The Standard for Risk Management in Portfolios, Programs, and Projects PDF

Summary

This document is a standard for risk management in portfolios, programs, and projects published by the Project Management Institute in 2019. It outlines key concepts, definitions, and best practices for effective risk management throughout various project lifecycles. The standard provides a framework for handling risks and opportunities within different organizational levels.

Full Transcript

THE STANDARD FOR RISK MANAGEMENT IN PORTFOLIOS, PROGRAMS, AND PROJECTS

PMI Member benefit licensed to: Ace Juntilla - 10653521. Not for distribution, sale, or reproduction.

Library of Congress Cataloging-in-Publication Data
Names: Project Management Institute.
Title: The standard for risk management in portfolios, programs, and projects.
Description: Newtown Square : Project Management Institute, 2019. | Includes bibliographical references and index.
Identifiers: LCCN 2019009876 | ISBN 9781628255652 (paperback) | ISBN 9781628255669 (ePub) | ISBN 9781628255676 (kindle) | ISBN 9781628255683 (web pdf)
Subjects: LCSH: Project management. | Risk management--Standards. | BISAC: BUSINESS & ECONOMICS / Project Management.
Classification: LCC HD69.P75 S7374 2019 | DDC 658.4/04--dc23
LC record available at https://lccn.loc.gov/2019009876

ISBN: 978-1-62825-565-2

Published by:
Project Management Institute, Inc.
14 Campus Boulevard
Newtown Square, Pennsylvania 19073-3299 USA
Phone: +610-356-4600
Fax: +610-356-4647
Email: [email protected]
Internet: www.PMI.org

©2019 Project Management Institute, Inc. All rights reserved.

Our copyright content is protected by U.S. intellectual property law that is recognized by most countries. To republish or reproduce our content, you must obtain our permission. Please go to http://www.pmi.org/permissions for details.

To place a Trade Order or for pricing information, please contact Independent Publishers Group:
Independent Publishers Group
Order Department
814 North Franklin Street
Chicago, IL 60610 USA
Phone: +1 800-888-4741
Fax: +1 312-337-5985
Email: [email protected] (For orders only)

For all other inquiries, please contact the PMI Book Service Center.
PMI Book Service Center
P.O. Box 932683, Atlanta, GA 31193-2683 USA
Phone: 1-866-276-4764 (within the U.S. or Canada) or +1-770-280-4129 (globally)
Fax: +1-770-280-4113
Email: [email protected]

Printed in the United States of America. No part of this work may be reproduced or transmitted in any form or by any means, electronic, manual, photocopying, recording, or by any information storage and retrieval system, without prior written permission of the publisher.

The paper used in this book complies with the Permanent Paper Standard issued by the National Information Standards Organization (Z39.48—1984).

PMI, the PMI logo, PMBOK, OPM3, PMP, CAPM, PgMP, PfMP, PMI-RMP, PMI-SP, PMI-ACP, PMI-PBA, PROJECT MANAGEMENT JOURNAL, PM NETWORK, PMI TODAY, PULSE OF THE PROFESSION and the slogan MAKING PROJECT MANAGEMENT INDISPENSABLE FOR BUSINESS RESULTS. are all marks of Project Management Institute, Inc. For a comprehensive list of PMI trademarks, contact the PMI Legal Department. All other trademarks, service marks, trade names, trade dress, product names and logos appearing herein are the property of their respective owners. Any rights not expressly granted herein are reserved.

NOTICE

The Project Management Institute, Inc. (PMI) standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest in the topic covered by this publication. While PMI administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications.

PMI disclaims liability for any personal injury, property or other damages of any nature whatsoever, whether special, indirect, consequential or compensatory, directly or indirectly resulting from the publication, use of application, or reliance on this document. PMI disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any of your particular purposes or needs. PMI does not undertake to guarantee the performance of any individual manufacturer or seller’s products or services by virtue of this standard or guide.

In publishing and making this document available, PMI is not undertaking to render professional or other services for or on behalf of any person or entity, nor is PMI undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication.

PMI has no power, nor does it undertake to police or enforce compliance with the contents of this document. PMI does not certify, test, or inspect products, designs, or installations for safety or health purposes. Any certification or other statement of compliance with any health or safety-related information in this document shall not be attributable to PMI and is solely the responsibility of the certifier or maker of the statement.
TABLE OF CONTENTS

1. INTRODUCTION
  1.1 Purpose of This Standard
  1.2 Approach of This Standard
  1.3 Principles of Risk Management
    1.3.1 Strive to Achieve Excellence in the Practice of Risk Management
    1.3.2 Align Risk Management with Organizational Strategy and Governance Practices
    1.3.3 Focus on the Most Impactful Risks
    1.3.4 Balance Realization of Value Against Overall Risks
    1.3.5 Foster a Culture That Embraces Risk Management
    1.3.6 Navigate Complexity Using Risk Management to Enable Successful Outcomes
    1.3.7 Continuously Improve Risk Management Competencies
  1.4 Structure of This Standard

2. CONTEXT AND KEY CONCEPTS OF RISK MANAGEMENT
  2.1 Key Concepts and Definitions
    2.1.1 Risk
    2.1.2 Opportunities
    2.1.3 Threats
    2.1.4 Risk Attitude
    2.1.5 Risk Appetite
    2.1.6 Risk Threshold
  2.2 Risk Management in Organizations
  2.3 Domains of Risk Management
    2.3.1 Enterprise
    2.3.2 Portfolio
    2.3.3 Program
    2.3.4 Project
  2.4 Key Success Factors

3. FRAMEWORK FOR RISK MANAGEMENT IN PORTFOLIO, PROGRAM, AND PROJECT MANAGEMENT
  3.1 Business Context of Risk Management in Portfolio, Program, and Project Management
    3.1.1 Organizational Framework
    3.1.2 Organizational Context
    3.1.3 Strategic and Organizational Planning
    3.1.4 Linking Planning with Execution through Portfolio, Program, and Project Management
  3.2 Scope of Accountability, Responsibility, and Authority
    3.2.1 Accountability at the Enterprise Level
    3.2.2 Accountability at the Portfolio Level
    3.2.3 Accountability at the Program Level
    3.2.4 Accountability at the Project Level
  3.3 General Approaches to Risk Management
    3.3.1 Factors for Evaluating Risk

