Managing risk in the project portfolio
“Project risk analysis,” as described by The Project Management Institute (PMI®), “includes the processes concerned with conducting risk management, planning, identification analysis, response, and monitoring and control on a project;./…” (PMI, 2004, p 237) These processes include risk identification and quantification, risk response development and risk response control.
Because these processes interact with each other as well as with processes in other parts of an organization, companies are beginning to measure risk across all of their projects as part of an enterprise portfolio.
Risk management can be as simple as identifying a list of technological, operational and business risks, or as comprehensive as in-depth schedule risk analysis using Monte Carlo simulation. But because risk is a driver in an organization's growth – the greater the risk, the greater the reward – the adoption of a structured enterprisewide project risk analysis program will give managers confidence in their decision-making to foster organizational growth and increase ROI for their stakeholders.
Choosing the right projects
How well an organization examines the risks associated with its initiatives, how well it understands the way that projects planned or underway are impacted by risk, and how well it develops mitigation strategies to protect the organization, can mean the difference between a crisis and an opportunity.
Examples abound of companies that have seen their fortunes rise or drop based on the effectiveness of their risk management – a pharmaceutical company makes headlines when its promising new drug brings unforeseen side effects. Or a large telecom corporation pours millions of dollars into perfecting long distance, while new technologies are presenting more exciting opportunities.
Today that pharmaceutical is distracted by lawsuits and financial payouts, finding itself with a shrinking pipeline of new drugs. The telecom, on the other hand, after using a portfolio risk management software application to rationalize and rank its initiatives, made the decision to shift its research dollars away from perfecting long distance and into developing VOIP -- rejuvenating and reinforcing its leadership position.
Managing Risk At The Project Level
Before we delve deeper into risk management at the portfolio level, let's look at risk in the individual project. Every project requires a risk management plan that is integrated with the scope of effort, budget, schedule, resource management, communications and work breakdown structure (WBS).
Risk identification consists of determining which risks – both internal and external -- are likely to affect the project. Internal risks are things that the project team can control or influence, such as staff levels or budget changes. External risks are those over which an organization has little or no control and they are many. Events like power outages, supply shortages, labor strikes, storms, vandalism and terrorism are all very real possibilities that must be factored into the potential for project success.
These are all negative risks – or threats. However, there can also be positive risks – or opportunities. For example, a new technology could emerge halfway through the project that reduces time to complete or reduces the cost. These scenarios, both negative and positive, must be considered, analyzed and adjusted throughout the project lifecycle.
“Risk management” may, in fact, be a misleading term. “Confidence management” might be better. How confident is the project team that it can complete the project successfully? Once the team has completed a risk analysis, addressed all possible scenarios, and developed a contingency plan to mitigate the risk, it can feel confident that the project will be successful. (A word of caution: Be careful that the mitigation plan isn't actually more expensive than the original project plan. It's important to do a cost/benefit analysis on the risk response plan before putting it in place.)
A broad range of solutions
There is a wide range of methodologies and software solutions to support decision making in an uncertain world. Examples include probability-impact (PI) tables, what-if analysis, scenario analysis, and analysis using Monte Carlo simulation.
Monte Carlo simulation is a well-established technique that allows the project team to collect historical data and expert opinions, assign weights to both the known and the uncertain parameters, and then run simulations that generate thousands of scenarios -- or potential outcomes. It applies hard risk values to subjective risks, so that they can be measured and studied.
The inputs selected for the repeated analysis are generated randomly – a little like rolling the dice, thus the name Monte Carlo. A series of simulations allows a picture to emerge that shows probabilistic durations and cost to determine a range of finish dates and costs, along with the likelihood of achieving them. Perhaps there's a 30 percent chance of finishing a month early and under budget. Or perhaps there's a 60 percent chance of finishing three months late and severely over budget. With this information, the organization can determine how much it is willing to spend to mitigate the risk.
The analysis can also be done on only one of the uncertainties – rolling just one of the die – while the other factors remain fixed. In this way, the project team can see which risks have the greatest impact on project value, and make the necessary adjustments. For example, if the analysis shows a 60 percent probability that the job will finish three months late, the team might decide to build extra time into the schedule. Again, Monte Carlo analysis can help the project team determine how far it is willing to extend the schedule to mitigate the risk.
And because Monte Carlo simulation is actually running the schedule during the simulations, it takes into account calendars, resources, activities and relationships -- something that a spreadsheet simply can not do.
Assessing risk objectively
Garbage in, garbage out. That mantra from the earliest days of computing, also applies to project risk analysis in the planning and scheduling phase. The goal of assessing risk is to be as objective as possible. If the data entered into the schedule is biased or incorrect, the information generated by the analysis will be invalid.
