X3.1 THE PURPOSE OF PORTFOLIO RISK MANAGEMENT CONTROLS
A portfolio is a collection of projects, programs, subsidiary portfolios, and operations managed as a group to achieve strategic objectives. At the portfolio level, projects, programs, and operations are aligned with the organization's investment strategy to assure achievement of strategic objectives through portfolio operations. The focus of portfolio management is on the alignment of programs, projects, and operations with the organization's strategy and balancing risks to achieve strategic objectives. Portfolio managers manage the resources, constraints, and interfaces between subordinate programs, projects, and operational activities.
The primary objective of portfolio risk management is to ensure portfolio components achieve the best possible success according to the organization's strategy and business model. From a risk perspective, this is accomplished through the balancing of positive and negative risks. Risk management controls help to achieve this by seamlessly integrating risk practices into the portfolio life cycle within all of the performance domains. This approach ensures that risk management becomes a natural part of portfolio management and helps achieve success in value delivery.
The selection, tailoring, implementation, and monitoring of particular controls in a given portfolio are a part of the oversight activities. Sections X3.2 through X3.7 provide risk management controls for portfolio risk management along with examples of factors to consider for some of the controls.
X3.2 RISK MANAGEMENT CONTROLS FOR PORTFOLIO STRATEGIC MANAGEMENT
Risk management controls and objectives for portfolio strategic management are provided in Table X3-1.
Control ID | Control Objective |
PF.STR.1 | Organization's strategic risk attitude and appetite are regularly reassessed and reflected in the portfolio governance documents and other relevant portfolio process assets. |
PF.STR.2 | Criteria for selection of portfolio components reflect the organization's risk attitude and appetite. |
PF.STR.3 | Risks related to the correctness of the organizational strategy are identified and actively managed throughout the entire portfolio life cycle. |
PF.STR.4 | Risks related to strategic changes within the organization that could potentially impact the way that the portfolio or its components are managed, identified, and analyzed are reflected in the portfolio governance documents. |
PF.STR.5 | Risks related to the interpretation of the portfolio mission, vision, strategic goals, and objectives are identified, analyzed, and acted upon while developing or changing those elements. |
PF.STR.6 | Organization's environment is regularly monitored for opportunities and threats that could lead to changes at the portfolio level. Critical success factors (CSFs) for strategy realization are given special attention in this context. |
PF.STR.7 | When optimizing the portfolio, risks related to the realization of value expected from impacted programs and resulting from projects within the portfolio are identified, analyzed, and acted upon. |
The following factors should be considered when reassessing the organization's strategic risk attitude and appetite and the selection of portfolio components based on organizational attitude and appetite (Control PF.STR.1 and Control PF.STR.2):
The following factors should be considered when identifying risks related to the correctness of the organizational strategy (Control PF.STR.3):
The following factors should be considered when identifying risks related to strategic changes within the organization and when identifying risks related to analysis, execution, and change to portfolio mission, vision, and strategic goals and objectives (Control PF.STR.4):
The following factors should be considered when monitoring critical success factors (CSFs) and opportunities and threats (Control PF.STR.6):
The following factors should be considered when identifying risks related to the realization of value contribution expected from programs, projects, and operations within the portfolio (Control PF.STR.7):
X3.3 RISK MANAGEMENT CONTROLS FOR PORTFOLIO GOVERNANCE
Risk management controls and objectives for portfolio governance are provided in Table X3-2.
Control ID | Control Objective |
PF.GOV.1 | Risks related to portfolio governance structures, policies, and procedures are identified and actively managed throughout the entire portfolio life cycle. |
PF.GOV.2 | Risks related to the assignment of particular individuals to key governance roles within the portfolio are identified and actively managed throughout the entire portfolio. |
PF.GOV.3 | Audits conducted as part of portfolio governance are based on risk analysis in order to ensure the right focus and minimize impact on portfolio components. |
PF.GOV.4 | Audit reports are used as an input for portfolio and component-level risk identification. |
PF.GOV.5 | Audits conducted as part of portfolio governance are performed according to agreed standards by qualified personnel independent from the portfolio and component management roles. |
PF.GOV.6 | Risks related to the interface of the portfolio governance structure and policies and procedures with the enterprise risk management processes are identified and actively managed throughout the entire portfolio life cycle. |
The following factors should be considered when identifying risks related to portfolio governance structure and policies and procedures (Control PF.GOV.1):
The following factors should be considered when identifying risks related to assignment of particular individuals to key governance roles within the portfolio (Control PF.GOV.2):
The following factors should be considered when planning and staffing audits as part of portfolio governance (Control PF.GOV.5):
The following factors should be considered when identifying risks related to the interface of portfolio governance structures and policies and procedures with enterprise risk management processes (Control PF.GOV.6):
X3.4 RISK MANAGEMENT CONTROLS FOR PORTFOLIO CAPACITY AND CAPABILITY MANAGEMENT
Risk management controls and objectives for portfolio capacity and capability management are provided in Table X3-3.
