APPENDIX X7
ENTERPRISE RISK MANAGEMENT CONSIDERATIONS FOR PORTFOLIO, PROGRAM, AND PROJECT RISK MANAGEMENT

Enterprise risk management (ERM) considers all of an organization's risks as an interrelated collection. It is a systematic, organized, and structured methodology of examining and measuring all risks facing an organization, developing suitable responses, and communicating, monitoring, and managing these to align with the strategic objectives of the organization. For ERM to deliver maximum benefits, it is essential that a common approach to risk management be used across the enterprise.

A common risk management approach allows for all risks, whether portfolio, program, or project risks, to be normalized and aggregated. Risk aggregation allows for a risk position to be stated for any part of the organization. This is essential for understanding the organization's proximity to its stated risk appetite and tolerance.

The risk management process that is employed at each level of the organization should be appropriate, scalable, and tailorable. In other words, the process should have a graded approach to risk. At the lowest levels of the organization or for very small organizations, the risk management process may be very simple and entirely qualitative. At the highest levels of the organization, the risk management process may need to be quite sophisticated, because of the risk-based decisions that are made at this level. As different as these two contexts may appear, it is possible for them to use a common process which is scaled and tailored to their needs.

For larger organizations, ERM is usually both a top-down and a bottom-up process, with risk review boards operating at multiple levels in the organization. Each level is chartered with established escalation criteria that determine which risks are escalated to the next level. Escalation is usually implemented for one of two reasons: to provide situational awareness, or to activate a help chain that is necessary to address the risk. For example, this could happen if one of a program's projects experiences a risk that not only threatens the project's planned output, but also has the potential to affect the program's benefits. Conversely, risk may cascade from the top of the organization to its lower levels through the same communication channels.

Portfolios, programs, and projects reflect core aspects of ERM as it supports the setting and management of strategies and business objectives. Risks from portfolios, programs, and projects should be reflected as ERM risks that may result in changes to business objectives or even strategies. The alignment process between ERM and the portfolio of programs and projects could result in elevating the portfolio or program and project risks to the ERM level or result in additions of ERM top-down risks to the portfolio of programs and projects. Interprogram and interproject risks could also be the outcome of the alignment process. The prioritization, probabilities, and impacts of risks escalated, cascaded, or identified during the alignment process may vary from one level to the other, and could decrease, increase, or stay the same. Alignment between ERM and portfolio, program, and project risks should be reexamined as changes are made to ERM, to the portfolio of programs and projects, and as part of the risk controls processes.


The connection between ERM indicators and portfolio, program, and project risk indicators depends on the degree of integration and alignment. Indicators reflecting strategy and business goals could be cascaded to the portfolio risks to promote integration of ERM indicators and connection to enterprise targets and goals.

ERM is an approach to managing risk that reflects the organization's culture, capability, and strategy to create and sustain value (Figure X7-1). Many of the benefits of ERM are common to the benefits of portfolio risk management. ERM supports the organization's mission, vision, core values, and strategy. ERM is based on the organization's risk appetite and supports broad aspects of the strategy and objectives as well as specific targets and goals that may be relevant to the organization's success. Other objectives of ERM include, but are not limited to:

  • Prioritization of resources,
  • Shaping of strategy,
  • Protecting strategic objectives,
  • Protecting existing value,
  • Driving profitability and growth by using risk management techniques to generate value, and
  • Ensuring regulatory compliance, which protects the organization from negative regulatory intervention and avoids penalties.

ERM emphasizes the trade-offs between benefits and their associated level of risk exposure. ERM examines different scenarios and their associated levels of risk. The ERM view of portfolios, programs, and projects is a scenario chosen from a variety of risk-result options, each with its own confidence level and associated risks. When ERM is fully integrated into the management of the organization and its culture, it brings clarity to the organization, addressing all of its uncertainty.
