The main thought process about risk management at these levels is to share ownership at the project level with those at the program and portfolio levels. Probability and impact ratings vary at different levels and risk rarely occurs at a single level without affecting higher levels. When risk is identified at multiple levels, this constitutes a very high level of risk management complexity.

Program Risk Management

Risk at the program level include threats that are often present at the project level. Typically, risks are present in both existing and successive projects within a program. Quite often, these risks can be mitigated early with the same actions across a program. Program risks have the potential to have a cascading effect on projects within a program, resulting in more effort to resolve.

A common viewpoint of the program manager is that a single project’s contribution has a very limited impact at the program level. The program manager often feels that the resolution to project related risk that impacts a program is best resolved by termination. In the case of a risky but critical project in a program, removal is not an option. Projects within a program have different levels of criticality and the overall level of acceptable risk is based on the organization’s risk tolerance level.

Portfolio Risk Management

Most companies measure risk from within an enterprise portfolio. Every program must examine each project to determine if the risk level is within an acceptable range. High risk often results in high returns and the lower the risk, the lower the expected return. It is important to create a balance of high and low risk projects and programs to provide the maximum amount of return. Effective risk management should be developed to incorporate and provide protection for the entire organization.

Risk management at the portfolio level starts at the upper management level and should include all stakeholders. The process begins by taking an inventory of the ongoing projects. Leaders in the organization should define goals in terms of what should be accomplished. A predictable measure for risk at the portfolio level should be defined. Risks are categorized based on possible outcomes, impact and probability of occurrence. Many organizations use portfolio risk management software because it offers a framework for the establishment of communication requirements. Such tools are known to create a leveled playing field that excludes personalities, politics and favored projects.

Identification of Portfolio Risks

After the identification of portfolio risks, mitigation activities must be defined. Executives in the organization reviews all initiatives for elimination after the risk analysis process. The remaining group of initiatives for consideration are re-evaluated and re-prioritized with their mitigation strategies. The executive leaders will select the initiatives that will grow the company in the proper direction. Initiatives are then decomposed into projects. This begins the lifecycle of corporate initiatives and related projects. The takeaway from risk management at the portfolio level is that organizational cultures must value risk. In real life, change will undoubtedly occur and risk and opportunities can come to fruition quickly. It is beneficial for an organization to establish risk management at the enterprise level because of the following benefits:

• Communication and participation is improved for all stakeholders
• Improvements in corporate processes that propose and approve investments
• Process transparency and consistency results in faster organizational consensus
• Prioritization of investments provide savings based on the portfolio’s merit
• Timely identification of programs and projects at risk
• Release of funding needed to invest in new initiatives for business transformations
• Lessons learned that add value to consistent refinement of the portfolio management process
• Project management balance that optimizes business value for the entire portfolio

We found these books great for finding out more information on Agile Scrum:

Agile Risk Management

On agile projects, all Scrum Team (Scrum Master, Product Owner and Development Team) members are responsible for the identification of risks that have the potential to impact development sprints, projects or programs. Scrum ceremonies provide the venue for risk identification on a regular basis. Risks are identified during the following Scrum encounters:

• Daily Scrum
  • The main forum for risk and issue identification daily
• Retrospectives
  • Risks can be uncovered during continuous improvement discussions
• Requirements Analysis
  • The Product Owners leads requirement discussions for the purposes of maximining value and minimizing risks
• Sprint Planning
  • During this meeting, the team identifies, evaluates and provides risk responses for identified risk
• Sprint Review
  • Stakeholders are kept in the “know” and risk mitigation activities are discussed
• Scrum of Scrums
  • Risks and issues are addressed at the team, project and program levels
• Planning Poker
  • Story size estimation occurs and provides the opportunity for risk reduction by eliminating user stories that are too large and need to be broken down

There are four ways to address risk in agile environments:

1. Mitigate – An agile team implements risk mitigation by focusing on their velocity or capacity to develop the features tied to the user stories. They agree to the amount of work that they feel confident can be completed and nothing more.
2. Avoid – Projects or components of a project are cancelled to avoid threats in their entirety. The product owner will remove or change stories to eliminate this type of risk.
3. Contain – The agile team agrees to just “deal with” the low impact and probability risk when it occurs.
4. Evade – No risk action is taken when it is evaded. This typically pertains to risks that have been determined to have very little impact on the objectives of the project.

Risk management at any level adds value to the organization and this ultimately impacts profitability. Leaders can proactively manage expected variances in programs and portfolios with adequate risk mitigation strategies.