Lee Merkhofer Consulting Priority Systems
Implementing project portfolio management

Project Selection Risk


As explained on the previous page, the types of risk addressed by project planning and project execution are primarily cost risks, schedule risks, and risks related to achieving the deliverables established for each individual project. Project selection risk, in contrast, concerns the possibility that project choices might threaten the successful achievement of the organization's objectives. If such risks are present, they should be fully understood before deciding to include specific projects within the project portfolio.

A paper by the accounting firm Ernst & Young provides this example [4]:

A company conducted a project to install new equipment to increase capacity. However, the project planning team failed to consider whether there would be a market for the increased supply. Narrowly defined, the project was a success because the new equipment was installed successfully, on time and on budget. However, because there was insufficient demand, the company could not sell its extra output at its prevailing price. It ultimately had to shut down some of its production lines.

As illustrated by the example, project selection risks often arise from external considerations not entirely within the domain of responsibility or expertise of project managers. Project selection risk management is, therefore, typically a responsibility of the project portfolio management office, not the project team.

Diversifiable versus Non-Diversifiable Risk

A distinction critical to project selection risk management is whether a project risk is diversifiable or non-diversifiable. Diversifiable risks, also called idiosyncratic risks, are risks that are unique to the project and independent of the risks associated with other projects. With diversifiable risks, an unexpected bad outcome for one project will likely be offset by a good outcome on another. For example, a large pharmaceutical company's R&D project is affected by the uncertain outcomes related to the specific compound involved. If the company is working on a number of different compounds, a failure with one will likely be counterbalanced by a success somewhere else. Diversifiable risks, provided that the project portfolio is well-diversified, are of lesser concern to larger organizations. However, diversifiable risks can be important for small to mid-sized organizations, especially if only a few important projects are being conducted.

Non-diversifiable risks, sometimes called systemic risks, are risks common to all projects of a given type or to the enterprise as a whole. Systemic risk cannot be eliminated by portfolio diversification. For example, though the pharmaceutical company's R&D project is affected by the uncertain outcomes surrounding the specific compound, the value of many of its projects could be impacted by a change in regulations governing the protocol for testing. Similarly, a petroleum firm's exploration project depends on uncertainty over whether oil is present at the given location, but uncertainties over the market price of oil affect many projects. Thus, a goal of project selection risk management is to understand whether project risks are diversifiable or not and to give preference to projects whose returns are not highly correlated with the firm's other projects or assets.

Figure 31:   Examples of diversifiable and non-diversifiable project risks.

Project Deferral Risk

In addition to non-diversifiable project risk, project deferral risk can be important for project selection. Project deferral risk refers to the risks associated with choosing not to do a project. It is a common concern for maintenance projects: doing the project may simply maintain the status quo, while failing to do the project increases the likelihood of failure of the assets requiring maintenance. Large project deferral risks often occur for organizations responsible for managing systems whose failure might produce large-scale health, safety, environmental or financial consequences (such as a large electric transmission network, an oil refinery, or a railroad system operator). Project deferral risk can also occur if there is only a limited window of opportunity for conducting a project: if the project is not conducted now, there may be a risk that it might never be possible to do it effectively later.

Project portfolio management (PPM) provides an opportunity to account for external as well as internal risks and to get senior executives to take ownership of diversifiable and non-diversifiable risks before the project commences. Likewise, including consideration of project deferral risk within PPM helps ensure that senior executives understand and accept the risks that result from decisions to postpone projects.

Identifying and Characterizing Project Selection Risks

The methods for identifying and characterizing risks relevant to project selection are much the same as those used to support risk management in project planning and execution. These methods include:

  • Brainstorming. A group technique for generating ideas for solving problems. The full project team should participate.
  • Interviewing. Talking with experienced team members and subject matter experts. Face-to-face interactions are best, since individuals may be reluctant to raise their risk concerns in an open forum.
  • Root cause analysis. Looking for the underlying causes of problems.
  • Diagramming. Including system and process flow charts, decision trees, event trees, and influence diagrams.
  • Checklists. Lists of risks developed from historical experience and documentation.
  • SWOT analysis. Strengths, Weaknesses, Opportunities, Threats.

The output from the risk identification and characterization steps is a list of the identified risks, plus root causes and downstream effects. As noted above, you may need two lists, one listing risks to the successful completion of the project and the other listing risks associated with not doing the project.

The risk identification step frequently generates a large amount of information, and it is easy to go overboard. Once the list is created, qualitative and/or quantitative analysis may be conducted (see below) to determine which risks warrant more time and money.

Qualitative Risk Analysis Using a Risk Matrix

The project risks that remain after a project plan has been modified to mitigate identified risks are the residual risks that must be considered when selecting projects. Most organizations determine what to do about such residual risks based on qualitative analysis. For example, an identified risk might be categorized as high, medium, or low with respect to likelihood and consequence. As shown in Figure 32, the assessments may be used to position projects on a 3×3 display known as a risk matrix (also called a risk map or a risk-response table), with recommended actions. Color codes (e.g., green, yellow, and red "traffic lights") may be used to help communicate risk judgments.

Figure 32:   Risk matrix and risk map for qualitative risk analysis.

If the risk is identified and understood, ideas may be generated for modifying the project plan to mitigate the risk. Also, routinely identifying and analyzing project risks generates a database of project risks and associated risk-reducing actions, useful when considering similar projects in the future.

Adjusting Project Priorities based on Qualitative Risk Analysis

The risk matrix provides a qualitative method for factoring risk into project prioritization. Suppose, for example, that projects are initially ranked without consideration of risk as in the left table below:

Figure 33:   Risk scoring checklist and risk matrix.

The second table shows hypothetical risk evaluations for the projects. Projects G and M decline in ranking because they are estimated to have medium and high project risk, respectively. Project U ranks higher because it has high project deferral risk. As illustrated, significant project risks or project deferral risks can be used to judgmentally alter a risk-neutral ranking.

Qualitative versus Quantitative Risk Analysis Methods

Risks should be characterized using a level of detail and precision sufficient to allow the specific impacts to objectives to be identified and specific actions to address the risk to be evaluated. Qualitative risk analysis methods may be adequate for screening purposes or in situations where risks are not very serious. The major strength of qualitative methods is that they can be applied quickly without the need for complex mathematics. However, the words used in qualitative analysis, such as "high," "medium," and "low," are imprecise and mean different things to different people. A lower-level manager might have a very different notion of what qualifies as a high risk compared to that of the CEO. If risks are significant, they can have a significant impact on the projects that should be included within the project portfolio. Methods for identifying value-maximizing project portfolios with risks exist, but they require risks to be quantified.

The risks identified and evaluated using qualitative methods may be summarized in a risk register, a table listing identified risks and their estimated severity. Risks that appear more severe based on qualitative assessment can be selected for further analysis using quantitative methods, described on the following pages.

Figure 34:   Qualitative risk analysis as a means for selecting risks requiring quantitative analysis.

Quantitative Methods for Valuing Risk

There are two alternative approaches for valuing risk:

  1. Compute the decrement (or increment) to the worth of the project caused by project and project deferral risk.
  2. Adjust the discount rate (cost of capital) to reflect the specific level of project risk for each project.

The former approach, which requires that risks be quantified using probabilities, is described on the following two pages. The latter approach involves using project hurdle rates. Hurdle rates are simpler, but as explained below, they have serious limitations.

Be Careful Using Hurdle Rates

Most organizations that account for risks when valuing projects do so using hurdle rates. The hurdle rate is a risk-adjusted discount rate, typically related to the cost of capital, that is used to discount future project costs and benefits. Increased hurdle rates are applied to projects considered to be more risky.

Using hurdle rates may be preferable to ignoring risk or treating it as an intangible. However, hurdle rates have limitations. For one thing, hurdle rates only address project risk; they can't account for project deferral risk. Also, organizations are frequently unclear about what hurdle rate should be applied based on project risk. Studies have shown that the rates used by firms vary considerably. According to finance theory, the "correct" hurdle rate is the opportunity cost of the investment, which is the return available from investing in securities equivalent to the risk of the project being evaluated. Most companies don't adjust the hurdle rate for risk nearly enough.

A more fundamental problem is reflected in research on real options showing that the discount rate needs to vary with the project management strategy (e.g., an irreversible project investment would call for a higher hurdle rate) as well as with time (the discount rate is not a constant, but changes depending on when the discounted future outcomes will occur). Using a constant hurdle rate for a project implicitly assumes that uncertainty increases over time in a specific way (geometrically). Hurdle rates tend to create a bias toward short-term, quick-payoff projects because they severely penalize project benefits that occur in the longer term.
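
The geometric assumption and the short-term bias described above can be checked numerically. The following is an added example, not part of the original page: the two projects, their cash flows, and the 4% risk-free rate are constructed for illustration.

```python
def npv(cash_flows, rate):
    """Net present value of cash_flows[t] received at the end of year t (t = 0 is today)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def implied_certainty_factor(year, risk_free, hurdle):
    """Share of an expected benefit in `year` that is left after the risk premium.

    Discounting at the hurdle rate gives the same value as discounting at the
    risk-free rate after scaling the benefit by
    ((1 + risk_free) / (1 + hurdle)) ** year, so the implied risk haircut
    compounds geometrically with time.
    """
    return ((1.0 + risk_free) / (1.0 + hurdle)) ** year


# Constructed sample projects: both cost 100 today.
QUICK = [-100, 70, 70]              # quick payoff: benefits in years 1 and 2
LONG = [-100] + [0] * 9 + [330]     # long-term: one benefit in year 10
PROJECTS = {"quick": QUICK, "long": LONG}


def rank(rate):
    """Project names ordered from highest to lowest NPV at the given rate."""
    return sorted(PROJECTS, key=lambda name: npv(PROJECTS[name], rate), reverse=True)


if __name__ == "__main__":
    risk_free = 0.04  # assumed risk-free rate
    for hurdle in (0.08, 0.15):
        values = {name: round(npv(cf, hurdle), 2) for name, cf in PROJECTS.items()}
        print(f"hurdle {hurdle:.0%}: NPV {values}, ranking {rank(hurdle)}")
        for year in (1, 2, 10):
            factor = implied_certainty_factor(year, risk_free, hurdle)
            print(f"  year {year:2d}: implied certainty factor {factor:.3f}")
```

Raising the hurdle rate from 8% to 15% reverses the ranking and turns the long-term project's NPV negative, even though nothing about its expected cash flows has changed.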