This is an update and expansion upon PMI’s popular reference, The Practice Standard for Project Risk Management. Risk Management addresses the fact that certain events or conditions may occur with impacts on project, program, and portfolio objectives. This standard will: identify the core principles for risk management; describe the fundamentals of risk management and the environment within which it is carried out; define the risk management life cycle; and apply risk management principles to the portfolio, program, and project domains within the context of an enterprise risk management approach It is primarily written for portfolio, program, and project managers, but is a useful tool for leaders and business consumers of risk management, and other stakeholders.

The Project Management Institute provides services including the development of standards, research, education, publication, networking-opportunities in local chapters, hosting conferences and training seminars, and providing accreditation in project management.

The Standard for Risk Management in Portfolios, Programs, and Projects

Project Management Institute, Inc.

Contents

INTRODUCTION

Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives. Positive risks are opportunities, while negative risks are threats.

The practice of risk management includes planning the approach, identifying and analyzing risks, response planning and implementation, and ongoing monitoring of risks. Risk management is an essential aspect of all organizational activities. This standard describes the application of risk management within an enterprise risk management (ERM) context that includes the portfolio, program, and project domains. Risk management shapes the decision-making processes across the organization and within each of the domains.

The degree to which risk management is pursued can be the difference between success and failure. PMI's 2015 Pulse of the Profession report found that for organizations that apply a formal risk management approach, 73% of projects meet their objectives, 61% finish on time, and 64% are completed within the approved budget [1].

Risk management allows an organization to:

[??] Anticipate and manage change,

[??] Improve decision making,

[??] Proactively implement typically lower-cost preventive actions instead of higher-cost reaction to issues,

[??] Increase the chances to realize opportunities for the benefit of the business,

[??] Generate broad awareness of uncertainty of outcomes,

[??] Act upon the transformations taking place in its business environment, and

[??] Support organizational agility and resilience.

Risk management also establishes iterative connections among portfolios, programs, and projects and links these connections with ERM and organizational strategy.

1.1 PURPOSE OF THIS STANDARD

This standard describes the concepts and definitions associated with risk management and highlights the essential components of risk management for integration into the various governance layers of portfolios, programs, and projects with the following major objectives:

[??] Describe the fundamentals of risk management,

[??] Support the objectives of and demonstrate the link to ERM, and

[??] Apply risk management principles, as appropriate, to portfolio, program, and project domains as described in the PMI foundational standards.

This standard fulfills a business need to provide a standard for risk management in portfolio, program, and project management that defines the essential considerations for risk management practitioners. It expands on the knowledge contained on risk management in the relevant sections of the PMI foundational standards.

This standard can be used to harmonize practices between ERM and portfolio, program, and project management, regardless of the life cycle approach used.

PMI is committed to providing global standards that are widely recognized and consistently applied by organizations as well as practitioners. Increasingly, organizations are requiring practitioners to use risk management practices in portfolio, program, and project management as an integral part of their ERM framework.

1.2 APPROACH OF THIS STANDARD

This standard presents the what and why of risk management. The following concepts are elaborated in this standard:

[??] Purpose and benefits of risk management;

[??] Principles and concepts of risk management in portfolios, programs, and projects;

[??] Risk management life cycle in portfolios, programs, and projects; and

[??] Integration of risk management within portfolios, programs, and projects.

This standard provides guidance on integrating risk management practices into all key areas of enterprise, portfolio, program, and project management. The aim is to ensure that the management of risk is an inherent, natural part of all management domains. The scope of this standard is to provide guidance and not to impose uniformity of processes across portfolios, programs, and projects. When planning and implementing risk management, it is essential that each team consider the characteristics of the organization, portfolio, program, or project. The approach presented in this standard is based on risk management principles that can be used as guidance when designing specific management or business processes adapted to the organizational environment and nature of the work.

1.3 PRINCIPLES OF RISK MANAGEMENT

There are specific core principles that underlie the process of risk management. The seven principles provided in Sections 1.3.1 through 1.3.7 guide the risk management processes and are integral to effective risk management.

1.3.1 STRIVE TO ACHIEVE EXCELLENCE IN THE PRACTICE OF RISK MANAGEMENT

Risk management allows organizations and teams to increase the predictability of outcomes, both qualitatively and quantitatively. This principle is about reaching the appropriate level of organizational process maturity (the ability of an organization to apply a certain set of processes in a consistent manner) and the optimal level of performance. Excellence in risk management is not achieved by the strict and exhaustive application of related processes. Rather, excellence can be achieved by (a) balancing the benefits to be obtained with the associated cost and (b) tailoring the risk management processes to the characteristics of the organization and its portfolios, programs, and projects. Process excellence in risk management is itself a risk management strategy.

