While many organisations undertake a risk-based assessment when determining which projects or programs to include in their portfolio of work, this assessment tends to be static rather than dynamic. That is, the risk-based assessments are only undertaken at the beginning of the funding cycle and are not revisited at any time during the life of a project or program. Thereafter, portfolio risk management is typically relegated to a simple administrative task of collecting, collating and summarising the risks facing the individual projects and programs that make up the portfolio.
Such an approach can lead organisations to lose sight of the forest by focusing on the trees: they focus on the statistics and forget the bigger picture. Portfolio risk management should be more than the summation of risks to its component projects and programs. It should be about looking at projects and programs that pose a high risk to the portfolio or organisation rather than looking at projects or programs that have a large number of high risks.
Using the International Standard for Risk Management (ISO 31000) as a guide, let’s look at how portfolio risk management might look under the paradigm of focusing on projects and programs that pose high risks rather than on projects and programs with high risks.
Establishing the risk management context
Risks posed by a project or program have the potential to damage organisational capability and/or objectives due to the failure of the project or program. This damage will be the greater of:
- The direct cost of the project or program;
- The expected benefits from the project or program; or
- The expected benefits from another project or program that would have been undertaken but for the fact that the resources were allocated to this project;
- The expected benefits from any dependent projects or programs; and/or
- The impact on business should the performance of any production system be degraded by the establishment and embedding of the project.
Unfortunately, many of the expected benefits claimed for projects and programs are not expressed in fiscal terms. Therefore, it is not possible to compare the direct costs of a project or program with its expected benefits to determine which is the greater. That said, given the rigour most organisations apply in selecting projects and programs in the first instance, it should be reasonable to assume that:
- The expected benefits outweigh the direct costs of the project or program; and
- The ratio of expected benefits to costs of a project or program is better than the same ratio for any other project or program that has not been undertaken due to resources being expended on this project.
Therefore, for the purpose of determining the risk posed by a project or program, the expected benefits from the project or program could be used as the basis for determining the potential damage caused by the failure of the project or program.
As stated at the outset, the form of portfolio risk management proposed by this paper treats each project or program as a risk to the portfolio or organisation. Just as each project or program has individual risks that pose a threat to its success, the projects and programs themselves pose a threat to the success of the portfolio or organisation. Accordingly, each project and program is a risk to the portfolio or organisation.
In the context of portfolio risk management, risk likelihood is akin to the likelihood that a particular project or program will fail. Enter now the dynamic element of portfolio risk management, because the likelihood of project or program failure may vary over time. Furthermore, there is more than one factor that contributes to the likelihood of project failure. While the literature is replete with material on why projects fail, a portfolio manager could do far worse than look at the following to provide likelihood ratings for portfolio risks: