Insights on governance, risk and compliance September 2012
Strategy deployment through portfolio management A risk-based approach
Introduction
Today’s economy is increasingly competitive. Greater variation in market performance, sharper market volatility, ceaseless pressure on margins and demanding stakeholders have made for an increasingly interconnected, interdependent and unpredictable global economy. Many organizations are not yet optimized to this new state of the economic landscape, but there is a growing awareness within organizations that they need to adapt and that doing nothing is not an option.
As a consequence, many organizations are transforming their businesses to strengthen their organization to save costs, create more client centricity, restore stakeholder confidence, enhance the use of ICT or embed new business models. For many organizations, their long-term success depends on the success of these transformation programs. And while the margin for error is small, the environment in which this needs to happen is becoming increasingly challenging.
Businesses — already disoriented by today’s market turmoil — need to execute numerous change programs and projects in parallel, while at the same time keeping the business functioning. In many multinational organizations, hundreds of programs and projects are running in parallel across different functions and geographies. Such complexity causes organizations to struggle with “doing the right things” and “doing things right.” Many organizations are therefore getting a poor return from their investment in projects or programs.
Doing things right: firstly, organizations may encounter issues with the delivery of their programs and projects. Although they may have selected the right project or program to invest in, it is the execution of the initiatives that causes issues resulting in benefits being delivered too late or the costs becoming excessive. As a result, programs and projects underperform and need attention just when organizations are seeking to spend their hard-earned capital wisely.
Doing the right things: secondly, organizations may struggle with selecting the right programs and projects to invest in. The wrong projects or programs will not support the corporate strategy nor add sufficient value to the organization. This is within the scope of portfolio management as it is very much concerned with the translation of the strategy into tangible programs and projects. Effective portfolio management provides the organization with a mechanism to make sure the organization is doing the right things. In this paper we present a risk-based approach to high-performing portfolio management.
Doing the right things while doing things right
Organizations execute their transformation programs along three main levels: portfolio, program and project management. These three levels have distinctly different objectives but should work coherently to deliver transformations effectively. While project management is focused on delivering a tangible outcome, portfolio management is focused on the decision-making process around which programs and projects should be executed based on their alignment with the goals and objectives of the organization. Program management is the intermediate layer that is focused on the delivery of business benefits. The objectives for portfolio, program and project management are summarized below.
Level | Definition | Key objective
Portfolio | A group of programs and/or projects managed in a coordinated way to support business strategy and to deliver benefits in line with strategic objectives. | Portfolio management is focused on doing the right things.
Program | A set of interrelated projects, managed in a coordinated way to attain the business objectives and benefits. | Program management is focused on realizing the benefits.
Project | A project is a temporary endeavor to create a unique product, service or result. | Project management is focused on doing the things right.

Level | Key objective | Key activities
Portfolio management | Doing the right things | Strategic-fit and alignment; Governance; Agility; Funding (re)-allocation
Program management | Realizing the benefits | Verification and validation; Prioritization; Resources
Project management | Doing things right | Scope; Quality; Cost; Time

Organizations have significantly invested in project management over the past decade since the release of PRINCE2 (1996, Office of Government Commerce), PMBOK® (1996, Project Management Institute) and other — more specialized — methodologies such as Scrum. As a result, the project management capabilities of organizations have been strengthened. And while some organizations may be excellent in the execution of project management, they may not have a mature portfolio management process in place, which causes issues with the strategy alignment of programs and projects. The result is that organizations deliver projects on time and within budget, but the value delivered from those projects is not optimized or aligned to the organization’s strategy. In times where investment resources are limited, organizations are keen to overcome such potential value leakage. Portfolio management — focused on preventing value leakage — is therefore getting increasingly more attention with large organizations that have poor visibility and control over their project portfolio.
Portfolio management challenges
Many organizations struggle with keeping their project portfolio under control. Typical issues faced by organizations include:
• Too many projects running at the same time that ultimately do not deliver because of a lack of focus
• Strategic objectives that are not supported by a project or program
• Investments in a project or program that are not supported by a strategic objective (i.e., are not aligned to the enterprise strategy).
A more comprehensive overview of portfolio management challenges is provided below.

Strategy
Portfolio management challenges:
• Alignment of the portfolio to the corporate strategy is not understood
• Too many, often overlapping, projects aligned to one strategic driver (e.g., regulation or cost reduction)
• Too many “must have” projects
• Ineffective prioritization of projects across the organization
Connected risks:
• Fail to achieve the business objectives
• Delayed or reduced benefits
• Opportunity cost of doing the wrong projects

Governance
Portfolio management challenges:
• No effective approach to stopping poor-performing projects
• Business cases not subject to effective scrutiny; benefits are unrealistic
• Business-as-usual projects being managed outside the portfolio
• Sequencing of projects is ineffective, creating problems in delivery
Connected risks:
• Inefficient resource allocation
• Extended timelines and missed deadlines
• Inconsistent decision-making and issues resolution
• Ineffective deployment of strategy

Management and capabilities
Portfolio management challenges:
• Lack of sufficient experience and capability within portfolio management functions
• Project management skills and experience are not seen as critical to the organization’s success
• Organization’s capacity to absorb change
Connected risks:
• Inefficient delivery and execution
• Inconsistent portfolio management
• Poor quality skills impacting deliverables
• Delays in the delivery and increased costs

Data and tools
Portfolio management challenges:
• Portfolio data is inconsistent across projects, functions and business units
• Lack of effective reporting and aggregation tools
• Reporting considered ineffective in the eyes of senior management
• Reporting seen as burdensome by project teams
Connected risks:
• Poor visibility of the programs and projects in the portfolio
• Ineffective monitoring and reporting
• Poor data quality
• Slow identification of key issues

To overcome these challenges, portfolio management needs to be embraced by organizations to achieve three main objectives:
1. Strengthen the strategic alignment of programs and projects to prevent initiatives being undertaken that do not support the enterprise strategy
2. Enhance the overall economic value of the portfolio in order to get the optimal return on investment. This step is focused on the tangible business benefits of programs and projects.
3. Enhance executive decision making on programs and projects based on company-specific criteria. These criteria may include: how does the initiative fit in the defined enterprise architecture, how do risks and interdependencies come into play, how does the organization deal with compliance initiatives, etc.?
Such a triangulated approach, detailed in the graphic below, enables organizations to ensure optimal value creation from their investments in programs and projects.

Figure: Portfolio management objectives (strategic alignment, economic value, decision framework)
• Strategic-fit: Are portfolios aligned to strategic business objectives?
• Strategic alignment: How does the organization ensure consistent top-down alignment (ability to drill down to the lower level)?
• Governance: How does the organization ensure that project and program benefits and risks are being managed to optimize the overall value creation from the portfolio?
• Agility: How do organizations re-align their portfolio when strategic objectives change?
• Resources: How do organizations ensure that supply and demand are matched? What is the basis (e.g., business case) for funding decisions and how is excess program budget identified and reapplied to other programs?
• Interdependencies: How are interdependencies managed?
• Risk and issues: How are project/program risks and issues such as budget overruns factored into the decision-making process?
Portfolio management in practice
The portfolio management process itself is a process that is typically executed a couple of times a year. Although it is usually tailored to match the organization’s type of business, culture and company size, the steps outlined below are usually identified as the key steps. These steps include:
1. A translation of the strategy into initiatives
2. The identification of programs and projects
3. The optimization of the portfolio
4. The approval of the portfolio
5. Identification of risks and associated remediation strategies
Although the last step is closely related to the execution of programs and projects — and hence to doing things right — it is also closely related to portfolio management. It is the linchpin between the two.

