
Portfolio Risk Analysis

Table of Contents

  • What is Portfolio Risk Management?
  • Portfolio Risk Management Framework
  • Risk Management Plan
  • Portfolio Risk Management Tools and Techniques
  • Wrapping Up

Like the project risk definition, a portfolio risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more portfolio objectives. Portfolio risk management is a structured process for assessing and analyzing portfolio risks with the goal of capitalizing on the potential opportunities and mitigating those events, activities, or circumstances which can adversely impact the portfolio.

What is Portfolio Risk Management?

Risk management identifies and exploits the potential improvements in portfolio component performance that may increase quality, customer satisfaction, service levels, and productivity for both the portfolio components and the organization.  The objective of portfolio risk management is to accept the right amount of risk commensurate with the anticipated reward to deliver the optimum outcomes for the organization in the short, medium, and longer term.

Portfolio risk management differs from project and program risk management in that, in the right circumstances at the portfolio level, the organization may choose to actively embrace appropriate risks in anticipation of high rewards.

While a program or a project is concerned, for the most part, with risks and issues that arise inside the specific program or project, portfolios are concerned with maximizing financial value of the portfolio, tailoring the fit of the portfolio to the organizational strategy and objectives, and determining how to balance the programs and projects within the portfolio given the organization’s capacities and capabilities.

Potential risk conditions include aspects of an organization’s environment that may contribute to portfolio risk, such as poor management practices (a negative risk), integrated management systems (positive), an excessive number of concurrent projects (negative), or dependency on external participants who are highly specialized (positive).

Portfolio Risk Management includes providing reserves (or contingencies) across the threat pool within the component programs and projects. The portfolio manager is in a position to hold an aggregate contingency to cover threats where the expected monetary value is an unreliable guide to contingencies due to a less than statistically significant number of risks within an individual initiative.

A portfolio manager may also aggregate risk responses by using some common characteristic; otherwise, the nature of a portfolio is a collection of initiatives only coincidentally coupled and not joined by outcome (i.e., impact or consequence of the opportunity).

In other words, there isn’t a portfolio risk management element; it is a contingency provision for the constituent projects and programs in cases where each component cannot economically fund protection from threats. This is called equity protection and is commonly used by insurance companies. The opportunity at the equity protection level is the consideration of why an initiative was sanctioned to be in the portfolio in the first place.

Portfolio Risk Management Framework

As shown in the figure below, there are four key elements in Portfolio Risk Management: risk management planning, risk identification, portfolio risk analysis, and risk response.

The portfolio risk management framework or architecture supports the overarching principles of risk management and provides the vision for risk management within the portfolio. The portfolio risk management framework is an outline that links organizational risk management processes within the portfolio.

Additionally, the framework links program, project, and operational risk management to the portfolio risk management structure, thus providing a link between the risk concerns that transcend the portfolio and the component risk concerns contained within the portfolio.  A common set of risk-related definitions and the establishment of risk categories or a risk breakdown structure should be provided by the portfolio management team as part of developing the portfolio risk management framework.

Differences are expected between the portfolio, program, project, and operations risk management areas. At the program or project level or when dealing with operations, the focus is on management of negative risks (threats) through avoidance, transfer, or mitigation, as well as managing positive risks (opportunities) through exploitation, sharing, or enhancement.

At the portfolio level, the focus should be on balancing positive and negative risks to support the organizational vision, strategic goals, and objectives of the organization, thus realizing value to the organization. At the portfolio level, risk acceptance may be a more common strategy because many risks are outside of the planning ability or control of the organization.

On the positive side of risk, organizations may exploit, enhance, or share a positive risk. When dealing with an increased product demand, for example, the risk response actions would usually be part of a planned portfolio strategy or marketing effort.

In general, portfolio managers focus on risk balancing beyond what is usually done at the program and project levels; this is due to the wider scope of portfolio management, added complexity at senior levels of management, decreased control, and a generally broader vision across the management structure.

In mature organizations, risk-based decision making facilitates the separation of various risks into risk categories. Risk categories provide a structure that ensures a comprehensive process for systematically identifying risks to a consistent level of detail and that contributes to the effectiveness and quality of risk identification.

An organization can use a previously prepared categorization framework that may take the form of a simple list of categories. Some categories of risks are: performance risk, resource risk, market risk, organizational risk, and budget risk.

Portfolio Risk Management Plan

The portfolio risk management plan is a component of the portfolio management plan. It describes how risk management activities will be structured and performed within the portfolio. It also includes references to risk management guidelines, policies, and procedures that define the organization’s risk strategy and appetite, which includes thresholds and confidence limits.

The portfolio risk management plan provides the approach that is used by governing bodies for assessing risk in portfolio components. It is not a collection of portfolio component risk management plans or a summary of those plans, although there should be common elements between the risk management approach within the portfolio components and the overall portfolio management plan.

For example, when the culture of the organization is one of risk taking, then the portfolio risk approach should be more tolerant of risks, and the embracing of risks should be a common theme throughout the components of the portfolio. The portfolio risk control plan includes references to risk management guidelines, policies, and procedures that define the organization’s risk strategy, and presents the organization’s risk appetite and risk tolerance thresholds.

The portfolio risk management plan extends the vision articulated within the portfolio risk management framework. The portfolio risk management plan outlines the processes by which risk will be managed at the portfolio level. However, the portfolio risk control plan should not be prescriptive down to the project level or define how operations will be managed with respect to risk within the portfolio. Managers working within portfolio components should align risk plans to the framework for managing portfolio risks, and the individual component risk management plans should support the portfolio risk management plan.

While management concerns within portfolio components often differ from concerns at the portfolio level (i.e., time, impact, span of effect, or complexity), the risk management plan of each component is not a mere subset of the portfolio risk management plan for an entire portfolio.

Portfolio Risk Management Tools and Techniques

Manage Portfolio Risks consists of four stages: (1) risks are identified, (2) risks are analyzed, (3) risk responses are developed, and (4) risks are monitored and controlled throughout the Manage Portfolio Risks process. Portfolio risk management tools and techniques may include the following:

  1. Weighted Ranking and Scoring Techniques. As part of portfolio risk management, the governing board uses weighted ranking and scoring techniques during recurring governance meetings to conduct portfolio risk assessment and identify whether any new risks have arisen.

These techniques may be used in meetings dedicated to reviewing risks or in meetings where the review of key risks is an agenda item but not necessarily the overall purpose, for example, executive governance meetings, organizational strategy meetings, or investment meetings.

  2. Quantitative Analysis. Quantitative portfolio risk tools are generally used to measure financial metrics. Financial metrics include but are not limited to the following: net present value (NPV), a measure of a series of cash flows; estimated net present value (ENPV), a measure of future NPVs; payback or payback period (PBP), a measure of the time required for a return on investment; return on investment (ROI), a measure of the efficiency of an investment; and internal rate of return (IRR), the discount rate used in budgeting, which makes the NPV equal to zero.
  3. Sensitivity analysis. As part of the portfolio risk analysis, sensitivity analysis helps to determine which risks have the most potential impact on the portfolio. It examines the extent to which the uncertainty of each element affects the respective objective when all other uncertain elements are held at their baseline values. One typical output of sensitivity analysis is the tornado diagram; this is useful for displaying which parameters lead to a high degree of variability and which have less effect.

  4. Modeling and simulation. Simulation uses a model that translates the uncertainties specified at a detailed level of the portfolio into their potential combined impact on portfolio objectives. Simulations are typically performed using the Monte Carlo technique.

In a simulation, the model is computed many times (iterated). At each iteration, the input values (such as cost of project elements or duration of scheduled activities) are randomized in accordance with the probability distribution of the corresponding variable. The outputs of each iteration are consolidated to provide a frequency distribution for the values of each key parameter (such as total cost or completion date).
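The iteration loop described above, together with the one-at-a-time sensitivity ranking behind a tornado diagram, as an added Python example that is not part of the original article. The component names, the three-point cost estimates, and the choice of triangular distributions are constructed assumptions.

```python
import random
import statistics

# Constructed sample data: component -> (low, most likely, high) cost in $k.
COMPONENTS = {
    "ERP upgrade": (800, 1000, 1600),
    "Data center move": (400, 500, 900),
    "Mobile app": (150, 200, 260),
}

def simulate_total_cost(components, iterations=20000, seed=1):
    """Monte Carlo: every iteration draws each component's cost from its
    (assumed) triangular distribution and records the portfolio total."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    totals = [
        sum(rng.triangular(lo, hi, ml) for lo, ml, hi in components.values())
        for _ in range(iterations)
    ]
    return sorted(totals)  # sorted totals form the frequency distribution

def percentile(sorted_values, p):
    """Value below which roughly p percent of the simulated totals fall."""
    index = min(len(sorted_values) - 1, int(p / 100 * len(sorted_values)))
    return sorted_values[index]

def tornado(components):
    """Sensitivity: swing one component from low to high while all others
    stay at their baseline (most likely) value; widest swing first."""
    baseline = sum(ml for _, ml, _ in components.values())
    rows = []
    for name, (lo, ml, hi) in components.items():
        rows.append((name, baseline - ml + lo, baseline - ml + hi, hi - lo))
    return sorted(rows, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    totals = simulate_total_cost(COMPONENTS)
    print(f"mean {statistics.mean(totals):.0f}  "
          f"P50 {percentile(totals, 50):.0f}  P80 {percentile(totals, 80):.0f}")
    for name, low, high, swing in tornado(COMPONENTS):
        print(f"{name:18s} {low:6.0f} .. {high:6.0f}  swing {swing:.0f}")
```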

  5. Qualitative Analysis. Qualitative portfolio risk tools are generally used to provide a way to measure domains of portfolio risks that are not specifically quantitative. These may include risk probability and impact assessment, sensitivity analysis, modeling and simulation, assumptions analysis, influence diagrams, risk-portfolio component chart, weighted ranking and scoring techniques, heat maps, and ranking and scoring of portfolio risks.
  6. Investment Choice Analysis. Investment choice pertains to the alignment of the portfolio. This analysis focuses on the new and changing strategic objectives/goals and indicates where there are gaps in investment within the portfolio as a whole. Gaps may constitute portfolio risks.


In conclusion, the primary objective of Portfolio Risk Management is to make sure that portfolio components will achieve the best possible success according to the organization’s strategy and business model. From a risk perspective, this is done through the balancing of risks, both positive (opportunities) and negative (threats).

The management of risks below the portfolio level is usually thought of as exploiting opportunities and avoiding threats. However, when dealing with complexity at the portfolio level, the simple approach of avoiding threats and exploiting opportunities may not result in a complete balancing of portfolio risks. Portfolio Risk Management aligns portfolio components, organizational strategy, the business model, and environmental factors toward the objective of portfolio value optimization and results in a synchronized portfolio execution across portfolio components.


PMBOK®, PfMP®, and PMI® are registered trademarks of the Project Management Institute, Inc.