Chapter 6 of Managing Risk in Projects (978-0-5660-8867-4) by David Hillson

The Bigger Picture

Chapter 6

In the previous chapter we saw how risk management in projects must not be treated as if it were separate from wider project management. Instead it needs to be fully integrated into the way projects are managed if the management of project risk is to be fully effective and if the project is to gain the promised benefits. The phrase ‘built-in not bolt-on’ describes this well. There is however another level of integration which is important, and this is addressed in this chapter.

Strategy, Tactics and Projects

Projects do not exist in isolation within an organisation. Properly understood, a project is part of the delivery mechanism for the overall strategic vision of the organisation. This is illustrated in Figure 6.1 (which is a simplification of Figure 2.1), which distinguishes strategy from tactics. Organisations exist to create benefits for their stakeholders, and the corporate vision or mission statement defines the scope and extent of those benefits, as well as the change that is required to create them. This is shown in the left-hand side of Figure 6.1. However vision alone does not create business benefits, and many organisations use projects as the change vehicle to deliver the capability which leads to the required benefits, perhaps managing related projects through higher-level programmes (see right-hand side of Figure 6.1). Defining the desired vision, required change and ultimate business benefits is the realm of strategy, whereas projects and their deliverables describe the tactics by which the strategy is achieved. Project (and programme) objectives sit between the strategic and tactical levels, since they are defined in relation to the strategic vision, and they in turn define the requirement for projects (top arrow in Figure 6.1). Objectives are also used to measure the value of project deliverables (bottom arrow in Figure 6.1). Many projects fail because of a disconnect between strategic vision and tactical deliverables, often as a result of poorly defined project objectives. This space between the two levels of strategy and tactics requires careful and proactive management if projects and programmes are to succeed in delivering the required benefits to the business. Yet it is precisely in this area that businesses are most at risk.

Figure 6.1 Strategy-Vision-Benefits and Tactics-Project-Deliverables


Project objectives provide the link between the overall vision and the projects which are established to implement that vision (Figure 6.1, top arrow). They also define the acceptance criteria for project deliverables which provide the capability to realise business benefits (Figure 6.1, bottom arrow). Project objectives are however affected by the uncertain environment within which projects and business are undertaken, resulting in a level of risk exposure. Project risk management exists to address this risk exposure, and should lead to an acceptable and manageable level of risk in each project. This increases the chance of meeting project objectives, which in turn maximises the likelihood of achieving the required business benefits. As a result, there is a clear link between project risk management and business performance: effective risk management at project level should lead to realised business benefits, as illustrated in Figure 6.2.

However the project environment is not the only place where risk management is important, and successfully managing project risk is not the sole contributor to business success. As discussed above, project objectives are (or should be) derived from the overall strategic vision of the organisation, but this is not typically done in a single step, except in very small organisations. More commonly a hierarchy of objectives exists within the organisation, progressively elaborating the vision into more and more detailed objectives, eventually reaching the project level. Figure 6.3 depicts this hierarchy, showing several intermediate levels between the vision and the resulting projects. This figure is not intended to imply that these are the only objectives within a typical organisation, but merely to represent the range of objectives at different levels which lie on the path between the top vision and projects.

Figure 6.2 Link between project risk management and business benefits


Figure 6.3 The organisation as a hierarchy of objectives


When deriving the business case for projects it is essential that there is a clear link with the strategic vision of the organisation, so that each project team understands how their work is contributing to achieving the wider purpose. This presents a double challenge to those responsible for management at every level in the organisation. The hierarchy of objectives produced through the planning process must exhibit both coherence and alignment if the tactical work is to deliver the strategic benefits. Consequently it must be possible to trace the overall vision down through the hierarchy as it is broken down into ever more detail. In the same way there should be bottom-up coherence, with the sum of the objectives on each lower level completely describing the next higher level. This demands attention to inter-level communication with the ability to both roll-up and drill-down through the hierarchy.

