Abstract
Organisations are taking up the challenge to improve risk management at all levels from project and operations to enterprise risk management. The focus is to ensure that business objectives are met. However, there tends to be a gap in the hierarchical structure of organisations where a strategic approach to risk management is required—at the portfolio level. This paper places the portfolio perspective in context, providing some practical insights into how portfolio risk management can deliver significant financial and non-financial benefits. By embedding portfolio risk management into a risk framework, its complementary approach supports risk management maturity across the organisation. In today's climate of increasing pressure, organisations must get smart about managing risks to meeting objectives. Portfolio risk management can provide quick wins; so start now—there's no time to waste.
The Challenge
At any one time, a large organisation may have a significant number of ongoing projects, of varying types, stages, and sizes, with different stakeholders, customers, suppliers, and deliverables. One thing is certain—these projects will have a significant amount of budget and resources assigned to them; what is uncertain is exactly what benefits they will deliver. Therefore, organisations align their projects with business objectives, in order to ensure they will deliver value. Then, after the business case has been signed off, focus switches to successful project delivery.
However, what is often forgotten is the importance of maintaining the alignment of projects with business objectives, which frequently change over time. Projects are approved with defined scope and cost/time/performance targets; but the environment within which they are executed is constantly evolving (see Exhibit 1). For example:
- External political, environmental and market conditions change
- Sponsors come and go with regular management reorganisations
- Customer expectations change over time
Exhibit 1. Environmental risks impact on projects’ ability to deliver against business objectives.
There are also internal challenges:
- Projects compete for resources and management attention
- Projects are often interdependent, having impact on each other
These challenges are both external and internal to a project's context and are sources of risk to the project's ability to deliver value. So no matter how good an organisation is at keeping projects on track, it may often be overtaken by events beyond its control.
Different Risk Management Perspectives
In order to understand how to keep project deliverables aligned with business objectives, it is useful to understand the different risk management perspectives in an organisation.
Senior managers are responsible for delivering business objectives, which requires awareness of potential market changes and the political environment, as well as responsibilities for strategic direction and governance. Their role is to deliver shareholder (and/or stakeholder) value (see Exhibit 2).
Exhibit 2. Senior manager risk perspective (top down).
Project and programme managers are focused on the balance of time, cost and performance; juggling resources, managing budgets, identifying opportunities, controlling change, as well as handling the interface with the customer and other projects. Their role is to meet the hard targets set as their deliverables (Exhibit 3).
Exhibit 3. Project risk perspective (bottom-up)
Unfortunately, there tends to be a major disconnect between project/programme and senior management perspectives, which needs to be bridged for the organisation to perform effectively.
Addressing the Ddisconnect
The first challenge to be tackled is how to improve communication top down and bottom up (see Exhibit 4). Projects will continue on their predetermined path unless senior managers communicate about significant environmental changes that may affect them. Similarly, managers will assume that strategic objectives will be met unless concerns or assumptions about project delivery are brought to their attention.
Exhibit 4. Top-down and bottom-up communication
The second challenge is to ensure that there is a mechanism to respond to these environmental risks that arise. This may require just a simple realignment of the project; but in extreme cases, a complete review of the business case and major change or cancellation of the project may be necessary.
Many organisations fail in this area, as their inclination or ability to revisit the original business case under new conditions is limited. And even if they do this, the follow-up decision-making process is often slow, contributing to continued inefficiencies.
Responsibility for identifying such issues is often left up to programme and other middle managers; however, they rarely have sufficient oversight of the business or independent objectivity to provide a balanced view.
So, there needs to be some infrastructure in the organisation with responsibility for monitoring and managing risk to business objectives in a proactive and robust way.
Portfolio Risk Management—The Missing Link
A major role of the portfolio manager is to assess and approve business cases. However the responsibility does not stop there—it extends throughout the life of the project. If, at any time, some influence or event threatens the validity of the original business case, then a review should be triggered. If the business case can no longer demonstrate business benefits (independently or relative to other business opportunities) (see Exhibit 5) then an appraisal of the options, with recommendations for action, must be reported to senior management.
Exhibit 5. The portfolio risk management perspective
Focussing on business cases alone would result in a view of projects and programmes that is too narrow. The portfolio level is responsible for optimisation of return on investment (ROI) across projects, provided that sufficient focus is placed on balancing risk and reward, in line with business risk appetite (see Exhibit 6). Organisations should see risk taking as a good thing, as long as it is properly managed. This measured approach is the ongoing focus of portfolio risk management.
Exhibit 6. Bridging the gap between top-down and bottom-up risk management
A major role of the portfolio risk manager is to provide two-way communication of key risk information, and hence assurance that delivery of business benefits is secure.
