Risk Management in Portfolios, Programs, and Projects: A Practice Guide PDF

Summary

This guide provides a practice approach to risk management in portfolios, programs, and projects. It is aligned with the PMI project management standards. The guide emphasizes the importance of aligning risk management with organizational strategy and value realization.

Full Transcript


Risk Management in Portfolios, Programs, and Projects: A Practice Guide

PMI Member benefit licensed to: Ace Juntilla - 10653521. Not for distribution, sale, or reproduction.

Risk Management in Portfolios, Programs, and Projects: A Practice Guide (paperback) ISBN: 978-1-62825-816-5

Published by:
Project Management Institute, Inc.
18 Campus Blvd., Ste. 150
Newtown Square, Pennsylvania 19073-3299 USA
PMI.org
Phone: +1 610 356 4600
Email: [email protected]

©2024 Project Management Institute, Inc. All rights reserved.

Our copyright content is protected by U.S. intellectual property law that is recognized by most countries. To republish or reproduce our content, you must obtain our permission. Please go to http://www.pmi.org/permissions for details.

PMI, the PMI logo, PMBOK, OPM3, PMP, CAPM, PgMP, PfMP, PMI-RMP, PMI-SP, PMI-ACP, PMI-PBA, PROJECT MANAGEMENT JOURNAL, PM NETWORK, PMI TODAY, PULSE OF THE PROFESSION and the slogan MAKING PROJECT MANAGEMENT INDISPENSABLE FOR BUSINESS RESULTS. are all marks of Project Management Institute, Inc. For a comprehensive list of PMI trademarks, contact the PMI Legal Department. All other trademarks, service marks, trade names, trade dress, product names and logos appearing herein are the property of their respective owners. Any rights not expressly granted herein are reserved.

To place an order or for pricing information, please contact Independent Publishers Group:
Independent Publishers Group
Order Department
814 North Franklin Street
Chicago, IL 60610 USA
Phone: 800 888 4741
Fax: +1 312 337 5985
Email: [email protected] (For orders only)

Printed in the United States of America. No part of this work may be reproduced or transmitted in any form or by any means, electronic, manual, photocopying, recording, or by any information storage and retrieval system, without prior written permission of the publisher.
The paper used in this book complies with the Permanent Paper Standard issued by the National Information Standards Organization (Z39.48—1984).

Notice

The Project Management Institute, Inc. (PMI) standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest in the topic covered by this publication. While PMI administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications.

PMI disclaims liability for any personal injury, property or other damages of any nature whatsoever, whether special, indirect, consequential or compensatory, directly or indirectly resulting from the publication, use of application, or reliance on this document. PMI disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any of your particular purposes or needs. PMI does not undertake to guarantee the performance of any individual manufacturer or seller’s products or services by virtue of this standard or guide.

In publishing and making this document available, PMI is not undertaking to render professional or other services for or on behalf of any person or entity, nor is PMI undertaking to perform any duty owed by any person or entity to someone else.
Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication.

PMI has no power, nor does it undertake to police or enforce compliance with the contents of this document. PMI does not certify, test, or inspect products, designs, or installations for safety or health purposes. Any certification or other statement of compliance with any health or safety-related information in this document shall not be attributable to PMI and is solely the responsibility of the certifier or maker of the statement.

Preface

Risk Management in Portfolios, Programs, and Projects: A Practice Guide is a supplemental resource aligned with the PMI series of American National Standards Institute (ANSI)-approved standards, bringing consistency to the customer experience across the PMI publications portfolio. Organizations must adapt their visions, missions, and objectives to changing environments; therefore, PMI practice guides are evolving with them. In addition, the goal of A Guide to the Project Management Body of Knowledge (PMBOK® Guide) is to adapt and implement new project management perspectives and the approaches used to increase benefits and generate value for organizations. This presents a new opportunity to align Risk Management in Portfolios, Programs, and Projects: A Practice Guide with those shifting perspectives related to risk management.
During the last few years in particular, new trends have emerged; new management skills are requested in the market; and people continue to improve their capabilities, increasing their knowledge and developing abilities to contribute to the objectives of their organizations. The PMBOK® Guide—Seventh Edition made several changes in the structure and content of the guide, with an enhanced focus on delivering value to organizations and their stakeholders. Those changes were incorporated in the new Risk Management in Portfolios, Programs, and Projects: A Practice Guide, changing the Knowledge Areas to the eight project management performance domains, aligning the concept of a system for value delivery, implementing agile approaches in the risk management process, and including a case study to make the content more relatable to project managers. The new Risk Management in Portfolios, Programs, and Projects: A Practice Guide also aligns risk management more closely with the updated PMI Talent Triangle®, integrating the required skills in Ways of Working, Business Acumen, and Power Skills. These new ways of working will help project professionals navigate business changes and connect outcomes to generating greater value for organizations. Part of the objective of Risk Management in Portfolios, Programs, and Projects: A Practice Guide is to identify the risk management skills that organizations need to increase project success and value. The previous edition of The Standard for Risk Management in Portfolios, Programs, and Projects focused on processes, tools, and techniques, and was aligned with the Process Groups and Knowledge Areas. 
Risk Management in Portfolios, Programs, and Projects: A Practice Guide responds to the elements that stakeholders have requested in their feedback: It improves the usefulness of the techniques, tools, processes, and good practices of risk management; aligns risk management practices with performance domains and portfolio, program, and project management principles; and is focused on realizing benefits and value through project outputs and outcomes.

Table of Contents

1 Introduction
1.1 Purpose of This Practice Guide
1.2 Approach of This Practice Guide
1.3 Audience for This Practice Guide
1.4 Principles of Risk Management
1.4.1 Strive to Achieve Excellence in the Practice of Risk Management
1.4.2 Align Risk Management with Organizational Strategy, Governance Practices, and Project Management Performance Domains
1.4.3 Focus on the Higher Risk Value
1.4.4 Optimize Risk Responses to Focus on Value Realization
1.4.5 Foster a Culture That Embraces Risk Management
1.4.6 Navigate Complexity Using Risk Management to Enable Successful Outcomes and Value Realization
1.4.7 Continuously Improve Risk Management Competencies
1.5 Structure of This Practice Guide

2 Context and Key Concepts of Risk Management
2.1 Key Concepts and Definitions
2.1.1 Risk
2.1.2 Risk Attitude
2.1.3 Risk Appetite
2.1.4 Risk Threshold
2.1.5 Uncertainty
2.2 Risk Management in Organizations
2.3 Risk Management at Different Organizational Levels
2.3.1 Enterprise
2.3.2 Portfolio
2.3.3 Program
2.3.4 Project
2.4 Key Success Factors