A good risk analysis solution includes a “schedule check” feature to verify that the project team's schedule has been properly structured. For example, when planning the schedule, there could be an activity that's considered to take 10 days, unless a risk event happens, in which case it could take 20. When the team performs the risk analysis, it's imperative that the schedule has first been updated to reflect the 20 days.
Schedules are dynamic, and so are the risk management processes associated with them. The analysis that is performed at the beginning of a project continues throughout the lifecycle of that project, indicating where adjustments must be made as the project progresses. In this way, the project team will be able to predict where problems may arise and take corrective action.
Risk analysis also works in tandem with other processes within the organization, including Six Sigma and Balanced Scorecard, or earned value tracking, whereby it creates a picture of how far along the project is, and how much is left to do, whether it's money, time, cost, etc.
Risk management software offers a number of tools and techniques to help the project team initiate and monitor the project:
- Templates – Clear communication is necessary to make sure that all the project stakeholders are speaking the same language. For example, will the risk parameters be based on a scale of one to 10, or on a sliding scale of low, medium and high? Many risk analysis software applications offer templates that prompt the project team and create the basis for a library that ensures consistency and facilitates auditing the projects over time.
- Risk workshops -- When a type of project is new to the organization, and therefore offers no historical data, the project team might conduct a risk workshop, a formal brainstorming session facilitated by a risk facilitator, but conducted by the project team. If you can imagine an event, you can assign a probability to it. These workshops extract knowledge from the members of the team about previously performed projects with similarities that can be applied to the new project. If the team does not have enough collective knowledge and experience to undertake the new project, the organization should consider changing the mix in the project team. This information can then be modeled in a risk analysis software solution.
- Risk registers – A risk register, or risk tracker, is a detailed document or database that lists all the risks associated with the project, along with a variety of information that is useful for the management of those risks. Risk registers define the risks -- both threats and opportunities -- and at a minimum, include the risk owner, cause, effect, status, probability and cost, time and customer impacts and fields. They track any detailed actions used to mitigate the probability and impact of risks using a mitigation plan and waterfall charts. They map risk to tasks in WBS items, and define the impact a risk has on each task or WBS item to which it it mapped. Risk registers quantify the schedule and cost impact caused by the risks on the project. They compare pre- and post-mitigation scenarios. And they create and compare custom risk plans. (See Exhibit 1)
Exhibit 1 – A Partial Risk Register
The most severe risks are summarized and adjusted to reflect any previous changes made to reduce a particular risk in the project.
Because risk in one project impacts other projects in the organization, risk registers are often made available to executives via a dashboard. This provides a format for decision-making among all the stakeholders when a project risk threatens the organization as a whole.
Managing Risk Across The Portfolio
Every project considered is tied to a decision to invest the resources of the organization to gain a specific outcome--launch a new IT initiative; design a new building; or undertake an updated human resources program, for example. On the other hand, decisions to outsource a project already underway, put it on hold until more resources are available, or abandon it completely are also considerations for achieving the desired outcome. If a project is misaligned with the values of the organization; not achieving the expected ROI, or in extreme cases, threatening the health of the company; abandoning the project may be the most beneficial course of action.
These decisions can not be made in a vacuum. Every project must be examined within the context of the organization's overall portfolio – its strategic goals, financial and human resources, and of course, its boundaries for acceptable risk. In general, the higher the risk, the higher the return; the lower the risk, the lower the return. Developing a well-balanced mix of high- and low-risk projects reduces risk and maximizes return for the entire organization.
No project is an island
Companies are increasingly challenged by the lack of visibility and control necessary to ensure their business and technology investments fully support the business objectives and goals. Typical transaction systems can track costs by keeping the ledger up to date, but they don't answer critical business questions such as:
- Which investments are strategic and aligned with business need?
- What are our investment priorities?
- What value is being returned to the business for each item or each portfolio?
- If the budget were increased by 3 percent, what would our priorities be?
- How do we coordinate investments across departments?
- Are our investments adequately diversified? Adequately balanced?
Senior executives, unlike project managers, do not evaluate corporate success on a project-by-project basis. They are more likely to look at aggregate cost, value and risk of the overall project portfolio. Chief executives are focused on achieving the objectives of the stakeholders, and whether a particular project succeeds is often of lesser importance. Therefore, a risk management program must be developed that encompasses and protects the organization as a whole.
Start at the beginning, start at the top
Implementing a portfolio risk management program starts at the top of the organization, and involves all the people who are significantly involved in its potential success. Heads of finance, legal, marketing, IT, human resources, outsourced providers, and consultants, for example, all have a responsibility in determining which projects will move the company forward.
