In this phase, the plan is to devise and execute risk management procedures and instruments that cover both the portfolio of projects as a whole and the distinct risks of each individual project (enterprise risk management).

The chief objective of portfolio risk management is to ensure that the projects within the portfolio reach their maximum potential in line with the organization’s strategy and business model. This is attained by balancing opportunities against threats and by identifying and adjusting risk factors (environmental, human, legislative, industrial, and so on). Interdependencies among these factors can themselves trigger risks, warranting modifications to the entire project portfolio and occasionally giving rise to new projects.

The portfolio risk management framework equips portfolio managers to allocate existing funds and resources while bearing in mind the organization’s limited capacity. Factors taken into consideration include:

  • Overall risk tolerance;
  • Frequency, severity, and threshold values of risks;
  • The structure of key portfolio stakeholders;
  • Risk thresholds;
  • Coverage limits.

Typically, the following recurring (usually annual or quarterly) processes are incorporated into the project portfolio management business process:

  1. Revision of the project portfolio strategy.
  2. Identification of organizational and portfolio risks (including a review of the existing risk register).
  3. Risk evaluation/re-evaluation (including cost-benefit analysis).
  4. Development of response measures (including the initiation of new projects).

Risk Management

For individual projects, the primary goal of project risk management is to reduce the likelihood and/or the impact of threats (and to increase those of opportunities) so as to maximize the project’s probability of success. This methodology covers the processes of risk identification, analysis, response planning, response implementation, and risk monitoring within each project. Risk exists in each project on two levels:

  1. Individual project risk: an uncertain event or condition, which, if it occurs, adversely affects one or more project objectives.
  2. Cumulative (overall) project risk: the effect of uncertainty on the project as a whole, arising from all sources of uncertainty, including individual risks. It represents the exposure of stakeholders to variation in the project’s outcome.

For effective risk management of a specific project, the team needs to understand the acceptable level of risk when working towards the project goals. This is expressed as measurable risk thresholds, communicated from the portfolio level of risk management and reflecting the risk appetite of the organization and its stakeholders. A risk threshold states the acceptable degree of variation around a project objective (cost, schedule, scope, or quality); exposure above the threshold requires a response.
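The two risk levels and the threshold check described above can be made concrete with a small quantitative risk register. The following is an added example written for this page, not a tool or report from the PMIS, Power BI, or the Contractor described here; the risk entries, probabilities, cost impacts, and the threshold value are constructed sample data. Each individual risk is scored by expected monetary value (probability × cost impact); cumulative project risk is estimated both as the sum of those expected values and, because the individual risks may or may not all occur together, by a Monte Carlo simulation of the total cost impact (treating the risks as independent, which is an assumption). The P80 of that distribution is compared with the cost threshold handed down from the portfolio level.

```python
"""Quantitative risk register: individual risk scoring, cumulative exposure, threshold check.

Added illustrative example; the risks, values and threshold below are constructed.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    probability: float   # likelihood of occurrence in [0, 1]
    cost_impact: float   # cost overrun if the risk occurs (currency units)

    @property
    def emv(self) -> float:
        """Expected monetary value of this individual risk."""
        return self.probability * self.cost_impact


# Constructed sample register for one project (not real project data).
SAMPLE_REGISTER = [
    Risk("R-01", "Key supplier delivers late", 0.30, 50_000.0),
    Risk("R-02", "Regulatory change forces redesign", 0.10, 200_000.0),
    Risk("R-03", "Loss of a senior engineer", 0.25, 40_000.0),
    Risk("R-04", "Integration testing uncovers defects", 0.50, 30_000.0),
]


def individual_scores(register: list[Risk]) -> dict[str, float]:
    """Score each individual project risk by EMV, for the per-project risk report."""
    return {r.risk_id: r.emv for r in register}


def expected_exposure(register: list[Risk]) -> float:
    """Cumulative exposure as the sum of individual EMVs (a point estimate)."""
    return sum(r.emv for r in register)


def simulate_total_impact(register: list[Risk], trials: int = 20_000, seed: int = 1) -> list[float]:
    """Monte Carlo estimate of cumulative project risk.

    Assumes the risks occur independently of each other (an assumption of this
    example). Each trial draws which risks materialise and sums their impacts.
    """
    rng = random.Random(seed)  # fixed seed keeps the example reproducible
    totals = []
    for _ in range(trials):
        total = sum(r.cost_impact for r in register if rng.random() < r.probability)
        totals.append(total)
    return totals


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile (p in [0, 1]) of a list of sampled totals."""
    ordered = sorted(values)
    index = min(len(ordered) - 1, max(0, int(round(p * len(ordered))) - 1))
    return ordered[index]


def threshold_status(exposure: float, threshold: float) -> str:
    """Compare an exposure figure with the cost threshold set at portfolio level.

    'within' means the project is inside its agreed variation; 'breach' means the
    exposure must be escalated and a response planned.
    """
    return "within" if exposure <= threshold else "breach"


def project_risk_summary(register: list[Risk], cost_threshold: float) -> dict:
    """Assemble the figures a per-project risk report would carry."""
    samples = simulate_total_impact(register)
    p80 = percentile(samples, 0.80)
    return {
        "individual": individual_scores(register),
        "emv_total": expected_exposure(register),
        "p80_total": p80,
        "status_emv": threshold_status(expected_exposure(register), cost_threshold),
        "status_p80": threshold_status(p80, cost_threshold),
    }


if __name__ == "__main__":
    # Constructed threshold: the portfolio allows this project a 60 000 cost variation.
    summary = project_risk_summary(SAMPLE_REGISTER, cost_threshold=60_000.0)
    for risk_id, score in summary["individual"].items():
        print(f"{risk_id}: EMV {score:,.0f}")
    print(f"Cumulative EMV {summary['emv_total']:,.0f} -> {summary['status_emv']}")
    print(f"Cumulative P80 {summary['p80_total']:,.0f} -> {summary['status_p80']}")
```

The point of reporting both figures is that the EMV sum can sit comfortably under the threshold while the P80 of the simulated total does not, because a single low-probability, high-impact risk (R-02 here) dominates the tail; the threshold check that matters for escalation is the one against the distribution, not the average.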

Project Portfolio Risk Management

Figure: an example of a summary report on all risks of individual projects.

The risk management phase also applies Agile project management principles for flexibility and adaptability: as new risks emerge or existing ones change, teams can re-plan quickly. In addition, the governance framework establishes clear decision-making processes and the allocation of responsibility for managing risk, ensuring transparency and accountability throughout the project lifecycle.

Outcomes of this stage include:

  1. The business process of project portfolio risk management has been developed, configured in the Project Management Information System (PMIS), and fine-tuned. The link with the project initiation process has been established to transfer portfolio risk management calculations and developments to new projects.
  2. A register of portfolio risks, risk submission forms, and a risk notification system have been established in PMIS.
  3. The risk management business process of individual projects has been developed, configured in PMIS, and put into place.
  4. Project risk registers, risk submission forms, a risk notification system, and the allocation of risk responsibilities have been set up in PMIS.
  5. Customized risk reports automatically generated in Power BI format:
    • Organization and portfolio risk report.
    • Aggregate report for all individual project risks.
    • Detailed report on the risks of each individual project.
  6. Modifications have been made to the PMIS documents of regulations/standards and to the PMIS work processes, encapsulating the process of risk identification, analysis, planning, response implementation, and risk monitoring.
  7. The Customer’s employees have received risk management training.

The duration of this phase is 20 business days.

The Contractor’s responsibility is to provide a business analyst, a risk manager, and a programmer for system configuration and adjustment, together with the tools and practices needed to develop the risk management processes and instruments.

The Customer’s responsibility is to appoint a project portfolio risk manager and to provide access to information necessary for the development of risk management processes.