Risk is inherently present in all organizations. Risks present organizations with challenges but may also offer a competitive advantage when both threats and opportunities are managed proactively. Risk management provides a comprehensive and integrated framework for addressing and managing risk at all levels of the organization, from portfolios through programs, projects, and operations.
2.1 KEY CONCEPTS AND DEFINITIONS
All organizations face the uncertainty of both internal and external events. Uncertain present and future challenges can be dealt with by formulating and applying a sound business strategy toward realizing a set of objectives and managing risks. Risk management provides insight into risks that need to be addressed in support of reaching those objectives and takes advantage of opportunities. When opportunities occur, they are called benefits.
2.1.1 RISK
An individual risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives. Overall risk is the effect of uncertainty that affects organizational objectives at different levels or aspects. Risk arises from all sources of uncertainty, including individual risks in the portfolio, program, and project domains. These risks represent the exposure of the organization and its stakeholders to the consequences of uncertainty on the realization of the organization's strategy and business objectives. Once the risk occurs, it is then managed within the various governance layers (enterprise, portfolio, program, and project) by driving the resulting outcomes.
Uncertainty is inherent in the nature of portfolios, programs, and projects. Risk arises out of uncertainty and generates uncertainty. The more risks one can identify, the more uncertainty is indicated. One of the key factors that determines the ability to identify risks is ambiguity. When ambiguity is low, the level of information available is high, which allows the identification of risks. Uncertainty and ambiguity are the factors whose assessment and open evaluation drive risk management efforts. Assessments and open evaluations allow for the determination of the proper risk management strategy and define how risks will be managed throughout the portfolio, program, and project management life cycles, the iterations of these life cycles, and their interactions.
2.1.2 OPPORTUNITIES
Opportunities are risks that have a positive effect on one or more objectives. Opportunity management helps to identify and understand possible ways in which objectives can be achieved more successfully.
Moving beyond the traditional view of risk as a value destroyer to seeing risk as a potential value enhancer requires creativity and vision, and a system that allows these opportunities to flourish and lead to organizational success.
A consistent portfolio, program, and project management system helps to:
2.1.3 THREATS
Threats are risks that would have a negative effect on one or more objectives. Threat management involves the use of risk management resources to:
Similar to managing opportunities, managing threats is a staged process. Both use a structured life cycle framework to ensure that the process is robust and complete as described in Section 4. Should threats occur, they are called issues and are listed in the issue log.
2.1.4 RISK ATTITUDE
Risk attitude is a disposition toward uncertainty, adopted explicitly or implicitly by individuals and groups, driven by perception, and evidenced by observable behavior. Risk attitude represents an organization's approach to assess and eventually pursue, retain, take, or turn away from risk. Risk attitudes can range from risk averse to risk seeking.
Organizations seek to establish a consistent method for evaluating and responding to risk across the enterprise. One obstacle to developing that consistency is an individual's different or inconsistent attitudes toward risks—and those attitudes may vary according to the circumstance.
In summary, risk attitude is an individual's or group's preference to evaluate a risk situation in a favorable or unfavorable way and to act accordingly. However, risk attitudes are not necessarily stable or homogeneous.
2.1.5 RISK APPETITE
Risk appetite is the degree of uncertainty an organization or individual is willing to accept in anticipation of a reward. Risk appetite guides the management of risk and the parameters the organization uses in deciding whether or not to take on risk. In addition, risk appetite defines what types of risks an organization pursues.
A risk appetite determination represents the start of embracing risk. Figure 2-1 shows the interrelationship of risk appetite and its direct influence on business strategy, the risk management framework, and the underlying policy and processes. The resulting risk appetite determination defines the amount and type of risk that the organization is willing to take in order to meet its strategic objectives.
Risk appetite expresses the level of risk the organization is willing to take in pursuit of its portfolio, program, and project objectives. Portfolio, program, and project risk is not a singular, but rather a multifaceted concept.
As organizations grow, expand, and evolve, so do the risks they face. The type, prominence, and appetite for risks change at different points in the life cycle of an organization and during the life cycle of its programs and projects.
