APPENDIX X3
PORTFOLIO RISK MANAGEMENT CONTROLS

X3.1 THE PURPOSE OF PORTFOLIO RISK MANAGEMENT CONTROLS

A portfolio is a collection of projects, programs, subsidiary portfolios, and operations managed as a group to achieve strategic objectives. At the portfolio level, projects, programs, and operations are aligned with the organization's investment strategy to assure achievement of strategic objectives through portfolio operations. The focus of portfolio management is on the alignment of programs, projects, and operations with the organization's strategy and balancing risks to achieve strategic objectives. Portfolio managers manage the resources, constraints, and interfaces between subordinate programs, projects, and operational activities.

The primary objective of portfolio risk management is to ensure portfolio components achieve the best possible success according to the organization's strategy and business model. From a risk perspective, this is accomplished through the balancing of positive and negative risks. Risk management controls help to achieve this by seamlessly integrating risk practices into the portfolio life cycle within all of the performance domains. This approach ensures that risk management becomes a natural part of portfolio management and helps achieve success in value delivery.

The selection, tailoring, implementation, and monitoring of particular controls in a given portfolio are a part of the oversight activities. Sections X3.2 through X3.7 provide risk management controls for portfolio risk management along with examples of factors to consider for some of the controls.

X3.2 RISK MANAGEMENT CONTROLS FOR PORTFOLIO STRATEGIC MANAGEMENT

Risk management controls and objectives for portfolio strategic management are provided in Table X3-1.

Table X3-1. Risk Management Controls and Objectives for Portfolio Strategic Management

Control ID Control Objective
PF.STR.1 Organization's strategic risk attitude and appetite are regularly reassessed and reflected in the portfolio governance documents and other relevant portfolio process assets.
PF.STR.2 Criteria for selection of portfolio components reflect the organization's risk attitude and appetite.
PF.STR.3 Risks related to the correctness of the organizational strategy are identified and actively managed throughout the entire portfolio life cycle.
PF.STR.4 Risks related to strategic changes within the organization that could potentially impact the way that the portfolio or its components are managed, identified, and analyzed are reflected in the portfolio governance documents.
PF.STR.5 Risks related to the interpretation of the portfolio mission, vision, strategic goals, and objectives are identified, analyzed, and acted upon while developing or changing those elements.
PF.STR.6 Organization's environment is regularly monitored for opportunities and threats that could lead to changes at the portfolio level. Critical success factors (CSFs) for strategy realization are given special attention in this context.
PF.STR.7 When optimizing the portfolio, risks related to the realization of value expected from impacted programs and resulting from projects within the portfolio are identified, analyzed, and acted upon.

The following factors should be considered when reassessing the organization's strategic risk attitude and appetite and the selection of portfolio components based on organizational attitude and appetite (Control PF.STR.1 and Control PF.STR.2):

  • Overall organization's strategic risk attitude, also considering its market, legal, and political context;
  • Degree of uncertainty an organization is willing to accept in anticipation of a reward;
  • Degree, amount, or volume of risk that an organization is willing to withstand; and
  • Level of risk exposure above which risks are addressed and below which risks may be accepted.

The following factors should be considered when identifying risks related to the correctness of the organizational strategy (Control PF.STR.3):

  • Experience and competence level of the team formulating the strategy;
  • Reliability, applicability, and accuracy of models and data used for environmental analysis and forecasting;
  • Clarity and completeness of strategic vision;
  • Definition of strategic objectives;
  • Comprehensiveness of the decision-making processes during strategy formulation; and
  • Completeness of strategic dimensions taken into consideration (e.g., as suggested by the balanced scorecard technique).

The following factors should be considered when identifying risks related to strategic changes within the organization and when identifying risks related to analysis, execution, and change to portfolio mission, vision, and strategic goals and objectives (Control PF.STR.4):

  • Ongoing and planned changes in the organization;
  • Ongoing and planned changes in the organization's environment (legal, market, labor);
  • Portfolio change control system and its interface with projects, programs, and operational components;
  • Interface between other portfolios and entities external to the enterprise;
  • Enterprise environmental factors and organizational process assets;
  • Stakeholder engagement; and
  • Portfolio interface with the organization's enterprise risk management processes.

The following factors should be considered when monitoring critical success factors (CSFs) and opportunities and threats (Control PF.STR.6):

  • New technologies, materials, or tools;
  • Availability of new types or increased amounts of resources;
  • Changes in political, market, financial, or legal environments; and
  • Balancing of opportunities and threats.