Hierarchy of Objectives, Hierarchy of Risk

In Chapter 1 we derived a working definition of risk as ‘uncertainty that, if it occurs, will affect achievement of objectives’. Clearly in project risk management the focus is on finding and managing the uncertainties that could affect achievement of project objectives. But objectives exist elsewhere in the organisation, ideally as a coherent and aligned hierarchy. Wherever there are objectives, they are likely to be affected by uncertainty, whether that is at the highest strategic level of the organisation, through intermediate objectives, right down to tactical objectives within projects. In other words, risk exists at every level where objectives exist. And wherever risk is present, it should be managed proactively in order to maximise the likelihood of achieving the relevant objectives.

It is therefore possible to speak of different types of risk management, or more accurately, risk management with different levels of focus. So one might use the term ‘strategic risk management’ to refer to management of strategic risk, which in turn can be defined as ‘uncertainty that, if it occurs, will affect achievement of strategic objectives’. A range of similar specific definitions for various types of risk can be produced, describing financial risk, environmental risk, safety risk, operational risk, programme risk, and so on. Just as there is (or should be) a hierarchy of objectives across the organisation, so risk management is (or should be) hierarchical in nature. And in the same way that organisational objectives need to be coherent and aligned across the different levels, the management of risk at the various levels should be conducted in a coordinated manner. There are a number of ways of describing such an integrated approach to managing risk across an organisation, and it is most commonly known as enterprise risk management (or enterprise-wide risk management).

Some view enterprise risk management as an unnecessary complexity, suggesting that the only requirement is to manage risk effectively at each level. They argue that if risk is dealt with at its point of origin wherever it arises within the organisation, then there is no need for an integrated approach that overlays additional bureaucracy. However just as there are clear benefits to managing an organisation’s objectives in a coherent and aligned manner, the same is true for managing risk.

Enterprise risk management addresses risks across a variety of levels in the organisation, from strategic to tactical levels, and covering both opportunity and threat. Effective implementation of enterprise risk management can produce a number of benefits to the organisation which are not available from a non-integrated risk process. These include:

  • Bridging the strategy/tactics gap to ensure that project delivery is tied to organisational needs and vision.

  • Focusing projects on the benefits they exist to support, rather than simply on producing a set of deliverables.

  • Identifying risks at the strategic level which could have a significant effect on the overall organisation, and enabling these to be managed proactively.

  • Providing useful information to decision makers when the environment is uncertain, to support the best possible decisions at all levels.

  • Creating space to manage uncertainty in advance, with planned responses to known risks, increasing both efficiency and effectiveness, and reducing waste and stress.

  • Minimising threats and maximising opportunities, and so increasing the likelihood of achieving objectives at all levels from strategic to tactical.

  • Allowing an appropriate level of risk to be taken intelligently by the organisation and its projects, with full awareness of the degree of uncertainty and its potential effects on objectives, opening the way to achieving the increased rewards which are associated with safe risk-taking.

  • Developing a risk-mature culture within the organisation, recognising that risk exists in all levels of the enterprise, but that risk can and should be managed proactively in order to deliver benefits.


The good news is that enterprise risk management does not have to impose additional complexity or bureaucracy, if it is properly understood as integrated management of risk across the hierarchy. The basic risk management process outlined in Chapter 3 can be applied to the management of risk at any level, with a few simple modifications:

  • The process is focused around achievement of the specific objectives at the level under consideration (for example, strategic risk management addresses uncertainties with the potential to affect strategic objectives).

  • Risk-related tasks are performed by different people, namely those responsible for the specific objectives which are at risk (so strategic risk management is undertaken by senior management).

  • Risk reports use the language of the stakeholders (for example, strategic risk reports relate to business benefits, share value, market position and so on).


