NZS 4360: 2004 Appendix D
refers to generic sources of risk.
The wording or articulation of each risk should follow a simple two-step approach:
1. Consider what might be a ‘trigger’ event or threat (eg. ‘poor quality materials causes costs to
rise’) – several triggers may reveal the same inherent risk; then
2. Identify the risk - use a ‘newspaper headline’ style statement – short, sharp and snappy (eg.
‘budget blow out’) then describe the nature of the risk and the impact on the program if the risk
is not mitigated or managed (eg. program delayed or abandoned, expenditure to date wasted,
outcomes not realised, government embarrassed etc).
Use the Risk Register (see Appendix A) to document the results.
For large or complex programs it can be beneficial to use an outside facilitator to conduct a number
of meetings or brainstorming sessions involving (as a minimum) the Program Manager, Program
Team members, Steering Committee members and external key stakeholders. Preparation may
include an environmental scan, seeking views of key stakeholders etc.
For a small program, the Program Manager may develop the Risk Register perhaps with input from
the Program Sponsor/Senior Manager and colleagues, or a small group of key stakeholders.
It is very easy to identify a range of risks that are outside the program and are actually risks to the
business area during output delivery, transition or once operational mode has been established.
These are not program risks and should not be included in the Program Risk Register, but referred
to the relevant Business Owner. It may be appropriate to submit an Issues Paper to the Steering
Committee recommending formal acceptance by the relevant Business Owner for ongoing
monitoring and management of specific risks.
See the Program Management Fact Sheet: Developing a Risk Management Plan and the Risk
Identification Tool for more information on how to undertake risk identification.
In this section specify:
204 | P a g e
• what risk identification process has been undertaken (ie. brainstorm, facilitated session, scan by
Program Manager etc);
• any categories used to assist in the identification or relevant risks;
• when the risk identification process occurred; and
• who was involved.
Analysis and Evaluation

Once risks have been identified they must be analysed by determining how they might affect the
success of the program. Generally the impact of a risk will realise one or any combination of the
following consequences:
• Program outcomes (benefits) are delayed or reduced;

• Program output quality is reduced;
• Timeframes are extended;
• Costs are increased.
Once analysed, risks should be evaluated to determine the likelihood of a risk or threat being
realised and the seriousness, or impact, should the risk occur.
'Likelihood' is a qualitative measure of probability to express the strength of our belief that the threat
will emerge (generally ranked as Low (L), Medium (M) or High (H)).
'Seriousness' is a qualitative measure of negative impact to convey the overall loss of value from a
program if the threat emerges, based on the extent of the damage (generally ranked as Low (L),
Medium (M), High (H) or Extreme).
From this risks will be graded as A, B, C, D or N according to the following matrix:
Seriousness
Low Medium High EXTREME

Likelihood
Low N D C A
Medium D C B A
High C B A A
The ratings for likelihood and seriousness determine a current grading for each risk that in turn
provides a measure of the program risk exposure at the time of the evaluation.
• How the identified risks could potentially impact on the program in terms of the four categories
of consequence (eg. x have potential to delay or reduce program outcomes/reduce output
quality etc);
• Summarise the distribution of risks according to the grading (number of ‘A’ Grade risks, ‘B’
Grade risks etc)
• List any ‘A’ Grade risks.
205 | P a g e
Risk Mitigation
Mitigation of risks involves the identification of actions to reduce the likelihood that a threat will
occur (preventative action) and/or reduce the impact of a threat that does occur (contingency
action). This strategy also involves identifying the stage of the program when the action should be
undertaken, either prior to the start of or during the program.
Risk mitigation strategies to reduce the chance that a risk will be realised and/or reduce the
seriousness of a risk if it is realised have been developed. The following table is useful to determine
how risks will be treated in terms of preparation and/or deployment of mitigation strategies during
the life of the Program. Mitigation strategies are usually only prepared and/or deployed for Grades
A through to C, however where an existing risk graded at D appears likely to be upgraded,
mitigation strategies should be prepared.
Grade Possible Action
Mitigation actions, to reduce the likelihood and seriousness, to be identified and

