Aerospace series - Programme management - Recommendations to implement risk management and opportunity management

This document enables the specific needs of the aeronautical, space and defence fields to be met. It can also apply to other fields.
However, the specificity of some fields can lead to the use of existing sectorial standards such as EN 16601-80, Space project management - Risk management (derived from ECSS-M-80).
This document:
-   proposes a framework for implementing organization of risk management and opportunity management within programme management; this framework may serve as a basis for writing risk management specifications and opportunity management specifications;
-   describes a process for keeping programme risks within the defined limitations that are considered tolerable; this standard process can be used as a methodological guide for writing the programme risk control plan;
-   describes a process for addressing and developing opportunities that have positive consequences on the execution of a programme; this standard process can be used as a methodological guide for writing the strategic programme opportunity control plan;
-   recognizes the need for knowledge management in order to capitalize and to share lessons learned with other programmes, as well as the maturity assessment of the risk management and opportunity management processes;
-   identifies useful documents for risk management and opportunity management;
-   proposes an example of a typical list of risks and opportunities.

General Information

Status: Published
Publication Date: 20-Aug-2024
Technical Committee
Current Stage: 6060 - Definitive text made available (DAV) - Publishing
Start Date: 21-Aug-2024
Completion Date: 21-Aug-2024

Standard
EN 9239:2024 - BARVE
English language
70 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-October-2024
Aerospace series - Programme Management - Recommendations to implement risk management and opportunity management
This Slovenian standard is identical to: EN 9239:2024
ICS:
03.100.01 Company organization and management in general
49.020 Aircraft and space vehicles in general
2003-01. Slovenski inštitut za standardizacijo. Reproduction of all or part of this standard is not permitted.

EUROPEAN STANDARD
EN 9239
August 2024
ICS 49.020
Supersedes EN 9239:2016
English Version
Aerospace series - Programme management - Recommendations to implement risk management and opportunity management
This European Standard was approved by CEN on 26 May 2024.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2024 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN 9239:2024 E

Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
4.1 Integral part of management of the entire programme
4.2 Incorporation of risks and opportunities
4.2.1 Apprehension of risks and opportunities
4.2.2 Assessment of the risk or opportunity
4.2.3 Treatment of the risk or opportunity
4.2.4 Control and monitoring
4.2.5 Capitalization
4.2.6 Overall synopsis
4.3 Transversality
4.4 Communication
5 Risk management
5.1 Organizational framework for risk management in the programme
5.1.1 General
5.1.2 Leadership
5.1.3 Risk management plan
5.1.4 Context and customer requirements
5.1.5 Roles and responsibilities
5.1.6 Resources
5.1.7 Improvement: maturity of programme risk control process
5.2 Programme risk management process
5.2.1 General
5.2.2 Step 1: setting up the risk management framework
5.2.3 Step 2: identifying
5.2.4 Step 3: analysing
5.2.5 Step 4: assessing
5.2.6 Step 5: producing risk reduction scenarios
5.2.7 Step 6: selecting the scenarios
5.2.8 Step 7: implementing the risk treatment actions
5.2.9 Step 8: controlling and monitoring
5.2.10 Step 9: capitalising
5.2.11 Communicating
6 Opportunity management
6.1 Organizational framework for programme opportunity management
6.1.1 General
6.1.2 Leadership
6.1.3 Strategic opportunity management plan
6.1.4 Context and customer requirements
6.1.5 Roles and responsibilities
6.1.6 Resources
6.1.7 Improvement: maturity of programme opportunity control process
6.2 Programme opportunity management process
6.2.1 General
6.2.2 Step 1: setting up the opportunity management framework
6.2.3 Step 2: identifying
6.2.4 Step 3: analysing
6.2.5 Step 4: assessing
6.2.6 Step 5: producing scenarios for undertaking opportunity control actions
6.2.7 Step 6: selecting the scenarios
6.2.8 Step 7: implementing the opportunity treatment actions
6.2.9 Step 8: controlling and monitoring
6.2.10 Step 9: capitalizing
6.2.11 Communicating
Annex A (informative) List of typical risks by category
Annex B (informative) List of typical opportunities by category
Annex C (informative) Example of risk sheet
Annex D (informative) Example of opportunity sheet
Annex E (informative) Examples of qualitative and quantitative assessments
Annex F (informative) Examples of registers
Annex G (informative) Notable differences between the risk management process and the opportunity management process
Bibliography

