Risk management at the portfolio level--what we can learn from insurance companies
Organizations often burden each project with bearing not only the cost associated with managing risks, but also with including in their budget the cost of the potential risk outcomes. If all costs for all potential risks are included in the project budget, the project will become cost prohibitive. If statistical analysis is done and probability of occurrence is used to come up with a risk “insurance policy”, then some of the project in the organizations will be over budget – because they were hit with more negative impacts than statistically expected, while others will be under budget – because they were hit with fewer than statistically expected risk event related costs.
What becomes important to the organization is that risks are properly identified and managed, and that the organization is not taking more project risks that it can bear. The proposal is to make the risk contingency budget like an insurance policy that is held for all projects at the portfolio level. In effect, what the organization wants is that whereas individual projects may come over or under their risk budget, at the project portfolio level the risk related expenditures are always under or at budget.
Whereas we are not advocating stopping risk management at the project level, the model proposed in this paper is one where project risks management is done at the portfolio level using lessons learned from the insurance company. Both the mitigation strategies and the cost of potential outcomes are shared by all the projects within the portfolio. Thus, Portfolio management will aid in selecting the right mix of projects for an organization, and be used to manage the risks associated with the mix of projects within the portfolio.
Project Portfolio and Risk Management
In recent years Project Portfolio Management has become more widely adopted by organizations. The importance of this discipline is evidenced by the increase in tools available to aid in managing the organization's project portfolio.
Project Portfolio Management Defined
Portfolio management ensures that the collection of projects chosen and completed meets the goals of the organization.
Project portfolio management has six major responsibilities:
- Determining a viable project mix, one that is capable of meeting the goals of the organization
- Balancing the portfolio, to ensure a mix of projects that balances short term vs. long term, risk vs. reward, research vs. development, etc.
- Monitoring the planning and execution of the chosen projects
- Analyzing portfolio performance and ways to improve it
- Evaluating new opportunities against the current portfolio and comparatively to each other, taking into account the organization's project execution capacity
- Providing information and recommendations to decision makers at all levels (Kendall & Rollins, 2003)
Project Portfolio Management and Risk
The idea of having risk management at the portfolio level is not new. How many high-risk projects does the company want or is capable of sustaining? This factor must be known by the portfolio manager and taken into account when assessing the portfolio and making recommendations. If the company's cash flow situation suddenly becomes very poor, the portfolio will need to be balanced differently. If the company's shareholders expect huge breakthroughs in product development or new markets, the risk and reward factors in the portfolio need to reflect these expectations. (Kendall & Rollins, 2003)
Strategic selection of projects MUST include assessment of the overall risk included in the portfolio. Too much risk in the strategic project portfolio spells a risky organizational strategy as the company will be betting its future on uncertain outcomes. Too little risk may be a measure of not enough strategic thinking. The organization might believe that “nothing ventured, nothing lost” – but often nothing gained. In a competitive business environment not taking any risks often means being left behind as you see your consumer base being taken away from you by innovative competitors. However, risk must be commensurate with rewards. A project that contributes with very high risks and very low return in most cases is not a wise investment.
The difference in the model that is being proposed here is at the portfolio level, the Project Portfolio Manager / Program Management Office is not only going to have an active role in the risk identification, but also in the qualitative and quantitative risk analysis, the risk response planning, and especially, the risk monitoring and control. These roles are not commonly part of project portfolio management.
Risk Management and Insurance
Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk. In general, the strategies employed include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. (Wikipedia)
Insurance, in law and economics, is a form of risk management primarily used to hedge against the risk of potential financial loss. Insurance is defined as the equitable transfer of the risk of a potential loss, from one entity to another, in exchange for a premium and duty of care. (Wikipedia)
The objectives of Project Risk Management are to increase the probability and impact of positive events, and decrease the probability and impact of events adverse to the project. (PMI, 2004)
There are two major segments for the Insurance Industry: Property & Casualty, and Life & Health. Property & Casualty Insurance covers damage to or loss of policyholders' property and legal liability for damages caused to other people or their property. Property/casualty insurance includes auto, homeowners and commercial insurance.5 For this time of insurance, the companies gather as much information as they can regarding the location where the insured asset resides and has the actuarial department performing statistical analysis on the information. A large insurance company in the Northeast has a database containing all of the fault lines, flood planes, etc. for the United States. When a person wants to insure a property, the database is consulted to see what risk factors threaten the property.
