IN FOCUS: risk management
A project portfolio can be a hornet's nest of competing and conflicting priorities. The trick is to find the right mix of risk and reward for your organization.
by William Hoffman
photo illustration by Fredrik Brodén
Balancing the risk and reward from a single project can be a fairly simple task for those who understand an organization's strategic goals. However, when multiple projects with diverse objectives vie for an executive's attention, things get more complicated. An enterprise-wide risk management approach helps ensure not only successful completion of those projects, but also control of the uncertainties they bring to the bottom line.
Project portfolio risk management aggregates project risks and compares them with their estimated return on investment (ROI)—usually seeking the highest return with the lowest aggregate risk. “It's like your stock portfolio,” says Chuck Rusch, vice president of consulting services at Digineer Inc., a technology and management consultancy in Minneapolis, Minn., USA. “You look at each of those projects as if it's a stock in a mutual fund portfolio.”
Mr. Rusch breaks down projects into three categories:
- Transformational projects try to move organizations to new competitive strengths, products or services
- Growth projects maximize investment in the organization's existing platform of services and products
- Run projects “are just trying to keep the lights on,” he says.
The balance between how many transformational projects an organization takes on and how many run projects it needs often depends on the industry in which it operates. IT companies, for example, lean heavily on transformational projects that may give them a competitive edge in world markets. On the flip side, utility companies tend to have a lot more run projects because the industry's technology and processes are mature and less amenable to transformational projects and their attendant risks, Mr. Rusch says.
Banks and financial institutions that must comply with multiple countries' regulations also are more sensitive to risk, says Roberto Abad, managing director at the Mexico City, Mexico, office of Protiviti, a worldwide risk consulting firm. Businesses such as restaurants and hospitals may have categories of risk unique to their industry.
Political and economic conditions can influence project risk assessments in different areas of the world, Mr. Abad says, but “I think the approach used by risk consultants for measuring risk is standard worldwide.”
Bassam Samman, PMP, CEO and founder of Collaboration Management & Control Solutions FZ, a project portfolio management consulting firm in Dubai, United Arab Emirates, sees geographic differences. “The trend in [the Middle East] region is to avoid the most serious risks,” he says, “even if it means declining to proceed with the project.” Vast and complex oil refineries, for example, tend to be intolerant of risks that might delay or shut down production, Mr. Samman says.
the human touch
Universal Behavioral Health (UBH), Minneapolis, Minn., USA, uses software to help it manage and monitor risk—but it's “not the be-all, end-all,” says program director Avis Braschayko.
“Tools help project managers manage the data and information, but project managers still have to take responsibility to use them,” she says.
Ms. Braschayko is responsible for 120 employees working on 24 projects in a portfolio UBH needs to complete a claims conversion program. She uses Microsoft Project Server to keep project managers abreast of the latest developments related to each project. They each have home pages from which they can assess plans, manage resources and so on. She also applies a larger, customized risk management tool from Digineer to match mitigation strategies with individual project assignments and due dates.
The tools keep project risks “in front of you all the time so you aren't ignoring things,” Ms. Braschayko says. But software is largely an administrative tool. UBH has an executive steering committee to oversee project progress and periodically reassess risks as well as a user-advisory committee to address stakeholder concerns. Both groups meet monthly, she said. Working groups meet weekly to discuss the schedule of project deliverables, and stakeholders communicate via e-mail and conference call in the interim.
UBH is about halfway through its claims-conversion portfolio, with about two years to go, Ms. Braschayko says. A phased implementation of the results is designed to mitigate risk to the organization. “Don't rush things,” she advises. “Do it in bite-size pieces.”
Bassam Samman, PMP, CEO and Founder of Collaboration Management & Control Solutions FZ, Dubai, United Arab Emirates
The trend in [the Middle East] region is to avoid the most serious risks, even if it means declining to proceed with the project.
BY JAMES T. BROWN, PMP
Organizations must establish a consistent method for evaluating and responding to risk across the enterprise. One obstacle to developing that consistency is people's different attitudes toward risks—and those attitudes may vary according to the circumstance. There are three risk attitudes:
Risk-Averse—You're willing to pay a premium or penalty to avoid risk
Risk-Neutral—Your decisions are based solely on expected monetary value
Risk-Seeking—You're willing to pay a premium or penalty to accept a risk.
The situation is further complicated because a project manager's risk attitude can be a function of how he or she perceives the project's “state of wealth.” The project manager of a “wealthy” project that's on schedule and has an adequate budget may be reluctant to make aggressive or risky decisions because of an underlying risk-averse attitude. Conversely, a project manager of a “poor” project that's behind schedule and over budget may be overly aggressive because of an underlying risk-seeking attitude.
