A majority of projects are managed not in isolation but as part of a project portfolio or program. The portfolio can include projects managed by one organization, programs which may include multiple organizations or a group of projects which share resources or the same deliverables and stakeholders. In other words portfolios include many related projects.

Managing risks in project portfolios bring some new challenges including:

• How risks are shared between projects
• How to rank a project within a portfolio based on risk exposure
• How to change project priorities based on risk exposure
• How to reallocate resources within a portfolio as a response to risk
• How to perform risk mitigation, if risk is shared between different projects within a portfolio

In order to manage a risk project portfolio, you first need to have two main components:

• Portfolio Risks Register. Portfolio Risk Register in many cases is a corporate risk register, which may include all possible risks: risks shared between different projects as well as risk specifics for a particular project
• Depository of project schedules and other related project information

Here is how portfolio risk analysis is performed:

1. Identify the risk and include it in the corporate risk register. For organizations with established risk management processes, most risks are systemic and most likely already included in the risk register. Therefore, it is recommended to search the risk register and find similar risks.
2. Define the risk property, such as description, trigger, assumption, cause and effect, sunrise and sunset dates, etc. Risks may affect different categories: schedule and cost, which are schedule related risk categories; safety, quality, security, litigation, technology and environment, which are non-scheduled, risk categories.
3. Assign risk visibility and follow risk approval processes. Risk can be visible only for a specific project or can be visibility on the portfolio level. For example, a risk can be very specific to the current project and may not occur for other projects. In this case it will be visible for this project only. At the same time risk “Budgetary problems”, may not be visible at the project level, because management may not want to notify employees working on the particular project. In many cases, any new risk must be approved by an administrator, manager, or special committee before it goes to the corporate risk register.
4. Select a project within the portfolio, open it and assign the risk to a particular task or resource within this project. At this point you can define the probability and impact of the risk. In general, probabilities and impacts of each risk assigned to different projects within a portfolio can be different. The risk assignments may not be correlated to each other, although it can be the same risk. For example, a “Delay with the delivery of a component”, will impact differently for different projects. Moreover, consequence of this risk on specific risk categories can be different. For example, “Defective Components” will affect cost and quality, but will have little impact on schedule and duration.
5. Perform Monte Carlo simulation for the specific project generating a risk adjusted project schedule with sensitivity analysis. A combined risk probability and impact analysis for all risk categories will be calculated.
6. As soon as risks are ranked for a specific project, the ranking will be reflected on the corporate level as well. This ranking will be calculated based on project priorities. For example, the risk impact on one project will be 40%. The impact of the same risk on another project will be 80%, however, the priority of this project within a portfolio will be 25%. Therefore the total impact of the risk on the portfolio will be 40% + 80%*0.25 = 60%.
7. Identify and perform risk mitigation efforts, which can be shared between different projects within a portfolio.

It is important to emphasize that the risk register on a corporate level and for individual projects will be different. Not all risk will be assigned to all projects. Impact and in some cases even probability of risks in a project on the corporate level will be different.  When you open a particular project, you will see a risk register for the project. If all projects are closed, you will see a corporate risk register.