
Portfolio Risk Management: aligning projects with business objectives to deliver value

by Val Jonas, CEO, Risk Decisions Group, and Susheel Chumber, Professional Services Manager, Risk Decisions Ltd

Whitepaper © Risk Decisions 2011


Abstract

Organisations are taking up the challenge to improve risk management at all levels from project and operations to Enterprise Risk Management. The focus is to ensure that business objectives are met. However, there tends to be a gap in the hierarchical structure of organisations where a strategic approach to risk management is required – the portfolio level. This paper places the portfolio perspective in context, providing some practical insights into how portfolio risk management can deliver significant financial and non-financial benefits. By embedding portfolio risk management into your risk framework, its complementary approach supports risk management maturity across the organisation. In today’s climate of increasing pressure, organisations must focus on managing risks to meeting objectives. Portfolio risk management can provide a quick return; so start now – there’s no time to waste.

The challenge

At any one time, a large organisation may have a significant number of ongoing projects, of varying types, stages and sizes, with different stakeholders, customers, suppliers and deliverables. One thing is certain – these projects will have a significant amount of budget and resources assigned to them; what is uncertain is exactly what benefits they will deliver. Therefore, organisations align their projects with business objectives, in order to ensure they will deliver value. Then, after the business case has been signed off, focus switches to successful project delivery.

However, what is often forgotten is the importance of maintaining the alignment of projects with business objectives, which frequently change over time. Projects are approved with defined scope and cost / time / performance targets; but the environment within which they are executed is constantly evolving. For example:

• External political, environmental and market conditions alter

• Sponsors come and go with regular management reorganisations

• Customer expectations change over time

There are also internal challenges:

• Projects compete for resources and management attention

• Projects are often interdependent, having impact on each other

These challenges are both external and internal to a project’s context, and are all sources of risk to the project’s ability to deliver value. So no matter how good your organisation is at keeping projects on track, they may often be overtaken by events beyond their control.

Different risk management perspectives

In order to understand how to keep project deliverables aligned with business objectives, it is useful to understand the different risk management perspectives in an organisation.

Senior managers are responsible for delivering business objectives, which requires awareness of potential market changes and the political environment, as well as responsibilities for strategic direction and governance. Their role is to deliver shareholder (and/or stakeholder) value.

Figure 1. Environmental risks impact on projects’ ability to deliver against business objectives


Project and programme managers are focused on the balance of time, cost and performance; juggling resources, managing scope and budgets, identifying opportunities, controlling change, as well as handling the interface with the customer and other projects. Their role is to meet the hard targets set as their deliverables.

Unfortunately, there tends to be a major disconnect between project/programme and senior management perspectives, which needs to be bridged for the organisation to perform effectively.

Addressing the disconnect

The first challenge to be tackled is how to improve communication top down and bottom up. Projects will continue on their pre-determined path unless senior managers communicate significant environmental changes that may affect them. Similarly, managers will assume that strategic objectives will be met unless concerns or assumptions about project delivery are brought to their attention.

The second challenge is to ensure that there is a mechanism to respond to these environmental risks that arise. This may require just a simple realignment of the project; but in extreme cases a complete review of the business case and major change or cancellation of the project may be necessary.

Many organisations fail in this area, as their inclination or ability to revisit the original business case under new conditions is limited. And even if they do this, the follow-on decision-making process is often slow, contributing to continued inefficiencies.

Responsibility for identifying such issues is often left up to programme and other middle managers; however, they rarely have sufficient oversight of the business or independent objectivity to provide a balanced view.

So, there needs to be some infrastructure in the organisation with responsibility for monitoring and managing risk to business objectives in a proactive and robust way.

Portfolio risk management – the missing link

A major role of the portfolio manager is to assess and approve business cases. However the responsibility does not stop there – it extends throughout the life of the project. If, at any time, some uncertainty, influence or event threatens the validity of the original business case, then a review should be triggered. If the business case can no longer demonstrate business benefits (independently or relative to other business opportunities) then an appraisal of the options, with recommendations for action, must be reported to senior management for decisions to be made.

Focussing on individual business cases would result in a view of projects and programmes that is too narrow. So the portfolio level is responsible for optimisation across a set of projects, with focus placed on balancing risk and reward, in line with business risk appetite. Organisations should see risk taking as a good thing, as long as it is properly understood and managed. This measured approach is the ongoing focus of portfolio risk management.