European foreword
This document (EN 9239:2024) has been prepared by ASD-STAN.
After enquiries and votes carried out in accordance with the rules of this Association, this document has
received the approval of the National Associations and the Official Services of the member countries of
ASD-STAN, prior to its presentation to CEN.
This document shall be given the status of a national standard, either by publication of an identical text
or by endorsement, at the latest by February 2025, and conflicting national standards shall be
withdrawn at the latest by February 2025.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN 9239:2016.
The main changes with respect to the previous edition are as follows:
— EN 9239 (P1), 05/2016:
    o separation of risk management and opportunity management and the explanation of this choice in the introduction;
    o terms and definitions clause:
        • addition of terms and definitions associated with opportunity management (including “amplitude”, “benefit” and “opportunity”);
        • update of the list of defined terms with the addition of new terms (including “detectability”, “sheet”, “list of typical risks”, “matrix”, “portfolio” and “register”);
    o modification of the overall structure of the document:
        • Clause 4: principles added, common to risks and opportunities;
        • Clause 5: description of the organizational framework and process for risk management;
        • Clause 6: description of the organizational framework and process for opportunity management (which mirrors the risk management process);
    o compared to the risk management process described in the previous edition:
        • choice to describe the process steps with the following construction: input data/actors/processes/output data;
        • addition of a step 3 – analysing (between identifying and assessing), a step 5 – producing scenarios (risk reduction and undertaking opportunity control actions) and a step 6 – selecting the scenarios. Communication is no longer described as a step because it is meant to be transverse at all steps;
    o addition/removal of some annexes:
        • new Annex B “List of typical opportunities by category” added;
        • former Annex D: “Example of 3-colour code criticality and acceptability matrix: general risk mapping” deleted (addressed in the body of the document);
        • new Annex C and Annex D: “Example of risk/opportunity sheet” added;
        • former Annex F “Risk assessment report” deleted;
        • former Annex G “Maturity of programme risk management: assessment criteria” deleted;
    o update of the references cited and in the bibliography.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this document: Austria, Belgium, Bulgaria, Croatia, Cyprus,
Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United
Kingdom.
Introduction
Risk management and opportunity management form an integral part of programme management.
They are implemented right from the start of the project feasibility stage and continue until material
disposal. This document is intended to be used as a basis, for any given programme, for negotiating the
requirements and relationships between customers and suppliers for risk management and
opportunity management. EN 9239 complements EN 9200 on programme management.
This document describes the processes to be followed in order to:
— identify and manage risks and opportunities within the programmes;
— maximize benefits for the programme, and also for any associated transverse function;
— construct and implement appropriate action plans.
In this document, risks and opportunities are addressed separately in two different clauses. This is
because the contractual, organizational, and financial impacts of risk management and of opportunity
management may be different. Separate documentation for risk management and opportunity
management is recommended, as the respective responsibilities may be entrusted to the same or
different people.
The ultimate goal of this document is to contribute to an appropriate definition of programme
objectives (including costs, schedules and performances) and to continuously ensure that they are met
or enhanced, despite or thanks to events likely to have a negative or positive impact on its progress.
The programme director can manage risks and opportunities through the application of methods.

