1 INTRODUCTION

Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives. Positive risks are opportunities, while negative risks are threats.

The practice of risk management includes planning the approach, identifying and analyzing risks, response planning and implementation, and ongoing monitoring of risks. Risk management is an essential aspect of all organizational activities. This standard describes the application of risk management within an enterprise risk management (ERM) context that includes the portfolio, program, and project domains. Risk management shapes the decision-making processes across the organization and within each of the domains.

The degree to which risk management is pursued can be the difference between success and failure. PMI's 2015 Pulse of the Profession® report found that for organizations that apply a formal risk management approach, 73% of projects meet their objectives, 61% finish on time, and 64% are completed within the approved budget [1].¹

Risk management allows an organization to:

  • Anticipate and manage change,
  • Improve decision making,
  • Proactively implement typically lower-cost preventive actions instead of higher-cost reaction to issues,
  • Increase the chances to realize opportunities for the benefit of the business,
  • Generate broad awareness of uncertainty of outcomes,
  • Act upon the transformations taking place in its business environment, and
  • Support organizational agility and resilience.

Risk management also establishes iterative connections among portfolios, programs, and projects and links these connections with ERM and organizational strategy.

1.1 PURPOSE OF THIS STANDARD

This standard describes the concepts and definitions associated with risk management and highlights the essential components of risk management for integration into the various governance layers of portfolios, programs, and projects with the following major objectives:

  • Describe the fundamentals of risk management,
  • Support the objectives of and demonstrate the link to ERM, and
  • Apply risk management principles, as appropriate, to portfolio, program, and project domains as described in the PMI foundational standards.

This standard fulfills a business need to provide a standard for risk management in portfolio, program, and project management that defines the essential considerations for risk management practitioners. It expands on the knowledge contained on risk management in the relevant sections of the PMI foundational standards.

This standard can be used to harmonize practices between ERM and portfolio, program, and project management, regardless of the life cycle approach used.

PMI is committed to providing global standards that are widely recognized and consistently applied by organizations as well as practitioners. Increasingly, organizations are requiring practitioners to use risk management practices in portfolio, program, and project management as an integral part of their ERM framework.

1.2 APPROACH OF THIS STANDARD

This standard presents the what and why of risk management. The following concepts are elaborated in this standard:

  • Purpose and benefits of risk management;
  • Principles and concepts of risk management in portfolios, programs, and projects;
  • Risk management life cycle in portfolios, programs, and projects; and
  • Integration of risk management within portfolios, programs, and projects.

This standard provides guidance on integrating risk management practices into all key areas of enterprise, portfolio, program, and project management. The aim is to ensure that the management of risk is an inherent, natural part of all management domains. The scope of this standard is to provide guidance and not to impose uniformity of processes across portfolios, programs, and projects. When planning and implementing risk management, it is essential that each team consider the characteristics of the organization, portfolio, program, or project. The approach presented in this standard is based on risk management principles that can be used as guidance when designing specific management or business processes adapted to the organizational environment and nature of the work.

1.3 PRINCIPLES OF RISK MANAGEMENT

There are specific core principles that underlie the process of risk management. The seven principles provided in Sections 1.3.1 through 1.3.7 guide the risk management processes and are integral to effective risk management.

1.3.1 STRIVE TO ACHIEVE EXCELLENCE IN THE PRACTICE OF RISK MANAGEMENT

Risk management allows organizations and teams to increase the predictability of outcomes, both qualitatively and quantitatively. This principle is about reaching the appropriate level of organizational process maturity (the ability of an organization to apply a certain set of processes in a consistent manner) and the optimal level of performance. Excellence in risk management is not achieved by the strict and exhaustive application of related processes. Rather, excellence can be achieved by (a) balancing the benefits to be obtained with the associated cost and (b) tailoring the risk management processes to the characteristics of the organization and its portfolios, programs, and projects. Process excellence in risk management is itself a risk management strategy.

1.3.2 ALIGN RISK MANAGEMENT WITH ORGANIZATIONAL STRATEGY AND GOVERNANCE PRACTICES

The practice of risk management in organizations is developed and evolved in coexistence with other organizational processes, such as strategy and governance. The nature of portfolios, programs, and projects is such that circumstances may change frequently. Adjustments become necessary as the organization evolves, for example, when changes to decision-making processes, timing, scope, and speed are made.

1.3.3 FOCUS ON THE MOST IMPACTFUL RISKS

Successful organizations are able to effectively and efficiently identify the risks that directly influence goals and objectives. The challenge for most organizations is making the best use of resources by focusing on the right risks. This depends on the characteristics of the organization, its environment, internal maturity, culture, and strategy. Determining the most impactful risks can be difficult. Organizations develop and improve by refining the processes for risk prioritization.

1.3.4 BALANCE REALIZATION OF VALUE AGAINST OVERALL RISKS

Risk management seeks to find the proper balance between the exposure to risk and the expected business value creation or realization. Initiatives presenting a low level of risk may not create a sufficient level of value and performance. On the other hand, initiatives presenting a high expected performance may expose the organization to an unacceptable level of threat.

1.3.5 FOSTER A CULTURE THAT EMBRACES RISK MANAGEMENT

Risk management is an inherent and essential part of the portfolio, program, and project management framework. The practice of risk management is propagated, recognized, and encouraged throughout the organization. A culture of risk management encourages (a) the identification of threats rather than ignoring them and (b) the identification of opportunities by cultivating a positive mindset within the organization—one that is more open to accept and harness the positive changes impacting the various initiatives.

1.3.6 NAVIGATE COMPLEXITY USING RISK MANAGEMENT TO ENABLE SUCCESSFUL OUTCOMES

Managing risks is an essential part of reducing and handling the complexity within organizational initiatives. The ability to identify and manage risks is directly dependent on the level of complexity of the initiatives. Concentrating efforts on clarifying the objectives, requirements, and scope of initiatives facilitates the identification of risks and enhances the ability to manage them, thus lowering the exposure of these initiatives to unforeseen situations. The more organizations navigate complexity using risk management, the more they will be able to optimize the use of resources, increase the return on investments, and improve overall performance and business results.

1.3.7 CONTINUOUSLY IMPROVE RISK MANAGEMENT COMPETENCIES

The nature of risks to which an organization is exposed and the available technology to manage those risks are changing. Technology allows organizations to manage risks more effectively and to better focus on the risks’ impacts. Through continuous improvement of risk management competencies, organizations and individuals can develop sustainable competitive advantages that contribute to overall organizational performance.

1.4 STRUCTURE OF THIS STANDARD

This standard can be used to review portfolio, program, and project management processes from a risk management perspective. It is organized as follows:

Section 1—Introduction

Section 2—Context and Key Concepts of Risk Management

Section 3—Framework for Risk Management in Portfolio, Program, and Project Management

Section 4—Risk Management Life Cycle in Portfolio, Program, and Project Management

Section 5—Risk Management in the Context of Portfolio Management

Section 6—Risk Management in the Context of Program Management

Section 7—Risk Management in the Context of Project Management

Appendix X1—Development of The Standard for Risk Management in Portfolios, Programs, and Projects

Appendix X2—Contributors and Reviewers of The Standard for Risk Management in Portfolios, Programs, and Projects

Appendix X3—Portfolio Risk Management Controls

Appendix X4—Program Risk Management Controls

Appendix X5—Project Risk Management Controls

Appendix X6—Techniques for the Risk Management Framework

Appendix X7—Enterprise Risk Management Considerations for Portfolio, Program, and Project Risk Management

Appendix X8—Risk Classification


¹ The numbers in brackets refer to the list of references at the end of this standard.
