

Risk management strategy


Defines how risks will be managed during the lifecycle of the programme. Used to plan the way risks are handled within the programme.

The Risk Strategy and supporting Plan must acknowledge actual and potential threats to the successful delivery of a project and determine the activities required to minimise or eliminate them. The risk plan needs to be capable of integration into or co-ordination with the project plan.

A major concern is the appropriate communication of risk information, in particular where escalation is required. The ‘summary risk profile’ (SRP) is a simple mechanism to increase visibility of risks. It is a graphical representation of information normally found on a risk register. This graph should be updated in line with the risk register on a regular basis. The profile shows risks in terms of probability and severity of impact with the effects of mitigating action taken into account.

The SRP is often referred to as a probability/impact matrix. Each risk (indicated by * on the diagram) would normally have a number or other reference and supporting details. The position of the risk tolerance line would depend on the organisation and its project. See figure 2 for an example SRP.

Fitness for purpose checklist:

  • requires time and top-level commitment;
  • individual accountability, scrutiny and challenge;
  • risk judgements depend on sound information;
  • must be applied throughout delivery networks;
  • wider understanding of cross-departmental risks and joint working to manage them;
  • check the framework references the organisational appetite for risk and any delegated appetite in respect of specific programmes or projects.

Suggested content:

  • What risks are to be managed
  • How much risk is acceptable
  • Who is responsible for the risk management activities
  • What relative significance time, cost, benefits, quality and stakeholders have in the management of programme risks

Source information:

Where partners and/or suppliers are involved, it is essential to have shared understanding of risks and agreed plans for managing them.

There are two parts to the strategy:

1. Analysis of risk, which involves the identification and definition of risks, plus the evaluation of impact and consequent action.
2. Risk management, which covers the activities involved in the planning, monitoring and controlling of actions that will address the threats and problems identified, so as to improve the likelihood of the project achieving its stated objectives.

The risk analysis and risk management phases must be treated separately, to ensure that decisions are made objectively and based on all the relevant information.

Risk analysis and risk management are interrelated and undertaken iteratively. The formal recording of information is an important element in risk analysis and risk management. The documentation provides the foundation that supports the overall management of risk.

Further information:

Managing Successful Programmes

OGC's Achieving Excellence Guides

Management of Risk