1.3.2 ALIGN RISK MANAGEMENT WITH ORGANIZATIONAL STRATEGY AND GOVERNANCE PRACTICES

The practice of risk management in organizations is developed and evolved in coexistence with other organizational processes, such as strategy and governance. The nature of portfolios, programs, and projects is such that circumstances may change frequently. Adjustments become necessary as the organization evolves, for example, when changes to decision-making processes, timing, scope, and speed are made.

1.3.3 FOCUS ON THE MOST IMPACTFUL RISKS

Successful organizations are able to effectively and efficiently identify the risks that directly influence goals and objectives. The challenge for most organizations is making the best use of resources by focusing on the right risks. This depends on the characteristics of the organization, its environment, internal maturity, culture, and strategy. Determining the most impactful risks can be difficult. Organizations develop and improve by refining the processes for risk prioritization.

1.3.4 BALANCE REALIZATION OF VALUE AGAINST OVERALL RISKS

Risk management seeks to find the proper balance between the exposure to risk and the expected business value creation or realization. Initiatives presenting a low level of risk may not create a sufficient level of value and performance. On the other hand, initiatives presenting a high, expected performance may expose the organization to an unacceptable level of threat.

1.3.5 FOSTER A CULTURE THAT EMBRACES RISK MANAGEMENT

Risk management is an inherent and essential part of the portfolio, program, and project management framework. The practice of risk management is propagated, recognized, and encouraged throughout the organization. A culture of risk management encourages (a) the identification of threats rather than ignoring them and (b) the identification of opportunities by cultivating a positive mindset within the organization — one that is more open to accept and harness the positive changes impacting the various initiatives.

1.3.6 NAVIGATE COMPLEXITY USING RISK MANAGEMENT TO ENABLE SUCCESSFUL OUTCOMES

Managing risks is an essential part of reducing and handling the complexity within organizational initiatives. The ability to identify and manage risks is directly dependent on the level of complexity of the initiatives. Concentrating efforts on clarifying the objectives, requirements, and scope of initiatives facilitates the identification of risks and enhances the ability to manage them, thus lowering the exposure of these initiatives to unforeseen situations. The more organizations navigate complexity using risk management, the more they will be able to optimize the use of resources, increase the return on investments, and improve overall performance and business results.

1.3.7 CONTINUOUSLY IMPROVE RISK MANAGEMENT COMPETENCIES

The nature of risks to which an organization is exposed and the available technology to manage those risks are changing. Technology allows organizations to manage risks more effectively and to better focus on the risks' impacts. Through continuous improvement of risk management competencies, organizations and individuals can develop sustainable competitive advantages that contribute to overall organizational performance.

1.4 STRUCTURE OF THIS STANDARD

This standard can be used to review portfolio, program, and project management processes from a risk management perspective. It is organized as follows:

Section 1 — Introduction

Section 2 — Context and Key Concepts of Risk Management

Section 3 — Framework for Risk Management in Portfolio, Program, and Project Management

Section 4 — Risk Management Life Cycle in Portfolio, Program, and Project Management

Section 5 — Risk Management in the Context of Portfolio Management

Section 6 — Risk Management in the Context of Program Management

Section 7 — Risk Management in the Context of Project Management

Appendix X1 — Development of The Standard for Risk Management in Portfolios, Programs, and Projects

Appendix X2 — Contributors and Reviewers of The Standard for Risk Management in Portfolios, Programs, and Projects

Appendix X3 — Portfolio Risk Management Controls

Appendix X4 — Program Risk Management Controls

Appendix X5 — Project Risk Management Controls

Appendix X6 — Techniques for the Risk Management Framework

Appendix X7 — Enterprise Risk Management Considerations for Portfolio, Program, and Project Risk Management

Appendix X8 — Risk Classification

CONTEXT AND KEY CONCEPTS OF RISK MANAGEMENT

Risk is inherently present in all organizations. Risks present organizations with challenges but may also offer a competitive advantage when both threats and opportunities are managed proactively. Risk management provides a comprehensive and integrated framework for addressing and managing risk at all levels of the organization, from portfolios through programs, projects, and operations.

2.1 KEY CONCEPTS AND DEFINITIONS

All organizations face the uncertainty of both internal and external events. Uncertain present and future challenges can be dealt with by formulating and applying a sound business strategy toward realizing a set of objectives and managing risks. Risk management provides insight into risks that need to be addressed in support of reaching those objectives and takes advantage of opportunities. When opportunities occur, they are called benefits.