A major role of the portfolio risk manager is to provide two-way communication of key risk information, and hence assurance that delivery of business benefits is secure.

Figure 2. Senior manager risk perspective (Top down)

Figure 3. Project risk perspective (Bottom up)

Exhibit 4. Top down and bottom up communication

Figure 5. The portfolio risk management perspective

[Figure labels, Figures 2, 3 and 5: Business Objectives; External Context; Governance (Risk, Controls, Compliance); Shareholder, Stakeholder Value; Time (Schedule); Cost (Budgets); Performance (Quality, Scope); Deliverables; Optimisation (maximise ROI); Business Case (decision making); Balance (risk and reward); Benefits]


A framework to manage risks

Risk management is driven from the top. People down through the organisation require guidance to allow them to make judgements on the importance and acceptability of different types of risk. This guidance must include a statement on the organisation’s risk appetite (quantitative and qualitative thresholds and triggers), explicit assignment of responsibilities for ensuring risks are managed, support in prioritising key risk response actions, as well as delegated authority and budgets/resources (management reserve) to carry them out. The behaviours demonstrated top down will drive behaviour down through the organisation.

It is the responsibility of the portfolio risk manager to ensure risk management activities from senior management at the top and all the way down through programmes and projects are functioning efficiently.

Having set up this framework, a good structure is required to ensure both significant tactical risks and strategic business risks are understood, communicated and managed up and down, to inspire confidence, ensure timely decisions are made and maximise business success. For example, a project may identify a tombstone risk (one that, if it were to occur, would kill the project); if no acceptable mitigation response can be found at the portfolio level, then this risk needs to be brought to the attention of senior management, for appropriate action.

Figure 7. A framework to manage risks

Figure 6. Bridging the gap between top-down and bottom-up Risk management

A periodic review may show that a project is no longer able to deliver the required benefits and drastic action might be recommended, even though the project is currently performing very well against its original targets. The result will not necessarily be project closure; it may just need to be adjusted to address the risk or match new business needs.

The link with Enterprise Risk Management

Enterprise risk management (ERM) requires proactive involvement from the extended organisation. Portfolio risk management provides a key component of ERM because it glues together organisational silos. Business case preparation and ongoing progress reviews involve input from appropriate functional, operations and logistics departments, as does ongoing assurance and risk management activities. Portfolio risk managers have responsibility for coordinating involvement of various parties; they should be independent of specific business units, functions, programmes, etc, to provide an objective view.

Different parts of the enterprise may use different risk guidance, for example PMBoK (PMI) or PRAM (APM) for projects, M_o_R (OGC) or ISO3100 for wider strategic or business risk. From a portfolio perspective, it doesn’t matter that there are different dialects of risk management across the organisation, as they essentially follow the same basic process as can be seen below.

Figure 8. The area of ERM covered by portfolio risk management


Implementing portfolio risk management

Very few organisations have moved beyond a very simple implementation of ERM, but many now have reasonably mature project, programme and other specialised risk management capabilities in place. Portfolio risk management can assist in raising the profile and maturity of risk management, particularly if your organisation operates a gated approval process. A full disclosure of risk should be provided at each stage of business case appraisal and then through ongoing review and reporting periods. This means that risk at each stage of the lifecycle should be stated, not just the stage currently being reviewed or approved.

Further improvements can be achieved with risk maturity models. For example, some organisations require a project team to demonstrate a minimum level of risk maturity (process and practice). The example below shows a risk maturity model with 7 criteria and 4 levels: Ad Hoc, Initial, Repeatable and Managed. The lowest score determines the maturity of the team – in the example below this is Ad Hoc, shown by the red line.

While it is unlikely to be the responsibility of the portfolio risk manager to measure and improve risk maturity across the organisation, it is a useful measure in business case appraisal. For example, not only does the business case need to be sound, but the team put in place to carry out the project needs to prove itself capable of delivery.

Other areas in which portfolio risk management can provide support are:

• To act as a centre of excellence to support risk management practices

• Support HR in ensuring all staff are trained in risk management

• Promote a consistent approach to risk management

• Run a risk steering group to support proactive communication of risk

• Manage a higher-level budget for show-stopper risks across the organisation

It will also be necessary to implement an Enterprise Risk Management tool, such as Predict!® to identify, assess, manage and provide consistent reporting on risk across the organisation. To deliver joined-up risk management, it is not practicable to operate separate spreadsheet risk registers for different projects, business units etc. A central database repository for assessing risk and approving response actions, with Risk Management Clusters® to represent business case entities is required.