The first step is to take inventory. “What projects do we have underway?” “How many people are working on them?” “What applications are we running in our data center?”
For many executives, the answers can be surprising. They may discover that a significant number of projects are initiatives that nobody really cares about. If they've scheduled 125 percent of the company's resources, something isn't going to get done. Further, there is probably no need to maintain 10 different software applications that do the same thing.
The next step is for the organization's leaders to clearly define its goals. What does the company want to accomplish and what business processes does it want to support? Is innovation the Holy Grail? Increased productivity or reduced costs? Building brand awareness? Improving health and environmental conditions for employees? Compliance with government regulations? Bottom line ROI?
The organization must be able to articulate what its assets are --what gives it value -- and then measure them. It must develop metrics that are tailored to its industry and corporate culture -- the metrics for evaluating a new product from a software developer will be quite different from those of a company operating an oil pipeline – and they must include predictive measurements for risk.
Key Enterprise Risk Management Considerations
The best way to characterize risk is by describing the range of possible outcomes, estimating when they will occur, and assessing probabilities. (Merkhofer, 2007) Today, sophisticated software solutions are available that enable companies to apply both qualitative and quantitative metrics to all the components that make up their unique value, and indicate which projects have the greatest impact.
Hard numbers – from the softer side
Portfolio risk management software provides a common framework that establishes the rules of communication, creating a level playing field where pet projects, personality and politics have little influence.
But because people, not computers, will ultimately decide the direction of the company, hard numbers must be given to “soft” issues like knowledge, experience, ideas and opinion. (Human bias and error will always be a factor, but mathematical analysis can also take this into consideration, eliminating the extremes and determining an appropriate average.)
Qualitative analysis plays an important part in the process of assigning weights to business objectives by asking decision-makers to assign a score to certain values that have been previously defined, but that still require personal judgment. For example, level of importance must be assigned to issues like:
- Market trends
- The capability and experience of the project teams
- The political climate
- The geography of the organization and weather threats
- Employee satisfaction and morale
- Customer satisfaction
- Potential organizational changes
- Vandalism, employee theft or terrorism
Just the facts
The resulting numbers must now be added to the score of the known factors. Quantitative analysis is based on fixed components that include:
- Cost of new equipment required and employee training
- New regulations
- Technology in the data center, and its level of maturity
- Net present value
The big picture
This combination of qualitative and quantitative information can then be analyzed in concert with the scores assigned to each of the organization's values -- and its threshold for risk -- not just on a project-by-project basis, but across the enterprise.
This risk analysis provides critical information about the relevant relationships and correlations among proposed initiatives that might include:
- Projects with shared resources and facilities – capacity versus demand.
- Projects with redundancies across business units within the organization.
- Projects not done. If the company decides not to pursue a project to maintain aging assets, for example, the services provided by those assets will be eliminated and must be compensated for by other initiatives.
- Cascading risks. A real estate company's revenues may decline when interest rates rise or local employment drops. But when both happen simultaneously, the effect could be larger that the sum of both individual effects. (Groenandaal, 2006)
- Multi-organization risks, i.e., a 9/11 type event that impacts not only one organization, but many. Worst-case scenario planning can offer the company a competitive advantage over its competitors, should disaster strike.
- The percentage of high- to low-risk projects in the portfolio.
- The availability of suppliers and vendors to close gaps.
The initial risk analysis process is then repeated and initiatives are continuously whittled down until the organization is confident of which to launch, continue, postpone, adjust or eliminate. It is a multidirectional, iterative process in which any component can influence another.
This is particularly critical in organizations mandated to a certain standard by federal or state regulations. As a result of the Clinger-Cohen Act (CIO.com, 1996), for example, federal agencies must submit their business cases to the Office of Management and Budget describing their proposed initiatives – “Here's what we want the money for, here are three or four alternatives we have considered, and here is why this ranked at the very top of our list of priorities.”
For these agencies, or for companies governed by regulations, including Sarbanes-Oxley (Findlaw.com, 2002), which requires directors to monitor and report operational risk; or Basel 2 (Basel2, 2006), which requires banking institutions to have a framework to measure operational risk; enterprise portfolio risk management solutions provide management with the confidence to move forward, confidence that is supported by real data.
Compensating for risk
Once the risks have been identified, they must be mitigated. The initial executive-level review of considered initiatives will eliminate some for obvious reasons – failure could bankrupt the organization or destroy its image. Others will be eliminated from the line-up as a result of risk analysis that indicates a misalignment with corporate goals. The remaining candidate pool of initiatives – the high scorers on the initial risk analysis performed – must now be re-analyzed and reprioritized in connection with their possible mitigation strategies.
