
Risk Management starts at the very top of the company

Program Risk Management: “Promotion of a risk aware culture starts at the very top of the organisation, with the CEO and the Board.”

Bryan Barrow is a project management consultant and a speaker on all topics relating to risk management. In the master classes at the Nordic Project Zone event (25 – 27 November 2013, Copenhagen) he talks about risk management in a keynote and in a workshop. As sponsor of the Nordic Project Zone, Can Do presents a project management interview with Bryan Barrow. For more information about the risk management expert visit

Nordic Project Zone (NPZ): How do the objectives of project risk management and risk management at the programme level differ?
Bryan Barrow: Projects are about delivering outputs. They are tactical, they have a defined project scope and they have limited budgets, time and resources. The objective of risk management at the project level is to ensure the delivery of the project outputs; project risks are consistent with their scope and can transfer risk outside the project. Programmes, on the other hand, are about delivering business benefits, or outcomes. They are strategic, have a fixed budget envelope, have an evolving scope, and they may run on until the benefits are achieved.

Each individual project seeks to deliver a part of a programme. The programme itself delivers not just the total set of outputs from the collection of projects, but the business benefits themselves. The objective of risk management at the programme level is therefore about ensuring the delivery of the strategic benefits of the programme to the organisation.

NPZ: Do these differences create a conflict? If so, how can these differences be managed?
Bryan Barrow: Now these two objectives should be complementary, or harmonious, but they can create conflict. A couple of immediate examples that come to mind are conflicts over budgets, where two projects are competing for the same funds, and conflict over resources needed for projects in the programme, especially where pinch-point or bottle-neck resources are involved.

A more significant conflict is over scope. As the programme has the responsibility, and the power, to determine scope it can decide where risk needs to be managed. You may not want to accept a change to your scope if you believe that with it comes risk that you feel will be difficult to manage.

A final one is conflict over schedule. Since one of the aims of programme risk management is to ensure the optimum use of resources across the programme it may be that one project may be impacted by changes to the programme’s schedule, having to slow down or speed up in order to meet a delivery deadline imposed on it in order to meet a dependency date.

There are several ways to manage these conflicts. One way is to make sure that the projects are fully aligned with the aims of the programme, so that individual projects recognise the programme objectives as their own. Another is to ensure that the risks associated with potential areas of conflict are clear, are communicated and can be managed by, and within, the programme. A third builds on the second by creating a joined up approach to managing risk, managing risk at both project and programme level so as to overcome the tendency to manage in isolation or silos. A fourth is to align incentives and performance goals with the programme, so that people are incentivised to act in the best interests of the programme rather than their own individual performance objectives. Underpinning all of this though is the need to create a risk aware culture.

NPZ: How does having a risk aware culture differ from having a risk management strategy or framework? What are some key ways to promote having such a culture in an organisation?
Bryan Barrow: Risk strategy aims to identify which risks are important to the organization; which ones are opportunities and which are potential calamities. The strategy provides the rationale for managing risk.

Risk frameworks, on the other hand, provide the tools, artefacts and processes for the consistent management of risk. These frameworks can be specific to a programme or else can be part of an enterprise risk management system.

Risk culture is different. It is more than just the tools and artefacts. It includes the values, beliefs, behaviours and attitude of the organisation. A risk aware culture provides the motivation for managing risk. If strategy provides the targets and frameworks provide the bows and arrows, risk culture provides the skills – and the desire – to take aim and fire.

Promotion of a risk aware culture starts at the very top of the organisation, with the CEO and the Board. They have a profound influence on the culture of the organisation. The Board decides the organisation’s goals, activities and priorities. The Board decides the level of risk that it is willing to take. The Board decides, through the use of financial and other incentives, which behaviours to reward and through this determines the behaviours of everyone else in the organization.

Promotion of a risk aware culture continues through the use of good programme risk governance, through the development of the risk function and through the promotion of risk management as a specialism in the organization.

At the individual level a risk aware culture is best strengthened through the use of risk management training, coaching and mentoring, so that values, skills and beliefs are embedded. Training provides the skills and capabilities. Coaching provides the self-learning, the motivation and the drive. Mentoring provides for the transfer of knowledge and skills across teams, departments and generations.

NPZ: How can risks be effectively communicated with different stakeholders?
Bryan Barrow: There are a number of different audiences for information on risks. There are also a number of different requirements or needs that may be satisfied. It is no surprise therefore that there are a number of different ways that risks can be communicated. This can be through specific risk artefacts such as risk registers, risk matrices, s-curves, heat maps, risk influence charts, exception reports. This can also be through more general forms of communication – newsletters, bulletins, slide decks, presentations, webinars, talks at team meetings, podcasts, tweets and status updates.

The best communications have a number of common features. Firstly, they take into account the needs of the specific audience; they answer the question “What’s in it for me?” or “Why are you telling me this?” Secondly, they are adapted or constructed to cater to that audience or group, whether they be the project board, the project team, other projects and programmes, people impacted by the risks, or regulators and other governance bodies. Thirdly, they provide positive influence; that is not to say that the communications are always positive in nature, but instead they are aimed at facilitating actions. Fourthly, they are timely, so provide the information that is needed when the recipients are most disposed to receiving it. Finally, they are consistent so do not fall off after an initial burst of enthusiasm.