How to open the black box of capital project enterprise risk

To improve capital investment performance, executives need to understand where risk lies – not just in individual projects, but across the entire portfolio.

This is challenging for organisations with hundreds or thousands of capital projects.

Most finance teams have the top-line financial metrics of their capital project portfolio at their fingertips. But the same cannot be said for risk.

Capital project enterprise risk is essentially a black box. Organisations with hundreds of millions of dollars invested in capital projects have only a vague idea of where enterprise risk lies across their portfolio – because their current portfolio risk management approach relies on a very shaky assumption.

Risk is not always proportionate to capital value

Most portfolio risk management uses capital value as a proxy for risk. As the theory goes, high-value projects have higher risk; low-value projects have lower risk.

However, some low-value projects come with very high risks, and vice versa.

For example, in the water sector, building a long pipeline is an expensive but low-risk undertaking, while upgrading a sewerage pump station is high-risk, low-cost project.

In our experience, 5% of small projects are high risk. In other words, a portfolio with more than 100 projects will likely have five outlier projects that don't have a level of governance that's proportionate to their risk. 

Risk registers do not provide a measure of project enterprise risk

Most capital projects in your portfolio have a risk register. And, occasionally, some poor soul tries to overlay all those risks into a spreadsheet to get a handle on aggregated risk. However, not only does this result in a nightmare of unwieldly information, it doesn’t tell you anything useful.

While risk register information is vital for managing project delivery risk, it’s not suitable to classify project enterprise risk at the portfolio level for two reasons:

  1. The number of items on a risk register is not a proxy for project enterprise risk. A good project manager will have a thorough risk register, with many entries. A bad one won’t. The number of risks listed is not a predictor of project failure – it’s often a sign that risk is being managed well. 
  2. Risk registers only focus at the project level. They don’t classify risk at the portfolio or enterprise level.

Assess enterprise – not just project – risk

Unlike project risk management, which is focused on events that could impact the project, enterprise risk management is focused on events that could stop you from accomplishing your strategic objectives. These risks require senior leadership attention.

Following ISO31000 processes, a capital project can be initiated to mitigate or avoid an enterprise risk. But, equally, a capital project may introduce new, or compound existing enterprise risks.

To identify enterprise risk, every project (large and small) should be subject to:

  • Red Flag Questions
    These questions, which will be different for each entity, trigger immediate global alarm bells. They should be asked early in the development lifecycle.

  • Project Enterprise Risk Classification
    This new measurement determines a project’s enterprise risk before a stage gate, allowing it to be referred to a Risk Committee, if needed, and enabling executives to make direct comparisons between projects – and understand the shape and profile of the capital portfolio.

How to visualise and understand enterprise risk


Most importantly, this information should not be captured on a spreadsheet, but fed into a cloud-based SaaS business intelligence platform that can help executives to visualise enterprise risk. 

Unless organisations can assess risk at the portfolio level, spending on hundreds or even thousands of capital projects will not receive appropriate oversight.

Executives need to understand the shape of their overall portfolio risk profile. Are they taking on too much risk – or not enough? Is the portfolio vulnerable to uncontrolled risk in the wrong areas?

Without understanding their aggregated portfolio risk, executives will struggle to unlock value from their capital projects portfolio and improve overall capital investment performance.

It's time to shine a light on the inner workings of the black box of enterprise risk and take a new level of control over the millions of dollars being spent on capital projects.


For further information about identifying risk or to have a personalised demonstration of our product, please don’t hesitate to reach out to us.