2.1.6 RISK THRESHOLD
Risk threshold is the measure of acceptable variation around an objective that reflects the risk appetite of the organization and its stakeholders. A key element of risk strategy is the establishment and monitoring of enterprise, portfolio, program, and project risk thresholds. Examples of risk thresholds include:
Establishing risk thresholds is an integral step in linking portfolio, program, and project risk management to strategy alignment and is performed as part of early planning. Based on the risk appetite of the organization, governance may also be responsible for ensuring that risk thresholds are established and observed, and when the risk should be escalated to a higher governance level.
2.2 RISK MANAGEMENT IN ORGANIZATIONS
The organization's governance body is ultimately responsible for setting, confirming, and enforcing risk appetite and risk management principles as part of its governance oversight. An organization's governance also determines which risk management processes are appropriate in terms of organizational strategy, scope, context, and content.
The enterprise risk function often resides in the executive management organization due to the direct relationship between the success of achieving organizational strategic goals and employing an effective risk management process.
When assessing the seriousness of a risk or combination of risks, uncertainty and the effect on endeavors or objectives are considered. The uncertainty dimension is commonly described as probability, and the effect is often referred to as impact.
The definition of risk includes both (a) distinct events that are uncertain but can be clearly described and (b) more general conditions that are less specific but may also give rise to uncertainty.
The definition of risk also encompasses uncertain events that could have a negative or positive effect on objectives. Both of these uncertain situations are considered to be risks when they could have an adverse or positive effect on the achievement of objectives. It is essential to address both situations within an enterprise, portfolio, program, and project risk management process. Addressing threats and opportunities together (i.e., addressing both in the same analysis and coordinating the responses to both when they overlap) allows for synergies and efficiencies.
It is important to distinguish risks from risk-related features. Causes are events or circumstances that currently exist or are certain to exist in the future, which might give rise to risks. Effects are conditional future events or conditions that directly affect one or more objectives if the associated risk occurs.
A risk may have one or more causes and, if it occurs, may have one or more effects. When a risk event occurs, the risk ceases to be uncertain. Threats that occur are termed issues, and opportunities that occur are benefits to the enterprise. Portfolio, program, and project managers are responsible for resolving these issues and managing them efficiently and effectively. Issues may entail actions that are outside the scope of the portfolio, program, and project risk management process; therefore, these issues are escalated to a higher management level according to the organization's governance policy.
2.3 DOMAINS OF RISK MANAGEMENT
Risk management is an integrated framework that spans organizational levels. Aside from simply predicting what could happen, the aim of risk management is to develop the means to support the achievement of organizational objectives, realization of the strategic vision, and creation of value.
Risk management strongly influences decision making at the enterprise, portfolio, program, and project levels. At the enterprise level, the entire organizational strategy is the set of strategic and business management actions for countering business threats and exploiting business opportunities. These decisions and actions are often executed within the portfolio as part of its individual components: programs, projects, and operations.
The various perceptions and perspectives regarding risk management in each portfolio, program, and project management domain feed into one another in an iterative, interactive, and dynamic manner. Risks may be interconnected, have dependencies, and interact via feedback loops (see Figure 2-2). Details of this interaction are provided in Sections 5, 6, and 7.
2.3.1 ENTERPRISE
The primary purpose of risk management is the creation and protection of value. ERM is an approach for identifying major risks that confront an organization and forecasting the significance of those risks to business processes. The way in which risks are managed reflects the organization's culture, capability, and strategy to create and sustain value. ERM addresses risks at the organizational level including the aggregation of all risks associated with the enterprise's portfolio of programs and projects.
When exploring alternative strategies, ERM enables the alignment of each portfolio, program, and project component with the organizational strategy. ERM establishes the connections between the various governance levels through the bottom-up escalation of identified risks and the top-down definition of risk management strategies. The top-down process triggers the creation of programs, projects, and other activities aimed at exploiting specific opportunities and addressing business threats.