3 Framework for Risk Management in Portfolio, Program, and Project Management
3.1 Business Context of Risk Management in Portfolio, Program, and Project Management
3.1.1 Organizational Framework
3.1.2 Organizational Context
3.1.3 Strategic and Organizational Planning
3.1.4 Linking Planning with Execution through Portfolio, Program, and Project Management
3.2 Scope of Accountability, Responsibility, and Authority
3.2.1 Accountability at the Enterprise Level
3.2.2 Accountability at the Portfolio Level
3.2.3 Accountability at the Program Level
3.2.4 Accountability at the Project Level
3.3 General Approaches to Risk Management
3.3.1 Factors for Evaluating Risk
3.3.2 Responding to Risks

4 Risk Management Life Cycle in Portfolio, Program, and Project Management
4.1 Introduction to the Risk Management Life Cycle
Case Study: Introduction to the Compact Wind Turbine Project
4.1.1 Risk Management in Adaptive, Predictive, and Hybrid Project Management
4.1.2 Integrating Project Risk Management and Organizational Risk Management
4.1.3 Risk Escalation
Case Study: Risk Escalation in the Compact Wind Turbine Project
4.1.4 Organizational Project Management and Its Application in Risk Management
4.2 Plan Risk Management
4.2.1 Purpose of Plan Risk Management
Case Study: Tailoring and Scaling the Risk Management Plan in the Compact Wind Turbine Project
4.2.2 Key Success Factors for Plan Risk Management
Case Study: Planning Risk Management in the Compact Wind Turbine Project
4.3 Identify Risks
4.3.1 Purpose of Identify Risks
4.3.2 Key Success Factors for Identify Risks
Case Study: Identifying Risks in the Compact Wind Turbine Project
4.4 Perform Qualitative Risk Analysis
4.4.1 Purpose of Perform Qualitative Risk Analysis
4.4.2 Key Success Factors for Perform Qualitative Risk Analysis
4.5 Perform Quantitative Risk Analysis
4.5.1 Purpose of Perform Quantitative Risk Analysis
4.5.2 Key Success Factors for Perform Quantitative Risk Analysis
4.6 Plan Risk Responses
Case Study: Responses to Threats in the Compact Wind Turbine Project
Case Study: Responses to Opportunities in the Compact Wind Turbine Project
4.6.1 Purpose of Plan Risk Responses
4.6.2 Key Success Factors for Plan Risk Responses
Case Study: Planning Risk Responses in the Compact Wind Turbine Project
4.7 Implement Risk Responses
4.7.1 Purpose of Implement Risk Responses
4.7.2 Key Success Factors for Implement Risk Responses
Case Study: Implementing Risk Responses in the Compact Wind Turbine Project
4.8 Monitor Risks
4.8.1 Purpose of Monitor Risks
4.8.2 Key Success Factors for Monitor Risks
Case Study: Monitoring Risks in the Compact Wind Turbine Project

5 Risk Management in the Context of Portfolio Management
5.1 Interconnectedness of Risks in Portfolios, Programs, and Projects
5.1.1 Risk Efficiency and Risk-Return Trade-Offs
Case Study: Portfolio Management in the Context of the Compact Wind Turbine Project
5.1.2 Risk Exposure in Portfolios
5.1.3 Role of Portfolio Manager
5.1.4 Risk-Efficient Boundary and Organizational Strategy
Case Study: The Risk-Efficient Boundary in the Compact Wind Turbine Project
5.1.5 Emerging Trends in Portfolio Risk Management
Case Study: Incorporating Emerging Trends in the Compact Wind Turbine Project
5.2 Portfolio Risk Management Life Cycle
5.2.1 Portfolio Risk Identification
Case Study: Strategic-Level Portfolio Risks in the Compact Wind Turbine Project
5.2.2 Portfolio Risk Qualitative and Quantitative Analyses
Case Study: Portfolio Risk Analyses in the Compact Wind Turbine Project
5.2.3 Portfolio Risk Response Strategies
5.2.4 Implementing Portfolio Risk Responses
5.2.5 Monitoring Portfolio Risks
5.3 Integration of Risk Management into the Portfolio Management Performance Domains

6 Risk Management in the Context of Program Management
6.1 Distinctions and Challenges in Program Risk Management
6.1.1 Understanding Program Risk Management
6.1.2 Sources, Nature, and Types of Program Risks
6.1.3 Bridging the Risk Management Gaps among the Portfolio, Program, and Project Levels
6.1.4 Managing Program Overall and Individual Risks
6.1.5 Achieving Flexibility and Resilience in Program Risk Management
6.1.6 Program Risk Management Implementation Challenges
6.2 Program Risk Management Life Cycle
6.2.1 Program Risk Identification
Case Study: Program Management in the Context of the Compact Wind Turbine Project
6.2.2 Program Risk Qualitative and Quantitative Analyses
Case Study: Program Risk Analyses in the Compact Wind Turbine Project
6.2.3 Program Risk Response Strategies
Case Study: Program Risk Response Strategies in the Compact Wind Turbine Project
6.2.4 Implementing Program Risk Responses
6.2.5 Monitoring Program Risks
Case Study: Monitoring Program Risks in the Compact Wind Turbine Project
6.3 Integration of Risk Management into the Program Management Performance Domains
6.3.1 Strategic Alignment
6.3.2 Benefits Management
6.3.3 Stakeholder Engagement
6.3.4 Governance Framework
6.3.5 Collaboration
6.3.6 Life Cycle Management
Case Study: Program Management Performance Domains in the Compact Wind Turbine Project
6.3.7 Program Activities
Case Study: Program Activities in the Compact Wind Turbine Project

7 Risk Management in the Context of Project Management
7.1 Risk Management Gaps among the Project and Higher Levels
7.1.1 Establishing Risk Thresholds
7.1.2 Addressing Risks from Higher and Strategic Levels
7.1.3 Project-Level Risk Interfaces with Operations
7.2 Project Risk Management Life Cycle
7.2.1 Enhancing Risk Analysis and Involving the Right Participants
Case Study: Project Management in the Context of the Compact Wind Turbine Project
7.2.2 Project Risk Identification
Case Study: Project Risk Identification in the Compact Wind Turbine Project
7.2.3 Project Risk Qualitative and Quantitative Analyses
Case Study: Project Risk Analyses in the Compact Wind Turbine Project
7.2.4 Project Risk Response Strategies
Case Study: Project Risk Response Strategies in the Compact Wind Turbine Project
7.2.5 Implementing Project Risk Responses
Case Study: Implementing Project Risk Responses in the Compact Wind Turbine Project
7.2.6 Monitoring Project Risk
Case Study: Monitoring Project Risk in the Compact Wind Turbine Project
7.3 Integration of Risk Management into Project Management Processes
7.3.1 Initiating Processes
7.3.2 Planning Processes
7.3.3 Executing Processes
7.3.4 Monitoring and Controlling Processes
7.3.5 Closing Processes
Case Study: Integration of Risk Management into the Project Management Processes in the Compact Wind Turbine Project
7.4 Project Risk Management Controls

References

Appendix X1 Contributors and Reviewers of Risk Management in Portfolios, Programs, and Projects: A Practice Guide
X1.1 Contributors
X1.2 PMI Team Members

