STUDENT

GUIDE

BSBPMG632
MANAGE PROGRAM RISK
BSBPMG632 Manage program risk | 2
First published 2021

Version 1.0

RTO Works
www.rtoworks.com.au
[email protected]

© 2021 RTO Works

This resource is copyright. Apart from any fair dealing for the purposes of private study, research, criticism or review
as permitted under the Copyright Act 1968, no part may be reproduced by any process without written permission as
expressed in the RTO Works License Agreement.

The information contained in this resource is, to the best of the project team’s and publisher’s knowledge true and
correct. Every effort has been made to ensure its accuracy, but the project team and publisher do not accept
responsibility for any loss, injury or damage arising from such information.

While every effort has been made to achieve strict accuracy in this resource, the publisher would welcome
notification of any errors and any suggestions for improvement. Readers are invited to write to us at
[email protected].

Business Works is a series of training and assessment resources developed for qualifications within the Business
Services Training Package.
 Contents

Overview 4
Topic 1: Planning for program risks 5
Topic 2: Managing program risks 19
Topic 3: Assessing program risk outcomes 25

BSBPMG632 Manage program risk | 4

 Overview

The Student Guide should be used in conjunction with the recommended reading and any further
course notes or activities given by the trainer/assessor.

Application of the unit

This unit describes the skills and knowledge required to manage risks that might affect program
deliverables and organisational objectives. It covers directing the planning and management of
program risks, managing risks to the overall program and assessing risk management outcomes
for the program and the organisation.
The unit applies to individuals who are program managers, managing or directing a suite of
projects (a program) and/or senior project managers.
No licensing, legislative or certification requirements apply to this unit at the time of publication.

Learning goals
Learning goals include:

 You are able to direct the planning of program risk management.

 You are able to manage program risk.

 You are able to assess program risk management outcomes.

BSBPMG632 Manage program risk | 5

 Topic 1: Planning for program risks

This topic looks at directing the planning of program

risk management including identification of potential,
actual and residual risks, modifying the program risk
methodology to match the context for risk, consulting
with stakeholders to identify, document and analyse
program level risks, supporting and mentoring
project managers for the treatment of risks, ensuring
risk management is transparent and dynamic across
the program and developing and maintaining an
effective risk management system.
Image by Edge2Edge Media on Unsplash

What is program risk management?

A program is defined as a set of interrelated projects, each of which has a project manager.
‘Multiple projects’, or ‘a program of projects’, refers to several related projects managed by the
same person as a program to achieve organisational objective/s.
A risk is situation or a state which involves danger to a valued possession or person. A risk can be
managed by undertaking a risk management process that helps deal with the risks.
Combining the two, a program has objects and any situation or state that has the potential to
compromise achievement of these objectives is a program risk. Therefore, program managers
must undertake program risk management initiatives to manage risks and ensure that program
objectives are successfully achieved.
The two primary objectives of risks management include:

 Decrease the probable or potential negative impacts; or

 Increase the prospective positive impacts.

In this topic we will look at how program managers plan risk management programs. The risk
management process involves:

Developing risk management framework, Identifying, documenting and analysing

standards and methodology risks

Treating risks Managing risks Developing risk management systems

BSBPMG632 Manage program risk | 6

 Activity: Research and discuss

Watch the following video as an introduction to program risk management.

Video: https://www.youtube.com/watch?v=x7A9idByPA4 (04:05)
Discuss the following:

 How can risks impact programs?

 What does a risk management plan encompass?

 Identify some risk management activities.

Your trainer/assessor will facilitate a discussion.

Firstly, to plan for risk, you need to identify potential, actual and residual risks. The following table
highlights the difference between each type of risk:

x These are risks that could be likely to happen and that could cause
Potential risk a project to fail or not achieve its goals. Risks may relate to cost,
to a program time, technology, resources. These can occur from poor or
inaccurate planning.

Actual risks x These are known risks that can be taken into account.

x Residual risks are those expected to remain after implementing a

planned risk response and those that are deliberately accepted.
Residual risks
(This can be the acceptable risk tolerance or a risk that does not
have a reasonable response).

All of these risks must be identified during the planning process so that they can be managed.

Activity: Read

Read the following article of residual risk vs secondary risk:

https://www.simplilearn.com/residual-risk-vs-secondary-risk-article
Take any notes to summarise what you have read.

Risk management framework

The risk management framework is there to ensure information about any risks, derived from the
risk management process, is sufficiently reported and then used as a basis for managerial decision
making and accountability throughout an organisation.

BSBPMG632 Manage program risk | 7

Team leaders, supervisors and heads of departments etc are part of this process and expected to:

 Contribute input to this framework.

 Reference information generated by others who are part of this framework when they make
risk-related decisions.
The design of the risk management framework must take into consideration:

 Activities undertaken by the work area.

 Accountabilities the team etc has for performance, production, service delivery and similar.

 The Risk Management policy of the organisation as it applies to the specific work area.

