Risk management is a major topic in project management practices.
The staff assigned to the implementation of risk mitigation measures shall implement Critical Risk Mitigation Plans in the specific planning areas, in accordance with the specific responsibilities assigned.
Risk mitigation plans include:
- Detailed control of the activities for prevention of each risk, by applying specific measures.
- Performing activities to limit the risk to the minimum possible levels.
During the Annual Workshop, the activities and methods necessary for risk reduction are approved. They must be approved by the head of the Risk Managing Authority. Reference: Methodology for risk assessment and project risk management, mmrls.org
Different methods of risk management are possible:
Risk avoidance: Reorganize the process or activity so as to completely avoid the risk. For example: If a private enterprise is designated as a beneficiary, the risk will be eliminated by exercising increased control by the public authority over all important project implementation activities, as well as giving mandatory instructions to the private entity.
Diversification: The distribution and sharing of risks between individual activities, organizations and employees, to such an extent as to minimize (limit) the level of risk. Reference: Risk Management in Project Management practices, brightonbot.com, October 8, 2019
Risk control: The development and implementation of controls for the prevention, detection or correction (regulation) of the causes of risk, cases of risk and their consequences. For example: The introduction of a checklist for prepayment and the principle of double signature.
Risk allocation: The allocation of risk between partners, participants (counterparties) or various contractual parts of market risk in public-private partnership schemes.
Risk transfer: Transfer of risk to the other partner. For example: One organization transfers the risk to another.
Acceptance of risk: Exclusion of the presence of inappropriate or insignificant risks and the use of other management techniques. The choice of the most appropriate method involves balancing the implementation costs for each option in relation to the benefits arising therefrom. Reference: The Qualitative Approach to Project risk assessment, Agile Programming (agileprogramming.org), ISSN 2652-5925, 2020
For example: The risk of employees not being able to cope with the mid-term evaluation due to lack of competence and experience can be ignored, as staff training is very expensive and can take a long time without a reliable result.
Therefore, the lack of competence is ignored and another solution is sought.
In conclusion, the cost of risk management must be proportionate to the benefits obtained.
The preferred methods are those in which a large risk reduction can be achieved at extremely low cost. However, the approach also requires taking into account risks that are less likely but have a high degree of impact, for which a decision from a narrow economic point of view is not justified.
In many cases, it turns out that using just one method is not enough for a specific risk. It is often necessary to use a combination of methods to reduce the risk. Reference: Managing Risks: A New Framework – Harvard Business Review
Risk control and monitoring of the risk mitigation process
Risk management is an ongoing process. Although regular risk workshops are held once a year, risk assessors, as well as the composition of the Managing Authority, should periodically review the results of risk identification and management and, in the event of a new risk, present it to the internal meetings and propose restrictive measures.
When a new risk is identified, it is considered at an internal meeting. If it is decided at the internal meeting that measures should be taken to limit this risk, the risk will not be assessed in the way it is at the Risk Annual Workshop. Internal meetings should nominate a person in charge to prepare a risk mitigation plan for the specific risk, as well as to inform the Chair of the Annual Workshop of the decisions taken.
The Manager of the Annual Risk Workshop receives a copy of the risk reduction plan and adds this plan to the Risk Management Plan. The managing authority shall approve the risk management plan. Risk mitigation may lead to the introduction of new procedures based on the principles of efficiency, prudence, and / or new activities.
In order to ensure consistency in the monitoring of the risk mitigation process, as well as subsequent risk management, the measures are the following:
- maintaining a risk database;
- holding quarterly internal meetings to review risk management and mitigation.
The risk database consists of the following elements:
- Complete list of risks and results of risk identification and assessment;
- Risk management plan – a list of critical risks, the reduction of which is defined by people;
- Risk mitigation plan.
The risk database is maintained by the Chair of the Annual Workshop. The responsible persons who need to update the risk mitigation plan must send the plans in electronic form to the Chair before the quarterly meeting, who in turn is required to update Part 3 of the risk database.
Quarterly risk mitigation meetings
The quarterly internal meetings review the ranking in the full list of risks (part 1 of the risk database), their criticality and probability. At each quarterly meeting, those responsible shall prepare an updated plan for risk mitigation and risk control, as well as review the risk mitigation process.
All other risks in the list of risks are also reviewed and addressed, and if necessary, some of them are defined as “critical”. The managing authority, following a report from an internal workshop, may decide to take further specific measures regarding this risk, such as: to add the new critical risk to the risk management plan and to select a person in charge to prepare a plan for its restriction.
The decisions of the internal meetings also include information on:
- Availability and adequacy of risk management measures;
- Need to create new measures for new critical risks;
- Need to change risk management measures where the measures taken have proved insufficient;
- Need to reduce risk management measures when they are unnecessary;
- Need to set deadlines and responsibilities for the implementation of the above activities;
- Informing the internal audit unit about the undertaken activities and improving the internal audit plans based on the received information.
The quarterly internal meetings must be attended by:
- Representatives from the management of the managing authority and the regional departments;
- The Chairman of the Annual Workshop;
- Those responsible for critical risks.
Other participants may be appointed by the managing authority.
COORDINATION AND COOPERATION WITH THE INTERNAL AUDIT UNIT
Data exchange between the Risk Management Authority and the Internal Audit Unit
The risk assessment and management within the Operational Program is a task of the management of the managing authority. The managing authority shall adopt its own risk assessment rules and management measures, including the use of internal audit data.
The Internal Risk Audit Unit may use the risk assessment data of the managing authority as a first step in its own risk assessment when planning audits. The conclusions and recommendations set out in the internal audit reports are used by the managing authority to update the risk database and to improve the risk management process.
Comments and recommendations may also arise as a result of subsequent conclusions, following the completion of audits reported by:
- internal risk auditors
- external risk auditors
- data in the audit reports regarding compliance with the financial and accounting standards under EDIS (Analysis of deficiencies, Filling in the deficiencies, Compliance audit and Verification audit)
The Managing Authority will follow all audit recommendations and will:
- ensure that appropriate corrective measures are identified and in line with the recommendations;
- implement the relevant corrective measures through various actions, including amendments to the Procedural Manual.
It is important to note that the internal audit unit, according to the Internal Audit of Risk Management Act, is obliged to introduce the risk assessment procedure as a basis for conducting the internal audit procedure, but will not participate in the management activity and risk assessment under the operational program. This activity is the task of the managing authority.