ERM provides a systematic, organized, and structured method for:
ERM is an ongoing process that supports the plan-do-check-act sequence for continuous improvement. ERM is not limited to compliance and disclosure requirements nor is ERM a replacement for internal controls and audit. The application of ERM varies depending on the organization and could vary from year to year based on overall risk appetite, stakeholder expectations and requirements, and the internal and external environment.
There is no one-size-fits-all approach to performing ERM. The ERM function, structure, and activities vary with each organization. ERM is responsible for ensuring that all organizational risks are addressed and properly managed and monitored.
Risk management in the enterprise management context of integrated portfolio, program, and project management consists of:
2.3.2 PORTFOLIO
Portfolio risk management categorizes risks as structural, component, and overall risk. Structural risks are risks associated with the composition of a group of projects and the potential interdependencies among components. Component risks at the portfolio level are risks that the component manager escalates to the portfolio level for information or action. Overall portfolio risk considers the interdependencies between components and is, therefore, more than just the sum of individual component risks. Risk efficiency is a key element of managing risk at the portfolio level. Efficiency is achieved through adjusting the mix of portfolio components to balance risk and reward such that overall portfolio risk exposure is managed.
Planning, designing, and implementing an effective portfolio risk management system depends on organizational culture, top management commitment, stakeholder engagement, and open and fair communication processes. Portfolio risk management is important for the success of managing portfolios where the value lost due to component failure is significant, or when the risks of one component impact the risks in another component.
As defined in The Standard for Portfolio Management [2], portfolio risk management ensures that components achieve the best possible success based on the organizational strategy and business model. Portfolio risk management can be viewed as the management activities related to adapting the mix of portfolio components to the evolution of the organization's business environment. Similar to enterprise strategy, the result of portfolio risk management strategy is defining and launching new components or closing other ones. Portfolio components can be responses to identified threats or opportunities in alignment with the organization's overall business strategy.
2.3.3 PROGRAM
Program risk management strategy ensures effective management of any risk that can cause misalignment of the program roadmap, and the objectives it supports, with the organizational strategy. It includes defining program risk thresholds, performing the initial program risk assessment, and developing a program risk response strategy.
Program risk management determines how risks are to be communicated to governance layers and strategic levels of the organization. This level of strategic alignment requires that program risk thresholds take into account the organizational strategy and risk attitude. Program risks go beyond the sum of the risks from each project within the program. Program risk management applies the concepts of portfolio risk management to the set of program components.
The Standard for Program Management [3] describes program risk management strategy as:
Program risk management aggregates operational risks for component projects and activities and handles the specific risks at the program level, which is dependent on the layers of accountability defined in the portfolio, program, and project governance models. Also, the perspective on risk at the program level is more focused on the immediate impact of risks than on the expected benefit.
2.3.4 PROJECT
Project Risk Management is a Knowledge Area of project management that identifies and manages project risks that could impact cost, schedule, or scope baselines.
A Guide to the Project Management Body of Knowledge (PMBOK® Guide) [4] describes Project Risk Management as the processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring risk on a project. The objectives of Project Risk Management are to increase the probability and/or impact of opportunities and to decrease the probability and/or impact of threats in order to optimize the chances of project success. The PMBOK® Guide states that when unmanaged, these risks have the potential to cause the project to deviate from the plan and fail to achieve the defined project objectives. Consequently, project success is directly related to the effectiveness of Project Risk Management.
Project Risk Management supports project objectives by adapting or implementing the courses of action and project activities to take advantage of emerging changes in the project environment. Thus, the project baselines (i.e., scope, schedule, and cost) are risk informed. All risks undergo qualitative analysis, and some risks undergo quantitative analysis when the risk impacts the baseline and/or when analysis of the combined effect of multiple risks is required.
2.4 KEY SUCCESS FACTORS
Enterprise (which includes organizational project management [OPM]), portfolio, program, and project risk management is conducted in a manner consistent with practices and policies. In addition, portfolio, program, and project risk management is conducted in a way that is appropriate to the characteristics of the endeavor. Specific criteria for the success of each risk management process are listed in the sections dealing with those processes. These key success factors for risk management enable the realization of the principles discussed in Section 1.3 and are illustrated in Figure 2-3.
The key success factors include: