Within large complex organisations, risk management is often considered at the enterprise level and at times, also at the tactical or project level, but rarely are the two lenses of risk brought together in an integrated way.
The reason these lenses are not often brought together is because it is not easy to integrate enterprise and tactical risks without including an additional lense at the operational or portfolio level.
Organisations frequently invest substantial amounts of money to develop an Enterprise Risk Management (ERM) framework, which provides a vehicle by which to identify risks to the organisation at the strategic level, assess the risks according to likelihood and consequence and then develop ‘treatment plans’ or ‘risk minimisation strategies’ by which to manage the risk within acceptable levels. Often this is a process of reporting rather than action to treat the risks.
Equally, at the project level, project managers are often required to have risk registers and report on their risk profile and management as part of their project reporting. But how do the project risks relate to the strategic risks? Are the treatment plans at the strategic and project level correlated and aligned?
There needs to be an intermediate lense at the operational or portfolio level to align the risk identification and treatment at the strategic and project levels. The purpose of the portfolio level is not to ‘cluster’ the project risks but rather to look across the project risks at a thematic level and align this to the organisation’s strategic risks.
This process enables the organisation to identify and manage tactical level risks that extend beyond a single project or business unit. For example, if projects consistently run over budget, are delayed or not delivered on time, then the organisation can identify this risk at the operational level and put in place a treatment plan that can then be applied consistently at the project or business unit level.
This approach also enables an organisation to assess its risk management capability across the enterprise, portfolio and tactical levels and take action as required to address capability gaps. In addition, connectivity between the capability at the enterprise, portfolio and tactical levels in the organisation fosters communication, information sharing, and capability building that can enhance the organisation’s overall risk management practice.
Taking a thematic approach to risk management at the portfolio level, also enables the organisation to take a more detailed look at external risks and upside opportunities, which again enhances the integration of the strategic and tactical risks. This is also often a departure from the traditional approach to risk management which focuses on ‘threats’ and does not consider how to leverage the ‘upside risks’ or opportunities that may exist at the tactical level.
An integrated approach to risk management can create significant strategic advantage by bridging the gap between enterprise level and tactical risks, as well as by dealing with both threats and opportunities. This approach enables both successful project delivery and increased realisation of business benefits.
