Portfolio Risk Management
Table of Contents
Handling risks at the individual project level is a lot easier, because there are only a few factors involved and need to be controlled. But when risk management is required at the overall enterprise level or project portfolio management, an organization will need a portfolio risk management strategy. After all, it only takes one program or project to go wrong for an entire portfolio to fail meeting the organization’s strategic objectives.
Portfolio risk management, however, does not mean avoiding risky projects entirely to ensure success. But to have a better understanding of the overall level of risk in a portfolio, and then adjust project risks accordingly.
What is Portfolio Risk Management?
Any uncertain event or condition that will have either a negative or positive effect on portfolios’ objectives is considered a portfolio risk. It could be the weakest or strongest link that went bad at some point. There are many causes behind a portfolio risk, and the impact is not always foreseen as either positive or negative, thus the need for portfolio risk management to eliminate uncertainties as much as possible, and limit the damage so the portfolio won’t be derailed.
To keep risk at a minimum or at a desirable level, portfolio risk management must be a structured assessment and analysis of portfolio risk through risk management. The goal is to mitigate activities, events, and circumstances that will have a negative impact on a portfolio, and to capitalize on potential opportunities.
In portfolios, there is usually some interdependencies between high-priority components, portfolio risk management is then crucial, because of the significant impact a component failure will have. In some instances, one portfolio component risk can potentially increase the risk of another, underlining the importance of portfolio risk management.
Apart from identifying causes of potential failure, risk management also identifies potential portfolio improvements and exploit them to increase quality, service levels, customer satisfaction and productivity. In some cases, new portfolio components may be discovered through portfolio risk management.
Portfolio Risk Management vs. Project and Program Risk Management
Portfolio risk management accepts the right amount of risk with the anticipation of an equal or higher reward, while project and program risk management focuses on identifying, analyzing and controlling risks and potential threats that can impact a project. There’s simply no room for project failures in a project-driven organizations.
But portfolio-based organizations actively embrace appropriate risks, knowing that strategic portfolio risk management will yield high rewards. For instance, an organization may invest in new technology that has yet to be tested, in anticipation of high pro table sales. The potential risk, under the circumstances, is the possibility that the technology may not work. If it does, however, then portfolio risk management would prove beneficial.
At its most basic, project concerns and risks are often specific to a program or project, but portfolios focus on their entirety, taking into account the financial value of a portfolio, alignment of the portfolio to the organizational objectives and strategy, and the balance of the projects and programs within the portfolio.
Between portfolio risk management and project and program risk management, the former is more difficult because of the projects’ inherent inconsistencies. There is no one magic formula that will work for an entire portfolio. In fact, what will work for one component, may not necessarily work for another.
One thing is certain, however, portfolio risk management will find ways to decrease potential threats that will impact the value, balance and strategic fitness of a portfolio, and increase positive events for a positive impact.
What are Portfolio Risk Management Processes?
Portfolio risk management is one of the many portfolio management processes, but it has specific roles to play that can impact the overall portfolio. In a nutshell, it involves risk planning, assessment and response.
• Develop Portfolio Risk Management Plan
In this stage of the portfolio risk management process, the tolerances of portfolio risks are identified, in order to create the next step of the process, which is management of portfolio risks.
In a dynamic environment, an organization’s portfolio is vulnerable to many risk conditions that are either positive or negative, and at either organizational or team level. Examples of negative risks are poor management practices and excessive number of concurrent projects, while positive risks are integrated management systems, and dependency on highly specialized external participants.
In order to achieve a desirable overall risk level, or to tip the scale to the positive side, a portfolio risk management plan must be developed. Due to the downstream impact on portfolio components, however, portfolio risk management must touch on the root cause of potential threats. That is, correction of negative risks must be done at the root level. Capitalization of positive risks, however, should be done at the organizational and portfolio level.
Development of a portfolio risk management plan, starts with a risk management plan, which will describe the structure of risk management activities and how each one will be performed. This is where the plan is laid out, complete with procedures, timeline and reference to corporate policies, risk management guidelines, and the procedures that define the risk tolerances, thresholds and strategy of an organization.
The same risk management plan will also serve as a guide for governing bodies when evaluating potential threats in proposals of new portfolio components. Under the circumstances, however, portfolio risk management is focused primarily in determining whether the new initiative / component would increase the overall risk of a portfolio to an unacceptable level. If this is the case, a portfolio risk manager may consider a complete termination, or to modify, postpone or accept the proposed project, while developing plans to mitigate the negative impact.
After all, portfolio risk management is not just about doing the projects right, but also doing the right projects, risks and all. Restructuring of the new proposal and creating a risk management plan should help achieve balance.
• How are risks identified?
