How to open the black box of capital project enterprise risk

To improve capital investment performance and maintain business continuity, executives and top management need to understand where risk lies – not just in individual projects, but across the entire portfolio.

Managing risk is challenging for organisations with hundreds or thousands of capital projects.

Enterprise risk management starts with effectively monitoring risks

Most finance teams have the top-line financial metrics of their capital project portfolio at their fingertips. But the same cannot be said for quantifying risks. Risk management processes are often limited to the core elements of a project rather than viewing risk management strategically.

Capital project enterprise risk is essentially a black box. Organisations with hundreds of millions of dollars invested in capital projects have only a vague idea of where enterprise risk lies across their portfolio – because their current portfolio risk management approach relies on a very shaky assumption.

Risk is not always proportionate to capital value

For most companies, the portfolio risk management process often uses capital value as a proxy for risk assessment. As the theory goes, high-value projects have higher risk; low-value projects have lower risk.

However, some low-value projects come with very high internal and external risks, and vice versa.

For example, in the water sector, building a long pipeline is an expensive but low-risk undertaking, while upgrading a sewerage pump station is a high-risk, low-cost project.

"In our experience, 5% of small projects are high risk. In other words, a portfolio with more than 100 projects will likely have five outlier projects that don't have a level of risk management governance that's proportionate to their risk."

Risk registers do not provide a measure of project enterprise risk

Most capital projects in your portfolio have a risk register. And, occasionally, some poor soul tries to overlay all those critical risks into a spreadsheet to get a handle on aggregated risks. However, not only does this result in a nightmare of unwieldy information, it doesn't tell you anything useful to mitigate risk. Also, new risks can go undetected because the lens of monitoring doesn't include enterprise risk management.

While risk register information is vital for managing project delivery risk, it's not suitable to classify project enterprise risk at the portfolio level for two reasons:

  1. The number of items on a risk register is not a proxy for project enterprise risk. A good project manager will have a thorough risk register, with many entries. A bad one won't. The number of risks listed is not a predictor of project failure – it's often a sign that risk response is being managed well. 
  2. Risk registers only focus at the project level. They don't identify risks at the portfolio or enterprise level.

Assess enterprise risk – not just project risk

Unlike project risk management, which is focused on events that could impact the project, enterprise risk management is focused on events that could stop you from accomplishing your strategic objectives. The risks related to business objectives and strategic initiatives require senior leadership attention.

Classifying risk types and asking red flag questions are essential to enterprise risk management.

Following ISO 31000 processes, a capital project can be initiated to mitigate or avoid an enterprise risk. But, equally, a capital project may introduce new risks, or compound existing enterprise risks.

To identify enterprise risk, every project (large and small) should be subject to:

  • Red Flag Questions 
    These risk-evaluating questions will be different for each entity and designed to trigger immediate global alarm bells. They should be asked early in the project development lifecycle for adequate risk reduction.


  • Project Enterprise Risk Classification
    This new risk assessment measurement determines a project's enterprise risk before a stage gate, allowing it to be referred to a Risk Committee, if needed, and enabling executives to make direct comparisons between projects – and understand the shape and profile of the capital portfolio. This gives business leaders the competitive advantage of knowledge and insight for effective decision making.

How to visualise and understand enterprise risk management

Risk management processes for enterprise risk management protect operational efficiency.

Most importantly, this information should not be captured on a spreadsheet, but fed into a cloud-based dynamic software solution that can help executives to visualise and manage risks.

Unless organisations can assess potential risk at a portfolio level, spending on hundreds or even thousands of capital projects will not receive appropriate oversight.

Executives need to understand the shape of their overall portfolio risk profile. Are they taking on too much risk – or not enough? Is the portfolio vulnerable to uncontrolled, significant risk in the wrong areas? Are business units incorporating risk appetite into their strategic planning?

Without understanding their aggregated risk profile, executives will struggle to unlock value from their capital project portfolio and improve overall capital investment performance.

It's time to shine a light on the inner workings of the black box of enterprise risk management and take a new level of control over the millions of dollars being spent on capital projects.

For further information about identifying risk or to have a personalised demonstration of our product, please don’t hesitate to reach out to us.