The importance of risk

Earlier today I was asked “How should an enterprise portfolio management office deal with risk and align to organisational risk?”. 

Let’s be honest: for most people risk is not an interesting subject, and mentioning it probably results in a sinking feeling… but it is incredibly powerful, honestly.

When managing an EPMO, risk is one of the most important things to understand in order to make effective decisions, and it comes from many directions: 

  1. Project / Programme risk – these are risks identified on a project or programme in the portfolio. The project needs to understand and track how they are performing, whether the probability of realising the risk is high or low, increasing or decreasing in likelihood, what the consequences of that risk will be to the cost, schedule or outcome realisation, and whether there are clear, actionable mitigations in place which are being implemented to prevent it from occurring. As risks are realised or mitigated the project should be refining the plan, cost and benefits accordingly, and in doing so you will hopefully see cost contingency reduce, while plan and benefits confidence increases. 
  2. Portfolio risk – these are the risks that generally sit above individual projects/programmes and impact the portfolio as a whole. These are risks that will stop the portfolio from achieving its objectives, that will impact multiple projects/programmes, reduce capacity, change investment phasing, or delay dependencies between activities. They may be external to the portfolio, such as environmental or organisational factors, or within the control of the portfolio, associated with dependency management for example. There may be a few critical risks from individual programmes that rise up to portfolio level just because of the scale of impact, especially if they alone have a material impact on the objectives.
  3. Organisational risk – these are risks that sit within the organisation, whether that be within specific functions, regions or at enterprise level. An EPMO needs to understand these and their relationship to the planned activity. This could manifest in a project specifically required to mitigate an organisational risk, or to address an audit action related to a risk. Equally, it could be understanding the impact that the realisation of a risk or the implementation of a mitigation action will have on planned/in-flight activity.

The key across all of these types of risk is that they should all be measured and reported on in the same way: they should all have probability and impact scores based on the same criteria, and mitigation actions that are realistic and managed. By doing this they can be easily understood, aggregated and summarised, providing transparency and ensuring that when decisions are made at any level, the impact is clear.