The goal of enterprise risk management is to create an integrated approach to managing risk across all levels, with a shared understanding of risk by everyone involved, a common language for risk, the same risk process employed at each level, generic risk templates which are applicable for all, and a risk-aware culture across the organisation which recognises the value of risk management and is committed to implementing it effectively. One of the main success factors in getting this to work is an understanding of the boundary conditions and interfaces between the different levels of risk, to answer questions such as: ‘When does a project risk become a programme risk?’ or ‘How do strategic risks impact other parts of the organisation?’ An effective approach to enterprise risk management will define such escalation and delegation criteria in terms of objectives at each level, ensuring that everyone has a shared understanding of how risk at their level relates to other levels.

Project Risk Management in the Programme Context

Projects sit near the bottom of the hierarchy of objectives, connected to organisational strategy through several intermediate layers. As explained above, it is clearly important for projects to be tightly coupled to strategic objectives, so that successful completion of each project and generation of its deliverables will make a positive contribution to creating value for the organisation and its stakeholders. In the same way, effective management of project risk is essential to achieving overall business benefits, as shown in Figure 6.2. In order to make this contribution, project risk management must have a clear working interface with the next level up the hierarchy, namely the programme level. It is not appropriate here to describe enterprise risk management in detail, but it is important to explain how project risk management is connected into this wider framework. So what are the links between project risk management and risk management at programme level?

Programmes exist at a higher organisational level than projects, and their purpose is to deliver strategic benefits. In effect programmes sit between strategy and projects (although there may be other intermediate levels above programmes). Since programmes sit between projects and organisational strategy, risks could arise at programme level from three directions, as illustrated in Figure 6.4, namely up from the components of the programme, down from organisational strategy level, or sideways from the programme level itself. The scope of programme risk management must include all three sources of risk.

Figure 6.4 Sources of risks at programme level


  1. Risks can be delegated from higher levels in the organisation to the programme level if they can affect programme objectives or if they require programme-level action. This requires well-defined delegation criteria and thresholds, as well as clear channels of communication to ensure that management of strategic risks delegated to programme level is reported back to senior management.

  2. Some risks specifically arise at the programme level, including both threats and opportunities across the full range of risk types (technical, management, commercial and external risks). Programme-level risks fall into two main categories: those arising from interfaces between programme components, and ‘pure’ programme risks relating to the execution and management of the programme itself.

  3. Our particular interest here is to explore the relationship between project risk and programmes, which occurs in three ways:

    1. Project risks which meet predefined escalation criteria should be passed up to programme level, including project risks with programme-level impact, as well as project risks requiring programme-level responses.

    2. Similar and related risks at project level might be aggregated to create a programme-level risk, either by simple summation (ten insignificant project risks may equal one significant programme risk), or as a result of synergy (the whole may be greater than the sum of the parts). Suitable risk categorisation schemes are required to facilitate such aggregation by identifying commonalities and possible synergies, and a generic programme-level Risk Breakdown Structure (RBS) may be used for this purpose.

    3. Overall ‘project risk’ as defined in Chapter 2 (or the risk of the project, as distinct from the risks in the project) will have an impact at programme level, and must therefore be considered within the scope of programme risk.


Enterprise Risk Management as an Integrative Framework

In order to be successful in delivering value and benefits to its stakeholders in line with its vision, an organisation must establish a coherent and aligned hierarchical set of objectives which connects the strategic level to tactical delivery. Having established these objectives, they must be achieved, despite the uncertain environment within which the organisation operates. It is the role of enterprise risk management to identify and manage ‘uncertainties that matter’ at whatever level they arise. This could be done at each level in isolation, with no communication or interfaces between levels, but it would be better to manage risk in a coordinated way across the entire hierarchy of objectives. Done in this way, enterprise risk management offers an integrative framework for the business, promoting achievement of objectives at all levels, leading to successful project delivery and ultimately to realised strategic benefits and value.

The contribution of project risk management to this overall success requires it to be fully integrated into the wider hierarchy of enterprise risk management, with particular attention to the interface with the next level up, namely programme risk management. Only then can project risk management play its full part in delivering value to the organisation.

