Management of Risk

What is it?

Before we go into the specifics of M_o_R, there are some general points about the subject of risk management, which should help put everything into context...

Why management of risk is important

A certain amount of risk taking is inevitable if your organisation is to achieve its objectives. Effective management of risk helps you to improve performance by contributing to:

• Increased certainty and fewer surprises
• Better service delivery
• More effective management of change
• More efficient use of resources
• Better management at all levels through improved decision making
• Reduced waste and fraud, and better value for money
• Innovation
• Management of contingent and maintenance activities.

Together these elements can be summed up in the statement that ‘adoption of well managed risk taking is likely to lead to sustainable improvements in service delivery’. Organisations need to have in place the skills, management structures and organisational structures to take advantage of potential opportunities to perform better and to reduce the possibility of failure.

Why help is needed to manage risk

A number of reports have been published recently concerning risk management. Each looks at specific aspects on risk management. Most notably the UK National Audit Office (NAO) study of risk management (Supporting Innovation: Managing Risk in Government Departments), the UK Cabinet Office’s report Successful IT: Modernising Government in Action, and HM Treasury’s Orange Book provide valuable messages.

The above demonstrates that there is a significant amount of guidance available on risk management. But, as stated in the Successful IT report, there is little evidence of sustained uptake. Part of the reason for this is seen as the potentially divergent advice (and language used) within the various reports which makes adoption difficult.

Management of risk is critical to organisational success. Informed risk-taking helps to improve performance through innovative approaches for managing the business, service delivery and value for money. Thus we need to improve the implementation of risk management practices.

Coverage of M_o_R

The key areas that have to be, and are addressed, in M_o_R are:

• The requirements of corporate governance – including more focused and open ways of managing risk
• The need for a ‘risk owner’ at senior level, for an activity (e.g. strategy, programme or project). He or she is supported by risk owners at everyday working levels as appropriate for the activity and risk exposure
• The need for improved reporting and upward referral of major problems opportunities and the potential resolution approaches
• The need for shared understanding of risk management at all levels in the organisation and with partners, combined with consistent treatment of risk
• Managing project risk in the wider context of programmes of change and the business.

Management of risk covers a wide range of topics, including business continuity management, security, programme/project risk management and operational service management. These topics need to be placed in the context of an organisational framework for the management of risk. Some risk-related topics, such as security, are highly specialised and the M_o_R guidance provides only an overview of such aspects.

The M_o_R approach complements the OGC’s guidance on programme and project management.

Essential elements of risk management

Risk includes the probability of both good and bad outcomes; the consideration of risk has to be set in the context of opportunity. The task of risk management is to limit the organisation’s exposure to an acceptable level of risk by taking action on the probability of the risk occurring, its impact or both. The principles of risk management can be directed both to limiting adverse outcomes and achieving desirable ones.

To be successful in managing risk

The key elements that need to be in place include:

• Nominated senior management individuals to support, own and lead on risk management
• Risk management policies, and the benefits of following them, clearly communicated to all staff
• Existence and adoption of a framework for management of risk that is transparent and repeatable
• Existence of an organisational culture that supports well thought-through risk taking and innovation
• Management of risk fully embedded in management processes and consistently applied
• Management of risk closely linked to achievement of objectives
• Risks associated with working with other organisations explicitly assessed and managed
• Risks actively monitored and regularly reviewed on a constructive ‘no-blame’ basis.

Joint working and partnerships often involve more complex types of risk that can adversely affect the delivery of business services. For example, if part of the service provided by one organisation is delayed or of poor quality, the success of the whole collaboration can be put at risk. You must make sure that your organisation knows about the risk management approaches of your partners. Sharing information about risk management means that risks in collaborative programmes can be identified and managed in a proactive way.

And finally…

Having read this brief introduction to risk management and M_o_R, the next thing to do is go on a training course and find out more!

Click here to see the full Course Outline.

PRINCE2® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.
The Swirl logo™ is a Trade Mark of the Office of Government Commerce.