Project Management Central

Topics: Risk Management
Enterprise risk management versus project risk management?

There have been discussions about what risks a project should own. My philosophy is that my project should focus on risks that are not already managed at the enterprise level.

For example, you could say one of the project risks is the cessation of work due to a natural catastrophe. As a project manager, I would verify that there are already enterprise mitigation and contingency actions in place, such as alternate sites and a business continuity plan.

At that point, there is very little benefit in retaining that risk in the project register since it is already in the enterprise register, being managed by dedicated risk managers.

How do you handle project risks that are already identified as enterprise risks?

It is a great topic, Stéphane. I am leading a huge program where one of the strategic requirements is to align organizational risk management to all the other areas where risk must be taken into account. This is close to the end and it demanded three years. The taxonomy could be seen as a big tree. In our case, organizational risk management is the driver. All the other actions regarding risk management (project risk management, for example) are derived from organizational risk management. And as you mentioned, it was a top-down/bottom-up work where some project risks helped to change the organizational risk definition too.

That's great to hear, Sergio. I totally agree that projects would likely be the harbinger of new, unidentified risks. I like the fact that you have a process to ensure project risks are migrated, as necessary, to an organization risk register.

Interesting question, Stéphane. In a high-functioning organization I would say yes, your approach is fine. If, however, an organization is not as mature and risks aren't well managed, then you'd need to make sure you take them into account for your project. I will caveat that, though: certain risks, such as what you mention, "natural disaster", are more project specific. While working on government projects for secondary disaster recovery sites, this risk came into play for the project in a big way. At the end of the day, we as Project Managers still own the risks for our project, and while I'd like to trust that someone is keeping an eye on the high-level risks, I would need to make doubly sure that is so.

It is an unfortunate reality, Liana, that projects often force maturity to their organizations.

We need to feel comfortable that risks that affect our projects are properly handled, whether within our projects or at the enterprise level.

Interesting. The level of maturity of the organisation will have an influence. If the organisation uses some level of risk management, your assumption is a good starting point.
Would the mitigation put in place at the corporate level cover the project? Not in all organisations or in all cases.
Backing up a corporate server with a UPS looks very good; it keeps the server running in case of a local power shortage. Users in the building are covered, but what about off-site installations?
I think it is case by case.

I can certainly see cases where the enterprise's management of a project-affecting risk is insufficient for your project. I could definitely see the project having supplementary risk management to mitigate the risk down to a lower severity level.

I can also see cases where an enterprise risk needs to be managed at the project level. The first that comes to mind is reputation.

How would that work, Vincent?

Organisations that do projects for others build their reputation on projects. They also put it at risk in each project.
The risk is an enterprise risk, but most of the risk management needs to be done at the project level.
Let's say the enterprise has the reputation of delivering projects on time. The risk of losing this reputation stands in each project. It is not one project failing that will break that, but a series will have an impact.
Delivering is a responsibility of the project and needs to be managed there.
Hope it answers.
1 reply by Stéphane Parent
Aug 14, 2017 7:29 PM
Stéphane Parent
If a company has a reputation for delivering on time, would your project not be framed by organizational assets, processes and units to ensure you can sustain and maintain that reputation? I can't imagine the organization would leave it in the sole hands of the project manager to not blow their image.

I agree that your project should focus on risks that are not already managed at the enterprise level. But as the PM, you should also be aware of the Organizational risk, and the likely impact to your project.
1 reply by Stéphane Parent
Aug 14, 2017 7:30 PM
Stéphane Parent
Absolutely, Horace. You should not only be aware of enterprise risks, you should be ensuring that they are managed to the level necessary for your project.