Appendix X2 Techniques for the Risk Management Framework
X2.1 Risk Management Planning
X2.2 Identify Risks
X2.2.1 Assumptions and Constraints Analysis
X2.2.2 Brainstorming
X2.2.3 Cause and Effect (Ishikawa) Diagrams
X2.2.4 Checklists
X2.2.5 Delphi Technique
X2.2.6 Document Review
X2.2.7 Expert Judgment
X2.2.8 Facilitation
X2.2.9 Historical Information
X2.2.10 Interviews
X2.2.11 Prompt Lists
X2.2.12 Questionnaires
X2.2.13 Root Cause Analysis
X2.2.14 SWOT Analysis
X2.2.15 Premortem
X2.3 Qualitative Risk Analysis
X2.3.1 Affinity Diagrams
X2.3.2 Analytic Hierarchy Process
X2.3.3 Influence Diagrams
X2.3.4 Nominal Group Technique
X2.3.5 Probability and Impact Matrixes
X2.3.6 Risk Data Quality Analysis
X2.3.7 Assessment of Other Risk Parameters
X2.3.8 System Dynamics
X2.4 Quantitative Risk Analysis
X2.4.1 Contingency Reserve Estimation
X2.4.2 Decision Tree Analysis
X2.4.3 Estimating Techniques Applied to Probability and Impact
X2.4.4 Expected Monetary Value
X2.4.5 Failure Modes and Effects Analysis/Fault Tree Analysis
X2.4.6 Monte Carlo Simulation
X2.4.7 Program or Project Evaluation and Review Technique
X2.5 Plan Risk Responses
X2.5.1 Contingency
Planning...............................................................................................................123 X2.5.2 Force Field Analysis.....................................................................................................................123 X2.5.3 Multicriteria Selection Technique..........................................................................................124 X2.5.4 Scenario Analysis.........................................................................................................................124 X2.5.5 Simulation......................................................................................................................................124 X2.6 Response Plan Implementation...............................................................................................................124 X2.7 Monitor Risks...................................................................................................................................................125 X2.7.1 Data Analytics...............................................................................................................................125 X2.7.2 Reserve Analysis...........................................................................................................................125 X2.7.3 Residual Impact Analysis..........................................................................................................125 X2.7.4 Risk Audit........................................................................................................................................125 X2.7.5 Risk Breakdown Structure........................................................................................................125 X2.7.6 Risk Reassessment......................................................................................................................126 X2.7.7 Sensitivity 
Analysis......................................................................................................................126 X2.7.8 Status Meetings...........................................................................................................................127 X2.7.9 Trend Analysis...............................................................................................................................127 X2.7.10 Variance Analysis.........................................................................................................................127 X2.8 Risk Management Techniques Recap.....................................................................................................127 Appendix X3 Risk Classification................................................................................................... 133 Glossary.......................................................................................................................................... 135 Index............................................................................................................................................... 139 PMI Member benefit licensed to: Ace Juntilla - 10653521. Not for distribution, sale, or reproduction. Table of Contents xi PMI Member benefit licensed to: Ace Juntilla - 10653521. Not for distribution, sale, or reproduction. List of Figures and Tables Figures Figure 2-1. Risk Appetite and Its Relationship with Organizational Strategy....................................... 10 Figure 2-2. Cascading of Risk Management Strategy into Portfolios, Programs, and Projects....... 14 Figure 2-3. Key Success Factors for Risk Management..................................................................................18 Figure 3-1. Risk across the Various Levels of the Organization...................................................................22 Figure 3-2. 
Impact of Strategy on Organizational Environment................................................................23 Figure 3-3. Risk Management across Levels of Organizational Activities...............................................23 Figure 3-4. Set-Based Design Illustration............................................................................................................28 Figure 3-5. Risk Classification..................................................................................................................................30 Figure 4-1. The Risk Management Life Cycle Framework.............................................................................34 Figure 4-2. Portfolio Overview for the Municipality.......................................................................................35 Figure 4-3. Integrating Project Risk Management and Organizational Risk Management.............. 39 Figure 4-4. Primary Reasons for Integrating Project Risk Management and Organizational Risk Management..................................................................................................40 Figure 4-5. Monitor Risks..........................................................................................................................................61 Figure 5-1. Portfolio Management Performance Domains..........................................................................71 Figure 6-1. Understanding Program Risk Management...............................................................................74 Figure 6-2. Managing Program Overall and Individual Risks......................................................................77 Figure 6-3. Program Management Performance Domains..........................................................................86 Figure X2-1. Key Areas of Focus for Plan Risk Management........................................................................110 Figure X2-2. 
The Relationship among Cause, Risk, and Effect.....................................................................111 Figure X2-3. Example of a Constraint Analysis with Fields for Description and Analysis Results...................................................................................................................................112 Figure X2-4. Example of a Cause and Effect or Ishikawa Diagram.............................................................112 Figure X2-5. Example (Partial) of a Checklist with Typical Structure of Category, Subcategory, Specific Risks, and Effect.......................................................................................113 Figure X2-6. Three Well-Known Examples of Prompt Lists That Can Be Useful for Risk Identification...............................................................................................................................114 Figure X2-7. Example of a Root Cause Analysis................................................................................................115 Figure X2-8. Example of a SWOT Analysis Structure.......................................................................................115 Figure X2-9. Example of Definitions for Levels of Probability and Impact on Three Specific Objectives Used to Evaluate Individual Risks..............................................116 Figure X2-10. Example of Analytic Hierarchy Process Computations to Determine the Relative Weighting of Four Objectives Related to a Project.................117 Figure X2-11. Example of Probability and Impact Matrix Used to Sort Risks into Very High (VH), High (H), Moderate (M), Low (L), and Very Low (VL) Classes................118 Figure X2-12. Example of a Decision Tree Diagram...........................................................................................120 Figure X2-13. 
Example of Monte Carlo Simulation of a Project Cost..........................................................122 Figure X2-14. Example of a Force Field Analysis and the Balance of Forces for and against Change...........................................................................................................................123 Figure X2-15. Example of Multicriteria Weighting and Analysis...................................................................124 Figure X2-16. Example of a Generic Risk Breakdown Structure for a Project...........................................126 PMI Member benefit licensed to: Ace Juntilla - 10653521. Not for distribution, sale, or reproduction. List of Figures and Tables xiii Tables Table 5-1. Areas of the Portfolio Management Performance Domains Typically Covered by Risk Management Practices......................................................................72 Table 6-1. Areas of the Program Management Performance Domains Typically Covered by Risk Management Practices......................................................................87 Table X2-1. Matrix of Risk Management Techniques Mapped to Risk Management Life Cycle Stages...............................................................................................128 PMI Member benefit licensed to: Ace Juntilla - 10653521. Not for distribution, sale, or reproduction. xiv Risk Management in Portfolios, Programs, and Projects: A Practice Guide 1 Introduction Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. Positive risks are opportunities, while negative risks are threats. The practice of risk management includes developing a strategy for identifying, analyzing, and prioritizing risks; planning and implementing appropriate responses; and monitoring risks on an ongoing basis until the portfolio, program, or project is completed. 
Identified risks may or may not materialize, but it is important to monitor them as they can have a significant impact on a portfolio, program, project, or operations. Consequently, risk management is an essential aspect of the business environment and organizational activities. This practice guide describes the application of risk management within an enterprise risk management (ERM) context that includes the portfolio, program, and project levels. Ultimately, risk management shapes the decision-making processes across the organization and within each of its components. Risk management is essential for portfolios, programs, and projects to be successful; to be delivered on time with quality; and to fully realize the benefits and value these components bring to their organizations. A vital technical and managerial skill, risk management is also augmented by “soft” or “interpersonal” skills that foster collaboration with others and empower project professionals to succeed in the workplace. 
Furthermore, this dynamic range of abilities, also known as “power skills,” significantly enhances the performance of multiple key drivers of success, including benefits realization management (BRM) maturity, organization agility, and project management maturity, according to the PMI Pulse of the Profession®—Power Skills: Redefining Project Success report.¹

