
Webinar Recap: Risk Management Life Cycle in the Context of Project, Program, and Portfolio

Please find below a transcription of the audio portion of Satya N Dash’s session, Risk Management Life Cycle in the Context of Project, Program, and Portfolio, being provided by MPUG for the convenience of our members. You may wish to use this transcript for the purposes of self-paced learning, searching for specific information, and/or performing a quick review of webinar content. There may be exclusions, such as those steps included in product demonstrations. You may watch the live recording of this webinar at your convenience.

Kyle: Hello, everyone, and welcome to today’s MPUG webinar, Risk Management Life Cycle, in Project, Program and Portfolio. My name is Kyle, and I’ll be the moderator today. Today’s session is eligible for one PMI PDU in the technical category. The MPUG activity code for claiming this session with PMI is on the screen now.

Kyle: Like all MPUG webinars, a recording of this session will be posted to MPUG dot com, shortly after the live presentation ends, and all MPUG members can watch the recordings at any time, and still be eligible to earn the PDU credit. All the sessions you watch on demand can be submitted to your webinar history, and the live sessions you attend are automatically submitted.

Kyle: Within your history, you can print or download your transcript, and certificates of completion, including the one for today. You can access that by logging into MPUG dot com, click the “My Account” button, and then click on the transcript link. If you have any questions during today’s presentation, please send those over to us at any time using the chat question box on the GoToWebinar control panel. We do plan to answer those questions for you at the end of the session today. All right, we’ll go ahead and get started with today’s presentation, we’re very happy to welcome back Satya Dash today.

Kyle: Satya is a management professional, speaker, coach, and the author of six books. He has created hands-on courses on risk management, including the course of Practical Risk Management, which has been used by many professionals, and a number of PhD candidates. His latest book on risk management titled, I Want to Be a Risk Management Professional, RMP 2nd Edition, has created many PMI RMPs, and has a 100% success rate so far.

Kyle: Satya’s web presence is at management yogi dot com, and he can be contacted at managementyogi@gmail.com. So with that said, I’d like to welcome you back, Satya, and I’ll hand it over to you at this time to get us started with today’s presentation.

Kyle: Satya, are you there? I’m not-

Satya N Dash: Thank you, Kyle.

Kyle: … Oh great, okay. I can hear you now.

Satya N Dash: Thank you, Kyle for the introduction, much appreciated. Hello everyone, good day to you, and maybe it is good evening or good night, wherever you are in any part of the world. So we are going to have a discussion on risk management life cycle in projects, program and portfolios.

Satya N Dash: So this is the agenda for this meeting that we have, or the webinar that you are having. “What is the risk management framework, and risk management life cycle? What should be the considerations for projects? What should be the considerations for programs? What should be the considerations for portfolios? And how to take an integrated approach in some of the best practices?”

Satya N Dash: While risk management to a certain extent is understood in the context of projects, it is not that well understood or even practiced in the context of programs, or portfolios. So the whole idea of this webinar is to take through the project context, then we’ll see the program context, then portfolio context, and finally have an integrated approach. Because in an organization, you might have a portfolio containing programs and projects, or it may not have portfolios in a program, it might have projects, but still if an organization is following the risk management, it has to be driven down from the top. Because any organization, however small it may be, there will be somebody who’ll be owning the organization, and driving the strategies of the organization. So irrespective of whether they have programs or portfolios, or not? Still you need to have an integrated approach.

Satya N Dash: So first, the framework for risk management. To understand life cycle, you need to understand the framework of risk management. So first we’ll start with the life cycle, and we’ll see how the risk management framework actually is collaborating with the life cycle. Now life cycle is a series of phases that an element, which can be a project, program, or portfolio, passes through from its start to its completion.

Satya N Dash: So when I say “life cycle”, that means there is a beginning, and there is an end. And in the beginning, or during the time frame from beginning to end, you have a set of phases. Now, each phase contains a collection of logically grouped activities. So each phase can have a set of processes, that can result in outputs or outcomes. The risk management life cycle works within the risk management framework. So when I’m talking of “life cycle”, it is closely integrated with the risk management framework. With this, the risks are managed in a structured manner, irrespective of project, program, or portfolio life cycle.

Satya N Dash: And with this approach, you also get consistency, predictability, and ability to scale. It might be a 10 member team, or it might be a 100 or 200 member team. Now, the processes that we are going to have in the risk management framework, these processes are iterative in nature. That is, they are not one time, that you started the project, executed the project, and there are some processes, it is over, it doesn’t happen like that. Because risks continue to emerge throughout the life cycle of the project.

Satya N Dash: It might be in the beginning part of the project, or program, or portfolio. It might be in the middle, or towards the end. In other words, you can say, risks will continue to emerge, and that is why the processes that you are going to use within the framework will be iterative in nature. It is we are going to repeat them, again and again.

Satya N Dash: When a project, program, or portfolio is closed, then these processes are terminated, and the learnings that you are going to have by following this set of processes, in other words, by following the life cycle, are going to be documented for future use. Which can be part of your lesson learned, or kind of a depository where you are going to put your lesson learning.

Satya N Dash: So the framework of risk management contains these seven processes. I’m going to use the processes which are specified by Project Management Institute, or in short, PMI. I find it, the processes they have mentioned are pretty distinct, and they have well defined those processes, and they are exhaustive in nature. So I’m going to use those processes used by PMI.

Satya N Dash: The first process is, “Plan risk management” After that, we have, “Identify risks”, then, “Perform qualitative risk analysis”. In short, I call it as perform “QLRA”. Then you have, “Perform quantitative risk analysis”. In short, I call it as perform “QTRA”. Then we have, “Plan risk responses”. After that we have, “Implement risk responses”. Then we have, “Monitor risks”. Whichever life cycle you are following, as we saw, the life cycle and framework are closely together.

Satya N Dash: Whichever life cycle, it might be a predictive life cycle, that name is “waterfall” approach, or it might be other side of the spectrum, which is “agile”, or adaptive life cycle. Or in something in between, a combination of predictive and adaptive, which you can call it as a “hybrid” life cycle, these processes can be used. So for a predictive life cycle, or waterfall lifecycle, these processes are going to be sequential in nature.

