2 CONTEXT AND KEY CONCEPTS OF RISK MANAGEMENT

Risk is inherently present in all organizations. Risks present organizations with challenges but may also offer a competitive advantage when both threats and opportunities are managed proactively. Risk management provides a comprehensive and integrated framework for addressing and managing risk at all levels of the organization, from portfolios through programs, projects, and operations.

2.1 KEY CONCEPTS AND DEFINITIONS

All organizations face the uncertainty of both internal and external events. Uncertain present and future challenges can be dealt with by formulating and applying a sound business strategy toward realizing a set of objectives and managing risks. Risk management provides insight into risks that need to be addressed in support of reaching those objectives and takes advantage of opportunities. When opportunities occur, they are called benefits.

2.1.1 RISK

An individual risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives. Overall risk is the effect of uncertainty that affects organizational objectives at different levels or aspects. Risk arises from all sources of uncertainty, including individual risks in the portfolio, program, and project domains. These risks represent the exposure of the organization and its stakeholders to the consequences of uncertainty on the realization of the organization's strategy and business objectives. Once the risk occurs, it is then managed within the various governance layers (enterprise, portfolio, program, and project) by driving the resulting outcomes.

Uncertainty is inherent in the nature of portfolios, programs, and projects. Risk arises out of uncertainty and generates uncertainty. The more risks one can identify, the more uncertainty is indicated. One of the key factors that determines the ability to identify risks is ambiguity. When ambiguity is low, the level of information available is high, which allows the identification of risks. Uncertainty and ambiguity are factors where assessment and open evaluation drive risk management efforts. Assessments and open evaluations allow for the determination of the proper risk management strategy and define how risks will be managed throughout the portfolio, program, and project management life cycles, the iterations of these life cycles, and their interactions.

2.1.2 OPPORTUNITIES

Opportunities are risks that have a positive effect on one or more objectives. Opportunity management helps to identify and understand possible ways in which objectives can be achieved more successfully.

Moving beyond the traditional view of risk as a value destroyer to seeing risk as a potential value enhancer requires creativity and vision, and a system that allows these opportunities to flourish and lead to organizational success.

A consistent portfolio, program, and project management system helps to:

  • Identify and assess opportunities that are often linked, and
  • Improve the organization's ability to accept and pursue opportunities.

2.1.3 THREATS

Threats are risks that would have a negative effect on one or more objectives. Threat management involves the use of risk management resources to:

  • Describe risks,
  • Analyze risk attributes,
  • Evaluate the probability of risk occurrence and impact as well as other characteristics, and
  • Implement a planned response, when appropriate.

Similar to managing opportunities, managing threats is a staged process. Both use a structured life cycle framework to ensure that the process is robust and complete as described in Section 4. Should threats occur, they are called issues and are listed in the issue log.

2.1.4 RISK ATTITUDE

Risk attitude is a disposition toward uncertainty, adopted explicitly or implicitly by individuals and groups, driven by perception, and evidenced by observable behavior. Risk attitude represents an organization's approach to assess and eventually pursue, retain, take, or turn away from risk. Risk attitudes can range from risk averse to risk seeking.

Organizations seek to establish a consistent method for evaluating and responding to risk across the enterprise. One obstacle to developing that consistency is an individual's different or inconsistent attitudes toward risks—and those attitudes may vary according to the circumstance.

In summary, risk attitude is an individual's or group's preference to evaluate a risk situation in a favorable or unfavorable way and to act accordingly. However, risk attitudes are not necessarily stable nor homogeneous.

2.1.5 RISK APPETITE

Risk appetite is the degree of uncertainty an organization or individual is willing to accept in anticipation of a reward. Risk appetite guides the management of risk and the parameters the organization uses in deciding whether or not to take on risk. In addition, risk appetite defines what types of risks an organization pursues.

A risk appetite determination represents the start of embracing risk. Figure 2-1 shows the interrelationship of risk appetite and its direct influence on business strategy, the risk management framework, and the underlying policy and processes. The resulting risk appetite determination defines the amount and type of risk that the organization is willing to take in order to meet its strategic objectives.

[Figure 2-1: image not reproduced in this extract]

Risk appetite expresses the level of risk the organization is willing to take in pursuit of its portfolio, program, and project objectives. Portfolio, program, and project risk is not a singular, but rather a multifaceted concept.

As organizations grow, expand, and evolve, so do the risks they face. The type, prominence, and appetite for risks change at different points in the life cycle of an organization and during the life cycle of its programs and projects.

2.1.6 RISK THRESHOLD

Risk threshold is the measure of acceptable variation around an objective that reflects the risk appetite of the organization and its stakeholders. A key element of risk strategy is the establishment and monitoring of enterprise, portfolio, program, and project risk thresholds. Examples of risk thresholds include:

  • Minimum level of risk exposure for a risk to be included in the risk register,
  • Qualitative or quantitative definitions of risk rating, and
  • Maximum level of risk exposure that can be managed before an escalation is triggered.

