Risk Management Approach
PRINCE2 recommends that each project have its own Risk Management Approach document. This document defines the project procedures for risk management in terms of how risk will be identified, assessed, controlled, and communicated in the project. Another way to say this is: The risk management approach describes the specific risk management techniques and standards to be applied during the project, and the responsibilities to provide a good and consistent risk management procedure.
This might seem like a big task, but if your project is part of a program, then most of the risk management approach will already be provided to you in a detailed template that you can update to suit the project.
Timeline Risk Management Approach
- During the Initiation Stage, the Project Manager will obtain a Risk Management Approach template.
- They will then review it and see what needs to be changed: reports to use, who to report to, etc.
- The Risk Management Approach may be updated during the project but this must be agreed by the Project Board.
Risk Management Approach Sample
Risk Management Approach contents
- Introduction: This section states the purpose, objectives and scope, and identifies who is responsible for the approach during the project.
- Risk management process: This section describes the procedure to do the following: 1) identify risks, 2) analyse risks, 3) consider response options, 4) decide how to respond to risks, and 5) develop risk response plans.
- Tools and techniques: List the risk management systems or tools to be used by the project.
- Records: The structure and format of the Risk Register is defined, perhaps with a link to the Risk Register.
- Reporting: Outline how risk reporting will be done and which documents will be used; e.g., high-level risks should be included in the Business Case. Perhaps monthly risk reports are needed?
- Timing of risk management activities: Specifies the point at which the risk re-analysis, register updates, and reporting will take place.
- Roles and responsibilities: This section defines who will be responsible for the risk register, who will perform the risk analysis and response plans and who will create reports. The Project Manager and Project Support will normally take care of this unless a specific risk role is assigned to the project.
- Scales: The grading criteria for each risk, that is, for the Probability and Severity score, are defined in this section. For example, ‘Very High, High, Medium, Low, and Very Low.’ Other options include 1-10 or traffic lights.
- Proximity: When the risk is likely to happen, as the severity of risks varies depending on when they occur within a project.
- Risk categories: Most projects will divide their risks into categories. E.g., Strategic, Compliance, Operational, Financial, Supplier, Security, Resource, etc…
- Risk response categories: e.g., for a threat, decide to avoid, reduce, fall back, transfer, accept or share.
- Early warning indicators: It is a good idea to be able to identify risks quickly; therefore, it is important to define warning indicators that can be monitored to ensure a rapid response.
- Risk tolerance: Risk tolerance varies greatly from organization to organization. For example, a construction company has a very high tolerance for operational risks whereas an airline company does not. This is linked to Risk Appetite. Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk.
- Risk budget: A risk budget is often referred to as a contingency budget. A Risk Budget is a sum of money that is put aside just to deal with specific responses to threats or opportunities, and it cannot be used for anything else.
This is an example of a Risk Register and the layout is defined in the Risk Management Approach:
Source data for the Risk Management Approach
- Project Brief; Business Case
- The corporate or programme management’s risk management guide, strategy, or policy
Format of the Risk Management Approach
- This is normally a stand-alone document (Word/PDF)
- Sometimes it can also be a document in a project management tool.
Quality criteria for the Risk Management Approach
- Responsibilities are clear and understood by both customer and supplier
- The risk management procedure is clearly and simply documented
- Scales, expected value and proximity definitions are clear and similar to other projects
- The chosen scales are appropriate for the level of control required
- Risk reporting requirements are fully defined.
Risk Management Process/Procedure
The Risk Management Procedure is a set of five steps that are recommended by PRINCE2. The first 4 steps are sequential, while Communicate will always be done to let stakeholders know what is going on and to get continual feedback during this process. Risk management steps:
- Identify: First complete the Risk Management Approach document for the project, and then identify the risks (threats and opportunities) that could affect the project.
- Assess: Assess the risks in terms of their probability and impact on the project objectives.
- Plan: Prepare the specific responses to the threats (e.g., to help reduce or avoid the threat), or plan to maximize the opportunity if the risk happens.
- Implement: Carry out the planned responses mentioned in step 3 (Plan) if the risk occurs.
- Communicate: Keep communicating to the stakeholders. Use existing management reports that are created during the project (e.g., End Stage Report).
Tips from Frank
- It is up to the Corporate or Programme to supply a good template to the Project Manager.
- Review this document if you are new to it and ask questions if something is unclear.
- Then review this document from the point of view of the Project Board and see if something needs to be changed; e.g., project names, contact persons.