 Integration of organisational processes in terms of standard operating procedures (SOPs) the

team/work unit uses that are common across the business.

 Establishing communication and reporting mechanisms between departments, work teams as

well as need for intra-work group sharing of information.

 Resources needed for the work unit to do the jobs expected of it.

The framework used should support managing program risk as it applies a structured,
methodological, formal process followed by all project managers.

Risk management standards

Risk identification and management is very important for a company as identifying risks and control
measures helps in ensuring a profitable and effective business. The purpose of risk management
standards is to provide a framework that can assist companies to implement risk management
systems systematically and effectively. 
A range of standards that can assist with various aspects of business management are provided by
SAI Global. One of these is the AS/NZS ISO 31000:2018, Risk management guidelines, used by
many organisations to help them manage risks.
An organisation’s risk management policy and processes would be based upon these standards.
The standard is useful in that it gives terms and definitions relating to ‘risk management and
provides information and step-by-step guidance on topics including:

 Principles underlying risk management.

 The risk management framework.

 The risk management process.

The AS/NZS ISO 31000: 2018 provides organisations with principles and general guidelines to be
considered when developing risk management frameworks and programs. See the link in the next
activity on the principles, framework and. Process for the standard.
Use of or adherence to this standard is not mandatory but is considered ‘best practice’ or the
benchmark against which an organisation’s risk management practices can be judged.

BSBPMG632 Manage program risk | 8

 Activity: Read

Read more on the standards.

Principles, framework and process:
https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en
A risk practitioner’s guide to ISO 31000: 2018:
http://www.demarcheiso17025.com/document/A%20Risk%20 Practitioners%20Guide
%20to%20ISO%2031000%20%96%202018.pdf
8-page limited free preview of AS/NZS 31000: 2018:
https://infostore.saiglobal.com/preview/332265330632.pdf?sku=1134720_
SAIG_AS_AS_2680492
Take any notes to summarise what you have read and keep for future reference.

Program risk methodology

A program manager selects and modifies the program risk methodology to match the context for
risk. It defines the process used for risk management and can include:

 How risks should be identified

 The methods that should be used

 Stakeholder involvement

 Methods to be employed

 Documents and templates required.

This requires planning on which the risk management approach will be used in managing risks of
the program.

Risks impact project costs, time, quality, and scope of work and so can program opportunity.
Program opportunities can result in cost and time savings without compromising the quality or
scope of program works.

As per Project Management Book of knowledge (PMBOK), both risks and opportunities are
managed using same methodologies.
In this unit, we will follow a risk management methodology for managing potential risks and
opportunities in a program.

Program level risks

Risks exist at two levels in an organisation.

BSBPMG632 Manage program risk | 9

BSBPMG632 Manage program risk | 10
Identify levels of risks
 Program level – facilitates an overall coordination and management of overall program risks. A
program can involve many teams and therefore at program level, a team will have wide
management of issues that may become a potential threat or a problem. Here all potential
risks are identified at all team levels associated with the program. The program manager
ensures that the key stakeholders meet regularly to identify and address approaches to risk
management. Respective project managers are assigned with risk management
responsibilities, so that risks and opportunities associated with integration, interdependencies
and interactions between sub teams are identified, coordinated and managed at team levels.
The program manager also ensures that the project managers meet regularly to review and
provide feedback on management of risks in their teams. This is how a program gains an
overview of ongoing risk management in their program.

 Team level – each team is responsible for identifying, assessing and mitigating risks that are
pertinent to their teams. These teams can be sub-project teams and come from different parts
of the organisation or diverse organisations.

Establish common understanding of risks

 The program managers and key stakeholders of the program such as project managers meet
to establish:
o Key program evaluation criteria or areas that can be affected e.g. product quality,
performance standards for teams, etc.
o Impact of risk e.g. low, medium or high.

o Risk sensitivity in terms of likelihood or probability of risk occurrence e.g. low, medium or
high.
A note on stakeholder consultation:

A program manager will need to consult with stakeholders for their views on risk management
planning. A stakeholder can include team members, clients, senior management, decision
makers, authorities or any other person who has an interest in the project. A program manager
may need their input for:

 helping to identify risk objectives

 identification of any standards

 identification of constraints with project objectives

 providing information on variations in risk tolerance levels

 reporting on how risks can directly affect them.

Gaining stakeholder’s input can highlight critical factors or issues as well as views that can either
support or hold back an organisation’s ability to manage risk.
You will see that throughout each phase of the risk management process, the program manager
carries out a number of consultations to identify, document and analyse program level risks.

BSBPMG632 Manage program risk | 11

 Activity: Research and discuss

Work in pairs. Ensure work is equally shared.

Research the following to establish your understanding on risk assessment.

 What is risk assessment criteria matrix and what is its purpose?

 What is risk index priority and what are some advantages of prioritising risks?

 Search samples of risk criteria assessment and risk index priority.

o What are the key elements used in mapping risks on each matrix?

o What are some general rules of thumb that can be used in calculating or
working out impact and probability of risks?

