Manage risks proportionately
People expect a lot from the government. They expect us to protect their legal interests, provide safe and secure services and use our resources efficiently. To meet those expectations, we need to be able to identify and control risk.
Throughout the development and delivery of digital products and services, project teams must adhere to compliance standards, as outlined in legislation, regulations, policies, contract language and more. Operating outside of these legal boundaries is not only non-compliant, but also risky.
Risk is the likelihood of an event happening multiplied by the expected impact if it does. Managing risk means having ways to identify, assess and respond to events that could cause negative outcomes. Proper risk management can take the uncertainty out of your work, leaving you free to innovate and focus on serving the community.
Examples of risk in digital service delivery include:
- Project risk from a service being delayed or not meeting its objectives
- Legal risk from falling short of legal standards or obligations
- Reputational risk from actions that harm public trust in the government
- Financial risk from a project going over budget
- Privacy risk from a loss of users’ personal information
- Security risk from a bad actor gaining access to a system or confidential information
- Data risk from a loss of data integrity or quality
- Operational risk from service interruptions or natural disasters
Plan for project risk
Project risk is the likelihood of negative outcomes happening to a project. This can be caused by delays, cost overruns, scope increases or changes in government priorities. Whether the cause is in your control or not, you can take steps to reduce the negative impact these events have on your service:
- Comply with laws, core policies, ministry policies or contract terms meant to control risk. This includes standards for financial and business continuity risk
- Speak to subject matter experts to make sure you’re aware of all compliance requirements
- Make sure you have the knowledge and resources you need to manage risk throughout your service’s lifecycle
- Map your risk landscape by consulting with partners, subject-matter experts and risk management professionals
- Decide on your “risk appetite” – the right level of risk for your team to balance safety with innovation
- Identify risks to your project and prioritize them by their likelihood and impact
- Record risks and your plans to address them using the Standard Risk Register
- Plan carefully and follow through, but make sure you stay flexible and responsive so you can react to unexpected changes
- Review your risk situation often and make changes to your plans as needed
- Review the Risk Management Guideline for detailed guidance on the entire risk management process
Manage risk collaboratively
Risk management is a team effort. To fully understand and address your project’s risks, you need to involve the experts and other partners who understand the work best. Not everyone is expected to be a risk expert, but you are expected to know when to ask for help. To make sure you involve the right people in your risk management:
- Connect with your ministry’s risk experts for help identifying, assessing and mitigating project risks
- Consult with project partners and subject matter experts to make sure you understand all events that could threaten your service
- Collaborate with other teams and help identify risks they might have missed in their assessments
- Stay connected with risk management partners for the entire life of your service, including risk reviews and carrying out mitigation plans
- Document all risk consultations, assessments and decisions in a level of detail fitting the risk and your project context. In some cases this can be as simple as an email
The alignment guide is intended to be used with the supporting context of the related practice and resources. This guide provides examples of what the implementation of this practice may look like and defines a range of competence within the practice area.
Initial teams need better practices and resourcing to evaluate project risk and keep it at acceptable levels.
- Planning their work without considering events that could set them back or prevent them from meeting their objectives
- Failing to identify and fill gaps in their risk management skills and resourcing
Developing teams are building their awareness of events that could interfere with their project and steps they can take to address them.
- Determining their current level of risk and considering potential mitigation strategies
- Connecting with government risk management experts and developing a full understanding of their project’s business and technical context
- Building their knowledge of risk management practices and arranging resources to support risk analysis and mitigation
Delivering teams rely on sustainable, documented practices that limit risk so they can focus on delivering value for users.
- Following tested procedures to accurately analyze and document risk
- Developing and implementing effective mitigation strategies tailored to their desired risk levels
- Ensuring their team has enough support, training and resourcing for risk management activities throughout the product lifecycle
Optimizing teams iterate their risk management processes to improve their resiliency, reliability and efficiency.
- Using a data-driven approach to balance their risk appetite and their drive to innovate
- Experimenting with new techniques (such as automation) to improve their analysis, recordkeeping and reporting
- Continually building their risk management capacity by connecting and integrating with other teams
Innovating teams build public trust through creative solutions that minimize risk and maximize innovation.
- Taking a cross-organizational perspective and coordinating risk management practices across government
- Helping other teams understand how risk management can enable better outcomes for users
- Encouraging leadership to integrate risk-informed decision making into organizational values and strategic planning