Satya N Dash: Nevertheless, they’re also going to be iterative. For example, in a project, identify risk can happen at any point of time. So you are monitoring the project, a new risk emerged, so you are here. Again, you have to go back to, “Identify risk process”. Similarly, many people think these processes cannot be applied in agile life cycles, but it is perfectly… You can actually apply these processes as well.

Satya N Dash: For example, there is a process called, “Perform QLRA”. Now this Perform QLRA process will be conducted just before the iteration begins. When I say, “agile life cycle”, agile life cycle is basically iterative, as well as incremental. Iterative in a sense, you are refining the requirements as you proceed, because there is a lot of requirement uncertainty.

Satya N Dash: Incremental in a sense, there is a lot of technological uncertainty, but the way you want to proceed. In that case, you give incremental version of the product. So, it is iterative as well as incremental, and because it is iterative, it will have iterations. And at the beginning of iteration, or before the iteration starts, you can conduct a QLRA process, to find out, “What are the risks, probability and impact, and which are the risks we are going to consider for this particular iteration?”

Satya N Dash: So these processes, that we are going to discuss, across project, program, or portfolios, are applicable throughout the life cycle spectrum, which can be predictive, adaptive, or hybrid.

Satya N Dash: Next is, we are going to have one level deep, we are going to dig into the processes. I can go into multiple levels, but it will be not exactly convenient or understandable for you. So one level deeper, I’m getting into the processes. First is plan risk management. This process creates the risk management plan. So it will be applicable for project, or program, or portfolio. It’s about overall risk management strategy through a document, how that risk management processes will be executed, that will be also part of this risk management plan, or RMP? And integration with other activities.

Satya N Dash: It will also have information with respect to the funding requirements, because you need money to manage the risk. I mean requirement, you need time to manage the risk. The probability scale, the impact scale. The PIE matrix, it is the probability and impact matrix.

Satya N Dash: The categorization of the risk, such as you’ll have risk breakdown structure. For example, at a portfolio level, the risk breakdown structure might look different, as compared to the risk breakdown structure at a project level. So all these things will be part of the risk management plan. The risk management activities are integrated into the project, program, or portfolio, in short I call this as “PPP”, the respective individual management plans. For a project, you will have a project management plan, for a program, you’ll have a program management plan, for portfolio, you’ll have a portfolio management plan.

Satya N Dash: The risk management plan will be a subsidiary plan of these plans. And the risk management activities are going to be integrated as part of this plan. Now you will be thinking, “How about an agile approach? An agile approach do you have a plan, project management plan?” Not really, we don’t have a project management plan because the agile follows the concept of less documentation. That is one of the values in agile manifesto, it tells you, “Customer collaboration over comprehensive documentation.” So they have a single product backlog.

Satya N Dash: So in the product backlog itself, we are going to have the risk related items, which you will see, as we proceed. Next is, “Identify risk process”. In, “Identify risk process”, we usually create a risk register. In project management, you might create risk reports as well, the PMBOK guide, which is Project Management Body of Knowledge guide, they are saying, “Risk reports can also be created.” But if you go through the standard of portfolio management, or the standard for program management, you will find risk register is definitely created at a program level, as well as the portfolio level.

Satya N Dash: Now, all possible risks are identified at this stage, in identify risk. The risk owner, who will be owning the individual risks will be assigned. If the risk owner is not assigned at this stage, then the risk owner is going to be assigned in the subsequent process, perform QLRA. It is qualitative risk analysis.

Satya N Dash: Again, I repeat, this process, along with other processes, is iterative in nature. This is not one time. Next phase, perform QLRA, it is qualitative risk analysis. Here we categorize and prioritize the individual project risk, or program risks, or portfolio risks.

Satya N Dash: So, what do I mean by “prioritization”? We find out the probability value, and the impact value. There is a chance of occurrence of this risk, and if it occurs, what is the impact, or the consequences, or the effect of this risk? Those two values we find out, and we’ll multiply these two values. As you multiply we get the risk value, or the risk score. And based on the risk value, or risk score, the risk will be prioritized.

Satya N Dash: You can also take other parameters. For example, there can be risk connectivity, risk [inaudible 00:14:06], risk manageability, risk detectability, there are many other parameters also you can take for prioritization of risk, in the QLRA process. Next is, perform QTRA.

Satya N Dash: That is “quantitative risk analysis”. Here, we provide numerical estimate of the overall risk faced by the PPPs, that is, “project, program, or portfolio”. So we are quantifying, and the overall risk is quantified. We actually not only quantify the overall risk, the individual risks are also quantified, in terms of money or it can be in terms of time.

Satya N Dash: However, this QTRA process is optional. Because it is time-consuming. You need really good analytical skills to do this QTRA. You need to have sophisticated software tools, and an ability to understand those analysis, to do a QTRA process. Here you’ll have various calculations, such as probabilistic calculation, simulation, which will result in [inaudible 00:15:10], correlation among the risk, probabilistic branching, conditional branching, criticality index analysis, those kind of analysis will happen, which will quantify the overall risk.

Satya N Dash: Next process is, “Plan risk responses”. The planned risk responses provide risk response strategy and risk response actions, for individual risk, agile risk, overall PPP risk. At this stage, you assign the risk response owner, not the action owner, the response owner. So there will be a response strategy, or can be a combination of response strategies, and every strategy will be divided into various actions. And those actions will have response action owners.

Satya N Dash: Now, the response strategies for negative risks, which are also called a “threat”, can be escalate, avoid, transfer, mitigate, or accept. The response strategies for positive risk, also known as “opportunities”, will be escalate, exploit, share, enhance, or accept.

Satya N Dash: Our next process is, “Implement risk responses”. In implement risk responses, we implement the risk response strategy. What is the difference in planning? In planning, we plan, “What are the response strategy, what are the response actions?” Here, we are actually implementing it. And when you implement, the communications should be maintained between the risk owners, and the PPP managers, that is project, program, or portfolio managers. The communications should also be maintained between the risk owner, who is owning the risk, as well as the risk response action owners.