 Do you think risks should be assessed at both team and program levels?
Support your answers with reasons.
Your trainer/assessor will facilitate a discussion about the outcomes from the
research.

Identify, document and analyse risks

This involves direct identification, documentation and analysis of program level risks, in
consultation with stakeholders, as the basis for project risk-management planning.

Risk identification
 Requires program and project managers and other key stakeholders to consult with each
other to be objective and brainstorm to recognise risks.

 This is done after the project scope, milestones and elementary requirements of the program
have been established but before the business case and program budget is prepared.
Managing risks can require additional time and money, therefore must be identified prior to
finalising program costs.

 Identifies risks in the initial phases of program.

 Identifies on-going risks associated with program.

 Potential sources of risks include technology, politics, environmental, legal, sponsors, timing or
schedule, technology, budget or costs, etc.
Source: https://opentextbc.ca/projectmanagement/chapter/chapter-16-risk-management-planning-project-management/

Risk documentation
 Risks can be recorded on a risk register with details of its cases, events and effects of risks on
overall program.

BSBPMG632 Manage program risk | 12

 Must be written using Meta language stating the case, effect and impact of risk.

 Must have objective details.

 It shows that a thorough and systematic approach was adopted to identify risks.

 Helps review and update risks throughout the life of the program.

 This document must be updated regularly.

 Forms basis of knowledge management.

Source: https://lokesh12.wordpress.com/2012/12/14/4-best-practices-for-documenting-project-risks/

The risk register with details from past projects can be useful in identifying what worked, what
did not and what must not be repeated in other projects. Other reasons include:

 Creates risk awareness.

 A chance to create a contingency plan.

 Helps assess organisational risk tolerance threshold earlier.

 Letting risks fall through the cracks can impact project outcomes significantly.

 Learn as you go and become better every time.

 Learning from mistakes and not repeating them can save costs and time.

 Improves product quality, saves time and money in the long run.

 Helps build program and project managers and organisation’s reputation.

 A good way to exchange skills and knowledge.

 Builds team confidence and process efficiency.

 Looks at innovative ways of identifying and managing risks.

A dynamic risk register can help to avoid identified risks through different project teams utilising a
process that will keep track of risks within their areas of specialisation, providing more data to help
identify and mitigate potential risks across a program.
A dynamic risk register is one that is kept up to date with all of the of the most important risks the
project faces and how the each of the
project management team will deal with
them. The risk register is usually in a table
form and lists risks, their analysis and risk
treatments.
Risk management software can allow a
risk register to be dynamic, as it can be
managed and coordinated across multiple
projects in a structured and controlled
platform. The alternative would be to use
a spreadsheet that is accessed by all

Image by Nataliya Vaitkevich on Pexels

BSBPMG632 Manage program risk | 13

project managers which could end up complex and unusable due to the lack of controls that can be
put in place.

Activity: Watch

What is a Risk Register and When To Use It.

Video: https://www.youtube.com/watch?v=voR0FBnC2ZU (03:56)

 Discuss the use of a dynamic risk register across a program and its benefits in
class.
Note key learnings form video and discussion.
Your trainer/assessor will facilitate a discussion about the outcomes from the video.

Analyse risks
 Risks are categorised in three forms. It is important to register the first two forms of risks as it
permits time to address the unknowable risks when it occurs. It is advisable to factor in a
percentage of cost and time to address unknowable risks even when they are unpredictable.
This gives your budget and delivery time some buffer to respond to any situational surprises.
o Known risks – risks known by many persons as it is evident in the early phases of
program planning.
o Unknown risks – risks that are known by a limited number of people and not recognised
in the planning phase.
o Unknowable risks – risks are completely unforeseen and surprising.

 Risks are then analysed using two methods:

o Quantitative analysis – uses numbers to measure the overall impact of risks on the
program. E.g. the numerical scale or cost measures
o Qualitative analysis – uses words to describe the overall impact of risks on the program.
E.g. high, medium or low impact.
Source: https://www.pmi.org/learning/library/practical-risk-management-approach-8248 and
https://www.izenbridge.com/blog/differentiating-quantitative-risk-analysis-and-qualitative-risk-analysis/

Support project managers and treatment of risks

Treatment of risks is also sometimes termed as risk response planning.

Treatment of risks
 The program manager and the project managers must consult other key stakeholders and
work together to identify possible responses to risks.

 They must develop strategies and plans that will be implemented to treat the risks.

BSBPMG632 Manage program risk | 14

 Has mitigation and contingency plan.

BSBPMG632 Manage program risk | 15

 Risk treatment strategies are as follows:

o Avoidance or elimination – select different approach so that the risk is eliminated

o Transfer – move the risk to elsewhere or another party

o Mitigate – develop a response plan for the risk

o Acceptance – allow the risk to persist and deal with it when it eventuates

 Risk treatment plan includes information on the following:

o What will be done?

o Who (name and role) will implement the strategy?

o When to apply the strategy e.g. schedule or trigger point?

o Where will the additional costs of treatment be funded from and who will authorise it?

o How will it be communicated? etc.