Risk management allows an organization to:
- Anticipate and manage change;
- Cultivate a corporate culture that balances risk, creativity, innovation, safety, and thoughtfulness;
- Be more agile and adaptable to lean innovation and startups, while also supporting organizational agility and resilience;
- Improve decision-making process;
- Proactively implement potentially lower-cost/time preventive actions instead of higher-cost/time corrective actions to issues;
- Engage stakeholders effectively;
- Increase the chances to realize opportunities for the benefit of the organization;
- Integrate sustainable, continuous improvement throughout the life cycle of the portfolio, program, or project;
- Promote awareness of uncertainties and associated impacts; and
- Act upon the transformations taking place in the organizational environment.

Risk management also establishes interconnected relationships among portfolios, programs, and projects—working with different approaches and frameworks such as adaptive, predictive, or hybrid—and links these connections to ERM and organizational strategy, with a focus on value delivery. As a result, this practice guide is useful and applicable to any organization, regardless of industry, location, size, or approach.

¹ The numbers in brackets refer to the list of references at the end of this practice guide.

1.1 Purpose of This Practice Guide

This practice guide describes the concepts and definitions associated with risk management and highlights the essential components of risk management for integration into the various management and governance layers of portfolios, programs, and projects—with the following major objectives:
- Describe the fundamentals of risk management,
- Support the objectives of ERM and demonstrate how activities link to ERM, and
- Apply risk management principles, as appropriate, to portfolio, program, and project management performance domains as described in PMI standards.

This practice guide fulfills an organizational need to provide good practices for risk management in portfolio, program, and project management that defines the essential considerations for risk management practitioners. It expands upon the existing knowledge contained within the relevant sections of PMI standards. This practice guide can be used to harmonize practices among ERM and portfolio, program, and project management, regardless of the life cycle approach taken for delivering value to the organization’s strategy. In addition, organizations are increasingly requiring practitioners to use risk management practices in portfolio, program, and project management as integral parts of their ERM framework.

1.2 Approach of This Practice Guide

This practice guide presents the why, what, and how of risk management and elaborates on the following concepts:
- Purpose and benefits of risk management;
- Principles and concepts of risk management in portfolios, programs, and projects;
- Risk management life cycle in portfolios, programs, and projects; and
- Integration of risk management within portfolios, programs, and projects.

This practice guide provides guidance on integrating risk management practices into all key areas of enterprise, portfolio, program, and project management. Its aim is to ensure that risk management is considered as an inherent and natural part of all management levels.
This practice guide also strives to provide direction and guidance while avoiding the imposition of uniformity of processes. Furthermore, this practice guide focuses more on intended outcomes than on deliverables, thus aligning to the principles-based approach adopted for A Guide to the Project Management Body of Knowledge (PMBOK® Guide).

When planning and implementing risk management, it is essential that each team considers the characteristics of its organization, portfolio, program, or project and tailors its risk management approach accordingly. For example, in adaptive and hybrid project environments, the need for ongoing feedback is greater because the project teams are exploring and developing project elements within specific increments. Also, the requirements for adaptive projects are not well defined at the start, so a stronger emphasis on iterative risk management is needed because of the higher level of uncertainty.

The approaches and techniques presented in this practice guide are based on risk management principles that can be applied when designing specific management or business processes adapted to the organizational environment and nature of the work.

1.3 Audience for This Practice Guide

This practice guide provides guidance to stakeholders participating in a portfolio, program, or project.
This includes, but is not limited to, portfolio managers, program managers, project managers, project coordinators, project practitioners, project planners, business analysts, risk managers, risk consultants, consultants, agile practitioners, agile consultants, product owners, sponsors, and vendors who:
- Work on a portfolio, program, project, or initiative either full or part time;
- Work in a portfolio, program, or project management office;
- Are responsible for identifying and/or managing the risks of an initiative (portfolio, program, or project);
- Teach or study risk management; and
- Are involved in any aspect of the project value delivery chain.

1.4 Principles of Risk Management

The seven principles outlined in Sections 1.4.1 through 1.4.7 guide the risk management process and are integral to effective risk management. They are:
- 1.4.1 Strive to Achieve Excellence in the Practice of Risk Management
- 1.4.2 Align Risk Management with Organizational Strategy, Governance Practices, and Project Management Performance Domains
- 1.4.3 Focus on the Higher Risk Value
- 1.4.4 Optimize Risk Responses to Focus on Value Realization
- 1.4.5 Foster a Culture That Embraces Risk Management
- 1.4.6 Navigate Complexity Using Risk Management to Enable Successful Outcomes and Value Realization
- 1.4.7 Continuously Improve Risk Management Competencies

1.4.1 Strive to Achieve Excellence in the Practice of Risk Management

Risk management allows organizations and teams to increase the predictability of outcomes, both qualitatively and quantitatively, and improves the delivery of value supporting the organization’s strategy. This principle is about reaching the appropriate level of organizational process maturity (the ability of an organization to apply a certain set of processes in a consistent manner) and the optimal level of performance. Excellence in risk management is not achieved by the strict and exhaustive application of related processes. Rather, it can be attained by (a) balancing the benefits to be obtained with the associated cost and (b) tailoring the risk management processes to the characteristics of the organization and its portfolios, programs, and projects. Process excellence in risk management is itself a risk management strategy. Effective and appropriate risk management can reduce individual and overall threats while increasing individual and overall opportunities in a portfolio, program, project, or operation.