Satya N Dash: The last process is, “Monitor risks”. It is about monitoring the implementation of risk response plan, which we did here. Checking the status of existing risks, which you have identified in identify risks. Identify any new risks, because risks continue to emerge, and closing any outdated or obsolete risks, so we can also close an outdated or obsolete risk, which is no value for you. It also checks the effectiveness of risk management processes, and effectiveness of risk response plan.

Satya N Dash: So two things are also pretty crucial here, you are following the processes, are these processes effective, that you check and monitor risks? Next is the effectiveness of risk response plan. Whether the response plan that you executed, are they effective? How will you know? When the score goes down. So we have found out the risk score, as I said, we multiply the probability and impact value, and we get the risk score, or the risk value. And the risk value or the score should be, come down the threshold level. That is called as, “risk threshold”. So the risk threshold is defined in the risk management plan, so the job is to find out that the risk value should be within the risk threshold.

Satya N Dash: If it is there, then of course, the response that you did is effective. Next is, “Risk Management for Projects”. So this is the framework, we are going to use the same framework as I proceed through the project, programs, and portfolios. So this is the seven process, one, two, three, four, five, six, seven processes we have. First is, “plan risk management”. The plan risk management will create a risk management plan, or RMP for short.

Satya N Dash: Now this risk management plan is going to act as an input, through the process of identify risks. In the identification of risk, we identify all possible risks. The individual risk that is going to impact the objectives, individual objective, cost objective, schedule objective, quality objective, those will be documented in the risk register, which is an artifact, the project artifact.

Satya N Dash: The overall project risk will be documented in the risk report, which is another project artifact. Next, what happens? The risk register will be acting as an input to the perform QLRA process. However, the risk report is not going to act as an input. In perform QLRA, we find out the probability value, the impact value, you can also use other parameters, and we prioritize the risks. The high priority risk, of course will be considered further.

Satya N Dash: The low priority risk, we put into a list, and that list is called as “watch list”. Now, once you get the prioritized risk, those prioritized risks will be documented in the risk register, as well as the risk report. Now, the risk report will have the overall project risk, also it will have the summary information, with respect to the prioritized individual risk, whereas the risk register will have information with respect to individual project risks. The prioritized one.

Satya N Dash: At this point I would like to tell the orange color coding is for the risk register, whereas the pink color coding is for the risk report. The process related flow is with respect to the blue color coding, that I’m going to use. Our next process is, “Perform quantitative risk analysis” or the QTRA. Now in this QTRA as I said, it is optional. As you are using QTRA process, both risk register and risk report are going to act as an input to this process. However, you are going to get only the risk report as the output, you are not going to have risk register as the output. In the risk report, you will find out, what is the overall project risk in a quantified manner? That is, what is the chance of meeting the program objective or project objective, because we are talking of project, so project objective. Is it a 75% chance? For example, you are saying, “This particular date, we can meet with a 80% confidence factor. This particular budget for this project, we can meet with a confidence value of 60%. This is the contingency reserve.”

Satya N Dash: So these things will be documented in the risk report. And the risk report, as well as the risk register, will be acting as an input to the next process, plan risk responses. In “Plan risk responses”, we’ll have strategies for individual project risks, strategies for overall project risk, which should be different. For individual project risk, we have some strategies such as accept, enhance, escalate, avoid, mitigate. For overall project risk, if it is an overall project risk, there is no strategy for escalate. Because you have to address it on your own, because it is for the project. It is the job of the manager, the project manager, to address the overall project risk.

Satya N Dash: Now, once you have these strategies, as well as the response action documented, the risk register, as well as the risk report are going to be updated. So those will be the output of plan risk responses. So in the risk register, you’ll have the response strategies, the response action owners, the response actions, which is with respect to the prioritized individual risks.

Satya N Dash: Whereas, for the risk report, you are going to have the overall project risk, the overall risk response strategies, and the summary level information with respect to the prioritized individual risk. Both risk register, as well as risk report, are now going to act as an input to our next process, implement risk responses, where the actual implementation is happening.

Satya N Dash: And as you implement, again the risk register and the risk report are likely to be updated in the output. It is possible that you might change some response strategies. So in that case, the register will get updated, and simultaneously, the risk report, which contains the summary level information, with respect to the prioritized individual project risks, may also get updated.

Satya N Dash: So finally, we are going to take the risk register, as well as the risk report, and they’re going to act as an input to here, that is, “Monitor risks”. In monitor risk, we are going to monitor. Like, this is the action we have taken, and is it when the risk happens, what is the actual score? One is the reduced score that we planned, then when it happens, what is the actual score? Is there a difference? If there is a difference, then what went wrong?

Satya N Dash: For that, there is a meeting, and that specific meeting is called as “Risk review meeting”. In risk review meeting you find out, is the response effective or not? Or it is possible, in monitor risk you might find new risks, new emergent risks that are coming up. In such a case, again you have to go back to identify risk. From here, again the processes you have to pass through. Or it is possible you want to find out, “What is the effectiveness of processes that we did?”

Satya N Dash: For that, again monitor risk, and there is a specific tool and technique called “risk audit”. There are a number of tools and techniques everywhere, I’m just focusing on some of them, because we really cannot get into all of them, that will be hours of discussion, so risk audit is with respect to effectiveness of the risk management processes. That is also addressed, as part of monitor risks.

Satya N Dash: Now, if you are using agile, it is not needed that you may use all of these processes. You can tailor your processes to your need. Your project or program or portfolio need. And in monitor risk, you can have a burn down chart. That is risk, reserve burn down chart. The reserve that you are having is good enough, or not good enough? Along with the iteration burn down chart, which is for the story points, or the features, you can also have a reserve burn down chart in monitor risks process.

