4 RISK MANAGEMENT LIFE CYCLE IN PORTFOLIO, PROGRAM, AND PROJECT MANAGEMENT

Organizations build adaptive frameworks to ensure alignment with environmental competitiveness and confront increasing complexity associated with goal attainment and decision making. Complexity is an inherent characteristic of portfolios, programs, and projects and their environment, which is difficult to manage due to various aspects involved in the workflow: human behavior, system behavior, uncertainty, and ambiguity. Complexity impacts stability, predictability, and capacity of both the organization and its activities to sustain its business. For additional information, refer to Navigating Complexity: A Practice Guide [5].

An integrated view of risk management is required to define the right construct in the organization's governance and operations. By establishing the appropriate framework, an organization is able to:

  • Articulate objectives,
  • Define external and internal parameters for processing an effective risk management life cycle, and
  • Establish risk criteria within the scope for the remaining processes through iterative activities.

The purpose of establishing a framework is to align resources and processes to the organization's strategies and objectives. The risk management life cycle works within the risk management framework to ensure risks are managed in a structured manner regardless of the portfolio, program, or project life cycle approach.

4.1 INTRODUCTION TO THE RISK MANAGEMENT LIFE CYCLE

The risk management life cycle described in this section illustrates a structured approach for undertaking a comprehensive view of risk throughout the enterprise, portfolio, program, and project domains. Even though the way of managing risks differs between these domains and from one organization to another, an overall life cycle approach outlines a sequence of logical phases that can be iterated and includes the following processes:

  • Plan Risk Management,
  • Identify Risks,
  • Perform Qualitative Risk Analysis,
  • Perform Quantitative Risk Analysis,
  • Plan Risk Responses,
  • Implement Risk Responses, and
  • Monitor Risks.

The risk management life cycle is shown in Figure 4-1. It has a dedicated, procedural, and iterative workflow of activities and processes, supported and performed across the enterprise and within the portfolio, program, and project domains. Because of the evolutionary nature of risk, the risk management life cycle ensures a repeatable workflow of processes that supports strategic decision making. All these activities are performed in an integrated way within and across the portfolio, program, and project domains.

The iterative workflow of the risk management life cycle is embedded within a strategic execution framework where portfolio, program, and project management are linked to organizational cultural foundations, capabilities, and the use of organizational functions or performance domains. It is understood that once a portfolio, program, or project is closed, the risk management process terminates and the appropriate lessons learned are documented. The framework enables the overall risk processes to be implemented through a risk management plan within each domain as described in Sections 5, 6, and 7.

[Figure 4-1. Risk Management Life Cycle]

4.2 PLAN RISK MANAGEMENT

Effective risk management requires the creation of a risk management plan. This plan describes how the risk management processes are to be carried out and how they fit in with other processes. On a broader level, the risk management plan describes the relationships among the risk management processes; general portfolio, program, or project management; and the management processes in the rest of the organization. Initial risk management planning is carried out early in the overall planning of the work, and the corresponding activities are integrated into the overall management plan. The risk management plan may need to be adapted as the needs of the work and stakeholders become clearer or change.

The feasibility of risk management planning is dependent upon the features of the organization in which it is carried out. The rules and guidelines defined in the risk management plan reflect (a) the culture of the organization, (b) its capabilities regarding people and facilities, and (c) its values, goals, and objectives. The risk management plan identifies and describes relevant organizational procedures and any other enterprise environmental factors that apply, such as strategic risk management, enterprise risk management (ERM), and corporate governance processes.

4.2.1 PURPOSE OF PLAN RISK MANAGEMENT

The objectives of the Plan Risk Management process are to: develop the overall risk management strategy, decide how the risk management processes will be executed, and integrate risk management with all other activities. The risk management plan defines both the normal frequency for repeating the processes and the specific or exceptional conditions under which the corresponding actions are initiated. The corresponding risk management activities are integrated into the portfolio, program, or project management plan.

4.2.1.1 RISK APPETITE IN PLAN RISK MANAGEMENT

The level of risk that is considered acceptable depends on the risk appetite of the relevant stakeholders. The risk appetite of the stakeholders may be influenced by a number of factors. These factors include the stakeholders’ ability to tolerate uncertainty and the relative importance of achieving specific objectives. The output of this analysis is then considered when applying the risk management processes.

Guidelines and rules for escalating risk-related information to management and other stakeholders reflect the stakeholder's risk appetite and expectations. As the work evolves, maintaining effective communications with the stakeholders enables portfolio, program, and project managers to become aware of any changes in the stakeholders’ attitudes and adapt the risk management approach to take into account any new factors.

The risk management plan provides terminology used to describe risks, which allows participants to share a common understanding of the terms. The risk management plan also defines the critical values of risk management and the thresholds that serve as parameters in a manner consistent with the scope of the work and the attitudes of the stakeholders. Similarly, the risk management plan specifies the key numerical values required in quantitative analysis or for decision making in risk response planning or risk monitoring.

4.2.1.2 TAILORING AND SCALING THE RISK MANAGEMENT PLAN

Portfolios, programs, and projects are exposed to different types of risk, so each step in the risk management life cycle is tailored and scaled to meet the various risk characteristics. The management processes are also tightly integrated between the portfolio, program, and project domains.

The results from this initial step are documented and communicated, and subsequently reviewed by the stakeholders to ensure a common understanding of the scope and objectives for the risk management process.

The risk management plan includes the tailored risk management processes, which are based on the process maturity of the organization. Scalable elements of the process that are a part of risk management planning include, but are not limited to:

  • Available resources,
  • Escalation paths,
  • Methodology and processes used,
  • Tools and techniques used,
  • Supporting infrastructure,
  • Review and update frequency, and
  • Reporting requirements.

4.2.2 SUCCESS FACTORS FOR PLAN RISK MANAGEMENT

The criteria for a valid risk management plan include:

  • Acceptance by the stakeholders,
  • Identification of bias and correcting for it,
  • Alignment with the internal and external constraints and priorities,
  • Balance between cost or effort and benefit, and
  • Completeness with respect to the needs of the risk management process.

4.3 IDENTIFY RISKS

Once the risk management scope and objectives are agreed, the process of identifying risks begins, with care taken to distinguish genuine risks from nonrisks, such as concerns and issues. It is unlikely that all risks are, or even can be, identified at the outset. Over time, the level of risk exposure may change as a result of the decisions and actions taken previously and of externally imposed changes.

4.3.1 PURPOSE OF IDENTIFY RISKS

The purpose of risk identification is to identify risks to the extent practicable. The emergent nature of risk requires the risk management process to be iterative, repeating the risk identification activities in order to find risks that were not previously evident.

A variety of risk identification techniques is available, each with its own strengths and weaknesses (see Appendix X6 on Techniques for the Risk Management Framework). One or more techniques are selected, as appropriate, for meeting the needs of a specific portfolio, program, or project. The aim is to expose and document all knowable risks, recognizing that some risks are inherently unknowable and others emerge later in the work. Input is sought from a wide range of stakeholders when identifying risks, since each stakeholder may have a different perspective on the risks facing the portfolio, program, or project. Historical records and documents may also be reviewed to help identify risks.

When a risk is first identified, preliminary responses may be identified at the same time. These are recorded during the Identify Risks process and are considered for immediate action when such action is appropriate. When such responses are not implemented immediately, they should be considered during the Plan Risk Responses process.

All identified risks are recorded, and a risk owner may be identified at the same time. The risk owner is the individual responsible for monitoring the risk and for selecting and implementing an appropriate risk response strategy. It is the responsibility of the risk owner to manage the corresponding risk throughout the subsequent risk management processes.

4.3.2 KEY SUCCESS FACTORS FOR IDENTIFY RISKS

Success in achieving the objectives of Identify Risks includes, but is not limited to:

  • Early identification,
  • Iterative identification,
  • Emergent identification,
  • Comprehensive identification,
  • Explicit identification of opportunities,
  • Multiple perspectives,
  • Risks linked to objectives,
  • Complete risk statement,
  • Ownership and level of detail,
  • Frequent and effective communication, and
  • Objectivity to minimize bias.

4.4 PERFORM QUALITATIVE RISK ANALYSIS

Qualitative risk analysis evaluates the importance of each risk in order to categorize and prioritize individual risks for further attention. It also provides a mechanism for evaluating the level of overall portfolio, program, or project risk.

4.4.1 PURPOSE OF PERFORM QUALITATIVE RISK ANALYSIS

Qualitative techniques are used to gain a better understanding of individual risks. Qualitative techniques consider a range of characteristics such as probability or likelihood of occurrence, degree of impact on the objectives, manageability, timing of possible impacts, relationships with other risks, and common causes or effects.

Assessing individual risks using qualitative risk analysis evaluates the probability that each risk will occur and the effect that each risk, if it occurs, would have on the portfolio, program, or project objectives. As such, this assessment does not directly address the overall risk that results from the combined effect of all risks and their potential interactions with each other. This can, however, be achieved through the use of quantitative risk analysis techniques.

Qualitative risk analysis is applied to the list of risks created or updated by the Identify Risks process to provide management with the characteristics of the risks that have the most influence (positive or negative) on achieving the objectives. Risks that are assessed as high priority, which either threaten or enhance the achievement of objectives, are highlighted in the Plan Risk Responses process. These risks may be further analyzed using quantitative risk analysis.

4.4.2 KEY SUCCESS FACTORS FOR PERFORM QUALITATIVE RISK ANALYSIS

Success in achieving the objectives of the Perform Qualitative Risk Analysis process includes, but is not limited to:

  • Use agreed approach,
  • Use agreed definitions of risk terms,
  • Collect credible information about risks, and
  • Perform iterative qualitative risk analysis.

4.5 PERFORM QUANTITATIVE RISK ANALYSIS

The Perform Quantitative Risk Analysis process provides insight into the combined effect of identified risks on the desired outcome. This process takes into account probabilistic or component-wide effects, such as correlation between risks, interdependency, and feedback loops. It provides an indication of the degree of overall risk faced by the portfolio, program, or project.

4.5.1 PURPOSE OF QUANTITATIVE RISK ANALYSIS

The Perform Quantitative Risk Analysis process provides a numerical estimate of the overall effect of risk on the objectives. Results from this analysis are used to evaluate the likelihood of success in achieving objectives and to estimate any contingency reserves.

Analyzing uncertainty using quantitative techniques provides a more realistic estimate than a nonprobabilistic approach. However, quantitative risk analysis is not always required or possible. Therefore, during the Plan Risk Management process, the benefits of quantitative risk analysis should be weighed against the effort required to ensure that the additional insights and value justify the additional effort.

However, a partial risk analysis, such as qualitative risk analysis, prioritizes only individual risks and therefore does not produce measures of overall risk where all risks are considered simultaneously. Calculating estimates of overall risk is the focus of the Perform Quantitative Risk Analysis process. Specific risks are usually best understood and quantified at a detailed level. By contrast, objectives are specified at a higher level. An overall risk analysis, such as one that uses quantitative techniques, estimates the implication of all quantified risks. Thus, quantitative risk analysis and subsequent assessments of risks are enhanced by a comprehensive understanding of the individual risks and their relative importance with respect to objectives. The overall risk may determine the priority that should be placed on particular individual risks.

Estimating overall risk using quantitative methods helps to distinguish the quantified risks that threaten objectives beyond the tolerance of the stakeholders from those risks that remain within acceptable tolerances even when their effect is taken into account. The risks that threaten objectives beyond the stakeholders’ tolerance may be targeted for vigorous risk responses aimed at protecting the objectives that are most important to the stakeholders.
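The point made above, that prioritizing individual risks does not by itself yield a measure of overall risk, can be made concrete. The following is an added example, not part of this standard: a constructed four-risk register (three threats and one opportunity on a schedule objective) is aggregated exactly by enumerating every occur/not-occur combination, with one interdependency (R3 becomes more likely if R1 occurs). From the resulting distribution it reports the likelihood of staying within an assumed 10-day stakeholder tolerance, the contingency reserve needed for a chosen confidence level, and a priority ranking of the individual risks based on how much each one drives the overall exposure. All risk identifiers, probabilities, impacts and the tolerance value are constructed for illustration.

```python
from dataclasses import dataclass, replace
from itertools import product
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    rid: str
    probability: float                  # P(occurs) when no dependency applies
    impact: float                       # days of slippage if it occurs; negative = opportunity
    depends_on: Optional[str] = None    # rid of a risk that changes this one's probability
    probability_if_dependency_occurs: Optional[float] = None


def scenario_distribution(risks: List[Risk]) -> Dict[float, float]:
    """Enumerate every occur/not-occur combination and return {total impact: probability}.
    Dependencies must be acyclic so the conditional probabilities form a valid joint law."""
    ids = [r.rid for r in risks]
    for r in risks:
        if r.depends_on is not None and (
            r.depends_on not in ids or r.probability_if_dependency_occurs is None
        ):
            raise ValueError(f"{r.rid}: incomplete dependency")
    dist: Dict[float, float] = {}
    for outcome in product((False, True), repeat=len(risks)):
        occurred = dict(zip(ids, outcome))
        weight, total = 1.0, 0.0
        for r in risks:
            prob = r.probability
            if r.depends_on is not None and occurred[r.depends_on]:
                prob = r.probability_if_dependency_occurs  # interdependency between risks
            weight *= prob if occurred[r.rid] else 1.0 - prob
            if occurred[r.rid]:
                total += r.impact
        if weight > 0.0:
            dist[total] = dist.get(total, 0.0) + weight
    return dist


def expected_total(dist: Dict[float, float]) -> float:
    return sum(total * p for total, p in dist.items())


def probability_within_tolerance(dist: Dict[float, float], tolerance: float) -> float:
    """Likelihood of meeting the objective: P(total impact <= tolerance)."""
    return sum(p for total, p in dist.items() if total <= tolerance)


def contingency_reserve(dist: Dict[float, float], confidence: float) -> float:
    """Smallest reserve that covers the total impact with the requested confidence."""
    cumulative = 0.0
    for total in sorted(dist):
        cumulative += dist[total]
        if cumulative >= confidence:
            return total
    return max(dist)


def priority_by_overall_effect(risks: List[Risk], tolerance: float) -> List[Tuple[str, float]]:
    """Rank risks by how much avoiding each one entirely lowers the probability of breaching
    the tolerance: the overall risk sets the priority of the individual risks."""
    baseline = 1.0 - probability_within_tolerance(scenario_distribution(risks), tolerance)
    ranking = []
    for r in risks:
        avoided = [replace(x, probability=0.0, probability_if_dependency_occurs=0.0)
                   if x.rid == r.rid else x for x in risks]
        breach = 1.0 - probability_within_tolerance(scenario_distribution(avoided), tolerance)
        ranking.append((r.rid, baseline - breach))
    return sorted(ranking, key=lambda item: item[1], reverse=True)


# Constructed sample register: three threats and one opportunity on a schedule objective.
REGISTER = [
    Risk("R1", 0.3, 10.0),
    Risk("R2", 0.5, 4.0),
    Risk("R3", 0.2, 6.0, depends_on="R1", probability_if_dependency_occurs=0.6),
    Risk("O1", 0.4, -3.0),
]
TOLERANCE_DAYS = 10.0  # assumed stakeholder tolerance for schedule slippage

if __name__ == "__main__":
    dist = scenario_distribution(REGISTER)
    print(f"expected slippage {expected_total(dist):.2f} days, "
          f"P(within tolerance) {probability_within_tolerance(dist, TOLERANCE_DAYS):.2f}")
    print("P80 reserve", contingency_reserve(dist, 0.8),
          "ranking", priority_by_overall_effect(REGISTER, TOLERANCE_DAYS))
```

With this register the expected slippage is 5.72 days and only 76% of scenarios stay within tolerance, so an 80% confidence level calls for a 13-day reserve; the ranking places R1 first because its occurrence also raises the probability of R3.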

4.5.2 KEY SUCCESS FACTORS FOR PERFORM QUANTITATIVE RISK ANALYSIS

Success in achieving the objectives of quantitative risk analysis includes, but is not limited to:

  • Prior risk identification and qualitative risk analysis,
  • Appropriate model,
  • Competence with the corresponding technical analysis tools,
  • Commitment to collecting credible risk data,
  • Unbiased data, and
  • Interrelationships between risks in quantitative risk analysis.

4.6 PLAN RISK RESPONSES

The Plan Risk Responses process determines the effective response actions that are appropriate for the priority of the individual risks and for the overall risk. This process takes into account the stakeholders’ risk attitudes and the conventions specified in the risk management plan, in addition to any constraints and assumptions that were determined when the risks were identified and analyzed. Once individual risks have been prioritized, appropriate risk responses are developed for both threats and opportunities. This process continues until an optimal set of responses has been developed. A range of possible responses exists for both threats and opportunities.

Five responses may be considered for dealing with threats:

  • Escalate. Escalation is appropriate when a threat is outside of the portfolio, program, or project scope or when the proposed response exceeds a given manager's authority. Escalated risks are managed at the enterprise domain, portfolio domain, program domain, or other relevant part of the organization. Ownership of escalated threats is accepted by the relevant party in the organization. A threat is usually escalated to the appropriate level that matches the objective that would be affected if the threat occurred.
  • Avoid. Risk avoidance is when the portfolio, program, or project team acts to eliminate a threat or protect activity from risk impact. It may be appropriate for a high-priority threat with a high probability of occurrence and a large negative impact. Avoidance may involve changing some aspect of the management plan or changing the objective that is in jeopardy in order to eliminate the threat impact entirely. Should the risk materialize, it would have no effect with respect to the objective. The risk owner may also take action to isolate the objective from the risk's impact if it were to occur.
  • Transfer. Transfer involves shifting responsibility of a threat to a third party to manage the risk and to bear the impact if the threat occurs. Risk transfer often involves payment of a risk premium to the party taking on the threat.
  • Mitigate. In risk mitigation, action is taken to reduce the probability of occurrence and/or impact of a threat. Early mitigation action is often more effective than trying to repair the damage after the threat has occurred. Where it is not possible to reduce probability, a mitigation response might reduce the impact by targeting factors that drive the severity.
  • Accept. Risk acceptance acknowledges the existence of a threat, but no proactive action is taken. This strategy may be appropriate for low-priority threats, and it may also be used where it is not possible or cost effective to address a threat in any other way. Acceptance can be either active or passive. The most common active acceptance strategy is to establish a contingency reserve, including amounts of time, money, or other resources to handle the threat if it occurs. Passive acceptance involves no proactive action apart from periodic review of the threat to ensure that it does not change significantly.

Five responses may be considered for dealing with opportunities:

  • Escalate. This risk response strategy is appropriate when an opportunity is outside the portfolio, program, or project scope or when the proposed response exceeds a given manager's authority. Escalated opportunities are managed at the program domain, portfolio domain, or other relevant part of the organization. It is important that ownership of an escalated opportunity is accepted by the relevant party in the organization. Opportunities are usually escalated to the right level that matches the objectives that would be affected if the opportunity occurred.
  • Exploit. The exploit strategy may be selected for high-priority opportunities where the organization wants to ensure that the opportunity is realized. This strategy seeks to capture the benefit associated with a particular opportunity by ensuring that it definitely happens, increasing the probability of occurrence to 100%.
  • Share. Sharing involves transferring ownership of an opportunity to a third party so that the third party shares some of the benefit if the opportunity occurs. It is important to carefully select the new owner of a shared opportunity to ensure capture of the opportunity for the benefit of the portfolio, program, or project. Risk sharing often involves payment of a risk premium to the party taking on the opportunity.
  • Enhance. The enhance strategy is used to increase the probability and/or impact of an opportunity. Early enhancement action is often more effective than trying to improve the benefit after the opportunity has occurred. The probability of occurrence of an opportunity may be increased by focusing attention on its causes. Where it is not possible to increase probability, an enhancement response might increase the impact by targeting factors that drive the size of the potential benefit.
  • Accept. Accepting an opportunity acknowledges its existence, but no proactive action is taken. This strategy may be appropriate for low-priority opportunities, and it may also be adopted where it is not possible or cost effective to address an opportunity in any other way. Acceptance can be either active or passive. The most common active acceptance strategy is to establish a contingency reserve, including amounts of time, money, or other resources to take advantage of the opportunity if it occurs. Passive acceptance involves no proactive action apart from a periodic review of the opportunity to ensure that it does not change significantly.

Responses are planned at a general, strategic level, and the strategy is validated and agreed prior to developing the detailed tactical approach. Once that is accomplished, the responses are expanded into actions at the tactical level and integrated into the relevant management plans. This activity may generate additional secondary risks, which need to be addressed at this time.

In addition to individual risk responses, actions may be taken to respond to overall portfolio, program, or project risk. All response strategies and actions are documented and communicated to key stakeholders and incorporated into the relevant plans.

4.6.1 PURPOSE OF PLAN RISK RESPONSES

The purpose of the Plan Risk Responses process is to determine the set of actions that provides the highest chance of success while complying with applicable constraints. Once risks have been identified, analyzed, and prioritized, plans are developed for addressing every risk that the team considers to be sufficiently important, either because of the threat it poses to the objectives or the opportunity it offers. The plans describe the agreed actions to be taken and the potential changes that these actions might cause.

Risk responses, when implemented, can have potential effects on the objectives and as such, can generate additional risks. These are known as secondary risks and are analyzed and planned for in the same way as those risks that were initially identified. There may be residual risks that remain after the responses are implemented. These residual risks are clearly identified, analyzed, documented, and communicated to all relevant stakeholders until they are satisfied.

4.6.2 KEY SUCCESS FACTORS FOR PLAN RISK RESPONSES

Success in achieving the objectives of the Plan Risk Responses process includes, but is not limited to:

  • Clearly define risk-related roles and responsibilities;
  • Specify the timing of risk responses;
  • Provide resources, budget, and schedule for responses;
  • Address the interaction of risks and responses taking into account secondary and residual risks;
  • Ensure appropriate, timely, effective, and agreed responses; and
  • Address both threats and opportunities.

4.7 IMPLEMENT RISK RESPONSES

Once the planning of risk responses is complete, all of the approved unconditional response actions are included and defined in the relevant management plans. These actions may be delegated to action owners as appropriate. The risk owner monitors actions to determine their effectiveness and to identify any secondary risks that may arise because of the implementation of risk responses.

The risk owners and risk action owners are briefed on any changes that may affect their responsibilities. Effective communications are maintained between the risk owners and the portfolio, program, or project managers so that the designated stakeholders (a) accept accountability for controlling the potential outcomes of specific risks, (b) apply their best efforts to track the associated trigger conditions, and (c) carry out the agreed responses in a timely manner.

In addition to the response actions and trigger conditions, a mechanism for measuring the effectiveness of the response is provided as part of the risk response planning. The risk action owner keeps the risk owner aware of the status of the response actions. The risk owner then decides whether the risk has been effectively dealt with, or whether additional actions need to be planned and implemented. This ensures that the agreed actions are carried out within the normal portfolio, program, or project execution framework.

4.7.1 PURPOSE OF IMPLEMENT RISK RESPONSES

The objective of the Implement Risk Responses process is to carry out the agreed risk response action should the risk occur. Proper attention to the Implement Risk Responses process helps to ensure that the agreed risk responses are executed accordingly.

4.7.2 KEY SUCCESS FACTORS FOR IMPLEMENT RISK RESPONSES

Success in achieving the objectives of the Implement Risk Responses process includes, but is not limited to:

  • A risk owner is accountable for each risk,
  • Stakeholders commit to implementing risk responses according to plan,
  • Effective communications management is used,
  • Cost of the risk responses is determined and calculated as part of the planning, and
  • Contingency and management reserves are made available.

4.8 MONITOR RISKS

The Monitor Risks process enables the portfolio, program, or project management team to reevaluate the status of previously identified risks; to identify emergent, secondary, and residual risks; and to determine the effectiveness of the risk management processes.

The portfolio, program, or project environment may change as some risks occur, whether foreseen or unforeseen, and other risks become or cease to be relevant. The management team ensures that the planning documents are kept current as additional information becomes available. Periodic risk reassessment using the risk management life cycle is repeated at reasonable intervals or in response to relevant events.

In the event of major organizational changes, risk management planning may need to be revisited prior to performing risk reassessment.

In addition to regular status reviews, periodic risk audits are performed to determine strengths and weaknesses in handling risks within the portfolio, program, or project. This entails identifying any barriers to effectiveness or keys to success in risk management, the recognition of which could help to improve risk management of the current or future portfolios, programs, or projects.

At the end of the program or project, an integrated analysis of the risk management process is carried out with a focus on long-term process improvements. This analysis consolidates the findings of the periodic audits to identify lessons that are applicable to a large proportion of the organization's future programs or projects, such as appropriate levels of resources, adequate time for the analysis, use of tools, level of detail, etc.

The result of the risk management process audit is consolidated with specific information with respect to the experience of risk in the portfolio, program, or project. The results are highlighted, and potential actions are proposed for applying them in the future. This includes any generally applicable guidelines for the organization, and the results can lead to an update of the corresponding organizational process assets.

4.8.1 PURPOSE OF MONITOR RISKS

The primary objectives of the Monitor Risks process are to track identified risks and maintain the viability of response plans. In addition to tracking and managing the risk response actions, the effectiveness of all of the risk management processes is periodically reviewed to provide improvements to the management of the current work as well as future work, through an activity such as lessons learned.

For each risk or set of risks for which a contingent response has been defined, the corresponding set of trigger conditions is specified. It is the responsibility of the risk owner to ensure that these conditions are effectively monitored and that the corresponding actions are carried out as defined in a timely manner.

4.8.2 KEY SUCCESS FACTORS FOR MONITOR RISKS

Key success factors related to maintaining risk awareness throughout the life cycle include, but are not limited to:

  • Integrated risk monitoring,
  • Continuous monitoring of risk trigger conditions, and
  • Maintaining risk awareness.