Portfolio Manager 11 min

Managing Portfolio-Level Risk

Portfolio risk is not the sum of programme risks. It's the systemic threats that affect multiple investments simultaneously — market shifts, resource constraints, technology failures, and strategic misalignment.

Portfolio Risk vs Programme Risk

Programme Managers manage risks within their programmes. The Portfolio Manager manages risks that:

  • Affect multiple programmes simultaneously (systemic risk)
  • Arise from the portfolio composition itself (concentration risk)
  • Relate to the organisation's overall delivery capability (capacity risk)
  • Connect to external factors beyond any single programme's control (market risk)

Portfolio Risk Categories

1. Concentration Risk

Too much investment in one area creates vulnerability:

  • Technology concentration: 80% of the portfolio depends on one platform. If it fails, everything fails.
  • Vendor concentration: One vendor delivers across multiple programmes. Their failure cascades.
  • Skill concentration: One architect or specialist is critical to 3 programmes. Their departure is catastrophic.
  • Market concentration: All initiatives target the same market segment. If that segment declines, the entire portfolio loses value.

Mitigation: Diversify. Spread investment across technologies, vendors, skills, and markets. Set concentration limits (no single vendor >30% of portfolio delivery).

2. Capacity Risk

The portfolio demands more than the organisation can deliver:

  • Resource exhaustion: Key skills are over-allocated across too many initiatives
  • Change fatigue: The organisation can't absorb the volume of change being delivered
  • Support overload: New systems increase BAU support burden, reducing capacity for new work
  • Attrition spiral: Overwork causes people to leave, increasing load on remaining staff

Mitigation: Maintain portfolio WIP limits. Don't start more than the organisation can absorb. Monitor team health across the portfolio.

3. Dependency Risk

Cross-programme dependencies create cascading failure potential:

  • Programme A's delay causes Programme B to slip, which causes Programme C to miss its regulatory deadline
  • A shared platform upgrade affects all programmes simultaneously
  • A vendor delivering to multiple programmes fails on one, consuming resources needed for others

Mitigation: Map cross-programme dependencies. Identify critical chains. Build buffer at dependency points. Reduce dependencies through architecture and team design.

4. Strategic Risk

The portfolio becomes misaligned with organisational strategy:

  • Strategy changes but the portfolio doesn't adapt (inertia)
  • Market conditions invalidate the assumptions behind multiple business cases
  • Competitor actions make planned initiatives irrelevant
  • Regulatory changes affect multiple programmes simultaneously

Mitigation: Quarterly strategic alignment review. Willingness to stop or pivot initiatives when strategy changes. Scenario planning for major external changes.

5. Delivery Capability Risk

The organisation's ability to deliver is compromised:

  • Delivery maturity is insufficient for the portfolio's ambition
  • Tooling and infrastructure can't support the delivery volume
  • Governance is too heavy (slows everything) or too light (things fall through cracks)
  • Knowledge loss from attrition degrades delivery capability over time

Mitigation: Invest in delivery capability alongside delivery output. Platform teams, tooling, training, and process improvement are portfolio-level investments.

The Portfolio Risk Register

Maintain a portfolio-level risk register separate from programme registers:

| Risk | Category | Probability | Impact | Score | Owner | Mitigation | Status |
|---|---|---|---|---|---|---|---|
| [Description] | [Category] | 1-5 | 1-5 | P×I | [Person] | [Action] | [RAG] |

Scoring at portfolio level:

  • Impact 5 = Multiple programmes fail, strategic objectives missed, >£5M loss
  • Impact 4 = 2+ programmes significantly delayed, >£2M loss
  • Impact 3 = 1 programme significantly affected, £500K-£2M impact
  • Impact 2 = Minor delays across portfolio, <£500K impact
  • Impact 1 = Negligible portfolio-level impact

Portfolio Risk Governance

Monthly Portfolio Risk Review

  • Review top 10 portfolio risks (by score)
  • Assess whether probability or impact has changed
  • Check mitigation action progress
  • Identify new portfolio-level risks from programme escalations
  • Update the portfolio risk dashboard

Quarterly Risk Deep-Dive

  • Full portfolio risk register review
  • Concentration analysis (are we too exposed to any single factor?)
  • Scenario planning (what if [major external event] happens?)
  • Capacity risk assessment (can we deliver what we've committed to?)
  • Strategic alignment check (are our risks aligned with our risk appetite?)

Risk Appetite Statement

Define the organisation's risk appetite at portfolio level:

  • How much delivery risk is acceptable? (% of initiatives that may fail)
  • How much financial risk? (Maximum acceptable portfolio overrun)
  • How much strategic risk? (Willingness to invest in unproven areas)
  • How much concentration risk? (Maximum exposure to any single factor)

Investment decisions should be made within the risk appetite. Initiatives that exceed it require explicit executive approval.

Portfolio Risk Metrics

  • Portfolio risk exposure: Sum of (probability × financial impact) across all portfolio risks. Track trend.
  • Risk concentration: Maximum exposure to any single risk factor (vendor, technology, person). Target: <30%.
  • Cross-programme dependency count: Total dependencies between programmes. Target: decreasing.
  • Risk mitigation completion rate: % of mitigation actions completed on time. Target: >80%.
  • Surprise rate: Portfolio-level issues that weren't previously identified as risks. Target: <10%.
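The register format and scoring bands above, together with the exposure, concentration and mitigation-completion metrics in this section, are mechanical enough to keep in code so the monthly top-10 review and the quarterly concentration analysis come from the same data. The following is an added example, not a template or tool from the playbook: the `Risk` data model, the mapping from the 1-5 probability band to a likelihood (needed to turn P×I into a £ exposure, which the playbook does not specify), and the four sample risks are all assumptions constructed for illustration.

```python
"""Portfolio risk register: P×I scoring, top-N review ordering, £ exposure,
concentration by shared factor, and mitigation completion rate.
Added example; the data model and the sample register are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# ASSUMPTION: the playbook scores probability 1-5 but gives no likelihood per
# band; this mapping is invented here so exposure can be expressed in £.
BAND_TO_PROBABILITY = {1: 0.05, 2: 0.2, 3: 0.4, 4: 0.6, 5: 0.8}

CONCENTRATION_LIMIT = 0.30  # "no single factor >30%" from the playbook


def impact_band_for_loss(loss_gbp: float) -> int:
    """Map an estimated £ loss to the playbook's portfolio impact band.
    Band 1 (negligible) is a judgement call rather than a £ threshold, so
    the lowest band this helper returns is 2."""
    if loss_gbp > 5_000_000:
        return 5
    if loss_gbp > 2_000_000:
        return 4
    if loss_gbp >= 500_000:
        return 3
    return 2


@dataclass
class Risk:
    description: str
    category: str          # Concentration / Capacity / Dependency / Strategic / Capability
    probability: int       # 1-5 band, as in the register
    loss_gbp: float        # estimated financial impact if the risk materialises
    owner: str
    factor: str = ""       # shared exposure factor (vendor, platform, person), if any
    mitigations: dict = field(default_factory=dict)  # action -> completed on time?

    @property
    def impact(self) -> int:
        return impact_band_for_loss(self.loss_gbp)

    @property
    def score(self) -> int:
        return self.probability * self.impact  # the register's P×I column

    @property
    def exposure_gbp(self) -> float:
        return BAND_TO_PROBABILITY[self.probability] * self.loss_gbp


def top_risks(register, n=10):
    """Ordering for the monthly review: highest P×I first (stable on ties)."""
    return sorted(register, key=lambda r: r.score, reverse=True)[:n]


def portfolio_exposure(register) -> float:
    """Sum of (probability × financial impact) across the register."""
    return sum(r.exposure_gbp for r in register)


def concentration(register):
    """Share of total exposure per shared factor, plus factors over the limit."""
    total = portfolio_exposure(register)
    by_factor = defaultdict(float)
    for r in register:
        if r.factor:
            by_factor[r.factor] += r.exposure_gbp
    shares = {f: v / total for f, v in by_factor.items()} if total else {}
    breaches = {f: s for f, s in shares.items() if s > CONCENTRATION_LIMIT}
    return shares, breaches


def mitigation_completion_rate(register) -> float:
    """Fraction of mitigation actions completed on time (target >80%)."""
    done = [ok for r in register for ok in r.mitigations.values()]
    return sum(done) / len(done) if done else 1.0


def build_sample_register():
    """Constructed sample data, not a real portfolio."""
    return [
        Risk("Vendor X delivers to three programmes", "Concentration", 3, 3_000_000,
             "CIO", factor="Vendor X",
             mitigations={"qualify second supplier": False, "exit plan": True}),
        Risk("Core platform upgrade hits all programmes", "Dependency", 4, 1_000_000,
             "Head of Platforms", factor="Core platform",
             mitigations={"buffer in plan": True}),
        Risk("Lead architect critical to three programmes", "Capacity", 2, 600_000,
             "Portfolio Manager", factor="Lead architect",
             mitigations={"knowledge transfer": False}),
        Risk("Regulatory change affects several business cases", "Strategic", 2,
             6_000_000, "CFO"),
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    for r in top_risks(reg, 10):
        print(f"{r.score:>2}  {r.category:<14} {r.description}")
    print(f"exposure £{portfolio_exposure(reg):,.0f}")
    print("concentration breaches:", concentration(reg)[1])
    print(f"mitigation completion {mitigation_completion_rate(reg):.0%}")
```

Run as a script it prints the review order, the £ exposure, any factor over the 30% concentration limit (in the sample data, Vendor X), and the mitigation completion rate; the same functions can feed the dashboard updated in the monthly review.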

Anti-Patterns

Aggregating programme risks: Simply combining all programme risk registers into one list. This misses systemic and concentration risks. Fix: treat portfolio risks as different in kind, not just in scale, and identify them separately from the programme registers.

Risk without appetite: Managing risks without a defined risk appetite. Every risk is treated equally regardless of the organisation's tolerance. Fix: define risk appetite explicitly and use it to guide investment decisions.

Ignoring correlation: Treating risks as independent when they're correlated. (If the economy declines, multiple market-dependent initiatives fail simultaneously.) Fix: identify correlated risks and assess their combined impact.

Risk theatre: Maintaining a register that's never used for decisions. Fix: reference the risk register in every investment decision. "Given our current risk exposure, should we add this initiative?"

---

Download the [Programme RAID Register template](/templates) for a risk register format adaptable to portfolio level.