1 Scope
This document enables the specific needs of the aeronautical, space and defence fields to be met. It can
also apply to other fields.
However, the specificity of some fields can lead to the use of existing sectorial standards such as
EN 16601-80, Space project management — Risk management (derived from ECSS-M-80).
This document:
— proposes a framework for implementing organization of risk management and opportunity
management within programme management; this framework may serve as a basis for writing risk
management specifications and opportunity management specifications;
— describes a process for keeping programme risks within the defined limitations that are considered
tolerable; this standard process can be used as a methodological guide for writing the programme
risk control plan;
— describes a process for addressing and developing opportunities that have positive consequences
on the execution of a programme; this standard process can be used as a methodological guide for
writing the strategic programme opportunity control plan;
— recognizes the need for knowledge management in order to capitalise and to share lessons learned
with other programmes, as well as the maturity assessment of the risk management and
opportunity management processes;
— identifies useful documents for risk management and opportunity management;
— proposes an example of a typical list of risks and opportunities.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp/
— IEC Electropedia: available at https://www.electropedia.org/
3.1
amplitude
level of importance of the opportunity allowing prioritization
Note 1 to entry: The amplitude of an opportunity is often the combination of the consequence in terms of
expected benefit and the likelihood (or probability) of occurrence of the opportunity, and possibly other attributes
(defined in the opportunity management plan) such as detectability.
3.2
target amplitude
level of importance of the opportunity after implementation of the proposed action plan
Note 1 to entry: The target amplitude is characterized by a target likelihood (probability), a target consequence
index, and possibly detectability or another target attribute.
3.3
benefit
significance of the impact of an opportunity
3.4
library of risks and opportunities
set of information documented by the risk management and opportunity management processes
EXAMPLE Standard sheets or lessons learned.
3.5
mapping of risks and opportunities
summary of the register obtained by consolidation of risks or of opportunities with the aim of
presenting them to aid strategic decision-making
3.6
cause
set of events and situations that are at the origin of the risk or opportunity
3.7
criticality
level of importance of the risk allowing prioritization
Note 1 to entry: The criticality of a risk is often the combination of the severity and the likelihood (or
probability) of occurrence of the risk, and possibly other attributes (defined in the risk management plan) such as
detectability.
3.8
detectability
capacity to detect the direct manifestation of a risk or the appearance of one of the causes of a risk or
opportunity
Note 1 to entry: Detectability includes the capacity to provide an appropriate response to mitigate the risk or
seize the opportunity.
3.9
opportunity sheet
documentation of the characteristics and other parameters of an identified opportunity
Note 1 to entry: An example is available in Annex D.
3.10
risk sheet
documentation of the characteristics and other parameters of an identified risk
Note 1 to entry: An example is available in Annex C.
3.11
severity
significance of the impact of a risk
3.12
impact
effect of a risk or opportunity when it occurs
3.13
list of typical opportunities
identification of generic opportunities to assist with construction of the opportunity register for a
programme
Note 1 to entry: The list of consolidated typical opportunities at the company level is based on feedback from
the company, from previous or current programmes and on the best practices identified in the normative
repositories.
Note 2 to entry: See Annex B.
3.14
list of typical risks
identification of generic risks to assist with construction of the risk register for a programme
Note 1 to entry: The list of consolidated typical risks at the company level is based on feedback from the
company, from previous or current programmes and on the best practices identified in the normative repositories.
Note 2 to entry: See Annex A.
3.15
programme opportunity management
coordinated activities in order to take advantage of the opportunities for a programme
3.16
programme risk management
coordinated activities in order to mitigate the risks for a programme
3.17
opportunity matrix
presentation of the mapping of opportunities characterised according to their amplitude
Note 1 to entry: The amplitude may be represented by a colour code with 3 or 4 values, see Figure 5 in
subclause 6.2.5.4.
3.18
risk matrix
presentation of the mapping of risks characterised according to their criticality
Note 1 to entry: The criticality is often represented by a colour code with 3 or 4 values, see Figure 3 in 5.2.5.4.
3.19
level of risk tolerance
criticality value beyond which specific risk mitigation actions are implemented
3.20
opportunity consideration level
amplitude value beyond which specific actions for the opportunity are implemented
3.21
occurrence of a risk or of an opportunity
fact of a risk or of an opportunity occurring
3.22
opportunity
uncertain event or circumstance which can have a positive impact on the achievement of the objectives
of the programme
