Do you use risk governance in your organization? If your organization is implementing new services or launching new products, you’ll be introducing risk to your business. Projects create risk – it’s not necessarily a bad thing, but it should be adequately managed.
Generally, project teams are at the forefront of identifying, mitigating and managing risk. Their horizon scanning spots the risks and then as part of the project they work out how best to address them, with support from the project sponsorship and executive management. Project managers and their teams will be familiar with the idea of a risk log and regular meetings to discuss progress on risk management activities.
However, sometimes risks to the organization can be so significant that it is worth convening a separate governing body to oversee the management activities relating to risk. This is risk governance.
In this article we’ll look at 3 reasons why you should consider a risk governance structure that includes a specific group looking at risk.
1. You Have Multiple and Complex Project Dependencies
Projects often overlap and relate to each other. Sometimes in complex business processes, multiple projects could be working on the same process at the same time. When the interdependencies weave between multiple projects, it’s a reason to make sure your risk governance approach is up to the job.
The rationale for this is that many project teams lack experience in this kind of situation. According to Todd C. Williams in his book, Filling Execution Gaps, project delivery professionals don’t always have the background required to develop effective mitigation strategies.
In his book, Williams suggests that organizations should convene a specific group of specialists who have the job of monitoring and controlling the risk exposure from the portfolio. Their role includes looking at probabilities and mitigating actions to minimize the impact and exposure on the business.
Whether this group is a standalone executive sub-committee, a fundamental part of your PMO governance model, or something else, will depend on your organization’s approach to risk management. A dedicated committee of people with the specialist knowledge to be able to respond to volatile risks in a complex environment will be able to bolster the risk management activities of individual project teams.
2. You Have a Lot of Projects That Are High Risk
So you have one or two projects you’d consider as high risk? Great. There’s probably limited value in putting together a dedicated group to manage the governance of risk across such a small exposure, even if within each individual project the potential for risk is high.
In a business with a risk culture that results in lots of high risk projects, there’s more value in ensuring that together, the exposure to the business does not exceed what executives are prepared to tolerate. If a large portion of your portfolio is high risk projects, then that’s another reason to consider a separate governance strand for risk.
The added benefit here is that a group of specialists can start to build relationships across projects. They can apply their knowledge to multiple situations at a time, drawing links between projects, identifying commonalities between risks and addressing them holistically. For example, if your risk governance group includes legal experts, they can apply their understanding of the regulations across multiple projects – there are economies of scale in using the same resources to do this kind of analysis.
3. You Have Significant Assets Invested in a Small Number of Projects
There’s definitely value in taking control of your risks when you have a large portion of your organization’s assets tied up in a small number of projects. Trouble with just one or two of those projects could create major difficulties for your business.
This was evident recently with UK-based construction giant Carillion going into liquidation. Reports from the BBC and other sources show that difficulties with three public sector contracts contributed to pushing the organization into financial collapse, impacting thousands of workers and other businesses.
If your business focuses on large-scale, high risk projects like construction for utilities or scientific research, then the oversight that comes with a strong focus on risk could mean the difference between knowing what’s coming for your teams and staying in the dark. You would need to decide how much of your business’ assets would need to be assigned to one project before this governance model applied and your risk group was created.
Once those rules are in place, you can convene a risk governance group as appropriate. You can also link them in with the corporate governance framework for risk, providing an interface between the project and the wider risk appetite and culture in the business.
Reviewing Risk Governance
A group focused on risk governance has its uses, but as projects have a defined end date, there will come a time when the high risk initiatives have passed – or perhaps have been replaced by other projects. As and when this happens, the governance framework supporting risk should flex as well. You may need to add in subject matter experts and let other specialists step down. Or the group may be disbanded when the program that brought it into creation comes to an end.
Organizations should take an active approach to identifying the criteria for when risk governance needs to be moved out of project teams and into the realms of a cross-functional specialist group. Knowing those criteria makes it easy to understand which projects need that kind of support, and how your business will benefit from having that framework in place.
Equally, you should consider the life cycle of this part of your risk governance. What criteria need to be in place before risk governance on a project is downscaled or the governance body disbanded? Documenting these criteria in a Terms of Reference document or equivalent will make it easier to set up and close down specialist groups as required.
However you approach it, risk governance in complex organizations is something to be embraced and actively managed.
Recommended reading: Filling Execution Gaps, Todd C. Williams, de Gruyter, 2017.