1.4.2 Align Risk Management with Organizational Strategy, Governance Practices, and Project Management Performance Domains

The practice of risk management in organizations is developed and evolved in coexistence with other organizational processes such as strategy and governance. The nature of portfolios, programs, and projects is such that circumstances may change frequently. Adaptability, agility, and resiliency are critical in risk management in order to respond to changing conditions and recover quickly from a setback or failure. Adjustments become necessary as the organization evolves (e.g., when changes to decision-making processes, timing, scope, and speed are made). The varying types of adjustments to risk management practices will be informed by the ongoing evaluation of the exposure to risk whenever these changes are implemented as recommended by the project management principle of optimizing risk responses. Establishing an appropriate cadence of risk reviews and feedback sessions with stakeholders is helpful for navigating project risk and being proactive with risk responses. Risk management interacts with the Stakeholders, Team, Development Approach and Life Cycle, Planning, Project Work, Delivery, Measurement, and Uncertainty project management performance domains, so successful risk management should be built seamlessly into these activities.

1.4.3 Focus on the Higher Risk Value

Successful organizations are able to effectively and efficiently identify and respond to the risks that directly influence goals and objectives. The challenge for most organizations is making the best use of resources by focusing on the right risks. This depends on the characteristics of the organization and its environment, internal maturity, culture, and organizational strategy. Determining the most impactful risks can be difficult. Organizations iteratively develop and improve their ability by refining the processes for risk prioritization. Organizations should also strengthen their capacity to anticipate threats and opportunities; maintain an acute awareness of the environment in which their project is implemented; and constantly monitor changes in the technical, social, political, market, and economic environments, as recommended in the Uncertainty project management performance domain.

1.4.4 Optimize Risk Responses to Focus on Value Realization

Risk management seeks to find the right balance among risk exposure, the cost of managing the risk, and the expected creation or realization of business value. Risk responses should be appropriate for the significance of the risk. The risk responses should be aligned to a planned strategy to achieve the desired value. Organizations should strike a comprehensive balance among the risk exposure and the potential costs and benefits of the portfolios, programs, and projects, and then make provisions for contingency reserves and buffers, thus securing the means to effectively respond to a risk if it materializes.

1.4.5 Foster a Culture That Embraces Risk Management

Risk management is an inherent and essential part of the portfolio, program, and project management framework.
The practice of risk management is propagated, recognized, and encouraged throughout the organization. A culture of risk management encourages (a) the proactive identification of threats and (b) the identification of opportunities by cultivating a positive mindset within the organization—one that is more open to accepting and harnessing the positive innovations and changes impacting the various initiatives. It is important to identify the organizational culture, the behavior of the project management team, and environmental factors to begin implementing a risk management culture across functions or areas of the organization. Risk management should be integrated as part of the project management team’s culture by deliberately including it within team norms, as well as by modeling risk management practices through the behaviors and actions of project team management.

1.4.6 Navigate Complexity Using Risk Management to Enable Successful Outcomes and Value Realization

Managing risk is critical to navigating, and even reducing, complexity and uncertainty within organizational initiatives. It is not an easy task as complexity is the result of human behavior, system interactions, uncertainty, rapid changes in the environment, technological innovation, and ambiguity. Yet, the ability to identify and manage risk depends directly on the type and level of complexity within an initiative. Take project complexity, for example, which is the culmination of a multitude of individual elements that work toward a common goal within a portfolio, program, or project. It can be effectively controlled through risk management by clarifying the objectives, requirements, and scope of a particular initiative; identifying potential risks; and creating a plan to address such risks, thus reducing the possibility of unforeseen complexities that may be hindering the initiative.
In fact, the more organizations navigate complexity using risk management, the more effectively they can optimize the use of resources, increase returns on investment, and improve overall performance and business results. A strong focus on risk management can lay the groundwork for attaining success and valuable outcomes.

1.4.7 Continuously Improve Risk Management Competencies

The nature of risks to which an organization is exposed—and the available technology to manage those risks—is changing. Technology, such as artificial intelligence (AI) and machine learning (ML), allows organizations to manage risks more effectively and better focus on their impacts. By continuously improving risk management competencies, a team can bolster its ability to anticipate threats and opportunities, understand the consequences of issues, and balance the risk, responding to any associated costs and its value realization systematically. This will allow the team to:
- Maximize the probability of positive risks. If a positive risk occurs, it may provide an opportunity that could lead to benefits, such as reduced time, costs, or effort; and
- Decrease exposure to negative risks to avoid issues, such as delays, cost overruns, loss of reputation, or any other threats that may harm the organization.

Consequently, the team can become more proficient and efficient in its risk management approach.

1.5 Structure of This Practice Guide

This practice guide can be used to review portfolio, program, and project management processes from a risk management perspective.
It is organized as follows:
- Section 1 Introduction
- Section 2 Context and Key Concepts of Risk Management
- Section 3 Framework for Risk Management in Portfolio, Program, and Project Management
- Section 4 Risk Management Life Cycle in Portfolio, Program, and Project Management
- Section 5 Risk Management in the Context of Portfolio Management
- Section 6 Risk Management in the Context of Program Management
- Section 7 Risk Management in the Context of Project Management
- Appendix X1 Contributors and Reviewers of Risk Management in Portfolios, Programs, and Projects: A Practice Guide
- Appendix X2 Techniques for the Risk Management Framework
- Appendix X3 Risk Classification

2 Context and Key Concepts of Risk Management

Risk is inherently present in all organizations. While it presents challenges, it may also offer a competitive advantage when both threats and opportunities are managed proactively. Risk management provides a comprehensive, integrated framework for addressing and managing risk at all levels of the organization, from portfolios through programs, projects, and operations. Stakeholders should proactively identify risks throughout the portfolio, program, project, and organization to eliminate or minimize the impacts of threats as well as maximize the impact of opportunities.

In today’s dynamic and interconnected world, businesses face a wide range of risks, including technological, regulatory, market, and competitive risks. Other risks could be because of increased globalization that can expose organizations to risks originating from different parts of the world, thus necessitating a more holistic, integrated approach to risk management.
Furthermore, regulatory requirements related to risk management have become more stringent, requiring organizations to implement robust risk management processes to ensure compliance and avoid penalties. The pace of change in business environments, driven by technological advancements and changing consumer preferences, has made it more challenging for organizations to anticipate and respond to risks effectively.

2.1 Key Concepts and Definitions

All organizations face uncertainties with both internal and external events. Uncertain challenges may be dealt with by formulating and applying a sound business strategy focused on realizing a set of objectives and managing risks. Risk management provides insight into risks that need to be addressed in support of reaching those objectives, while also taking advantage of opportunities. When such opportunities occur, they are called benefits; when negative risks or threats occur, they are called issues. If the overall threats or issues to the portfolio, program, or project are too high, the organization may choose to cancel the effort.

2.1.1 Risk

An individual risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives. For example, a positive risk is a potential upcoming change in policy that could benefit a project. A negative risk can be an unanticipated increase of labor or material cost, which may cause the project to surpass the original budget. In this case, the problem becomes more specific, with a causal factor, instead of just stating that the project will be over budget.

