
risk decisions 2011

whitepaper

Portfolio Risk Management: aligning projects with business objectives to deliver value

by Val Jonas CEO Risk Decisions Group and Susheel Chumber Professional Services Manager, Risk Decisions Ltd

www.riskdecisions.com

Abstract
Organisations are taking up the challenge to improve risk management at all levels, from project and operations to Enterprise Risk Management. The focus is to ensure that business objectives are met. However, there tends to be a gap in the hierarchical structure of organisations where a strategic approach to risk management is required: the portfolio level. This paper places the portfolio perspective in context, providing some practical insights into how portfolio risk management can deliver significant financial and non-financial benefits. By embedding portfolio risk management into your risk framework, its complementary approach supports risk management maturity across the organisation. In today's climate of increasing pressure, organisations must focus on managing risks to meeting objectives. Portfolio risk management can provide a quick return; so start now, there's no time to waste.

The challenge
At any one time, a large organisation may have a significant number of ongoing projects, of varying types, stages and sizes, with different stakeholders, customers, suppliers and deliverables. One thing is certain: these projects will have a significant amount of budget and resources assigned to them; what is uncertain is exactly what benefits they will deliver. Therefore, organisations align their projects with business objectives, in order to ensure they will deliver value. Then, after the business case has been signed off, focus switches to successful project delivery. However, what is often forgotten is the importance of maintaining the alignment of projects with business objectives, which frequently change over time. Projects are approved with defined scope and cost / time / performance targets; but the environment within which they are executed is constantly evolving. For example:

- External political, environmental and market conditions alter
- Sponsors come and go with regular management reorganisations
- Customer expectations change over time

There are also internal challenges:

- Projects compete for resources and management attention
- Projects are often interdependent, having impact on each other

These challenges are both external and internal to a project's context, and are all sources of risk to the project's ability to deliver value. So no matter how good your organisation is at keeping projects on track, they may often be overtaken by events beyond their control.

Different risk management perspectives


In order to understand how to keep project deliverables aligned with business objectives, it is useful to understand the different risk management perspectives in an organisation. Senior managers are responsible for delivering business objectives, which requires awareness of potential market changes and the political environment, as well as responsibilities for strategic direction and governance. Their role is to deliver shareholder (and/or stakeholder) value.

Figure 1. Environmental risks impact on projects' ability to deliver against business objectives

Figure 2. Senior manager risk perspective (Top down). Diagram labels: External Context; Business Objectives (Shareholder, Stakeholder Value); Governance (Risk, Controls, Compliance)

Project and programme managers are focused on the balance of time, cost and performance; juggling resources, managing scope and budgets, identifying opportunities, controlling change, as well as handling the interface with the customer and other projects. Their role is to meet the hard targets set as their deliverables.

Figure 3. Project risk perspective (Bottom up). Diagram labels: Cost (Budgets); Time (Schedule); Performance (Quality, Scope); Deliverables

Unfortunately, there tends to be a major disconnect between project/programme and senior management perspectives, which needs to be bridged for the organisation to perform effectively.

Addressing the disconnect

The first challenge to be tackled is how to improve communication top down and bottom up. Projects will continue on their pre-determined path unless senior managers communicate significant environmental changes that may affect them. Similarly, managers will assume that strategic objectives will be met unless concerns or assumptions about project delivery are brought to their attention. The second challenge is to ensure that there is a mechanism to respond to these environmental risks that arise. This may require just a simple realignment of the project; but in extreme cases a complete review of the business case and major change or cancellation of the project may be necessary. Many organisations fail in this area, as their inclination or ability to revisit the original business case under new conditions is limited. And even if they do this, the follow-on decision-making process is often slow, contributing to continued inefficiencies. Responsibility for identifying such issues is often left up to programme and other middle managers; however, they rarely have sufficient oversight of the business or independent objectivity to provide a balanced view. So, there needs to be some infrastructure in the organisation with responsibility for monitoring and managing risk to business objectives in a proactive and robust way.

