Portfolio Risk Management: aligning projects with business objectives to deliver value

Transcription

1 risk decisions 2011 Portfolio Risk Management: aligning projects with business objectives to deliver value by Val Jonas CEO Risk Decisions Group and Susheel Chumber Professional Services Manager, Risk Decisions Ltd management solutions

2 Val Jonas & Susheel Chumber: Portfolio Risk Management: Portfolio Risk Management: aligning projects with business objectives to deliver value Abstract Organisations are taking up the challenge to improve risk management at all levels from project and operations to Enterprise Risk Management. The focus is to ensure that business objectives are met. However, there tends to be a gap in the hierarchical structure of organisations where a strategic approach to risk management is required the portfolio level. This paper places the portfolio perspective in context, providing some practical insights into how portfolio risk management can deliver significant financial and non-financial benefits. By embedding portfolio risk management into your risk framework, its complementary approach supports risk management maturity across the organisation. In today s climate of increasing pressure, organisations must focus on managing risks to meeting objectives. Portfolio risk management can provide a quick return; so start now there s no time to waste. The challenge At any one time, a large organisation may have a significant number of ongoing projects, of varying types, stages and sizes, with different stakeholders, customers, suppliers and deliverables. One thing is certain these projects will have a significant amount of budget and resources assigned to them; what is uncertain is exactly what benefits they will deliver. Therefore, organisations align their projects with business objectives, in order to ensure they will deliver value. Then, after the business case has been signed off, focus switches to successful project delivery. However, what is often forgotten is the importance of maintaining the alignment of projects with business objectives, which frequently change over time. Projects are approved with defined scope and cost / time / performance targets; but the environment within which they are executed is constantly evolving. For example: External political, environmental and market conditions alter Sponsors come and go with regular management reorganisations Customer expectations change over time There are also internal challenges: Projects compete for resources and management attention Projects are often interdependent, having impact on each other These challenges are both external and internal to a project s context, and are all sources of risk to the project s ability to deliver value. So no matter how good your organisation is at keeping projects on track, they may often be overtaken by events beyond their control. Different risk management perspectives In order to understand how to keep project deliverables aligned with business objectives, it is useful to understand the different risk management perspectives in an organisation. Senior managers are responsible for delivering business objectives, which requires awareness of potential market changes and the political environment, as well as responsibilities for strategic direction and governance. Their role is to deliver shareholder (and/or stakeholder) value. Figure 1. Environmental risks impact on projects ability to deliver against business objectives 2 risk decisions 2011

3 Val Jonas & Susheel Chumber: Portfolio Risk Management: External Context Busines Objectives Governance (Risk, Controls Compliance) Shareholder, Stakeholder Value Exhibit 4. Top down and bottom up communication even if they do this, the follow-on decision-making process is often slow, contributing to continued inefficiencies. Figure 2. Senior manager risk perspective (Top down) Project and programme managers are focused on the balance of time, cost and performance; juggling resources, managing scope and budgets, identifying opportunities, controlling change, as well as handling the interface with the customer and other projects. Their role is to meet the hard targets set as their deliverables. Responsibility for identifying such issues is often left up to programme and other middle managers; however, they rarely have sufficient oversight of the business or independent objectivity to provide a balanced view. So, there needs to be some infrastructure in the organisation with responsibility for monitoring and managing risk to business objectives in a proactive and robust way. Cost (Budgets) Performance (Quality, Scope) Time (Schedule) Deliverables Portfolio risk management the missing link A major role of the portfolio manager is to assess and approve business cases. However the responsibility does not stop there it extends throughout the life of the project. If, at any time, some uncertainty, influence or event threatens the validity of the original business case, then a review should be triggered. If the business case can no longer demonstrate business benefits (independently or relative to other business opportunities) then an appraisal of the options, with recommendations for action, must be reported to senior management for decisions to be made. Figure 3. Project risk perspective (Bottom up) Unfortunately, there tends to be a major disconnect between project/programme and senior management perspectives, which needs to be bridged for the organisation to perform effectively. Addressing the disconnect The first challenge to be tackled is how to improve communication top down and bottom up. Projects will continue on their pre-determinded path unless senior managers communicate significant environmental changes that may affect them. Similarly, managers will assume that strategic objectives will be met unless concerns or assumptions about project delivery are brought to their attention. Focussing on individual business cases would result in a view of projects and programmes that is too narrow. So the portfolio level is responsible for optimisation across a set of projects, with focus placed on balancing risk and reward, in line with business risk appetite. Organisations should see risk taking as a good thing, as long as it is properly understood and managed. This measured approach is the ongoing focus of portfolio risk management. A major role of the portfolio risk manager is to provide two-way communication of key risk information, and hence assurance that delivery of business benefits is secure. Business Case (decision making) Optimisation (maximise ROI) The second challenge is to ensure that there is a mechanism to respond to these environmental risks that arise. This may require just a simple realignment of the project; but in extreme cases a complete review of the business case and major change or cancellation of the project may be necessary. Balance (risk and reward) Benefits Many organisations fail in this area, as their inclination or ability to revisit the original business case under new conditions is limited. And Figure 5. The portfolio risk management perspective risk decisions

