3 FRAMEWORK FOR RISK MANAGEMENT IN PORTFOLIO, PROGRAM, AND PROJECT MANAGEMENT

Risks are present in every organizational activity, especially across endeavors such as portfolios, programs, and projects. Organizational inertia is inherently risky because products and services become stale over time and organizations may lose their competitiveness due to societal and technological changes. Risks can be difficult to manage because a single risk can have a different impact on various components of portfolios and programs, and across the various levels of an organization. Organizations and professionals need to balance threats and opportunities and the dilemmas of inaction versus action. This section addresses this dilemma by providing the framework for risk management across the enterprise and its portfolio, program, and project management activities.

3.1 BUSINESS CONTEXT OF RISK MANAGEMENT IN PORTFOLIO, PROGRAM, AND PROJECT MANAGEMENT

All organizations encounter internal and external factors that influence their ability to achieve desired objectives. Achieving those objectives is rarely ensured. All organizational activities involve risk—even inaction.

An organization manages risk through people, processes, technology, and information. Portfolio, program, and project managers are responsible for risks associated with their endeavors. These managers are responsible for working with stakeholders at various levels of the organization and applying a systematic, integrated approach to risk management.

Figure 3-1 represents the context of organizational activities, from the abstract (or the top of an organization) to the specific (or the bottom) where discrete tasks are completed. Risk permeates throughout the pyramid. The organizational strategy sets the direction through the vision and mission, and strategy defines specific goals and objectives for the organization. This is all-encompassing and includes operational and change activities.

Goals and objectives are aligned with strategies. The attainment of business benefits and value requires the execution of operational and change plans. Organizations realize the benefits of change by executing plans and their associated activities, which result in the successful attainment of portfolio, program, and project objectives. Change by its very nature can be uncertain. For most organizations, change is inevitable and is necessary to maintain and sustain competitiveness. To manage change successfully, organizations require a robust, well-thought-out strategic execution plan to implement portfolios, programs, and projects in a consistent manner over time. This requires the adoption of an effective organizational project management (OPM) implementation. OPM is a framework in which portfolio, program, and project management are aligned with strategy and integrated with organizational enablers in order to achieve strategic objectives. Portfolio, program, and project management targets business objectives that support the organizational strategy. Some threats arise when strategy or business objectives are not aligned with the organization's mission, vision, and core values. Additional threats arise when business objectives do not support strategy or when endeavors, such as portfolios, programs, and projects, are not aligned with business objectives. Opportunities could be enhanced when strategy and business objectives are well aligned.

3.1.1 ORGANIZATIONAL FRAMEWORK

As shown in Figure 3-2, risk management includes all domains of the organization: enterprise, portfolio, program, and project. ERM is an approach to managing risk that reflects the organization's culture, capability, and strategy to create and sustain value. It covers the policies, processes, and methods by which organizations manage risks (both threats and opportunities) to advance the mission and vision of the organization. Portfolio risk management derives its policies, processes, methods, and tolerance from the ERM framework and tailors it for the management of portfolios. Similarly, programs and projects adopt their respective risk management practices from the portfolio framework.

The governance board typically oversees ERM in that it steers the process with significant and proactive management engagement. The portfolio, program, and project managers manage and monitor communications with internal and external stakeholders, which is required to instill the importance and values of risk management, expected culture and behavior, and risk attitude.

3.1.2 ORGANIZATIONAL CONTEXT

The application of ERM is influenced by industry, regulations, and organizational context. By understanding the context in which the organization exists, portfolio, program, and project managers can tailor the optimal approach to risk management for their endeavors and simultaneously assist the organization in assessing and responding to risks. Many factors can also impact the extent of risk management practices. Some of these factors include capital availability, competitive landscape, and risk attitude.

3.1.3 STRATEGIC AND ORGANIZATIONAL PLANNING

Risk management in portfolios, programs, and projects aligns with the setting of strategic vision, mission, goals, values, and business objectives. It provides the inputs for pursuing different alternatives. Strategic goals and business objectives are developed to realize the organization's vision and mission in line with core values. Once these goals and objectives are set, they become inputs for risk management. If there are potential conflicts between strategic goals and the portfolio of work, then the risk is escalated to the proper level of management. See Figure 3-1.

3.1.4 LINKING PLANNING WITH EXECUTION THROUGH PORTFOLIO, PROGRAM, AND PROJECT MANAGEMENT

Portfolio, program, and project management refers to domains in the organizational project management (OPM) framework for managing capabilities and enhancing existing value or creating new value. Portfolio management serves as the bridge that connects strategic planning with business execution. By focusing on selecting the right portfolio components (e.g., programs, projects, and operational initiatives), portfolio management enables organizations to achieve alignment with strategy and to invest their resources wisely and effectively. Program and project management are then responsible for the implementation.

These activities are performed within an environment that is full of risks. While OPM enables an organization to leverage its results and implementation success and supports a healthy organization within a competitive and rapidly changing environment, it is not risk free. Therefore, it is essential for organizational leaders and managers to recognize the importance of managing risks to tackle threats and enable opportunities. Portfolio, program, and project managers work inclusively to (a) identify, analyze, evaluate, prioritize, recommend, plan, and implement risk responses; (b) monitor progress; and (c) adjust risk responses as appropriate.