A
implemented as soon as the program commences as a priority.
B
appropriate actions implemented during program execution.
C
costed for possible action if funds permit.
D To be noted; no action is needed unless grading increases over time.
N To be noted; no action is needed unless grading increases over time.
• The proportion of risk mitigation actions that are preventative (eg. 30%);
• The proportion of risk mitigation actions that are contingency (eg. 70%);
• Key stakeholders nominated as responsible for undertaking specific risk mitigation actions;
• Any major budgetary implications
For any identified ‘A’ Grade risks specify:
• What type of mitigation action is proposed (preventative or contingency);

• Who is responsible for undertaking the proposed action; and
• Any cost implications for the program Budget.
206 | P a g e
Risk Monitoring
Risk Management is an iterative process that should be built into the management processes for
any program. It must be closely linked with Issues Management, as untreated issues may become
significant risks. If prevention strategies are being effective, some of the Grade A and B Risks should
be able to be downgraded fairly soon into the program.
In this section specify
• How frequently a review of the Risk and Issues Registers will be undertaken (eg. fortnightly,
monthly);
• Who will be involved in the review of the Risk and Issues Registers (eg. the Program team);
• How often risks will be monitored to ensure that appropriate action is taken should the
likelihood, or impact, of identified risks change and to ensure that any emerging risks are
appropriately dealt with (eg. monthly);
• If the Risk Register will be maintained as a separate document or as part of the Risk
Management Plan;
• How often the Steering Committee or Program Sponsor/Senior Manager will be provided with
an updated Risk Register for consideration; and
• How often Risk status will be reported in the Program Status Reports to the Steering
Committee/Program Sponsor/Senior Manager (usually only Grade A and B risks).
Roles and Responsibilities
Steering Committee
Ultimate responsibility for ensuring appropriate risk management processes are applied rests with
the Program Sponsor and Program Steering Committee, and they should be involved in the initial
risk identification and analysis process. The Risk Management Plan and the Risk Register should
provide the Program Sponsor and Program Steering Committee with clear statements of the
program risks and the proposed risk management strategies to enable ongoing management and
regular review.
The Steering Committee will review the Grade A and B program risks on a <specify frequency, eg.
monthly> basis via updated information provided in the Program Status Reports and provide
advice and direction to the Program Manager. The Steering Committee will also be provided with
an updated Risk Register for consideration, as required, when additional threats emerge or the
likelihood or potential impact of a previously identified risk changes.
Program Manager
The Program Manager will be responsible for:
207 | P a g e
• Development and implementation of a Program Risk Management Plan;
• Organisation of regular risk management sessions so that risks can be reviewed and new risks
identified;
• Assessment of identified risks and developing strategies to manage those risks for each phase
of the program, as they are identified;
• Ensure that risks given an A grading are closely monitored; and
• Providing regular Status Reports to the Steering Committee noting any ‘A’ Grade risks and
specifying any changes to the risks identified during each phase of the program and the
strategies adopted to manage them.
In large or complex programs, the Program Manager may choose to assign risk management
activities to a separate Risk Manager, but they should still retain responsibility. It should be noted
that large programs are a risk in themselves, and the need for the Program Manager to reassign
this integral aspect of program management may be an indication that the program should be re-
scoped, or divided into several sub-programs overseen by a Program Director.
Program Team
All members of the Program Team will be responsible for assisting the Program Manager in the
risk management process. This includes the identification, analysis and evaluation of risks and
continual monitoring through out the program life cycle.
208 | P a g e
APPENDIX A: <PROGRAM TITLE> RISK REGISTER (AS AT
DD/MM/YY)
Rating for Likelihood and Seriousness for each risk
L Rated as Low E Rated as Extreme (Used for Seriousness only)
M Rated as Medium NA Not Assessed
H Rated as High
Grade: Combined effect of Likelihood/Seriousness
Seriousness
low medium high EXTREME
low N D C A
Likelihood
medium D C B A
high C B A A
Recommended actions for grades of risk
Grade Risk mitigation actions
A Mitigation actions, to reduce the likelihood and seriousness, to be identified and implemented as
soon as the program commences as a priority.
B Mitigation actions, to reduce the likelihood and seriousness, to be identified and appropriate
actions implemented during program execution.
C Mitigation actions, to reduce the likelihood and seriousness, to be identified and costed for
possible action if funds permit.
D To be noted - no action is needed unless grading increases over time.
N To be noted - no action is needed unless grading increases over time.
Change to Grade since last assessment
NEW New risk  Grading decreased
— No change to Grade  Grading increased
209 | P a g e
Id Descripti Impact on L S G Change Date Mitigation Individual Cos Timeline WBS
on of Program 31 32 33
of Actions / t for 34
Risk (Identification Revie (Preventative or Group mitigati