Control ID | Control Objective |
PF.CAP.1 | Risks related to the impact of the portfolio on other activities of the organization and its partners are identified and actively managed throughout the entire portfolio life cycle. |
PF.CAP.2 | Risks related to other activities of the organization and its partners that impact the portfolio are identified and actively managed throughout the entire portfolio life cycle. |
PF.CAP.3 | Risks related to availability and performance of key human capital are identified and actively managed throughout the entire portfolio life cycle. |
PF.CAP.4 | Risks related to availability and stability of key financial capital are identified and actively managed throughout the entire portfolio life cycle. |
PF.CAP.5 | Risks related to availability and fit for use of the key assets are identified and actively managed throughout the entire portfolio life cycle. |
PF.CAP.6 | Risks related to the availability and development of key intellectual capital are identified and actively managed throughout the entire portfolio life cycle. |
PF.CAP.7 | Capacity required to manage risk at the portfolio and its component level is regularly identified, monitored, and (whenever needed) increased or reduced to maintain the optimal level. |
PF.CAP.8 | Risks related to the culture of the organization and its partners are identified and actively managed throughout the entire portfolio life cycle. |
PF.CAP.9 | Risks related to the structure of the organization and its partners are identified and actively managed throughout the entire portfolio life cycle. |
PF.CAP.10 | Risks related to key processes within the organization are identified and actively managed throughout the entire portfolio life cycle. |
PF.CAP.11 | Whenever partners or suppliers play a significant role in providing portfolio capacity, risks related to their involvement are identified and actively managed throughout the entire portfolio life cycle. |
PF.CAP.12 | Portfolio, program, and project performance reports, together with KPIs within the organization, are used to identify risks and recognize their potential impact on portfolio capacity and capability as early as possible. |
PF.CAP.13 | When optimizing portfolio capacity, risks related to the realization of value expected from impacted programs and resulting from projects within the portfolio are identified, analyzed, and acted upon. |
The following factors should be considered when identifying both risks related to the impact of the portfolio on other activities of the organization and its partners and risks related to other activities of the organization and its partners that impact the portfolio (Control PF.CAP.1 and Control PF.CAP.2):
The following factors should be considered when identifying risks related to the availability and performance of key human capital (Control PF.CAP.3):
The following factors should be considered when identifying risks related to the availability and performance of financial capital (Control PF.CAP.4):
The following factors should be considered when identifying risks related to the availability and fit for use of the key assets (Control PF.CAP.5):
The following factors should be considered when identifying risks related to the availability and development of key intellectual capital (Control PF.CAP.6):
The following types of risk management-related activities should be considered when analyzing the capacity required to manage risk at the portfolio and its component level (Control PF.CAP.7):
The following factors should be considered when identifying risks related to the culture of the organization and its partners (Control PF.CAP.8):
The following factors should be considered when identifying risks related to the structure of the organization and its partners (Control PF.CAP.9):
The following process areas should be considered when identifying risks related to the key processes within the organization (Control PF.CAP.10):
The following factors should be considered when identifying risks related to the involvement of partners and suppliers (Control PF.CAP.11):
The following indicators should be considered from the risk perspective when analyzing portfolio, program, and project performance reports, together with KPIs within the organization (Control PF.CAP.12):
The following should be considered when identifying, analyzing, and responding to risks associated with optimizing portfolio capacity to realize value (Control PF.CAP.13):
X3.5 RISK MANAGEMENT CONTROLS FOR PORTFOLIO STAKEHOLDER ENGAGEMENT
Risk management controls and objectives for portfolio stakeholder engagement are provided in Table X3-4.