Figure 9. Similarity between risk process guidelines

Figure 10. An example risk maturity model

[Figure 10 axes: Overall Maturity Level (Managed, Repeatable, Initial, Ad Hoc) against the criteria Context, Identify, Analyse, Evaluate, Treat, Monitor review, Culture]


References

Association for Project Management (2004) Project Risk Analysis & Management Guide, 2nd Edition, Association for Project Management, High Wycombe, Bucks, UK; ISBN 1-903494-03-5.

Association for Project Management (2002) Earned Value Management: APM Guideline for the UK, Association for Project Management, High Wycombe, Bucks, UK; ISBN 1-903494-03-6.

Project Management Institute (2004) A Guide to the Project Management Body of Knowledge (PMBoK), 3rd edition, Project Management Institute, Philadelphia, US; ISBN 1-930699-45-X.

Association for Project Management (2008) Interfacing Risks and Earned Value Management, Association for Project Management, High Wycombe, Bucks, UK; ISBN 10: 1-903494-24-9; ISBN 13: 978-1-903494-24-0.

Portfolio risk management – no time to waste

The journey to effective risk management can take some time, but whatever stage your organisation is currently at, portfolio risk management can deliver quick and effective results. Its practical ‘risk to objective’ approach requires only a small number of key top level risks to be identified and assessed against each project, allowing a clear risk profile to be communicated to senior management for timely intervention if required. Any project that does not have clear and current objectives needs to be reviewed immediately.

Once all projects have a risk profile, these should be standardised for review by a wider management group responsible for overseeing projects and programmes. Functional managers should be encouraged to identify common risks across projects, so that strategic actions can be identified, saving money by eliminating duplicated lower level actions.

Once risk appraisal across all projects is in place, the portfolio risk manager should be well placed to look back at risks that have occurred and provide advice across all projects on lessons learned.

Portfolio risk management is currently under-utilised and is therefore an area in which organisations can gain significant competitive advantage. However, the challenge in implementing it should not be underestimated.

Portfolio risk management may be seen as a threat by projects with a vested interest in maintaining the status quo. In an environment where cash is short and resources are stretched, it is likely that an increasing number of projects have an uncertain future. Ensuring continuous alignment with current objectives, even if that means significant change for a project, could in turn save it from closure.

And remember, closing a project isn’t necessarily bad. It could be that it just no longer meets business requirements and closing it will mean that more beneficial projects can then proceed. So start managing risk from a portfolio perspective today – there’s no time to waste.

Figure 11. A backward and forward looking approach to managing risk

[Figure labels: Now; Progress; Benefits; Risk?; Lessons learned; Response actions]


Appendix 2: Glossary

Where ‘source’ is in brackets, minor amendments have been incorporated to the original definition.