Supporting project managers

 The program managers must direct, support and mentor project managers in analysing,
evaluating and treating or mitigating of risks. This is purely because not all project managers
will have the knowledge or experience. Program managers can use a combination of
strategies stated below to support project managers.

 Directing – this form of management will be required with new project managers who have
minimum or no experience in managing risks. This can be termed providing instructions and
doing a follow up to check if the tasks are understood and executed properly.

 Support and coaching – this form of management can be adopted either with new or
experienced project managers in the following ways:
o Go above and beyond to assist them.

o Empathise and work as a team player not necessarily as a boss or a someone who works
above them.
o Back them up and investigate if project managers have problems with clients.

o Set yourself apart by being creative and incentivising them.

o Be transparent and provide constructive feedback.

o Encourage project managers to take risks to build their confidence or learn from mistakes
together.
o Create a learning environment and new experiences.

o Deliver what you promise in terms of expected standards and rewards.

 Mentoring – this form of management is encouraged when you have semi to experienced
project management who can work with little or minimum guidance.
o Be a good role model and communicate with your team.

BSBPMG632 Manage program risk | 16

 o Use informal training and cross training. This allows a fresh perspective to flow of work
ideas.
o Use two-directional mentoring approach where both you and your mentor can learn from
each other. This is a great way to facilitate mentoring with different generations of project
managers.
o Allow and encourage project managers to take on transitional roles and responsibilities to
build on knowledge and experiences.
o Identify your mentoring style. Enable project managers to identify theirs. This is important
for ensuring a proper mentor-mentee match and forming of effective collaboration.
Source: https://www.forbes.com/sites/johnhall/2014/03/10/11-simple-ways-to-show-your-employees-you-care/
#4b7efa6d450e and https://www.roberthalf.com.au/blog/employers/5-tips-becoming-inspirational-mentor

Managing risks
Program managers need to ensure risk management is visible and dynamic across the program so
that risks are assigned and managed in a timely manner. This done by developing a risk
management structure.

Risk management structure

Risk management structure

1. 2. 3. 4. 5. 6.
Risk Risk Management Make risks Chunk Assign
management acceptance commitment visible organisation cluster
policies & tolerance manager
procedures

The structure involves:

 Setting up an organisational risk management structure in accordance with risk management

policy.

 Defining the organisation’s risk tolerance thresholds.

 Embedding risk management structure from top management down.

 Incorporating multiple risks into the organisational risk management’s big picture

 Chunking the organisation into parts with objectives to deliver project outcomes in a timely
manner.

 Clustering risk activities by team, tolerance levels and assigning them to relevant project
managers or individuals. This person is called the cluster manager who will be responsible for
managing risk activities.
Source: https://www.riskdecisions.com/assigning-responsibility-managing-risk-using-risk-management-clusters/

BSBPMG632 Manage program risk | 17

BSBPMG632 Manage program risk | 18
Making risks visible and dynamic
The chunking of the organisation and assigning a cluster manager has two purposes:

 Cluster manager makes the chunk of the organisation aware of risks and ensures its visible.

 The cluster manager can make risk plans visible by distributing the risk management plan
electronically, communicating about the tolerance levels and impacts of risks in informal or
formal conversations, printing out the plan and pining it in near scrum area or project
storyboard or noticeboard.
It allows clusters of the organisation to focus on deliverables whilst managing risk activities and
ensures risks are identified and risk treatment plan is executed in a timely manner.
Risks can emerge, change or disappear as an organisation’s external and internal context
changes. Risk management should therefore be dynamic so that it can anticipate, detect,
acknowledge and be responsive to those changes and events in an appropriate and timely manner.
The risk management framework should be dynamic, so that when there are changes to the
environment, it can be updated to reflect these changes.
If a standard approach is taken to risk management, then it allows risks to be appropriately
prioritised across all operations, resulting in effective controls.
Appropriate and timely involvement of stakeholders enables transparency and can result in
improved awareness and informed risk management.

Addressing risks on time

The cluster managers monitor project progress and keep an eye out for risk trigger points to be
able to execute the risk response plan. Failing to perform this task in a timely fashion will impact
project costs, deliverable time, quality and even breach of sponsor’s program contract.

 Executing the planned risk treatment plan in a timely manner reduces frustration and stress
build up.

 Provides time to manage unknowable risks when they eventuate.

Addressing the risk treatment plan sometimes requires work in cross teams. The cluster managers
must ensure any team interdependences are clearly worked out and service level agreements are
put in place and risk treatment plans are executed effectively without wasting time.
The project teams must review the risk register or list regularly, for example on a fortnightly basis.

Developing program risk-management systems

A program risk-management system enables effective management and communication of risks,
controls, treatments and outcomes to stakeholders across the program. There are many ways in
which program managers can develop and maintain a program risk-management system.
Management and communication of risks provides accountability, transparency, realistic
expectations, and promotes collaboration with stakeholders across the program. For example,
implementing a risk assessment reporting system, regular communication and progress reports
and accessible, dynamic risk registers.

