Risk management approach
The risk management approach describes how risks will be identified, assessed, controlled, and monitored throughout the life of the project.
It sets out the procedures, techniques, standards, and responsibilities for managing threats and opportunities in order to protect the project’s objectives and optimise potential benefits.
This approach ensures that:
- Risks are managed in a consistent and transparent way.
- The project remains within the risk tolerance levels agreed in the business case.
- Roles and responsibilities for risk management are clearly defined.
It covers areas such as:
- Risk identification, assessment, and planning.
- Implementation of risk responses.
- Communication of risk information to stakeholders.
Life cycle
The risk management approach is applied throughout the project, aligning with PRINCE2’s processes:
- Starting up a project (SU) – Any obvious risks are captured in the daily log for early consideration. No formal risk management activities are carried out at this stage.
- Initiating a project (IP) – The project manager creates the risk management approach, defining the scope, procedures, tolerances, timing, and responsibilities for managing risk. This includes describing how probability, impact, proximity, and velocity will be assessed, as well as the composition and format of the risk register.
- Directing a project (DP) – The project board reviews and approves the risk management approach as part of approving the project initiation documentation.
- Controlling a stage (CS) – Risks are monitored and managed during day-to-day project activities. New risks are identified, assessed, and recorded in the risk register. Risk responses are implemented and tracked.
- Managing product delivery (MP) – Team managers escalate any new risks or changes in existing risks to the project manager, following the agreed procedures.
- Managing a stage boundary (SB) – The project manager reviews the current risk status, updates the risk management approach if required, and plans risk activities for the next stage.
- Closing a project (CP) – The project manager confirms that all planned risk responses have been implemented, that residual risks are documented, and that any lessons relating to risk are recorded for future projects.
Contents
A risk management approach document will normally include:
- Scope: The scope of the project’s risk management activities, including any exclusions.
- Risk management procedures: The process for identifying, assessing, planning, implementing, and communicating risks; and any approved variations from organisational standards.
- Risk tolerance guidance: Additional guidance on tolerance levels specific to the project, aligned with the business case.
- Timing of risk management activities: When formal risk activities will take place (e.g., at the end of each stage, during major reviews).
- Responsibilities: Who is responsible for risk management activities, including risk owners and risk action owners.
- Resources: People, tools, and facilities needed for effective risk management.
- Supporting tools and techniques: Methods such as risk workshops, pre-mortems, and software systems used to assess and monitor risks.
- Standards: The grading system used to assess probability, impact, proximity, and velocity; format of the risk register; and any organisational or industry standards that apply.
- References: Links to related documents such as corporate risk management frameworks or supplier risk policies.
Tips
The following tips help improve your risk management approach:
- Start early – Identify and assess major risks during initiation to shape the project plan.
- Keep it active – Risk management should be an ongoing activity, not a one-off exercise.
- Clarify roles – Ensure everyone knows who is responsible for each aspect of risk management.
- Communicate effectively – Share risk information with stakeholders in a clear, timely manner.
- Focus on both threats and opportunities – Opportunities can be just as valuable to manage as threats.
- Review regularly – Update the risk register and reassess risks at stage boundaries and after major changes.
—o—
Written by Frank Turley.