Risk management approach
The risk management approach aims to define how risk will be identified, assessed, managed, and communicated throughout the project. It ensures a consistent and structured process for managing threats and opportunities affecting project objectives.
PRINCE2 recommends that each project has its own risk management approach document. It outlines:
- The risk management procedure to be followed
- The techniques, roles, responsibilities, and reporting requirements
- Any tools, standards, or templates to be used
Timeline
The risk management approach is defined early in the project and may be updated if necessary to reflect changes in how risks are handled:
- During the initiation stage, the project manager obtains and reviews a risk management approach template, often provided by the organisation or programme.
- The template is tailored to the project, including updates to reporting methods, escalation routes, and roles/responsibilities.
- If changes to the risk management approach are required during the project, the project board must formally agree on them.
Contents
The following are the main contents of the risk management approach:
- Introduction: This section states the purpose, objectives, and scope and identifies who is responsible for the approach used during the project.
- Risk management process: This section describes the procedure for the following:
  - Identifying risks
  - Analysing risks
  - The response options to consider
  - Deciding how to respond to risks
  - How risk response plans will be developed
- Tools and techniques: List the risk management systems or tools to be used by the project
- Records: The structure and format of the risk register are defined here, possibly with a link to the risk register itself.
- Reporting: Outlines how risk reporting will be done and which documents will be used; e.g., high-level risks should be included in the business case, and the project may require monthly risk reports.
- Timing of risk management activities: Specifies the point at which the risk re-analysis, register updates, and reporting will occur.
- Roles and responsibilities: This section defines who will be responsible for the risk register, who will perform the risk analysis and prepare response plans, and who will create reports. The project manager and project support will normally take care of this unless a specific risk role is assigned to the project.
- Scales: The grading criteria for each risk, that is, for the probability and severity scores, are defined in this section. For example, ‘very high, high, medium, low, and very low’; other options include a 1-10 scale and traffic lights.
- Proximity: When the risk is likely to occur, since the severity of a risk varies depending on when it occurs within the project.
- Risk categories: Most projects will divide their risks into categories. E.g., strategic, compliance, operational, financial, supplier, security, resource, etc.
- Risk response categories: e.g., for a threat, the options are to avoid, reduce, fall back, transfer, accept, or share.
- Early warning indicators: It is a good idea to be able to identify risks quickly; therefore, it is important to define warning indicators that can be monitored to ensure a rapid response.
- Risk tolerance: Risk tolerance varies significantly from organization to organization; for example, a construction company has a very high tolerance for operational risks, whereas an airline company does not. This is linked to risk appetite. Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives before action is deemed necessary to reduce the risk.
- Risk budget: A risk budget is often called a contingency budget. It is a sum of money put aside to fund specific responses to threats or opportunities, and it cannot be used for anything else.
Source data
The risk management approach is derived from the following:
- Project brief
- Business case
- The business risk management guide, strategy, or policy
Quality criteria
The risk management approach should be clear, consistent, and tailored to the project’s risk profile to be effective:
- Responsibilities are clearly defined and understood by both the customer and supplier.
- The risk management procedure is documented in a clear and straightforward manner.
- Definitions for scales, expected value, and proximity are unambiguous and aligned with organisational or programme standards.
- The chosen scales are suitable for the level of control and complexity of the project.
- Risk reporting requirements (what, when, how, and to whom) are fully specified.
Risk management process/procedure
The risk management procedure is a set of five steps recommended by PRINCE2. The first four steps are sequential, while communication runs throughout the procedure to let stakeholders know what is going on and to gather continual feedback. Risk management steps:
- Identify: First, complete the risk management approach document for the project, and then identify the risks (threats and opportunities) that could affect the project.
- Assess: Assess the risks in terms of their probability and impact on the project objectives.
- Plan: Prepare the specific response to each threat (e.g., to reduce or avoid the threat), or plan how to maximize the opportunity if the risk occurs.
- Implement: Carry out the responses planned in step 3 (Plan) if the risk occurs.
- Communicate: Keep communicating with the stakeholders. Use the existing management reports that are created during the project (e.g., the end stage report).
Tips
Here are a few practical reminders to help you tailor and use the risk management approach effectively in your project:
- It’s the responsibility of the business level to provide a solid starting template for the project manager.
- If you’re new to the document, take time to review it carefully and don’t hesitate to ask questions if anything is unclear.
- Review the document from the perspective of the project board and make any necessary updates — such as project names, contact persons, or escalation paths — to ensure it’s relevant and accurate.
—o—
Written by Frank Turley.
If you have questions or doubts after using this wiki, you can ask for help on the Facebook or LinkedIn study groups.