Risk Management Strategy
Risk is anything that could hinder the achievement of business goals or the delivery of stakeholder expectations. Risk can arise from failure to exploit opportunities as well as from threats materialising.
Risk Management is the culture, processes and structure aimed at managing potential opportunities and threats to an organisation.
The following diagram shows the Highways Agency strategic element of the Risk Management framework. It allows for senior management to be fully involved in:
- The identification of strategic objectives and the threats to their achievement
- Setting the high level 'culture' which exists in the Agency to encourage responsible risk taking at all levels to achieve VFM
Figure A.3 - Strategic element of the Risk Management framework
The practitioners should establish a risk register at the beginning of a pilot project and continually review and update it while the pilot is delivered.
Risk Management Objectives
The objectives of a Risk Management Framework are to ensure the rapid identification of risk and opportunity within a pilot, providing a clear assessment of potential impact and mitigation, so that effective and timely decision-making can be undertaken to ensure that:
- pilots can be quickly assessed at an appropriate level in order to decide whether and how to proceed with such opportunities
- threats to the HA business strategies, programmes, major projects or other parts of its operations can be eliminated or otherwise reduced on an agreed basis
- all decisions are clearly premised on delivery of value to the HA
The underlying principle is that all key risks to the HA strategy, programmes and projects are to be kept under regular review and reported through the various boards within the agency.
The Risk Management Process can be summarised as follows:
Risk identification is critical to all decision making and problem solving, it is the foundation upon which all subsequent assessment and management is performed. HA Project Sponsors will need to be actively supported at all levels, from strategic down to supporting functions. They will be dependent on high quality processes in capturing and assessing risk and ensuring that a suitable management environment exists that supports rapid communication of risk up the line.
Where risks are likely to have a significant financial impact on objectives, such as a major pilot or undertaking, then the case should be made to examine the risks using a probabilistic technique such as QRA (Quantative Risk analysis). Such techniques will model the combined impact of risk and its probability against key objectives to deliver the result in terms of a range of confidence levels in achieving our objectives.
Sizeable pilots or undertakings commit the HA to a significant investment in terms of resources and cost. Under these circumstances a Risk Management Plan must be prepared to ensure that the management of risk is explicit and clearly understood by all parties.
The risk management plan should identify the following: all the significant risks to the project, the entity who 'owns' those risks, what mitigation strategy is being adopted, the risk management 'Actions' together with the 'Action Owners' and the timescales for action.
Risk mitigation is the process by which the initial risk is reduced to an acceptable level. The first step is to agree an acceptable form of risk mitigation - the mitigation strategy. There are basically four options available to treat risks at this stage:
- Avoid the risk - e.g. the pilot is too risky to consider, risks exceed rewards – avoid
- Reduce the risk - reduces the likelihood, or reduces the impact, do more investigative work
- Transfer the risk - keep the risk and manage it within the broader HA contingency provision in accordance with the agreed action plan
- Transfer to an insurance programme usually only cost effective in terms of catastrophic risk to protect the HA and usually applicable for low probability / high impact risks.
Benefits of the Risk Management Process
The benefits to a business from the proper management of risk are extensive:
- Encourage project sponsors to anticipate problems and to take action whilst the widest choice of options is still available
- Identify who is in the best position to manage the risks
- Enable risks to be allocated to the right party and to allow their management to be monitored
- Allow those with real project knowledge to express their concerns before things are allowed to go wrong
- Focus management effort on the issues of significance
- Develop more realistic programmes and cost plans, together with better contingency management
- Communicating the important issues to senior management
- Greater certainty in achieving the goals and objectives of the programme
- Appreciation of and readiness to exploit potential opportunities
- Focus management on the major risks to the exercise
- Actions implemented in time to be effective
- mproved control of related costs
- Informed decision making with regard to mitigation measures
- Efficient use of resources
- Clarity of roles and responsibilities for action
- Operational flexibility as a result of understanding all options and associated risks
- Fewer costly surprises through effective and transparent contingency planning
- Auditable process demonstrating by consensus and quantification how decisions are reached.
Risk Management Guides and standards
In addition to the HA’s ‘Framework for Business Risk Management’ there are a number of recognised government and industry standards and guides that address the management of project, programme and business risk. The most relevant guide is the OGC Management of Risk, however other relevant guides include:
- BS6079 Part 3:2000 Guide the management of business related project risk
- BS IEC 62198:2001 Project Risk Management - Application Guidelines
- Prince 2 (Office of Government Commerce)
- Managing Successful Programmes (MSP) (Office of Government Commerce)
- Project Risk Analysis and Management (PRAM) - 1997 (Association for Project Management)
Suggestions as to the items to include within a risk register can be found in the OGCommence Resource Toolkit[OGC 2006C] The HA Ramp metering project risk register also provides an example of the areas for consideration[HA 2006H].
Health and Safety Risk Management should be carried out in accordance with the Agency’s Health and Safety Management System (HSMS).