Exhibit 4. Top down and bottom up communication

Portfolio risk management: the missing link

A major role of the portfolio manager is to assess and approve business cases. However, the responsibility does not stop there; it extends throughout the life of the project. If, at any time, some uncertainty, influence or event threatens the validity of the original business case, then a review should be triggered. If the business case can no longer demonstrate business benefits (independently or relative to other business opportunities) then an appraisal of the options, with recommendations for action, must be reported to senior management for decisions to be made. Focussing on individual business cases would result in a view of projects and programmes that is too narrow. So the portfolio level is responsible for optimisation across a set of projects, with focus placed on balancing risk and reward, in line with business risk appetite. Organisations should see risk taking as a good thing, as long as it is properly understood and managed. This measured approach is the ongoing focus of portfolio risk management. A major role of the portfolio risk manager is to provide two-way communication of key risk information, and hence assurance that delivery of business benefits is secure.

Figure 5. The portfolio risk management perspective. Diagram labels: Business Case (decision making); Optimisation (maximise ROI); Balance (risk and reward); Benefits


A periodic review may show that a project is no longer able to deliver the required benefits and drastic action might be recommended, even though the project is currently performing very well against its original targets. The result will not necessarily be project closure; it may just need to be adjusted to address the risk or match new business needs.

The link with Enterprise Risk Management


Enterprise risk management (ERM) requires proactive involvement from the extended organisation. Portfolio risk management provides a key component of ERM because it glues together organisational silos. Business case preparation and ongoing progress reviews involve input from appropriate functional, operations and logistics departments, as do ongoing assurance and risk management activities. Portfolio risk managers have responsibility for coordinating involvement of various parties; they should be independent of specific business units, functions, programmes, etc., to provide an objective view.

Figure 6. Bridging the gap between top-down and bottom-up Risk management

A framework to manage risks


Risk management is driven from the top. People down through the organisation require guidance to allow them to make judgements on the importance and acceptability of different types of risk. This guidance must include a statement on the organisation's risk appetite (quantitative and qualitative thresholds and triggers), explicit assignment of responsibilities for ensuring risks are managed, support in prioritising key risk response actions, as well as delegated authority and budgets/resources (management reserve) to carry them out. The behaviours demonstrated top down will drive behaviour down through the organisation. It is the responsibility of the portfolio risk manager to ensure risk management activities from senior management at the top and all the way down through programmes and projects are functioning efficiently. Having set up this framework, a good structure is required to ensure both significant tactical risks and strategic business risks are understood, communicated and managed up and down, to inspire confidence, ensure timely decisions are made and maximise business success. For example, a project may identify a tombstone risk (one that, if it were to occur, would kill the project); if no acceptable mitigation response can be found at the portfolio level, then this risk needs to be brought to the attention of senior management, for appropriate action.

Figure 8. The area of ERM covered by portfolio risk management

Different parts of the enterprise may use different risk guidance, for example PMBoK (PMI) or PRAM (APM) for projects, M_o_R (OGC) or ISO 31000 for wider strategic or business risk. From a portfolio perspective, it doesn't matter that there are different dialects of risk management across the organisation, as they essentially follow the same basic process, as can be seen below.

Figure 7. A framework to manage risks


Figure 9. Similarity between risk process guidelines

Implementing portfolio risk management


Very few organisations have moved beyond a very simple implementation of ERM, but many now have reasonably mature project, programme and other specialised risk management capabilities in place. Portfolio risk management can assist in raising the profile and maturity of risk management, particularly if your organisation operates a gated approval process. A full disclosure of risk should be provided at each stage of business case appraisal and then through ongoing review and reporting periods. This means that risk at each stage of the lifecycle should be stated, not just the stage currently being reviewed or approved. Further improvements can be achieved with risk maturity models. For example, some organisations require a project team to demonstrate a minimum level of risk maturity (process and practice). The example below shows a risk maturity model with 7 criteria and 4 levels: Ad Hoc, Initial, Repeatable and Managed. The lowest score determines the maturity of the team; in the example below this is Ad Hoc, shown by the red line. While it is unlikely to be the responsibility of the portfolio risk manager to measure and improve risk maturity across the organisation, it is a useful measure in business case appraisal. For example, not only does the business case need to be sound, but the team put in place to carry out the project needs to prove itself capable of delivery. Other areas in which portfolio risk management can provide support are:

- To act as a centre of excellence to support risk management practices
- Support HR in ensuring all staff are trained in risk management
- Promote a consistent approach to risk management
- Run a risk steering group to support proactive communication of risk
- Manage a higher-level budget for show-stopper risks across the organisation

It will also be necessary to implement an Enterprise Risk Management tool, such as Predict!, to identify, assess, manage and provide consistent reporting on risk across the organisation. To deliver joined-up risk management, it is not practicable to operate separate spreadsheet risk registers for different projects, business units etc. A central database repository for assessing risk and approving response actions, with Risk Management Clusters to represent business case entities, is required.