The following factors should be considered when identifying risks related to the realization of value contribution expected from programs, projects, and operations within the portfolio (Control PF.STR.7):

  • Accuracy and continued applicability of the portfolio's business case and subordinate components’ business cases,
  • Linkages between portfolio value delivery and achievement of strategic objectives, and
  • Linkages between and across any other portfolios and the managed portfolio.

X3.3 RISK MANAGEMENT CONTROLS FOR PORTFOLIO GOVERNANCE

Risk management controls and objectives for portfolio governance are provided in Table X3-2.

Table X3-2. Risk Management Controls and Objectives for Portfolio Governance

Control ID Control Objective
PF.GOV.1 Risks related to portfolio governance structures, policies, and procedures are identified and actively managed throughout the entire portfolio life cycle.
PF.GOV.2 Risks related to the assignment of particular individuals to key governance roles within the portfolio are identified and actively managed throughout the entire portfolio.
PF.GOV.3 Audits conducted as part of portfolio governance are based on risk analysis in order to ensure the right focus and minimize impact on portfolio components.
PF.GOV.4 Audit reports are used as an input for portfolio and component-level risk identification.
PF.GOV.5 Audits conducted as part of portfolio governance are performed according to agreed standards by qualified personnel independent from the portfolio and component management roles.
PF.GOV.6 Risks related to the interface of the portfolio governance structure and policies and procedures with the enterprise risk management processes are identified and actively managed throughout the entire portfolio life cycle.

The following factors should be considered when identifying risks related to portfolio governance structure and policies and procedures (Control PF.GOV.1):

  • For portfolio governance structures:
      • Complexity,
      • Clearness of accountability,
      • Level of interdependencies,
      • Integration with other structures within the organization, and
      • Degree of key stakeholders’ representation.
  • For portfolio policies and decision-making processes:
      • Complexity,
      • Transparency,
      • Involvement of key stakeholders,
      • Fairness,
      • Time to make decisions, and
      • Quality mechanisms.

The following factors should be considered when identifying risks related to assignment of particular individuals to key governance roles within the portfolio (Control PF.GOV.2):

  • Competences,
  • Level of power,
  • Position in the organization,
  • Reputation,
  • Availability, and
  • Shared and conflicting interests.

The following factors should be considered when planning and staffing audits as part of portfolio governance (Control PF.GOV.5):

  • Competency of the auditing entity,
  • Willingness of stakeholders to accept audit results,
  • Applicability of audit results to portfolio and portfolio component processes, and
  • Applicability of audit results to enterprise risk management processes.

The following factors should be considered when identifying risks related to the interface of portfolio governance structures and policies and procedures with enterprise risk management processes (Control PF.GOV.6):

  • Governance processes defined by enterprise risk management,
  • Applicability of enterprise risk management to specific portfolio processes and actions, and
  • Linkages between portfolio governance and management processes with senior management and enterprise risk management.

X3.4 RISK MANAGEMENT CONTROLS FOR PORTFOLIO CAPACITY AND CAPABILITY MANAGEMENT

Risk management controls and objectives for portfolio capacity and capability management are provided in Table X3-3.

Table X3-3. Risk Management Controls and Objectives for Portfolio Capacity and Capability Management

Control ID Control Objective
PF.CAP.1 Risks related to the impact of the portfolio on other activities of the organization and its partners are identified and actively managed throughout the entire portfolio life cycle.
PF.CAP.2 Risks related to other activities of the organization and its partners that impact the portfolio are identified and actively managed throughout the entire portfolio life cycle.
PF.CAP.3 Risks related to availability and performance of key human capital are identified and actively managed throughout the entire portfolio life cycle.
PF.CAP.4 Risks related to availability and stability of key financial capital are identified and actively managed throughout the entire portfolio life cycle.
PF.CAP.5 Risks related to availability and fit for use of the key assets are identified and actively managed throughout the entire portfolio life cycle.
PF.CAP.6 Risks related to the availability and development of key intellectual capital are identified and actively managed throughout the entire portfolio life cycle.
PF.CAP.7 Capacity required to manage risk at the portfolio and its component level is regularly identified, monitored, and (whenever needed) increased or reduced to maintain the optimal level.
PF.CAP.8 Risks related to the culture of the organization and its partners are identified and actively managed throughout the entire portfolio life cycle.
PF.CAP.9 Risks related to the structure of the organization and its partners are identified and actively managed throughout the entire portfolio life cycle.
PF.CAP.10 Risks related to key processes within the organization are identified and actively managed throughout the entire portfolio life cycle.
PF.CAP.11 Whenever partners or suppliers play a significant role in providing portfolio capacity, risks related to their involvement are identified and actively managed throughout the entire portfolio life cycle.
PF.CAP.12 Portfolio, program, and project performance reports, together with KPIs within the organization, are used to identify risks and recognize their potential impact on portfolio capacity and capability as early as possible.
PF.CAP.13 When optimizing portfolio capacity, risks related to the realization of value expected from impacted programs and resulting from projects within the portfolio are identified, analyzed, and acted upon.