Figure: The portfolio management process. Key activities per step:
Translate strategy into initiatives
• Analyze strategy and confirm objectives
• Optimize existing initiatives to deliver objectives not met by current portfolio
• Define new strategic initiatives
Identify programs and projects
• Translate new initiatives into defined programs and projects
• Prepare charters that define scope, high-level plans and realistic business cases
Optimize portfolio
• Evaluate current portfolio
• Select the optimal portfolio based on the agreed decision framework (through adding and removing programs and projects)
• Match supply and demand
• Establish enterprise architecture control
• Prioritize portfolio based on the agreed decision framework
Approve portfolio
• Approve the optimized portfolio for deployment
• Consolidate outputs from prioritization
• Senior management review and approval
Portfolio risk review and remediation
• Identify program and project improvement opportunities
• Identify portfolio optimization opportunities
The Approach row of the figure shows a diagram for each step. Its recoverable labels are: strategy, strategic goal, objective, new initiative, optimizes initiatives, defined program, defined project, current portfolio, a chart of economic value against strategic alignment (Stop, Evaluate, Monitor, Accelerate, Must do), “Evaluates interdependency risk between program governance, project management and solution factors,” assess current state, current state, future state, sequential remediation plan and updated portfolio.
Step 1: Translate strategy into initiatives
This first step is focused on achieving strategic alignment. Here the strategic objectives are confirmed and linked to the existing initiatives. Strategic initiatives — collections of programs and projects that are designed to help the organization achieve its targeted performance — are the means through which a vision is translated into practice. Strategic initiatives are not the same thing as strategic objectives or strategic goals. They are the vehicle for achieving a strategic goal and are focused on the “how” rather than the “what.” Strategic initiatives are typically a corporate endeavor that activates cross-functional competencies. Although a strategic initiative may coincide with a program, it is possible that it comprises several programs or projects. For example, a strategic objective may be to grow in emerging markets; the initiative defined is to strengthen account management and distribution channels in these geographies. The related programs and projects may be the rollout of a local supply chain management planning organization including the rollout of the supporting ICT.
So, the purpose of this step is to make sure strategic objectives are properly supported by the strategic initiatives. The mapping will reveal “unsupported” or “poorly supported” strategic objectives, which are objectives that do not have an initiative to support them, or have only an ill-defined one. For these objectives, a new initiative is defined or the initiative is optimized. This step will also detect existing initiatives within the organization that are not aligned to any strategic objectives.
Step 2: Identify programs and projects
This step is focused on optimizing economic value for new or optimized initiatives. These will now need to be defined into tangible programs and projects. For this purpose, initiatives, defined at a high level, are translated into project charters that should include action plans, a defined scope, a business case and a risk assessment. Risk plays an important role in this step. Too often, organizations define the scope of their programs and projects too broadly. As a consequence, organizations may set the parameters too wide and miss their objectives, resulting in a high likelihood of failure. A critical success factor in this step is therefore not to take on programs and projects that are too large, but to take a phased approach by cutting strategic initiatives into small manageable programs that deliver specific, measurable business benefits.
Step 3: Optimize portfolio
In the third step, the decision framework and the preparation of the executive decision-making in the subsequent step come into play. To enable this, the optimized portfolio is prepared including a proposal to stop, start, accelerate and slow down programs and projects. The organization should use a decision framework — with organization-specific factors — to prepare the optimized portfolio proposal. In each case, the organization should use the framework to optimize economic value creation and strategy alignment. The specifics of value creation differ per sector, organization and geography.
Key input for portfolio optimization is a consolidated overview of all of the organization’s programs and projects, including the proper intelligence to facilitate this process. Such an overview would typically contain information about performance to budget, resource requirements, risks, business benefits, links to strategic objectives and interdependencies. Based on the organization’s defined decision framework, the organization is now able to select and prioritize programs and projects optimized for the organization.
The first key criterion in the organization’s decision framework is the amount of resources required. In order to make the portfolio executable, an organization needs to make sure that enough resources are available to deliver the programs and projects. In most situations, organizations have a tendency to push more projects into the organization than the organization is able to handle, resulting in “project gridlock,” which is usually referred to as a state of the organization that faces many escalations of project or program delivery issues and a lack of progress. To overcome this issue, organizations put a mechanism in place to match supply and demand.
Another common criterion in use by organizations is the management of interdependencies. Organizations use controls such as enterprise architecture to define the current state and the desired future state in terms of ICT systems, business processes and organizational aspects. This allows them to assess whether the programs and projects fit into the vision and to detect and manage interdependencies. While portfolio management is focused on the process and governance, enterprise architecture provides the required content.
