INTRODUCTION

Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives. Positive risks are opportunities, while negative risks are threats.

The practice of risk management includes planning the approach, identifying and analyzing risks, response planning and implementation, and ongoing monitoring of risks. Risk management is an essential aspect of all organizational activities. This standard describes the application of risk management within an enterprise risk management (ERM) context that includes the portfolio, program, and project domains. Risk management shapes the decision-making processes across the organization and within each of the domains.

The degree to which risk management is pursued can be the difference between success and failure. PMI's 2015 Pulse of the Profession report found that for organizations that apply a formal risk management approach, 73% of projects meet their objectives, 61% finish on time, and 64% are completed within the approved budget [1].

Risk management allows an organization to:

[??] Anticipate and manage change,

[??] Improve decision making,

[??] Proactively implement typically lower-cost preventive actions instead of higher-cost reaction to issues,

[??] Increase the chances to realize opportunities for the benefit of the business,

[??] Generate broad awareness of uncertainty of outcomes,

[??] Act upon the transformations taking place in its business environment, and

[??] Support organizational agility and resilience.

Risk management also establishes iterative connections among portfolios, programs, and projects and links these connections with ERM and organizational strategy.

1.1 PURPOSE OF THIS STANDARD

This standard describes the concepts and definitions associated with risk management and highlights the essential components of risk management for integration into the various governance layers of portfolios, programs, and projects with the following major objectives:

[??] Describe the fundamentals of risk management,

[??] Support the objectives of and demonstrate the link to ERM, and

[??] Apply risk management principles, as appropriate, to portfolio, program, and project domains as described in the PMI foundational standards.

This standard fulfills a business need to provide a standard for risk management in portfolio, program, and project management that defines the essential considerations for risk management practitioners. It expands on the knowledge contained on risk management in the relevant sections of the PMI foundational standards.

This standard can be used to harmonize practices between ERM and portfolio, program, and project management, regardless of the life cycle approach used.

PMI is committed to providing global standards that are widely recognized and consistently applied by organizations as well as practitioners. Increasingly, organizations are requiring practitioners to use risk management practices in portfolio, program, and project management as an integral part of their ERM framework.

1.2 APPROACH OF THIS STANDARD

This standard presents the what and why of risk management. The following concepts are elaborated in this standard:

[??] Purpose and benefits of risk management;

[??] Principles and concepts of risk management in portfolios, programs, and projects;

[??] Risk management life cycle in portfolios, programs, and projects; and

[??] Integration of risk management within portfolios, programs, and projects.

This standard provides guidance on integrating risk management practices into all key areas of enterprise, portfolio, program, and project management. The aim is to ensure that the management of risk is an inherent, natural part of all management domains. The scope of this standard is to provide guidance and not to impose uniformity of processes across portfolios, programs, and projects. When planning and implementing risk management, it is essential that each team consider the characteristics of the organization, portfolio, program, or project. The approach presented in this standard is based on risk management principles that can be used as guidance when designing specific management or business processes adapted to the organizational environment and nature of the work.

1.3 PRINCIPLES OF RISK MANAGEMENT

There are specific core principles that underlie the process of risk management. The seven principles provided in Sections 1.3.1 through 1.3.7 guide the risk management processes and are integral to effective risk management.

1.3.1 STRIVE TO ACHIEVE EXCELLENCE IN THE PRACTICE OF RISK MANAGEMENT

Risk management allows organizations and teams to increase the predictability of outcomes, both qualitatively and quantitatively. This principle is about reaching the appropriate level of organizational process maturity (the ability of an organization to apply a certain set of processes in a consistent manner) and the optimal level of performance. Excellence in risk management is not achieved by the strict and exhaustive application of related processes. Rather, excellence can be achieved by (a) balancing the benefits to be obtained with the associated cost and (b) tailoring the risk management processes to the characteristics of the organization and its portfolios, programs, and projects. Process excellence in risk management is itself a risk management strategy.

1.3.2 ALIGN RISK MANAGEMENT WITH ORGANIZATIONAL STRATEGY AND GOVERNANCE PRACTICES

The practice of risk management in organizations is developed and evolved in coexistence with other organizational processes, such as strategy and governance. The nature of portfolios, programs, and projects is such that circumstances may change frequently. Adjustments become necessary as the organization evolves, for example, when changes to decision-making processes, timing, scope, and speed are made.

1.3.3 FOCUS ON THE MOST IMPACTFUL RISKS

Successful organizations are able to effectively and efficiently identify the risks that directly influence goals and objectives. The challenge for most organizations is making the best...