The risk factors determine whether or not the property is insured, and what the premiums will be. For auto insurance the companies have statistics about theft and accidents in the area where the car is going to be housed, as well as information about the drivers to be insured. A car housed in East Las Vegas will pay additional insurance when compared to the same car if it was housed in Henderson, 5 miles away. A $75 fine on a moving violation, translates to $150 additional insurance a year for several years. This is because the insurance company in order to minimize the risk in their portfolio performs quantitative risk analysis.
Life Insurance is a policy that combines protection against premature death with a savings account either as cash value or as investments in stocks, bonds, and money market mutual funds. (III, no date) Death is only one of two certainties in life. So how can insurance companies make money while providing life insurance? The key once again lies in information, statistical analysis, and learning from adverse events. When you apply for a life insurance policy, the company finds out information about the health risk factors such as smoking, dangerous hobbies (e.g., skydiving) or occupation (e.g., test pilot), life expectancy for your location, etc. In the early 1980's AIDS was virtually unknown. Individuals diagnosed as HIV positive or with AIDS where able to obtain insurance policies, which the companies had to pay when the insured died prematurely. Insurance companies learned from this, and for more than 10 years now insurance companies require for applicants to take an HIV test before they will insure them.
The policies in the Health Insurance sector provide benefits packages that policyholders pay a premium to enjoy health care services, and include fixed-fee policies and managed care networks. In this sector, the insurance companies struggle to keep costs down and make money. As a result of escalating health care costs, insurance companies increase their health insurance premiums yearly. This shows that whereas the insurance companies have been unable to control the escalating costs, they still manage the risk in their portfolio in this line of business.
Insurance companies are profitable. Property and casualty insurers netted $40.5 billion in profits and increased the industry surplus to more than $400 billion in 2004. Canada's insurance companies are coming off a record year, with $2.63 billion in profit in 2003, a 673 per cent increase over the previous year. So they are managing the risk in their portfolio effectively and there is much that we can learn for project risk management.
Conventional insurance works by pooling the risks of many people or firms, all of whom might claim but in practice only a few actually do. The cost of providing assistance to those that claim is spread over all the potential claimants, thus making the insurance affordable to all.5 The basic tenet of this paper is that for project management, the pooling of risks should be done at the portfolio level, thus making project risk management affordable for all projects.
What Can Portfolio and Project Risk Management Learn from Insurance Companies?
Know the risks in your project portfolio! Insurance companies understand the risk at the individual level. They understand what are the contributing risk factors based on information and statistical analysis.
Control the risks in your project portfolio! Insurance companies do not undertake undue risks. Private firms are unwilling to provide insurance if they are uncertain about the likely cost of providing sufficient cover, especially if it is potentially unlimited. (Economist, no date)
Understand the risks in your project portfolio! Insurance companies understand the risk at the portfolio level Insurance companies look at the types of policies issued and their risks and refuse to insure additional participants that have risk characteristics that are pervasive in their portfolio. Whereas insurance agents sell at the individual level, actuarial department also looks at the risk in the portfolio. The decision to insure a specific asset is made on the collective understanding of the risk being undertaken. As a result, the portfolio risk is diversified.
The Project Portfolio “Insurance Company” Initiative
When the organization implements the Project Portfolio Insurance Initiative being proposed here, Project Managers continue to manage the risk at the project level, but Portfolio Managers manage the risk at the portfolio level. Individual projects assess their risk factors; perform qualitative and quantitative risk analysis which will help determine the “insurance” premium that they must contribute to the project portfolio for the portfolio risk management.
