5
RISK MANAGEMENT IN THE CONTEXT OF PORTFOLIO MANAGEMENT
The purpose of risk management within the portfolio domain is to secure efficient and effective value delivery, which is pursued through the realization of the organization's strategic objectives. It is achieved by combining the management of opportunities and threats.
At the portfolio level, risk management takes into account the entire organizational framework. A portfolio is a collection of projects, programs, subsidiary portfolios, and operations managed as a group to achieve strategic objectives. Risk management in the portfolio domain ensures that all of the components implement effective processes to manage the entire risk management life cycle.
One of the main goals of portfolio management is to build a risk-efficient portfolio, where the organization chooses to take an appropriate amount of risk within the portfolio in order to achieve the required value in the overall organizational strategy. This is achieved by adding or removing portfolio components, based on their contributions to the overall risk exposure and strategic value.
5.1 PORTFOLIO RISK MANAGEMENT LIFE CYCLE
The life cycle of risk management as described in Section 4 generally applies to portfolio management. However, there are a number of additional considerations to the corresponding processes that need to be taken into account in this context.
5.1.1 PORTFOLIO RISK IDENTIFICATION
Risk identification at the portfolio level is focused on (a) identifying the risks that have an impact on the delivery of the expected business performance and (b) the ability of the organization to implement its strategy and achieve its strategic objectives.
There are two levels of risk:
- Strategic risks. Strategic risks are risks identified directly at the portfolio level and triggered by portfolio activities. Strategic risks include activities related to the generation of business performance by the portfolio components and those having an impact on the ability of the organization to achieve its strategic objectives.
- Tactical risks. Tactical risks are risks identified either by management processes at the portfolio level or escalated from the portfolio's components.
Risks that can impact portfolio components typically include the following categories:
- Changing business needs, environment, or context;
- Availability of resources;
- Interactions between components; and
- Conflicting component objectives.
5.1.2 PORTFOLIO RISK QUALITATIVE AND QUANTITATIVE ANALYSES
The evaluation of risks at the portfolio level is performed by taking into account the impact of risks on the realization of the expected business performance or the execution of the organizational strategy. One of the reasons these analyses are conducted is to evaluate whether the level of impact can be contained within the scope of the portfolio manager's accountability.
When the impact affects the portfolio's business performance or strategic objectives, then the impact is typically addressed at the portfolio level in an operational manner. When the impact affects the ability of the organization to execute strategy and realize the intended value, the risk and responsibility to respond to the risk is escalated to a higher governance level.
5.1.3 PORTFOLIO RISK RESPONSE STRATEGIES
In portfolio risk management, the focus of risk responses is oriented toward exploiting business opportunities and maximizing value creation for the organization and its stakeholders. It goes beyond treating threats, which, in the portfolio domain, are merely limitations to actions. Portfolio management also includes responding to risks escalated by its components in order to ensure that these are effectively and efficiently addressed at the appropriate level.
In principle, all of the potential responses listed in Section 4.6 can be used when responding to risks at the portfolio level.
The risk response strategies developed at the portfolio level consist of the activities documented in the portfolio risk management plan. In addition, some responses are developed as a result of escalation from the component level. These activities are budgeted accordingly and funded from the relevant sources. Examples of relevant funding sources are the portfolio's or component's budget for preventive responses, relevant contingency reserves for handling occurrences of known risks, or management reserves for handling unforeseen risk-related issues.
Risk responses can be planned as additional portfolio components such as projects, programs, subsidiary portfolios, or elements of the portfolio governance framework. These components are aimed at maximizing business performance or enhancing the execution of organizational strategy to achieve the strategic objectives. In some cases, the risk response can also lead to the removal of components from the portfolio.
5.1.4 IMPLEMENTING PORTFOLIO RISK RESPONSES
The implementation of risk responses within a portfolio includes:
- Triggering risk responses as they have been defined in the portfolio risk management plan,
- Transferring the corresponding budget from the contingency reserve into the budget at completion, and
- Updating the portfolio baselines accordingly.
The risk responses planned as new components become part of the portfolio and are subject to the application of the standard portfolio delivery and deployment processes.
Any formally approved risk response becomes an integral part of the portfolio management plan. The implementation of such a response is not a change to the portfolio that is initiated through a formal portfolio change management procedure. However, any new responses planned to address emergent risks become part of the portfolio change management procedure.
5.1.5 MONITORING PORTFOLIO RISKS
Monitoring the risks at the portfolio level is both a tactical and strategic activity, described as follows:
- Tactical activity. Oversees the aspects related to the execution of the anticipative and responsive actions undertaken to respond to identified risks. Also ensures that operational risks or systemic risks that could impact the portfolio are properly handled.
