The main goal of risk management is to tolerate uncertainty, to understand complexity and ambiguity and live with them, and to manage all these tensions about what can happen.
Projects that manage risks in isolation are a big risk for the organization. For this reason, a clear risk management framework is used at program or portfolio level.
The risk management strategy should reflect the organization’s risk policies and processes. In this way the program inherits the same principles and risk appetite as the organization. It also helps the organization define the limits of the authority it wants to delegate.
The definition of tolerance thresholds is key, as it translates risk appetite into a guideline that steers program and project behavior. Thresholds define the exposure to risks at one level that, if exceeded, requires escalation to and reaction from the level above.
The uncertainty associated with a risk is expressed as the relationship between its likelihood and its impact (preferably expressed in $$). In a program the complexity increases, as the combination of risks from different projects can generate a complicated net of exposure, which is typically represented on a risk matrix diagram. Sometimes what is negative for one project is an opportunity for another.
The use of health checks during the definition of programs or when attending a bid is key to reviewing the business case or the opportunity from a risk management perspective. They oblige you to think about the key questions you should be considering. I find them useful, not as a controlling tool.
Project aggregation: sometimes a project under execution is added to a program. This requires the program team to assess the impact of this addition at risk level, review the business case and review the budget.