Since the risk is being actively managed at a higher level, risk factors and risk assessment are consistent for all projects. The insurance premiums are collected from individual projects based on information and statistical analysis rather than on best guesses.
Because the organization actively manages the projects within the portfolio, lessons learned are collected for all projects, which include risk information, such as risks identified for the project, risks successfully managed, and identification of successful and unsuccessful risk management strategies. Moreover, lessons learned information collected and warehoused at the portfolio level. The portfolio manager or program management office will be responsible for the maintenance and update of the Lessons Learned Database, which at project initiation all project managers will be able to consult to help identify potential project risk factors and strategies. Lessons learned become institutional rather than individual.
In this model, Risk monitoring and risk analysis at the portfolio level. However, statistical analysis of risks still continues to be performed at the project level, but additional analysis performed at the portfolio level. This way common risk factors shared by multiple projects can be identified, and shared strategies can be implemented. This way risk management and response costs can be reduced.
An important part of this model, the financial management of the pooled funds for risk events is done at the portfolio level. The goal is to have at the portfolio level sufficient funds to cover the risk events that do happen without overburdening individual projects. Unlike insurance companies, the goal is not to make a profit on the insurance premiums, but to collect sufficient money to cover all the risk adverse impacts that happen to the projects within the portfolio. Most important, funds associated with risk management, risk response, and risk contingency are not part of the project P&L.
It is important to remember that having the financial coverage performed at the Portfolio level does not relieve the Project Manager from managing risks. This is the same as when you take auto insurance – just because you have insurance, it does not mean that you drive recklessly or you leave your car unlocked with the keys in the ignition!
The project manager can concentrate on managing the project and its risks, rather than worrying about whether s/he can improve project profitability by not spending the risk management budget. Thus, the project budget and project profitability are not separated from the risk management.
Since the project portfolio is aligned with the organization strategic direction, it has the attention of senior management. Therefore, risk management will get higher executive level of attention.
With more fact based, more focused portfolio risk management; projects in the portfolio will have a better probability of achieving positive, rather than adverse, outcomes.
Cappels, T. M, (2004) Financially Focused Project Management. Boca Raton, Florida: J. Ross Publishing.
Economist (no date) Glossary of Terms Retrieved from www.Economist.com,
Insurance Information Institute,(no date) Glossary of Terms, Retrieved from http://www.iii.org/media/glossary/
Kendall, G. I. & Rollins, S. C., (2003) Advanced Project Portfolio Management and the PMO: Multiplying ROI at Warp Speed. Boca Raton, FL: J. Ross Publishing.
Kerzner, H., (2000) Applied Project Management: Best Practices on Implementation. New York, NY: John Wiley & Sons, Inc.
Kerzner, H. (2001) Strategic Planning for Project Management Using a Project Management Maturity Model. New York, NY: John Wiley & Sons, Inc.
Manas, J. (2006) Napoleon on Project Management: Timeless Lessons in Planning, Execution, and Leadership. Nashville, TN: Thomas Nelson Publishers.
Project Management Institute. (2004) A guide to the project management body of knowledge (PMBOK® Guide) (3rd Ed.). Newtown Square, PA: Project Management Institute.
Rad, P. F. & Levin, G. (2002) The Advanced Project Management Office—A Comprehensive Look at Function and Implementation. Boca Raton, Florida: St. Lucie Press.
Wideman, R. M. (ed), (1992) Project and Program Risk Management: A Guide to Managing Project Risks and Opportunities. Newtown Square, PA: Project Management Institute.
Wikipedia, (no date) Retrieved from http://en.wikipedia.org/
Wysocki, R.t K. & McGary, R (2003) Effective Project Management, Third Edition. New York, New York: John Wiley & Sons, Inc.
© 2006, Jacqueline S Luciano, MA, MS, CCP, PMP
Originally published as a part of 2006 PMI Global Congress Proceedings – Santiago, Chile