2.1.1 RISK

An individual risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives. Overall risk is the effect of uncertainty that affects organizational objectives at different levels or aspects. Risk arises from all sources of uncertainty, including individual risks in the portfolio, program, and project domains. These risks represent the exposure of the organization and its stakeholders to the consequences of uncertainty on the realization of the organization's strategy and business objectives. Once the risk occurs, it is then managed within the various governance layers (enterprise, portfolio, program, and project) by driving the resulting outcomes.

Uncertainty is inherent in the nature of portfolios, programs, and projects. Risk arises out of uncertainty and generates uncertainty. The more risks one can identify, the more uncertainty is indicated. One of the key factors that determines the ability to identify risks is ambiguity. When ambiguity is low, the level of information available is high, which allows the identification of risks. Uncertainty and ambiguity are factors where assessment and open evaluation drive risk management efforts. Assessments and open evaluations allow for the determination of the proper risk management strategy and define how risks will be managed throughout the portfolio, program, and project management life cycles, the iterations of these life cycles, and their interactions.

2.1.2 OPPORTUNITIES

Opportunities are risks that have a positive effect on one or more objectives. Opportunity management helps to identify and understand possible ways in which objectives can be achieved more successfully.

Moving beyond the traditional view of risk as a value destroyer to seeing risk as a potential value enhancer requires creativity and vision, and a system that allows these opportunities to flourish and lead to organizational success.

A consistent portfolio, program, and project management system helps to:

[??] Identify and assess opportunities that are often linked, and

[??] Improve the organization's ability to accept and pursue opportunities.

2.1.3 THREATS

Threats are risks that would have a negative effect on one or more objectives. Threat management involves the use of risk management resources to:

[??] Describe risks,

[??] Analyze risk attributes,

[??] Evaluate the probability of risk occurrence and impact as well as other characteristics, and

[??] Implement a planned response, when appropriate.

Similar to managing opportunities, managing threats is a staged process. Both use a structured life cycle framework to ensure that the process is robust and complete as described in Section 4. Should threats occur, they are called issues and are listed in the issue log.

2.1.4 RISK ATTITUDE

Risk attitude is a disposition toward uncertainty, adopted explicitly or implicitly by individuals and groups, driven by perception, and evidenced by observable behavior. Risk attitude represents an organization's approach to assess and eventually pursue, retain, take, or turn away from risk. Risk attitudes can range from risk averse to risk seeking.

Organizations seek to establish a consistent method for evaluating and responding to risk across the enterprise. One obstacle to developing that consistency is an individual's different or inconsistent attitudes toward risks — and those attitudes may vary according to the circumstance.

In summary, risk attitude is an individual's or group's preference to evaluate a risk situation in a favorable or unfavorable way and to act accordingly. However, risk attitudes are not necessarily stable nor homogeneous.

2.1.5 RISK APPETITE

Risk appetite is the degree of uncertainty an organization or individual is willing to accept in anticipation of a reward. Risk appetite guides the management of risk and the parameters the organization uses in deciding whether or not to take on risk. In addition, risk appetite defines what types of risks an organization pursues.

A risk appetite determination represents the start of embracing risk. Figure 2-1 shows the interrelationship of risk appetite and its direct influence on business strategy, the risk management framework, and the underlying policy and processes. The resulting risk appetite determination defines the amount and type of risk that the organization is willing to take in order to meet its strategic objectives.

Risk appetite expresses the level of risk the organization is willing to take in pursuit of its portfolio, program, and project objectives. Portfolio, program, and project risk is not a singular, but rather a multifaceted concept.

As organizations grow, expand, and evolve, so do the risks they face. The type, prominence, and appetite for risks change at different points in the life cycle of an organization and during the life cycle of its programs and projects.

2.1.6 RISK THRESHOLD

Risk threshold is the measure of acceptable variation around an objective that reflects the risk appetite of the organization and its stakeholders. A key element of risk strategy is the establishment and monitoring of enterprise, portfolio, program, and project risk thresholds. Examples of risk thresholds include:

[??] Minimum level of risk exposure for a risk to be included in the risk register,

[??] Qualitative or quantitative definitions of risk rating, and

[??] Maximum level of risk exposure that can be managed before an escalation is triggered.

Establishing risk thresholds is an integral step in linking portfolio, program, and project risk management to strategy alignment and is performed as part of early planning. Based on the risk appetite of the organization, governance may also be responsible for ensuring that risk thresholds are established and observed, and when the risk should be escalated to a higher governance level.

2.2 RISK MANAGEMENT IN ORGANIZATIONS

The organization's governance body is ultimately responsible for setting, confirming, and enforcing risk appetite and risk management principles as part of its governance oversight. An organization's governance also determines which risk management processes are appropriate in terms of organizational strategy, scope, context, and content.