PMO Blog

Why the 3×3 Project Risk Scoring Matrix doesn’t work on Portfolios?

This has been a frustration of mine for a long time – how many Portfolios collect all the Project Risk Logs (or RAIDs) and then say this is the Organisation’s Portfolio Risk Log….. WRONG!!!

The top scoring aggregated Project risks are not Organisational Portfolio risks. There might be the odd one or two which come from a Project and affect the whole Portfolio, but generally one set of risks focuses on delivery of a single project (outputs and plans etc), while the other should focus on the impact to the Organisation’s ability to absorb change, and on whether there is any risk of the Organisation not achieving its strategic aims and objectives.

‘No single raindrop was to ever be blamed for the flood’

The unofficial standard for scoring Project risks tends to be the 3 x 3 box matrix (sometimes 5 x 5), prioritising project risks on an Impact vs Probability axis. There is nothing wrong with this approach for single projects, and it’s one technique I’m often working with Project Managers to use. The challenge for Portfolios is that there might be some project risks which are low / low in a project, but then the Organisational Impact can be high.

Risk 9 Box


Using the diagram to the left, Risk number 2 could apply only to that project, yet risk number 1 could apply to the whole Portfolio. Now the purists out there will be saying the Project Manager should rate it as a High, but the realists will understand that Project Managers are focused on only their project, and there is a ‘risk’ that Project Managers don’t always take into account the impact on the Portfolio.

This can leave a dilemma for the Portfolio Manager….. they haven’t the time to analyse all risks from all projects, yet they also can’t rely on just ‘top’ project risks.

An experienced Portfolio Manager will adopt a scoring system for projects which will still use Project Impact and Probability, but also add in another level for Governance (or Escalation or Organisational Impact). By simply adding up the scores, e.g. 3 for high, the Portfolio can then filter by the high scores, and help the Project Manager think about the impact of Project risks on the overall Portfolio.

Portfolio Risk Scores


A word of caution for all Portfolio Managers: this approach of aggregating Project risks into a Portfolio Risk log does not solve the problem of identifying Portfolio risks. There should still be the activity for the Portfolio Manager to work alongside the Exec and Senior Leadership of an organisation to identify and manage delivery risks, strategic risks and operational risks together; spend time out to understand what bad things might happen, and how we can stop them happening.




  1. I relatively weight the projects in the portfolio and use this as a multiplier for the Impact in order to produce a Portfolio level risk register. I do this because a HIGH impact to a project of low importance should not appear on the portfolio report at the same level as a MED/HIGH impact to a project of high importance. As an aggregation/rollup approach, it works for me.
    It is important to remember that Portfolio risk is not just the aggregation of project risks. At the Portfolio level we should also be considering the risks that are upstream from the individual projects (golden thread) and risks that span projects.
    We send out a portfolio report once a month which includes our top five risks. These are agreed by PMO and the Project Managers in our regular team meeting. Generally speaking 2-2 are project specific, 1-2 affect multiple projects and 1-2 relate to business planning and strategy.