4 Val Jonas & Susheel Chumber: Portfolio Risk Management: A periodic review may show that a project is no longer able to deliver the required benefits and drastic action might be recommended, even though the project is currently performing very well against its original targets. The result will not necessarily be project closure; it may just need to be adjusted to address the risk or match new business needs. Figure 6. Bridging the gap between top-down and bottom-up Risk management A framework to manage risks Risk management is driven from the top. People down through the organisation require guidance to allow them to make judgements on the importance and acceptability of different types of risk. This guidance must include a statement on the organisation s risk appetite (quantitative and qualitative thresholds and triggers), explicit assignment of responsibilities for ensuring risks are managed, support in prioritising key risk response actions, as well as delegated authority and budgets/resources (management reserve) to carry them out. The behaviours demonstrated top down will drive behaviour down through the organisation. The link with Enterprise Risk Management Enterprise risk management (ERM) requires proactive involvement from the extended organisation. Portfolio risk management provides a key component of ERM because it glues together organisational silos. Business case preparation and ongoing progress reviews involve input from appropriate functional, operations and logistics departments, as does ongoing assurance and risk management activities. Portfolio risk managers have responsibility for coordinating involvement of various parties; they should be independent of specific business units, functions, programmes, etc, to provide an objective view. It is the responsibility of the portfolio risk manager to ensure risk management activities from senior management at the top and all the way down through programmes and projects are functioning efficiently. Having set up this framework, a good structure is required to ensure both significant tactical risks and strategic business risks are understood, communicated and managed up and down, to inspire confidence, ensure timely decisions are made and maximise business success. For example, a project may identify a tombstone risk (one that, if it were to occur, would kill the project); if no acceptable mitigation response can be found at the portfolio level, then this risk needs to be brought to the attention of senior management, for appropriate action. Figure 8. The area of ERM covered by portfolio risk management Different parts of the enterprise may use different risk guidance, for example PMBoK (PMI) or PRAM (APM) for projects, M_o_R (OGC) or ISO3100 for wider strategic or business risk. From a portfolio perspective, it doesn t matter that there are different dialects of risk management across the organisation, as they essentially follow the same basic process as can be seen below. Figure 7. A framework to manage risks 4 risk decisions 2011

5 Val Jonas & Susheel Chumber: Portfolio Risk Management: Figure 9. Similarity between risk process guidelines Implementing portfolio risk management Very few organisations have moved beyond a very simple implementation of ERM, but many now have reasonably mature project, programme and other specialised risk management capabilities in place. Portfolio risk management can assist in raising the profile and maturity of risk management, particularly if your organisation operates a gated approval process. A full disclosure of risk should be provided at each stage of business case appraisal and then through ongoing review and reporting periods. This means that risk at each stage of the lifecycle should be stated, not just the stage currently being reviewed or approved. Further improvements can be achieved with risk maturity models. For example, some organisations require a project team to demonstrate a minimum level of risk maturity (process and practice). The example below shows a risk maturity model with 7 criteria and 4 levels: Ad Hoc, Initial, Repeatable and Managed. The lowest score determines the maturity of the team in the example below this is Ad Hoc, shown by the red line. Manage a higher-level budget for show-stopper risks across the organisation It will also be necessary to implement an Enterprise Risk Management tool, such as Predict! to identify, assess, manage and provide consistent reporting on risk across the organisation. To deliver joinedup risk management, it is not practicable to operate separate spreadsheet risk registers for different projects, business units etc. A central database repository for assessing risk and approving response actions, with Risk Management Clusters to represent business case entities is required. While it is unlikely to be the responsibility of the portfolio risk manager to measure and improve risk maturity across the organisation, it is a useful measure in business case appraisal. For example, not only does the business case need to be sound, but the team put in place to carry out the project needs to prove itself capable of delivery. Other areas in which portfolio risk management can provide support are: To act as a centre of excellence to support risk management practices Support HR in ensuring all staff are trained in risk management Promote a consistent approach to risk management Run a risk steering group to support proactive communication of risk Overall Maturity Level Context Identity Analyse Evaluate Treat Monotor Culture review Figure 10. An example risk maturity model Managed Repeatable Initial Ad Hoc risk decisions