4. RISK MANAGEMENT LIFE CYCLE IN PORTFOLIO, PROGRAM, AND PROJECT MANAGEMENT
  4.1 Introduction to the Risk Management Life Cycle
  4.2 Plan Risk Management
    4.2.1 Purpose of Plan Risk Management
      4.2.1.1 Risk Appetite in Plan Risk Management
      4.2.1.2 Tailoring and Scaling the Risk Management Plan
    4.2.2 Success Factors for Plan Risk Management
  4.3 Identify Risks
    4.3.1 Purpose of Identify Risks
    4.3.2 Key Success Factors for Identify Risks
  4.4 Perform Qualitative Risk Analysis
    4.4.1 Purpose of Perform Qualitative Risk Analysis
    4.4.2 Key Success Factors for Perform Qualitative Risk Analysis
  4.5 Perform Quantitative Risk Analysis
    4.5.1 Purpose of Quantitative Risk Analysis
    4.5.2 Key Success Factors for Perform Quantitative Risk Analysis
  4.6 Plan Risk Responses
    4.6.1 Purpose of Plan Risk Responses
    4.6.2 Key Success Factors for Plan Risk Responses
  4.7 Implement Risk Responses
    4.7.1 Purpose of Implement Risk Responses
    4.7.2 Key Success Factors for Implement Risk Responses
  4.8 Monitor Risks
    4.8.1 Purpose of Monitor Risks
    4.8.2 Key Success Factors for Monitor Risks

5. RISK MANAGEMENT IN THE CONTEXT OF PORTFOLIO MANAGEMENT
  5.1 Portfolio Risk Management Life Cycle
    5.1.1 Portfolio Risk Identification
    5.1.2 Portfolio Risk Qualitative and Quantitative Analyses
    5.1.3 Portfolio Risk Response Strategies
    5.1.4 Implementing Portfolio Risk Responses
    5.1.5 Monitoring Portfolio Risks
  5.2 Integration of Risk Management into the Portfolio Management Performance Domains
    5.2.1 Portfolio Strategic Management
    5.2.2 Portfolio Governance
    5.2.3 Portfolio Capacity and Capability Management
    5.2.4 Portfolio Stakeholder Engagement
    5.2.5 Portfolio Value Management
    5.2.6 Portfolio Risk Management

6. RISK MANAGEMENT IN THE CONTEXT OF PROGRAM MANAGEMENT
  6.1 Program Risk Management Life Cycle
    6.1.1 Program Risk Identification
    6.1.2 Program Risk Qualitative and Quantitative Analyses
    6.1.3 Program Risk Response Strategies
    6.1.4 Implementing Program Risk Responses
    6.1.5 Monitoring Program Risks
  6.2 Integration of Risk Management into the Program Management Performance Domains
    6.2.1 Program Strategy Alignment
    6.2.2 Program Benefits Management
    6.2.3 Program Stakeholder Engagement
    6.2.4 Program Governance
    6.2.5 Program Life Cycle Management
    6.2.6 Supporting Program Activities

7. RISK MANAGEMENT IN THE CONTEXT OF PROJECT MANAGEMENT
  7.1 Project Risk Management Life Cycle
    7.1.1 Project Risk Identification
    7.1.2 Qualitative and Quantitative Project Risk Analyses
    7.1.3 Project Risk Response Strategies
    7.1.4 Implementing Project Risk Responses
    7.1.5 Monitoring Project Risk
  7.2 Integration of Risk Management into Project Management Process Groups
    7.2.1 Initiating Processes
    7.2.2 Planning Processes
    7.2.3 Executing Processes
    7.2.4 Monitoring and Controlling Processes
    7.2.5 Closing Processes

APPENDIX X1 DEVELOPMENT OF THE STANDARD FOR RISK MANAGEMENT IN PORTFOLIOS, PROGRAMS, AND PROJECTS

APPENDIX X2 CONTRIBUTORS AND REVIEWERS OF THE STANDARD FOR RISK MANAGEMENT IN PORTFOLIOS, PROGRAMS, AND PROJECTS
  X2.1 The Standard for Risk Management in Portfolios, Programs, and Projects Core Committee
  X2.2 Significant Contributors
  X2.3 Reviewers
    X2.3.1 SME Review
    X2.3.2 Consensus Body Review
    X2.3.3 Public Exposure Draft Review
  X2.4 PMI Standards Program Member Advisory Group
  X2.5 Harmonization Team
    X2.5.1 Core Team
    X2.5.2 PMI Staff
  X2.6 Production Staff

APPENDIX X3 PORTFOLIO RISK MANAGEMENT CONTROLS
  X3.1 The Purpose of Portfolio Risk Management Controls
  X3.2 Risk Management Controls for Portfolio Strategic Management
  X3.3 Risk Management Controls for Portfolio Governance
  X3.4 Risk Management Controls for Portfolio Capacity and Capability Management
  X3.5 Risk Management Controls for Portfolio Stakeholder Engagement
  X3.6 Risk Management Controls for Portfolio Value Management
  X3.7 Risk Management Controls for Portfolio Risk Management

APPENDIX X4 PROGRAM RISK MANAGEMENT CONTROLS
  X4.1 The Purpose of Program Risk Management Controls
  X4.2 Risk Management Controls for Program Strategy Alignment
  X4.3 Risk Management Controls for Program Benefits Management
  X4.4 Risk Management Controls for Program Stakeholder Engagement
  X4.5 Risk Management Controls for Program Governance
  X4.6 Risk Management Controls for Program Life Cycle Management
  X4.7 Risk Management Controls for Supporting Program Activities

APPENDIX X5 PROJECT RISK MANAGEMENT CONTROLS
  X5.1 The Purpose of Project Risk Management Controls
  X5.2 Risk Management Controls for Project Integration Management
  X5.3 Risk Management Controls for Project Scope Management
  X5.4 Risk Management Controls for Project Schedule Management
  X5.5 Risk Management Controls for Project Cost Management
  X5.6 Risk Management Controls for Project Quality Management
  X5.7 Risk Management Controls for Project Resource Management
  X5.8 Risk Management Controls for Project Communications Management
  X5.9 Risk Management Controls for Project Risk Management
  X5.10 Risk Management Controls for Project Procurement Management
  X5.11 Risk Management Controls for Project Stakeholder Management

