Board of Directors

As the highest level in the organisation, the board of directors is responsible for strategy formulation, including that for projects. Business and project strategy interact to produce desired business outcomes. The board therefore has to be part of decision-making that affect projects in a number of areas. It determines the composition of the project portfolio that best meets its strategic objectives. Programmes within the portfolio are identified and projects prioritised in terms of starting and completion dates, and possibly suspensions or terminations. The board has the responsibility and authority to allocate the necessary resources to projects and thereby overcome delays that may impact delivering projects on time. It needs to develop measures that monitor the adequacy of project and project management performance.

PROJECT RISK GOVERNANCE RESPONSIBILITY

The board's responsibility towards managing enterprise risk, including project risk, is not without controversy. One belief is that risk should be managed at the operational level, below board level. It is argued that risk is a relatively simple concept to manage because 'risk is calculable, regardless of the complexities of the calculations' (Garratt 2007: 13). In other words, risk is easy to identify, define, analyse and respond to and does not require the board's consideration.

Another reason is the difficulty the board may have in dealing with external uncertainty. This requires tracking multiple scenarios in an ever-changing environment with which directors are not comfortable. Despite having to formulate policy in an uncertain world, so far '[l]ittle work has been done on the nature of directors coping with uncertainty, and yet they to continue to function' (Garratt 2007: 12). Board members are believed to rely more on gut feelings than on rigorous analysis when they decide the future direction of the organisation. As a consequence, little consideration is given to risk management at the board level; 'risk management per se is still not being embraced at board level' (Everett 2011: 5). The exceptions are organisations in highly regulated industries such as banking and telecommunications.

In contrast to the apparent 'hands-off attitude, there is the dear responsibility for risk management laid out in corporate governance principles. The UK Code of 2010 requires the board to determine the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. In Australia, the board is expected to recognise and manage risk and provide a sound system of risk oversight, management and internal control (Australian Stock Exchange Corporate Governance Council 2010). Risk management as a corporate activity is also well established in the concept of ERM as outlined in Chapter 3.

The increasing importance of projects has provided a further responsibility for the board: to balance innovation with control. PRG is at the heart of this challenge.

Project risk offers both innovation and control in the form of positive and negative risks respectively, as discussed in previous chapters. Garratt (2007:11) believes that the role of board of directors 'is to balance and rebalance continuously their irresolvable dilemma - "how do we drive our enterprise forward while keeping it under prudent control?'". The board has to think strategically to sustain the organisation while, at the same time, maintaining internal integrity. For PRG this requires the board to direct the formulation of project risk strategies for value-creating and value-protecting as detailed in Chapter 2.

Checklist: Responsibilities of the Board of Directors for Project Risk Governance

• Do board members have the necessary expertise to oversee the implementation of risk management activities?

• Is there a clear relationship between corporate and project strategy?

• Is the interaction between business and project strategy reflected in the composition of the project portfolio?

• Is the impact of risk on the project portfolio assessed?

• Does the board have overall responsibility for the governance of projects?

• Does the board have overall responsibility for PRG?

• Does the board distinguish between project and non-project risk activities?

• Are roles and responsibilities for PRG in the organisation clearly defined?

• Does the board have the necessary competence to direct the activities of PRG?

• Does the board receive sufficient information on significant project- related risks and their management?

• Are the board's deliberations and decisions documented and communicated?

• Are there clearly defined measures to monitor risk management performance in the project portfolio, programmes and projects?

• Does the board receive timely, relevant and reliable information which compares PRG performance against objectives?

• Is the board familiar with accepted criteria for project success, including PRG?

• Are critical success criteria used to measure project success, including PRG?

• Does the board require a PRG maturity assessment on a regular basis?

• Does the board seek independent advice on the performance of PRG from time to time?