A Framework to Manage Risks
Risk management is driven from the top. People down through the organisation require guidance to allow them to make judgements on the importance and acceptability of different types of risk. This guidance must include a statement on the organisation's risk appetite (quantitative and qualitative thresholds and triggers), explicit assignment of responsibilities for ensuring risks are managed, and support in prioritising key risk response actions, as well as delegated authority and budgets/resources (management reserve) to carry them out. Finally the behaviours demonstrated top down will drive behaviour down through the organisation.
It is the responsibility of the portfolio risk manager (see Exhibit 7) to ensure risk management activities from senior management down through programmes and projects are functioning efficiently.
Exhibit 7. A framework to manage risks.
Having set up this framework, a good structure is required to ensure both significant tactical risks and strategic business risks are being communicated and managed up and down in order to maximise business success. For example, a project may identify a tombstone risk (one that, if it were to occur, would kill the project); if no acceptable mitigation response can be found at the portfolio level, then this risk needs to be brought to the attention of senior management for appropriate action.
A periodic review may show that the project is no longer able to deliver as planned and drastic action might be recommended, even though the project is currently performing very well against its original targets. The result will not necessarily be project closure; it may just need to be adjusted to address the risk or match new business needs.
The Link with Enterprise Risk Management
Enterprise risk management (ERM) requires proactive involvement from the extended organisation (see Exhibit 8). Portfolio risk management provides a key component of ERM because it glues together areas of the organisation that are often disconnected. Business case preparation and ongoing progress reviews involve input from appropriate functional, operations, and logistics departments, as do ongoing assurance and risk management activities. Portfolio risk managers have responsibility for coordinating involvement of various parties; they should be independent of specific business units, functions, programmes, etc., to provide an objective view.
Exhibit 8. The area of ERM covered by portfolio risk management.
Different parts of the enterprise may use different risk guidance, for example PMI or APM for projects, OGC or ISO3100 for wider strategic or business risk. From a portfolio perspective, it doesn't matter that there are different dialects of risk management across the organisation, as they essentially follow the same basic process as can be seen in Exhibit 9.
Exhibit 9. Similarity among various risk process standards.
Implementing Portfolio Risk Management
Very few organisations have moved beyond a very simple implementation of ERM, but many now have reasonably mature project, programme, and other specialised risk management capabilities in place. Portfolio risk management can assist in raising the profile and maturity of risk management, particularly if an organisation operates a gated approval process. A full disclosure of risk should be provided at each stage of the business case appraisal and then through ongoing reporting periods. This means that risk at each stage of the life cycle should be stated, not just the stage currently being reviewed or approved.
Further improvements can be achieved with risk maturity models. For example, some organisations require a project team to demonstrate a minimum level of risk maturity (process and practice). Exhibit 10 shows a risk maturity model with 7 criteria and 4 levels: ad hoc, initial, repeatable, and managed. The lowest score determines the maturity of the team—in this case, it is ad hoc, shown by the red line.
Exhibit 10. An example of a risk maturity model.
While it is unlikely to be the responsibility of the portfolio risk manager to measure and improve risk maturity across the organisation, it is a useful measure in business case appraisal. For example, not only does the business case need to be sound, but a team needs to be put into place to carry out the project needs to prove itself capable of delivery.
Other areas in which portfolio risk management can provide support are to:
- Act as a centre of excellence to support risk management practices
- Support HR in ensuring all staff are trained in risk management
- Promote a consistent approach to risk management
- Run a risk steering group to support proactive communication of risk
- Hold a higher-level budget for show-stopper risks across the organisation?
It will also be necessary to select an enterprise risk management tool to identify, assess, manage, and provide consistent reporting on risks across the organisation. To ensure timely risk management, it is no longer possible to run separate spreadsheet risk registers for different projects, business units, etc. A central database repository for risk and actions that represent business case entities is required.
Portfolio Risk Management—No Time to Waste
The journey to effective risk management can take time, but whatever stage your organisation is currently at, portfolio risk management can provide quick and effective results. Its practical “risk to objective” approach requires only a small number of top-level risks to be identified against each project, allowing a simple risk profile to be communicated to senior management for timely intervention, if required. Any project that does not have clear and current objectives needs to be reviewed immediately.
Once all projects have a risk profile, these should be standardised for review by a wider management group responsible for overseeing projects and programmes. Functional managers should be encouraged to identify common risks across projects, so that strategic actions can be identified, saving money by the elimination of duplicated lower-level actions.
Exhibit 11. A backward and forward looking approach to managing risk.
Once risk appraisal across all projects is in place, the portfolio risk manager should be well placed to look back at risks that have occurred and provide advice across all projects on lessons learned (see Exhibit 11).
Portfolio risk management is currently under-utilised and is therefore an area in which organisations can gain significant competitive advantage. However, the challenge in implementing it should not be underestimated.
