A risk ‘owner’ should be identified for each risk, who should be the person best situated to keep an eye on it. The Project Manager will normally suggest the ‘owner’ and the Project Board should make the decision.
Project Board members may be appointed ‘owners’ of risks, particularly risks from sources external to the project.
Allocating ownership of the risk process as a whole and the various components is fundamental from the outset. When describing who owns the various elements of risk, it is important to identify who owns the following:
- The risk framework in totality
- Setting risk policy and the project team’s willingness to take risk
- Different elements of the risk process, such as identifying threats, through to producing risk response and reporting
- Implementation of the actual measures taken in response to the risks
- Interdependent risks that cross organisational boundaries, whether they be related to business processes, IT systems or other projects.
Overall ownership of the Risk Log is likely to lie with the Executive. However, the Executive will need to ensure that the people who own the various parts of the risk process are clearly defined, documented and agreed, so that they understand their various roles, responsibilities and ultimate accountability with regard to the management of risk.
Normally the risk ‘owner’ will have the responsibility of monitoring each risk. If the owner is a Project Boardmember, the actual task of monitoring maybe delegated, but the responsibility stays with the owner.
The Executive, for example, has ultimate responsibility for monitoring any risks or opportunities facing the Business Case, particularly any external ones, such as changes incompany policy.
The Project Manager has the job of keeping a watching brief over all risks and checking that the defined actions, including monitoring, are taking place and are having the desired effect.
Risks owned at team level should be reported on in the Checkpoint Reports.
The Project Manager includes some form of report on any significant risks in the Highlight Report. The End Stage Report also summarises the risk status.
Where a risk or opportunity actually occurs, the Project Manager will either instigate contingency action, or deal with the issue under Change Control.