of w Contingency) responsib on
consequence le for action(s)
s30) mitigatio
n
action(s)
<n <A <Describe the <Chan <Date <Specify planned <Specify <Specify
> “newspap nature of the ge in of last mitigation who is timefra
er risk and the Grade review strategies: responsibl me for
headline” impact on the since > • Preventati e for mitigati
style program if last ve undertaki on
statemen the risk is not review (impleme ng each action(s)
t. Also mitigated or > nt mitigatio to be
identify managed> immediat n complet
relevant ely); action(s)> ed by>
triggers
• Continge
that may
ncy
cause the
(impleme
risk to be
nt if/when
realised.>
risk
occurs).>
<n
+
1>
30 This can be useful in identifying appropriate mitigation actions.

31 Assessment of Likelihood.
32 Assessment of Seriousness.
33 Grade (combined effect of Likelihood/Seriousness).
34 Work Breakdown Structure – specify if the mitigation action has been included in the WBS or workplan.
210 | P a g e
Observation Checklist
Observation Criteria S NS
Identified potential, actual and residual risks
Selected and modified program risk methodology to match the
context for risk
Consulted with relevant stakeholders and identify, document and
analyse program level risks
Supported and mentored project managers in the analysis, evaluation
and treatment of risks
Confirmed risk management is transparent and dynamic across the
program so that risks are assigned and managed in a timely manner
Developed and maintained a program risk-management system for
effective management and communication of risks, controls,
treatments and outcomes to stakeholders across the program
Directed management of the program in accordance with agreed
program risk-management plans
Reviewed progress, analyse variance and initiate risk responses to
achieve program objectives in dynamic risk environments
Confirmed risks are monitored and assessed across the program at
agreed intervals
Directed response to actuated program risk and confirm remedial
actions are authorised with impact analysis according to program
objectives
Outcome
❑ Satisfactory ❑ Unsatisfactory
Comments:
Date ______________________
Signed _____________________________ (Assessor)
Signed ______________________________(Student)
211 | P a g e
Task 2 – Risk Management Strategy Review
This assessment task requires you to populate a risk register for the program as outlined in Task 1.
Using the information from the register:
1. Determine program residual risk.
2. Develop a management strategy for each residual risk identified.
3. review and analyse program risk outcomes from the available information
4. Summarise the lessons learnt in such a way that they may be applied to future programs.
Compile a management report to outline each of the above points.
Note: Use the risk register template attached as a basis for this assessment task and add a
minimum of 10 risks. The risks may be identified through stakeholder engagement and this
engagement may be role played.
212 | P a g e
<Program Title>
Risk Register as at <Date>
File No.: <n>
213 | P a g e
REPORT FOR: (Optional) eg <Program Name> Steering Committee
PROGRAM MANAGER: <Name>
PROGRAM OBJECTIVE: As stated in the Program Business Plan.

Rating for Likelihood and Seriousness for each risk
L Rated as Low E Rated as Extreme (Used for Seriousness only)
M Rated as Medium NA Not Assessed
H Rated as High
Grade: Combined effect of Likelihood/Seriousness
Seriousness
low medium high EXTREME
low N D C A
Likelihood
medium D C B A
high C B A A
Recommended actions for grades of risk

Grade Risk mitigation actions
A Mitigation actions, to reduce the likelihood and seriousness, to be identified and implemented as
soon as the program commences as a priority.
B Mitigation actions, to reduce the likelihood and seriousness, to be identified and appropriate
actions implemented during program execution.
C Mitigation actions, to reduce the likelihood and seriousness, to be identified and costed for
possible action if funds permit.
D To be noted - no action is needed unless grading increases over time.
N To be noted - no action is needed unless grading increases over time.
Change to Grade since last assessment

NEW New risk  Grading decreased
— No change to Grade  Grading increased
214 | P a g e
Id Description Impact on Chang Date Mitigation Responsib Co Timeli Work
of Risk Program e of Actions ility for st ne for Breakd
(including (Identify Revie (Preventativ mitigation mitiga own
any identified consequen w e or action(s) tion Structur
‘triggers’) ces 35) Contingency action e
Grade (combined Likelihood and

) (s)
Assessment of
Assessment of
Seriousness)
Seriousness
Likelihood
<n <A “newspaper <Describe <Chan <Date <Specify <Specify <Specif This is to
> headline” style the nature of ge in of last planned who is y indicate
statement. the risk and Grade review mitigation responsible timefra that the
Also identify the impact since > strategies: for me for identified
relevant on the last • Preventativ undertakin mitigati mitigatio
triggers that program if review e g each on n action
may cause the the risk is > (implement mitigation action( has been
risk to be not immediatel action(s)> s) to be included
realised.> mitigated or y) comple in the
managed> • Contingenc ted WBS
y by> (workpla
(implement n).
if/when risk
occurs).>
1 Steering Lack of H H A NEW 15/02/0 Preventative: Program NA 15/03/ Y

Committee availability 6 • Highlight Manager 06
unavailable. will stall strategic
Identified progress (ie. connection
triggers: delayed - link
• Steering decisions will Program
Committ defer output Objective to
ee finalisation, relevant
meeting extend Agency
s program strategic
repeated timelines objectives
ly and staff • Confirm
reschedu resources 2006
led due will be meeting
to lack required for schedule in
of longer than January
availabili anticipated) • Confirm SC
ty; membershi
• Member p
s do not • Widen
attend representati
despite on (include
prior other
confirma Agencies)
tion of
attenda
nce.
35 In larger programs, the consequences of the threat may not be evident, and noting them under each risk or
in a separate column can be useful in identifying appropriate mitigation actions.
215 | P a g e

) (s)
Assessment of
Assessment of
Seriousness)
Seriousness
Likelihood
2 Inadequate Budget blow M M B No 15/02/0 Contingency: Program TB TBC N

funding to out means change 6 Re-scope Manager C
complete the cost savings program,
program must be focusing on
Identified identified – time and
triggers: ie. reduced resourcing
• Funding is output
redirected; quality,
• Costs timeframes
increase are
(poor quality extended,
materials/ outcomes
inaccurate (benefits) will
cost be delayed
estimates) and/or
reduced.
216 | P a g e
3 Staff reject Rejection H H A NEW 15/02 Preventativ
new means /06 e: Sponsor N 21/02 Y
procedures additional High level A /06
Triggers time and reinforcem
include resources ent of Program Y
• Staff don’t required policy Manager N 21/02
participate to achieve changes; A /06
in training successful Provide
(not implemen opportunity Consulta N
prepared tation - ie. for staff nt
for new outputs feedback $3 30/03
roles); languish; prior to ,0 /06
• New more policy/proc 00 N
procedure training is edure Program
s not required finalisation; Manager
applied (additiona Develop 30/03
(work- l cost, Training N /06
arounds time Plan that A N
still used). delays); allows for Program
potential repeat Manager
for ‘falling attendance
back into (perhaps 2 30/04
old ways’ stage N /06
(more training?); A
change Identify
mgt staff
required); ‘champions
loss of ’ to
credibility promote
for adoption of
program new
(perceptio procedures
n of (buddy
failure). system);
Circulate
informatio
n to staff
that
• promotes
how new
procedur
es have
improved
processes
(eg. 10
steps
reduced
to 4
steps
etc);
• proportio
n of staff
217 | P a g e

) (s)
Assessment of
Assessment of
Seriousness)
Seriousness
Likelihood
that
have
successfu
lly
complete
d the
training.
• Identifies
local
‘buddies’
for
troublesh
ooting.
218 | P a g e
Observation Checklist
Observation Criteria S NS
Identified and documented program residual risk to alert stakeholders
of any transferred liability at program completion
Created and completed risk register
Reviewed and analysed program outcomes to assess the effectiveness
of the risk-management methodology
Analysed, documented and recommended lessons learned for
application in other programs
Explained the use of a dynamic risk register across a program
Explained the use of risk management tools, frameworks, systems,
methodologies and standards
Completed management report
Outcome
❑ Satisfactory ❑ Unsatisfactory
Comments:
Date ______________________
Signed _____________________________ (Assessor)
Signed ______________________________(Student)
219 | P a g e
Assessment Outcome Record
In order to be deemed competent in this unit, the candidate must answer all written questions
correctly and satisfactorily complete all practical tasks. In order to complete all practical tasks, all
Observation Criteria need to be satisfied, i.e. demonstrated and marked as an 'S'. The task
summary outcome must be noted as satisfactory to note the demonstration of a satisfactory
outcome for each practical task requirement.
Student Name
 Not Yet Competent  Competent
Comments
Assessor (Name)
Assessor Signature
Date
220 | P a g e
Student Feedback Form
Unit BSBPMG632 Manage program risk
Student Name: Date
Assessor Name:
Please provide us some feedback on your assessment process. Information provided on this
form is used for evaluation of our assessment systems and processes.
This information is confidential and is not released to any external parties without your written
consent. There is no need to sign your name as your feedback is confidential.
Strongly Strongly
Agree
Disagree Agree
I received information about the assessment

