A challenge that has been raised by several Clients, and is also a discussion stream of the ISO 31000 LinkedIn group, is whether aggregating risks to enable an overall risk rating is appropriate. When it comes to projects (and which organisations do not have projects?), this is fraught with difficulty. There are two aspects to consider:

The first is project phase. Risks at the start of a project are large in number and often analysed as high, which reflects the fact that there is a lot of uncertainty at the outset. Over the planning phase the risks reduce (e.g. through design). At the end of a project there are no risks. Hence the risk profile changes dramatically over the life of a project, which is often a relatively short period of time. Given that projects will generally be at different phases, what is aggregation (say on a monthly basis) going to tell us?

The second factor is project type. Which is more risky: an IT, construction or change management project? Within each of these types are subsets: large vs small, leading technology vs BAU, new vs long-term Client, etc. An organisation can certainly have all these project types underway at the same time. Hence aggregation is a challenge, and rolling up analysis for an overall risk rating could be quite misleading.

One way of addressing this challenge is gatekeeping. Good governance normally requires projects to pass through various approval gates. The risk profile for specific project types at prescribed gates should be similar. If it is not, this should be a signal to senior management to delve deeper.

With the right toolset, roll-up by project type at prescribed gates is both possible and appropriate. If you would like further information or wish to comment on this brief blog, please contact us at queries@risktools.com.au.