3.23
typical opportunity
generic set of characteristics of opportunities
Note 1 to entry: The definition of typical opportunities supports the identification of the opportunities of a
programme.
3.24
risk portfolio
set of identified risk sheets for the programme
3.25
opportunity portfolio
set of identified opportunity sheets for the programme
3.26
programme
coordinated set of technical, administrative and financial tasks, intended to design, develop,
manufacture and use a product or a system, satisfying a need under the best performance, cost and time
conditions as well as ensuring the support of it and finally the disposal
Note 1 to entry: All or part of a programme can be designated also in the industrial world and in some
normative texts by words such as “project” or “contract”.
Note 2 to entry: When the notion of programme is associated with an overall system, the notion of sub-
programme or project is frequently used when addressing the constituents of this system.
3.27
opportunity promoter
person or entity responsible for promoting an opportunity and with the authority to manage it
3.28
risk owner
person or entity responsible for a risk and with the authority to manage it
[SOURCE: ISO/IEC 27000]
3.29
opportunity register
list of identified opportunities in the portfolio, accompanied by their associated key information
Note 1 to entry: An example register is available in Annex F, subclause F.2.
3.30
risk register
list of identified risks in the portfolio, accompanied by their associated key information
Note 1 to entry: An example register is available in Annex F, subclause F.1.
3.31
opportunity lessons learned
retrospective analysis of each opportunity managed during the programme, aiming to determine the
knowledge that is reusable for opportunity management for the current programme and/or other
programmes
3.32
risk lessons learned
retrospective analysis of each risk managed during the programme, aiming to determine the knowledge
that is reusable for risk management for the current programme and/or other programmes
3.33
risk
uncertain event or circumstance which can have a negative impact on the achievement of the objectives
of the programme
3.34
residual risk
risk remaining after implementation of mitigation actions
Note 1 to entry: The residual risk is characterized by a residual criticality determined by a residual likelihood
(probability), a residual severity, and possibly detectability or another residual attribute.
3.35
likelihood of a risk or of an opportunity
assessment of the probability or frequency of a risk or of an opportunity occurring
4 Principles
4.1 Integral part of management of the entire programme
Risk management and opportunity management are an integral part of programme management.
The risk management and opportunity management success criteria cannot be dissociated from the
programme and programme management success criteria.
Risk management and opportunity management require a risk culture and an opportunity culture
within the organization. They rely on the involvement of all personnel and the deployment of
suitable practices.
Risk management and opportunity management cover each stage of the programme and of the product
life cycle.
4.2 Incorporation of risks and opportunities
4.2.1 Apprehension of risks and opportunities
The risks and opportunities can be apprehended by all stakeholders of the programme, organization or
their environments. This apprehension of a risk or opportunity is expressed in a statement.
Processes [such as monitoring and alert system, lessons learned or comparative studies of the
competition (“benchmarking”)] are to be implemented to apprehend risks and opportunities.
This apprehension may be intuitive and based on listening, observation, critical thinking and openness.
The apprehended statement is then compared with risks and opportunities that have already been
identified. If it is new, it is reformulated as a risk or opportunity, and enters into the
assessment process.
4.2.2 Assessment of the risk or opportunity
This risk or opportunity is then assessed by the programme team’s risk and opportunity managers, in
three steps: identification, analysis and assessment.
As the managers and processes for risk management and for opportunity management are technically
different, risks and opportunities are addressed separately in this document.
NOTE See Clause 5 for risk management, Clause 6 for opportunity management and Annex G to compare risk
and opportunity terminologies and approaches.
4.2.3 Treatment of the risk or opportunity
The risk manager for the programme determines the roles and responsibilities in the treatment of each
risk, and the opportunity manager for the programme determines the roles and responsibilities in the
treatment of each opportunity.
The treatment is articulated in three steps: elaboration of scenarios, selection of scenarios and
implementation.
4.2.4 Control and monitoring
All of the risk management processes and the opportunity management processes are iterative.
This entails assessing the effectiveness and efficiency of the scenarios and actions and making
necessary updates.
4.2.5 Capitalization
The purpose of capitalization is to take into account the lessons learned, in order to make risk
management and opportunity management for current or future programmes more effective.
In particular, capitalization involves the consolidation of these lessons learned.
It is initiated at each step of the risk management and opportunity management processes and finalised
at the closure of the programme or of each of its stages.