Establishing risk thresholds is an integral step in linking portfolio, program, and project risk management to strategy alignment and is performed as part of early planning. Based on the risk appetite of the organization, governance may also be responsible for ensuring that risk thresholds are established and observed, and when the risk should be escalated to a higher governance level.

2.2 RISK MANAGEMENT IN ORGANIZATIONS

The organization's governance body is ultimately responsible for setting, confirming, and enforcing risk appetite and risk management principles as part of its governance oversight. An organization's governance also determines which risk management processes are appropriate in terms of organizational strategy, scope, context, and content.

The enterprise risk function often resides in the executive management organization due to the direct relationship between the success of achieving organizational strategic goals and employing an effective risk management process.

When assessing the seriousness of a risk or combination of risks, uncertainty and the effect on endeavors or objectives are considered. The uncertainty dimension is commonly described as probability, and the effect is often referred to as impact.

The definition of risk includes both (a) distinct events that are uncertain but can be clearly described and (b) more general conditions that are less specific but may also give rise to uncertainty.

The definition of risk also encompasses uncertain events that could have a negative or positive effect on objectives. Both of these uncertain situations are considered to be risks when they could have an adverse or positive effect on the achievement of objectives. It is essential to address both situations within an enterprise, portfolio, program, and project risk management process. Addressing threats and opportunities together (i.e., addressing both in the same analysis and coordinating the responses to both when they overlap) allows for synergies and efficiencies.

It is important to distinguish risks from risk-related features. Causes are events or circumstances that currently exist or are certain to exist in the future, which might give rise to risks. Effects are conditional future events or conditions that directly affect one or more objectives if the associated risk occurs.

A risk may have one or more causes and, if it occurs, may have one or more effects. When a risk event occurs, the risk ceases to be uncertain. Threats that occur are termed issues, and opportunities that occur are benefits to the enterprise. Portfolio, program, and project managers are responsible for resolving these issues and managing them efficiently and effectively. Issues may entail actions that are outside the scope of the portfolio, program, and project risk management process; therefore, these issues are escalated to a higher management level according to the organization's governance policy.

2.3 DOMAINS OF RISK MANAGEMENT

Risk management is an integrated framework that spans organizational levels. Aside from simply predicting what could happen, the aim of risk management is to develop the means to support the achievement of organizational objectives, realization of the strategic vision, and creation of value.

Risk management strongly influences decision making at the enterprise, portfolio, program, and project levels. At the enterprise level, the entire organizational strategy is the set of strategic and business management actions for countering business threats and exploiting business opportunities. These decisions and actions are often executed within the portfolio as part of its individual components: programs, projects, and operations.

The various perceptions and perspectives regarding risk management in each portfolio, program, and project management domain feed into one another in an iterative, interactive, and dynamic manner. Risks may be interconnected, have dependencies, and interact via feedback loops (see Figure 2-2). Details of this interaction are provided in Sections 5, 6, and 7.

[Figure 2-2: image not reproduced in this extract]

2.3.1 ENTERPRISE

The primary purpose of risk management is the creation and protection of value. ERM is an approach for identifying major risks that confront an organization and forecasting the significance of those risks to business processes. The way in which risks are managed reflects the organization's culture, capability, and strategy to create and sustain value. ERM addresses risks at the organizational level including the aggregation of all risks associated with the enterprise's portfolio of programs and projects.

When exploring alternative strategies, ERM enables the alignment of each portfolio, program, and project component with the organizational strategy. ERM establishes the connections between the various governance levels through the bottom-up escalation of identified risks and the top-down definition of risk management strategies. The top-down process triggers the creation of programs, projects, and other activities aimed at exploiting specific opportunities and addressing business threats.

ERM provides a systematic, organized, and structured method for:

  • Identifying and assessing all risks an organization faces,
  • Developing suitable responses,
  • Communicating status with stakeholders, and
  • Assigning responsibility to monitor and manage risks in alignment with the strategic objectives of the organization.

ERM is an ongoing process that supports the plan-do-check-act sequence for continuous improvement. ERM is not limited to compliance and disclosure requirements nor is ERM a replacement for internal controls and audit. The application of ERM varies depending on the organization and could vary from year to year based on overall risk appetite, stakeholder expectations and requirements, and the internal and external environment.

There is no one-size-fits-all approach to performing ERM. The ERM function, structure, and activities vary with each organization. ERM is responsible for ensuring that all organizational risks are addressed and properly managed and monitored.

Risk management in the enterprise management context of integrated portfolio, program, and project management consists of:

  • Elaborating the risk governance framework;
  • Identifying operational and contextual risks at each level of the integrated governance framework, including both negative risks (threats) and positive risks (opportunities);
  • Analyzing the identified risks from both the qualitative and quantitative perspectives and identifying the governance layer best suited to manage them according to the escalation rules in place within the portfolio, program, and project management framework;
  • Defining an appropriate risk management strategy based on increasing the probability and/or impact of positive risks (opportunities) and decreasing the probability and/or impact of negative risks (threats);
  • Identifying the risk owner and assigning the risk;
  • Implementing the corresponding strategies and activities related to anticipative and/or responsive actions;
  • Monitoring the effectiveness and efficiency of the risk management strategies deployed within the enterprise, portfolio, program, and project management framework;
  • Ensuring alignment between portfolio, program, and project management risk governance models and the ERM strategy; and
  • Promoting effective risk management within the entire enterprise through a risk management culture.

