2.5 Portfolio management in risk management

Portfolio management has become popular in supporting an organization’s management model. The method is also suitable for risk management.

Risk portfolio management is a systematic, repetitive process, covering risk identification, assessment, prioritization and management activities.

Risk portfolio

Principle 14 of COSO ERM emphasizes the importance of the portfolio view in risk management. If risks are managed in isolation without considering other risks, there may be inefficiency and, possibly, conflicts. For this reason, it is essential to see risks as part of an organization-wide risk portfolio.

Another argument in favour of portfolios concerns the assessment of the severity of individual risks. For example, a risk that seems significant at the level of a business unit may actually be quite insignificant when combined with other risks and viewed from a higher organizational level. And vice versa: small separate risks may combine into a large and significant one.

Objectives of risk portfolio management

The following objectives are typically set by companies switching to risk portfolio management.


A risk portfolio is an effective means of communication as the information is in a consistent form and can be easily reported for various purposes. It serves planning, guidance and impact assessment.


When the workflows and the contents of the portfolio are known and accessible to all parties involved, the timing and reasons for decisions are understandable and traceable.

Elimination of overlaps

Especially in large organizations, different units or teams may unknowingly carry out overlapping work. When the contents of the portfolios are openly available to the organization, it is easier to avoid this.

Optimized use of resources

Resource planning, which is an essential part of portfolios, extends beyond one function or project and serves individuals, projects and the entire organization.

Real-time snapshot

Management has an up-to-date picture of the current status, history and future of risks. The risk portfolio clearly indicates whether the company’s risk-taking ability is realized in projects and other activities.

Life cycle thinking

Examining the results and effectiveness of decisions can be extended from ideas to post-evaluation.