Portfolio risk management may be seen as a threat for projects that have a vested interest in maintaining the status quo. However, in an environment where cash is short and resources are stretched, it is likely that an increasing number of projects have an uncertain future. Ensuring continuous alignment with current objectives, even if that means significant change for a project, could in turn save a project from closure.
Closing a project isn't necessarily bad. It could be that a project no longer meets business requirements and closing it means that more beneficial projects can then proceed. So start managing risk from a porfolio perspective today—there's no time to waste.
Appendix 1. Glossary of Terms
Where 'source’ is in brackets, minor amendments have been incorporated to the original definition.
| Term | Definition | Source |
| Budget | The resource estimate (in £/$ or hours) assigned for the accomplishment of a specific task or group of tasks. | Risk Decisions |
| Change Control (Management) | Identifying, documenting, approving, or rejecting and controlling change. | (PMBOK® Guide) |
| Control Account | A management control point at which actual costs can be accumulated and compared to earned value and budgets (resource plans) for management control purposes. A control account is a natural management point for budget/schedule planning and control since it represents the work assigned to one responsible organisational element on one work breakdown structure (WBS) element. | APM EVM guideline |
| Cost-Benefit Analysis | The comparison of costs before and after taking an action, in order to establish the saving achieved by carrying out that action. | Risk Decisions |
| Cost Risk Analysis | Assessment and synthesis of the cost risks and/or estimating uncertainties affecting the project to gain an understanding of their individual significance and their combined impact on the project's objectives, to determine a range of likely outcomes for project cost. | (PRAM) |
| Enterprise Risk Map | The structure used to consolidate risk information across the organisation, to identify central responsibility and common response actions, with the aim of improving top down visibility and managing risks more efficiently. | Risk Decisions |
| Enterprise Risk Management (ERM) | The application of risk management across all areas of a business, from contracts, projects, programmes, facilities, assets, and plant to functions, financial, business, and corporate risk. | Risk Decisions |
| Left Shift | The practice by which an organisation takes proactive action to mitigate risks when they are identified rather than when they occur with the aim of reducing cost and increase efficiency. | Risk Decisions |
| Management Reserve (MR) | Management Reserve may be subdivided into:
| APM EV/Risk Working Group |
| Non-specific Risk Provision | The amount of budget / schedule / resources set aside to cover the impact of emergent risks, should they occur. | APM EV/Risk working group |
| Operational Risk | The different types of risks managed across an organisation, typically excluding financial and corporate risks. | Risk Decisions |
| Opportunity | An upside, beneficial risk event. | PRAM |
| Baseline | An approved scope/schedule/budget plan for work, against which execution is compared, to measure and manage performance. | (PMBOK® Guide) |
| Performance Measurement | The objective measurement of progress against the baseline. | APM EV/Risk Working Group |
| Proactive Risk Response | An action or set of actions to reduce the probability or impact of a threat or increase the probability or impact of an opportunity. If approved, they are carried out in advance of the occurrence of the risk. They are funded from the project budget. | (PRAM) |
| Reactive Risk Response | An action or set of actions to be taken after a risk has occurred in order to reduce or recover from the effect of the threat or to exploit the opportunity. They are funded from the management reserve. | (PRAM) |
| Risk Appetite | The amount of risk exposure an organisation is willing to accept in connection with delivering a set of objectives. | APM EV/Risk Working Group |
| Risk Event | An uncertain event or set of circumstances, that should it or they occur, would have an effect on the achievement of one or more objectives. | PRAM |
| Risk Exposure | The difference between the total impact of risks should they all occur and the risk provision. | APM EV/Risk Working Group |
| Risk Provision | The amount of budget/schedule/resources set aside to manage the impact of risks. Risk provision is a component part of management reserve. | APM EV/Risk Working Group |
| Risk Response Activities | Activities carried out to implement a proactive risk response. | APM EV/Risk Working Group |
| Schedule Risk Analysis | Assessment and synthesis of schedule risks and/or estimating uncertainties affecting the project ability to meet key milestones. | (PRAM) |
| Schedule Reserve | The schedule component of management reserve. | APM EV/Risk working group |
| Specific Risk Provision | The amount of budget/schedule/resources set aside to cover the impact of known risks, should they occur. It is not advisable to net opportunities against threats and so a separate value is calculated for each. | APM EV/Risk working group |
| Threat | A downside, adverse risk event | PRAM |
| Uncertainty | The spread in estimates for schedule, cost, and performance arising from the expected range of outcomes. Often referred to as estimating error. | APM EV/Risk Working Group |
| Uncertainty | The spread in estimates for schedule, cost, performance arising from the expected range of outcomes. Often termed estimating error. | APM EV/Risk Working Group |