APPENDIX X6 TECHNIQUES FOR THE RISK MANAGEMENT FRAMEWORK
  X6.1 Risk Management Planning
  X6.2 Identify Risks
    X6.2.1 Assumptions and Constraints Analysis
    X6.2.2 Brainstorming
    X6.2.3 Cause and Effect (Ishikawa) Diagrams
    X6.2.4 Checklists
    X6.2.5 Delphi Technique
    X6.2.6 Document Review
    X6.2.7 Expert Judgment
    X6.2.8 Facilitation
    X6.2.9 Historical Information
    X6.2.10 Interviews
    X6.2.11 Prompt Lists
    X6.2.12 Questionnaire
    X6.2.13 Root-Cause Analysis
    X6.2.14 SWOT Analysis
  X6.3 Qualitative Risk Analysis
    X6.3.1 Affinity Diagrams
    X6.3.2 Analytic Hierarchy Process
    X6.3.3 Influence Diagrams
    X6.3.4 Nominal Group Technique
    X6.3.5 Probability and Impact Matrix
    X6.3.6 Risk Data Quality Analysis
    X6.3.7 Assessment of Other Risk Parameters
    X6.3.8 System Dynamics
  X6.4 Quantitative Risk Analysis
    X6.4.1 Contingency Reserve Estimation
    X6.4.2 Decision Tree Analysis
    X6.4.3 Estimating Techniques Applied to Probability and Impact
    X6.4.4 Expected Monetary Value
    X6.4.5 FMEA/Fault Tree Analysis
    X6.4.6 Monte Carlo Simulation
    X6.4.7 PERT (Program or Project Evaluation and Review Technique)
  X6.5 Plan Risk Responses
    X6.5.1 Contingency Planning
    X6.5.2 Force Field Analysis
    X6.5.3 Multicriteria Selection Technique
    X6.5.4 Scenario Analysis
    X6.5.5 Simulation
  X6.6 Response Plan Implementation
  X6.7 Monitor Risks
    X6.7.1 Data Analytics
    X6.7.2 Reserve Analysis
    X6.7.3 Residual Impact Analysis
    X6.7.4 Risk Audit
    X6.7.5 Risk Breakdown Structure
    X6.7.6 Risk Reassessment
    X6.7.7 Sensitivity Analysis
    X6.7.8 Status Meetings
    X6.7.9 Trend Analysis
    X6.7.10 Variance Analysis
  X6.8 Risk Management Techniques Recap

APPENDIX X7 ENTERPRISE RISK MANAGEMENT CONSIDERATIONS FOR PORTFOLIO, PROGRAM, AND PROJECT RISK MANAGEMENT

APPENDIX X8 RISK CLASSIFICATION

REFERENCES

GLOSSARY

INDEX

LIST OF TABLES AND FIGURES

Figure 2-1. Risk Appetite and Its Relationship with Organizational Strategy
Figure 2-2. Cascading of Risk Management Strategy into Portfolios, Programs, and Projects
Figure 2-3. Key Success Factors for Risk Management
Figure 3-1. Risk across the Various Levels of the Organization
Figure 3-2. Risk Management across Domains of Organizational Activities
Figure 3-3. Risk Classification
Figure 4-1. The Risk Management Life Cycle Framework
Figure 5-1. Portfolio Management Performance Domains
Figure 6-1. Program Management Performance Domains
Figure X6-1. Key Areas of Focus for Plan Risk Management
Figure X6-2. The Relationship between Cause, Risk, and Effect
Figure X6-3. Example of a Constraint Analysis with Fields for Description and Analysis Results
Figure X6-4. Example of a Cause and Effect or Ishikawa Diagram
Figure X6-5. Example (Partial) of a Checklist with Typical Structure of Category, Subcategory, Specific Risks, and Effect
Figure X6-6. Three Well-Known Examples of Prompt Lists That Can Be Useful for Risk Identification
Figure X6-7. Example of a Root-Cause Analysis
Figure X6-8. Example of a SWOT Analysis Structure
Figure X6-9. Example of Definitions for Levels of Probability and Impact on Three Specific Objectives Used to Evaluate Individual Risks
Figure X6-10. Example of Analytic Hierarchy Process Computations to Determine the Relative Weighting of Four Objectives Related to a Project
Figure X6-11. Example of Probability-Impact Matrix Used to Sort Risks into Very High (VH), High (H), Moderate (M), Low (L), and Very Low (VL) Classes
Figure X6-12. Example of a Decision Tree Diagram
Figure X6-13. Example Histogram from Monte Carlo Simulation of a Project Schedule
Figure X6-14. Example of a Force Field Analysis and the Balance of Forces for and against Change
Figure X6-15. Example of Multicriteria Weighting and Analysis
Figure X6-16. Example of a Generic Risk Breakdown Structure for a Project
Figure X7-1. Elements Contributing to the Degree of Alignment between ERM and Portfolio, Program, and Project Risk Management

Table 5-1. Areas of the Portfolio Management Performance Domains Typically Covered by Risk Management Practices
Table 6-1. Areas of the Program Management Performance Domains Typically Covered by Risk Management Practices
Table 7-1. Areas of the Project Management Process Groups and Knowledge Areas Typically Covered by the Risk Management Practices
Table X3-1. Risk Management Controls and Objectives for Portfolio Strategic Management
Table X3-2. Risk Management Controls and Objectives for Portfolio Governance
Table X3-3. Risk Management Controls and Objectives for Portfolio Capacity and Capability Management
Table X3-4. Risk Management Controls and Objectives for Portfolio Stakeholder Engagement
Table X3-5. Risk Management Controls and Objectives for Portfolio Value Management
Table X3-6. Risk Management Controls and Objectives for Portfolio Risk Management
Table X4-1. Risk Management Controls for Program Strategy Alignment
Table X4-2. Risk Management Controls for Program Benefits Management
Table X4-3. Risk Management Controls for Program Stakeholder Engagement
Table X4-4. Risk Management Controls for Program Governance
Table X4-5. Risk Management Controls for Program Life Cycle Management
Table X4-6. Risk Management Controls for Supporting Program Activities
Table X5-1. Risk Management Controls for Project Integration Management
Table X5-2. Risk Management Controls for Project Scope Management
Table X5-3. Risk Management Controls for Project Schedule Management
Table X5-4. Risk Management Controls for Project Cost Management
Table X5-5. Risk Management Controls for Project Quality Management
Table X5-6. Risk Management Controls for Project Resource Management
Table X5-7. Risk Management Controls for Project Communications Management
Table X5-8. Risk Management Controls for Project Risk Management
Table X5-9. Risk Management Controls for Project Procurement Management
Table X5-10. Risk Management Controls for Project Stakeholder Management
Table X6-1. Matrix of Risk Management Techniques Mapped to Risk Management Life Cycle Stages

1 INTRODUCTION

Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives. Positive risks are opportunities, while negative risks are threats. The practice of risk management includes planning the approach, identifying and analyzing risks, response planning and implementation, and ongoing monitoring of risks.

Risk management is an essential aspect of all organizational activities. This standard describes the application of risk management within an enterprise risk management (ERM) context that includes the portfolio, program, and project domains. Risk management shapes the decision-making processes across the organization and within each of the domains.

The degree to which risk management is pursued can be the difference between success and failure. PMI’s 2015 Pulse of the Profession® report found that for organizations that apply a formal risk management approach, 73% of projects meet their objectives, 61% finish on time, and 64% are completed within the approved budget.¹ Risk management allows an organization to:

- Anticipate and manage change,
- Improve decision making,
- Proactively implement typically lower-cost preventive actions instead of higher-cost reaction to issues,
- Increase the chances to realize opportunities for the benefit of the business,
- Generate broad awareness of uncertainty of outcomes,
- Act upon the transformations taking place in its business environment, and
- Support organizational agility and resilience.

Risk management also establishes iterative connections among portfolios, programs, and projects and links these connections with ERM and organizational strategy.

¹ The numbers in brackets refer to the list of references at the end of this standard.

1.1 PURPOSE OF THIS STANDARD

This standard describes the concepts and definitions associated with risk management and highlights the essential components of risk management for integration into the various governance layers of portfolios, programs, and projects with the following major objectives:

- Describe the fundamentals of risk management,
- Support the objectives of and demonstrate the link to ERM, and
- Apply risk management principles, as appropriate, to portfolio, program, and project domains as described in the PMI foundational standards.

This standard fulfills a business need to provide a standard for risk management in portfolio, program, and project management that defines the essential considerations for risk management practitioners. It expands on the knowledge contained on risk management in the relevant sections of the PMI foundational standards.

This standard can be used to harmonize practices between ERM and portfolio, program, and project management, regardless of the life cycle approach used. PMI is committed to providing global standards that are widely recognized and consistently applied by organizations as well as practitioners. Increasingly, organizations are requiring practitioners to use risk management practices in portfolio, program, and project management as an integral part of their ERM framework.

1.2 APPROACH OF THIS STANDARD

This standard presents the what and why of risk management. The following concepts are elaborated in this standard:

- Purpose and benefits of risk management;
- Principles and concepts of risk management in portfolios, programs, and projects;
- Risk management life cycle in portfolios, programs, and projects; and
- Integration of risk management within portfolios, programs, and projects.

This standard provides guidance on integrating risk management practices into all key areas of enterprise, portfolio, program, and project management. The aim is to ensure that the management of risk is an inherent, natural part of all management domains.

The scope of this standard is to provide guidance and not to impose uniformity of processes across portfolios, programs, and projects. When planning and implementing risk management, it is essential that each team consider the characteristics of the organization, portfolio, program, or project. The approach presented in this standard is based on risk management principles that can be used as guidance when designing specific management or business processes adapted to the organizational environment and nature of the work.

1.3 PRINCIPLES OF RISK MANAGEMENT

There are specific core principles that underlie the process of risk management. The seven principles provided in Sections 1.3.1 through 1.3.7 guide the risk management processes and are integral to effective risk management.

1.3.1 STRIVE TO ACHIEVE EXCELLENCE IN THE PRACTICE OF RISK MANAGEMENT

Risk management allows organizations and teams to increase the predictability of outcomes, both qualitatively and quantitatively. This principle is about reaching the appropriate level of organizational process maturity (the ability of an organization to apply a certain set of processes in a consistent manner) and the optimal level of performance. Excellence in risk management is not achieved by the strict and exhaustive application of related processes. Rather, excellence can be achieved by (a) balancing the benefits to be obtained with the associated cost and (b) tailoring the risk management processes to the characteristics of the organization and its portfolios, programs, and projects. Process excellence in risk management is itself a risk management strategy.

1.3.2 ALIGN RISK MANAGEMENT WITH ORGANIZATIONAL STRATEGY AND GOVERNANCE PRACTICES

The practice of risk management in organizations is developed and evolved in coexistence with other organizational processes, such as strategy and governance. The nature of portfolios, programs, and projects is such that circumstances may change frequently. Adjustments become necessary as the organization evolves, for example, when changes to decision-making processes, timing, scope, and speed are made.

1.3.3 FOCUS ON THE MOST IMPACTFUL RISKS

Successful organizations are able to effectively and efficiently identify the risks that directly influence goals and objectives. The challenge for most organizations is making the best use of resources by focusing on the right risks. This depends on the characteristics of the organization, its environment, internal maturity, culture, and strategy. Determining the most impactful risks can be difficult. Organizations develop and improve by refining the processes for risk prioritization.

1.3.4 BALANCE REALIZATION OF VALUE AGAINST OVERALL RISKS

Risk management seeks to find the proper balance between the exposure to risk and the expected business value creation or realization. Initiatives presenting a low level of risk may not create a sufficient level of value and performance. On the other hand, initiatives presenting a high, expected performance may expose the organization to an unacceptable level of threat.

1.3.5 FOSTER A CULTURE THAT EMBRACES RISK MANAGEMENT

Risk management is an inherent and essential part of the portfolio, program, and project management framework. The practice of risk management is propagated, recognized, and encouraged throughout the organization.
A culture of risk management encourages (a) the identification of threats rather than ignoring them and (b) the identification of opportunities by cultivating a positive mindset within the organization—one that is more open to accept and harness the positive changes impacting the various initiatives.

1.3.6 NAVIGATE COMPLEXITY USING RISK MANAGEMENT TO ENABLE SUCCESSFUL OUTCOMES

Managing risks is an essential part of reducing and handling the complexity within organizational initiatives. The ability to identify and manage risks is directly dependent on the level of complexity of the initiatives. Concentrating efforts on clarifying the objectives, requirements, and scope of initiatives facilitates the identification of risks and enhances the ability to manage them, thus lowering the exposure of these initiatives to unforeseen situations. The more organizations navigate complexity using risk management, the more they will be able to optimize the use of resources, increase the return on investments, and improve overall performance and business results.

1.3.7 CONTINUOUSLY IMPROVE RISK MANAGEMENT COMPETENCIES

The nature of risks to which an organization is exposed and the available technology to manage those risks are changing. Technology allows organizations to manage risks more effectively and to better focus on the risks’ impacts. Through continuous improvement of risk management competencies, organizations and individuals can develop sustainable competitive advantages that contribute to overall organizational performance.

1.4 STRUCTURE OF THIS STANDARD

This standard can be used to review portfolio, program, and project management processes from a risk management perspective.
It is organized as follows:

- Section 1—Introduction
- Section 2—Context and Key Concepts of Risk Management
- Section 3—Framework for Risk Management in Portfolio, Program, and Project Management
- Section 4—Risk Management Life Cycle in Portfolio, Program, and Project Management
- Section 5—Risk Management in the Context of Portfolio Management
- Section 6—Risk Management in the Context of Program Management
- Section 7—Risk Management in the Context of Project Management
- Appendix X1—Development of The Standard for Risk Management in Portfolios, Programs, and Projects
- Appendix X2—Contributors and Reviewers of The Standard for Risk Management in Portfolios, Programs, and Projects
- Appendix X3—Portfolio Risk Management Controls
- Appendix X4—Program Risk Management Controls
- Appendix X5—Project Risk Management Controls
- Appendix X6—Techniques for the Risk Management Framework
- Appendix X7—Enterprise Risk Management Considerations for Portfolio, Program, and Project Risk Management
- Appendix X8—Risk Classification

2 CONTEXT AND KEY CONCEPTS OF RISK MANAGEMENT

Risk is inherently present in all organizations. Risks present organizations with challenges but may also offer a competitive advantage when both threats and opportunities are managed proactively. Risk management provides a comprehensive and integrated framework for addressing and managing risk at all levels of the organization, from portfolios through programs, projects, and operations.