6 Val Jonas & Susheel Chumber: Portfolio Risk Management: Portfolio risk management no time to waste The journey to effective risk management can take some time, but whatever stage your organisation is currently at, portfolio risk management can deliver quick and effective results. Its practical risk to objective approach requires only a small number of key top level risks to be identified and assessed against each project, allowing a clear risk profile to be communicated to senior management for timely intervention if required. Any project that does not have clear and current objectives needs to be reviewed immediately. Once all projects have a risk profile, these should be standardised for review by a wider management group responsible for overseeing projects and programmes. Functional managers should be encouraged to identify common risks across projects, so that strategic actions can be identified, saving money by eliminating duplicated lower level actions. References Association for Project Management (2004) Project Risk Analysis & Management Guide, 2nd Edition, Association for Project Management, High Wycombe, Bucks, UK; ISBN Association for Project Management (2002) Earned Value Management: APM Guideline for the UK, Association for Project Management, High Wycombe, Bucks, UK; ISBN Project Management Institute (2004) A Guide to the Project Management Body of Knowledge (PMBoK), 3rd edition, Project Management Institute, Philadelphia, US; ISBN X Association of Project Management (2008) Interfacing Risks and Earned Value Management, Association for Project Management, High Wycombe, Bucks, UK; ISBN 10: ; ISBN 13; Once risk appraisal across all projects is in place, the portfolio risk manager should be well placed to look back at risks that have occurred and provide advice across all projects on lessons learned. Portfolio risk management is currently under utilised and is therefore an area in which organisations can gain significant competitive advantage. However, the challenge in implementing it should not be underestimated. Portfolio risk management may be seen as a threat by projects with a vested interest in maintaining the status quo. In an environment where cash is short and resources are stretched, it is likely that an increasing number of projects have an uncertain future. Ensuring continuous alignment with current objectives, even if that means significant change for a project, could in turn save it from closure. And remember, closing a project isn t necessarily bad. It could be that it just no longer meets business requirements and closing it will mean that more beneficial projects can then proceed. So start managing risk from a porfolio perspective today there s no time to waste. Now Progress Benefits Risk? Lessons learned Response actions Figure 11. A backward and forward looking approach to managing risk 6 risk decisions 2011