Another key criterion is risk. Firstly, an organization’s portfolio should be aligned to the organization’s risk appetite to prevent the organization from implementing projects or programs that would impose too much (top-down) risk. Secondly, risks and issues detected (bottom-up) within the programs and projects may be taken into account in starting, stopping, accelerating programs and projects; see also step 5 for further detail.
Step 4: Approve portfolio
Organizations typically invest a material percentage of their revenue in programs and projects. For this reason, the organization’s executive management should formally approve the optimized portfolio beforehand. In the previous step, an optimized portfolio is prepared in order to make this happen. The diagram below shows an optimized portfolio including a proposal for those projects that should be stopped (low economic value and low strategic alignment), those to accelerate (high economic value and high strategic alignment), those that the organization must do (low economic value and high strategic alignment), those that need to be monitored (high economic value and low strategic alignment), and those to evaluate (medium strategic alignment and low economic value). The bubble size typically represents ‘risk’ or ‘budget’ to provide executives with the additional intelligence needed to support their decision making.
Figure: bubble chart of the optimized portfolio. Axes: economic value and strategic alignment. Regions: Stop, Evaluate, Monitor, Accelerate, Must do. Bubbles are individual programs and projects labeled with letters.
Step 5: Portfolio risk review and remediation
This last step provides the link with the execution of projects and programs. In this step, the programs and projects are reviewed in accordance with their risks and issues, which enables enhanced insight and decision-making. In practice, these are the programs with the highest economic value or the greatest level of risk to the organization. The information retrieved from such risk reviews allows an organization to feed this into their portfolio optimization process (step 3) and take corrective actions on troubled programs. Organizations need to focus their risk management efforts on the risks that matter. Large, complex and risky programs should therefore receive the most attention in an organization’s efforts to control their enterprise transformation. A holistic portfolio approach enables an organization to do exactly this: by having a centralized overview of all ongoing initiatives, executives will be able to install monitoring of the key risks and take that into account in their decision-making.
We distinguish between bottom-up- and top-down-driven risk activities. Top-down-driven risk activities include: the (risk) monitoring of programs and projects that impose the largest risk to the enterprise. Portfolio risk management provides a similar approach to risk as is commonly done in enterprise risk management used by organizations to integrally manage operational, legal, compliance and financial risks. The output of this activity could, for instance, be an internal or external audit plan for monitoring the programs and projects contained in the portfolio.
Bottom-up-driven risk activities are focused on taking relevant risk information into account in executive decision-making. Such “risk intelligence” is achieved by having a consolidated overview of classified risks, issues and interdependencies within the most important programs and projects. Armed with this knowledge, executives are able to take this into account in their decision-making. This integrated approach to managing portfolio risk provides executives with a powerful asset — they will now be able to take project and program risk into account when optimizing their portfolio (step 3). The key to this step is that executives can proactively take action on key risks.
Figure: risk activities between the portfolio level and the project and program level
Bottom-up-driven risk activities
• Take project and program risk into consideration in portfolio decision making (risk intelligence)
Top-down-driven risk activities
• Risk review and monitoring of high-risk programs and projects
• Selection of portfolio with low-risk in line with corporate risk appetite
• Set risk language, policies and standards
Taking action
In this paper, we present an innovative risk-based portfolio management approach that helps enable organizations to manage the risk of their transformation in an integral way. The implementation will enhance the organization’s chance of success in their transformation efforts because it will force the organization to focus on the risks that matter. In addition, the approach will help enable a common risk language within programs and projects, thereby strengthening the organization’s risk culture. The key steps organizations should take to make this happen are outlined below.
Key steps to strengthening risk culture
1. Review the corporate strategy and transformation objectives.
2. Translate the strategic objectives into initiatives.
3. Optimize strategic initiatives to enhance strategic alignment.
4. Translate strategic initiatives into programs and projects by means of project charters.
5. Evaluate current project and program portfolio.
6. Optimize portfolio by adding new programs and projects based on enterprise architecture alignment, risks, business case and other criteria.
7. Balance demand and supply and potentially stop programs and projects that may cause project gridlock to the organization.
8. Prepare a consolidated overview of projects to monitor, evaluate, accelerate, stop and “must do” to support executive decision-making.
9. Perform risk reviews of high-risk and must-do programs and projects.
10. Use risk and issue information to support executive decision and portfolio optimization.
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
About Ernst & Young’s Advisory Services
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 25,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject-matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.
© 2012 EYGM Limited. All Rights Reserved.
EYG no. AU1275
In line with Ernst & Young’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.