2.1 KEY CONCEPTS AND DEFINITIONS

All organizations face the uncertainty of both internal and external events. Uncertain present and future challenges can be dealt with by formulating and applying a sound business strategy toward realizing a set of objectives and managing risks.
Risk management provides insight into risks that need to be addressed in support of reaching those objectives and takes advantage of opportunities. When opportunities occur, they are called benefits.

2.1.1 RISK

An individual risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives. Overall risk is the effect of uncertainty that affects organizational objectives at different levels or aspects. Risk arises from all sources of uncertainty, including individual risks in the portfolio, program, and project domains. These risks represent the exposure of the organization and its stakeholders to the consequences of uncertainty on the realization of the organization’s strategy and business objectives. Once the risk occurs, it is then managed within the various governance layers (enterprise, portfolio, program, and project) by driving the resulting outcomes.

Uncertainty is inherent in the nature of portfolios, programs, and projects. Risk arises out of uncertainty and generates uncertainty. The more risks one can identify, the more uncertainty is indicated. One of the key factors that determines the ability to identify risks is ambiguity. When ambiguity is low, the level of information available is high, which allows the identification of risks. Uncertainty and ambiguity are factors where assessment and open evaluation drive risk management efforts. Assessments and open evaluations allow for the determination of the proper risk management strategy and define how risks will be managed throughout the portfolio, program, and project management life cycles, the iterations of these life cycles, and their interactions.

2.1.2 OPPORTUNITIES

Opportunities are risks that have a positive effect on one or more objectives.
Opportunity management helps to identify and understand possible ways in which objectives can be achieved more successfully. Moving beyond the traditional view of risk as a value destroyer to seeing risk as a potential value enhancer requires creativity and vision, and a system that allows these opportunities to flourish and lead to organizational success. A consistent portfolio, program, and project management system helps to:

- Identify and assess opportunities that are often linked, and
- Improve the organization’s ability to accept and pursue opportunities.

2.1.3 THREATS

Threats are risks that would have a negative effect on one or more objectives. Threat management involves the use of risk management resources to:

- Describe risks,
- Analyze risk attributes,
- Evaluate the probability of risk occurrence and impact as well as other characteristics, and
- Implement a planned response, when appropriate.

Similar to managing opportunities, managing threats is a staged process. Both use a structured life cycle framework to ensure that the process is robust and complete as described in Section 4. Should threats occur, they are called issues and are listed in the issue log.

2.1.4 RISK ATTITUDE

Risk attitude is a disposition toward uncertainty, adopted explicitly or implicitly by individuals and groups, driven by perception, and evidenced by observable behavior. Risk attitude represents an organization’s approach to assess and eventually pursue, retain, take, or turn away from risk. Risk attitudes can range from risk averse to risk seeking.

Organizations seek to establish a consistent method for evaluating and responding to risk across the enterprise.
One obstacle to developing that consistency is an individual’s different or inconsistent attitudes toward risks—and those attitudes may vary according to the circumstance. In summary, risk attitude is an individual’s or group’s preference to evaluate a risk situation in a favorable or unfavorable way and to act accordingly. However, risk attitudes are not necessarily stable nor homogeneous.

2.1.5 RISK APPETITE

Risk appetite is the degree of uncertainty an organization or individual is willing to accept in anticipation of a reward. Risk appetite guides the management of risk and the parameters the organization uses in deciding whether or not to take on risk. In addition, risk appetite defines what types of risks an organization pursues.

A risk appetite determination represents the start of embracing risk. Figure 2-1 shows the interrelationship of risk appetite and its direct influence on business strategy, the risk management framework, and the underlying policy and processes. The resulting risk appetite determination defines the amount and type of risk that the organization is willing to take in order to meet its strategic objectives.

[Figure 2-1. Risk Appetite and Its Relationship with Organizational Strategy. Elements shown: Risk Appetite; Strategy and Business Value Drivers; Risk Management Framework; Risk Management Policy.]

Risk appetite expresses the level of risk the organization is willing to take in pursuit of its portfolio, program, and project objectives. Portfolio, program, and project risk is not a singular, but rather a multifaceted concept. As organizations grow, expand, and evolve, so do the risks they face. The type, prominence, and appetite for risks change at different points in the life cycle of an organization and during the life cycle of its programs and projects.

2.1.6 RISK THRESHOLD

Risk threshold is the measure of acceptable variation around an objective that reflects the risk appetite of the organization and its stakeholders. A key element of risk strategy is the establishment and monitoring of enterprise, portfolio, program, and project risk thresholds. Examples of risk thresholds include:

- Minimum level of risk exposure for a risk to be included in the risk register,
- Qualitative or quantitative definitions of risk rating, and
- Maximum level of risk exposure that can be managed before an escalation is triggered.

Establishing risk thresholds is an integral step in linking portfolio, program, and project risk management to strategy alignment and is performed as part of early planning. Based on the risk appetite of the organization, governance may also be responsible for ensuring that risk thresholds are established and observed, and when the risk should be escalated to a higher governance level.

2.2 RISK MANAGEMENT IN ORGANIZATIONS

The organization’s governance body is ultimately responsible for setting, confirming, and enforcing risk appetite and risk management principles as part of its governance oversight. An organization’s governance also determines which risk management processes are appropriate in terms of organizational strategy, scope, context, and content. The enterprise risk function often resides in the executive management organization due to the direct relationship between the success of achieving organizational strategic goals and employing an effective risk management process.

When assessing the seriousness of a risk or combination of risks, uncertainty and the effect on endeavors or objectives are considered. The uncertainty dimension is commonly described as probability, and the effect is often referred to as impact.

The definition of risk includes both (a) distinct events that are uncertain but can be clearly described and (b) more general conditions that are less specific but may also give rise to uncertainty. The definition of risk also encompasses uncertain events that could have a negative or positive effect on objectives.

Both of these uncertain situations are considered to be risks when they could have an adverse or positive effect on the achievement of objectives. It is essential to address both situations within an enterprise, portfolio, program, and project risk management process. Addressing threats and opportunities together (i.e., addressing both in the same analysis and coordinating the responses to both when they overlap) allows for synergies and efficiencies.

