Identifying and treating risk in a project portfolio
Analysing risks—consequence
As stated previously, it is reasonable to assume that one consequence of project failure is the loss of expected benefits. To enable a comparative analysis between the risks each project or program poses to the portfolio, each of these consequences needs to be graded or ranked in the same manner that the consequences of individual events are rated for a project or program.
For consistency across risk management approaches used within an organisation’s project, program and portfolio management environment, it is recommended that portfolio risk consequence, that is, the loss of benefits from projects/programs, be ranked as either Severe, Major, Moderate, Minor or Insignificant.
The description/quantification of each of these rankings will differ between organisations; however, it is suggested that they align to the same categories used when the organisation undertook its assessment of risks when it first determined which projects or programs would form part of the portfolio.
Analysing risks—risk rating
As with the rating of risks in other environments, the following matrix of risk likelihood and consequence can be used to determine a rating for the level of risk a project or program poses to the portfolio or organisation.
Evaluating risks
Portfolio risk ratings do not lend themselves to the evaluation and treatment of risks per se. Rather, portfolio risk ratings are used to rank/order projects and programs for consideration and/or review at an organisation’s governance forums.
In this way, governance forum members will be encouraged to focus their attention on projects and programs that pose a high risk to the organisation rather than projects and programs with high risks.
Treating risks
As noted previously, as projects and programs progress, their likelihood of failure, and hence their portfolio risk rating, may change. In response to changes in a project/program’s portfolio risk rating, an organisation’s governance forum should reconsider the ongoing viability of that project or program and may elect to:
- Choose an alternative, lower risk, approach for delivering the project/program outcomes;
- Place the project/program on hold until existing/new technology becomes ‘proven’. In this way a project/program will reduce its risk rating by stepping back from the ‘bleeding edge’;
- Reduce the scope of the project/program to reduce risk exposure, acknowledging that there may be a consequential reduction in costs and expected benefits; or
- Terminate the project/program and accept the loss associated with the expenditure incurred to date.
Monitor and review risks
In accordance with an organisation’s normal project and program governance processes, project and program managers would be expected to provide regular, typically monthly, status reports. The performance information, for example schedule and cost, can be used to recalculate a project’s likelihood of failure (see above) and hence a project’s new portfolio risk rating.
The recalculation of the portfolio risk rating for all projects and programs within a portfolio may result in some projects and programs rising up in the order of priority for consideration by the organisation’s governance forum.
The above portfolio risk management approach will ensure that an organisation’s governance forum focuses on projects and programs that pose the greatest risk to its success, rather than the projects and programs that have the greatest number of high risks.