4.2.6 Overall synopsis
Figure 1 below presents the principles for incorporation of risks and opportunities, and the actors
involved.
[Figure 1 — Principles for incorporation of risks and opportunities. Key: stages of the process; iterative approaches; transverse stage.]
4.3 Transversality
The principle of transversality in all the steps of the risk management and opportunity management
processes allows an assessment of the risks and of the opportunities to be validated for all of the actors
and stakeholders concerned. In addition, this principle allows duplicates to be avoided and subsidiarity
to be ensured.
4.4 Communication
Upward communication, communication intended for the customer, and then communication intended for the
stakeholders and parties concerned are to be defined (content, details, nature, frequency of information
according to each recipient).
5 Risk management
5.1 Organizational framework for risk management in the programme
5.1.1 General
The programme risk management framework is implemented right from the start of the programme
feasibility study and continues through until material disposal. It covers all of the stages in the
programme, all of the components and all of the activities.
NOTE Depending on the programme, dismantling can be included in disposal, or can be the subject of a separate
programme.
It is based on multidisciplinary skills (such as legal, technical, financial or logistics) in order to identify
the various aspects of risks and take into account the different points of view.
Risk management is adapted according to the programme stages.
All actors are involved and take an active part in risk management.
All programme stakeholders can also take part in risk management.
5.1.2 Leadership
Leadership for risk management is provided by the programme director or by the manager of a
portfolio of programmes.
In this regard, they guide and direct risk management in the programme or programmes for which they
are responsible.
5.1.3 Risk management plan
The risk management framework is described in a document (a specific chapter of the programme
management plan, risk management plan) drawn up by the programme director.
This risk management plan is drawn up right from the start of the programme, taking into account the
general context of the programme.
It may be common with the strategic opportunity management plan (see subclause 6.1.3).
Based on the risk management plan, risk management activity is punctuated by milestones at progress
meetings and risk reviews. This activity is based on the risk analysis report (see Annex F,
subclause F.1).
5.1.4 Context and customer requirements
In the programme management specification, the customer states their requirements concerning the
implementation of risk management by their supplier and the sharing or exchanging of risk
information between customer and supplier.
The supplier complies with these requirements in their risk management plan, specifying:
— their programme framework in terms of risk management, in particular the roles and
responsibilities of each actor in the programme;
— if necessary, their rules for breaking down and distributing requirements at subcontractor level;
— if necessary, their rules for breaking down and distributing requirements regarding interfaces;
— their risk management process and associated deliverables (such as documentation or
status reports);
— their criteria for assessment, prioritization and definition of risk criticality level;
— their rules for sharing risk information with the customer.
The supplier can also formalize their own internal requirements.
5.1.5 Roles and responsibilities
5.1.5.1 Role and responsibilities of the programme director
The programme director is responsible for risk management. The authority on risk treatment and
management of actions related to risk treatment is internal, but can also be external to the programme,
or even external to the organization (customer or regulatory authority, for example).
The programme director:
— is responsible for managing programme risks. To this end:
    o they specify the conditions for organization and operation of risk management;
    o they validate the process to be implemented and the criteria for assessment of risk prioritization and criticality;
    o they select the risks treated at their level, from the most critical risks;
    o they regularly review the risks and update the selection;
    o they validate the action plans for treatment of major risks;
    o they communicate with the parties concerned, internal or external to the company (customers and suppliers in particular);
— appoints the risk manager, if necessary;
— appoints the various risk owners, or defines appointment methods.
The programme director has responsibility with respect to their upper management and is the point of
contact for the customer or the competent authority.
5.1.5.2 Roles and responsibilities for risk management
The risk manager defines and implements the risk management process, under the authority of the
programme director. They run the process in the programme, are responsible for the overview and
monitoring of all programme risks, guarantee data quality and manage communication to all those
who have a stake in the programme.
The person responsible for a risk is involved during the risk assessment and makes a commitment to it.
They define the action plans and then lead the risk treatment actions. They are responsible for
monitoring the execution of the actions and the context. They ensure that each action owner is informed
of what shall be done and carries out their action. They inform the risk manager and report to the
programme director.
NOTE The person responsible for a risk can also be referred to as a “risk owner”.
The risk action owner leads the (direct or delegated) performance of the treatment action assigned to
them by the person responsible for the risk.
Other actors may be included, such as transverse risk managers, or “analysts” tasked with detecting
weak signals from the organization’s environment.
The above-mentioned organization is to be adapted according to size and complexity of each
programme.
5.1.5.3 Multidisciplinary groups
As there are varying risks and risk management steps, it is necessary to make use of all the
employees’ skills during each of the stages of the process, for instance by forming multidisciplinary
groups.
Resorting to internal skills requires overall monitoring to avoid dispersion or ineffectiveness, and
also the setting up of well-defined rules. General management or the programme director defines the
expert selection process. This process can be submitted for approval by the customer and/or by the
authority.
5.1.6 Resources
5.1.6.1 Information system
It is recommended to set up an information system dedicated to permanent risk monitoring.
This can be based on the general concept of “extended enterprise”, i.e. capable of taking into account the
risks (related to the programme) of the company but also those of its partners and suppliers. A specific
interfacing can be specified for connection (with the necessary protections) with other risk
management tools, in particular with the customer’s tool.
Its main functions are:
— adaptability to any changes in organization affecting the programme;
— traceability of all risk management actions: alert, identification, assessment;
— treatment (mitigation, financing), associated action plan, and monitoring of the action plan;
— history;
— archiving;
— restitution of lessons learned;
— reporting (such as risk register, risk analysis reports or status reports) and restitution, specifically
adaptable to the needs for information of the various sectors or departments involved.
5.1.6.2 Financial resources
The budget for the resources required for the risk management activity is defined at the start of the
programme. This budget includes risk mitigation actions.
Coverage for residual risks unrelated to a work package (contingencies, provisions for contingencies or
provisions for risks) is also to be provided.
5.1.6.3 Awareness and training
Awareness and training in risk management determine the efficiency of the process.
The actors to be educated and trained are all those involved in the execution of programmes:
programme directors and technical managers, industrialization, production, purchasing, quality,
customer support, finance, and subcontractors, contractors and suppliers.
It is also important for awareness and training to be assessed and tracked to assess their effectiveness,
in terms of involvement of personnel in the risk management process.
5.1.6.4 Documentation concerning risks
Documentation relating to programme risk management is compiled and kept updated in the
programme risk management information system.
It includes:
— the programme risk management plan that defines the process or processes to be used (see 5.2.2);
— the risk sheets (one sheet per risk) recording all risk data for each risk: alert, identification,
assessment, treatment (example of risk sheet in Annex C). The risk sheets are kept updated
throughout the programme;
— the risk portfolio compiling all of the risk sheets, kept updated throughout the programme;
— the risk register identifying all of the programme risks, as well as their essential characteristics. It
is also kept updated throughout the programme;
— the status reports concerning programme risks;
— the risk analysis reports;
— the minutes from risk analysis, assessment and treatment meetings;
— lessons learned from the current programme, previous programmes and concurrent programmes.
5.1.7 Improvement: maturity of programme risk control process
It is recommended to establish a system for assessing the maturity of the programme risk management
process.
This maturity assessment system makes it possible to meet various needs, in particular:
— continuous quality improvement;
— requirements expressed by some customers;
— duty to provide advice with regard to the client and more generally to stakeholders;
— business strategy.
This maturity can be measured using multiple levels, as conventionally accepted:
— level 1: initial;
— level 2: repeatable;
— level 3: defined;
— level 4: measured;
— level 5: optimized.
Measurement is based on criteria that can cover the following areas in particular: coverage of relevant
processes, decision-making processes, communication organization, level of involvement of actors, use
of tools, training level.
5.2 Programme risk management process
5.2.1 General
The main steps of risk management are (see Figure 2):
Key
red arrow = decision
blue dotted arrow = information
Figure 2 — Steps in the risk management process

5.2.2 Step 1: setting up the risk management framework
5.2.2.1 Inputs
Setting up risk management meets requirements, specifications or a more general framework.
The risk management framework is based on available lessons learned (previous or concurrent
programmes that are similar).
5.2.2.2 Actors
Setting up risk management is initiated by the programme director.
Setting up risk management is coordinated by the risk manager.
5.2.2.3 Process
Step 1 consists in defining a framework, documenting it (see 5.1.3) and implementing it in terms of
human, material and budgetary resources.
The risk management plan includes at least:
— the scope;
— the organization;
— the roles and responsibilities of the main stakeholders;
— the risk management process (including the categorisation criteria);
— the reporting applied to the programme (indicators, risk analysis reports, status reports);
— the allocated resources;
— the tools used;
— the risk assessment criteria and assessment scales;
— the risk control and monitoring strategies;
— the interfaces with partners;
— the links with the environment, particularly human relationships.
Construction of the risk management plan may lead to discussions with certain stakeholders.
This construction can be based on working groups (analysis and lessons learned, taking account of
specifications and requirements).

5.2.2.4 Outputs
This step leads to:
— the risk management plan approved by the programme director;
— the effective allocation of resources;
— a framework in place.
5.2.3 Step 2: identifying
5.2.3.1 Inputs
The elements to be taken into account are:
— the list of typical risks;
— the risk lessons learned observed by the programme and not yet integrated at the company level;
— the proposals or ideas reported by programme actors.
5.2.3.2 Actors
Risks can be reported by all actors involved in the programme and, more generally, all of
its stakeholders.
5.2.3.3 Process
The identification process is conducted as far upstream in the programme as possible, then throughout its
execution.
It involves collecting risk identification proposals based on documentary sources
(see subclause 5.2.3.1) or creativity techniques (including brainstorming).
It is recommended for this process to be supplemented by:
— an alert system to capture “weak signals”, and detect those that are likely to become r
...