It is important to distinguish risks from risk-related features. Causes are events or circumstances that currently exist or are certain to exist in the future, which might give rise to risks. Effects are conditional future events or conditions that directly affect one or more objectives if the associated risk occurs. A risk may have one or more causes and, if it occurs, may have one or more effects.

When a risk event occurs, the risk ceases to be uncertain. Threats that occur are termed issues, and opportunities that occur are benefits to the enterprise. Portfolio, program, and project managers are responsible to resolve these issues and manage them efficiently and effectively. Issues may entail actions that are outside the scope of the portfolio, program, and project risk management process; therefore, these issues are escalated to a higher management level according to the organization’s governance policy.

2.3 DOMAINS OF RISK MANAGEMENT

Risk management is an integrated framework that spans organizational levels.
Aside from simply predicting what could happen, the aim of risk management is to develop the means to support the achievement of organizational objectives, realization of the strategic vision, and creation of value.

Risk management strongly influences decision making at the enterprise, portfolio, program, and project levels. At the enterprise level, the entire organizational strategy is the set of strategic and business management actions for countering business threats and exploiting business opportunities. These decisions and actions are often executed within the portfolio as part of its individual components: programs, projects, and operations.

The various perceptions and perspectives regarding risk management in each portfolio, program, and project management domain feed into one another in an iterative, interactive, and dynamic manner. Risks may be interconnected, have dependencies, and interact via feedback loops (see Figure 2-2). Details of this interaction are provided in Sections 5, 6, and 7.

[Figure 2-2. Cascading of Risk Management Strategy into Portfolios, Programs, and Projects. Levels shown: Strategy; Portfolios; Programs; Projects. Labels: Identify Business Risks (Threats and Opportunities); Translate risk management strategy into actions; Translate strategic objectives into organizational value and capabilities; Define tangible benefits and capability triggers; Escalate to higher levels when necessary. Arrows: Cascading Risk Management Strategy; Consolidating Risk Profiles and Risk Management Efficiency/Effectiveness.]

2.3.1 ENTERPRISE

The primary purpose of risk management is the creation and protection of value. ERM is an approach for identifying major risks that confront an organization and forecasting the significance of those risks to business processes.
The way in which risks are managed reflects the organization’s culture, capability, and strategy to create and sustain value. ERM addresses risks at the organizational level including the aggregation of all risks associated with the enterprise’s portfolio of programs and projects.

When exploring alternative strategies, ERM enables the alignment of each portfolio, program, and project component with the organizational strategy. ERM establishes the connections between the various governance levels through the bottom-up escalation of identified risks and the top-down definition of risk management strategies. The top-down process triggers the creation of programs, projects, and other activities aimed at exploiting specific opportunities and addressing business threats.

ERM provides a systematic, organized, and structured method for:

- Identifying and assessing all risks an organization faces,
- Developing suitable responses,
- Communicating status with stakeholders, and
- Assigning responsibility to monitor and manage risks in alignment with the strategic objectives of the organization.

ERM is an ongoing process that supports the plan-do-check-act sequence for continuous improvement. ERM is not limited to compliance and disclosure requirements nor is ERM a replacement for internal controls and audit. The application of ERM varies depending on the organization and could vary from year to year based on overall risk appetite, stakeholder expectations and requirements, and the internal and external environment.

There is no one-size-fits-all approach to performing ERM. The ERM function, structure, and activities vary with each organization. ERM is responsible for ensuring that all organizational risks are addressed and properly managed and monitored.
Risk management in the enterprise management context of integrated portfolio, program, and project management consists of:

- Elaborating the risk governance framework;
- Identifying operational and contextual risks at each level of the integrated governance framework, including both negative risks (threats) and positive risks (opportunities);
- Analyzing the identified risks from both the qualitative and quantitative perspectives and identifying the governance layer best suited to manage them according to the escalation rules in place within the portfolio, program, and project management framework;
- Defining an appropriate risk management strategy based on increasing the probability and/or impact of positive risks (opportunities) and decreasing the probability and/or impact of negative risks (threats);
- Identifying the risk owner and assigning the risk;
- Implementing the corresponding strategies and activities related to anticipative and/or responsive actions;
- Monitoring the effectiveness and efficiency of the risk management strategies deployed within the enterprise, portfolio, program, and project management framework;
- Ensuring alignment between portfolio, program, and project management risk governance models and the ERM strategy; and
- Promoting effective risk management within the entire enterprise through a risk management culture.

2.3.2 PORTFOLIO

Portfolio risk management categorizes risks as structural, component, and overall risk. Structural risks are risks associated with the composition of a group of projects and the potential interdependencies among components. Component risks at the portfolio level are risks that the component manager escalates to the portfolio level for information or action.
Overall, portfolio risk considers the interdependencies between components and is, therefore, more than just the sum of individual component risks.

Risk efficiency is a key element of managing risk at the portfolio level. Efficiency is achieved through adjusting the mix of portfolio components to balance risk and reward such that overall portfolio risk exposure is managed. Planning, designing, and implementing an effective portfolio risk management system depends on organizational culture, top management commitment, stakeholder engagement, and open and fair communication processes.

Portfolio risk management is important for the success of managing portfolios where the value lost due to component failure is significant, or when the risks of one component impact the risks in another component. As defined in The Standard for Portfolio Management, portfolio risk management ensures that components achieve the best possible success based on the organizational strategy and business model.

Portfolio risk management can be viewed as the management activities related to adapting the mix of portfolio components to the evolution of the organization’s business environment. Similar to enterprise strategy, the result of portfolio risk management strategy is defining and launching new components or closing other ones. Portfolio components can be responses to identified threats or opportunities in alignment with the organization’s overall business strategy.

2.3.3 PROGRAM

Program risk management strategy ensures effective management of any risk that can cause misalignment between the program roadmap and its supported objectives to organizational strategy. It includes defining program risk thresholds, performing the initial program risk assessment, and developing a program risk response strategy.
Program risk management determines how risks are to be communicated to governance layers and strategic levels of the organization. This level of strategic alignment requires that program risk thresholds take into account the organizational strategy and risk attitude. Program risks go beyond the sum of the risks from each project within the program. Program risk management applies the concepts of portfolio risk management to the set of program components.

The Standard for Program Management describes program risk management strategy as:

- Identifying program risk thresholds,
- Performing an initial program risk assessment,
- Developing a high-level program risk response strategy, and
- Determining how risks are to be communicated and managed as part of governance.

Program risk management aggregates operational risks for component projects and activities and handles the specific risks at the program level, which is dependent on the layers of accountability defined in the portfolio, program, and project governance models. Also, the perspective on risk at the program level is more focused on the immediate impact of risks than on the expected benefit.