Anyone in an organization can identify risks in portfolio management, from the portfolio management team to executive management, and everyone else in between. The kind of threats they will recognize, however, will vary based on which organizational level they belong in. This makes portfolio risk management a mixed bag of sorts that will take a unified direction once a risk management plan is developed.
For executive management, for example, risks are anything that can affect a portfolio’s value, funding and investment measures, and time to market process. These include customer brand, impact on organizational strategy and objectives, and existing products and services. This is why executive managers focus on protecting company assets and shareholder’s investment, while identifying and managing liabilities, when developing a portfolio risk management plan.
Operations management is generally concerned about issues that can arise from services, product and project development, organization products, and the processes that must be carried out to support or lessen the impact of organizational changes.
Portfolio managers, on the other hand, are more concerned on the risks that can impact data accuracy, reporting, quality of portfolio, and the alignment between portfolio and organizational strategy. They will focus on these risks when creating a portfolio risk management strategy.
Risk concerns of the program and project team focus on the time, cost, and scope a portfolio’s component, which can be affected by lack of organizational integrity and transparency issues, which are considered internal risks under portfolio risk management.
• Managed portfolio risks
There are four stages involved in managing portfolio risks – identify, analyze, develop response, and monitor and control potential threats throughout the portfolio risk management process.
To better analyze risks, it is important to identify where they arise or originate from. Most of the potential threats identified during the development of portfolio risk planning may stem from either external or internal sources.
External sources of risk include:
- Financial market
- Legal and regulatory requirements
- Political events
- Technological advances
- Natural events and/or environmental concerns
- Pressures of globalization
For competitor-related risks, huge amounts of significant data must be gathered and then investigated through benchmark analysis, as part of the portfolio risk management process. Organizational data is then used to compare against high performers and peers. Whatever variances found are then translated as either an opportunity or a threat.
Internal sources of risk include:
- Management decisions
- Shifting priorities
- Corporate/organizational realignments
- Funding reallocation
- Lack of integrity
Environmental aspects of an organization that can contribute to portfolio risks are also considered as sources of internal risk, and should be taken into account when developing a portfolio risk management plan.
Based on risk sources, the next step in the portfolio risk management process is to classify them as structural or execution risks.
These refer to events and conditions that hamper an organization’s ability to organize its portfolios, according to the hierarchical and clustered structures set. Considering that these structures define how an organization operates and carries out its tasks, failure to align them will result in ineffective portfolio risk management plan.
Structural risks are also affected by an organization’s portfolio management. Overambitious plans and rapidly changing strategies pose a risk to a portfolio. But effective portfolio governance and best practices will provide opportunities for improvement.
This refers to risks that can arise from portfolio execution or of its components. In portfolio risk management, it is a test against an organization’s ability to manage change, and coordinate and supervise to achieve its mission and strategic objectives. Portfolio risk management should also take into account the risks of each initiative that may arise from the interaction between portfolio components. An organization may use a special set of tools to evaluate how interlinked component risks can affect strategic objectives.
Organizational risk tolerance
Part of the portfolio risk management plan is to identify an organization’s risk threshold or attitude towards the effects of risks, whether positive or negative. Depending on the data gathered, a portfolio can be identified as risk tolerant or risk intolerant.
Characteristics of a risk-tolerant organization
An organization willing to put their portfolio risk management strategies to the test is willing to take more risks to increase impact and probability of positive events. It will not back down from opportunities to move more quickly into new markets or heavily invest in new product development, even when the impact could spread to existing products, services, and forecasted results.
With an effective portfolio risk management plan, an organization will take risk, without losing sight of the benefits that a program or project could generate.
A risk-intolerant organization, on the other hand, would prefer a risk-free portfolio, which is often impossible with portfolio management, where components are bound to have potential threats one way or another.
What is the role of a Portfolio Manager?
Apart from managing risks, a portfolio manager also needs to provide reserves or contingencies essential to portfolio risk management. When something goes wrong, what is the plan B or C? It is the portfolio manager’s responsibilities to manage an aggregate contingency to ensure threats with low probability and high impact are covered, if and when they happen.
Part of their duty is to aggregate risk responses as well based on common characteristics, instead of a portfolio risk management element. This is called equity protection, where no portfolio risk management element is considered, only the initiatives of a portfolio that are coincidentally coupled.
This is similar to what insurance companies use to provide protection at equity level. In portfolio risk management, the opportunity at equity protection level is the reason that a sanction is added in the portfolio in the first place.
The main objective of portfolio risk management is to reduce the impact of negative events, and increase the impact of positive events on a portfolio. Portfolio risk management then requires a balancing act for portfolio managers and everyone concerned, what with portfolio components being dynamic, changing and shifting every time a program and/or a project is improved, delayed or manipulated to achieve balance and strategic fitness of a portfolio.