WILSON PROGRAMME BOARD
Date of Meeting: 8th June 2017
Agenda No: 6
Attachment: 5
Title of Document:
Purpose of Report:
Wilson Risk Management Strategy
For Approval
Report Author:
Lead Director:
Sue Howson
Andrew McMylor
Contact details: Programme Director: Sue Howson
Executive Summary: The Risk Management Strategy sets out the process for managing
risks within the Wilson Programme.
It sets out the methodology for the identification, scoring, mitigation and management of
risks.
Key sections for particular note, areas of concern etc. (paragraph/page):
Pages 6 and 7. The Programme Board are asked to review and agree the tolerances
within the two tables regarding cost and delay.
Recommendation(s):
The Programme Board is asked to review and approve the Risk Management Strategy.
Committees which have previously discussed/agreed the report:
None
Financial Implications:
None
Organisational implications: (CCG Governing Body / LBM Cabinet / CHP / NHSPS) None
How has the patient/user’s voice been considered in development of this paper:
N/A
Other Implications:
N/A at this stage
Equality Assessment:
N/A
Information Privacy Issues:
N/A
Communication Plan: (including any implications under the Freedom of Information
Act or NHS Constitution)
N/A
!
Wilson Programme
Risk Management Strategy
01 June 2017
Version 0.2
1 Introduction
The purpose of this document is to provide a consistent process for the management of
risks across the Wilson Campus Development programme. It defines risk management in
respect of the standards, processes and procedures to be employed in the identification,
analysis, quantification, mitigation, escalation and documentation of risks.
This document describes the process for resolving:
•
Project Risks - risks that can be resolved within a project team.
•
Programme Board Risks - risks that are either of a strategic nature, have a major
impact on service operations or project milestones, or require senior stakeholder
direction or action.
•
Programme Risks - risks that cannot be managed at the project level or affect
multiple projects within a programme
The audience for this document is members of the Wilson Programme Board, Project
Team members and all participants in the project work streams.
2 Risk Management Framework
2.1 The Aims
The aim of risk management is to improve the likelihood of the Project or Programme
achieving its stated objectives.
The risk management process is designed to:
• Focus the Programme Board and senior management team on the major risks that
threaten project delivery and objectives;
• Provide a clear picture of the major risks facing the programme, their nature,
potential impact and likelihood;
• Establish a shared and unambiguous understanding of what risks will be tolerated;
• Actively involve all those responsible for planning and delivery of the programme’s
key deliverables and benefits;
• Embed risk awareness and management in planning and decision making
processes; and
• Enable and empower managers to manage those risks within their area of
responsibility.
Wilson Programme/Risk Management Strategy /01 June 2017
page 2/11
2.2 The Objectives
The objectives of a risk management system is to ensure:
• Early identification and management of risks;
• Proper analysis, evaluation and quantification;
• Clear and consistent assignment of ownership and management;
• Comprehensive identification, definition and evaluation of appropriate mitigation
routes;
• Clearly defined policy, standards, processes and procedures; and
• Robust documentation for audit purposes.
A common problem when identifying and scoring risks is the confusion between what is a
risk and what is an issue. The following definitions should assist with clarification.
• A risk is something that might happen and needs a mitigation/management plan to
either avoid it materialising or minimising the impact.
• An issue is something that has happened and needs to be managed with
immediate effect.
3 Risk Management Process
Risk analysis and management are on-going processes incorporated throughout the life of
a programme or project and are the responsibility of
all staff involved with a project or
programme. The responsible managers will keep stakeholders informed of risks identified,
action taken where appropriate and the success of those actions.
There are three parts to the risk management process:
1.
Analysis - identification, definition, and assessment of probability and impact.
2.
Management - risk mitigation strategy and plan, monitoring and control of actions
employed to deal with the threat, and problems identified in analysis.
3.
Reporting - all risks raised will be recorded on the project risk register and will be
owned by the Programme Director. Reporting of risks will be carried out on a
regular basis in accordance with the agreed Governance structure and terms of
reference.
Wilson Programme/Risk Management Strategy /01 June 2017
page 3/11
3.1 Risk Analysis
Identification of risks is an ongoing process but gets the best results when done on a
group basis at key intervals – such as the initial business case development stage, and
again during Project Initiation. The process involves:
• Identification of potential risks that could adversely affect the impact and efficient
delivery of project and programme objectives and benefits.
• Assessment of the importance, probability and the impact of each risk
• A decision as to whether the level of risk is acceptable
• Identifying courses of possible actions to be taken to reduce the probability or
impact of the risk materialising.
3.2 Mitigation strategy and monitoring
Based upon the level of concern and controllability for each risk, the Risk Owner will
decide on the risk mitigation strategy and associated actions i.e. whether to accept, treat,
or transfer the risk, and ensure those actions are carried out as required. The Risk Owner
at least monthly (more frequently for red and amber/red risks), will review and monitor
progress and consider the effect on the overall risk rating and report to the Programme
Director so that those changes and updates are reflected in the risk register.