Leaders must take account of the strong biases of risk attitudes on decisions. When dealing with stable projects that are performing well, ask the project manager, “If we had to deliver this project 25 percent sooner or cheaper, what would be the top three recommendations?” This facilitates the risk and reward tradeoff analysis and forces the risk-averse project manager to think risk-seeking.
When addressing project managers who are behind schedule and/or over budget, ask, “If this project wasn't facing scheduling or cost pressures, what steps would we take to ensure a quality deliverable?” This forces the risk-seeking project manager to think risk-averse and allow the current plans of action to be put into proper context.
Dr. James T. Brown, PMP, is president of SEBA Solutions Inc., Viera, Florida, USA, a PMI® Registered Education Provider.
Nevertheless, big wins usually require big wagers. “An aggressive organization will be willing to take more risks if taking those risks would achieve their strategic objectives,” he says.
“Just recently [project portfolio risk management] has taken much more attention” in the Middle East, Mr. Samman says. However, compressed time schedules, intensifying global competition and increased revenue demands of project-oriented organizations should put the issue on every executive and project manager's agenda.
That means having a clear understanding of what “risk” is. “Risks are not only threats,” says Keith Anderson, product manager at Welcom, a project portfolio software company in Houston, Texas, USA. “They're both threats and opportunities.” For most organizations, oil prices are a threat if they go up, but an opportunity if they go down. The same applies for a host of issues; currency fluctuations can bring both positive and negative risks for multinational organizations. Best-practice organizations are increasingly adopting the philosophy that risks are known and unknown factors. They are things that haven't happened, and may not, he says.
The Risk Signature
An organization's risk profile is as individual as fingerprints. It encompasses the company's history, shareholder and executive temperaments, industry and competitive conditions, and priorities and goals. What one company considers risky business may be standard operating procedure at another.
Securing a realistic appraisal of an organization's risk profile can be tricky, though. “Risk management is often thought of as the elephant in the room,” Mr. Anderson says. “It's there, and everybody sees it, but no one wants to look at it.”
Optimal portfolio risk management starts with deep knowledge of the organization's operational, financial and cultural priorities:
Is it financially stable and secure? The balance sheet tells most of this story. Profitable (or at least well-financed) organizations are more risk-tolerant. Companies in turnaround may undertake risky projects but need to account for the impact of those risks on their changing financial condition.
Can current business operations continue alongside forward-looking project work without substantial disruptions to either? Ideally, projects would be completed behind a firewall that seals them off from operations. The reality is projects often must interplay with operations to ensure both align properly in execution. Each project's design and schedule should be assessed for its risk to other projects and to ongoing operations it may affect before, during and after execution.
What are the top-level executives' tolerance for risk and commitment to completion of individual projects? Risk assessment takes into account the resource demands of various departments but may fail to account for human factors. Does a project have an executive sponsor who may leave and orphan the project? Is an executive micromanaging a project, or conversely, wedded to an arms-length approach that delays decision-making? Do executives seem too busy for project updates? Institutionalizing the feedback cycle between the project management office (PMO) and financial or operational executives through efficient, periodic meetings or other structured communications can minimize the unavoidable vacillations introduced by personalities and personnel.
The first serious mistake is to not make risk management part of the project life cycle. All too often, organizations will identify risks and assess risks, but stop there.
—Keith Anderson, Welcom
Nailing down a company's risk profile is made somewhat simpler by the fact that profit—or at least cost reduction—is almost always near the top of the priority list. Whether it's sticking to a budget or demonstrating ROI from specific projects, money tends to focus projects and, as a result, constrain risks.
An often-neglected but key part of risk management is follow-up. Individual project risks may fluctuate over time. Thus, the risk-ROI balance of the entire portfolio can change, necessitating management review, resource reallocation, or even cancellation of individual projects to ensure budgets and deadlines are met.
“The first serious mistake is to not make risk management part of the project life cycle,” Mr. Anderson says. “All too often, organizations will identify risks and assess risks, but stop there. What they are missing is closed-loop management of the risks. This includes actively responding to risks as well as continuously identifying and assessing new risks throughout the project life cycle.” Software products such as Microsoft's Project Server can provide weekly or other periodic networked updates of project status and potential or changed risks, so the PMO can modify schedules and costs as necessary. Monthly or quarterly reviews of portfolio or critical project status by budgetary authorities—often at the finance office or boardroom level—may be necessary to maintain the portfolio's risk-ROI balance. “The overarching thought is to chart [project risk] early and manage it throughout the life cycle,” Mr. Anderson says. PM
William Hoffman is a business and political journalist based in the Washington, D.C., USA, area.
PM NETWORK | MAY 2006 | WWW.PMI.ORG
MAY 2006 | PM NETWORK