Satya N Dash: Now, this risk management plan will be acting as an input to all these processes. It is definitely acting as an input to identify risk, as I have shown. It is also acting as an input to QLRA, to QTRA, also to plan risk responses, implement risk responses, as well as monitor risk process. Because it has the needed information to do these things, that is what you should do in these processes.

Satya N Dash: Next is, “Risk Management for Programs”. If you have gone through my teaser, or the brief that I have posted at the MPUG site, with the help of my editor as well as MPUG team, so you’ll have seen there is a quote, “Project creates, Program guides, Portfolio decides.” And there is a very incisive thing, because your fundamentals have to be very clear. And based on your fundamentals, you can easily stretch, whether it is a program or a portfolio or a project.

Satya N Dash: So first let us understand the definition of a “program”. “Program” is a group of related projects. Sub-programs, program activities, managed in a coordinated way, to obtain benefits, which is otherwise not available if you manage them individually. So first thing is, the components of a program, which can be projects, sub-program, program activities, program activities can be operational activities, can be training activities, these are related. And why you are having the program?

Satya N Dash: To get benefits. Whereas project is… With respect to the definition of “project” is, it’s a temporary endeavor to create a unique product or service or result. So “project” is creating something, whereas “program” is coordinating something. So that is what I said, “Project creates, Program coordinates, or guides. Portfolio on the other hand, will decide.”

Satya N Dash: Now, “program” may contain work outside the discrete projects inside it. So that can be work which is outside the discrete project. Now that there are many differences between project and program, which is fundamental to understand the life cycle of risk within the context of program, however I’m going to focus on some of them, considering the risks.

Satya N Dash: So one is “uncertainty”. If program is more uncertain compared to a project. Next is, “a risk”. If a risk is impacting a single project, it will be managed at the level of a project. However, if the risk is, or a set of risks, are impacting multiple related projects, then they will be managed at the level of a program. Complexity, program will be more complex compared to projects. There will be many factors which will be resulting in complexity.

Satya N Dash: So these are the three differences, and we’re going to talk about them in the context of risk management for programs. As we saw, program is primarily about benefits, whereas project is primarily about creation of a product, service, or result. Now the risk management, at the level of programs, is about optimal realization of benefits. So it addresses opportunities to increase the benefits, and addresses threats, which you’ll try to reduce the threat.

Satya N Dash: Another aspect we saw is complexity. So, at a program level, risk management is about using opportunities, that is positive risks, as I said, in the beginning. Positive risk is opportunities, negative risk is threat. So at the level of a program, you use opportunities to reduce the complexity. And you address threats that come off, due to the complexity of a program.

Satya N Dash: So we have seen the framework, the seven processes. Similar kind of processes, also you can apply, in the context of program. However, there will be some additional considerations, or some variations. Now, identify risk, at the level of a program. So it will document the risks that are going to impact the benefits, at the level of the program. It is not about individual objectives, project is documenting the risk, which is impacting the objective. The definition of a risk, at the level of a project is, “An uncertain event, or a condition. If it happens, it will impact the objective of a project, positively or negatively. However, at the level of a program, you document the risk, which will impact the benefits of the program.”

Satya N Dash: At the level of program when you do identification, there are three levels of risk. One is portfolio risks, which are cascaded, so let’s put here “P”, that is for “portfolio”. There is program, and there’s project. So the risks, which are cascaded, from portfolio to program, these will be addressed. At the level of program, there also can be risks, due to the program activities that you are conducting. There will be component dependencies, which can result in risks, and there is also possibilities of risk, as you integrate these components.

Satya N Dash: So some risk can come at the program level later. And some of the risks can be escalated from the project level, to the program level. If you remember, one of the response strategies I said is “escalate”. So if the project manager, or the project sponsor, they believe this risk, that individual project risk cannot be addressed, at the level of the project, and the sponsor agrees, the sponsor, for an internal project, maybe the program manager. So that time, that risk, which escalated from the project level, will be addressed at the level of the program.

Satya N Dash: So things from the portfolio level, which can be cascaded, program level, due to the activities of the program, project level risk, which are escalated can also be addressed at the program level, and they have to be identified, and you can maintain a program risk register.

Satya N Dash: Next is, “Perform QLRA and QTRA”, which is basically, you are doing here, quantification and qualification, analysis part. After you identified, you are doing analysis part. Now, qualitative and quantitative analysis are based on, “To what extent the risks are impacting the realization of benefits?” At this stage, you are asking, “Can this be addressed at the program level? Can this be addressed within the program budget, or the program timeline?” If the risks are impacting the realization of benefits, then you are going to proceed further. However, if the risks are impacting the organizational performance, or organizational value creation, then these risks, you are going to escalate to the level of portfolio, or it can go up to the level of enterprise.

Satya N Dash: Our next process is, “Plan risk responses.” After you do an analysis, you will go to the next process, or plan risk responses, in the context of program. So what you would do, in the context of program, you can apply the previous risk response strategies, for positive risks, as well as negative risks. For positive risks, you can have share, enhance, exploit, accept, those are the response strategies. For negative risk, you can have again, avoid, mitigate, transfer, accept, escalate, those are the things that you can have.

Satya N Dash: Some responses deal with escalated ones from the components. So as I said, there are three levels of risk. So some of the components are, it can be a project, it can be a sub-program, it can be other program works. So if the risks are escalated from the component level of the program, they have to be addressed, and the response planning will happen at the level of the program.

Satya N Dash: Now, the response can be addition of components. You can add a new component, removal of components. And updation of program baseline. So like project will have a baseline, project will have baseline if you look at typical, theoretical baseline, you will have scope baseline, schedule baseline, cost baseline. But in a practical level, it is single integrated baseline, and we call it as the [inaudible 00:33:49] baseline, for the project.

Satya N Dash: Similarly, at the level of the program, you’ll also have program baseline, and as you integrate the risk response actions, at the level of the program, the program baseline can be updated. However, as I said, the focus will be always with respect to the benefits. Next is, “Implement risk responses”, that process in the context of program. The formally approved risk responses, including the escalated ones from the components, will be part of the program management plan. New components that you are going to add, to address the risks at the level of a program will be within the program scope. That is, the program manager has to handle those risks.