Figure 10. An example risk maturity model. Diagram labels: Overall Maturity Level (Managed; Repeatable; Initial; Ad Hoc); criteria: Context; Identify; Analyse; Evaluate; Treat; Monitor review; Culture


Portfolio risk management: no time to waste

The journey to effective risk management can take some time, but whatever stage your organisation is currently at, portfolio risk management can deliver quick and effective results. Its practical risk to objective approach requires only a small number of key top level risks to be identified and assessed against each project, allowing a clear risk profile to be communicated to senior management for timely intervention if required. Any project that does not have clear and current objectives needs to be reviewed immediately. Once all projects have a risk profile, these should be standardised for review by a wider management group responsible for overseeing projects and programmes. Functional managers should be encouraged to identify common risks across projects, so that strategic actions can be identified, saving money by eliminating duplicated lower level actions. Once risk appraisal across all projects is in place, the portfolio risk manager should be well placed to look back at risks that have occurred and provide advice across all projects on lessons learned. Portfolio risk management is currently under-utilised and is therefore an area in which organisations can gain significant competitive advantage. However, the challenge in implementing it should not be underestimated. Portfolio risk management may be seen as a threat by projects with a vested interest in maintaining the status quo. In an environment where cash is short and resources are stretched, it is likely that an increasing number of projects have an uncertain future. Ensuring continuous alignment with current objectives, even if that means significant change for a project, could in turn save it from closure. And remember, closing a project isn't necessarily bad. It could be that it just no longer meets business requirements and closing it will mean that more beneficial projects can then proceed. So start managing risk from a portfolio perspective today; there's no time to waste.

References
Association for Project Management (2004) Project Risk Analysis & Management Guide, 2nd Edition, Association for Project Management, High Wycombe, Bucks, UK; ISBN 1-903494-03-5

Association for Project Management (2002) Earned Value Management: APM Guideline for the UK, Association for Project Management, High Wycombe, Bucks, UK; ISBN 1-903494-03-6

Project Management Institute (2004) A Guide to the Project Management Body of Knowledge (PMBoK), 3rd edition, Project Management Institute, Philadelphia, US; ISBN 1-930699-45-X

Association for Project Management (2008) Interfacing Risks and Earned Value Management, Association for Project Management, High Wycombe, Bucks, UK; ISBN 10: 1-903494-24-9; ISBN 13: 978-1903494-24-0

Figure 11. A backward and forward looking approach to managing risk. Diagram labels: Now; Progress; Benefits; Risk?; Response actions; Lessons learned


Appendix 2: Glossary
Where source is in brackets, minor amendments have been incorporated to the original definition.