3.2 SCOPE OF ACCOUNTABILITY, RESPONSIBILITY, AND AUTHORITY

The accountability, responsibility, and authority of risk management are shared by stakeholders involved in portfolio, program, and project management.

  • Accountability is individual by nature and derived from a position held in the organization. Accountability is related to authority in that one is usually held accountable within one's limits of authority. However, one still may be held accountable beyond one's authority to act.
  • Responsibility resides in an individual by the assignment of a function or task. By accepting the assignment, an individual takes on the associated responsibility. The fact that others higher in the organization may also be held responsible or accountable does not diminish the responsibility held by the individual. The assigning individual still is held accountable for the delegated task, but responsibility is passed to the assigned individual.
  • Authority, like responsibility, may be delegated and gives an individual the ability to make decisions within defined bounds.

3.2.1 ACCOUNTABILITY AT THE ENTERPRISE LEVEL

The objective of risk management is to apply knowledge, skills, and good practices to manage the area of focus within the risk threshold that is acceptable to the organization, whether at the enterprise, portfolio, program, or project level. The purpose is to minimize the impact of threats to protect the organization from loss and to embrace opportunities that translate to value. The management of risk across the continuum of portfolios, programs, and projects requires collaboration throughout the enterprise, and the recognition that failure to allocate the appropriate amount of resources could jeopardize the organization's strategic objectives.

Portfolio, program, and project management are responsible for supporting management policies, defining roles and responsibilities, setting targets, and overseeing implementation. The managers of the work are responsible for keeping senior management apprised of ongoing risk exposure and corresponding actions.

3.2.2 ACCOUNTABILITY AT THE PORTFOLIO LEVEL

In some cases, portfolios may exist for brief periods; however, portfolios often exist for as long as the organization itself exists. As a result, portfolio managers may oversee activities or authorize components that may take several years for the organization to realize the value of the investment. Any change in this landscape has direct implications on the organization's strategic objectives. Specific external factors can include regulatory requirements or mandates, market conditions, and organizational restructuring.

Portfolio risk management tackles strategic, execution, and structural risks. Whereas program risk management evaluates risk across a related set of components, portfolio risk management is broad and considers risks that could impact unrelated components and operational activities within the portfolio. As a result, portfolio managers address several challenges when managing risk because portfolio-level risks encompass both external and internal factors by bridging organizational strategy to implementation.

3.2.3 ACCOUNTABILITY AT THE PROGRAM LEVEL

At the program level, the risks that are evaluated span the related components and, if triggered, could have a positive or negative impact on one or more other components. Working with the component managers, it is the responsibility of the program manager to identify and manage these risks. Rather than manage these risks individually within the component, program managers ensure that program risks are managed through coordination.

When managing strategic risk, program managers may identify new risks that exceed the organization's risk appetite and could directly impact the program. Strategic risks present both a threat and an opportunity. The program manager evaluates and reviews a set of response options for consideration with the governance body.

Within the program, risks can affect the delivery of specific components. The program managers advise their component managers of any shared risks and response plans that relate to individual components. There may be economies of scale and scope in that the shared risks may be managed by initiating one risk response at the program level.

3.2.4 ACCOUNTABILITY AT THE PROJECT LEVEL

At the project level, the objective of risk management is to (a) decrease the probability and impact of negative risks and (b) increase the probability and impact of positive risks specific to project deliverables or objectives. Project managers are accountable for evaluating, reporting, and managing both individual and overall project risks within the constraints of the project. They may escalate certain risks to, or receive guidance from, sources such as the program manager, portfolio manager, project management office, governance board, and other leadership entities, depending on the complexity of the initiative and organizational inputs.

All project team members have the responsibility for managing risk, for example, the identification of risk during initiation, clarification of the trigger events, or awareness of potential new risks that could affect the endeavor.

3.3 GENERAL APPROACHES TO RISK MANAGEMENT

As risks are pervasive throughout portfolio, program, and project management activities, a systematic approach for managing risks is essential for the organization to achieve its strategic objectives. In this context of risk management, considerations include, but are not limited to, the following:

  • Events or circumstances that may occur in the future (their variability and ambiguity);
  • Events that could have a positive or negative impact on one or more objectives of the enterprise, portfolio, program, or project;
  • Probability of the event occurring;
  • Impact of the event should it occur; and
  • Ability of the organization to influence favorable outcomes or minimize negative consequences.

3.3.1 FACTORS FOR EVALUATING RISK

Across the continuum of enterprise, portfolio, program, and project risk management, risks exist at all levels of the organization. Figure 3-3 provides a framework for classifying risks in one of four quadrants based on available information and the degree of ambiguity and variability. See Appendix X8 on Risk Classification for additional information.

In order for risk management to take place, portfolio, program, and project managers need to identify the risk probability and impact.

  • Probability. The chance of a risk occurring can range from slightly above 0% to just below 100%.
  • Impact. Risks, should they occur, can have either a positive or negative consequence for the organization. The magnitude or significance of the impact may have varying implications and influences.

There are additional factors to consider when evaluating risks. Some are included in Appendix X6 on Techniques for the Risk Management Framework.
