Organisations are taking up the challenge to improve risk management at all levels from project and operations to Enterprise Risk Management. The focus is to ensure that business objectives are met. However, there tends to be a gap in the hierarchical structure of organisations where a strategic approach to risk management is required – the portfolio level.
This article places the portfolio perspective in context, providing some practical insights into how portfolio risk management can deliver significant financial and non-financial benefits. By embedding portfolio risk management into your risk framework, its complementary approach supports risk management maturity across the organisation. In today’s climate of increasing pressure, organisations must focus on managing the risks to meeting their objectives. Portfolio risk management can provide a quick return; so start now – there’s no time to waste.
At any one time, a large organisation may have a significant number of ongoing projects, of varying types, stages and sizes, with different stakeholders, customers, suppliers and deliverables. One thing is certain – these projects will have a significant amount of budget and resources assigned to them; what is uncertain is exactly what benefits they will deliver. Therefore, organisations align their projects with business objectives, in order to ensure they will deliver value. Then, after the business case has been signed off, focus switches to successful project delivery.
However, what is often forgotten is the importance of maintaining the alignment of projects with business objectives, which frequently change over time. Projects are approved with defined scope and cost / time / performance targets; but the environment within which they are executed is constantly evolving. For example:
- External political, environmental and market conditions alter
- Sponsors come and go with regular management reorganisations
- Customer expectations change over time
There are also internal challenges:
- Projects compete for resources and management attention
- Projects are often interdependent, having impact on each other
These challenges are both external and internal to a project’s context, and are all sources of risk to the project’s ability to deliver value. So no matter how good your organisation is at keeping projects on track, they may often be overtaken by events beyond their control.
Different risk management perspectives
In order to understand how to keep project deliverables aligned with business objectives, it is useful to understand the different risk management perspectives in an organisation.
Senior managers are responsible for delivering business objectives, which requires awareness of potential market changes and the political environment, as well as responsibilities for strategic direction and governance. Their role is to deliver shareholder (and/or stakeholder) value.
Project and program managers are focused on the balance of time, cost and performance; juggling resources, managing scope and budgets, identifying opportunities, controlling change, as well as handling the interface with the customer and other projects. Their role is to meet the hard targets set as their deliverables.
Unfortunately, there tends to be a major disconnect between project/program and senior management perspectives, which needs to be bridged for the organisation to perform effectively.
Addressing the disconnect
The first challenge to be tackled is how to improve communication top down and bottom up. Projects will continue on their pre-determined path unless senior managers communicate significant environmental changes that may affect them. Similarly, managers will assume that strategic objectives will be met unless concerns or assumptions about project delivery are brought to their attention.
The second challenge is to ensure that there is a mechanism to respond to these environmental risks that arise. This may require just a simple realignment of the project; but in extreme cases a complete review of the business case and major change or cancellation of the project may be necessary.
Many organisations fail in this area, as their inclination or ability to revisit the original business case under new conditions is limited. And even if they do this, the follow-on decision-making process is often slow, contributing to continued inefficiencies.
Responsibility for identifying such issues is often left up to program and other middle managers; however, they rarely have sufficient oversight of the business or independent objectivity to provide a balanced view.
So, there needs to be some infrastructure in the organisation with responsibility for monitoring and managing risk to business objectives in a proactive and robust way.
Portfolio risk management – the missing link
A major role of the portfolio manager is to assess and approve business cases. However, the responsibility does not stop there – it extends throughout the life of the project. If, at any time, some uncertainty, influence or event threatens the validity of the original business case, then a review should be triggered. If the business case can no longer demonstrate business benefits (independently or relative to other business opportunities) then an appraisal of the options, with recommendations for action, must be reported to senior management for decisions to be made.
Focusing on individual business cases would result in a view of projects and programs that is too narrow. So the portfolio level is responsible for optimisation across a set of projects, with focus placed on balancing risk and reward, in line with business risk appetite. Organisations should see risk taking as a good thing, as long as it is properly understood and managed. This measured approach is the ongoing focus of portfolio risk management.
A major role of the portfolio risk manager is to provide two-way communication of key risk information, and hence assurance that delivery of business benefits is
A framework to manage risks
Risk management is driven from the top. People down through the organisation require guidance to allow them to make judgements on the importance and acceptability of different types of risk. This guidance must include a statement on the organisation’s risk appetite (quantitative and qualitative thresholds and triggers), explicit assignment of responsibilities for ensuring risks are managed, support in prioritising key risk response actions, as well as delegated authority and budgets/resources (management reserve) to carry them out. The behaviours demonstrated top down will drive behaviour down through the organisation.