BSBPMG632 Manage program risk | 19

Risk controls could be engineering controls, administrative controls and work practice controls.
Risk treatment could include how risks can be avoided, transferred, mitigated or accepted. The
outcomes may be how the program is performing, its progress, or effectiveness of controls.
A risk management communication plan can also help to effectively communicate with
stakeholders of the program and can include roles and responsibilities, activities, reporting dates
and schedules.
As an example, we have highlighted how risks can be managed within the program/project
management life cycle in the table below:

Implementing risk management in project stages

Project stages Systematic identification and management of risks

Stage one –  Use of critical path - show which tasks have high impact on outcomes, its
Define project interdependence on tasks and duration. This helps identify high-risk
scope and activities.
goals
 Use of Gantt Chat – shows relationships between tasks and their
interdependencies. Unless one task is completed, the next task will have
to wait. This can also assist with outlining risks and making mitigation
and contingency plans.

Stage two –  Project managers and key stakeholders break up a major task into single
Detail work activities. During this phase, additional risks can be identified. Along with
breakdown allocation of many single activities, risks are also assigned to project
teams.

Stage three –  Risks associated with resources such as personnel and finance are
Resource and identified.
budget
scheduling

Stage four –  Project workflow is monitored and any further risks are identified,
Execution of registered and or mitigated as per plan.
deliverables

Stage five –  Identified risks are escalated to sponsors during reporting project
Reporting on progress. Any predicted changes to project completion time or budget is
deliverables communicated.

 The success or failure of risk treat plans are also reported to sponsors
and key stakeholders.

Stage six –  Actual vs planned program progress is analysed.

Analysing
 Check point to see how planned risks responses are worked and if it did
progress
not then why it did not work and what other contingency plan or options
are available to mitigate the risks is analysed.

BSBPMG632 Manage program risk | 20

 Project stages Systematic identification and management of risks

Stage seven –  This stage must be a formal process because it forms the basis for best
Project close practice to learn mistakes and experiences of managing risks.
out

Project management software

Project management software can be used for the effective management and communication of
risks, controls, treatments and outcomes with stakeholders across the program through project
management tools and applications.
There are various project management software that can used to manage projects and many have
the capability to register risks and link them to tasks, responsibilities, create alerts on tasks that
have potentially medium to high risk exposure and email notifications to responsible persons with
details of risk and its treatment.
However, program managers must note that project managers must be able to identify risks and be
able to address them at every stages of project management. If project managers are unable to do
this, then project management systems are not used to their full potential.
Some examples of project management software with risk management capabilities are:

 Microsoft project

 Workzone

 Clarizen

 Smartsheet

 Monday.com

 Airtable.

Activity: Research and discuss

Divide into pairs. Read the following article and write down notes on how you could
plan to respond to risks associated with the following:

 Quality

 Loss of important team member

 Vendor not meeting his/her commitment to supply goods

 Destructive stakeholders

Link: https://pmbasics101.com/3-powerful-risk-management-examples/
Your trainer/assessor will facilitate a discussion after you have completed the activity,
ensure to participate and share your responses.

BSBPMG632 Manage program risk | 21

Activity: Group work

You are to work as part of a team to manage program risk in preparation for your
assessment. At the end of each topic, you will be given an activity to complete to
support your learning. Your trainer/assessor will support you to undertake the activity
and provide your group with feedback.
During your group work you will need to:

 Work as part of a team, dividing work equally, collaborating, using effective

communication and participating in discussions using appropriate language and
active listening and questioning to confirm understanding.

 Ensure to plan and schedule your activities appropriately and within the
timeframes allocated by your trainer/assessor.

 For all activities clearly document information in a clearly structured,

appropriately formatted and professional manner, using appropriate terminology
and relevant to the audience.
Read the following then undertake the first group activity:
You are to manage a group of projects for an organisation. The projects are for four
project managers implementing a sustainability policy for each department based on
an organisational strategy. You can research what is involved in implementing the
policy and use an example organisation to base the project. For example, it could be
for a university implementing across four different faculties. You will need to provide
some background and context to the project and have this approved by your
trainer/assessor before continuing with the activity. Ensure to plan all activities and
schedule your tasks so that you complete the activity on time.
Undertake the following:
Direct the planning of program risk management, including:
 assessing and selecting risk methods to suit risk context

 directing identification, documentation and analysis of risks as basis for planning

 directing, supporting and mentoring project managers in analysing, evaluation

and treatment of risks

 confirming risk management is transparent and timely

 developing and maintaining a risk management system across the program

Submit to your trainer/assessor for feedback upon completion of the activity, but
within the timeframe allocated.

BSBPMG632 Manage program risk | 22

 Topic 2: Managing program risks

This topic is all about managing program risk including managing agreed risk management plans,
reviewing progress, achieving objectives, monitoring and assessment, and responding to program
risk through authorised remedial actions.

