The top scoring aggregated Project risks are not Organisational Portfolio risks. There might be the odd one or two which comes from a Project and affects the whole Portfolio, but generally one set of risks focus’s on delivery of a single project (outputs and plans etc), the other should focus on the impact to the Organisations ability to absorb change, and if there is any risk on the Organisation not achieving its strategic aims and objectives.
‘No single raindrop was to ever be blamed for the flood’
The unofficial standard for for scoring Project risks tends to be the 3 x 3 box matrix (sometimes 5 x 5) prioritising project risks on a Impact vs Probability axis. There is nothing wrong with this approach for single projects, and its one technique I’m often working with Project Managers to use. The challenge for Portfolio’s is that there might be some project risks which are low / low in a project, but then the Organisational Impact can be high.
Using the diagram to the left, Risk number 2 could apply only to that project, yet risk number 1 could apply to the whole Portfolio. Now the purists out there will be saying, the Project Manager should rate is as a High, but the realists will understand that Project Managers are focused on only their project, and there is a ‘risk’ that Project Managers don’t always take into account the impact on the Portfolio.
This can leave a dilemma for the Portfolio Manager….. they haven’t the time to analyse all risks from all projects, yet they also can’t rely on just ‘top’ project risks.
An experience Portfolio Manager will adopt a scoring system for projects which will still use Project Impact and Probability, but also add in another level for Governance (or Escalation or Organisational Impact). Taking a simple adding up of the score e.g. 3 for high, the Portfolio can them filter by the high scores, and help the Project Manager thing about the impact of Project risks on the overall Portfolio.
A word of caution for all Portfolio Managers, this approach of aggregating Project risks in to a Portfolio Risk log does not solve the identifying of Portfolio risks. There should still be the activity for the Portfolio Maanger to work alongside the Exec and Senior Leadership of an organisation to identify and manage delivery risks, strategic risks and operational risks together; spend time out to understand what bad things might happen, and how can we stop them happening.
For more information about Project and Portfolio Risk Management, click on this link for the Risk Management page