PPM 101 – Portfolio Risk Management

Portfolio risk management enables organizations to protect portfolio investments and balance the level of risk in the portfolio. Organizations focused on improving their portfolio management discipline will be in a position to begin portfolio risk management after they have established work intake and prioritization processes. The COVID-19 crisis with its massive impact on companies and industries is a recent example of why it is important for organizations to establish project portfolio risk management processes to safeguard the portfolio and its value. This post will provide a complete overview of portfolio risk management.

What is Portfolio Risk Management?

The common view of portfolio risk management involves processes to identify, assess, measure, and manage risk within the portfolio. These steps are similar in procedure to traditional project and program risk management. However, unlike project risk management, which is focused on events that could impact the project, portfolio risk management is focused on events that could impact the accomplishment of strategic objectives. The scope of portfolio risk management is far broader than program and project risk management and requires senior leadership involvement.

In our overview of project portfolio management, we highlighted that the goal of portfolio management is to maximize business value delivery. Portfolio risk management is an important success factor in an organization’s ability to deliver more business value. Organizations that proactively manage portfolio risk are better equipped to take on more risk, increase portfolio value, and have a higher rate of successful project delivery. Organizations that ignore portfolio risk management will sub-optimize their project delivery and potentially jeopardize high-priority projects. For this article, we will refer to risks as having a potential negative impact on the portfolio, and opportunities as having a potential positive impact on the portfolio.

There are two important components of portfolio risk management: portfolio risk tolerance and the risk management of specific portfolio-level risks. Both components help protect portfolio delivery, but in different ways. We will start with the more traditional view of portfolio risk management and then address how organizations can manage the risk tolerance within their portfolio. The diagram below shows how portfolio risk management fits within the portfolio lifecycle.

Portfolio Risk in the Portfolio Lifecycle

Managing Portfolio-Level Risks

The common view of portfolio risk management involves managing specific portfolio-level risks. These are risks that jeopardize the successful completion of strategic goals. The purpose of portfolio risk management is to increase the likelihood of positive events and decrease the likelihood of negative effects impacting the project portfolio. This aspect of portfolio risk management largely occurs during the ‘Protect Portfolio Value’ lifecycle phase.

The Project Management Institute says that portfolio risk “is an uncertain event, set of events or conditions that if they occur, have one or more effects, either positive or negative, on at least one strategic business objective of the portfolio”.  According to Rachel Ciliberti, portfolio risk management “includes processes that identify, analyze, respond to, track, and control any risks that would prevent the portfolio from achieving its business objectives. These processes should include reviews of project-level risks with negative implications for the portfolio, ensuring that the project manager has a responsible risk mitigation plan.” Organizations that want to improve the delivery success of their projects need to establish portfolio risk management processes.

Types of Portfolio-Level Risks

Before covering the portfolio risk management process, let’s first look at the common types of portfolio level risks: external business risks, internal business risks, and execution-related risks.

External Business Risks

External business risks are events in the external environment that are outside of the control of the company. Examples include:

  • Disruption in the industry (e.g. customer trends such as having needs met through new technology or services)
  • Changes to competitors (e.g. mergers and acquisitions)
  • Economic conditions (e.g. recessions)
  • Political environment (change of political party that could influence future business developments)
  • Regulatory changes
  • New legal requirements
  • Natural events (e.g. COVID-19)

Any of the above external business risks can prompt a change in business strategy, which can result in certain projects becoming obsolete since they no longer match the business strategy. This can cause significant disruption to the current portfolio and requires strong portfolio governance to adapt to external changes.

Internal Business Risks

Internal business changes or disruptions can impact project and program delivery. Some examples of internal business risks include:

  • Operational challenges: operational challenges such as impacts to a supply chain, delays in launching a new major product or service, or even inadequate business processes can all impact project delivery. Depending on the scope of the Portfolio Governance Team, budget and resources may be available to address these challenges.
  • Leadership/organizational changes: senior leadership changes can affect or influence project priorities and strategic direction. Organizational changes can impact resource teams and project delivery. When these events occur, the Portfolio Governance Team should identify ways of minimizing the negative impact on inflight projects.
  • Portfolio Governance: Portfolio governance is an integral part of portfolio management. Strong portfolio governance enables the organization, and the company, to reap the benefits of portfolio management. When portfolio governance quality degrades, the quality of portfolio management decreases also. The Portfolio Governance Team Chairperson must ensure that portfolio processes are adhered to and attendance at portfolio meetings is strong in order to carry out portfolio management tasks.
  • Financial health: the cash position and revenue forecasts can greatly affect active projects. If a company’s revenue forecast is significantly below plan, it can signal the need to pause or cancel in-flight projects.

Execution-Related Risks

Execution-related risks include major project risks that impact two or more other projects, project dependencies, limited resource capacity, and project management quality.

  • Major Project Risks: some project risks are so severe in their impact that they could jeopardize the delivery of other projects. In these cases, the individual risks can be escalated to the Portfolio Governance Team and monitored at the portfolio level.
  • Project Dependencies: project dependencies pose a great risk to individual projects and to the portfolio as a whole. The larger the number of interdependent projects, the greater the likelihood that the portfolio will be at risk by a schedule slide from any of those projects. In order to maintain consistent project delivery, both the project managers and the Portfolio Governance Team should actively monitor the critical path between dependent projects, which will help both sides anticipate potential schedule slides.
  • Limited Resource Capacity: overutilized resource teams can significantly impact portfolio performance. The Portfolio Governance Team needs to monitor utilization of critical resources and ensure resource teams are working according to established priorities.
  • Project Management Standards: weak project management quality directly affects project delivery. One function of a Project Management Office (PMO) is to ensure the application of good project management discipline to the delivery of projects. The PMO can directly improve project management quality through training and hiring experienced senior project managers (or consultants).

Portfolio Risk Management Process

In this section we will cover the processes of managing specific portfolio risks. According to PMI’s Standard for Portfolio Management, there are four primary portfolio risk management processes:

  • Identify portfolio risks—Portfolio risks may come from several directions. Major project risks are one component of portfolio risks and should be reviewed on a regular basis during portfolio review meetings. Other portfolio risks will be identified by the Portfolio Governance Team.
  • Analyze portfolio risks—The most serious project risks are communicated to the Portfolio Governance Team at a portfolio governance meeting or portfolio review meeting. The Portfolio Governance Team decides which risks are elevated to the portfolio level (see the figure below). The Portfolio Governance Team will also assess the severity and probability of other major portfolio risks.
  • Develop portfolio risk responses—Selected Portfolio Governance Team representatives (or delegate) will be assigned as risk owner(s) to develop options and actions to mitigate threats to portfolio performance. Portfolio level risks should also be prioritized.
  • Monitor and control portfolio risks—Portfolio risks and mitigation plans should be tracked at Portfolio Governance Team meetings.

Depending on the level of rigor that an organization puts into its portfolio risk management processes, it may choose to conduct various levels of risk analysis not limited to cost-benefit analysis, statistical modeling (probability analysis, confidence limits), sensitivity analysis, dependency and timing analysis, etc. For more details on managing portfolio risks, please reference the Standard for Portfolio Management.

Experienced Project Managers will be familiar with the risk matrix below. It can also be used to assess the relative consequence and likelihood of specific portfolio level risks. A portfolio risk log can be used to maintain a record of portfolio risks and should be actively managed by the Portfolio Governance Team.

Portfolio Risk Management Matrix

Opportunity Management

Opportunity management is a risk-related process that companies can use to identify, analyze, and manage project opportunities. Opportunities enable organizations to achieve more project value or perform better than planned and, by definition, go beyond the original statement of work of a project. Some opportunities may develop into dedicated projects, or the work to capture the opportunity can be added to an existing project or program’s scope.

Although some ideas/opportunities may be great and provide a lot of value, for one reason or another, the timing may not be right or some other constraint makes it difficult to capture the opportunity. It could be a new market opportunity that becomes available, the competitive landscape changes, or an emerging technology is available to advance the organization. For this reason, organizations should establish an opportunity log and periodically review these opportunities and identify a good time to take advantage of the opportunity.

The processes for managing opportunities are similar to the processes for managing risks except that opportunities are future events that could produce positive outcomes for the organization. Opportunities often fall into the “should do” or “could do” priority categories, but enable organizations to achieve more or perform better than planned. Because most organizations are focused on minimizing or eliminating negative impacts to projects (through risk management), only organizations with more advanced portfolio management processes utilize opportunity management.

The diagram below represents a 5×5 opportunity matrix that could be used to graphically represent the current organizational opportunities. The X-axis represents the magnitude of benefit and the Y-axis represents the likelihood of capturing the opportunity. Opportunities in the upper right hand corner represent golden opportunities, those toward the lower left corner represent bronze opportunities, and those in the middle represent silver opportunities.

Opportunity Matrix

Portfolio Risk Tolerance

Another important facet of portfolio risk management is the risk tolerance of the Portfolio Governance Team in managing the portfolio. Project portfolio management has its base in financial portfolio management, where one of the foundational principles is the ability to diversify risk through a broad set of investments. Investors understand that riskier investments should come with a higher rate of return and lower-risk investments (such as US Treasury Bonds) have a lower rate of return. Therefore, it is important for investors to understand their own risk tolerance based on the expected level of return. For instance, young professionals can afford to have a higher-risk retirement plan in order to accelerate the growth of their retirement plan. Seniors, on the other hand, will shift to a low-risk investment portfolio in order to protect what they have already saved. The risk tolerance is based on the investment strategy.

Understanding the portfolio risk tolerance is an important aspect of the first portfolio lifecycle phase “Define the Portfolio” as discussed in our overview of portfolio management. This is how portfolio governance teams evaluate and select projects. Ironically, many Portfolio Governance Teams do an inadequate job of accounting for risk in their project portfolio. Many take on too many high-risk projects and then wonder why the success rate is too low; this is to blindly manage the portfolio. Smart portfolio management teams have their eyes open to consider the risk tolerance of the company as well as the riskiness of individual projects in order to make wise project investment decisions.

How to Measure Risk Tolerance

In order to measure the portfolio risk level we first need to assess individual project riskiness and then measure each project’s financial and risk contribution to the portfolio.

Assess Project Riskiness

There are different ways of assessing portfolio risk, but our preferred approach is to utilize the prioritization scoring data you should already be collecting. In our post on prioritization we discussed how organizations should incorporate a risk element into their scoring model. These “risk scores” not only assess the relative riskiness of an individual project but can be used to calculate an overall portfolio risk score which we will cover below.

The image below depicts sample risk scoring criteria that a portfolio governance team (or project team) might use to evaluate the riskiness (risk nature) of an individual project.

Sample Project Risk Criteria

The output of this exercise is a “risk score” by which the relative risk of one project can be compared to another project. This can also be used to evaluate the overall risk level of the portfolio.

Your organization’s risk tolerance is based on your investment strategy

Measure the relative contribution of each project or program to the overall portfolio

The next step is to measure the relative contribution of each project or program to the overall portfolio. Before we walk through those calculations, we want to cover some basic considerations for measuring portfolio risk tolerance.

It is critical that we analyze the relative contribution of a single project to an overall portfolio risk score.

To demonstrate this, we will use two simple illustrations (scenario 1 and scenario 2) to show how an individual project’s risk value impacts the overall portfolio risk score. The boxes below in both scenarios represent projects in the portfolio; the color represents the relative level of risk (green-low, red-high) and the size of the box corresponds to the project’s budget relative to the whole portfolio. For simplicity’s sake, let’s pretend that the total portfolio budget is $10M and that the red box in scenario 1 represents a single project that is very risky but has a small project budget ($100K). Does this portfolio have high portfolio risk? No. Even though there is a very risky project, it accounts for a small amount of the portfolio budget. Strictly based on the risk scores and budgetary contribution, the portfolio is not a risky portfolio.

Measuring the Risk Contribution of Projects

In scenario 2, let’s pretend that our risky project now costs $7M but the portfolio budget remains $10M. Does this portfolio have high portfolio risk? Yes. The very risky project accounts for the majority of the portfolio budget. By virtue of being a high-risk project that consumes the majority of the portfolio budget, the portfolio contains high risk. What we have shown here is that portfolio risk is based on the relative contribution of risky projects in the portfolio.

Overall portfolio budget levels can also change and have an impact on measuring portfolio risk. Therefore, we also need to realize that portfolio risk is based on the current project portfolio. As demonstrated in the previous example, it is important to measure the portfolio risk based on the budgetary contribution of all projects compared to the overall portfolio budget. Therefore, as portfolio budgets change, the overall portfolio risk score may also change.

Let’s continue the previous example. If the portfolio budget was enlarged to $100M (instead of $10M), our very high-risk project would now only contribute 7% toward the overall portfolio risk score (instead of 70% in scenario 2 above). Assuming that most of the remaining projects were only low to moderate risk, the overall portfolio risk would decrease. The opposite could happen too: if the portfolio budget decreased, then every project in the portfolio would have a higher contribution to overall portfolio risk. We use these two simple examples to explain the relationship between project risk scores, project budgets, and overall portfolio budgets.

Measuring the Risk Contribution of Projects to Portfolio Budget

Outputs of Measuring Portfolio Risk

By doing this work, we can generate two very valuable outputs:

  • The Portfolio Risk Gauge
  • The Risk-Value Bubble Chart

The portfolio risk gauge is a simple display to highlight the relative portfolio risk level at a point in time. Organizations that assess project risks and have project budgets can easily measure portfolio risk. By multiplying each project’s budgetary contribution (its share of the total portfolio budget) by its risk score and summing the results across all projects, we can calculate a portfolio risk score (16.9 in the example below compared against a maximum portfolio risk score of 25).

Portfolio Risk Gauge

With this we can create a portfolio risk gauge (note: this can be done manually in Excel and there are many tutorials on the web on how to make this, or a tool such as Acuity PPM can create this automatically).
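The calculation behind the gauge, worked through for scenario 1, scenario 2, and the enlarged $100M portfolio, as an added example that is not part of the original post. The project names, budgets, and individual risk scores are constructed sample values, and the per-project 0 to 25 scale is an assumption taken from the maximum portfolio score quoted above.

```python
from dataclasses import dataclass

# Maximum score from the article's gauge example; applying the same
# 0..25 scale to each individual project is an assumption of this sketch.
MAX_RISK_SCORE = 25


@dataclass(frozen=True)
class Project:
    name: str
    budget: float      # any currency unit, but the same one for every project
    risk_score: float  # 0..MAX_RISK_SCORE, from the prioritization scoring model


def _validate(projects):
    # Reject inputs that would silently distort the weighted score.
    if not projects:
        raise ValueError("portfolio has no projects")
    for p in projects:
        if p.budget <= 0:
            raise ValueError(f"{p.name}: budget must be positive")
        if not 0 <= p.risk_score <= MAX_RISK_SCORE:
            raise ValueError(f"{p.name}: risk score outside 0..{MAX_RISK_SCORE}")


def risk_contributions(projects):
    """Map each project name to (share of portfolio budget) * (risk score)."""
    _validate(projects)
    total = sum(p.budget for p in projects)
    return {p.name: p.budget / total * p.risk_score for p in projects}


def portfolio_risk_score(projects):
    """Budget-weighted risk score of the whole portfolio (0..MAX_RISK_SCORE)."""
    _validate(projects)
    total = sum(p.budget for p in projects)
    return sum(p.budget * p.risk_score for p in projects) / total


# Constructed sample portfolios, budgets in $K. "Risky" is the red box.
SCENARIO_1 = [  # $10M portfolio, risky project costs $100K
    Project("Risky", 100, 24), Project("A", 4000, 6),
    Project("B", 3500, 8), Project("C", 2400, 5),
]
SCENARIO_2 = [  # $10M portfolio, risky project costs $7M
    Project("Risky", 7000, 24), Project("A", 1200, 6),
    Project("B", 1000, 8), Project("C", 800, 5),
]
ENLARGED = [    # $100M portfolio, risky project still costs $7M
    Project("Risky", 7000, 24), Project("A", 40000, 6),
    Project("B", 30000, 8), Project("C", 23000, 5),
]

if __name__ == "__main__":
    for label, portfolio in [("scenario 1", SCENARIO_1),
                             ("scenario 2", SCENARIO_2),
                             ("enlarged", ENLARGED)]:
        score = portfolio_risk_score(portfolio)
        risky = risk_contributions(portfolio)["Risky"]
        print(f"{label}: portfolio score {score:.2f} of {MAX_RISK_SCORE}, "
              f"risky project contributes {risky:.2f}")
```

The per-project contributions show which projects drive the gauge reading: the same project with the same risk score dominates the portfolio score only when it consumes most of the budget.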

The other major output is a portfolio risk-value bubble chart (which was covered in our post on prioritization). The risk-value bubble chart can be used to help Portfolio Governance Teams balance risk and optimize the portfolio. It helps visualize high-risk but low-value projects that should be screened out. This chart is especially useful in the second portfolio lifecycle phase on optimizing the portfolio.

Risk-Value Bubble Chart

Other Ways of Assessing Portfolio Risk

We will finish this section with a brief summary of other ways organizations can assess portfolio risk:

  • Resource capacity: companies that measure resource capacity can use this data to inform portfolio risk. Critical teams that are over-utilized represent a major risk to project delivery. Tracking the number of over-utilized resource teams can inform portfolio risk from the aspect of resource capacity.
  • Excessive multi-tasking: a simpler way of measuring over-utilized team members is to measure how many concurrent projects people are working on. Teams that excessively multi-task often do not have enough working time to keep projects on schedule. This signals another aspect of portfolio risk.
  • Project and portfolio management maturity: a very general proxy for portfolio risk comes in the form of project management maturity. Organizations with low project management maturity are shown to have lower successful delivery rates than higher maturity organizations.

Summary

Portfolio risk management helps safeguard portfolio value and enables Portfolio Governance Teams to proactively manage the risk level of the portfolio.  By proactively managing risk levels, organizations can successfully take on more risk and thereby increase overall portfolio value. Companies need to understand what their own risk tolerance is and measure it appropriately to better manage the portfolio. Some companies and industries are more risk tolerant (e.g. technology firms, biotechnology firms, etc.) whereas other companies are less risk tolerant (e.g. retail, financial services, health care, etc.). Measuring portfolio risk and proactively managing to it will enable greater delivery success and help maximize portfolio value.


What is project portfolio risk management?

Portfolio risk management involves processes to identify, assess, measure, and manage risk within the portfolio and is focused on events that could negatively impact the accomplishment of strategic objectives. The scope of portfolio risk management is far broader than program and project risk management and requires senior leadership involvement.

What are common types of project portfolio risks?

Three categories of project portfolio risks include: external business risks (industry disruption, mergers and acquisitions, economic conditions, political environments, regulatory changes, new legal requirements, natural events such as COVID-19), internal business risks (such as operational challenges, leadership and organizational changes, weak portfolio governance, and company financial health), and execution related risks (major project risks that impact two or more other projects, project dependencies, limited resource capacity, and weak project management standards).

What are the steps of a project portfolio risk management process?

There are four key steps to the portfolio risk management process: 1) Identify portfolio risks 2) Analyze portfolio risks 3) Develop portfolio risk responses 4) Monitor and control portfolio risks — portfolio risks and mitigation plans should be tracked at Portfolio Governance Team meetings.

How do you measure portfolio risk tolerance?

Portfolio risk tolerance can be measured by first measuring the riskiness of individual projects and programs. This can be accomplished using a good scoring model to evaluate execution risk. Next, measure the relative contribution of each project or program to the overall portfolio. Based on this, you can create an aggregate portfolio risk score which can be displayed in reports such as a portfolio risk gauge.