Abstract
Risk management can quickly become a gamble if models are not understood and the complexity of dependencies and their impact on risk is underestimated. This paper explores portfolio risk management from both a conceptual and practical perspective with an emphasis on the identification and qualification of interdependencies in portfolios and the potential effect on portfolio risks, based on consulting work and research conducted by the author (Arlt, 2010). The demonstrated activities are tied in with the Project Management Institute's (PMI®) The Standard for Portfolio Management – Second Edition (PMI, 2008b), A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (PMI, 2008a), and the Practice Standard for Project Risk Management (PMI, 2009). The paper discusses first steps in identifying portfolio risks, rather than attempting to provide a comprehensive portfolio risk model. Different types of interdependencies between portfolio components are discussed, which contribute to the overall risk of the portfolio.
Introduction
Financial risk management has made headlines over the past two years in light of widely unexpected and drastic market corrections and the failure of financial risk management models to predict and adequately manage market and credit risk. While project and portfolio risk management distinctly differ from the risk management of financial instruments, some lessons can be learned and, despite the recent challenges, certain financial risk management tools and techniques deserve careful adaptation.
Until the recent financial market collapse, financial risk management had evolved to become a highly regarded discipline with sophisticated quantitative models for the analysis of market, credit, and operational risks. Executives and risk managers had been highly confident that nonsystemic risks associated with individual financial products and systemic risks of the markets—despite their complexity—were well understood and appropriately managed. The collapse of financial institutions like American International Group, Inc. (AIG) and Lehman Brothers and the implosion of credit markets demonstrated that the highly sophisticated and trusted risk models did not pass their ultimate stress test. While there is no consensus opinion on the root causes for the failure of financial risk management, the impact of the crisis could be measured clearly: trillions of dollars of assets were wiped out, the supply of credit collapsed, prospering economies fell into severe recession, unemployment rose significantly, etc.
However, at least one of the weaknesses of current financial risk management models has become apparent: models that suggested preparedness for worst-case scenarios (e.g., through the withholding of capital reserves) either did not account for the unlikeliest of unlikely scenarios or risk managers simply ignored them due to their extremely low probability. In other words, while 99.9% of scenarios were considered, the 0.1% chance for a worst-case scenario outside of those 99.9% was not considered. As it turned out, it is especially the tail ends of the distributions of risk, rather than the more likely scenarios of the distribution (see Exhibit 1), that make risk management interesting.
Exhibit 1. Probability Distribution
What Taleb (2010) calls a black swan event illustrates how blind trust in theoretical models, the sole reliance on historical data and the confusion of probability with certainty can lead to severe unexpected consequences. The metaphor of the black swan refers to the conventional wisdom that no such animals existed, proven by centuries of empirical data, until the discovery of black swans in Australia, which disproved this seemingly solid theory. While the financial market collapse is a perfect example for such black swan, the recent oil spill from the exploration project in the Gulf of Mexico should remind project managers of the possibility of such highly unlikely events with extreme consequences that most likely would not have appeared in project managers’ risk logs. Both the financial market collapse and the oil spill illustrate the need for a deeper understanding and a process of managerial judgment that goes beyond the application of quantitative risk management tools and techniques. Financial risk management further illustrates the complexity in portfolio risk management: portfolios consisting of a large number of components—in this case financial instruments—not only require the understanding of risk for each individual component, but also the ability to understand correlations between the components of the portfolio and volatility over time. This notion can be applied to project portfolios as well; the cumulative risk of a project portfolio is a function of the risk of each project in a portfolio, but further depends on interdependencies between projects, which may—just as risks for individual components—change over time.
Project and Portfolio Risk Management
A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Fourth Edition and the Practice Standard for Project Risk Management describe project risk as “an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project's objective.” Furthermore, risk management in the project context is performed “to increase the probability and impact of positive events, and decrease the probability and impact of negative events in the project” (PMI, 2008a). The Practice Standard for Project Risk Management adds the objective to “identify and prioritize risk in advance of their occurrence, and provide action-oriented information to project managers” (PMI, 2009). One aspect not captured in this definition is the balance between benefits achieved from risk measurement and management efforts on the one hand, and the effort (and associated cost) required to perform risk management on the other hand. This aspect is covered in Hubbard's definition of risk management as a “coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events” (Hubbard, 2009).
Exhibit 2. Risk Management in the PPM Life Cycle (PMI, 2008b)
The Standard for Portfolio Management – Second Edition describes four elements of the risk management process at the portfolio level, which are embedded in the project portfolio management (PPM) process (see Exhibit 2). As part of the portfolio selection phase, which PMI refers to as the “Aligning” Process Group, portfolio risks are identified and analyzed, and subsequently, portfolio risk responses are developed. During the execution of the projects and programs in a portfolio, where portfolio management performs “Monitoring and Controlling” activities, portfolio risks are monitored and controlled (PMI, 2008b).