Overall risk is the impact of uncertainty that affects organizational objectives at different levels or aspects. Risks can arise from all sources of uncertainty and assumptions, including individual risks at the portfolio, program, and project levels.
These risks represent the exposure of the organization and its stakeholders to the consequences of uncertainty regarding the organization’s strategy and business objectives. Once a risk occurs, it is then managed within the various governance layers (enterprise, portfolio, program, and project) by driving the resulting outcomes.

Uncertainty is inherent to the nature of portfolios, programs, and projects. Uncertainty refers to a lack of comprehension or awareness regarding issues, events, or potential solutions. It involves assessing probabilities of various actions, reactions, and outcomes. Uncertainty encompasses unknown-unknowns and black swans, representing emerging factors beyond current knowledge or experience. Risk both arises out of uncertainty and generates uncertainty through a lack of awareness about potential outcomes or the likelihood of occurrence. Thus, the more risks one can identify, the better one can plan and prepare for them.

Some of the key factors determining the ability to identify risks include ambiguity and uncertainty, which is a state of being unclear, of not knowing what to expect or how to comprehend a situation, or continuously evaluating the common sources of complexity, as explained in the PMBOK® Guide. When ambiguity is low, the level of integral information is sufficient, and there is clarity and a high degree of certainty in terms of what to expect, which allows for the identification of risks. Though complexity cannot be controlled, project teams can modify their activities to control and address impacts that occur as a result of complexity, as described in the PMBOK® Guide. When it comes to uncertainty and ambiguity, assessment and open evaluation drive risk management efforts.
All initiatives, including portfolios, programs, and projects, possess risks since they are unique undertakings with varying degrees of uncertainty. Assessments and open evaluations help determine the right risk management strategy as well as how risks will be handled across the entire portfolio, program, and project management life cycles, including their various stages and interactions. Open evaluation in risk management refers to the transparent and inclusive assessment of risks, and involves actively involving stakeholders, experts, and relevant parties in the evaluation process to gather diverse perspectives and insights.

Establishing a frequent synchronization, rhythm, cadence, or schedule of review-and-feedback sessions (e.g., weekly, biweekly, monthly, etc.) for team members and stakeholders is helpful for navigating risks and being proactive with risk management. In projects following an adaptive approach, if used by the team, a daily meeting (e.g., daily standup meetings) can be instrumental in identifying potential risks. During such meetings, potential obstacles or impediments can be identified, thus reducing the likelihood of these becoming issues.

A SWOT (strengths, weaknesses, opportunities, threats) analysis can help with risk assessment, enabling a team to identify risks in a portfolio, program, or project. SWOT analysis evaluates initiatives from each of the SWOT perspectives, identifies and lists organizational strengths and weaknesses, and then derives opportunities from both the strengths and the threats from those weaknesses. Below are examples of how this approach can be carried out.

2.1.1.1 Strengths

Strengths are characteristics that give an organization a competitive advantage over others and contribute to the success of portfolios, programs, and projects.
This is accomplished by:

- Identifying portfolios, programs, or projects in trouble more easily;
- Minimizing surprises;
- Providing better-quality data for decision-making;
- Enhancing communication; and
- Improving budget estimates.

2.1.1.2 Weaknesses

Weaknesses place an organization at a disadvantage and negatively impact the success of portfolios, programs, and projects. Examples include:

- Exorbitant training costs,
- Loss of focus due to automation, and
- Data security issues.

2.1.1.3 Opportunities

Opportunities are risks that would have a positive effect on one or more project objectives. Opportunity management helps to point out and understand the possible ways in which objectives can be achieved more successfully. Moving beyond the traditional view of risk as a value destroyer to seeing it as a potential value enhancer requires creativity and vision, and may help organizations to develop a system for allowing these opportunities to flourish and result in organizational success.

A consistent portfolio, program, and project management system helps to:

- Identify and assess opportunities that are often linked, and
- Improve the organization’s ability to accept and pursue opportunities.

Risk responses should be developed for the opportunities and should be reviewed to see whether the planned responses may have introduced any secondary risks.

2.1.1.4 Threats

Threats are risks that would have a negative effect on one or more project objectives. Threat management specifically focuses on addressing potential negative events or threats, and is a subset of risk management.
It involves the use of risk management resources to:

- Describe risks;
- Analyze risk attributes (e.g., specific characteristics or qualities associated with risks);
- Evaluate the probability of risk occurrence and impacts, as well as other characteristics; and
- Implement a planned response, when appropriate.

A response to a specific threat may include multiple strategies. If the threat cannot be avoided, it may be mitigated to a level where it becomes viable to transfer or to accept it and respond in such a way that the project is not negatively affected. Creating a contingency reserve will support the risk response strategies by ensuring sufficient funds are set aside in the event of a risk being identified or other applicable events (e.g., supply chain issues or budget overruns).

Similar to managing opportunities, handling threats is a staged process. Both use a structured life cycle framework to ensure the process is robust and complete, as described in Section 4. Should threats occur, they are called issues and are listed in the issue log.

2.1.2 Risk Attitude

Risk attitude is a disposition toward uncertainty, adopted explicitly or implicitly by individuals and groups, driven by perception and previous personal experience, and evidenced by observable behavior. Risk attitude represents an organization’s approach to assessing and eventually pursuing, retaining, taking, or turning away from risk. It is a function of risk appetite and risk threshold and can range from risk averse to risk seeking.

Organizations seek to establish a consistent method for evaluating and responding to risk across the enterprise. One obstacle to developing that consistency is an individual’s different or inconsistent attitudes toward risks—and those attitudes may vary according to the circumstance.
However, organizations can choose to change the risk attitudes of individuals and groups by providing them with tools and techniques they can use to learn how to assess each situation and then consciously choose a risk attitude explicitly. This empowers them to select the attitude most appropriate to the situation and offers the best chance of achieving portfolio, program, and project objectives.

In summary, risk attitude is an individual or group preference when evaluating a risk situation in a favorable or unfavorable way and then acting accordingly. While risk attitudes are not necessarily stable or homogeneous, organizations can adopt tools and techniques designed to coach and mentor staff on how to change their risk attitudes.

It is important to identify and assess the level of adaptability and resiliency of the organization. Adaptability is the ability to respond to changing conditions, and resiliency is the ability to absorb impacts and recover quickly from a setback or failure. The risk attitude will reflect the level of adaptability and resiliency of the team.

2.1.3 Risk Appetite

Risk appetite is how much uncertainty an organization is okay with while pursuing its goals. It’s about finding a middle ground between being open to taking risks and being cautious. Other elements that complement the appetite for risk include risk tolerance and risk capacity. A risk appetite determination represents the start of embracing risk.

Figure 2-1 shows the interrelationship of risk appetite and its direct influence on business strategy, the risk management framework, and the underlying organizational policies and processes. The resulting risk appetite determination defines the amount and type of risk that the organization is willing to accept in order to meet its strategic objectives.

[Figure 2-1. Risk Appetite and Its Relationship with Organizational Strategy. Elements shown: Risk Appetite; Strategy and Business Value Drivers; Risk Management Framework; Risk Management Policy.]

