Every project portfolio is inherently risky. Not only can operational problems arise during execution, but external factors like economic instability or natural disasters may also disrupt portfolio success.

One risk that many portfolios take on without anyone being aware of it is the operational risk that arises from incorrect project scheduling and resource allocation decisions. This is a common problem that plagues many organizations: taking on too many projects without understanding real resource constraints.

This leads to resource overload and increases operational risks because teams can’t deliver projects on time.

In this article, we’ll cover what portfolio risk management is, what techniques you can use, and what steps you need to take to manage portfolio risk in your organization.

Key takeaways:

  • Every portfolio has an element of risk to it, whether it’s tied to external factors like economic changes, or internal factors like scheduling issues.
  • Portfolio risk management aims to assess portfolio risks, consider different strategies of dealing with risks, and execute a risk mitigation plan.
  • Removal of risky projects is the main instrument of minimizing risk of the portfolio.

What Is Portfolio Risk Management?

Risk management in project portfolio management is a complex process aimed at identifying risks at the portfolio level and finding ways to mitigate them. It differs from project risk management both in scope and in the methodologies used.

Project risk management mostly deals with operational problems that affect individual projects, like delays due to schedule overlap or resource shortages. Portfolio risk management takes a high-level view of the risk factors of each project in the portfolio, along with external risk factors, and aims to balance the risks across the whole portfolio.

The goal of portfolio risk management is to mitigate risks where possible and balance the overall risk profile of the portfolio so that it still delivers value to the organization even if some of the projects fail.

What Are the Benefits of Portfolio Risk Management?

Risk and portfolio management involves a long process of risk calculation and portfolio balancing. Here is what you get for investing your time in this.

  • Risk mitigation. The most obvious and the most important benefit of risk management is that you can distribute the risks across a portfolio of projects and not suffer financial or strategic losses if some projects fail.
  • Clear decision-making. Having a full understanding of the risks of each project and the portfolio as a whole grants you clarity as to which projects you need to prioritize.
  • Strategic alignment. Understanding and mitigating risks of the portfolio allows C-level executives to align it with the organization’s risk tolerance strategy.
  • Increased value delivery. A portfolio with an acceptable risk level will perform better and deliver more value to the organization.
  • Increased ROI. When projects fail, portfolio ROI suffers. Balancing the risks in it allows risk managers to optimize ROI of the portfolio.

Types of Risks in Portfolio Management

There are different levels of risk in portfolio management. Here are the main ones.

Types of risks in portfolio management.

External Risks

External risks are ones that are out of the control of a company. These can include:

  • Force majeure events: natural disasters, pandemics, political unrest.
  • Regulatory changes: changes in licensing or rules of conducting business.
  • Economic changes: global or local recessions, changes in interest rate.
  • Industry trend changes: changes in competition or customer demands, innovative breakthroughs.
  • Market risks: market fluctuations leading to change in prices of supplies.

Other than studying global political and industry trends, the main line of prevention of such risks is organizational flexibility. Catching the risk early and adjusting the portfolio accordingly is worse than predicting it, but far better than not reacting on time.

Internal Risks

Internal risks are those that come from within the company and that the company has some power over. They may include:

Operational risks

These risks can disrupt project success through failures in operational processes. They can include equipment malfunctions and project dependencies leading to critical chain failure.


Financial risks

Financial risks arise due to compromised company finances that can affect project execution. This can include cash flow problems affecting the ability to purchase equipment necessary for a project, or lack of asset liquidity influencing company risk tolerance.

Resource capacity risks

These risks are constantly present in portfolio management. The most widespread resource capacity risk is resource overload that leads to bottlenecks and operational delays. Lack of skilled talent is another common risk.

Strategic risks

Choosing a particular strategy, whether it’s a general business strategy or a risk strategy, can impact the overall company performance negatively if the strategy isn’t a good fit for the industry as a whole, this particular company, or its current growth stage.

Unlike external risks, most internal risks can be predicted with varying accuracy and accounted for by company efforts. Companies that have a high visibility in all internal processes and can leverage data analytics effectively can fight uncertainty proactively.

Portfolio risk management focuses on operational and resource capacity risks. For instance, with the right PMO tools, risk managers can predict resource capacity deficits based on scheduled projects and allocation decisions. They can manage those risks by rescheduling projects and focusing the limited resources of a company on high priority projects.

This data also informs financial risk management as an updated project delivery schedule changes expected cash flow.

Techniques for Identifying Portfolio Risks

Assessing risks poorly can lead to improper portfolio management decisions and potentially major business failures. Here are a few techniques for assessing risks, both on project and on portfolio level.

Risk Matrix

The most common way to gauge risk is with a risk matrix like the one below. Essentially, it’s a graph of two Likert scale assessments: likelihood of an event occurring and the severity of its consequences.

Project risk matrix.

To use this matrix, you’ll need to:

  • Identify the risks.
  • Assess their likelihood.
  • Assess the severity of their consequences.
  • Calculate the overall risk score for the project.

You can do the assessment by voting with the PPM governance team or by using data from past projects. The latter is always preferable because it’s best to base your risk assessments on data, but not all risks can be analyzed with historical data. This is the case, for example, for projects your organization hasn’t done before.

The same portfolio risk management models can be used for assessing external risks and risks of the portfolio as a whole.

Failure Mode and Effects Analysis (FMEA)

FMEA is a slightly different portfolio risk analysis approach that breaks down each project into several steps and assesses the probability of failure on each of them. Here is how it can be implemented:

  • Break down the project into steps.
  • For each step find risks that may affect it.
  • Assess the probability of occurrence (O) of each risk.
  • Assess how severely (S) failure may impact the project.
  • Assess how easy the risk is to detect (D).
  • Calculate the RPN (risk priority number) score by multiplying the three ratings: O × S × D.
  • Find ways to manage high-risk events.

This method should be applied to all projects in your portfolio, or to ones you believe to be best suited for this type of analysis. It helps manage portfolio risks by analyzing and reducing operational risks in each project.

Some research suggests that FMEA analytics can sometimes be deceiving because the RPN score lets ease of detection mask severity. This can cause organizations to fail to mitigate events with high levels of severity or high risk of occurrence. It’s suggested to analyze all factors separately as well as through the lens of the combined score[1].
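The RPN calculation and the masking problem described above, as an added example that is not part of the original article. The 1 to 10 rating scale, the convention that a higher D means harder to detect, the two thresholds, and the sample failure modes are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    step: str
    risk: str
    occurrence: int  # O: 1 (rare) .. 10 (almost certain); assumed scale
    severity: int    # S: 1 (negligible) .. 10 (project fails); assumed scale
    detection: int   # D: 1 (almost always caught) .. 10 (practically undetectable)

    def __post_init__(self):
        # Reject ratings outside the assumed 1..10 scale before they skew the RPN.
        for label in ("occurrence", "severity", "detection"):
            value = getattr(self, label)
            if not 1 <= value <= 10:
                raise ValueError(f"{label}={value} outside 1..10 for {self.risk!r}")

    @property
    def rpn(self):
        # Risk priority number: the product of the three ratings.
        return self.occurrence * self.severity * self.detection


def review(modes, rpn_limit=100, factor_limit=8):
    """Rank failure modes by RPN and flag them by combined score and by factor.

    A mode is "masked" when severity or occurrence alone crosses factor_limit
    but the RPN stays under rpn_limit, which is the case an RPN-only ranking
    would leave unmitigated. Both limits are illustrative assumptions.
    """
    report = []
    for m in sorted(modes, key=lambda m: m.rpn, reverse=True):
        reasons = []
        if m.rpn >= rpn_limit:
            reasons.append("rpn")
        if m.severity >= factor_limit:
            reasons.append("severity")
        if m.occurrence >= factor_limit:
            reasons.append("occurrence")
        report.append({
            "step": m.step,
            "risk": m.risk,
            "rpn": m.rpn,
            "reasons": reasons,
            "masked": bool(reasons) and "rpn" not in reasons,
        })
    return report


# Constructed sample data (not taken from the article).
SAMPLE_MODES = [
    FailureMode("Design", "Requirements change late", 6, 5, 5),
    FailureMode("Procurement", "Sole supplier fails", 2, 10, 2),
    FailureMode("Testing", "Test rig unavailable", 8, 3, 2),
    FailureMode("Handover", "Documentation incomplete", 4, 3, 4),
]

if __name__ == "__main__":
    for row in review(SAMPLE_MODES):
        flag = ",".join(row["reasons"]) or "-"
        note = "  <- masked by RPN" if row["masked"] else ""
        print(f'{row["rpn"]:>4}  {row["risk"]:<28} {flag}{note}')
```

In the sample, the supplier failure has the lowest RPN of the four yet the highest severity, so it only surfaces because severity is checked on its own.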

Risk-Value Matrix

Project risk-value matrix is a way of assessing the level of risk with a bit more nuance. In it, you need to arrange the projects across two axes: level of risk and potential business value, either in monetary terms or in terms of growth or innovation.

Value-risk matrix for portfolio risk management.

This matrix can help you in prioritizing projects based on the potential returns, not only on the level of risk.

Portfolio Risk Tolerance Score

The most common way to assess the risk of the portfolio as a whole is this:

  • Determine risks of each individual project.
  • Determine what percentage of the portfolio budget is allocated to each of the projects.
  • Create a weighted average of risk assessments with budget share as a weight.
  • Compare to the maximum risk score in your portfolio risk assessment process.

In this type of calculation, risky projects are assessed by how much of the total portfolio value is allocated to them. A risky project that takes up 15% of the total portfolio value will have a significant impact on the whole portfolio should any risks be realized. In contrast, the same project that only takes 3% will pose less threat to the whole portfolio, as its overall impact is much smaller.

Represent your maximum risk score as percentiles. The first 25% is little to no risk, the middle 50% is medium risk, and the last 25% show a high risk portfolio. If your maximum risk score is 10, and the weighted average is 7, you’re approaching a danger zone, and need to take steps to mitigate the risks.

An example of project risk tolerance score calculation.

Challenges of Portfolio Risk Management

The portfolio risk management process is complicated and is bound to have multiple challenges associated with it. Here are the main ones.

Limited Portfolio Visibility

A problem many organizations struggle with while implementing PPM is limited portfolio visibility. It may impact risk management as without it, organizations tend to take on too many projects, which overloads resources and leads to operational risks.

Use portfolio management tools to understand your project portfolio and prevent operational risks from arising.

Stakeholder Resistance

Stakeholder resistance is a problem relevant to project portfolio management as a whole. Having too many projects in a portfolio and little to no way to understand their risk level and impact on a portfolio leads to bottlenecks in critical project chains, resource overload, low productivity, and poor portfolio performance. And yet, it remains a common occurrence in far too many companies.

The common reason for this is a lack of stakeholder determination to make the necessary changes in a portfolio, either because of their overly optimistic expectations, or because of favoritism towards certain projects.

You can solve this problem with a combination of communication skills and project risk management software. Present the projections to the board and explain why taking certain decisions like reducing the number of risky projects are necessary for long-term company health.

Ineffective Risk Identification

Risk management relies in many ways on the subjective judgement of team members. Not only can risk assessments be wrong, but the very first step in risk management, the identification of potential risks, can also fail to find all of them.

To combat this, use historical data on project and portfolio performance and include more people in risk management meetings.

Wrong Risk Strategy

A lot of project portfolio management relies on the strategic course the organization takes. If the organization chooses a risk strategy that doesn’t work for its current capabilities, the solution is outside of the scope of PMO risk management.

For instance, following a risk-taking portfolio risk management strategy as a small company with a very limited resource pool and a heavy emphasis on R&D may backfire, with the company losing cash flow while chasing large high-risk opportunities. Conversely, following a risk-averse approach in an industry where innovation is paramount can lead to a company slowly losing cash flow over time as its products become obsolete.

Lack of Flexibility

Portfolio management with risk assessment is an ongoing process. As time passes, some risks may become irrelevant, and some may come to prominence. By making your risk management process rigid and fixing it at, say, a quarterly rate, you fail to respond to new risks in time.

A good approach to portfolio risk management does have structure and a schedule for reassessing risks, but also has enough flexibility to step in and change the portfolio in case an increased risk comes into view.

Lack of Quality Data

Risk management relies on accurate data and its analysis. If your team doesn’t have access to quality data, the chances of correct risk assessment are small. Make sure you track and store historical project performance data to have the right information to analyze. Getting access to the latest industry trends and economic situation analysis is also a good idea for having a better understanding of external risks.

This challenge also applies to lack of expert data. If the team that is assessing risks of a certain project is relatively inexperienced, they might have far too optimistic expectations. In this case, having senior team members on the discussion board or contracting consultants can bring much better results.

Overreliance on Data

Paradoxically, even though portfolio and risk management for businesses relies on data, relying on it too much can be a major pitfall. Probability is not certainty, both when it comes to the chances of an event happening and the chances of it not happening.

Now, planning for the worst-case scenario isn’t always the best option to approach events like these. The right way is to plan ahead, have contingency plans for the risks that have the most severe consequences, and leave enough room for flexibility in your portfolio management approach to implement them.

How to Identify Risks in Your Portfolio in 7 Steps

The exact process of risk evaluation would depend on what resources your organization has and the methods you use. Here are the seven basic steps that you can follow directly or modify to your needs.

Understand the Risk Strategy

The first step is to understand what risk strategy your organization has. This won’t affect how you measure risks, but will affect what risk management decisions you’ll need to make. Generally, you can put risk management strategies into three categories:

  • Risk-averse strategy: the organization wants to minimize the risks.
  • Balanced risk management: the organization seeks a balance between risk and stability.
  • Risk-taking strategy: the organization is willing to take risks to innovate or grow.

In practical terms, you can imagine these three as percentiles of portfolio risk tolerance score the company is willing to accept. Risk averse companies will proceed only if a portfolio is in the first 25%. Companies that seek a balanced portfolio might go with anything under 50%, and risk-taking companies might accept up to 75% of the risk score. The remaining 25% shouldn’t be pursued by any company.

This doesn’t mean that you should automatically accept high risks as a risk-taking company. Look for minimizing risks while keeping potential rewards high.

If your organization doesn’t have a well-defined risk management strategy, you can either optimize the portfolio in a balanced way or hold a meeting with executives and stakeholders to define a strategy.

Take Inventory of Projects in a Portfolio

Next, take inventory of your portfolio. Go through the projects and gather practical information about them. If you can access information on historical project performance, it can be great for analytics.

PPM software can help you take inventory of the portfolio, spot operational risks, and review resource allocation decisions.

Identify Project Risks

Hold a meeting with stakeholders and subject matter experts to identify potential risks in each project. The risks related to project execution may include:

  • Scope creep.
  • Delivery delays.
  • Lack of skilled resources.
  • Budget overruns.

The people with the best skillsets for each project can be included in meetings to determine potential project risks.

Identify Portfolio-Level Risks

Hold a meeting with the senior leadership, data analysts, and potentially consultants to identify risks at the portfolio level. These can include any major risks originating from a program, individual projects or a chain of projects, as well as external risks.

Develop Risk Assessment Criteria

When all of the potential risks are identified, create a set of criteria for assessing their likelihood and severity of impact. Also create a vision of what portfolio risk is acceptable for the organization.

This includes both choosing the framework for risk assessment and the methods of assessing it. For instance, you can decide you want to use the basic 5×5 risk matrix and assess the two metrics that are on it with a combination of stakeholder voting and historical project performance data.

Calculate the Current Portfolio Risk Level

Apply the criteria to each project and the portfolio as a whole. Rank each project on the risk assessment matrix or use another way of measuring risk. Then combine project risks and other risk factors to understand your current portfolio risk level.

If the level of risk is within the acceptable range, you can do minimal adjustments to the portfolio. If it’s out of range, though, large changes in the portfolio will have to be made.
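The budget-weighted score from the "Portfolio Risk Tolerance Score" section, checked against the percentile bands and the three strategy ceilings described earlier, as an added example that is not part of the original article. The project names, risk scores and budgets are constructed, and treating each ceiling as an inclusive upper bound is an assumption.

```python
from dataclasses import dataclass

# Ceilings on the portfolio score as a percentage of the maximum risk score,
# following the three strategies described in the article.
STRATEGY_CEILING_PCT = {"risk_averse": 25.0, "balanced": 50.0, "risk_taking": 75.0}


@dataclass(frozen=True)
class Project:
    name: str
    risk: float    # project risk score on the 0..max_score scale
    budget: float  # budget allocated to the project, in any currency unit


def weighted_score(projects):
    """Average of project risk scores, weighted by budget share."""
    total = sum(p.budget for p in projects)
    if total <= 0:
        raise ValueError("portfolio has no budget allocated")
    return sum(p.risk * p.budget for p in projects) / total


def contributions(projects):
    """Each project's part of the portfolio score, largest first."""
    total = sum(p.budget for p in projects)
    if total <= 0:
        raise ValueError("portfolio has no budget allocated")
    parts = [(p.name, p.risk * p.budget / total) for p in projects]
    return sorted(parts, key=lambda item: item[1], reverse=True)


def assess(projects, max_score=10.0):
    """Score the portfolio, place it in a band, and list strategies that accept it."""
    for p in projects:
        if not 0 <= p.risk <= max_score or p.budget < 0:
            raise ValueError(f"invalid risk or budget for project {p.name!r}")
    score = weighted_score(projects)
    pct = score * 100 / max_score
    # Bands from the article: first 25% low, middle 50% medium, last 25% high.
    band = "low" if pct <= 25 else "medium" if pct <= 75 else "high"
    accepted_by = [name for name, ceiling in STRATEGY_CEILING_PCT.items()
                   if pct <= ceiling]
    return {"score": score, "pct_of_max": pct, "band": band,
            "accepted_by": accepted_by}


def without(projects, *names):
    """What-if helper: the portfolio with the named projects removed.

    Assumes the freed budget is not reallocated, so the remaining budget
    shares are simply renormalized by weighted_score().
    """
    return [p for p in projects if p.name not in names]


# Constructed sample portfolio (not data from the article).
SAMPLE = [
    Project("A", risk=9, budget=40),
    Project("B", risk=7, budget=30),
    Project("C", risk=5, budget=20),
    Project("D", risk=3, budget=10),
]

if __name__ == "__main__":
    print("current   :", assess(SAMPLE))
    print("drivers   :", contributions(SAMPLE))
    print("drop A    :", assess(without(SAMPLE, "A")))
    print("drop A, B :", assess(without(SAMPLE, "A", "B")))
```

The sample scores 7 out of 10, the figure the article calls approaching the danger zone. Removing the single riskiest project is not enough to fit a balanced strategy here, which only becomes acceptable after a second removal.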

Develop Portfolio Risk Responses

Develop a response adequate to the risk level of your portfolio and the acceptable level of it. Since raising the budget significantly to negate the impact a few risky projects have on the portfolio is out of the question, here are your main options:

  • Remove a project from a portfolio. In a portfolio that is too risky, you’ll likely have to remove several.
  • Postpone a project. If the level of risk can fall in the future or if a project being executed now poses a critical chain risk, move it in the timeline.
  • Improve chances of project success. If the risk level can be improved by assigning more personnel or hiring consultants, it can be the right decision.

Removal of projects from the portfolio is the hardest part. You need to know which projects to remove and how many of them should no longer be in the portfolio. Simply removing the riskiest projects might not be the right option if they have high business value or ROI estimates.

To balance the risks in a portfolio well, use specialized project risk management software. Epicflow’s Portfolio Optimizer is a tool developed to solve this exact problem: it helps you create a combination of projects with maximum business value potential with regard to existing constraints.


Monitor & Iterate

After management decisions are approved and implemented, monitor how well the portfolio performs. Track both portfolio performance metrics like lead time and business outcomes of the executed projects.

Change your approach to risk management if the results are not in line with your expectations.

Best Strategies for Portfolio Risk Management

This list of best practices applies to all approaches and methodologies of project portfolio risk management.

Choosing the Right Strategy

The most important success factor in risk management is choosing the right strategy on the higher organizational level. The job of a portfolio manager is to align the portfolio with the company’s risk management strategy. If that vision is not right either for the company and its resource pool or for the current situation on the market, this alignment is not going to be effective.

Proactive Risk Management

If you’re using a reactive risk management strategy, you’re responding to risks too late, when they have already impacted the portfolio’s performance. Instead, you should run predictive analytics to understand when a risk is likely to occur and manage it proactively. This way, you avert all or most of the damage to the portfolio.

Standardization

Standardizing your approach to portfolio risk management and defining each step of the process allows PMOs to achieve two crucial things.

  • First, it makes your decision-making process very easy. You don’t need to think through every step, just follow the methodology.
  • Second, if something goes wrong in the process of risk assessment or portfolio management, you can always trace it back to a specific documented step and change it to avoid poor results in the future.

Managing Resource Constraints

When it comes to operational risks, the main constraint that most companies have is the resources available to them. Not having a clear understanding of an organization’s resource capacity often leads to taking on too many projects, overloading your resources, and causing delivery delays.

Analyzing future resource load allows risk managers to avoid delays by rescheduling projects based on priority. Integrating resource constraints management into company-wide decision making helps prevent most of these risks at the planning stage.

Flexibility

Standardizing how you do portfolio risk management doesn’t mean the approach is set in stone. Your risk management strategy needs to be flexible enough: you may need to change it if it’s not working well, and to add new risk factors or adjust the weights of existing ones if needed.

Using Analytical Tools

Risk always deals with uncertainties, and subjective judgement always carries the danger of under- or overestimating the actual level of risk. To do risk management right, you need to make decisions based on data and reduce the level of subjectivity in your assessments. Using analytical tools is one of the ways to do that.

Analytical tools help you calculate risks in a portfolio, and resource management software helps allocate resources to the right projects based on risk projections and other data, which makes portfolio management much easier. They can take on the technical side of risk management and make accurate predictions about portfolio performance without adding data analytics talent to the PMO team.

How Epicflow Can Help with Risk Management

Epicflow is a portfolio management tool that allows businesses to improve visibility into portfolio performance, find bottlenecks, and create a portfolio that can deliver more business value. Here is how it can assist your risk management efforts.

  • Pipeline overview in Epicflow dashboard can visualize your portfolio and identify projects at risk of not meeting milestones.
  • Its capacity planning software shows future bottlenecks based on resources’ involvement in projects and assists in proactive risk management.
  • What-if analysis allows you to test scenarios and find the optimal portfolio composition to avoid bottlenecks and delays.
  • Epicflow AI Portfolio Optimizer can analyze resource constraints and project priority to create a combination of projects that maximizes business value delivery while minimizing operational risks.


Conclusion

Portfolio risk management is a difficult process that defines a lot of portfolio success. Its effective implementation ensures that even if some projects fail, the portfolio as a whole can deliver business value. Implementation of the risk management process involves analyzing risks and creating risk mitigation strategies. Most often, those include removal or postponement of projects with high risk and low business priority.

References

  1. Kwai-Sang Chin, Ying-Ming Wang, Gary Ka Kwai Poon, Jian-Bo Yang, Failure mode and effects analysis using a group-based evidential reasoning approach, Computers & Operations Research, Volume 36, Issue 6, 2009, Pages 1768-1779, ISSN 0305-0548, https://doi.org/10.1016/j.cor.2008.05.002. (https://www.sciencedirect.com/science/article/pii/S030505480800097X)

Frequently Asked Questions

What is portfolio risk management?

Project portfolio risk management is a systematic process of assessing the risks in any given portfolio of projects and making changes to it to align the risk level with company expectations. 

Why is portfolio risk management important?

The importance of portfolio risk management lies in the ability to manage portfolio risk and achieve better portfolio performance. Mitigating risks early decreases operational delays and can help the company avoid external risks better.

What are the most common types of risks involved in portfolio management?

In a project portfolio, the main risks you’ll be dealing with are operational and resource risks. Other risks include: risk of force majeure events, market risk, industry-specific risks, regulatory, economic, financial, and strategic risks.

Which strategies are used to minimize risk while maximizing returns in a portfolio?

Since changing the budget allocated to a portfolio is almost impossible in PPM, the few options for managing portfolio risk are removing or postponing risky projects and assigning more resources to projects that face risks of delays.

When should portfolio risk be reassessed or adjusted?

Ideally, you should do risk reassessment at least quarterly. If you find that a certain risk has increased or decreased in likelihood, it’s best to reassess the portfolio immediately.

What is the difference between systematic and unsystematic risk?

Systematic risks are those caused by external factors like recession, political tensions, or policy change. Unsystematic risks are those caused by internal company factors or related to the industry, like supply shortages in a certain area or operational risks.

Why is understanding risk tolerance crucial for portfolio management?

Risk tolerance is the measure of how much risk a company is willing to take. Having a clear understanding of it ensures portfolio managers can align the portfolio with the company strategy and create an optimal level of risk in it.

What tools and software are available for advanced portfolio risk analysis?

There are several enterprise risk management tools on the market that specifically deal with risk analytics. For analyzing operational risks, you can use Epicflow as it can improve portfolio visibility and analyze resource-related risks.

What are the 4 types of risk management?

The four types of risk management responses are:

  • Avoid
  • Mitigate
  • Accept
  • Transfer

What are the 4 pillars of risk management?

An approach to risk management developed by Professor Hazel Kemshall of De Montfort University includes four pillars:

  • Supervision
  • Monitoring & Control
  • Interventions and Treatment
  • Victim Safety Planning