Satya N Dash: Next is the, “Monitor risks”, in the context of program. In monitor risks, we are having both strategic, as well as tactical considerations. Program is actually two-faced. When it is facing towards the project, it is tactical in nature. Whereas program, when it is facing towards the portfolio, it will be strategic in nature. It is actually sitting in between the portfolio and the projects, considering PPP structure in an organization. So when you are monitoring the risk, we are considering both strategic, as well as tactical aspects of program risk monitoring.

Satya N Dash: When you take tactical, it checks the individual risks happening at the program level. So at the level of a program, you will have some risks, and those will be tactically addressed. Whereas, the strategic risks are with respect to monitoring the impact of each component on the program’s risk profile. And the impact, more importantly, the impact on business benefits, as we saw, the definition of a program. “Program is a set of interrelated projects, also programs, or operations, or other works, which are managed together to give you benefits, which is otherwise not possible, if you manage them individually.” So this is what we do at the level of a program, and we are following as you can see pretty much the same framework for risk management.

Satya N Dash: Which is, within the risk management life cycle. Next is the, “Risk Management for Portfolios”. So what do we do in the context of portfolio? Again, the fundamentals, very important. If you understand the fundamental, a lot of conceptual understanding will be easier for you. So first, a definition. Portfolio is a collection of projects, program, sub-portfolios and operations managed as a group to achieve the strategic objectives of an organization. So it’s a collection, there is no relation. There may be relation, may not be relation.

Satya N Dash: And these are managed as a group. And you are managing them as a group, the main focus is, “To achieve the strategic objectives of an organization.” So in the beginning I said, “Project creates, Program guides, and Portfolio decides.” So why decide? At the level of portfolio, you decide which project to take. Which project to drop. Which program to take, which program to drop.

Satya N Dash: So you can refine that wording that I said sometime before, you can say, “Project creates and delivers. Program coordinates, because they’re managing the components in a coordinated way. Coordinates and guides, whereas Portfolio is deciding, as well as driving.” So the decisions to drop a program, or add a program? Drop a project or add a project? That decision is taken at the level of the portfolio, in order to achieve the strategic objectives of an organization.

Satya N Dash: There are many differences when I compare portfolios, programs, and projects. Right now, I am going to compare portfolio with programs, we have already seen the differences between programs and projects, and when I’m taking the differences I’m going to consider risks. One is relatedness. So, the components of a portfolio, components of this, it can be projects, programs, or sub-portfolio. So the components of the portfolio may be related, may not be related.

Satya N Dash: However, there will be some commonalities, so there is no relatedness, but there will be some commonalities, and that is why you are managing them as a group. The commonalities can be with respect to the geographical location, technology being used, funding, the funding that you are getting from your executive sponsors. Resources, if the resources in the same area, or the same kind of resources. On that basis, you decide on the portfolios.

Satya N Dash: Another aspect is the ROI, return on investment. The return on investment calculation is done at the level of portfolio. Because portfolio is about the value maximization. Value delivery in an organization, in order to meet or achieve the strategic objectives. So everything is actually aligned towards the strategic objective, the project is aligned towards the strategic objective. Program is also aligned towards the strategic objective, however portfolio in particular is there to achieve the strategic objective, it is not aligned. It is there to achieve.

Satya N Dash: So portfolio is primarily about meeting the strategic objectives, or achieving an optimal value creation, delivery for an organization. Now, risk management at the level of portfolio is about two things. Developing risk efficient portfolio. The organization decides to take risk to have this kind of portfolio. So the portfolio, so it would be compact and risk efficient, that is, maximization of opportunities, minimization of threats.

Satya N Dash: Then optimal value delivery. This optimal value delivery can be done by adding or removing portfolio components. Again, considering the risk management framework, the portfolio risk management, or the portfolio risk management life cycle, will be pretty similar with some additional considerations, or some variations. So first one is, “Identify risks in the context of portfolio.” You document the risks that impacts the organization’s strategic objectives, and organization’s value delivery. If you remember, at the level of a project it is about project objectives, and this risk you are documenting. As I said, the definition of risk is, “An uncertain event or condition which when happens, will impact the objectives of the project, positively or negatively.” Whereas, at the level of a program, we are talking about the documentation of risks, which are going to impact the benefits of the program.

Satya N Dash: Whereas at the level of portfolio, we are talking about risk which impacts the organization’s strategic objectives, and value delivery. Unlike three levels of risk management at the level of program, there is identification of risk. Here, we have two levels of risk, at the level of portfolio. The risks identified at the level of portfolio, and escalated from portfolio components. So these are the risks that will be addressed, at the level of portfolio. Which are identified because of portfolio activities, and the portfolio components, it might be escalated from a program, it might be escalated from a project, or it might be escalated from an operation? Because we saw in the definition, “Portfolio is a collection of a… Set, collection of projects, programs, sub-portfolios or operations which are managed as a group to achieve the organization’s strategic objective.”

Satya N Dash: So operation, program, project, sub-portfolios, sub-programs can raise risk, and if it has to be addressed at the level of portfolio, it has to be addressed by the portfolio manager.

Satya N Dash: Next is, “Perform QLRA and QTRA”. We are going to do the analysis part after we have identified. Now, qualitative and quantitative analysis are based on, “To what extent the risks are impacting the expected portfolio business performance, or execution of strategy?” If risks are impacting the organization’s ability to execute strategy, not the portfolio’s ability, the organization’s ability to execute the strategy, then the risk will be escalated.

Satya N Dash: So that risk is not going to be managed at the level of portfolio, that risk will be escalated to the level of enterprise. For that, there is a totally different concept called “enterprise risk management”. In short, ERM. Which is pretty popular nowadays, in last seven, eight years, it is getting a lot of acceptance, because organizations, bigger organizations particularly, operate in silos. They’ll have marketing department, sales department, operation department, production department, research and development, finance, legal… And everyone is in their own zone, and no one knows this risk, for example, what is happening in legal, will it impact the product development? Or if you have a product development, will it impact the finance team?