3.3 Contingency planning
Where the risk has a high risk rating (Red) contingency plans will need to be developed to
address the consequences of the risk materialising.
3.4 Escalation
Risks will need to be escalated to the next level of seniority (i.e. individual or group) and
the escalation recorded in the risk register where:
• The risk is of significant concern (red) – escalate to the Wilson Programme Board
or CCG Governing Body;
• The risk is outside the authority, responsibility or control of the risk owner;
• The risk relates to more then one managers area of responsibility; or
• Actions to manage the risk require additional resources or the action requires
approval elsewhere
The escalation or transfer of the risk will be authorised by the Programme Board. If action
is required in between Programme Board meetings the SRO will take on that
responsibility.
Wilson Programme/Risk Management Strategy /01 June 2017
page 4/11
3.5 Transfer
When the risk actually happens it becomes an issue and should be transferred to the
‘Issues’ log. If a risk affects the project but is outside the remit of the Project team or
Programme Board it should be transferred to the most appropriate corporate governance
body and managed therein. A watching brief within the programme or project will be
required.
3.6 Reporting
Up to date risk reports are provided for the Project Team and Programme Board meetings
on a timely basis for review with a focus on amber and red/amber risks within the Project
Team and amber/red and red risks at the Programme Board.
4 Risk Assessment
4.1 Risk Categories
The risks identified within the risk register are categorised by the type of risk that they
pose. In categorising the risks it is important to identify the main cause of the risk, not the
impact. For example a design risk around the fit out of the x-ray department is what
triggers the risk to be placed on the register, the impact may be financial and affordability
but is not the causative factor.
The categories currently utilised are:
•
Strategic and Political – likely to be external to the organisation and difficult to
mitigate/manage
•
Information Technology – a risk with the technical aspects of software/hardware
compatibility, delivery or equipment
•
Design and Planning – having an impact on the design of the facility or planning
approvals with the potential knock on impact on cost or programme.
•
Procurement – mainly related to the timescales for the procurement of services,
equipment or property
•
Funding/Financial/Affordability – lack of available funding, increased costs
leading to an unaffordable scheme
•
Capability and Capacity – risks associate with the lack of a skilled resource or
limited resource.
•
Construction – has an impact on the timescale and potentially cost of the
construction of the facility
•
Clinical Commissioning – related to the commissioning of clinical services to be
provided within the centre
Wilson Programme/Risk Management Strategy /01 June 2017
page 5/11
4.2 Assessment Matrix
The assessment matrix provides a framework for assessing and measuring identified
risks, which will be reviewed at various points within the governance structure to ensure
appropriate priority and visibility is assigned to it
Whilst risks will occur from various diverse routes, it is essential that the standards for
assessing the probability and impact of occurrence of each risk should be subject to the
same criteria across the whole project/programme. This will allow the risks to be
managed consistently, at the appropriate level and given the appropriate attention and
visibility.
Risk evaluation and quantification comprises of scores of three types:
•
Impact – the level of impact on project objectives and business that would arise
should the risk materialise;
•
Probability – the likelihood of the risk arising; and
•
Proximity – when the risk is likely to occur. This assists with prioritisation and
urgency associated with managing the risk.
The scores and associated descriptions are shown in the figures below.
Figure 1. Scoring Protocol – IMPACT
Impact Rating
Impact Description
Impact on Cost
1 – negligible
It will have little effect on project milestones,
No additional cost
timescales or achievement of objectives or benefits
2 – minor
It may delay delivery or quality of one or more
No additional cost
deliverables but not delay the overall project or
affect achievement of objectives or benefits
3 – moderate
A project milestone is delayed which could extend
Additional cost by up to [x]%
timescales but is unlikely to materially affect
successful delivery of the project objectives and
benefits
4 – major
It is likely to delay the achievement of a number of
Additional cost by up to [x]% to
project milestones or a major milestone which could [x]%
significantly extend timescales. Successful delivery
of the project objectives and benefits could also be
materially impacted.
5 - catastrophic
Project objectives no longer achievable or major
Additional cost over [x]%
reduction of benefits due to significant time, cost or
quality issues.
Wilson Programme/Risk Management Strategy /01 June 2017
page 6/11
Figure 2. Scoring Protocol – PROBABILITY
Value
Impact Description
1
Rare – it is highly unlikely that this risk would materialise – less than [x]% chance
2
Unlikely - it is unlikely that the risk will materialise – less than [x]% chance
3
Possible – Could happen – [x]% - [x]% chance
4
Likely - Often a risk that is outside your direct control or influence – [x]% - [x]% chance
5
Almost certain – 80%+ chance. Often a risk that is outside your direct control or influence.
Figure 3. Scoring Protocol – PROXIMITY
Score
Proximity
1
9 months +
2
6 – 9 months
3
3- 6 months
4
1 – 3 months
5
< 1 month
The impact score multiplied by the probability score give the overall risk score.
Figure 4. RAG rating
IMPACT
Negligible
Minor
Moderate
Major
Catastrophic
PROBABILITY
1
2
3
4
5
Almost certain
5
5
10
15
20
25
Likely
4
4
8
12
16
20
Possible
3
3
6
9
12
15
Unlikely
2
2
4
6
8
10
Rare
1
1
2
3
4
5
Wilson Programme/Risk Management Strategy /01 June 2017
page 7/11
The risk scores determine the amount and urgency of mitigation action and monitoring
required in effectively managing the risk.
The proximity score provides another dimension for prioritising mitigation and focusing
resources for effective risk management.
The gross risk score is calculated by:
Impact x Probability x Proximity
The figures below provide guidance on the actions required.
Figure 5. Risk Management – actions
Risk score 15-25
Close monitoring by Project Board
High or very high exposure
With Proximity 50-125
Urgent need to consider additional mitigation action
Contingency plan required
Risk score 8-12
Close monitoring by Project Director and Work Stream
Leads
With Proximity 20-50
Urgent need to consider additional mitigation action
Contingency plan required
Exception reporting on increasing severity to red
Risk score 4-6
Medium exposure
Need to consider additional mitigation measures
With Proximity 8-18
Close monitoring/management by risk owner
Review by Project Director and Work Stream Lead
Risk score 1-3
Low exposure
Monthly monitoring by risk owner
With Proximity 1-6
Could consider relaxation of control to divert resources
4.2.1
Risk Status
The Project Manager updates the risk status depending upon progress with management
and resolution.
•
New – a newly reported risk within the month
•
Open – the risk has been assessed, a risk owner identified and is being actively
managed
Wilson Programme/Risk Management Strategy /01 June 2017
page 8/11
•
Escalated – the risk has been escalated to the Programme Board or other
governance body for review and advice
•
Transferred – either the risk has materialised and has been transferred to the
issue log, or has been transferred out of the project to another body to manage
•
Closed – the risk has been resolved or its consequences accepted.
4.3 Mitigation Strategy
A risk mitigation strategy seeks to mitigate the risks and safeguard the delivery of the
project/programme and its objectives and indeed the investment being made in the
scheme. This is achieved through proactive actions that reduce either:
a) The probability of a risk occurring; or
b) The impact of the risk.
The mitigation strategy comprises of 3 approaches to deal with the risk
•
Acceptance - accept the risk but take no pre-emptive action to resolve it (unable
to address the risk or not cost effective to do so), but consider contingency plans
should the risk materialise.
•
Manage - develop a mitigation plan to reduce probability and or impact
•
Transfer - the risk is moved to another individual, department or function, to
manage
The proposed mitigation is summarised on the risk register. Where the risk is deemed to
be significant i.e. red, a detailed mitigation action plan and contingency plan (proposed
pro-forma at appendix A) will be prepared and presented to the Programme Board. This
provides team members, and managers with clarity of the action that is expected from
them while the Programme Board, senior management and other governing bodies have
the knowledge of the steps being taken on their behalf to reduce the risk.
5 Roles and Responsibilities
5.1 Programme Director
The Programme Director is responsible for ensuring that all risks have been assigned a
Risk Owner and are actively being managed. The Programme Director is specifically
responsible for:
• Ensuring all Programme/Project risks are identified and captured on the risk
register
• Check the assessment (RAG) and mitigation strategy and category for all risks
Wilson Programme/Risk Management Strategy /01 June 2017
page 9/11
• Ensure all Risks are assigned with the most appropriate Risk Owner with the
authority and responsibility to manage them
• Review any with risks increasing severity (Amber to Red based on pre-mitigation
score)
• Escalate risks to the Programme Board for consideration when mitigation is
outside the Programme/Project manager’s jurisdiction, or additional support
outside of the Programme/Project is needed
• Consider if there are new unidentified risks
• Ensure the top 3 risks are reported on the monthly work stream progress reports
and the Programme highlight reports
5.2 Programme Board
The Programme Board is accountable for the overall management of the
programme/project risks and is required to review the Board level risks as a standing
agenda item. They should:
• Review and monitor all Red risks on the register and as a minimum examine in
detail all risks with a score of 16 to 25.
• Identify strategic risks and mitigation
• Allocate as necessary resource to support the risk management process
• Agree the overall risk tolerance level (risk appetite)
• Provide direction to the Programme Director as required for management of risks
5.3 All staff
To be alert to possible risks and to raise these with the Programme Director.
Wilson Programme/Risk Management Strategy /01 June 2017
page 10/11
APPENDIX A – Contingency Plan
Risk ID:
Date Raised
Risk Owner:
Risk Actionee:
RAG Status
Proximity:
Risk Description:
Impact Description:
Proposed Mitigation:
Action
Actionee
Deadline
Contingency Plan:
Action
Actionee
Deadline