Risk management plans

The risk management plan is a document that describes the way in which a project will manage
risk. It is usually a formal document with standard headings that will vary depending upon the
organisation, industry, standards and size of the project. Broadly, there are six components of a
good risk management plan: 

Risk context

Methodology or framework being used

Roles and responsibilities

Reporting

Compliance/audits

Historical data

It may also contain:

 Definitions: how risks are identified and given prioritization rankings, such as

“high/medium/low.”, or “Probability of 0.05 = Very Low.”  

 Assumptions: these statements are the basis on which the project risk is based. Such as,
“How many previous projects with similar components have been completed successfully?” or
“What expertise or prior experience does the company have in this work?” 

 Risk Breakdown Structure: this is a categorical listing of the major categories of risk, and it
highly specific to the industry.  

 Probability Impact Matrix: gives a more detailed definition of the probability and impact
structure used by the risk register. The matrix considers both factors and sets the stage for the
determination of numerical probability and impact values for each risk event. 

 Accuracy (or Confidence) Estimates: an analysis by the risk management team (or project
manager) of the potential deviation from the project plan. They can be as simple as
low/medium/high probabilities or as complex as statistical analysis of the probability of meeting
deadline dates 

 Risk Register: contains a listing of the most important risks the project faces and how the
project management team will deal with them. The risk register is usually in table form.  

BSBPMG632 Manage program risk | 23

A program manager will need to direct the management of a program in accordance with an
agreed program risk-management plan that will oversee each project.
There are a number of risks that a program manager will need to manage simultaneously. As per
our discussion in the last topic, program managers can cluster and chunk delegate risk
management at various organisational levels and the likelihood and impact of risks.
Some aspects of directly managing the program with agreed risk management plan involves:

 Centralised and visible risk register available on project management systems.

 Managing accountable persons responsible

for managing risks and mitigation plans in a
timely manner.

 Have dashboard that displays projects key

performance indicators and high risks tasks
that could potentially impact project time,
costs, quality deliverables and scope.

 Automated notification of risk alerts to project

managers before they engage in tasks so
that they can assess any risk triggers and
mitigate risks by using contingency plan.

 Manage workflow and ensure no tasks or Image by Campaign Creators on Unsplash

risk fall through the cracks.

Activity: Research

Source a program risk management plan and review its contents. How does it differ
from a project risk management plan?
Your trainer/assessor will facilitate a discussion.

Activity: Read

Read the following article on the components of a risk management plan.

https://projectriskcoach.com/project-risk-management-plan/
Write down any key takeaways and keep a copy of the link for future reference.

Achieving program objectives

The program objectives should be linked to an organisation’s business goals and objectives. To be
able to review progress you need to be able to continually determine if these objectives are being
met. Any variances can then be analysed and risk responses initiated so that the program
objectives can still be achieved.

BSBPMG632 Manage program risk | 24

The objectives should be SMART (specific, measurable, achievable, relevant and timely) and could
relate to cost, scheduling or performance variances. For example, for cost:

 A program must remain within the budget with a variance of no more than 5%.

 A program must keep to the schedule including adhering to the project deadline of 25 th
September.
It is important to set these objectives so that you can review the performance results at progress
points or milestones of a program. For example, if the program is reviewed and there is over 5%
variance of the budget then you would need to initiate a risk response to deal with the variance.
In order to review progress of projects, program managers need real-time data to match against
planned outcomes. This can be accessed on a project management software dashboard and the
generation of reports. The reports can provide a snapshot of each stage of the project.
Some key variables to analyse from dashboards and reports include but are not limited to:

 Expenses and time sustained vs planned budget.

 Any tasks that took longer than planned time to complete.

 Accuracy in achieving milestones and deadlines (for example from a Gantt Chart).

The analysis process looks at:

 The any differences or variables (positive and or negative).

 Asking “how and why” questions for occurrence of variance.

 Recording, escalating and sharing the information with respect to project managers and key
stakeholders.
Because of the dynamic risk environment, it is important that these reviews are continually carried
out and monitored so that risk responses can be initiated in a timely manner.

Initiating risk responses

Once a risk and/or variance has been identified and analysed, program managers must ensure
appropriate risk responses are initiated to achieve program objectives for the dynamic risk
environment. Some risks emerging from the internal and external organisational environment that
need initiation of risk responses could include:

 Change management – identifying root causes of change and executing change requests.

 Project management risk – capability and capacity of project team to effectively manage
projects.

 Portfolio risks – managing the program should have positive returns on investment.

 Schedule risk – achieving schedules at planned or under cost.

 Operational risk – building team/department interdependencies to achieve quick response to

risks.

 Opportunity management – taking advantage of any opportunities in the market that can add
value to the program and/or organisation.

BSBPMG632 Manage program risk | 25

 Governance risk – ensuring effective program structure, policies, procedures and standards
are in place.

 Compliance risk – ensuring compliance to organisational policies and procedures, legislations,

laws and regulations.