Satya N Dash: So, that is enterprise risk management. And if the risk cannot be addressed at the level of portfolio, because it is impacting the organization’s ability to execute strategy, it will get escalated to the level of enterprise. But that is beyond the scope of this discussion, enterprise risk management. We are focused on risk management in the context of projects, program and portfolio.

Satya N Dash: Next is, “Plan risk responses”, in the portfolio context. The risk response here is about exploiting business opportunities, and maximizing organizational value creation. So when you plan for risk responses, this is what the focus will be. Like program, here response also can be additional portfolio components, [inaudible 00:44:00] portfolio components.

Satya N Dash: Next is, “Implement risk responses”, in the context of portfolio. The formally approved risk responses, including the escalated ones from the components of the portfolio, will be part of the portfolio management plan. It is pretty similar, like program management plan. Similarly, project management plan, the risk response which are approved will be integrated into that project management plan. If you are adding the new components into your portfolio, because you planned for those responses, as we saw previously? Then those will be also considered within the portfolio scope.

Satya N Dash: Now, monitor risks in the context of portfolio. So this can be also strategic and tactical. When you are talking of tactical in nature, it ensures operational risk, or systemic risk, impacting the portfolio. When you are talking of the strategic aspect of monitor risk, so the monitoring is at two aspects. There are two aspects, impact of each component on the portfolio’s risk profile, is a component of the portfolio, and implementation and achieving the organizational strategic objectives, because portfolio is about achieving the organizational strategic objectives.

Satya N Dash: Well as you can see, the processes are common, the way we are looking at, they’re common, but there are subtleties and differences. In program, we saw with respect to uncertainty, higher uncertainty. Complexity, risk, benefits. Whereas when we are coming to the portfolio level, we are talking of value maximization, achieving the strategic objective, operational or systemic risk, which escalated from the portfolio component level.

Satya N Dash: So there are subtleties, but if your fundamentals are clear, “What is this program is doing?” Portfolio is doing, the project is doing? Then you can easily understand, depending on the situation, you’ll be able to apply your understanding, what to do in such a case. In case you are sitting in a corporate office, and you are looking at a number of projects, program and portfolio. Of course, if it is a small organization, you may not have that kind of a PPP structure, however in a large organization, in case they are following a project, portfolio, program structure, then of course you need to understand how risks can be managed.

Satya N Dash: Now you’ll be thinking, “How about coming to an organizational level? How these are integrated together?” So for that, I have this screen. Vision, mission, goals, strategy, objective, portfolio, programs, project, operations. Some call this view as a “pyramid structure”, they might have it in a pyramid structure, vision on top, then mission, then you have goals, then strategy, then objective. Some might have, with respect to maybe a house of, vision, mission, structure. House with pillars, then on top they have a roof.

Satya N Dash: I take it as a protocol structure. A protocol structure is actually inspired by programming, so if you are using [TCP IP 00:47:12] protocol, which is the fundamental, or which is the basic of internet communication. So in a protocol, you have stacks. And every stack is communicating with the upper stack. The upper stack is also communicating with the lower stack.

Satya N Dash: So I consider that this is as a stack structure. A protocol stack structure. Nevertheless, if you are using a pyramid structure, or a house with walls and roofs, that is also fine. So considering this as a stack structure, first is vision. This is organizational vision, not program vision or portfolio vision, organizational vision. The vision of an organization is the future state of an organization. What the organization wants to be in five years, or seven years, or three years time? Vision is accompanied with mission. Mission is the purpose of the organization, every organization will have vision, as well as mission.

Satya N Dash: Vision, the future state, mission, the purpose. Then you have organizational goals. Organizational goals will be taken in a three year or two year or five year… It is a multi year period on which you are going to consider the goals. The goals are telling what you want to do in a multi year period.

Satya N Dash: Goals will have strategy and objective, whereas goals tell you what you want to do, the strategy you are going to tell you, how you are going to achieve that goal? And when it comes to objectives, objectives will be associated with strategy, to achieve the goals. So where are these things documented? These things are documented actually in a strategic plan of an organization.

Satya N Dash: A real organization, following business value which is serious about business value creation, and have hundreds of thousands of employees, they will have a strategic plan. The strategic plan of an organization is created as part of the strategic planning cycle, the strategic planning cycle may be in a three year or five year period? But considering the world that we are currently living in, the strategic plan can be a one year cycle as well.

Satya N Dash: Now, the strategic plan of an organization will have vision, mission, goals, strategy, and objectives. Next, what we do, we take this strategic plan of the organization and it is broken down into multiple initiatives. Initiative 1, Initiative 2, Initiative 3… Let us say an organization is having 20 initiatives, over a period of three years. Now, some of these initiatives will be combined together to create a portfolio. Say for example, Initiative 1, Initiative 5, Initiative 9 is one portfolio. Initiative 7, Initiative 11, Initiative 15 is another portfolio.

Satya N Dash: So the portfolios are created to achieve the strategic objectives of the organization, as we saw in the definition. Within the portfolio, you’ll have programs, projects and operation. The program is about benefits, whereas project is about creation of a product, service, or result, which is giving the benefits, and these benefits in turn are going to help you to achieve the strategic objectives of an organization.

Satya N Dash: Now, where does risk fit in here, when I’m going to the context of PPP risk management? We saw, address the project, program, portfolio risk management, where will risk fit in? It is the thing. This first four stacks of the stack, I am calling it as a “stack” approach, layers. These first four layers, in this protocol stack that we are having, will be addressed by the executive management. These four layers that we are having, one, two, three and four, these will be addressed by portfolio, program, project and operational management.

Satya N Dash: Now, when you have a risk management strategy is actually decided at the executive level. This strategy will cascade down to the level of portfolio, to the level of program, to the level of project, to the level of operation. On the other hand, the risks can also get escalated, as we saw. If the project manager is unable to manage a risk, and the sponsor is agreeing, “Yes, this cannot be managed.” Or the high level manager is agreeing, “This risk can be managed”? Then it will be escalated to the level of program.

