Portfolios of Risk

I’ve been thinking, and worrying, about portfolio risk and especially cross-portfolio risk in federated environments. In federated environments or extended enterprises it is not unheard of for strong programme management to have a good, clear view of the risks in their scope of activity and, in some more effective enterprises, of the dependencies that different activities within their scope have on each other. It is rare, though, to have a coherent and complete view of external dependencies between portfolios, and as the pace and variety of change increases this could be a problem.

Fitting out a new building for desktop PCs or VDI terminals only makes sense if you’ve checked the digital transformation isn’t planning to move everyone to BYOD laptops and tablets. Changing the back office of one business that relies on another business in the same group who are changing their front office at the same time is a concern. As is moving all that infrastructure into a public IaaS cloud when the business are building on PaaS and experimenting with serverless. It is possible for all of these changes to be happening concurrently in an extended enterprise and, because of federated organisational structures, for there to be limited visibility of the dependencies and assumptions between them.

At the same time we are seeing a rocky geo-political landscape and a heightened regulatory environment provide us with changing risk profiles in BAU capabilities while the change programmes are in flight. If we were all agile and communicating broadly this would be less of a concern, but in practice, in large extended enterprises, some change programmes can become organisations in their own right, disconnected from the BAU teams that are coping with real-world change.

Modelling risks and dependencies across and within portfolios and against BAU capabilities is at heart a relatively simple problem, but there is a lot of footwork involved in filling the gaps.

[Figure: Portfolio Risk Matrix]

The matrix above is a simple relationship view of how risks, projects, capabilities and organisations interrelate. There is a lot of semantic complexity hidden here, but as a first-pass tool that can be implemented in Excel in a hurry you may find this useful.

The first key concept to understand is that this is a bottom-up tool. It works from Risk up to Organisation, and the entity relationships work from top to left, as below:

[Figure: Entity Relationships]

However, the nature of the relationship is characterised in the cell that links two entities. For example, a risk is managed by a project, whereas a project can be managed by, dependent on or impacted by different types of entities. Using a consistent definition for what the entities are, it becomes possible to collect tables of risks, projects, capabilities and organisations and map these relationships to identify total exposure at the Organisation, Capability and Project level.

[Figure: Exposure Flow]

This flow of risk exposure up to the top level entities allows for the identification of both risk hotspots and risk dependency hotspots. If you can see those then you can worry a little less about cross-portfolio risk, but only a little.
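
The roll-up described above, as an added example in Python rather than Excel (not part of the original post): each non-empty matrix cell becomes a (subject, relationship, object) row, and exposure is summed for every entity a risk reaches. The entity names, the scores and the direction in which each relationship carries exposure are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample data: scores and entity names are illustrative assumptions.
RISKS = {"R1": 8, "R2": 5, "R3": 3}
# One row per non-empty matrix cell: (subject, relationship, object).
CELLS = [
    ("R1", "managed by", "Proj-Cloud"), ("R2", "managed by", "Proj-Cloud"),
    ("R3", "managed by", "Proj-Desktop"),
    ("Proj-Cloud", "managed by", "Org-A"),
    ("Proj-Desktop", "managed by", "Org-B"),
    ("Proj-Desktop", "dependent on", "Proj-Cloud"),
    ("Cap-Payments", "impacted by", "Proj-Cloud"),
    ("Cap-Payments", "managed by", "Org-B"),
]
# Assumed flow direction: exposure moves up to the manager (FORWARD), and from
# the thing depended on, or doing the impacting, to the subject (REVERSE).
FORWARD, REVERSE = {"managed by"}, {"dependent on", "impacted by"}

def flow_edges(cells, relations):
    """Turn matrix cells into directed exposure-flow edges."""
    edges = defaultdict(set)
    for subj, rel, obj in cells:
        if rel not in FORWARD | REVERSE:
            raise ValueError(f"unknown relationship: {rel!r}")
        if rel in relations:
            src, dst = (subj, obj) if rel in FORWARD else (obj, subj)
            edges[src].add(dst)
    return edges

def reach(risk, edges):
    """Entities a risk's exposure reaches (cycle-safe graph walk)."""
    seen, stack = set(), [risk]
    while stack:
        for nxt in edges.get(stack.pop(), set()) - seen:
            seen.add(nxt)
            stack.append(nxt)
    return seen

def exposure(risks, cells):
    """Return {entity: (total, inherited)}; inherited arrived via a dependency."""
    all_edges = flow_edges(cells, FORWARD | REVERSE)
    own_edges = flow_edges(cells, FORWARD)
    total, own = defaultdict(int), defaultdict(int)
    for risk, score in risks.items():
        for entity in reach(risk, all_edges):
            total[entity] += score  # each risk counted once per entity
        for entity in reach(risk, own_edges):
            own[entity] += score    # exposure visible in the entity's own chain
    return {e: (t, t - own[e]) for e, t in total.items()}
```

On the sample data, the risks managed in Org-B's own chain total 3, while its total exposure is 16; the other 13 arrives through links to Proj-Cloud, which sits in Org-A's portfolio.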

I often find that a seemingly complex problem can be simplified into a matrix of entities and relationships.