A.24 Risk management strategy
A risk management strategy describes the specific risk management techniques and standards to be applied and the responsibilities for achieving an effective risk management procedure.
- Introduction: States the purpose, objectives and scope, and identifies who is responsible for the strategy
- Risk management procedure: A description of (or reference to) the risk management procedure to be used. Any variance from corporate or programme management standards should be highlighted, together with a justification for the variance. The procedure should cover activities such as:
- Tools and techniques: Refers to any risk management systems or tools to be used, and any preference for techniques which may be used for each step in the risk management procedure
- Records: Definition of the composition and format of the risk register and any other risk records to be used by the project
- Reporting: Describes any risk management reports that are to be produced, including their purpose, timing and recipients
- Timing of risk management activities: States when formal risk management activities are to be undertaken – for example, at end stage assessments
- Roles and responsibilities: Defines the roles and responsibilities for risk management activities
- Scales: Defines the scales for estimating probability and impact for the project to ensure that the scales for cost and time (for instance) are relevant to the cost and timeframe of the project. These may be shown in the form of probability impact grids giving the criteria for each level within the scale, e.g. for ‘very high’, ‘high’, ‘medium’, ‘low’ and ‘very low’
- Proximity: Guidance on how proximity for risk events is to be assessed. Proximity reflects the fact that risks will occur at particular times and the severity of their impact will vary according to when they occur. Typical proximity categories will be: imminent, within the stage, within the project, beyond the project
- Risk categories: Definition of the risk categories to be used (if at all). These may be derived from a risk breakdown structure or prompt list. If no risks have been recorded against a category, this may suggest that the risk identification has not been as thorough as it should have been
- Risk response categories: Definition of the risk response categories to be used, which themselves depend on whether a risk is a perceived threat or an opportunity
- Early-warning indicators: Definition of any indicators to be used to track critical aspects of the project so that if certain predefined levels are reached, corrective action will be triggered. They will be selected for their relevance to the project objectives
- Risk tolerance: Defining the threshold levels of risk exposure, which, when exceeded, require the risk to be escalated to the next level of management. (For example, a project-level risk tolerance could be set as any risk that, should it occur, would result in loss of trading. Such risks would need to be escalated to corporate or programme management.) The risk tolerance should define the risk expectations of corporate or programme management and the project board
- Risk budget: Describing whether a risk budget is to be established and, if so, how it will be used.