Satya N Dash: Now, the level of program, that is also possible that you might have some risk which cannot be addressed, as we saw. If it is with respect to the program performance, then the program manager responds to it. However, if it is impacting the organizational performance, or achieving the organizational strategy, that has an impact? That time, that risk will get escalated to the level of portfolio. And at the portfolio level, we saw there will be two levels of management of risk, and identification of risk, here we have three levels, here we have two levels.

Satya N Dash: Two levels with respect to one is portfolio level itself, and the risks that are getting escalated, from the portfolio level will be addressed, and the level of portfolio. The component risk, which are escalated to the level of portfolio.

Satya N Dash: As I said, sometime before as well, what about the risk which are happening at the level of portfolio? That will get escalated further. Which will be enterprise risk management, ERM for short. So this is what the big picture, considering an organization which is genuinely trying to manage the risk, cutting across the projects, programs, and portfolio.

Satya N Dash: Now, some of the best practices, so there are many best practices people can use, I’m just highlighting a few of them. One, have appropriate governance structure. You’ll be surprised the kind of organization who have no governance structure at all, so it will happen, risk will happen and it will be ad hoc management. Like for example, COVID came up. Nobody is prepared for such a kind of thing, in fact, it is difficult to prepare, but considering what happened, like if you are speaking… I speak with a lot of professional, literally they are running for 30 or 45 days out of 24 hours, they are working 20 hours a day, they don’t know what to do. [inaudible 00:53:29] risen, no governance structure.

Satya N Dash: There is no governance structure, so the governance structure can be at the level of project, program, portfolio, but that should be all synchronized together. So first, have appropriate governance structure, and follow the governance principles and rules, without which, you are going to fail.

Satya N Dash: Second, enterprise risk management. Organizations operate in silos. For example, a product got released, do you realize if a product is released what will impact on the legal aspects? Many. Do you even understand there will be a legal department? Like for example, you’ve used a kind of a copyrighted code, or a copyleft code, and that is actually… You have not thought about it, you’ll have serious legal consequences. Companies have paid billions of dollars to avoid legal hassles.

Satya N Dash: Or APIs, application programming interface, tech companies are fighting, billions of dollars of lawsuit. So, for that you need to have not silos, or the individual compartmentalized risk management, but the enterprise risk management, you need to have. That is a must.

Satya N Dash: Another thing is, you need to have executive involvement, the top level executive, they should be involved in managing the risks. So when there is a storm, it’s going to hit, for example COVID-19 is hitting. We don’t know, for example in last December if you are, like I am operating out of India, around 4:00 or 5:00 PM, I am using my site, my site is saying it doesn’t exist.

Satya N Dash: Then I am going to log into my email account, the email account is saying it doesn’t exist. It happened on 14th of December, sometime 4:00 or 5:00 PM India time. Then I’m trying to do payment, the payment app is saying it doesn’t exist. I thought, “What is happening? Is it real? They are saying account doesn’t exist, I cannot log into my email account, I cannot see my business site, and I’m using a lot of cloud apps. And here that is the dashboard of projects which is a large dashboard of applications for these big, big companies, and everyone is showing green.

Satya N Dash: 10 minutes into this issue, everyone is green. Why these things kind… Why this thing happen? Again. Siloed risk management. So you have apps with respect to say, document management. Apps with respect to payments, and everything is down. For one hour, it is down. There are also… And homes, which are tech-enabled homes, the light will come up, the temperature will be properly maintained, the refrigerator will be properly maintained, all are down. The smart homes are all down. Hacking.

Satya N Dash: In mid-December, there was a hacking, which impacted a number of users worldwide. Again, lack of risk management. So those issues that we have seen, the COVID issue, or the issue that we saw in December last year, just one month before, these are not one time issue. This will come again, and again, and again, unless [inaudible 00:56:28] the risk management is done in a structured way.

Satya N Dash: And I hope, with this you have an understanding, if you are operating in an organization, you can take some of these learnings, and apply those learnings in your risk management, for projects, programs, or portfolios.

Satya N Dash: So with this, I am coming to a conclusion. And these are the references I have taken. The first reference is, the book I Want To Be A RMP, 2nd Edition, this is the link. Then there is a course, which is Practical RMP, that is risk management professional, with Primavera Risk Analysis, as well as MS Project software. Then this MPUG article, which talks about the framework of risk management, and I would suggest that you go to, this article is free to read, and thanks to MPUG they have published this article. And I have used The Standard for Risk Management in Projects, Program and Portfolio by Project Management Institute. Lot of terms and terminologies, I have taken from them.

Satya N Dash: With this, I am coming to an end, and I’m going to take your questions depending on the time, so Kyle, over to you.

Kyle: Thanks, Satya. We do have a few questions, let’s jump right in.

Kyle: The first one here, “How practical is it to actually conduct all the risk management at the project, program and portfolio level when there are so many daily moving dynamic aspects to things with the projects, programs, and portfolio?”

Satya N Dash: Okay, so if you are talking of there is a dynamic aspects of project. So I assume that you are talking of agile. Uncertainties are high. There is requirement uncertainty. Lot of changes are coming, complexities are there. You don’t know what is the requirement, or what is the scope of that project? In that case, of course, you have agile. And as I said, in agile, we have a single product backlog, so the approach is a bit different. So you need not apply all these things in agile. In product backlog itself, you will have these items which are part of the product backlog, and those product backlog items will be risk adjusted.

Satya N Dash: I have in fact written an article, how to do that, so I’ll just tell you.

Satya N Dash: So I think it was product… I don’t remember, it was again published by [inaudible 00:59:08]. Yeah. So it is in January 7, nearly one year before, more than one year before, actually. So here, so if you are using a project which is highly uncertain, highly complex, lot of uncertainties, lot of risks, in that case of course, you are not going to have an elaborate, dedicated, exhaustive set of processes. Rather, you are going to use a project backlog based risk management, because that is your main artifact. And here, while prioritizing I’ve clearly noted.