| Term | Definition | Source |
|---|---|---|
| Budget | The resource estimate (in £/$s or hours) assigned for the accomplishment of a specific task or group of tasks. | Risk Decisions |
| Change Control (Management) | Identifying, documenting, approving or rejecting and controlling change. | (PMBoK) |
| Control Account (CA) | A management control point at which actual costs can be accumulated and compared to earned value and budgets (resource plans) for management control purposes. A control account is a natural management point for budget/schedule planning and control since it represents the work assigned to one responsible organisational element on one Work Breakdown Structure (WBS) element. | APM EVM guideline |
| Cost Benefit Analysis | The comparison of costs before and after taking an action, in order to establish the saving achieved by carrying out that action. | Risk Decisions |
| Cost Risk Analysis (CRA) | Assessment and synthesis of the cost risks and/or estimating uncertainties affecting the project to gain an understanding of their individual significance and their combined impact on the project’s objectives, to determine a range of likely outcomes for project cost. | (PRAM) |
| Enterprise Risk Map | The structure used to consolidate risk information across the organisation, to identify central responsibility and common response actions, with the aim of improving top down visibility and managing risks more efficiently. | Risk Decisions |
| Enterprise Risk Management (ERM) | The application of risk management across all areas of a business, from contracts, projects, programmes, facilities, assets and plant, to functions, financial, business and corporate risk. | Risk Decisions |
| Left Shift | The practice by which an organisation takes proactive action to mitigate risks when they are identified rather than when they occur with the aim of reducing cost and increasing efficiency. | Risk Decisions |
| Management Reserve (MR) | Management Reserve may be subdivided into: • Specific Risk provision to manage identifiable and specific risks • Non-Specific Risk Provision to manage emergent risks • Issues provision | APM EV/Risk working group |
| Non-specific Risk Provision | The amount of budget / schedule / resources set aside to cover the impact of emergent risks, should they occur. | APM EV/Risk working group |
| Operational Risk | The different types of risks managed across an organisation, typically excluding financial and corporate risks. | Risk Decisions |
| Opportunity | An ‘upside’, beneficial Risk Event. | PRAM |
| Baseline | An approved scope/schedule/budget plan for work, against which execution is compared, to measure and manage performance. | (PMBoK) |
| Performance Measurement | The objective measurement of progress against the Baseline | APM EV/Risk working group |
| Proactive Risk Response | An action or set of actions to reduce the probability or impact of a threat or increase the probability or impact of an opportunity. If approved they are carried out in advance of the occurrence of the risk. They are funded from the project budget. | (PRAM) |
| Reactive Risk Response | An action or set of actions to be taken after a risk has occurred in order to reduce or recover from the effect of the threat or to exploit the opportunity. They are funded from Management Reserve. | (PRAM) |
| Risk Appetite | The amount of risk exposure an organisation is willing to accept in connection with delivering a set of objectives. | APM EV/Risk working group |
| Risk Event | An uncertain event or set of circumstances, that should it or they occur, would have an effect on the achievement of one or more objectives. | PRAM |
| Risk Exposure | The difference between the total impact of risks should they all occur and the Risk Provision. | APM EV/Risk working group |
| Risk Management Clusters® | Functionality in Risk Decisions’ Predict! risk management software that enables users to organise different groups of risks to form a single, enterprise-wide risk map. | Risk Decisions working group |
| Risk Provision | The amount of budget / schedule / resources set aside to manage the impact of risks. Risk provision is a component part of Management Reserve. | APM EV/Risk working group |
| Risk Response Activities | Activities carried out to implement a Proactive Risk Response. | APM EV/Risk working group |
| Schedule Risk Analysis | Assessment and synthesis of schedule risks and/or estimating uncertainties affecting the project ability to meet key milestones. | (PRAM) |
| Schedule Reserve | The schedule component of Management Reserve. | APM EV/Risk working group |
| Specific Risk Provision | The amount of budget / schedule / resources set aside to cover the impact of known risks, should they occur. It is not advisable to net opportunities against threats and so a separate value is calculated for each. | APM EV/Risk working group |
| Threat | A downside, adverse Risk Event | PRAM |
| Uncertainty | The spread in estimates for schedule, cost, performance arising from the expected range of outcomes. Often termed estimating error. | APM EV/Risk Working Group |


About Risk Decisions

Risk Decisions Limited is part of Risk Decisions Group, a pioneering global risk management solutions company, with offices in the UK, USA and Australia. The company specialises in the development and delivery of enterprise solutions and services that enable risk to be managed more effectively on large capital projects as well as helping users to meet strategic business objectives and achieve compliance with corporate governance obligations.

Risk Decisions has introduced many innovative features that have since become standard features in the industry including the risk hierarchy tree, combined threat and opportunity risk impact grids and automated schedule risk analysis. The company plays a significant role in influencing risk management policy, making important contributions to APM, OGC and PMI risk management guides and standards, including guidance on interfacing risk with other disciplines, such as Earned Value and Systems Engineering.

Clients include Lend Lease, Mott MacDonald, National Grid, Eversholt Rail, BAE Systems, Selex Galileo, Raytheon, Navantia, UK MoD, Australian Defence Materiel Organisation and New Zealand Air Force.

For further information visit www.riskdecisions.com or contact Alex Leggatt at:

Risk Decisions Ltd, Whichford House, Parkway Court, Oxford Business Park South, Oxford, OX4 2JY

Tel: 01865 718666

European HQ

For enquiries from the UK and mainland Europe.

Risk Decisions Ltd, Whichford House, Parkway Court, Oxford Business Park South, Oxford, OX4 2JY, United Kingdom

For general enquiries: Tel: +44 (0)1865 718666; Fax: +44 (0)1865 718600

For help desk support: Tel: +44 (0)1865 395698; Fax: +44 (0)1865 718600