1 2 3 4 5
requirements prior to undertaking the tasks
The assessment instructions were clear and easy to

1 3 4 5
understand 2
I understood the purpose of the assessment 1 2 3 4 5
The assessment meet your expectation 1 2 3 4 5

My Assessor was organised and well prepared 1 2 3 4 5
The assessment was Fair, Valid, Flexible and Reliable 1 2 3 4 5
My Assessor's conduct was professional 1 2 3 4 5
The assessment was an accurate reflection of the unit

1 2 3 4 5
requirements
I was comfortable with the outcome of the
1 2 3 4 5
assessment
I received feedback about assessments I completed 1 2 3 4 5
Too Great Too

The pace of this unit was:
Slow Pace Fast
Comments:
Please return this completed form to Reception once you have completed this unit of
competency.
221 | P a g e

BSBPMG632 Manage Program Risk

Uploaded by

Copyright:

Available Formats

BSBPMG632 Manage Program Risk

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BSBPMG632 Manage Program Risk

Uploaded by

Copyright:

Available Formats

Business, Accounting and Finance

BSBPMG632 Manage program risk

Learner Materials and Assessment Tasks

About BSBPMG632 Manage program risk ......................................................................................................... 4

Business Competence – Project Management

Elements and Performance Criteria

1.3 Consult with relevant stakeholders and identify, document and

1.3 Support and mentor project managers in the analysis, evaluation

1.4 Confirm risk management is transparent and dynamic across the

1.5 Develop and maintain a program risk-management system for

2.2 Review progress, analyse variance and initiate risk responses to

2.4 Direct response to actuated program risk and confirm remedial

3.2 Review and analyse program outcomes to assess the

3.3 Seek feedback and respond to relevant stakeholders on risk

3.4 Analyse, document and recommend lessons learned for

Writing • Documents results of consultations clearly and accurately to inform

Oral • Participates in verbal exchanges using clear and detailed language

Teamwork • Identifies requirements of important communication exchanges,

Unit Mapping Information

Supersedes and is equivalent to BSBPMG616 Manage program risk.

• manage program risk on at least one occasion.

In the course of above, the candidate must:

• direct the planning of program risk management, including:

• assessing and selecting risk methods to suit risk context

• manage program risk, including:

• managing the program

• assess project and program risk-management outcomes, including:

• identifying and documenting residual risk

When to Identify Risks

Want to know how to improve your risk identification? Identify risks:

• Early in the program

Ways to Identify Program Risks

Write Clear Risk Statements

What Is Risk Analysis?

What Is Risk Identification?

What Is Risk Management?

Benefits of Risk Analysis

• Avoid potential litigation

• There’s no lack of information on risk

How to Evaluate Project Risk

Qualitative Risk Analysis

Quantitative Risk Analysis

• Activity resource estimates

Take note of these risk identification mistakes:

1. The failure to recognize risks early when it is less expensive to address.

Which types of risks exist?3

What is residual risk?4

• Identification of relevant governance, risk, and compliance requirements.

What is the difference between secondary and residual risks?

Example of a situation that contains both risks

Figure 3.12: Risk management process

In addition, P3 risk management must contribute, as appropriate, to both business risk

• project risk escalation and aggregation;

1. Interdependencies are often associated with deliverables. Interdependencies should be

Include the Resource dependencies

Adopt a Program view of Issues, Risk and Change

Remember the Risk and Contingency budgets

Options for contingency may include one or more of:

• Holding contingency outside Program Manager’s control (usually controlled by the

What is the project risk management process?7