The following factors should be considered when identifying risks related to both the impact of the portfolio on other activities of the organization and its partners, and risks related to other activities of the organization and its partners that impact on the portfolio (Control PF.CAP.1 and PF.CAP.2):

  • Strategic plans of the organization and its partners,
  • KPIs within the organization and its partners,
  • Utilization level of organization's and partners’ resources,
  • Components within partners’ portfolios that could impact the involvement of the partner in the organization's components realization,
  • Governance across the enterprise,
  • Management interfaces between portfolios,
  • Management interfaces between the portfolio and senior management,
  • Dealing with complexity across organizational structures,
  • Dealing with product-, service-, or capability-related complexities as part of the portfolio's component processes, and
  • Integration of operations with project and program actions within and external to the portfolio.

The following factors should be considered when identifying risks related to the availability and performance of key human capital (Control PF.CAP.3):

  • Opportunities:
      • Learning new skills,
      • Personal growth,
      • Promotion, and
      • Development of successors.
  • Threats:
      • Geographical distribution,
      • Cultural differences,
      • Learning curves,
      • Unavailability of key talent, and
      • Job market competition.

The following factors should be considered when identifying risks related to the availability and performance of financial capital (Control PF.CAP.4):

  • Currency rate changes,
  • Availability of cash at certain moments in time,
  • Timing and results of decisions by key stakeholders providing financial capital,
  • Financial condition of the key stakeholders providing financial capital, and
  • Changing credit ability of the key stakeholders providing financial capital.

The following factors should be considered when identifying risks related to the availability and fit for use of the key assets (Control PF.CAP.5):

  • Other users and priorities of their assignments,
  • Procedures of sharing with other users,
  • Availability,
  • Fit for use, and
  • Learning curves.

The following factors should be considered when identifying risks related to the availability and development of key intellectual capital (Control PF.CAP.6):

  • Development of unique intellectual capital that could lead to competitive advantage,
  • Protection of intellectual capital (e.g., patents, information security), and
  • Use of intellectual capital to obtain additional benefits (e.g., selling licenses).

The following types of risk management-related activities should be considered when analyzing the capacity required to manage risk at the portfolio and its component level (Control PF.CAP.7):

  • Risk identification, analysis, and monitoring at the portfolio level,
  • Responses to risks escalated from components to the portfolio level,
  • Responses to risks identified at the portfolio level, and
  • Responses to unknown events that might occur for the portfolio and its components.

The following factors should be considered when identifying risks related to the culture of the organization and its partners (Control PF.CAP.8):

  • Decision-making culture,
  • Ways of working,
  • Cooperation style, and
  • Reporting culture and power distance.

The following factors should be considered when identifying risks related to the structure of the organization and its partners (Control PF.CAP.9):

  • Location of the key portfolio governance and management roles within the organization's structure,
  • Clarity of key decision-making roles,
  • Conflicts and common objectives between portfolio roles and other roles within the organization,
  • Clarity of ownership of the key resources, and
  • Integration between the portfolio and operations divisions and roles.

The following process areas should be considered when identifying risks related to the key processes within the organization (Control PF.CAP.10):

  • Strategic planning and decision making,
  • High-level planning of operations,
  • Resource allocation,
  • Procurement, and
  • Human resource management.

The following factors should be considered when identifying risks related to the involvement of partners and suppliers (Control PF.CAP.11):

  • Strategic direction of their development,
  • Ability to provide competitive advantage,
  • Access to talent and intellectual property,
  • Stability,
  • Ability to scale,
  • Mutual and conflicting objectives,
  • Cooperation potential and conflicts with organization's internal structures, and
  • Alternative suppliers or products/services.

The following indicators should be considered from the risk perspective when analyzing portfolio, program, and project performance reports, together with KPIs within the organization (Control PF.CAP.12):

  • Resource utilization,
  • Delivery velocity,
  • Cost and schedule performance,
  • Turnover ratio,
  • Resource and service lead times,
  • Amount of open sales leads, and
  • Lead conversion ratio.

The following should be considered when identifying, analyzing, and responding to risks associated with optimizing portfolio capacity to realize value (Control PF.CAP.13):

  • Balancing of portfolio projects, programs, and operational actions,
  • Balancing of related opportunities and threats, and
  • Relationship of program benefits or project deliverables to portfolio strategic objectives supporting the delivery of value to the enterprise.