Additionally, risk appetite expresses the level of risk the organization is willing to take in pursuit of its portfolio, program, and project objectives. Portfolio, program, and project risk is a multifaceted rather than singular concept. As organizations grow, expand, and evolve, so do the risks they face. The type, prominence, and appetite for risks may change at different points in the life cycle of an organization and during the life cycle of its portfolios, programs, and projects.

The risk appetite of an organization should take into consideration some of the more common sources of complexity, such as:

- Human behavior. The interplay of conduct, demeanors, attitudes, and experiences of people that influence risk attitude and risk appetite.
- System behavior. The result of dynamic interdependencies within and among project elements.
- Uncertainty and ambiguity. A state of being unclear, of not knowing what to expect or how to comprehend a situation.
- Technological innovation. New technology, along with the uncertainty of how that technology will be used, contributes to complexity.

These sources of complexity could impact the risk appetite of an organization, project team, or individual person. It is important to take into consideration these common sources of complexity to understand the variance of risk appetites among organizations, project teams, or individual persons.

2.1.4 Risk Threshold

Risk threshold is the measure of acceptable variation around an objective that reflects the risk appetite of the organization and its stakeholders. A key element of risk strategy is the establishment and monitoring of enterprise, portfolio, program, and project risk thresholds.
Risk threshold thus represents the level of risk below which an organization will accept, and above which an organization will not accept. Examples of risk thresholds include:

- Minimum level of risk exposure for a risk to be included in the risk register,
- Qualitative or quantitative definitions of risk rating, and
- Maximum level of risk exposure that can be managed before an escalation is triggered.

A project manager conducts a qualitative analysis of identified risks, prioritizes them based on their probability of occurrence and impact, and establishes risk response plans. Consider a software development project aiming to create a new mobile application. In qualitative risk analysis, the project team and stakeholders identify potential risks related to the project’s objectives, timeline, resources, and technology. Some identified risks could include integrating new technologies or platforms that the team is not familiar with, which could lead to delays or errors in development. For data to be suitable for quantitative risk analysis, it should be studied for a long period of time or observed in multiple situations.

Establishing risk thresholds is an integral step in linking portfolio, program, and project risk management to strategy alignment. This is performed as part of the definition of risk policies in the organization or, if common definitions do not exist, as part of the project definition before including it in the portfolio. Based on the risk appetite of the organization, governance may also be responsible for ensuring risk thresholds are established and observed, and for deciding when a risk should be escalated to a higher governance level.
Making use of technological advances and emergent technologies such as artificial intelligence, organizations can automate the determination of when risk thresholds are reached and put in place predetermined workflows that include escalation to higher governance levels when risk thresholds are exceeded.

The risk threshold reflects the risk appetite. Therefore, a risk threshold of ±5% around a cost objective reflects a lower risk appetite than a risk threshold of ±10%. The risk appetite and risk threshold inform how the project team and other stakeholders navigate risk in a project.

2.1.5 Uncertainty

Uncertainty is directly related to risk and it stems from a lack of understanding and awareness of issues, events, paths to follow, or solutions to pursue. Broadly, it refers to a state of not knowing or unpredictability. According to the PMBOK® Guide, successful navigation of uncertainty starts with an understanding of the larger environment in which the organization operates. Options for responding to uncertainty may include:

- Gathering more information,
- Preparing for multiple outcomes,
- Set-based design, and
- Building in resilience.

2.2 Risk Management in Organizations

The organization’s governance body is ultimately responsible for setting, confirming, and enforcing risk appetite and risk management principles as part of its governance oversight. An organization’s governance also determines which risk management processes are appropriate in terms of organizational strategy, scope, context, and content. The enterprise risk function often resides in the executive management organization due to the direct relationship between the success of achieving organizational strategic goals and employing an effective risk management process.

When assessing the seriousness of a risk or combination of risks, uncertainty and its effect on endeavors or objectives are considered.
The uncertainty dimension is commonly described as probability and the effect is often referred to as impact.

The definition of risk includes both (a) distinct events that are uncertain but can be clearly described and (b) more general conditions that are less specific but may also give rise to uncertainty. The definition of risk also encompasses uncertain events that could have a negative or positive effect on objectives. Both of these uncertain situations are considered to be risks when they could have an adverse or positive effect on the achievement of objectives. It is essential to address both situations within an enterprise, portfolio, program, or project risk management process. Addressing threats and opportunities together (i.e., addressing both in the same analysis and coordinating the responses to both when they overlap) allows for synergies and efficiencies.

It is important to distinguish risks from risk-related features. Causes are events or circumstances that currently exist or are certain to exist in the future, which may give rise to risks. Effects are conditional future events or conditions that directly affect one or more objectives if the associated risk occurs. A risk may have one or more causes and, if it occurs, may have one or more effects.

When a risk event happens, the risk ceases to be uncertain. Threats that occur are termed issues, and opportunities that occur are benefits to the enterprise, portfolio, program, or project. Portfolio, program, and project managers are responsible for resolving these issues and managing them efficiently and effectively.
Issues may entail actions that are outside the scope of the portfolio, program, and project risk management processes, or above the ability of a certain manager; therefore, these issues are escalated to a higher management level according to the organization’s governance policy.

2.3 Risk Management at Different Organizational Levels

Risk management is an integrated framework that spans organizational levels. Aside from simply predicting what could happen, the aim of risk management is to develop the means to support the achievement of organizational objectives, realization of the strategic vision, and creation of value. Risk management strongly influences decision-making at the enterprise, portfolio, program, project, and product levels. Product management considerations are applicable to projects where the deliverables are products; these fall outside of the scope of this document.

At the enterprise level, the entire organizational strategy is the set of strategic and business management actions for countering business threats and exploiting business opportunities. These decisions and actions are often executed within the portfolio as part of its individual components. The various perceptions and perspectives regarding risk management at the portfolio, program, and project management levels feed into one another in an iterative, interactive, and dynamic manner. Risks may be interconnected, have dependencies, and interact via feedback loops (see Figure 2-2). Details of these interactions are provided in Sections 5, 6, and 7.

2.3.1 Enterprise

The primary purpose of risk management is the creation and protection of value. Enterprise risk management (ERM) is an approach for identifying major risks that confront an organization as well as forecasting the significance of those risks to business processes. The way in which risks are managed reflects the organization’s culture, capability, and strategy to create and sustain value.
ERM addresses risks at the organizational level, including the aggregation of all risks associated with the enterprise’s portfolio of programs and projects. When exploring alternative strategies, ERM enables the alignment of each portfolio, program, and project component with the organizational strategy. ERM establishes the connections among the various governance levels through the bottom-up escalation of identified risks and the top-down definition of risk management strategies. The top-down process triggers the creation of programs, projects, and other activities aimed at exploiting specific opportunities and addressing business threats.

