3.1 Preparation

The definition of risk portfolio management covers the definition of the organization and process as well as the definition of the portfolio itself. Representatives of company management, risk management and the relevant business functions shall participate in the definition. Other parties and experts can be included as needed.

Setting objectives

It is good to define short-term and long-term goals for a risk portfolio. The objectives may concern the scope, schedule and participants of portfolio management. At the beginning, the risk portfolio could be limited to certain risk categories or parts of the organization and later expanded to be comprehensive. Limiting the initial phase helps to get started and gain experience before large-scale implementation.

You can also set the goal that starting from a certain date, all risks must be handled in the portfolio.

Portfolio definition process

The process of defining a portfolio does not have to be extensive if an experienced party assists with it. The definition requires preliminary preparation, a few workshops and 4–5 weeks of calendar time.

If you intend to acquire a suitable software solution for risk portfolio management, it is also good to involve its supplier early in the process.

The preliminary preparation before the definition includes finding out which risk management model is in use. If there are several models, it is recommended to choose the most representative one as the starting point for definition and harmonization. At the same time, it is worth considering why several models exist and whether there is a real need for them.

Definition work

At the beginning of the definition, it is necessary to clarify the concepts of risk management.

The definition team has to decide which risk categories and which information about individual risks are relevant for decision-making and management actions. It is recommended to start with the smallest amount of data with which the portfolio can be managed. Otherwise, it may be like packing suitcases: you take things with you just to be safe, and they eventually become mere ballast.

Once the essential information about the risks has been defined, you can move on to the portfolio level. At the portfolio level, reporting is a key requirement. Those involved in the definition must consider what kinds of reports serve portfolio management from the perspectives of the different parties.

The definitions can be tested with data from already documented risks, and any necessary fine-tuning can then be carried out.

Information model of the risk portfolio

The information model of the risk portfolio is always specific to the organization, but 70–90% of the information structure of portfolios is usually similar. The following characterizes the data that recurs most often.

Tags and description

  • Identifier that identifies the risk
  • Brief description of the risk
  • A broader description of the risk (e.g. the causes of the risk)
  • Status of the risk in the risk management process


  • The owner of the risk (person)
  • The organization that owns the risk
  • The registrar of the risk

The classification of the risk

  • Risk category


  • Product line etc.
  • Position in the risk hierarchy
  • Related risks


  • Impact of the risk (e.g. on a scale of 1…5)
  • Probability of the risk (e.g. on a scale of 1…5)
  • Cost of the risk (e.g. euros)

Related measures (there may be several per risk)

  • Management measure
  • Description
  • Type
  • Schedule
  • Responsible person
  • Situation
  • Publishing

The information model may also contain links to checklists and other documents or resources.
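The information model above maps naturally onto a small data structure with record-level validation and a few portfolio-level reports. The following Python is an added example written for this page; it is not code from the original document or from any risk management product. The status vocabulary, the impact × probability ranking rule, the measure types and the sample risks are assumptions constructed for illustration only.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Status vocabulary for the risk management process (assumed for this example).
RISK_STATUSES = {"identified", "assessed", "treated", "closed"}

@dataclass
class Measure:
    """One management measure attached to a risk; a risk may carry several."""
    name: str
    description: str
    type: str            # e.g. "reduce", "transfer", "accept" (assumed vocabulary)
    schedule: str        # target date, kept as ISO text for simplicity
    responsible: str
    status: str          # situation of the measure, e.g. "planned", "in progress"

@dataclass
class Risk:
    """Risk record following the information model sketched above."""
    risk_id: str
    title: str                       # brief description
    description: str                 # broader description, e.g. causes
    status: str
    owner: str
    owning_org: str
    registrar: str
    category: str
    product_line: str | None = None
    parent_id: str | None = None     # position in the risk hierarchy
    related_ids: list[str] = field(default_factory=list)
    impact: int = 1                  # scale 1..5
    probability: int = 1             # scale 1..5
    cost_eur: float = 0.0
    measures: list[Measure] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject records that break the agreed scales before they enter the portfolio.
        if not (1 <= self.impact <= 5 and 1 <= self.probability <= 5):
            raise ValueError(f"{self.risk_id}: impact and probability must be in 1..5")
        if self.status not in RISK_STATUSES:
            raise ValueError(f"{self.risk_id}: unknown status {self.status!r}")

    @property
    def score(self) -> int:
        """Impact x probability, the ranking rule assumed for this example."""
        return self.impact * self.probability

class RiskPortfolio:
    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk identifier {risk.risk_id}")
        self.risks[risk.risk_id] = risk

    def dangling_references(self) -> list[tuple[str, str]]:
        """(risk_id, referenced_id) pairs whose hierarchy or relation link points nowhere."""
        bad = []
        for r in self.risks.values():
            for ref in ([r.parent_id] if r.parent_id else []) + r.related_ids:
                if ref not in self.risks:
                    bad.append((r.risk_id, ref))
        return bad

    def top_risks(self, n: int, open_only: bool = True) -> list[str]:
        """The n highest-scoring risks, ties broken by cost; closed risks skipped by default."""
        rows = [r for r in self.risks.values() if not (open_only and r.status == "closed")]
        rows.sort(key=lambda r: (r.score, r.cost_eur), reverse=True)
        return [r.risk_id for r in rows[:n]]

    def cost_by_category(self) -> dict[str, float]:
        """Summed cost per risk category, a typical portfolio-level report."""
        totals: dict[str, float] = {}
        for r in self.risks.values():
            totals[r.category] = totals.get(r.category, 0.0) + r.cost_eur
        return totals

    def unmitigated(self, min_score: int = 12) -> list[str]:
        """Open risks at or above min_score with no measure recorded: a gap a review should surface."""
        return [r.risk_id for r in self.risks.values()
                if r.status != "closed" and r.score >= min_score and not r.measures]

def build_sample_portfolio() -> RiskPortfolio:
    """Constructed sample data for illustration, not from any real organization."""
    p = RiskPortfolio()
    p.add(Risk("R-001", "Vendor outage", "Key SaaS vendor unavailable for over 24 h", "assessed",
               "A. Owner", "IT Operations", "B. Registrar", "operational", "Product line X",
               impact=4, probability=3, cost_eur=120000.0))
    p.add(Risk("R-002", "Unpatched edge device", "Internet-facing appliance behind on patches",
               "treated", "C. Owner", "Security", "B. Registrar", "cyber", "Product line X",
               related_ids=["R-001"], impact=5, probability=4, cost_eur=500000.0,
               measures=[Measure("Patch cycle", "Monthly patch window", "reduce", "2024-06-30", "C. Owner", "in progress")]))
    p.add(Risk("R-003", "Data centre lease", "Lease ends before migration completes", "closed",
               "D. Owner", "Facilities", "B. Registrar", "operational",
               impact=3, probability=5, cost_eur=80000.0))
    p.add(Risk("R-004", "Shared admin account", "One admin credential used across teams",
               "identified", "C. Owner", "Security", "B. Registrar", "cyber", parent_id="R-002",
               related_ids=["R-999"], impact=4, probability=4, cost_eur=60000.0))
    return p
```

Calling `build_sample_portfolio()` and then `top_risks(2)`, `cost_by_category()`, `dangling_references()` and `unmitigated()` gives the kind of report the portfolio level needs: the ranked list, a per-category exposure sum, links that point at risks nobody registered, and high-scoring open risks with no measure attached. Keeping the record small and validating the scales on entry is what makes those reports trustworthy later; every optional field added to `Risk` is one more thing that will be filled inconsistently.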

The risk portfolio data model