Portfolio Risk Management Process

From apppm
Revision as of 10:29, 19 February 2018 by JensMoller (Talk | contribs)




To control the risks that affect a portfolio, it is necessary to work through four aspects of Portfolio Risk Management: identification, analysis, response development, and monitoring and control. This article briefly discusses the theory before going in depth with the processes of the four aspects. The first aspect is identification. In the identification phase, all the types of risks regarding portfolio management are found. Once the risks have been found, they are analyzed in terms of portfolio management. A plan of responses is then developed based on the analysis. The plan consists of concrete actions, when to execute them, and who has the responsibility to act when the situation occurs. When the plan has been set, the assigned manager monitors the risks and their surroundings and acts if needed. The assigned manager also keeps a record of new findings and new experiences.

The four aspects should be handled iteratively, so that all of them are applicable at all times. Three types of iteration might be needed. The first goes from the response phase back to the analysis phase: the impact of the developed responses has to be analyzed again to make sure that they work as anticipated in relation to the entire portfolio. The second occurs when the conditions of a certain risk change and it has to be identified again. The last occurs when an entirely new risk arises and must be processed through all the phases.

Process overview

Prerequisites / good to know (needs to be written out):

- Known >< Unknown
- Threats >< Opportunities
- Risks -> Measurable criteria
  - estimations
  - gives tangible experience for future use
  - gives the opportunity to differentiate the responsibilities
- Experience
- Balanced portfolio
  - Risk tolerance
  - BCG matrices
  - Tactical & strategic objectives
- Stakeholders might bring information

Identification of the portfolio risks

It is important to realize that there are three types of risks to identify in portfolio risk management[1]: structural risks, component risks and overall risks. Structural risks are the ones related to the interactions between the components, where a component is either a project or a program. Structural risks are normally threats in the form of resource issues, but can also be opportunities, e.g. in the form of niche qualification. Component risks are normally handled by the project or program manager, but they become relevant for the portfolio manager when they escalate beyond the mandate of the component manager. The reason is that the magnitude of these risks might have a significant effect on the portfolio or have a strategic aspect. These kinds of risks are normally related to the three parameters of the iron triangle. The portfolio risk manager has the overall responsibility, which means that the portfolio manager also needs to bring in the project- and program-related risks. The last type is the overall risks. These are the risks that emerge when components interact in the portfolio, i.e. all risks that are not covered by the types mentioned above. The different components have completely different objectives, missions or visions. Overall risks can also give the opportunity to distribute best practice to other components. Example: A portfolio has four components, called A, B, C and D. Component B finds best practice in a certain area of expertise that is applicable in components A and D. This gives the opportunity to optimize A and D based on the development in component B.


The identification phase has various kinds of input that can be used to specify the risks in a portfolio. The main categories are Enterprise Environmental Factors, Organizational Process Assets, Lists of Selected Portfolio Components, the Portfolio Management Plan and Escalated Component Risks. It is important to consider which types of input are relevant for the specific portfolio. Enterprise Environmental Factors are the public information that affects the portfolio, e.g. academic studies and benchmarking, among others. In some experienced companies, internal databases are used to share gained knowledge throughout the organization; these historical files are called Organizational Process Assets. A third type of input is the list of selected portfolio components, which commonly acts as the baseline of the estimated risks. The Portfolio Management Plan provides input from a higher level of management regarding scheduling, risks, cost and quality. It shows the known risks in the plan and allocates the responsibility and budgets, in which provision for risks is included. It also gathers some processing and governance knowledge and the risks that follow from it. The risks will often be illustrated in a Risk Breakdown Structure. The last type of input is the Escalated Component Risks, which are closely related to the component risks described previously.

Tools and Techniques

In the process of identifying the risks and making a Portfolio Risk Register, some tools and techniques are very useful: Documentation Reviews, Information Gathering Techniques, Checklist Analysis, Assumptions Analysis and Diagramming Techniques. All the tools have pros and cons, and it is important to use the appropriate tools and techniques for the specific situation.

Documentation Reviews are based on big data gained at component management level, which is matched with the portfolio management objectives.

Information Gathering Techniques cover brainstorming, the Delphi technique, interviewing, root cause identification and SWOT analysis. Brainstorming is an effective way of making the framework of the identification. It can be done by gathering a group of experts who simply empty their brains in order to get every possible risk on the table. After this exercise the experts organize the risks in a risk breakdown structure. When different agendas cloud the objectivity of the process, the Delphi technique can be used. The participants of the Delphi technique are a facilitator and a group of experts, who at some point anonymously agree on the facilitator's questions regarding the risks. Interviews can be used to interpret the risks. The participants can be stakeholders, component participants, experts, sponsors and so forth. Probably the most effective and most difficult tool is root cause identification. As the name suggests, the tool focuses on the roots of the risks. It can also be used with the risk breakdown structure, where the risks are categorized by their roots. To get a broader perspective, looking at the risks related to the dimensions of a SWOT analysis can be effective. It gives both the in-house perspective in relation to strengths and weaknesses and the outward perspective of opportunities and threats.

The Checklist Analysis is a nice, quick way to identify the risks. Keep in mind that it is based on previous experience, so new aspects will often be missed when using this tool. When used on routine work it is very effective. The Assumptions Analysis, on the other hand, can identify risks which haven't been experienced. Possible assumptions are tested and the outcomes are assessed and validated. The tool is efficient for 'thinking out of the box', but it is constrained by the participants' imagination. Hence it is important to keep the unknown unknowns in mind.

The last type of tool is the Diagramming Techniques. These are basically visualizations of causality in relation to possible risks and portfolio objectives, e.g. cause-and-effect diagrams, system or process flow charts and influence diagrams. The tools can also help categorize the risks, e.g. the Risk Component Chart, amongst others.


The output of the identification is the Portfolio Risk Register, which is a supplement to the Portfolio Management Plan. It consists of a list of identified risks, risk owners, a list of potential responses, root causes of risks and updated risk categories. It is basically a summary of the work above, i.e. the risks are lined up with the dedicated manager and the mandated responses. It might also contain the root of each risk, if it is known. The Portfolio Risk Register should be updated whenever needed, and a new risk breakdown structure is then made.

Analyze Portfolio Risks


The input for the Analyze Portfolio Risks phase is the output of the Identify Portfolio Risks phase. It consists of the Portfolio Risk Register and the Risk Management Plan. The risks found in the identification phase are analyzed and prioritized based on their impact and probability. The impact can have different parameters, e.g. financial, environmental, strategic et cetera. The tolerance of the risks is also part of the analysis. Time gives an extra dimension to the analysis in terms of immediate responses to the risks. If the information is subject to bias or in other ways not comprehensive, the acting manager should gather the missing information. The analysis must be checked routinely to make sure that the assumptions haven't changed; if they have, a new analysis should be made.

Tools and techniques

The tools used for the analysis are normally divided into two categories: Risk Probability and Impact Assessment, and Risk Combining and Modeling Techniques.

Risk Probability and Impact Assessment investigates the probability of a certain risk happening and the actual impact if it happens. It is very important to keep the quality of the input in mind during this process. The risks should be formulated in measurable variables and parameters in order to calculate the probability as objectively as possible. The larger the amount of data, the better. The probability is normally visualized as a distribution, e.g. a normal distribution. The impact and probability are typically investigated by experts in interviews or with the Delphi technique. Impact and probability are not worth much without each other. Hence the two are often combined in the analysis with tools like the Probability and Impact Matrix, or financial tools combined with scenario analysis.

Risk Combining and Modeling Techniques analyze the components both in terms of structure and composition. The analysis reaches beyond the accumulated risks of the components that escalate in magnitude to the portfolio level. It is also about the risks that exist because of the interaction of the components. It is typically done by using sensitivity analysis and by modeling and simulation. The sensitivity analysis investigates the risks with the biggest impact on the portfolio. It does so while the other parameters are held at the baseline. It shows the sensitivity of one parameter, which is not the worst-case scenario but a relatively more likely scenario. The visual output of the sensitivity analysis could be a tornado diagram. This is a strong tool for prioritizing the risks and deciding where to focus the action and response. The modeling and simulation could be a Monte Carlo technique. The simulation and modeling are based on parametric optimization. The parameters can be several portfolio objectives that are iteratively and randomly simulated. The parameters can have financial, time or quality aspects, and basically every important measurable variable can be a parameter. The iteration is typically computer generated. The output can be the most likely scenario or the worst-case scenario.
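The techniques described above, as an added example that is not part of the original article: a probability-and-impact ranking, a one-at-a-time sensitivity analysis (the data behind a tornado diagram) and a Monte Carlo simulation over a small risk register. The risk names, probabilities, impact ranges (in kEUR) and the triangular impact distribution are assumptions constructed for illustration.

```python
import random

# Constructed sample register: (risk, probability, (min, most likely, max) impact in kEUR).
REGISTER = [
    ("Shared resource shortage", 0.40, (50, 120, 300)),
    ("Escalated component delay", 0.25, (80, 200, 600)),
    ("Regulatory change", 0.10, (200, 400, 900)),
    ("Supplier insolvency", 0.05, (300, 700, 1500)),
]

def rank_by_expected_impact(register):
    """Probability x most likely impact, highest first (one cell value per risk)."""
    return sorted(register, key=lambda r: r[1] * r[2][1], reverse=True)

def tornado(register):
    """Swing one risk's impact from min to max while the others stay at baseline."""
    baseline = sum(p * likely for _n, p, (_lo, likely, _hi) in register)
    bars = [(name, baseline + p * (lo - likely), baseline + p * (hi - likely))
            for name, p, (lo, likely, hi) in register]
    # Widest bar first, which is the order a tornado diagram is drawn in.
    return baseline, sorted(bars, key=lambda b: b[2] - b[1], reverse=True)

def simulate(register, trials=20000, seed=1):
    """Monte Carlo: each trial decides which risks occur and draws their impact."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for _name, p, (lo, likely, hi) in register:
            if rng.random() < p:
                total += rng.triangular(lo, hi, likely)
        totals.append(total)
    totals.sort()
    return {"mean": sum(totals) / trials, "p50": totals[trials // 2],
            "p80": totals[int(trials * 0.8)], "worst": totals[-1]}

if __name__ == "__main__":
    for name, p, (_lo, likely, _hi) in rank_by_expected_impact(REGISTER):
        print(f"{name:28s} P x I = {p * likely:6.1f}")
    baseline, bars = tornado(REGISTER)
    print(f"baseline exposure: {baseline:.1f}")
    for name, low, high in bars:
        print(f"{name:28s} {low:7.1f} .. {high:7.1f}")
    print(simulate(REGISTER))
```

The simulated mean is higher than the baseline exposure because the impact ranges are skewed towards the high end, which is the kind of effect a single most-likely estimate hides.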


The output of the Analyze Portfolio Risks phase is an update of the Portfolio Risk Register and the Portfolio Risk Exposure Charts. The update consists of a ranking of the list of portfolio risks. The priority can be divided by objective, which gives the portfolio manager a better overview of the objectives and the overall goals. The risk breakdown structure should by now be categorized by either root causes or portfolio objectives. Some immediate responses can be part of the output, but the focus should be on the risks in the near future. The risks that are not prioritized should be put on a watch-list for monitoring. Since the process is iterative, some of the risks will occur in the analysis more than once. Therefore, information about overall trends should be gathered to check whether the anticipated effect is materializing as expected. The trend monitoring could also reveal a need for urgent responses.

Portfolio Risk Exposure Charts:

- Outcome probability analysis of the portfolio
- Probability of achieving portfolio objectives

Developed and planned responses to the analyzed risks

- Needs to be written out.

- General theory
- Input
- Tools and techniques
- Output

Monitoring and responding to Portfolio risks

- Needs to be written out.

- General theory
- Input
- Tools and techniques
- Output


- Needs to be written out.


  1. The Standard for Portfolio Management, Second Edition, Project Management Institute, 2008