X3.5 RISK MANAGEMENT CONTROLS FOR PORTFOLIO STAKEHOLDER ENGAGEMENT

Risk management controls and objectives for portfolio stakeholder engagement are provided in Table X3-4.

Table X3-4. Risk Management Controls and Objectives for Portfolio Stakeholder Engagement

Control ID Control Objective
PF.STK.1 Risks related to key portfolio stakeholders are regularly identified and actively managed throughout the entire portfolio life cycle.
PF.STK.2 Decisions to engage certain stakeholders at the portfolio, program, or project level are evaluated from the risk perspective.
PF.STK.3 Risk appetite, attitude, and threshold of key portfolio stakeholders are assessed regularly. Whenever there are differences between the individual's factors just listed and the corresponding organizational factors, related risks are identified and actively managed.
PF.STK.4 Potential interactions and conflicts of interest among key portfolio stakeholders are taken into consideration when identifying risks.
PF.STK.5 Risks related to the selected approach to analysis, categorization, and grouping of stakeholders are identified and addressed when planning Portfolio Stakeholder Engagement.
PF.STK.6 Risks related to selected communication techniques and related communication infrastructure are identified and actively managed throughout the entire portfolio life cycle.
PF.STK.7 Risks related to the scope, frequency, and form of communications at the portfolio level are identified and actively managed throughout the entire portfolio life cycle.

The following factors should be considered when identifying risks related to key portfolio stakeholders (Control PF.STK.1):

  • Risk appetite, attitude, and threshold;
  • Interests aligned or conflicting with portfolio objectives;
  • Personal views and preferences;
  • Areas of accountability and related objectives;
  • Impact of portfolio benefits on the stakeholder's objectives;
  • Level of decision power;
  • Ability to influence other stakeholders;
  • Stakeholder culture, training, education, and experience;
  • Stakeholder biases; and
  • Trust between stakeholders.

The following factors should be considered when identifying risks related to decisions to engage certain stakeholders at the portfolio, program, or project level (Control PF.STK.2):

  • Stakeholders’ ability to influence portfolio capacity and capability,
  • Ability to engage and manage a given stakeholder at the portfolio or component level,
  • Opportunities and threats from dealing with a given stakeholder at the portfolio level, and
  • Opportunities and threats from dealing with a given stakeholder at the component level.

The following factors should be considered when identifying risks related to disconnects between individual key stakeholders and organizational risk appetite, attitude, and threshold (Control PF.STK.3):

  • Interests and goals of the stakeholders and organization,
  • Key concerns of the stakeholders and organization,
  • Key opportunities for the stakeholders and organization,
  • Stakeholders’ potential strategies to mitigate threats introduced by the portfolio that are unacceptable to them, and
  • Stakeholders’ potential strategies to exploit their opportunities related to the portfolio that are not addressed by portfolio components.

The following factors should be considered when identifying risks related to potential interactions and conflicts of interest among key portfolio stakeholders (Control PF.STK.4):

  • Shared and conflicting objectives,
  • Existing and potential coalitions, and
  • Personal conflicts.

The following factors should be considered when identifying risks related to the selected approach to analyze, categorize, and group stakeholders (Control PF.STK.5):

  • Accuracy and currency of stakeholder-related data,
  • Accuracy and completeness of analytical techniques,
  • Ability to adequately address all key stakeholders,
  • Impact of assumptions, and
  • Impact of biases.

The following factors should be considered when identifying risks related to the selected communication techniques and related communication infrastructure (Control PF.STK.6):

  • Ability to transmit certain forms of information (e.g., visual, sound, or text),
  • Noise level,
  • Traceability of information,
  • Authentication level,
  • Stakeholders’ familiarity with the required techniques and related technology,
  • Reliability and availability of the required technology,
  • Stakeholder access to the required technology, and
  • Stakeholder culture and communication preferences.

The following factors should be considered when identifying risks related to the scope, frequency, and form of communications at the portfolio level (Control PF.STK.7):

  • Stakeholder culture and communications preferences;
  • Stakeholder training, education, and experience;
  • Stakeholder technical capabilities to receive, analyze, and respond to communication;
  • Stakeholder bias;
  • Management and governance approaches; and
  • Trust between stakeholders.

X3.6 RISK MANAGEMENT CONTROLS FOR PORTFOLIO VALUE MANAGEMENT

Risk management controls and objectives for portfolio value management are provided in Table X3-5.

Table X3-5. Risk Management Controls and Objectives for Portfolio Value Management

Control ID Control Objective
PF.VAL.1 Opportunities to increase value delivery are regularly identified and actively managed throughout the entire portfolio life cycle.
PF.VAL.2 Trends in enterprise environmental factors and changes to organizational process assets are regularly analyzed in order to identify risks that could potentially impact value delivery.
PF.VAL.3 Portfolio is regularly reassessed and balanced from the organizational risk appetite and attitude perspective in order to ensure the right set of portfolio components.
PF.VAL.4 Key portfolio component risks are regularly assessed from the perspective of their impact on delivering expected value.
PF.VAL.5 Techniques used for component performance optimization are assessed from the perspective of risks that can impact value contribution.
PF.VAL.6 Techniques and processes selected for expected value negotiations are evaluated from the risk perspective.

The following factors should be considered when identifying risks related to the opportunities to increase value delivery and the trends in enterprise environmental factors and changes to organizational process assets (Control PF.VAL.1 and Control PF.VAL.2):

  • Balancing of threats and opportunities within the portfolio and its component elements,
  • Market demand,
  • Market share,
  • Prices of related product categories,
  • Costs of labor and materials, and
  • Supply of key talent and materials.

The following factors should be considered when the portfolio is reassessed and balanced from an organizational risk appetite and attitude perspective in order to ensure the right set of portfolio components to maximize delivery of value (Control PF.VAL.3):

  • Alignment of component and portfolio vision, goals, and objectives;
  • Alignment of individual stakeholder and organizational risk appetite and attitude at the project, program, and portfolio levels; and
  • Integration of operational risks into the balancing equation.

The following factors should be considered when key portfolio component risks are assessed from the perspective of their impact on delivering expected value (Control PF.VAL.4):

  • Fit of the component scope to enable value realization,
  • Continuity of the sponsorship throughout the entire component life cycle,
  • Ability to deliver key component deliverables necessary to realize value,
  • Timing of delivery at the component level in the context of value opportunity windows, and
  • Overall costs at the component level in relation to the business case.

The following factors should be considered when techniques used for component performance optimization are assessed from the perspective of risks that can impact value contribution (Control PF.VAL.5):

  • Impact on the value contribution,
  • Applicability of techniques to the assessed items,
  • Applicability and timeliness of data used in techniques, and
  • Acceptance of techniques by stakeholders.

The following factors should be considered when identifying risks related to the techniques and processes selected for expected value negotiations (Control PF.VAL.6):

  • Focus on the right value,
  • Ability to match the strategic risk appetite and attitude, and
  • Inclusion of the appropriate stakeholders.

X3.7 RISK MANAGEMENT CONTROLS FOR PORTFOLIO RISK MANAGEMENT

Risk management controls and objectives for portfolio risk management are provided in Table X3-6.

Table X3-6. Risk Management Controls and Objectives for Portfolio Risk Management

Control ID Control Objective
PF.RSK.1 Risks related to the selection of a particular risk management approach within the portfolio are identified, analyzed, and considered when developing the portfolio risk management framework and management plans.
PF.RSK.2 Risk management at the portfolio level includes identification and management of general portfolio risks and cumulative effects of component risks.
PF.RSK.3 Risk escalation policies are in place in order to ensure the optimal management of portfolio and component risks and to ensure the correct visibility of component-level risks. This policy is reflected in the management plans at the component level.
PF.RSK.4 There are clear policies for integrating component risk activities with enterprise risk management.

The following factors should be considered when identifying risks related to the selection of a particular risk management approach within the portfolio (Control PF.RSK.1):

  • Alignment with enterprise risk management processes,
  • Ability to match the organization's strategic risk attitude,
  • Ability to deal with expected portfolio complexity,
  • Fit to the organizational culture,
  • Level of risk transparency,
  • Ability to follow the approach by the key stakeholders,
  • Fit to the categories and level of risk expected in the portfolio,
  • Clarity of integration with risk management approach at the component level, and
  • Speed of key processes in comparison with the dynamics of the portfolio environment.

The following factors should be considered to ensure management of general portfolio risks and cumulative effects of component risks (Control PF.RSK.2):

  • Management of risks that might occur as a result of the combination of individual component risks, and
  • Management of risks that appear only at the portfolio level and are beyond the scope of individual components, even though these components may be within their impact.

The following factors should be considered for risk escalation policies at the level of portfolio (Control PF.RSK.3):

  • Level of potential impact,
  • Potential interdependencies between portfolio components,
  • Risk categories in relation to competencies to handle certain types of risk, and
  • Authorization levels of particular portfolio stakeholders.

The following factors should be considered when integrating component risk activities within enterprise risk management (Control PF.RSK.4):

  • Placement of risk-related decision authorities,
  • Stakeholder lines of communication,
  • Risk governance processes, and
  • Senior management processes and procedures.