2.3.4 PROJECT

Project Risk Management is a Knowledge Area of project management that identifies and manages project risks that could impact cost, schedule, or scope baselines. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) describes Project Risk Management as the processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring risk on a project. The objectives of Project Risk Management are to increase the probability and/or impact of opportunities and to decrease the probability and/or impact of threats in order to optimize the chances of project success.
The PMBOK® Guide states that when unmanaged, these risks have the potential to cause the project to deviate from the plan and fail to achieve the defined project objectives. Consequently, project success is directly related to the effectiveness of Project Risk Management.

Project Risk Management supports project objectives by adapting or implementing the courses of action and project activities to take advantage of emerging changes in the project environment. Thus, the project baselines (i.e., scope, schedule, and cost) are risk informed. All risks undergo qualitative analysis, and some risks undergo quantitative analysis when the risk impacts the baseline and/or when analysis of the combined effect of multiple risks is required.

2.4 KEY SUCCESS FACTORS

Enterprise (which includes organizational project management [OPM]), portfolio, program, and project risk management is conducted in a manner consistent with practices and policies. In addition, portfolio, program, and project risk management is conducted in a way that is appropriate to the characteristics of the endeavor. Specific criteria for the success of each risk management process are listed in the sections dealing with those processes. These key success factors for risk management enable the realization of the principles discussed in Section 1.3 and are illustrated in Figure 2-3.

[Figure 2-3. Key Success Factors for Risk Management]
The key success factors include:

- Recognizing the value of risk management. Portfolio, program, and project risk management is recognized by organizational management, stakeholders, and team members as a valuable discipline that provides a positive return on investment.
- Individual commitment/responsibility. Portfolio, program, and project participants and stakeholders accept responsibility for undertaking risk-related activities as required. Risk management is everyone’s responsibility.
- Open and honest communication. Everyone is involved in the risk management process. Any actions or attitudes that hinder communication about risk reduce the effectiveness of risk management regarding proactive approaches and effective decision making.
- Organizational commitment. Organizational commitment is established only when risk management is aligned with the organization’s goals, values, and ERM policies. Risk management actions may require the approval of or response from others at levels above the portfolio, program, or project manager.
- Tailoring risk effort. Risk management activities are consistent with the value of the endeavor to the organization and with its level of risk, scale, and other organizational constraints.
- Integration with organizational project management. Risk management does not exist in a vacuum isolated from other organizational project management processes. Successful risk management requires the appropriate execution of organizational project management and ERM processes, including the allocation of resources necessary for the effective application of risk management.
3 FRAMEWORK FOR RISK MANAGEMENT IN PORTFOLIO, PROGRAM, AND PROJECT MANAGEMENT

Risks are present in every organizational activity, especially across endeavors such as portfolios, programs, and projects. Organizational inertia is inherently risky because products and services become stale over time and organizations may lose their competitiveness due to societal and technological changes. Risks can be difficult to manage because a single risk can have a different impact on various components of portfolios and programs, and across the various levels of an organization. Organizations and professionals need to balance threats and opportunities and the dilemmas of inaction versus action. This section addresses this dilemma by providing the framework for risk management across the enterprise and its portfolio, program, and project management activities.

3.1 BUSINESS CONTEXT OF RISK MANAGEMENT IN PORTFOLIO, PROGRAM, AND PROJECT MANAGEMENT

All organizations encounter internal and external factors that influence their ability to achieve desired objectives. Achieving those objectives is rarely ensured. All organizational activities involve risk—even inaction. An organization manages risk through people, processes, technology, and information. Portfolio, program, and project managers are responsible for risks associated with their endeavors. These managers are responsible for working with stakeholders at various levels of the organization and applying a systematic, integrated approach to risk management.

Figure 3-1 represents the context of organizational activities, from the abstract (or the top of an organization) to the specific (or the bottom) where discrete tasks are completed. Risk permeates throughout the pyramid. The organizational strategy sets the direction through the vision and mission, and strategy defines specific goals and objectives for the organization. This is all-encompassing and includes operational and change activities.
[Figure 3-1. Risk across the Various Levels of the Organization. Labels: Context of Organizational Activities; Management of Risks; Vision; Mission; Organizational Strategy and Objectives; Portfolio Management: Strategic Planning and Management of Programs, Projects, and Operations; Management of Ongoing Operations (recurring activities): Producing Value; Management of Authorized Programs and Projects (projectized activities): Increasing Value Production Capability; Organizational Resources]

Goals and objectives are aligned with strategies. The attainment of business benefits and value requires the execution of operational and change plans. Organizations realize the benefits of change by executing plans and their associated activities, which result in the successful attainment of portfolio, program, and project objectives. Change by its very nature can be uncertain. For most organizations, change is inevitable and is necessary to maintain and sustain competitiveness.

To manage change successfully, organizations require a robust, well-thought-out strategic execution plan to implement portfolios, programs, and projects in a consistent manner over time. This requires the adoption of an effective organizational project management (OPM) implementation. OPM is a framework in which portfolio, program, and project management are aligned with strategy and integrated with organizational enablers in order to achieve strategic objectives.

Portfolio, program, and project management targets business objectives that support the organizational strategy. Some threats arise when strategy or business objectives are not aligned with the organization’s mission, vision, and core values.
Additional threats arise when business objectives do not support strategy or when endeavors, such as portfolios, programs, and projects, are not aligned with business objectives. Opportunities could be enhanced when strategy and business objectives are well aligned.

3.1.1 ORGANIZATIONAL FRAMEWORK

As shown in Figure 3-2, risk management includes all domains of the organization: enterprise, portfolio, program, and project. ERM is an approach to managing risk that reflects the organization’s culture, capability, and strategy to create and sustain value. It covers the policies, processes, and methods by which organizations manage risks (both threats and opportunities) to advance the mission and vision of the organization. Portfolio risk management derives its policies, processes, methods, and tolerance from the ERM framework and tailors it for the management of portfolios. Similarly, programs and projects adopt their respective risk management practices from the portfolio framework.

[Figure 3-2. Risk Management across Domains of Organizational Activities. Labels: Risk Management; Enterprise; Portfolio; Program; Project; Operations]

The governance board typically oversees ERM in that it steers the process with significant and proactive management engagement. The portfolio, program, and project managers manage and monitor communications with internal and external stakeholders, which is required to instill the importance and values of risk management, expected culture and behavior, and risk attitude.