[Figure 2-2. Cascading of Risk Management Strategy into Portfolios, Programs, and Projects. Labels shown: Strategy; Consolidating Risk Profiles and Risk Management Efficiency/Effectiveness; Identify Business Risks (Threats and Opportunities); Translate risk management strategy into actions; Cascading Risk Management Strategy; Portfolios; Translate strategic objectives into organizational value and capabilities; Programs; Define tangible benefits and capability triggers; Projects; Escalate to higher levels when necessary.]

ERM provides a systematic, organized, and structured method for:

- Identifying and assessing the key risks an organization faces,
- Developing suitable responses,
- Communicating status with stakeholders, and
- Assigning responsibility for monitoring and managing risks in alignment with the strategic objectives of the organization.

ERM is an ongoing process that supports the plan-do-check-act (PDCA) cycle for continuous improvement. ERM is not limited to compliance and disclosure requirements, nor is it a replacement for internal controls and audits.
The application of ERM varies depending on the organization and could change from year to year based on overall risk appetite, stakeholder expectations and requirements, and the internal and external environment. There is no one-size-fits-all approach to performing ERM. Its function, structure, and activities vary with each organization. ERM ensures that all key organizational risks are addressed and properly managed and monitored, and that a culture of effective risk management is established and cascaded down to the portfolio, program, and project levels.

Risk management in the enterprise management context of integrated portfolio, program, and project management consists of:

- Elaborating the risk governance framework;
- Identifying operational and contextual risks at each level of the integrated governance framework, including both negative risks (threats) and positive risks (opportunities);
- Analyzing the identified risks from both the qualitative and quantitative perspectives and identifying the governance layer best suited to manage them, according to the escalation rules in place within the portfolio, program, and project management framework;
- Defining an appropriate risk management strategy based on increasing the probability and/or impact of positive risks (opportunities) and decreasing the probability and/or impact of negative risks (threats);
- Identifying the risk owner and assigning the risk;
- Implementing the corresponding strategies and activities related to anticipatory and/or responsive actions;
- Monitoring the effectiveness and efficiency of the risk management strategies deployed within the enterprise, portfolio, program, and project management framework;
- Ensuring alignment among portfolio, program, and project management risk governance models and the ERM strategy; and
- Promoting effective risk management within the entire enterprise through a risk management culture.

2.3.2 Portfolio

Portfolio risk management categorizes risks as structural, component, and overall risks. Structural risks are associated with the composition of a group of projects and the potential interdependencies among components. Component risks at the portfolio level are those the component manager escalates to the portfolio level for information or action. Overall, portfolio risk considers the interdependencies among components and is therefore more than just the sum of individual component risks.

Risk efficiency is a key element of managing risk at the portfolio level. Risk efficiency is achieved by adjusting the mix of portfolio components to balance risk and reward so that overall portfolio risk exposure is managed. Planning, designing, and implementing an effective portfolio risk management system depends on organizational culture, top management commitment, stakeholder engagement, and open and fair communication processes.

Portfolio risk management is important for the success of managing portfolios where the value lost due to component failure is significant, or when the risks of one component impact the risks in another component. One of the purposes of portfolio risk management is to meet the strategic plan and achieve organizational goals and objectives. As defined in The Standard for Portfolio Management, portfolio risk management ensures that components achieve the best possible success based on the organizational strategy and business model. Portfolio risk management can be viewed as the management activities related to adapting the mix of portfolio components to the evolution of the organization’s business environment. Similar to enterprise strategy, the result of portfolio risk management strategy is defining and launching new components or closing other ones.
Portfolio components can be responses to identified threats or opportunities in alignment with the organization’s overall business strategy.

Portfolio risk management involves the identification and balancing of risk factors (environmental, human, legislation, compliance, etc.) to effectively and efficiently enable portfolio value delivery. A risk factor refers to any variable, condition, or circumstance that increases the likelihood of a negative event occurring or the severity of its impact. In various contexts, risk factors are elements that contribute to uncertainty, a potential threat, or an opportunity.

Managing risk at all levels is an active process involving continuous planning, analysis, response, and monitoring and control. A desired outcome from portfolio risk management is utilizing a structured risk-planning-and-response effort in order to reduce management inaction and decision delay. Risk not addressed at the portfolio level could be addressed through governance processes at the strategic level. In the final analysis, if a risk becomes an issue, it may be handled through the organization’s portfolio, program, and project structure and not at the strategic governance level.

Risk management plays a significant role in decision-making processes—and has the capability to affect decision-making timeframes and activities. For example, identifying potential risks can lead the team to consider factors they might have otherwise overlooked, which can influence the timeframe and activities involved. It can also prompt the team to adjust their timelines or activities to respond (i.e., mitigate or avoid certain risks altogether). In addition, risk management doesn’t stop once a decision is made. It involves ongoing monitoring and review of risks to ensure that the decision remains viable.
Risk management involves a comprehensive process of identifying, assessing, prioritizing, and responding to risks, including escalation to higher levels of management (i.e., program and portfolio levels) as necessary. In many cases, decisions regarding resource allocation, project prioritization, and strategic planning are informed by risk assessments and considerations.

2.3.3 Program

Program risk management strategy ensures effective management of any risk that can cause misalignment between the program roadmap and its supported objectives to organizational strategy. It includes defining program risk thresholds, performing the initial program risk assessment, and developing a program risk response strategy. Program risk management determines how risks are to be communicated to governance layers and strategic levels of the organization. This level of strategic alignment requires that program risk thresholds take into account the organizational strategy and risk attitude.

Program risks go beyond the sum of the risks from each project within the program. Program risk management applies the concepts of portfolio risk management to the set of program components. The Standard for Program Management describes program risk management strategy as:

- Identifying program risk thresholds,
- Performing an initial program risk assessment,
- Developing a high-level program risk response strategy, and
- Determining how risks are to be communicated and managed as part of governance.

Program risk management aggregates operational risks for component projects and activities and handles the specific risks at the program level, which is dependent on the layers of accountability defined in the portfolio, program, and project governance models. Also, the perspective on risk at the program level is, in many cases, more focused on the immediate impact of threats than on the expected benefit of achieving opportunities.

A program risk is an event or series of events or conditions that may affect the success of the program. These risks arise from the program components and their interactions with one another; from technical complexity, schedule, or cost constraints; and from the broader environment in which the program is managed. Two aspects of risk should be assessed during program definition: (a) an identification of the key risks that the program may encounter and (b) an assessment of the organization’s willingness to accept and deal with risks, sometimes referred to as its risk appetite.

2.3.4 Project

Project risk management is addressed in the Uncertainty project management performance domain that comprises activities and functions associated with risk and uncertainty that could impact cost, schedule, or scope baselines. The PMBOK® Guide embeds project risk management as part of the system for value delivery for an organization by including it as one of the principles of project management—Optimize Risk Responses—and as a project management performance domain—Uncertainty. This ensures that project risk management is part of the value chain that links those and other business capabilities to advancing organizational strategy, value, and business objectives.

Risk management steps include the processes of conducting risk management planning, identification, analy