Furthermore, PMI's Standard for Portfolio Management—Second Edition differentiates between three types of portfolio risks:
- Component risks, which constitute the risks of individual components in a portfolio (i.e., projects, programs, sub-portfolios and other related work, as per PMI's definition of portfolios),
- Structural risks, “associated with the way in which the portfolio is composed and the potential interactions among the components,” and
- Overall risks, which result from the “interaction between component risks [that] can lead to the emergence of one or more overall risks” and the “quality of the organization's portfolio management.”
While The Standard for Portfolio Management – Second Edition does not provide significant detail in regards to these three portfolio risk types, some similarity to the classification in financial risk management can be observed, where the overall portfolio risk is a function of individual risks of its portfolio components (nonsystemic risk) and portfolio-level risk (systemic risk), which includes interdependencies that exist between portfolio components. These interdependencies may either amplify or reduce risk at the portfolio level. As in financial risk management, risk diversification may occur in project portfolios: e.g., a large number of projects may experience cost overruns, offset by other projects, which are completed below budget (Kendrick, 2009). The amplification of risks can be demonstrated with another example: the risk of the successful delivery of a software development tool may increase the risk of the successful development of the actual software for which the tool is intended to be used. Meanwhile, the pursuit of two parallel product development efforts that aim at the achievement of the same or similar benefits may lead to reduction of the risk that the respective benefit is achieved.
Parallels between financial and project portfolio risk management have been drawn previously; however, the applicability of quantitative methods and techniques from financial risk management to the PPM domain is limited. In fact, Harry Markowitz, the father of Modern Portfolio Theory (MPT) for financial instruments and markets, suggested that MPT is of limited use for selecting project portfolios and portfolio risk management. The nature of projects, which deliver benefits over time and require specific resources and skills versus the immediate impact of the acquisition of a financial instrument, and the characteristic of projects as “unique endeavours” versus the commoditized nature of financial instruments clearly limits the applicability of MPT to PPM (Harder, 2002).
Interdependencies and Risk
Three types of interdependencies between components and their impact on portfolio risk are discussed conceptually and illustrated for a sample portfolio:
- Outcome interdependencies: The achieving of the outcome of a component is dependent on the achieving of the outcome of another project
- Schedule interdependencies: A project's timely start or completion is dependent on the timely start or completion of another project (or a work package within the project), similar to task interdependencies within a project schedule
- Resource interdependencies: A project hinges on the use of the same resources or skills as another project
Outcome interdependencies exist, as portfolios may contain projects that have to be executed in a certain sequence, as the delivery of an outcome hinges on the success of another project. This can be illustrated with product-technology roadmaps by “displaying the interaction between products and technologies over time, taking into account both short- and long-term product and technology aspects” (Groenveld, 1997). The realizing of certain base technologies, i.e., platforms, will enable the development of products that are based on the respective platforms. Consequently, the risk associated with the successful achievement of the outcome of a platform development project will impact the probability of success for the actual product development project.
Exhibit 3 illustrates the outcome interdependencies for a product roadmap of a subset of projects in a software development portfolio, which aims at developing various products and capabilities. The described subset depicts a project that delivers new development tooling (P1), which increases productivity, speed, and quality for the development of new web-based applications (P2, P3, P4). In the example, an unsuccessful pursuit of P1 would lead to greater risk in the attainment of outcomes of projects P2, P3, and P4. Similarly, the successful delivery of the “Application & Data Integration Tool” is the prerequisite for the development of an integrated product suite; if the expected outcome of P5 is not achieved, risks for the product integration (P6) of the three applications increases.
Exhibit 3. Outcome Interdependencies in Roadmap Format
The implication of such outcome interdependencies is evident: similar to a critical path in project planning, it must be understood that the risk of not delivering P1 and P5 successfully has far greater consequences than the potential impact to the project itself, as other components in the portfolio are adversely affected.
Exhibit 4 provides an example of a view of project schedule interdependencies. Portfolio-level Gantt charts provide a familiar tool for experienced project managers. Their use on the portfolio level allows evaluating what projects in a candidate portfolio are realistically implementable within a given time frame, i.e., fiscal year, and what projects are not even feasible. From a risk perspective, schedule variance of individual components will impact the portfolio-level schedule, and therefore impact fiscal year funding needs for the portfolio.
Exhibit 4. Schedule Interdependencies as a Portfolio Gantt Chart
Resource interdependencies have been recognized as a significant challenge of PPM (Engwall & Jerbrant, 2003). Many PPM software solutions have implemented algorithms for portfolio optimization (Laslo, 2009); however, the management of resource interdependencies remains complex—especially for large organizations—for several reasons:
- With regard to granularity, accuracy and completeness of skill sets captured in the resource database, does a meaningful classification of skill sets exist? For most project organizations the designation “Technical Project Manager” would not suffice, because it does not provide sufficient information about the degree of experience and technical expertise. In reality, resource requirements are often more specific than what is provided in a resource database.
