neart.ai
EcosystemStoryHow We BuildPricingBlog
Try Inspected →
neart.ai
EcosystemStoryHow We BuildBlog

Ní neart go cur le chéile

A SaltCore Group Limited company

© 2026 neart.ai · SaltCore Group Limited. All rights reserved.

Delivery & PMO

Programme-Level Risk Management: Why It's Not Just Bigger Project Risk

19 August 20254 min read

## The short answer


Programme risk management is concerned with threats to the **overall outcome and benefits**, not just to individual deliverables. It deals with three things that project-level risk management misses: **aggregated risk** (small project risks that combine into a big one), **emergent risk** (risks that only exist because projects interact), and **strategic risk** (threats to the business case itself). Rolling up project risk registers is necessary but nowhere near sufficient.


## The mistake of "just roll it up"


Many programmes manage risk by collecting each project's risk register and merging them into one big list. This feels rigorous but quietly misses the risks that matter most at programme level. A programme is not the sum of its projects, and its risk profile isn't the sum of their registers either.


Three categories of risk simply don't appear on any individual project's list.


## Aggregated risk


Individually tolerable risks can become intolerable when combined. Three projects each carry a modest 15% chance of slipping by a month. On their own, each is acceptable. But if they feed a shared go-live, the probability that *at least one* slips — and drags the milestone with it — is much higher than any single figure suggests. Project managers, looking only at their own risk, will all report "manageable". The programme manager has to see the aggregate.


The same applies to budget contingency. Each project holds a sensible buffer, but if several adverse events are correlated — a key supplier struggling, say, affects multiple projects at once — the buffers can be drawn down together. Programme risk management looks for these correlations.


## Emergent risk


Some risks exist *only* because projects interact. They cannot appear on a single project's register because no single project can see them:


- Two projects changing the same business process in incompatible ways.

- Combined change overwhelming the operational teams expected to absorb it.

- Integration risk at the boundary between systems that each project considers "done".

- Contention for the same scarce specialists, environments or stakeholder attention.


These emergent risks are precisely why programmes need a coordinating layer. Spotting them requires a view across all projects at once.


## Strategic and business-case risk


The highest-level programme risks threaten the rationale for the programme itself:


- The market or regulatory landscape shifts, eroding the expected benefits.

- A reorganisation changes who owns the outcome.

- The strategic priority that justified the spend gets superseded.

- The benefits prove unrealisable even if every output ships.


No project manager owns these — they belong to the programme and its sponsor. Ignoring them is how organisations end up flawlessly delivering a programme that the business no longer needs.


## How to manage programme risk in practice


1. **Maintain a programme risk register** that is *not* a copy-paste of project risks — it holds aggregated, emergent and strategic risks explicitly.

2. **Set risk appetite and thresholds** at programme level so you know which risks the board must own versus which projects can carry.

3. **Look for correlation**, not just individual probability — ask which risks would bite together.

4. **Assign clear ownership** — every significant risk needs a named owner with the authority to act on it.

5. **Manage contingency centrally** as well as locally — a shared programme buffer is more efficient than over-buffering every project.

6. **Review at the right cadence** — strategic risks at the board, delivery and emergent risks in the cross-project forum.


## Don't confuse risks and issues


A risk is a future possibility; an issue is a present reality. Programmes get into trouble when risks that have clearly crystallised are still nursed as "risks" on a register, because owning an issue requires action and accountability that owning a risk does not. Be honest about which is which — and escalate issues that threaten the outcome immediately, not at the next monthly review.


## Warning signs


- The programme risk register is identical to the merged project registers.

- Every project reports acceptable risk, yet the milestone keeps slipping.

- No one owns business-case or strategic risk.

- Contingency is fragmented across projects with no programme-level view.

- Crystallised issues are still being tracked as future risks.


At neart.ai we build enterprise-grade PMO products, and the recurring lesson is that programme risk lives in aggregation and interaction — exactly what a flat, rolled-up register hides. Making cross-project and strategic risk visible separately is what turns risk management from a compliance exercise into genuine foresight.


## Practical takeaway


Don't manage programme risk by stapling project registers together. Maintain a separate programme view for the three risks projects can't see — aggregated, emergent and strategic — assign each a named owner, look for correlations rather than isolated probabilities, and make sure someone senior owns the risk to the business case itself.

Related posts

Delivery & PMO

What Is Stage-Gate Governance and How Do You Run It Well?

Delivery & PMO

How Do You Run a RAID Log That Delivery Teams Actually Use?

Delivery & PMO

Earned Value Management Explained: A Practical Guide for Delivery Leaders