Risk management framework

Purpose:

To define how management of risk will be handled within the associated context (which could be organisation-wide or specific to an activity such as a project). It covers the lifetime of the activity. It provides information on roles, responsibilities, processes and procedures, standards, tools, facilities and the documentation to be produced. It sets the context in which risks are managed, in terms of how they will be identified, analysed, controlled, monitored and reviewed. It must be consistent with, and comprehensively cover, the processes that are embedded in everyday management.

Fitness for purpose content:

  • Does the framework identify relevant standards, policies and legal requirements?
  • Does the framework identify (or validate) the context and perspective for the situation (e.g. strategic or operational; which stakeholders' views are of primary importance)?
  • Are the stated management of risk objectives, constraints and concerns agreed (or validated)?
  • Has the framework established how a successful outcome is to be judged?
  • Does the framework identify the tools and techniques to be adopted?
  • Does the framework identify the scale for evaluation of risk?

Suggested content:

It addresses how:

  • risks are identified
  • information about their probability and potential impact is obtained
  • they are quantified, taking into account expert advice and the degree of uncertainty
  • options to deal with them are identified, taking into account constraints, such as internal obligations
  • decisions on risk management are made. This includes the criteria used to decide when further risk reduction is necessary, taking into account costs and benefits
  • these decisions are implemented. This includes the principles guiding the choice of how to intervene (such as education, information, inspection) and on whom to target any intervention
  • actions are evaluated for their effectiveness
  • appropriate communication mechanisms are set up and supported
  • stakeholders are engaged throughout the process - especially suppliers and partners.

Source information:

  • Business Case
  • Programme/Project Plan
  • Project Brief
  • Project Initiation Document

Notes:
Where partners and/or suppliers are involved, it is essential to have shared understanding of risks and agreed plans for managing them.

There are three broad types of risk:

Business Risk
This covers the threats associated with a project not delivering products that can achieve the expected benefits. It is the responsibility of the Project Owner to manage business risks.

Project Risk
This is the collection of threats to the management of the project and hence to the achievement of the project's end results within cost and time. The Project Sponsor/Project Manager may manage these on a day-to-day basis.

Operational risk
This covers ongoing risk to service delivery, which could include anything from a major disaster to a minor technical breakdown. These risks are managed on a day-to-day basis by the organisation's service manager and the service provider. Note that although the client may not have hands-on responsibility, they must have the capability to understand what is being done on their behalf and to take appropriate action if required.

Further information:

See the briefing on Managing risk and document outlines for Risk management strategy and contingency/reversion plan.

OGC's Management of Risk guidelines and business continuity briefings

Management of Risk: Practitioner guidance