Adding time to the schedule, acquiring more resources, bringing in outside expertise, increasing the budget – any or all of these things will deliver a new outcome. Another round of what-if analysis, scenario planning and simulations now must be performed that factors in all the possibilities for reducing the impact of a risk event, along with the costs connected with the proposed mitigation strategies. As we mentioned earlier, in some cases, the cost of “Plan B” might exceed that of the original initiative. The company may determine the cost to be unacceptable and explore different strategies. Or it may decide to absorb the cost and re-analyze how it would effect other initiatives either under consideration or already underway.
This cause-and-effect reasoning ultimately will lead the executive team to select the initiatives it feels confident will grow the company in the right direction. Once it has chosen what endeavors will build value and why, it can begin the process of determining how to execute them. Each initiative is broken down into projects, schedules are developed, project teams are put in place, and projects are launched or continued.
However, that is not the end of the decision-making. It's the beginning of the lifecycle of the initiatives and the projects that support them.
Managing the lifecycle
Because the total cost of ownership of every asset involves every project that ever touched it, the lifecycle of that asset extends beyond the projects that created it. For instance, a software product developed and marketed will require ongoing updates and modifications as new technologies emerge, more companies (or countries) enter the market, or customers experience a shift in their demands.
Further, what looks good today, may not look good tomorrow. So the organization needs to monitor and adjust its initiatives, continuously looking at things that include:
- Measuring performance to ensure that programs and projects are collectively meeting the portfolio strategy;
- Identifying and taking corrective action on programs or projects not in compliance with portfolio objectives and commitments;
- Maintaining effective communication and reporting mechanisms that enable timely, fact-based decision-making regarding projects, programs and the overall portfolio;
- Implementing a process to continuously improve the portfolio. (Ciliberti, 2005)
These endeavors continue to build over time. As each new analysis is conducted, data from previous analyses can be entered into the mix, creating an ever richer environment of probabilities.
Organizations must create a culture that values risk. Accept the fact that the world is a volatile place, things change rapidly, and that bad as well as good things can happen.
The benefits of an enterprise risk management program include:
- Improved communication and active participation among all stakeholders;
- Agreement on a common and shared process for proposing and approving investments;
- A transparent process consistently applied that results in organizational buy-in;
- Rationalization and prioritization of existing investments that can offer savings to the portfolio's value;
- Early identification of troubled programs and projects;
- Freeing up of funds to invest in innovations that contribute to business transformation;
- Lessons learned that can be used to continuously refine the portfolio management process;
- An overall project balance that optimizes business value.
Today, as many companies are increasingly driven by security threats and regulatory compliance, they are beginning to take a much broader view of risk, expanding risk management processes across the enterprise, from IT to product development, product marketing, and beyond. These forward-looking organizations will continue to integrate project risk analysis, portfolio analysis and project management solutions across their investments’ lifecycles.
Risk management processes bring power to an organization.. Industry leaders armed with a “heads up” to the potential for variance from expectations, and the ability to develop appropriate mitigation strategies, can now embrace risk with confidence, and ultimately deliver a better bottom line.
Basel2® (2006) Basel2 Portal Retrieved from http://www.basel2.hk/index.html
Ciliberti, R. April 2005. Using Project Portfolio Management to Improve Business Value. Retrieved on May 28, 2007 from http://www.ibm.com/developerworks/rational/library/apr05/ciliberti/index.html.
CIO.com (1996) Information Technology Management Reform Act (Clinger/Cohen Act) Washington DC: Chief Information Officers Council Retrieved from http://www.cio.gov/Documents/it_management_reform_act_Feb_1996.html
Findlaw.com (2002) Sarbanes Oxley, HR 3763. Retrieved from http://fl1.findlaw.com/news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
Groenendaal, H. and Zagmutt, F.J. 2006, August. Financial Planning for Worst-Case Scenarios. Risk Management Magazine [Electronic Version] Retrieved on May 28, 2007 from http://www.crystalball.com/finplan/papers.html.
Merkhofer, L. 2002-2007. Characterizing Risks with Probabilities. Retrieved on May 28, 2007 from http://www.prioritysystem.com/reasons4c.html.
Project Management Institute. (2004) A Guide to the Project management Body of Knowledge (PMBOK® Guide) Newtown Square, PA: Project Management Institute.
©2007, Richard K. Faris and Dan Patterson
Originally published as part of 2007 PMI Global Congress Proceedings – Atlanta, Ga.