Control ID | Control Objective |
PF.STK.1 | Risks related to key portfolio stakeholders are regularly identified and actively managed throughout the entire portfolio life cycle. |
PF.STK.2 | Decisions to engage certain stakeholders at the portfolio, program, or project level are evaluated from the risk perspective. |
PF.STK.3 | Risk appetite, attitude, and threshold of key portfolio stakeholders are assessed regularly. Whenever there are differences between the individual's factors just listed and the corresponding organizational factors, related risks are identified and actively managed. |
PF.STK.4 | Potential interactions and conflicts of interest among key portfolio stakeholders are taken into consideration when identifying risks. |
PF.STK.5 | Risks related to the selected approach to analysis, categorization, and grouping of stakeholders are identified and addressed when planning Portfolio Stakeholder Engagement. |
PF.STK.6 | Risks related to selected communication techniques and related communication infrastructure are identified and actively managed throughout the entire portfolio life cycle. |
PF.STK.7 | Risks related to the scope, frequency, and form of communications at the portfolio level are identified and actively managed throughout the entire portfolio life cycle. |
The following factors should be considered when identifying risks related to key portfolio stakeholders (Control PF.STK.1):
The following factors should be considered when identifying risks related to decisions to engage certain stakeholders at the portfolio, program, or project level (Control PF.STK.2):
The following factors should be considered when identifying risks related to disconnects between individual key stakeholders and organizational risk appetite, attitude, and threshold (Control PF.STK.3):
The following factors should be considered when identifying risks related to potential interactions and conflicts of interest among key portfolio stakeholders (Control PF.STK.4):
The following factors should be considered when identifying risks related to the selected approach to analyze, categorize, and group stakeholders (Control PF.STK.5):
The following factors should be considered when identifying risks related to the selected communication techniques and related communication infrastructure (Control PF.STK.6):
The following factors should be considered when identifying risks related to the scope, frequency, and form of communications at the portfolio level (Control PF.STK.7):
X3.6 RISK MANAGEMENT CONTROLS FOR PORTFOLIO VALUE MANAGEMENT
Risk management controls and objectives for portfolio value management are provided in Table X3-5.
Control ID | Control Objective |
PF.VAL.1 | Opportunities to increase value delivery are regularly identified and actively managed throughout the entire portfolio life cycle. |
PF.VAL.2 | Trends in enterprise environmental factors and changes to organizational process assets are regularly analyzed in order to identify risks that could potentially impact value delivery. |
PF.VAL.3 | Portfolio is regularly reassessed and balanced from the organizational risk appetite and attitude perspective in order to ensure the right set of portfolio components. |
PF.VAL.4 | Key portfolio component risks are regularly assessed from the perspective of their impact on delivering expected value. |
PF.VAL.5 | Techniques used for component performance optimization are assessed from the perspective of risks that can impact value contribution. |
PF.VAL.6 | Techniques and processes selected for expected value negotiations are evaluated from the risk perspective. |
The following factors should be considered when identifying risks related to the opportunities to increase value delivery and the trends in enterprise environmental factors and changes to organizational process assets (Control PF.VAL.1 and Control PF.VAL.2):
The following factors should be considered when the portfolio is reassessed and balanced from an organizational risk appetite and attitude perspective in order to ensure the right set of portfolio components to maximize delivery of value (Control PF.VAL.3):
The following factors should be considered when key portfolio component risks are assessed from the perspective of their impact on delivering expected value (Control PF.VAL.4):
The following factors should be considered when techniques used for component performance optimization are assessed from the perspective of risks that can impact value contribution (Control PF.VAL.5):
The following factors should be considered when identifying risks related to the techniques and processes selected for expected value negotiations (Control PF.VAL.6):
X3.7 RISK MANAGEMENT CONTROLS FOR PORTFOLIO RISK MANAGEMENT
Risk management controls and objectives for portfolio risk management are provided in Table X3-6.
Control ID | Control Objective |
PF.RSK.1 | Risks related to the selection of a particular risk management approach within the portfolio are identified, analyzed, and considered when developing the portfolio risk management framework and management plans. |
PF.RSK.2 | Risk management at the portfolio level includes identification and management of general portfolio risks and cumulative effects of component risks. |
PF.RSK.3 | Risk escalation policies are in place in order to ensure the optimal management of portfolio and component risks and to ensure the correct visibility of component-level risks. This policy is reflected in the management plans at the component level. |
PF.RSK.4 | There are clear policies for integrating component risk activities with enterprise risk management. |
The following factors should be considered when identifying risks related to the selection of a particular risk management approach within the portfolio (Control PF.RSK.1):
The following factors should be considered to ensure management of general portfolio risks and cumulative effects of component risks (Control PF.RSK.2):
The following factors should be considered for risk escalation policies at the level of portfolio (Control PF.RSK.3):
The following factors should be considered when integrating component risk activities within enterprise risk management (Control PF.RSK.4):