| Term | Definition | Source |
|---|---|---|
| Budget | The resource estimate (in £/$s or hours) assigned for the accomplishment of a specific task or group of tasks. | Risk Decisions |
| Change Control (Management) | Identifying, documenting, approving or rejecting and controlling change. | (PMBoK) |
| Control Account (CA) | A management control point at which actual costs can be accumulated and compared to earned value and budgets (resource plans) for management control purposes. A control account is a natural management point for budget/schedule planning and control since it represents the work assigned to one responsible organisational element on one Work Breakdown Structure (WBS) element. | APM EVM guideline |
| Cost Benefit Analysis | The comparison of costs before and after taking an action, in order to establish the saving achieved by carrying out that action. | Risk Decisions |
| Cost Risk Analysis (CRA) | Assessment and synthesis of the cost risks and/or estimating uncertainties affecting the project to gain an understanding of their individual significance and their combined impact on the project's objectives, to determine a range of likely outcomes for project cost. | (PRAM) |
| Enterprise Risk Map | The structure used to consolidate risk information across the organisation, to identify central responsibility and common response actions, with the aim of improving top down visibility and managing risks more efficiently. | Risk Decisions |
| Enterprise Risk Management (ERM) | The application of risk management across all areas of a business, from contracts, projects, programmes, facilities, assets and plant, to functions, financial, business and corporate risk. | Risk Decisions |
| Left Shift | The practice by which an organisation takes proactive action to mitigate risks when they are identified rather than when they occur, with the aim of reducing cost and increasing efficiency. | Risk Decisions |
| Management Reserve (MR) | Management Reserve may be subdivided into: Specific Risk Provision to manage identifiable and specific risks; Non-Specific Risk Provision to manage emergent risks; Issues provision. | APM EV/Risk working group |
| Non-specific Risk Provision | The amount of budget / schedule / resources set aside to cover the impact of emergent risks, should they occur. | APM EV/Risk working group |
| Operational Risk | The different types of risks managed across an organisation, typically excluding financial and corporate risks. | Risk Decisions |
| Opportunity | An upside, beneficial Risk Event. | PRAM |
| Baseline | An approved scope/schedule/budget plan for work, against which execution is compared, to measure and manage performance. | (PMBoK) |
| Performance Measurement | The objective measurement of progress against the Baseline. | APM EV/Risk working group |
| Proactive Risk Response | An action or set of actions to reduce the probability or impact of a threat or increase the probability or impact of an opportunity. If approved they are carried out in advance of the occurrence of the risk. They are funded from the project budget. | (PRAM) |
| Reactive Risk Response | An action or set of actions to be taken after a risk has occurred in order to reduce or recover from the effect of the threat or to exploit the opportunity. They are funded from Management Reserve. | (PRAM) |
| Risk Appetite | The amount of risk exposure an organisation is willing to accept in connection with delivering a set of objectives. | APM EV/Risk working group |
| Risk Event | An uncertain event or set of circumstances, that should it or they occur, would have an effect on the achievement of one or more objectives. | PRAM |
| Risk Exposure | The difference between the total impact of risks should they all occur and the Risk Provision. | APM EV/Risk working group |
| Risk Management Clusters | Functionality in Risk Decisions Predict! risk management software that enables users to organise different groups of risks to form a single, enterprise-wide risk map. | Risk Decisions |
| Risk Provision | The amount of budget / schedule / resources set aside to manage the impact of risks. Risk provision is a component part of Management Reserve. | APM EV/Risk working group |
| Risk Response Activities | Activities carried out to implement a Proactive Risk Response. | APM EV/Risk working group |
| Schedule Risk Analysis | Assessment and synthesis of schedule risks and/or estimating uncertainties affecting the project's ability to meet key milestones. | (PRAM) |
| Schedule Reserve | The schedule component of Management Reserve. | APM EV/Risk working group |
| Specific Risk Provision | The amount of budget / schedule / resources set aside to cover the impact of known risks, should they occur. It is not advisable to net opportunities against threats and so a separate value is calculated for each. | APM EV/Risk working group |
| Threat | A downside, adverse Risk Event. | PRAM |
| Uncertainty | The spread in estimates for schedule, cost, performance arising from the expected range of outcomes. Often termed estimating error. | APM EV/Risk working group |


About Risk Decisions


Risk Decisions Limited is part of Risk Decisions Group, a pioneering global risk management solutions company, with offices in the UK, USA and Australia. The company specialises in the development and delivery of enterprise solutions and services that enable risk to be managed more effectively on large capital projects as well as helping users to meet strategic business objectives and achieve compliance with corporate governance obligations. Risk Decisions has introduced many innovative features that have since become standard features in the industry including the risk hierarchy tree, combined threat and opportunity risk impact grids and automated schedule risk analysis. The company plays a significant role in influencing risk management policy, making important contributions to APM, OGC and PMI risk management guides and standards, including guidance on interfacing risk with other disciplines, such as Earned Value and Systems Engineering. Clients include Lend Lease, Mott MacDonald, National Grid, Eversholt Rail, BAE Systems, Selex Galileo, Raytheon, Navantia, UK MoD, Australian Defence Materiel Organisation and New Zealand Air Force.

For further information visit: www.riskdecisions.com or contact Alex Leggatt at: Risk Decisions Ltd, Whichford House, Parkway Court, Oxford Business Park South, Oxford, OX4 2JY. Tel: 01865 718666. Email: alex@riskdecisions.com

European HQ
For enquiries from the UK and mainland Europe.
Risk Decisions Ltd, Whichford House, Parkway Court, Oxford Business Park South, Oxford OX4 2JY, United Kingdom

For general enquiries: Tel: +44 (0)1865 718666; Fax: +44 (0)1865 718600; Email: enquiries@riskdecisions.com

For help desk support: Tel: +44 (0)1865 395698; Fax: +44 (0)1865 718600; Email: support@riskdecisions.com