2.3.2 PORTFOLIO

Portfolio risk management categorizes risks as structural, component, and overall risk. Structural risks are risks associated with the composition of a group of projects and the potential interdependencies among components. Component risks at the portfolio level are risks that the component manager escalates to the portfolio level for information or action. Overall portfolio risk considers the interdependencies between components and is, therefore, more than just the sum of individual component risks. Risk efficiency is a key element of managing risk at the portfolio level. Efficiency is achieved through adjusting the mix of portfolio components to balance risk and reward such that overall portfolio risk exposure is managed.

Planning, designing, and implementing an effective portfolio risk management system depends on organizational culture, top management commitment, stakeholder engagement, and open and fair communication processes. Portfolio risk management is important for the success of managing portfolios where the value lost due to component failure is significant, or when the risks of one component impact the risks in another component.

As defined in The Standard for Portfolio Management [2], portfolio risk management ensures that components achieve the best possible success based on the organizational strategy and business model. Portfolio risk management can be viewed as the management activities related to adapting the mix of portfolio components to the evolution of the organization's business environment. Similar to enterprise strategy, the result of portfolio risk management strategy is defining and launching new components or closing other ones. Portfolio components can be responses to identified threats or opportunities in alignment with the organization's overall business strategy.

2.3.3 PROGRAM

Program risk management strategy ensures effective management of any risk that can cause misalignment between the program roadmap and its supported objectives to organizational strategy. It includes defining program risk thresholds, performing the initial program risk assessment, and developing a program risk response strategy.

Program risk management determines how risks are to be communicated to governance layers and strategic levels of the organization. This level of strategic alignment requires that program risk thresholds take into account the organizational strategy and risk attitude. Program risks go beyond the sum of the risks from each project within the program. Program risk management applies the concepts of portfolio risk management to the set of program components.

The Standard for Program Management [3] describes program risk management strategy as:

  • Identifying program risk thresholds,
  • Performing an initial program risk assessment,
  • Developing a high-level program risk response strategy, and
  • Determining how risks are to be communicated and managed as part of governance.

Program risk management aggregates operational risks for component projects and activities and handles the specific risks at the program level, which is dependent on the layers of accountability defined in the portfolio, program, and project governance models. Also, the perspective on risk at the program level is more focused on the immediate impact of risks than on the expected benefit.

2.3.4 PROJECT

Project Risk Management is a Knowledge Area of project management that identifies and manages project risks that could impact cost, schedule, or scope baselines.

A Guide to the Project Management Body of Knowledge (PMBOK® Guide) [4] describes Project Risk Management as the processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring risk on a project. The objectives of Project Risk Management are to increase the probability and/or impact of opportunities and to decrease the probability and/or impact of threats in order to optimize the chances of project success. The PMBOK® Guide states that when unmanaged, these risks have the potential to cause the project to deviate from the plan and fail to achieve the defined project objectives. Consequently, project success is directly related to the effectiveness of Project Risk Management.

Project Risk Management supports project objectives by adapting or implementing the courses of action and project activities to take advantage of emerging changes in the project environment. Thus, the project baselines (i.e., scope, schedule, and cost) are risk informed. All risks undergo qualitative analysis, and some risks undergo quantitative analysis when the risk impacts the baseline and/or when analysis of the combined effect of multiple risks is required.

2.4 KEY SUCCESS FACTORS

Enterprise (which includes organizational project management [OPM]), portfolio, program, and project risk management is conducted in a manner consistent with practices and policies. In addition, portfolio, program, and project risk management is conducted in a way that is appropriate to the characteristics of the endeavor. Specific criteria for the success of each risk management process are listed in the sections dealing with those processes. These key success factors for risk management enable the realization of the principles discussed in Section 1.3 and are illustrated in Figure 2-3.

[Figure 2-3: image not reproduced in this extract]

The key success factors include:

  • Recognizing the value of risk management. Portfolio, program, and project risk management is recognized by organizational management, stakeholders, and team members as a valuable discipline that provides a positive return on investment.
  • Individual commitment/responsibility. Portfolio, program, and project participants and stakeholders accept responsibility for undertaking risk-related activities as required. Risk management is everyone's responsibility.
  • Open and honest communication. Everyone is involved in the risk management process. Any actions or attitudes that hinder communication about risk reduce the effectiveness of risk management regarding proactive approaches and effective decision making.
  • Organizational commitment. Organizational commitment is established only when risk management is aligned with the organization's goals, values, and ERM policies. Risk management actions may require the approval of or response from others at levels above the portfolio, program, or project manager.
  • Tailoring risk effort. Risk management activities are consistent with the value of the endeavor to the organization and with its level of risk, scale, and other organizational constraints.
  • Integration with organizational project management. Risk management does not exist in a vacuum isolated from other organizational project management processes. Successful risk management requires the appropriate execution of organizational project management and ERM processes, including the allocation of resources necessary for the effective application of risk management.