Tuesday 22 July 2014

Portfolio risk management – do you have the right focus?

Written by Bryan Fenech, Director - PPM Intelligence.

“Without it [risk management], portfolio management is just a way to organise the view of projects that will certainly fail” – Scott Berinato in CIO July, 2003.

Portfolio risk management is important; if we characterize an organization's projects as an interrelated portfolio of investments then we need a corresponding portfolio risk management process. This has been borne out by various studies, such as the Standish Group’s CHAOS Report, which highlight a persistent trend of high project failure rates.

Over the course of my career I have come across many ineffective portfolio risk management approaches. The most common problem is that risk management at the portfolio level simply duplicates what is being done at the project and program level. By this I mean that the Portfolio Board or Governance Committee reviews a consolidated list of risks (and their treatments) which have already been reviewed by Project and Program Steering Committees, and which are being managed at that delivery level. This is generally wasted effort because it rarely adds value. More importantly, it is a missed opportunity for the organisation to leverage the advantages and value that a portfolio perspective can bring.

Here is an example to illustrate the point. Imagine we are reviewing a consolidated list of project and program risks as members of a Portfolio Board. Very sensibly we focus our attention on risks that have the potential to derail projects that either have the highest spend or from which the greatest benefits are expected to be derived. However, it may be that the greatest threat to these projects comes not from these risks but from risks impacting other projects upon which they have a logical dependency. Or it could be that the combined impact of risks impacting a cluster of lower credentialed inter-dependent projects is more significant in terms of value at risk. We are failing to incorporate into our risk management approach the view of inter-project dependencies that a portfolio perspective can provide. We are running blind and taking a sizable gamble.

Applying a threshold – e.g., only “catastrophic” and “very high” risks are reviewed by the Portfolio Board – is worse still as this is likely to further obscure the significance of inter-dependencies.

In my opinion, portfolio risk management primarily needs to focus on 3 areas:

  1. Investment at risk
  2. Common risks, and
  3. Domino risks.

Investment at risk

Investment at risk is a measure of the number of projects or the dollar value of projects by risk level. Figure 1 provides a graphical depiction of this using a Red-Amber-Green scheme for risk level.

Figure 1
While this seems like a very simple thing to do it is powerful. For example, where investment at risk is high it indicates that the Portfolio Board may need to pause the introduction of new projects and/or revise benefits and cashflow projections.

Common risks

Common risks are categories of risk that occur most frequently across the portfolio. Figure 2 provides a graphical depiction highlighting the incidence of red ratings by category.

Figure 2
Risks that are common to (or similar across) more than one project or program should receive priority attention because resolving them will have a greater positive impact on overall levels of risk and because they can be dealt with together.

Domino risks

Domino risks are risks that, due to dependency relationships, may have a flow on impact across multiple projects. The things to look for here are:

  1. Measuring aggregate value – i.e., the aggregate value, in terms of costs and benefits, of clusters of interdependent projects could be more significant than even the highest priority projects and attention should be focused accordingly
  2. Identifying portfolio breakpoints – i.e., projects with the highest number of dependencies with other projects need the most attention because they may take down a significant number of other projects if they fail.

Figure 3 highlights how our priority focus for risk management might change when we incorporate a view of the aggregate value of clusters of interdependent projects.

Figure 3

Key portfolio risk management themes

The key takeout here is that portfolio risk management is about identifying threats to overall portfolio performance and benefits. It complements and uses as an input the risk management activity that is undertaken at the project level. But it needs to mine that information and look for patterns that have portfolio level significance.

Build your portfolio management capability cost effectively with this exceptional resource.


  1. Risk management attempts to plan for and handle events that are uncertain in that they may or may actually occur. These are surprises. Some surprises are pleasant. We may plan an event for the public and it is so successful that twice as many people attend as we expected. A good turn-out is positive. However, if we have not planned for this possibility, we will not have resources available to meet the needs of these additional people in a timely manner and the positive can quickly turn into a negative

  2. This is generally wasted effort because it rarely adds value. More importantly, it is a missed opportunity for the organisation to leverage the advantages and value that a portfolio perspective can bring.
    gaskets kits