Published here March 2015.


Musings Index

How Do Project Risks Impact Programs and Portfolios?

The approach to managing risks at the project level, i.e. project risk management, is well established by the various project management associations. At this level in an organizational hierarchy, Project Risk may be defined as follows:[1]

"The cumulative effect of the chances of uncertain occurrences that will adversely affect project objectives. It is the degree of exposure to negative events and their probable consequences. Project risk is characterized by three risk factors namely: risk event, risk probability and the amount at stake. In an uncertain environment, risk is the opposite of opportunity."

There are of course other shorter definitions, but this one is the most informative.

Quite a bit if time may be spent by the project's team on assessing the extent of risks on a project and finding ways to mitigate them in the interests of the success of their own project. But what if the project in question is one of several others that together form a program? How will the risks of all of these projects be accounted for at the program level? And might this not be an unnecessary duplication of project effort that could be a source of savings at the program level?

The Standard for Program Management, 3rd Edition, suggests that:[2]

"[Program Risks] arise from the program components (i.e. projects and other work) and their interaction with each other, from technical complexity, schedule and/or cost constraints, and with the broader environment in which the program is managed." Note, by the way, that all projects, and "other work" that form a part of a program are all chargeable to the program.

To the uninformed reader, one might assume from this description that all you have to do is to add up all the risks of all the projects and, voilą, you have the level of risk at the program level, i.e. program risk. Well, O-K, there will be some risks, such as a general worker shortage that pervades all the projects in the program, and hence are not exactly additive.

Still, the following definition is a little more helpful. At the program level, one of the definitions in the Wideman Glossary makes these observations:[3]

"Program risks are those that not only encompass the risks of individual projects but specifically identify those risks that may be repeated in subsequent projects in the program and hence may be mitigated by an early single uniform action. Program risks may also have a snowball effect on subsequent projects in the program and their associated systems. The latter class becomes progressively more work intensive to resolve.

But not all projects are created equal. It is quite possible that one particular project ("component", in PMI's program terminology) encounters a particularly difficult challenge (i.e. risk event). The solution to the challenge is expensive but essential to the creation of the product, and hence the completion of the project. Of course, the Project Manager's mandate is to complete the project successfully.

However, from the Program Manager's perspective, the contribution of the project's product to the program as a whole may be relatively limited. Hence the Program Manager's solution to the Project Manager's dilemma of facing the cost of fixing the problem, is to cut that project altogether. On the other hand, suppose instead the product of this project is critical to the whole program. Then failure is not an option. Hopefully, not all the other projects in the program are at the same level of criticality, so that the level of overall program risk lies somewhere in between the two choices.

From these simple examples, it is clear that assessing program level risks is not a matter of adding up all the risks in the respective projects in the program. Nevertheless, one way or another, project risks are the source of all program risks. If you are in any doubt, consider this: if there were no projects, there would be no program - and with no program there would be no risks!

Now, if we go up the ladder to the next level, that is to project portfolio management, we encounter exactly the same difficulties, only more so. But now the source of most risks are further away, i.e. at the bottom of the ladder, while the impacts are potentially more significant, being closer to the source of all the activity, the corporate strategy.

In an Email, a friend of mine put it this way:[4]

"In any business, risk does not exist at any one level; it pervades each level even though the likelihood, consequence and/or impact will have differing outcomes. Consider the Corporate risk model in Figure 1 shown below:

Figure 1: The Integrated Risk Model
Figure 1: The Integrated Risk Model

What we see is that the "risk impact" bar (red line) meanders through each of the levels but importantly will reflect the overall risk appetite at the Corporate level and the overall 'riskiness' at each of the other levels; it's slope and shape are obviously dependent upon what is happening on the journey up and down the risk ladder."

"This identification of risk at the various levels has got to be one of the most difficult areas of the Management of Risk - but it is also potentially the most satisfying. The objective is to obtain and retain within the project team joint ownership of the management of risk together with the Program (and/or portfolio) Manager Responsible, as you move up the levels in the business Integrated Risk Model. At no time is it suggested that accountability is anywhere else."

Whatever approach is taken to arrive at an overall risk profile for the project, program and/or portfolio as a whole, it is important that the executives at the corporate level understand the variability surrounding estimates of risk exposure - and, given their level of risk appetite, how that may influence their deliberations.

1. Wideman, R. Max,The Wideman Comparative Glossary of Project Management Terms v5.5, AEW Services, Vancouver, BC, Canada, 2000-2012, Ref. #D01719.
2. Project Management Institute, The Standard for Program Management, 3rd Edition, Section 8.7, p95
3. Ibid, Ref. # D06241.
4. Graham Selkirk, by Email 3/3/14. The Integrated Risk Model is copyright to Graham Selkirk.
Home | Issacons | PM Glossary | Papers & Books | Max's Musings
Guest Articles | Contact Info | Search My Site | Site Map | Top of Page