Log in / Register
Home arrow Business & Finance arrow Project Risk Governance

A Project Risk Governance Maturity Model

Chapter 2 introduced the cyclical approach to aligning business and project strategies and activities. Four stages were identified: formulating strategic goals ('what should be done'), deciding on the project portfolio, programmes and projects ('what can be done'), implementing PRG ('how to do it') and managing risks at the project level ('do it'). The cycle is completed by adding a reflection stage on 'what was done' during the implementation of PRG. This stage supports an assessment of PRG maturity and is included in the augmented PRG model as shown in Figure 9.2.

Augmented project risk governance model

Figure 9.2 Augmented project risk governance model

Relationships between project risk governance maturity dimensions

Figure 9.3 Relationships between project risk governance maturity dimensions

Levels of PRG maturity are determined according to governance performance in the dimensions identified in Table 9.2. To understand the relative impact of each dimension on PRG maturity, they are represented in a model as shown in Figure 9.3. At one end of the model are the organisational factors that determine the approaches to PRG. They are the characteristics of a PBO, organisational leadership to implement governance and supporting PRG structures and relationships. At the opposite end are the contributions that PRG makes in the form of business outcomes.

In between are the activities of PRG processes to implement project risk strategies for value-creating and value-protecting. Project development itself requires effective project risk management. Both PRG processes and project risk management are moderated by the internal context such as HRM practices and the ability to manage change. Performance is assessed through performance criteria and success factors. There are two ongoing influences: the external context and business/project integration. The former is largely outside the organisation's control but needs to be considered during PRG. The latter provides the overriding objective of PRG, namely to achieve improved business outcomes by linking projects with business strategy.

There are five levels, each with variations in PRG performance within each of the dimensions. The details are provided in Appendix 3. Below are the key dimensions that make up each level.


At this early stage there is no or little awareness of PRG among executive management and it has not received recognition within the organisation. This may be due to a hands-off attitude of the board to risk matters and that no or few formal standards exist for ERM. The emphasis is on identifying and managing negative project risks, while the opportunities of positive project risks are not actively exploited.

The organisation operates in a traditional hierarchical and functional manner. When developing business strategy, little consideration is given to the role of projects. There is no or little recognition of project governance within the organisation's governance framework. Project management is guided by the hard paradigm and manages project costs and benefits and the most obvious associated negative risks. The implementation of project risk responses is neglected. While the concept of uncertainty in project outcomes is understood, project risk appetite and tolerance are inadequately defined. No or little use is made of project management maturity models.


During this stage the importance of project governance and PRG is starting to be recognised within the organisation. There is increasing project activity, and business strategy takes into account the importance of projects to business success. The board's attitude changes to one that attempts to balance control with innovation in relation to risk. The board and senior management realise the strategic importance of managing project risk. Existing risk management standards, such as ISO 31000, provide a guide for ERM. Emphasis is placed on diversifying the overall risk in the project portfolio.

At the project level, obvious opportunities present in positive project risks are now pursued. A more sophisticated approach is taken when considering the impact of project risk in project investments. The organisation gives attention to defining its project risk appetite and tolerance levels. Management, however, has concerns about the effectiveness of risk response implementation. It is understood that risk is not a phenomenon but is socially constructed. The importance of project risk management as a project management knowledge area is recognised and project members are encouraged to join project management associations. There is an emerging awareness of the soft project management paradigm and the merits of project management maturity models.


The move to a project-based environment sees the formulation of both business and project strategies with project risk management included in project strategy. At the board level, attention is given to PRG. Existing ERM systems contribute to defining PRG processes and structures. Value-protecting strategies are developed for preventable and external project risks, while value-creating strategies exploit opportunities provided by taking on risk. PRG extends to project programmes, defining the structure of project business cases, implementing a project value realisation methodology and developing a set of PRG performance metrics. The PMO is identified as the change agent for implementing PRG.

At the project level, project governance is distinguished from project management. Project risk perceptions are defined and evaluated and project risk appetite and tolerance are articulated. The contents of the project risk management plan is agreed and developed. There is an expectation that staff should be members of project management associations and gain certification. Desirable aspects of the soft PM paradigm are identified and implemented. Project risk management success factors are determined and monitored, and the design of a PRG maturity model commences.


Corporate governance recognises its important responsibility for risk management, and executive management engage with PRG. The organisation has changed from a hierarchical to an integrated PBO structure. Business and project strategies are aligned hierarchically, with project risk management part of the alignment. PRG processes and structures are implemented but differ for project portfolio, programmes and projects. Comprehensive business cases are developed by project sponsors and approved by steering committees. The latter fulfil 'broker' and 'steward' governance roles. Metrics measure and monitor PRG performance.

Project managers align project risk management with strategic goals and are conscious of the risk/reward equation. Projects adhere closely to the limits set for by the organisation's risk appetite and tolerance. The risk management plan is followed and regularly updated. A combination of qualitative and quantitative approaches is used to evaluate project risks. There is greater monitoring and control over project risk responses. Project members are rewarded for their professional memberships and certifications. Most project-based activities are managed in the soft project management paradigm. A model of PRG maturity is used to assess PRG performance.


At this level the organisation is project-based. Corporate governance principles aim to manage risk as a strategic dimension of business success. The board fully accepts overall responsibility for PRG and there is leadership capacity to support and shape PRG. Business and project strategies are integrated, with the proactive exploitation of positive project risk a strategic priority. Corporate, project and project risk governance activities overlap with a seamless integration of ERM and PRG. Implementation is effected through successful change management.

A comprehensive model of PRG exists and PRG processes are integrated across project portfolio, programmes and projects. Business cases include intangible project benefits and non-financial evaluations. Assurance is given that project benefits are realised as defined in the project business case. The PMO is regarded as the centre of excellence for project management and is the vehicle for integrating PRG structures and processes. Project risk appetite and tolerance are linked to the corporate governance style. The project risk register is the core repository for all information concerning the context in which project risk is managed. Most aspects of the soft paradigm have been adapted to PRG. The PRG maturity model is used to assess PRG sophistication.

Checklist: Implementation of Project Risk Governance Maturity Model

• Does the organisation use a PRG maturity model?

• Does the PRG maturity model assist in determining the organisation's level of PRG maturity?

• Does the PRG maturity model provide a roadmap for improving the performance of PRG?

• Should the PRG maturity model be modified to reflect new PRG approaches?

• Is PRG maturity regularly assessed?

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science