Risk Assessment PMO Briefing 31st January 2018
What is Risk Management? It is about being aware of things that could adversely affect your project (risks) and putting in place actions (controls) to reduce the likelihood of them occurring in so far as is reasonably practicable.
Risk vs Issue: A risk is something that COULD happen. An issue (incident) is something that HAS happened.
Risk and Project Management: Project risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective. Risk management focuses on identifying and assessing the risks to the project and managing those risks to minimize the impact on the project.
HSE Framework for Risk Management
Risk Assessment Key Messages: Risks that require a management plan to address them should be formally assessed. Risk assessment should be carried out by someone who knows the subject matter relating to the risk.
Start by Establishing the Context: Different levels in a Division have different contexts. The higher the level, the more likely the context is strategic. The more you move down, the more operational the context will be. (Diagram labels: Strategic, Operational)
Let's say the structure is… [Organisation chart: PHSI; Project 1; Project 1a; Project 1b; Project 2; Project 3; Project 4…; Project 4a; Project …18]
Let's say the structure is… [Same organisation chart] Context: Achievement of overall objectives of the Programme. Context: Achievement of objectives of Project 1. Context: Achievement of objectives of Project 4.
Let's say the structure is… [Same organisation chart] Context: Achievement of overall objectives of the HSE Leadership Team. Context: Achievement of overall objectives of the Programme. Context: Achievement of objectives of Project 1. Context: Achievement of objectives of Project 4.
The importance of the Risk Description: The quality of the risk assessment is critically dependent on a good risk description.
Characteristics of a Good Risk Description: The ‘ICC Rule’ – Impact, Cause and Context. Risk of harm to patients (Impact) due to a failure to comply with infection prevention and control standards (Cause) in X service (Context).
Characteristics of a Good Risk Description: The ‘ICC Rule’ – Impact, Cause and Context. Failure to meet project objectives (Impact) due to a failure to manage critical dependencies (Cause) in PHSI Project 4 (Context).
Identifying Controls: Next ask a number of questions. What should be in place if this risk is to be managed? Of these, what is in place? Are there any ‘yes but…’ answers?
How do I identify the controls that should be in place? Are all the controls listed in place? [Form: Risk Description (enter risk description here) | Controls Required to Manage the Risk (list here, one per line) | Yes | No | Yes But…]
Existing Controls: Those controls that are in place, i.e. ‘Yes’ answers. Those elements of the ‘Yes but…’ answers that are in place.
Rating the Risk: Taking account of the EXISTING CONTROLS only, and using the HSE’s Risk Assessment Tool, assign an impact score and a likelihood score. Risk Rating = Impact × Likelihood.
HSE Risk Assessment Tool
Additional Controls (Actions) Required: 1. Controls that should be in place but are not in place. 2. The balance of the ‘yes but…’ controls required.
A word about actions! They must be SMART. They must have a deliverable attached. They must be assigned a ‘due date’. They must be assigned to a named person for completion.
Rules for assigning actions: To the manager. To a member of their team. To their manager.
What if my manager does not accept an action? Rule 1. You are responsible for those actions that are within your span of control to manage. Rule 2. You are responsible for communicating to your line manager those actions that are outside of your control. Rule 3. Your manager must consider actions communicated to them and make a decision, the outcome of which they should communicate to you.
Managing and Monitoring Risk Registers, Key Messages: Include formally assessed risks on the risk register. Monitoring relates both to the robustness of existing controls and to the completion of additional controls required. Decisions to close or monitor a risk will relate to changes in the rating of the risk, i.e. that the level of risk is acceptable.
Re-rating Risk: Depends on a review of the ‘existing controls’, e.g. where actions have been completed they become ‘new existing controls’ and may serve to reduce the likelihood of the risk occurring. Or conversely: where controls that existed at the time of assessment no longer exist, it may serve to increase the likelihood of the risk occurring.
Any Questions?