When a new risk is added to a project, it is subject to two properties: approval and visibility. Approval indicates the risk has been approved by management and can be included as part of the portfolio risk register. Visibility indicates where in the portfolio this risk can be assigned: projects,summary projects, or the portfolio.Why is this required? Let us assume that we have a risk “Budgetary Problems”. It is not something that we want to share with all of the people in the team; it may cause some team members to leave if they are worried about getting paid. Different risks will have different visibility, for example, “Low Quality Components” affect only specific projects related, so we will manage them at the project or summary project level, rather than the portfolio level.
Each project portfolio usually has Risk visibility rules. These rules define how risks will be visible when they are first entered in the portfolio. For example, when risk is first added to the register, visibility settings are portfolio level, for all summary projects, immediate summary project, or current project.
Enterprise risk management software usually has different roles and permissions for users. Some users will be administrators and have complete access to the system, others will have management roles such as being part of the risk committee, and others will be members of specific projects and will have access only to specific project and/or risks. When a new risk is entered into the system, it may be visible to administrators and some managers, but remain invisible to the majority of users depending on visibility and approval status. Once entered, a risk status can change depending on the review by the risk committee. For example, “Low Quality component,” was originally identified by a member of a specific project, but after review by the Risk Committee, its visibility has been extended to all climbing projects.
In addition, risk visibility and approval rules can be extended to mitigation and response plans. In other words mitigation and response plants can be visible on certain levels of project hierarchy.