Many organisations choose to run groups of related projects as a portfolio, aiming to create synergies and savings by managing them together. Risk is one of the most important aspects that must be managed at portfolio level. But it is clear that risk is not simply additive, so we cannot determine the level of portfolio risk exposure just by adding up all the risk exposures of the projects. So how do we assess and manage the risk associated with a portfolio of projects?
This is important when we initially establish the portfolio, when we need to be sure that the overall level of risk exposure is acceptable. But we must also assess and manage the changing and emergent risk exposure as we execute the projects within our portfolio, to be sure that they stay within our risk tolerance.
To assess risk exposure when we are building a portfolio of projects, the first challenge is to clearly define the objectives of the portfolio. Then we need to define risk thresholds against each objective, to reflect the risk appetite of the main stakeholders.
The next step is to list the candidate projects for possible inclusion in the portfolio. At this stage we need to consider all possible projects, including high-risk ones as well as those that are not so challenging. For each project, the benefits should be quantified against the defined objectives of our portfolio, to assess how much each project would contribute towards achieving the overall portfolio objectives.
Next we need a common framework against which we can assess the relative riskiness of each candidate project. A generic portfolio-level Risk Breakdown Structure (RBS) could be used as a common framework to identify risks for each project. We can then assess each risk against the portfolio-level risk thresholds that we defined earlier. This allows us to determine an overall risk rating for each project in the portfolio.
Developing a risk-balanced portfolio
Having assessed the riskiness of each candidate project, the portfolio manager together with key stakeholders should review the list of projects and build a risk-balanced portfolio. This means balancing the risk against the reward for each project, and choosing the right group of projects that offer the required level of reward but with an acceptable level of risk exposure.
The concept of risk efficiency is important here. This considers the two dimensions of risk and reward, and aims to balance the two, giving maximum reward for a given level of risk, or aiming for the minimum risk exposure associated with a desired level of reward.
Finally when we have built and launched our portfolio of projects, we need to manage the risks within each project, using the standard project risk management process. But we do not lose interest in the riskiness of the projects. At regular intervals the portfolio manager should review all projects to ensure that they remain within the acceptable risk range, and to ensure that they are delivering the expected benefits. This requires a way of calculating the overall risk exposure of each project, as well as addressing individual risks within each project. It may also be necessary at key review points to change the mix of projects in the portfolio, stopping some projects and adding others, driven by the principles of risk efficiency.
Portfolios are an important way of managing groups of related projects in a way that delivers benefits and value while addressing overall risk exposure. Managing risk at portfolio level requires a balanced approach and the exercise of management judgement, both when we build our portfolio and as we execute the projects within it. We will only gain the synergies and savings that portfolio management offers if we actively manage the risks within our projects as well as the overall risk exposure of the portfolio.
This article should be read alongside Identifying and treating risk in a project portfolio for comparison.