Effective risk management in an IT project portfolio requires ongoing commitment and discipline. But when executed properly, it can reduce the threat of economic loss caused by unmanaged risks across your portfolio of projects.
In Gartner’s “Six Required Elements of Effective Risk Management” [Gartner, Six Required Elements of Effective Risk Management, Paul Proctor, August 2010, Gartner Foundational 7 October 2014], Paul Proctor writes, “Effective risk management includes elements of formalized risk assessment, controls assessment, risk decision making, risk tracking, sign-off for residual risk and accountability.” In this article, we consider the six required elements of risk management as we explore 4 DOs and DON’Ts of effectively managing risk in your project portfolio.
1. DO Incorporate Ongoing Risk Assessments but DON’T Ignore Portfolio Level Risk.
The absence of an ongoing assessment, measurement and management of risk will cause an organization to fall into a reactive mode of dealing with threats as they surface. In this environment, project participants react to risks as they present themselves, or incorporate controls to mitigate risks when they are identified. This misleads the organization into believing they are taking a proactive approach to managing risks when truthfully it is the risks that are managing them.
Risk assessments should be scheduled regularly and include the ongoing analysis of threats and the cost of loss. They should include a measurement of risk, which typically involves a weighted impact and probability, or risk rate. The risk rate will help you quantify the level of the threat, which can be measured against the cost or loss to provide insight into the total risk.
This sounds fairly straightforward until portfolio level risks are considered. In a portfolio of projects, there are 2 types of risk assessments. Risks must be identified and measured at the project level, and equally important, risks must be aggregated and analyzed at the portfolio level. Risks that are not properly managed at the portfolio level can cause a ripple effect, since compounded risks can create failures across unrelated or inter-dependent projects.
Portfolio level assessments produce a “total” risk assessment, offering a broader view into organizational risk, rather than a myopic project level view. And ongoing assessments at phase gate reviews will help reduce the potential that project level risks will introduce a larger threat in the portfolio.
2. DO Pay Special Attention to How You Categorize Risks but DON’T Overlap Risk Categories.
Risks should be properly categorized and tracked in a risk register. Risk categories should not overlap and should be mutually exclusive. Risks that are categorized consistently in this manner will aid in better assessments when aggregated at the portfolio level. For example, if you were to categorize staffing availability as a project risk in some cases and as a resource risk in other cases, it would be very difficult to identify a larger threat within the portfolio. When risks are categorized uniformly, your risk assessments become much more effective.
In Gartner’s report “Effective Risk Management for Applications” [Gartner, Effective Risk Management for Applications, Bill Swanton, Jim Duggan and Andy Kyte, September 2010, Gartner Foundational 2 December 2014], analysts Bill Swanton, Jim Duggan and Andy Kyte suggest 6 broad categories for identifying risk in a portfolio. They are: technology risks, business risks, project risks, resource risks, customer risks and IT operational risks. Risks can be broken down further into subcategories, or risk factors, which introduces an additional level of detail and reporting.
3. DON’T Simply Track Your Risks, DO Create and Execute a Treatment Plan.
Your risk team (risk managers, project members, PMO or committee, etc.) must make decisions about how to deal with risks. Risk mitigation begins with a controls assessment. What controls are available to you that will address the risk? In many cases, introduction of technology is used to address risk, but other controls may be available such as acceptance or transfer of the risk.
For example, consider a fire risk in a data center. Technology controls are put in place, such as cooling systems, that significantly reduce the possibility of a fire. Although small, the risk of fire still exists. In this example, any remaining risk can be “transferred” to an insurance policy that is carried on the data center.
Once all controls have been put in place, any remaining risk, referred to as “residual” risk, must be formally accepted and signed off on.
4. DON’T Point Fingers but DO Introduce Accountability.
We know all too well that things usually do not go as expected. While planning is absolutely necessary, during project execution a plan typically becomes a playbook of audibles. When things go sideways, it is easy to play the blame game, pointing fingers at the people or groups responsible for the issue.
Your team must be held accountable, but their responsibility should lie in proper execution of your organization’s risk management processes. All documents and artifacts that result from risk decisions and acceptance of residual risk must be recorded. Process and governance should dictate what artifacts are required. If your team is following protocol and things still go wrong, which they certainly will, don’t point fingers. Instead, identify what went wrong, learn from mistakes and refine processes to become more mature.
A tool such as AlignIT can significantly increase an organization’s ability to track and manage risk across a portfolio of projects, but tools are only as good as the organization’s underlying risk management processes. In “Six Required Elements of Effective Risk Management”, Paul Proctor writes, “IT tools can be enablers of risk management processes and can help provide a consistent view of risk across the enterprise, which enables action…” and “However, the results gained from such tools will only be as good as the underlying frameworks, processes and data structures.”
About Elite Value Solutions and AlignIT Software
Elite Value Solutions is equipping IT organizations to deliver higher quality technology solutions with greater efficiency using AlignIT software. AlignIT software is a lightweight and flexible project and portfolio management solution that creates alignment between people and processes in your IT organization. It results in faster work execution and better teamwork, and it quickly adapts to changes as your business and IT organization evolve. AlignIT is offered either on-premise or in the cloud for rapid deployment. Elite Value Solutions is privately held with headquarters in Woodcliff Lake, New Jersey. For more information, visit www.alignITsoftware.com.