- Skill sets of individuals evolve over time and teams change constantly. For example, learning effects from consecutive projects need to be anticipated and reflected upon; for example, resources used on one development project, which have acquired a certain specialized skill set, also may be required to be deployed on another similar or follow-up project.
- Soft skills aspects and organizational politics can hardly be captured in resource management systems but play an important role in reality, e.g., to avoid the assembly of dysfunctional project teams.
Identifying resource-related risks that result from interdependencies should focus on aspects that reach beyond the mechanics of matching skill sets against resource needs, including aspects such as the following:
- Resources or teams that must or should work on consecutive projects, due to learning effects, i.e., skills acquired progressively throughout the projects (i.e., consecutive R&D efforts that require the exact same research teams)
- Resources that should or should not be involved in certain projects due to cultural or political conflict with other team members or project stakeholders in the respective project or other linked projects.
Stakeholder management tools, such as power-influence diagrams or the Stakeholder Circle™ (Bourne, 2006), may be useful for the identification of resource risks in portfolios, however, a more advanced tool that focuses on the portfolio aspects of resource risks has yet to be developed. Some recommendations can be followed to properly manage portfolio risks: portfolio managers should constantly revisit interdependencies and risks and do so from different angles and include the wisdom of all stakeholders and outsiders with different perspectives on the portfolio. Brainstorming techniques can be applied for the identification of the previously discussed highly unlikely, high impact risk scenarios, which may lead to the further elaboration of such risk scenarios with catastrophic outcomes and the evaluation of both necessity and cost of contingency scenarios. While such extreme risk scenarios in most cases cannot be hedged or reduced, they should at least be recognized and analyzed.
Qualifying and Quantifying Portfolio-Level Risks
Outcome, schedule, and resource interdependencies contribute to portfolio-level risks that can be identified with the tools and techniques previously illustrated. However, fully qualifying and quantifying such risks is a more challenging task. Project managers typically determine the magnitude of a risk as a product of probability of an adverse effect occurring and the expected impact.
Financial risk management has provided a large array of quantitative techniques for risk management. Despite the previous discussion of model failure in the context of the recent financial crisis and the limited applicability of MPT to PPM, some techniques can be used. For example, Monte-Carlo Simulation can be used to simulate portfolio risk for schedule dependencies.
Other techniques include tree maps to calculate risks from projects with outcome dependencies, as applied in the calculation of the Expected Commercial Value (ECV) from a development effort. ECV calculates the future stream of earnings from the projects, the possibilities of both commercial and technical successes along with commercialization and execution costs. For the portfolio illustrated in Exhibit 5, which consists of a development and a product launch project, the probability of development success is Pds and the probability of commercial success post launch is Pcs, while the project cost for development (D) and commercial launch (C) and present value (PV) of future earnings are further variables that contribute to the Expected Commercial Value: ECV = [(PV×Pds – C)×Pes]–D
Exhibit 5. Determining the ECV (Cooper et al., 2001, p. 35)
For more complex scenarios, decision tree analysis can be combined with Monte-Carlo Simulation, which allows—instead of the calculation of discrete values for risk—probabilistic statements, such as the following: “under the given assumptions, there is 95% probability, that the commercial value will exceed $10 million.”
Such probabilistic statements are very valuable for decision-making, as long as they are properly interpreted by the decision-maker: the above probabilistic statement implies that there is a 5% probability of losses over $1 million, and even a chance that such losses may far exceed that number. Such relatively unlikely events need to be considered, even if managers decide to accept the risk of their occurrence. Furthermore, the statement “under the given assumptions” points in the direction of potential risk management failure through misunderstanding risk models and their assumptions. As the financial markets meltdown demonstrated, such model risk can create a false sense of security from quantitative risk management that may lead to catastrophic consequences.
Conclusion
Although there is to date no complete model for the management of risk at the project portfolio level, an understanding of interdependencies of portfolio components and the associated risks should point in the right direction. Project portfolio managers shouldn't fall into the same trap as financial risk managers when it comes to risk management. Jan L.A. van de Snepscheut was quoted as saying, “In theory there is no difference between theory and practice. But, in practice, there is”—risk models are an aid for decision-making but not a replacement and their diligent use requires a thorough understanding of the mechanics and assumptions of the models.
PPM constitutes an emerging discipline in the field of project management and overall maturity in the majority of organizations can be described as low (Arlt, 2009). In this regard, portfolio-level risk management warrants significant exploration in both theory and practice in order to better understand overall portfolio risk and manage it accordingly.