Risk responses are broadly:

Avoid Transfer Mitigate Accept

Activity: Read

Read more on risk responses:

https://www.projectengineer.net/how-to-create-a-risk-response-plan/
Write down any key takeaways and keep a copy of the link for future reference.

Monitor and assess risks

Program managers have to ensure that risks are monitored and assessed across the program at
agreed intervals. Certainly, program managers delegate risk management to project managers
therefore it is the risk owner’s responsibility to track and resolve their share of allocated risks.
Program managers must foster a collaborative environment so that project managers are
transparent about any issues and they can work collectively if necessary, to manage the risk
management process. Some ways to monitor and assess risks include:

 Use various modes of communication to keep teams updated with project progress and
potential old and new risks.

 Fix regular meeting to manage risks. This can be done face-to-face and followed up using
emails and project management tools.

 Assess risk regularly as their impacts can either intensify or become low during the lifecycle of
the projects.

 Ensure periodical reviews of projects and its status.

 Incorporate periodical technical performance reviews.

 Using project management software to monitor and report on each individual project at
milestones or agreed dates.
A program manager will need to coordinate, track and collaborate with project managers to ensure
that strategies for monitoring risks are consistent and carried out according to the agreed
processes.

BSBPMG632 Manage program risk | 26

Managing actuated risks
Direct response to actuated program risk (issues) involves impact analysis and authorisation of
remedial actions in order to achieve program objectives.
Risk impact analysis includes:

 Matching organisation risk tolerance against the actual risk impact. The actual risk tolerance
can be worked out using qualitative risk analysis where the technical capability, costs and
schedule are assessed for achieving long-term program and organisation objectives.

 A quantitative risk analysis includes use of tools such as decision trees to assist with working
out numerical rating to risks and activity risk assessment matrix.
Authorisation of remedial actions includes:

 Having honest and open communication with program or project sponsors about actuated
risks and their impact on program deliverables and objectives.

 Initiating change request documentation for actuated risk.

 The sponsors may agree to change request because they would rather continue with the
project as money has already been invested into it. They may agree to sponsor additional
costs or approve change requests. They can also choose to decline the change request and
stop the project because their organisations do not have the tolerance threshold for the
actuated risks. However, this can be used as a learning curve and used in management of
future projects.

 The outcomes of decision must be communicated with the respective teams and actioned as
appropriate.

 Change request approval and disapproval must be stored safely as it is an official document
i.e. an addendum to project contract.

Activity: Watch

Watch the following video on monitoring and controlling project work.

Video: https://www.youtube.com/watch?time_continue=10&v=s3YyuUso49Q&feature
=emb_logo (04:11)
Write down your key takeaways.

Activity: Group work

Refer back to your group work.

You are to demonstrate that you have managed program risk by providing evidence
that you have:

 managed the program

BSBPMG632 Manage program risk | 27

 reviewed the progress, analysed variance and initiated risk responses

 confirmed risks are assigned and monitored across the program at agreed
intervals

 assessed issues for impact and remedial actions

Submit to your trainer/assessor for feedback upon completion of the activity, but
within the timeframe allocated.

BSBPMG632 Manage program risk | 28

 Topic 3: Assessing program risk outcomes

For this last topic we will be looking at assessing program risk outcomes which includes
documenting program residual risk and communicating with stakeholders any transferred liability,
reviewing and analysing the program outcomes to assess the effectiveness of the risk
management methodology used, seeking and responding to feedback from relevant stakeholders
and finally documenting and recommending lessons learned.

Program residual risk

Program residual risks are left over risks after planned risks have been actioned or factored into
program delivery. These risks usually do not have planned responses. These are risks that will
happen when they happen and there isn’t much that can be done about them in the planning stage.
Identifying and documenting program residual risks to alert stakeholders of any transferred liability
at a program completion would be mandatory. The risks are not eliminated but making them known
can reduce their impact in other programs. As program managers document these residual risks,
they must also state the following in their report to stakeholders:

A c k n o w le d g e th a t ris k s s till e x is t.

Id e n tify re le v a n t g o v e rn a n c e a n d c o m p lia n c e re q u ire m e n ts th a t n e e d s to b e

m e t in o rd e r to m a n a g e re s id u a l ris k s .

Id e n tify a n y o rg a n is a tio n a l ris k m a n a g e m e n t w e a k n e s s o r s tre n g th s th a t

c a n b e u s e d to m itig a te re s id u a l ris k s .

Id e n tify o rg a n is a tio n ’s th re s h o ld fo r re s id u a l ris k to le ra n c e .

R e c o m m e n d ris k tre a tm e n t a n d c o n tin g e n c y p la n .

Communicating to stakeholders any transferred liability at the end of a program could be through
an end of program meeting using project management software reports and any further recorded
documentation (for example risk registers) to support what the risks are and why they remain.

BSBPMG632 Manage program risk | 29

 Activity: Read and discuss

Review the following articles on residual risk:

https://project-management-knowledge.com/definitions/r/residual-risk/
https://www.wallstreetmojo.com/residual-risk/
https://simplicable.com/new/residual-risk
 What are the four examples of residual risk?