Satya N Dash: You have, risk is one of the major factors here. So you have value, cost, compliance, knowledge, resources, dependency, and in addition to that, you have risk as a factor, while you are prioritizing the backlog components. Now, another aspect is, if you are a small organization, your organization is very small. In that case of course, you don’t need it. However, if your organization is big, okay, and it is like… Even if it is a matrix organization or functional organization, it doesn’t matter. If your organization is big, then you should have a structured approach, a disciplined approach, for risk management.

Satya N Dash: But if your organization is small, 10 people or 5 people organization, you don’t need to have all these things. Still, some learnings you can apply, maintain a small risk register. Continuously see and evaluate the risk, analyze the risk, mitigate the risk, and see whether the mitigation has been effective? Even if it is a small project, so scale it down, tailor it, and you can use it.

Kyle: Thanks, Satya. Maybe we’ll sneak one more question in before we close out, this one is, “Do you have any recommendations on what probability categories to use? For example, low, medium, high, versus one, two, three, four? And what probability thresholds do you usually use? For example, low is up to 50%, medium is 50-70, et cetera?”

Satya N Dash: Right, so okay. So again, I have written an article. So, that will help you the most, again by MPUG. So it is there in… Here.

Satya N Dash: So this is one article, Risk Matrix Reporting. Another article I will suggest is quantitative… Yes. Sorry, I think it is qualitative. Because probability impact will be first in qualitative.

Kyle: And Satya I’ll chat, [crosstalk 01:01:54], there’s a link to your bio on MPUG, which links to all your content you’ve published, so that people can easily access that. So that’ll be in the chat box for everyone.

Satya N Dash: Okay, so just to answer that question, the probability and impact, what will be the… Here, it is clearly defined. “What can be the probability value? Considering the probability of occurrence, very high, high, medium, low, or very low? And what will be the chances? If it is 80%, very high. If it is 51-80%, then it is high, like that. And impact, the scale of impact, very low, low, medium, high. Schedule 1-5 days impact, very low. Greater than 30 days impact, very high.”

Satya N Dash: Like that, then you have the tolerance scales, and then how to calculate. And as I said, the probability and impact value was first decided in the qualitative risk analysis, so this article is going to give you more details, with respect to how probability and impact values are analyzed, and documented and managed.

Satya N Dash: Another article again, in my site, I’m going to tell this… So I think it is the difference between… Okay, again. This is the site, so you can go for qualitative versus quantitative. “Quantitative.”

Satya N Dash: This is not by MPUG, this is a long, old, very old article. Yeah, “Qualitative versus Quantitative Risk Analysis”. So as you go through this, deep dive into risk management [inaudible 01:03:18] it should help you. Next is understanding qualitative risk analysis, which I also believe will help you. And finally also you might want to check qualitative risk analysis versus quantitative risk analysis, and how they differentiate with respect to probability and impact scale.

Satya N Dash: Because P and I scales are also going to be used in the quantitative risk analysis. Many people miss that aspect. So here it is qualify. In QTRA, that is quantitative risk analysis, you are quantifying. The impact will be quantified in terms of money, or time, $10,000 impact, or 10 days of delay. Like that, it will be there. So I would suggest that you also go through this article of qualitative versus quantitative risk analysis.

Kyle: Great, thanks Satya, and just a reminder to everyone, you should be able to see that now, but it’s Managementyogi dot com, is Satya’s website. And yeah, that does it for today’s session, anything else before we close out, Satya?

Satya N Dash: Just one thing, again. So we are still in January, okay? So the year has begun. So again, I want to thank you for listening, and thank you for your time, and wish you a very, very happy New Year. 2021, I really wish and hope that this new year brings happiness to you, and you have a much better year compared to the previous year. Which was really very tough, on many and any of us.

Kyle: Well we appreciate that, Satya. I definitely wish the same for everyone, and I want to thank you for this session today. I know this isn’t a convenient time for your location, so we really appreciate your efforts in presenting to the MPUG community.

Kyle: For those of you that are claiming the PDU credit for today, I will get that info back on the screen for you now. Today’s session is eligible for one technical PDU, and the code to claim that is on the screen.

Satya N Dash: Kyle, may I interrupt you for one moment?

Kyle: Sure thing.

Satya N Dash: Yeah, instead of technical, I would suggest go for strategic. Because we are talking of program and portfolios, which is very strategic in nature.

Kyle: Well it’s already been applied, because risk management falls under the technical category, so at PMI’s directive they’ve asked that it’s in the technical category. But that’s available to everyone, and if you missed any of today’s session, you would like to go back and review anything that was shared? The recording will be posted to MPUG dot com later today. And you’ll receive an email in just a couple hours with that link. You have full access to the PDU eligible library of on-demand webinars, as an MPUG member.

Kyle: We do have some great sessions coming up on the calendar, I have chatted over a link to get to those and register. Next week we’ll begin a three part course on Power BI for Business Users and Project Managers. So we hope to see you there.

Kyle: After that, March 3rd, we will have a session by Ravi Raman on Transformative Leadership: How to Elevate your Impact with Less Effort and None of the Stress. So those sessions are posted, along with many others, so be sure to register for those, and we’ll see you at those events.

Kyle: And that does it for today’s session, so thanks once again Satya, thanks to everyone that joined us live, or is watching this on-demand. We hope you have a great rest of your day, and we’ll see you back soon for the next live webinar. Thanks.


Watch the on-demand recording


Written by Satya Narayan Dash

Satya Narayan Dash is a management professional, coach, and author of multiple books. Under his guidance, over 2,000 professionals have successfully cracked PMP, ACP, RMP, and CAPM examinations – in fact, there are over 100 documented success stories written by these professionals. His course, PMP Live Lessons – Guaranteed Pass, has made many successful PMPs, and he’s recently launched RMP Live Lessons – Guaranteed Pass and ACP Live Lessons – Guaranteed Pass. His web presence is at https://managementyogi.com, and he can be contacted via email at managementyogi@gmail.com.