- Strategic activity. Addresses the evolution of the risk characteristics of each portfolio component, the overall portfolio risk profile, and the impact of that evolution on business performance. The focus is on development and implementation of the organizational strategy and the achievement of strategic objectives. These risk profiles are regularly analyzed in order to identify any potential trends that might indicate new risks or the inefficiency or ineffectiveness of the response strategies.
The monitoring of risk responses is conducted according to quantitative parameters and the use of qualitative assessments. These risk responses are intended to be effective at treating the specific risk they are addressing in order to enhance or maintain the realization of the expected business performance and the execution of the organizational strategy. The qualitative assessment is performed by revising the risk analysis to ensure these plans are efficient and effective.
Monitoring risks at the portfolio level includes ensuring that risk-related elements of the governance framework are properly implemented by the portfolio's components and are effective.
5.2 INTEGRATION OF RISK MANAGEMENT INTO THE PORTFOLIO MANAGEMENT PERFORMANCE DOMAINS
In order to achieve the portfolio objectives, there are a number of risk management practices that can be applied across the portfolio life cycle within all of the performance domains (see Figure 5-1). These practices typically cover the areas shown in Table 5-1.
Table 5-1. Areas of the Portfolio Management Performance Domains Typically Covered by Risk Management Practices
| Performance Domain | Areas Covered by Risk Management Practices |
| Portfolio Strategic Management | • Alignment with organization's risk attitude and strategy • Quality of the organization's strategy • Impact of strategic changes within the organization • Interpretation of the portfolio mission, vision, strategic goals, and objectives • Impact of external opportunities and threats |
| Portfolio Governance | • Portfolio governance structures, policies, and procedures • Assignment of individuals to key governance roles • Risk-based audits • Use of audit reports |
| Portfolio Capacity and Capability Management | • Impact of the portfolio on other activities in the organization • Impact of the other activities of the organization • Key human, financial, and intellectual capital • Availability and fit for use of the key assets • Capacity required to manage risk • Impact of the organizational culture, structure, and key processes • Capacity of the partners and suppliers • Use of performance reports • Impact of portfolio optimization on value delivery |
| Portfolio Stakeholder Engagement | • Methods for stakeholder identification, categorization, and analysis • Attitude of key portfolio stakeholders • Interactions and conflicts of interests • Ways of engaging stakeholders • Scope, channels, techniques, and frequency of communications |
| Portfolio Value Management | • Opportunities to increase value delivery • Trends in the portfolio environment • Alignment of value targets with risk attitude • Impact of component risks on value delivery • Approach to the expected value negotiations |
| Portfolio Risk Management | • Risk management approach • General portfolio risks • Cumulative effects of component risks • Risk escalation policies |
5.2.1 PORTFOLIO STRATEGIC MANAGEMENT
The essence of Portfolio Strategic Management is to ensure the enhancement/exploitation of strategic opportunities and the avoidance/mitigation of threats that could potentially prevent the organization from achieving its full potential. Therefore, risk management in the context of portfolio strategic management focuses on the identification and active management of those opportunities and threats that potentially have a substantial impact on the realization of the organizational strategy.
5.2.2 PORTFOLIO GOVERNANCE
The purpose of Portfolio Governance is to ensure that the portfolio is managed in an appropriate way. This includes meeting the legal, regulatory, and organizational governance requirements. The role of risk management within portfolio governance is to use the organization's potential to (a) efficiently secure adequate governance and management practices and (b) avoid or mitigate threats that could lead to misconduct or ineffective management of the portfolio.
5.2.3 PORTFOLIO CAPACITY AND CAPABILITY MANAGEMENT
Risk management in the context of Portfolio Capacity and Capability Management focuses on the mutual impact of the portfolio and related operations. In addition, risk management in the context of capacity and capability management ensures the proper use and development of capital and assets entrusted to the portfolio manager for the component programs and projects.
5.2.4 PORTFOLIO STAKEHOLDER ENGAGEMENT
Key stakeholders at the portfolio level typically include executive leaders and managers of the organization and their equivalents in the key partner, supplier, and customer organizations. Another key group of stakeholders is the component managers. From this perspective, portfolio risk management focuses on (a) opportunities to increase effectiveness in realizing the organization's strategy and (b) threats that could potentially lower the ability to do so.
5.2.5 PORTFOLIO VALUE MANAGEMENT
Portfolio Value Management focuses on ensuring that the investment in portfolio components leads to the delivery of expected value. Risk management, in this context, focuses on (a) maximizing opportunities to increase value delivered and (b) responding to threats that could potentially lower the value or probability of value delivery.
5.2.6 PORTFOLIO RISK MANAGEMENT
Portfolio Risk Management focuses on ensuring that risk at the portfolio and its component level is recognized and managed effectively. It is achieved through risk management and risk governance practices. Because these practices are essential for dealing with uncertainty at the portfolio level, they are also analyzed from the risk perspective. Adequate measures are then taken to ensure that the application of risk management is robust and effective.