 State how each of the four residual risks can be managed.

Note key learnings from articles, your trainer/assessor will facilitate a discussion.

Assessing the risk management methodology

The only way that a program manager will fully understand the effectiveness of the risk
management methodology used, is by reviewing and analysing the program outcomes as well as
gaining feedback from stakeholders.
A review of program outcomes can identify how well policies, procedures, processes, standards,
and the risk assessment process worked. Program outcomes could also include scheduling,
costing, timings, deadlines, performance, communication and the actual outputs and deliverables
from the projects undertaken.
A program manager may need to review:

 policies and procedures

 decision support systems

 internal standards dealing with risk management and compliance

 risk management plans and controls

 reports or data analysis from information systems such as the risk register or risk treatment
plans

 progress reports, reviews and outcomes from project meetings relating to risk management
performance.
Furthermore, there will be information from the way in which the risk management methodology
was undertaken in practice. If it was consistent across the organisation, if the processes and
systems worked effectively, what went wrong and why. To do this a program manager may need to
meet with the project managers, key stakeholders and sponsors or create a method for seeking
feedback via a questionnaire or requesting feedback.
The questions include but are not limited to:

 Did the risk management methodology help with making the program/project successful?

 Did it meet the requirements of the company?

 Did it help make better decisions?

BSBPMG632 Manage program risk | 30

 Was the risk management methodology clearly communicated and explained?

 Were all relevant risks identified, communicated and their impacts explained to key
stakeholders?

 Do they see the value in risk management activities?

 How can risk management methodology be improved?

The information from these meetings or from feedback received can be used to understand what
needs to be improved or identify any gaps. For example:

 The suitability of the framework, tools and techniques used to manage risk.

 If the current risk management process is effective and how well it integrated across the
organisation.

 How well the governance, control and reporting mechanisms worked.

 The effectiveness of systems, processes and support for managing risk.

 If a different approach to risk management is required due to particular kinds of risk that exist
in the organisation.

 Whether the methods implemented effectively provide a comprehensive and correct

understanding of organisational risks.

 if the methodology being used creates an effective risk culture.

 To understand if the risk profile of the organisation varies from the actual risks reported.

 Strengths and weaknesses of the framework being used.

 Using feedback to identify any gaps.

 Identifying any miscommunication, misunderstandings or barriers to the risk management

methodology being used.

Activity: Read

Read the following articles. These will be useful for both program and project
managers.
Questioning Techniques:
https://www.mindtools.com/pages/article/newTMC_88.htm
Managing communications effectively and efficiently:
https://www.pmi.org/learning/library/managing-communications-effectively-efficiently-
5916
Note key learnings from the articles and take any notes to summarise what you have
read and keep for future reference.

BSBPMG632 Manage program risk | 31

 Activity: Report

Research and document your findings on the following.

 Provide a step-by-step process that program managers could follow to evaluate

the effectiveness of a risk management methodology used for a program.

 What elements of risk management planning and outcomes should program

managers communicate with stakeholders?
Your document should be approximately one page, and be written in clear and
concise English. Submit your document in a professionally written and structured
report format to your trainer/assessor for feedback.

Lessons learned
The program manager can then use the
review and feedback to analyse and
document an evaluation report and
recommend lessons learned for future
programs.
Lessons learned is the knowledge that
has been collected and understood from
the program upon completion. Both the
negatives and positives of the program
can be used to ensure future programs
are improved.

Image by Campaign Creators on Unsplash

Lessons learned follows a common process:

Analysing feedback, Reporting on lessons learned in a structured

recommendations and document kept for historical records and future
knowledge. reference.

Distributing knowledge on lessons learned for

Ensuring lessons learned are
modifications or information for project
accessible and available.
managers to be integrated.

BSBPMG632 Manage program risk | 32

You can imagine with all the complex information it could be quite a big task, however it is well
worthwhile so usually a structured report is used to record and distribute the information.
Broadly, it could include:

 an overview of lessons learned or an executive summary

 a list of findings

 supporting evidence or documentation

 recommendations

 any actions required to be completed.

Activity: Watch

Watch the following video, highlighting the golden rules of knowledge management
that relate to lessons learned in project management.
Video: https://www.youtube.com/watch?v=pXEIyhwdsjQ (00:57)
Write down your key takeaways.
After watching the video take a moment to reflect on how knowledge management
can support lessons learned.
Would a wiki be a useful tool for communicating lessons learned? Research and
write down some strengths and limitations.
Your trainer/assessor will facilitate a discussion.

Activity: Group work

Refer back to your group work.

You are to assess the project and program risk-management outcomes. Document
the following:

 Residual risk.

 A review and analysis of program risk outcomes.

 A lessons learned report.

Submit to your trainer/assessor for feedback upon completion of the activity, but
within the timeframe allocated.

BSBPMG632 Manage program risk | 33