7 Val Jonas & Susheel Chumber: Portfolio Risk Management: Appendix 2: Glossary Where source is in brackets, minor amendments have been incorporated to the original definition. Term Definition Source Budget The resource estimate (in /$s or hours) assigned for the accomplishment of a specific task or Risk Decisions group of tasks. Change Control (Management) Identifying, documenting, approving or rejecting and controlling change. (PMBoK) Control Account (CA) A management control point at which actual costs can be accumulated and compared to earned value APM EVM and budgets (resource plans) for management control purposes. A control account is a natural management guideline point for budget/schedule planning and control since it represents the work assigned to one responsible organisational element on one Work Breakdown Structure (WBS) element. Cost Benefit Analysis The comparison of costs before and after taking an action, in order to establish the saving achieved Risk Decisions by carrying out that action. Cost Risk Analysis (CRA) Assessment and synthesis of the cost risks and/or estimating uncertainties affecting the project to (PRAM) gain an understanding of their individual significance and their combined impact on the project s objectives, to determine a range of likely outcomes for project cost. Enterprise Risk Map The structure used to consolidate risk information across the organisation, to identify central Risk Decisions responsibility and common response actions, with the aim of improving top down visibility and managing risks more efficiently. Enterprise Risk Management (ERM) The application of risk management across all areas of a business, from contracts, projects, programmes, Risk Decisions facilities, assets and plant, to functions, financial, business and corporate risk. Left Shift The practice by which an organisation takes proactive action to mitigate risks when they are identified Risk Decisions rather than when they occur with the aim of reducing cost and increase efficiency. Management Reserve (MR) Management Reserve may be subdivided into: APM EV/Risk Specific Risk provision to manage identifiable and specific risks Non-Specific Risk Provision to manage emergent risks Issues provision Non-specific Risk Provision The amount of budget / schedule / resources set aside to cover the impact of emergent risks, APM EV/Risk should they occur. Operational Risk The different types of risks managed across an organisation, typically excluding financial and corporate risks. Risk Decisions Opportunity An upside, beneficial Risk Event. PRAM Baseline An approved scope/schedule/budget plan for work, against which execution is compared, to measure (PMBoK) and manage performance. Performance Measurement The objective measurement of progress against the Baseline APM EV/Risk Proactive Risk Response An action or set of actions to reduce the probability or impact of a threat or increase the probability (PRAM) or impact of an opportunity. If approved they are carried out in advance of the occurrence of the risk. They are funded from the project budget. Reactive Risk Response An action or set of actions to be taken after a risk has occurred in order to reduce or recover from (PRAM) the effect of the threat or to exploit the opportunity. They are funded from Management Reserve. Risk Appetite The amount of risk exposure an organisation is willing to accept in connection with delivering a APM EV/Risk set of objectives. Risk Event An uncertain event or set of circumstances, that should it or they occur, would have an effect on the PRAM achievement of one or more objectives. Risk Exposure The difference between the total impact of risks should they all occur and the Risk Provision. APM EV/Risk Risk Management Clusters Functionality in Risk Decisions Predict! risk management software that enables users to organise Risk Decisions different groups of risks to form a single, enterprise-wide risk map. Risk Provision The amount of budget / schedule / resources set aside to manage the impact of risks Risk provision APM EV/Risk is a component part of Management Reserve Risk Response Activities Activities carried out to implement a Proactive Risk Response. APM EV/Risk Schedule Risk Analysis Assessment and synthesis of schedule risks and/or estimating uncertainties affecting the project (PRAM) ability to meet key milestones. Schedule Reserve The schedule component of Management Reserve. APM EV/Risk Specific Risk Provision The amount of budget / schedule / resources set aside to cover the impact of known risks, should they APM EV/Risk occur. It is not advisable to net opportunities against threats and so a separate value is calculated for each. Threat A downside, adverse Risk Event PRAM Uncertainty The spread in estimates for schedule, cost, performance arising from the expected range of outcomes. APM EV/Risk Often termed estimating error. Working Group risk decisions

8 Val Jonas & Susheel Chumber: Portfolio Risk Management: About Risk Decisions Risk Decisions Limited is part of Risk Decisions Group, a pioneering global risk management solutions company, with offices in the UK, USA and Australia. The company specialises in the development and delivery of enterprise solutions and services that enable risk to be managed more effectively on large capital projects as well as helping users to meet strategic business objectives and achieve compliance with corporate governance obligations. Risk Decisions has introduced many innovative features that have since become standard features in the industry including the risk hierarchy tree, combined threat and opportunity risk impact grids and automated schedule risk analysis. The company plays a significant role in influencing risk management policy, making important contributions to APM, OGC and PMI risk management guides and standards, including guidance on interfacing risk with other disciplines, such as Earned Value and Systems Engineering. Clients include Lend Lease, Mott MacDonald, National Grid, Eversholt Rail, BAE Systems, Selex Galileo, Raytheon, Navantia, UK MoD, Australian Defence Materiel Organisation and New Zealand Air Force. For further information visit: or contact Alex Leggatt at: Risk Decisions Ltd, Whichford House, Parkway Court, Oxford Business Park South, Oxford, OX4 2JY Tel: alex@riskdecisions.com European HQ For enquiries from the UK and mainland Europe. Risk Decisions Ltd Whichford House Parkway Court Oxford Business Park South Oxford OX4 2JY United Kingdom For general enquiries: Tel: +44 (0) Fax: +44 (0) enquiries@riskdecisions.com For help desk support: Tel: +44 (0) Fax: +44 (0) support@riskdecisions.com management solutions