3.1.2 ORGANIZATIONAL CONTEXT

The application of ERM is influenced by industry, regulations, and organizational context. By understanding the context in which the organization exists, portfolio, program, and project managers can tailor the optimal approach to risk management for their endeavors and simultaneously assist the organization in assessing and responding to risks.
Many factors can also impact the extent of risk management practices. Some of these factors include capital availability, competitive landscape, and risk attitude.

3.1.3 STRATEGIC AND ORGANIZATIONAL PLANNING

Risk management in portfolios, programs, and projects aligns with the setting of strategic vision, mission, goals, values, and business objectives. It provides the inputs for pursuing different alternatives. Strategic goals and business objectives are developed to realize the organization’s vision and mission in line with core values. Once these goals and objectives are set, they become inputs for risk management. If there are potential conflicts between strategic goals and the portfolio of work, then the risk is escalated to the proper level of management. See Figure 3-1.

3.1.4 LINKING PLANNING WITH EXECUTION THROUGH PORTFOLIO, PROGRAM, AND PROJECT MANAGEMENT

Portfolio, program, and project management refers to domains in the organizational project management (OPM) framework for managing capabilities and enhancing existing value or creating new value. Portfolio management serves as the bridge that connects strategic planning with business execution. By focusing on selecting the right portfolio components (e.g., programs, projects, and operational initiatives), portfolio management enables organizations to achieve alignment with strategy and to invest their resources wisely and effectively. Program and project management are then responsible for the implementation. These activities are performed within an environment that is full of risks.

While OPM enables an organization to leverage its results and implementation success and supports a healthy organization within a competitive and rapidly changing environment, it is not risk free. Therefore, it is essential for organizational leaders and managers to recognize the importance of managing risks to tackle threats and enable opportunities. Portfolio, program, and project managers work inclusively to (a) identify, analyze, evaluate, prioritize, recommend, plan, and implement risk responses; (b) monitor progress; and (c) adjust risk responses as appropriate.

3.2 SCOPE OF ACCOUNTABILITY, RESPONSIBILITY, AND AUTHORITY

The accountability, responsibility, and authority of risk management are shared by stakeholders involved in portfolio, program, and project management.

- Accountability is individual by nature and derived from a position held in the organization. Accountability is related to authority in that one is usually held accountable within one’s limits of authority. However, one still may be held accountable beyond one’s authority to act.
- Responsibility resides in an individual by the assignment of a function or task. By accepting the assignment, an individual takes on the associated responsibility. The fact that others higher in the organization may also be held responsible or accountable does not diminish the responsibility held by the individual. The assigning individual still is held accountable for the delegated task, but responsibility is passed to the assigned individual.
- Authority, like responsibility, may be delegated and gives an individual the ability to make decisions within defined bounds.

3.2.1 ACCOUNTABILITY AT THE ENTERPRISE LEVEL

The objective of risk management is to apply knowledge, skills, and good practices to manage the area of focus within the risk threshold that is acceptable to the organization, whether at the enterprise, portfolio, program, or project level. The purpose is to minimize the impact of threats to protect the organization from loss and to embrace opportunities that translate to value.
The management of risk across the continuum of portfolios, programs, and projects requires collaboration throughout the enterprise, and the recognition that failure to allocate the appropriate amount of resources could jeopardize the organization’s strategic objectives. Portfolio, program, and project management are responsible for supporting management policies, defining roles and responsibilities, setting targets, and overseeing implementation. The managers of the work are responsible for keeping senior management apprised of ongoing risk exposure and corresponding actions.

3.2.2 ACCOUNTABILITY AT THE PORTFOLIO LEVEL

In some cases, portfolios may exist for brief periods; however, portfolios often exist for as long as the organization itself exists. As a result, portfolio managers may oversee activities or authorize components that may take several years for the organization to realize the value of the investment. Any change in this landscape has direct implications on the organization’s strategic objectives. Specific external factors can include regulatory requirements or mandates, market conditions, and organizational restructuring.

Portfolio risk management tackles strategic, execution, and structural risks. Whereas program risk management evaluates risk across a related set of components, portfolio risk management is broad and considers risks that could impact unrelated components and operational activities within the portfolio. As a result, portfolio managers address several challenges when managing risk because portfolio-level risks encompass both external and internal factors by bridging organizational strategy to implementation.

3.2.3 ACCOUNTABILITY AT THE PROGRAM LEVEL

At the program level, the risks that are evaluated span the related components and, if triggered, could have a positive or negative impact on one or more other components.
Working with the component managers, it is the responsibility of the program manager to identify and manage these risks. Rather than manage these risks individually within the component, program managers ensure that program risks are managed through coordination.

When managing strategic risk, program managers may identify new risks that exceed the organization’s risk appetite and could directly impact the program. Strategic risks present both a threat and an opportunity. The program manager evaluates and reviews a set of response options for consideration with the governance body.

Within the program, risks can affect the delivery of specific components. The program managers advise their component managers of any shared risks and response plans that relate to individual components. There may be economies of scale and scope in that the shared risks may be managed by initiating one risk response at the program level.

3.2.4 ACCOUNTABILITY AT THE PROJECT LEVEL

At the project level, the objective of risk management is to (a) decrease the probability and impact of negative risks and (b) increase the probability and impact of positive risks specific to project deliverables or objectives.

Project managers are accountable for evaluating, reporting, and managing both individual and overall project risks within the constraints of the project. They may escalate certain risks to, or receive guidance from, sources such as the program manager, portfolio manager, project management office, governance board, and other leadership entities, depending on the complexity of the initiative and organizational inputs.
All project team members have the responsibility for managing risk, for example, the identification of risk during initiation, clarification of the trigger events, or awareness of potential new risks that could affect the endeavor.

3.3 GENERAL APPROACHES TO RISK MANAGEMENT

As risks are pervasive throughout portfolio, program, and project management activities, a systematic approach for managing risks is essential for the organization to achieve its strategic objectives. In this context of risk management, considerations include, but are not limited to, the following:

- Events or circumstances that may occur in the future (their variability and ambiguity);
- Events that could have a positive or negative impact on one or more objectives of the enterprise, portfolio, program, or project;
- Probability of the event occurring;
- Impact of the event should it occur; and
- Ability of the organization to influence favorable outcomes or minimize negative consequences.

3.3.1 FACTORS FOR EVALUATING RISK

Across the continuum of enterprise, portfolio, program, and project risk management, risks exist at all levels of the organization. Figure 3-3 provides a framework for classifying risks in one of four quadrants based on available information and the degree of ambiguity and variability. See Appendix X8 on Risk Classification for additional information.

[Figure 3-3, quadrant labels as far as they appear: Unknown–Known (Hidden fact): Knowledge exists in the community but not with the entity working on the endeavor. Unknown–Unknown (Emergent risk): Knowledge does not exist within the sphere of influence. Known–Known]