It is the responsibility of the portfolio risk manager to ensure risk management activities from senior management at the top and all the way down through programmes and projects are functioning efficiently.
Having set up this framework, a good structure is required to ensure both significant tactical risks and strategic business risks are understood, communicated and managed up and down, to inspire confidence, ensure timely decisions are made and maximise business success. For example, a project may identify a tombstone risk (one that, if it were to occur, would kill the project); if no acceptable mitigation response can be found at the portfolio level, then this risk needs to be brought to the attention of senior management, for appropriate action.
A periodic review may show that a project is no longer able to deliver the required benefits and drastic action might be recommended, even though the project is currently performing very well against its original targets. The result will not necessarily be project closure; it may just need to be adjusted to address the risk or match new business needs.
The link with Enterprise Risk Management
Enterprise risk management (ERM) requires proactive involvement from the extended organisation. Portfolio risk management provides a key component of ERM because it glues together organisational silos. Business case preparation and ongoing progress reviews involve input from appropriate functional, operations and logistics departments, as do ongoing assurance and risk management activities. Portfolio risk managers have responsibility for coordinating involvement of various parties; they should be independent of specific business units, functions, programs, etc., to provide an objective view.
Different parts of the enterprise may use different risk guidance, for example PMBOK (PMI) or PRAM (APM) for projects, M_o_R (OGC) or ISO 31000 for wider strategic or business risk. From a portfolio perspective, it doesn’t matter that there are different dialects of risk management across the organisation, as they essentially follow the same basic process.
Implementing portfolio risk management
Very few organisations have moved beyond a very simple implementation of ERM, but many now have reasonably mature project, program and other specialised risk management capabilities in place. Portfolio risk management can assist in raising the profile and maturity of risk management, particularly if your organisation operates a gated approval process. A full disclosure of risk should be provided at each stage of business case appraisal and then through ongoing review and reporting periods. This means that risk at each stage of the lifecycle should be stated, not just the stage currently being reviewed or approved.
Further improvements can be achieved with risk maturity models. For example, some organisations require a project team to demonstrate a minimum level of risk maturity (process and practice). The example below shows a risk maturity model with 7 criteria and 4 levels: Ad Hoc, Initial, Repeatable and Managed. The lowest score determines the maturity of the team – in the example below this is Ad Hoc, shown by the red line.
While it is unlikely to be the responsibility of the portfolio risk manager to measure and improve risk maturity across the organisation, it is a useful measure in business case appraisal. For example, not only does the business case need to be sound, but the team put in place to carry out the project needs to prove itself capable of delivery.
Other areas in which portfolio risk management can provide support are:
- Act as a centre of excellence to support risk management practices
- Support HR in ensuring all staff are trained in risk management
- Promote a consistent approach to risk management
- Run a risk steering group to support proactive communication of risk
- Manage a higher-level budget for show-stopper risks across the organisation
It will also be necessary to implement an Enterprise Risk Management tool, such as Predict!, to identify, assess, manage and provide consistent reporting on risk across the organisation. To deliver joined-up risk management, it is not practicable to operate separate spreadsheet risk registers for different projects, business units etc. A central database repository for assessing risk and approving response actions, with Risk Management Clusters to represent business case entities, is required.
Portfolio risk management – no time to waste
The journey to effective risk management can take some time, but whatever stage your organisation is currently at, portfolio risk management can deliver quick and effective results. Its practical ‘risk to objective’ approach requires only a small number of key top level risks to be identified and assessed against each project, allowing a clear risk profile to be communicated to senior management for timely intervention if required. Any project that does not have clear and current objectives needs to be reviewed immediately.
Once all projects have a risk profile, these should be standardised for review by a wider management group responsible for overseeing projects and programs. Functional managers should be encouraged to identify common risks across projects, so that strategic actions can be identified, saving money by eliminating duplicated lower level actions.
Once risk appraisal across all projects is in place, the portfolio risk manager should be well placed to look back at risks that have occurred and provide advice across all projects on lessons learned. Portfolio risk management is currently underutilised and is therefore an area in which organisations can gain significant competitive advantage. However, the challenge in implementing it should not be underestimated.
Portfolio risk management may be seen as a threat by projects with a vested interest in maintaining the status quo. In an environment where cash is short and resources are stretched, it is likely that an increasing number of projects have an uncertain future. Ensuring continuous alignment with current objectives, even if that means significant change for a project, could in turn save it from closure.
And remember, closing a project isn’t necessarily bad. It could be that it just no longer meets business requirements and closing it will mean that more beneficial projects can then proceed. So start managing risk from a portfolio perspective today – there’s no time to waste.