Risk
Let’s say you have many design documents in your project and you start wondering what happens if something goes wrong with your computers and the files are destroyed. You realize that it will be a disaster, and therefore, decide to take backups at the end of each week. What you did was risk management.
Purpose
The purpose of the risk practice is to provide a structured approach for identifying, assessing, and controlling uncertainty throughout the project. By managing risks effectively, the project’s chances of success are significantly improved.
Since projects involve creating something new or making changes, they inherently introduce uncertainty, and uncertainty equals risk. Projects need to understand how to identify, assess, and control these risks, as they can impact the project’s objectives and outcomes.
Risk management isn’t a one-time task that happens at the start of the project; it’s a continuous activity throughout the entire project lifecycle. As such, it is one of the primary responsibilities of the project manager. While the project executive holds overall responsibility for managing risks, they rely on the project manager to continuously identify, assess, and control risks during the project’s progression.
Definitions
In PRINCE2, the definition of risk is based on MoR® (management of risk). Risk is defined as a set of events that, if they occur, will impact the achievement of the project’s objectives.
An alternative definition is: “Risk is an uncertain event that, if it occurs, can have either a positive or negative impact on a project objective.”
Risk can be categorized as either a threat or an opportunity. While many associate risk with negative outcomes, it’s important to recognize that risk can also present opportunities. For example, imagine a project developing a new CRM system. There is a risk that the cost of the warehouse integration module may be reduced by 50%, saving the project €7,500. This is an opportunity because it positively affects the project’s overall budget.
What is at risk?
If I were to ask, “What is at risk in the project?” you might respond by saying the project itself or perhaps user satisfaction with the final product. However, PRINCE2 takes a different perspective. According to PRINCE2, it’s the project’s objectives that are at risk. These objectives include the seven key performance targets:
- Time
- Cost
- Quality
- Scope
- Risk
- Benefits
- Sustainability
What is risk management?
Risk management involves taking systematic steps to identify, assess, and control risks throughout the project. This practice provides a structured approach to managing risk in PRINCE2 projects. The process is divided into three key steps:
- Identification: Identifying and describing the risk.
- Assessment: Evaluating the likelihood of the risk occurring and its potential impact on project objectives.
- Control: Determining the best response to the risk.
New risks can emerge at any point during the project.
The risk management method
PRINCE2 makes use of another AXELOS method, management of risk (MoR). As a result, PRINCE2 takes advantage of procedures and principles that have already been defined instead of trying to reinvent the wheel. The MoR method is a generic approach to risk and follows these steps:
- First, understand the project context, which means understanding the project environment.
- Involve stakeholders, users, suppliers, and teams to help identify risks.
- Establish an approach for the project and document this approach.
- Provide regular reports on risk.
- Define risk roles & responsibilities.
Risk context
When considering risk, it’s important to ask “In what context?”, since this helps define how risk is viewed based on the project’s nature and goals.
Example 1: In a high-stakes project like a NASA space mission, where a device must function flawlessly for 10 years in orbit, the project has a very low risk tolerance.
Example 2: In a simpler scenario, such as developing a short-lived prototype for internal use that will only last 4 months, the project has a higher tolerance for risk, as not everything needs to work perfectly.
Note: Projects with a high risk tolerance are often described as having a “big risk appetite,” meaning they can take on more risk.
When first assessing risk, the key question is: What risk policies already exist within the company or program that can be applied, so we don’t have to reinvent the wheel? If a risk policy is in place, it will provide clarity on:
- The organization’s approach to risk (risk appetite)
- Risk tolerances
- Procedures for escalating risks
- Roles and responsibilities
- Examples of a risk management approach document
The risk management approach
PRINCE2 recommends that each project develop its own risk management approach document. This document outlines the procedures for identifying, assessing, controlling, and communicating risks throughout the project.
In simpler terms, the risk management approach describes the specific techniques, standards, and responsibilities for managing risks within the project, ensuring a consistent and effective approach.
While creating a risk management approach might sound like a large task, if your project is part of a program, much of the approach may already be provided in a detailed template, which you can then customize to fit the needs of your specific project. The project manager is responsible for tailoring and finalizing this document during the initiation stage.
The risk register
The risk register is a key tool for documenting and tracking all identified risks related to the project, including both threats and opportunities. It provides a comprehensive record of each risk, including its current status and history, helping to ensure that risks are managed effectively throughout the project lifecycle.
Risk register layout:
- Risk identifier: A unique number assigned to each risk (e.g., 042).
- Risk author: The person who identified and raised the risk.
- Date registered: The date the risk was first logged.
- Risk category: Categories specific to the project, such as quality, network, legal, or supplier.
- Risk description: Describes the risk using a specific format (e.g., cause, event, and effect).
- Probability/impact: The likelihood and impact of the risk, typically assessed using a predefined scale (e.g., very low, low, normal, high).
- Proximity: The estimated time frame for when the risk is likely to occur.
- Risk response category:
- For threats: Decide whether to avoid, reduce, transfer, accept, or share the risk.
- For opportunities: Decide whether to enhance, exploit, reject, or share the opportunity.
- Risk response: A list of actions to resolve the risk, based on the selected response strategy.
- Risk status: The current status of the risk (e.g., active or closed).
- Risk owner: The individual responsible for managing the risk.
- Risk actionee: The person tasked with carrying out the response actions (this may be the same as the risk owner).
One final point regarding the risk register is that while the project manager is ultimately responsible for its contents, it is the project support role that typically maintains and updates it. The risk management approach document will outline the configuration and usage of the risk register, providing guidance on how it should be managed throughout the project.
The risk management technique
The risk management technique in PRINCE2 is composed of five key steps. To help remember these steps, use this mnemonic: I ate peaches in China – identify, assess, plan, implement, and communicate. The first four steps follow a sequential process, while communication is an ongoing activity to keep stakeholders informed and gather continual feedback. Risk management steps:
- Identify: Start by completing the risk management approach document for the project, then identify all risks (both threats and opportunities) that could potentially impact the project.
- Assess: Evaluate each identified risk based on its likelihood and potential impact on the project objectives.
- Plan: Develop specific actions to respond to the risks. This could involve mitigating threats (e.g., reducing or avoiding them) or enhancing opportunities if the risk occurs.
- Implement: Execute the planned actions from the previous step when the risk is triggered to manage its impact.
- Communicate: Consistently communicate risk-related information to stakeholders. Use existing management reports (e.g., end stage reports) for updates and ongoing feedback.
Step 1/5 — identify
The identify step can be further broken down into several actions:
- Identify the context and understand the project’s risk perspective by determining its risk tolerance.
- Consider these questions:
- What type of project is this?
- How many people will use the product?
- What could be the financial impact if the product fails?
- How complex is the project, and what is the organization’s approach to risk?
- Complete the risk management approach document.
- Identify risks using various techniques:
- Review lessons learned and risk and issue logs from previous projects.
- Check if any checklists (prompt lists) are available.
- Conduct brainstorming sessions with the team and invite specialists to facilitate.
- Use the cause, event, and effect method to describe each risk.
Step 2/5 — assess
This step is to assess the probability and impact of each risk, ensuring stakeholders can identify and focus on the most critical risks. This involves evaluating:
- The probability that the risk will occur (often estimated based on frequency or likelihood).
- The impact of each risk in relation to project objectives (e.g., if time and cost are key objectives, the impacts should also be measured in those terms).
- How the risk could affect the stage plan, project plan, and business case.
- The potential changes in the risk’s impact over the course of the project.
- Whether the project team can manage the risk effectively or if it needs to be escalated to the project board, a program, or a corporate body.
The risk register must be updated regularly with this information.
Understanding the combined effect of all identified risks is essential to determine if the overall risk exposure aligns with the project’s risk appetite, as set by the business and overseen by the project board. Control actions must be planned if the risk exposure exceeds the agreed threshold.
Consistent with PRINCE2’s continued business justification principle, the project’s justification should always be assessed in light of its current risk exposure. No project is risk-free, and understanding how risk exposure compares with risk tolerance helps determine the level of effort required for effective risk responses.
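As an added example (not code from this page, from PRINCE2 or from AXELOS), the following Python risk register implements the register layout described earlier and the assess step's check of combined exposure against the project's risk tolerance. The numeric probability/impact scale, the tolerance figures, the response-category sets (taken from the threat and opportunity response lists in this article) and the three sample risks are all constructed assumptions for illustration.

```python
"""Minimal PRINCE2-style risk register with assessment and escalation checks.

Added example; the scales, tolerances and sample risks are constructed."""
from dataclasses import dataclass
from datetime import date

# Ordinal scale (assumption): the page only names the levels, not the numbers.
SCALE = {"very low": 1, "low": 2, "normal": 3, "high": 4}

# Response categories per risk kind, as listed in the article's response sections.
THREAT_RESPONSES = {"avoid", "reduce", "fallback", "transfer", "accept", "share"}
OPPORTUNITY_RESPONSES = {"enhance", "exploit", "reject", "share", "accept",
                         "transfer", "contingent"}


def is_valid_response(kind: str, category: str) -> bool:
    """True if the response category belongs to the given risk kind."""
    allowed = THREAT_RESPONSES if kind == "threat" else OPPORTUNITY_RESPONSES
    return category in allowed


@dataclass
class Risk:
    identifier: int          # unique number, e.g. 42
    author: str              # who identified and raised the risk
    registered: date         # date first logged
    category: str            # project-specific category, e.g. "supplier"
    kind: str                # "threat" or "opportunity"
    cause: str               # cause / event / effect description parts
    event: str
    effect: str
    probability: str         # a key of SCALE
    impact: str              # a key of SCALE
    proximity: str           # when the risk is likely to occur
    response_category: str   # must be valid for the risk kind
    response: str            # planned actions for the chosen response
    owner: str               # monitors and manages the risk
    actionee: str = ""       # carries out actions; defaults to the owner
    status: str = "active"   # "active" or "closed"

    def __post_init__(self) -> None:
        if self.kind not in ("threat", "opportunity"):
            raise ValueError(f"risk {self.identifier}: bad kind {self.kind!r}")
        for level in (self.probability, self.impact):
            if level not in SCALE:
                raise ValueError(f"risk {self.identifier}: bad scale value {level!r}")
        if not is_valid_response(self.kind, self.response_category):
            raise ValueError(f"risk {self.identifier}: {self.response_category!r} "
                             f"is not a {self.kind} response")
        if not self.actionee:
            self.actionee = self.owner

    @property
    def description(self) -> str:
        """Cause / event / effect wording used for the risk description field."""
        return (f"Because {self.cause}, there is a risk that {self.event}, "
                f"which would {self.effect}.")

    @property
    def score(self) -> int:
        """Probability x impact on the ordinal scale."""
        return SCALE[self.probability] * SCALE[self.impact]


class RiskRegister:
    def __init__(self, risk_tolerance: int, per_risk_tolerance: int) -> None:
        self.risk_tolerance = risk_tolerance          # combined threat exposure allowed
        self.per_risk_tolerance = per_risk_tolerance  # above this, escalate the risk
        self._risks: dict = {}

    def add(self, risk: Risk) -> None:
        if risk.identifier in self._risks:
            raise ValueError(f"duplicate risk identifier {risk.identifier}")
        self._risks[risk.identifier] = risk

    def close(self, identifier: int) -> None:
        self._risks[identifier].status = "closed"

    def active(self, kind: str = "") -> list:
        return [r for r in self._risks.values()
                if r.status == "active" and (not kind or r.kind == kind)]

    def threat_exposure(self) -> int:
        """Combined effect of all active threats (sum of scores)."""
        return sum(r.score for r in self.active("threat"))

    def within_appetite(self) -> bool:
        return self.threat_exposure() <= self.risk_tolerance

    def escalations(self) -> list:
        """Risks the project manager cannot keep: candidates for the project board."""
        return [r for r in self.active() if r.score > self.per_risk_tolerance]

    def ranked(self) -> list:
        """Active risks, most critical first, so stakeholders can focus."""
        return sorted(self.active(), key=lambda r: (-r.score, r.identifier))


def build_sample_register() -> RiskRegister:
    """Constructed sample data based on the concert examples in the article."""
    reg = RiskRegister(risk_tolerance=20, per_risk_tolerance=11)
    reg.add(Risk(42, "events lead", date(2024, 4, 2), "weather", "threat",
                 "the concert is outdoors in April", "it rains during the event",
                 "drive attendees away", "high", "normal", "event day",
                 "reduce", "move the date to July", "events lead"))
    reg.add(Risk(43, "finance lead", date(2024, 4, 3), "supplier", "threat",
                 "the headline act has a single performer", "the act cancels through illness",
                 "force ticket refunds", "low", "high", "two weeks before the event",
                 "transfer", "take out cancellation insurance", "finance lead", "procurement"))
    reg.add(Risk(44, "catering lead", date(2024, 4, 3), "sales", "opportunity",
                 "the venue is next to a beach", "the weather is very good",
                 "increase ice cream sales", "normal", "normal", "event day",
                 "enhance", "arrange short-notice ice cream supply", "catering lead"))
    return reg
```

Scores are probability times impact, so risk 42 scores 12, risk 43 scores 8 and opportunity 44 scores 9; the combined threat exposure of 20 sits exactly at the tolerance, while risk 42 alone exceeds the per-risk threshold and is flagged for escalation. Closing risk 42 drops the exposure to 8.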
Step 3/5 — plan
In this step, we identify the best actions to take for managing risks. These actions aim to reduce threats or take advantage of opportunities. Common risk responses include avoiding, reducing, transferring, or accepting risks.
For bigger risks, we might need early warning signs to spot if the risk will happen and create a plan for managing it if it does.
Sometimes, the project team isn’t the best group to handle a risk. This may happen if:
- The team can’t address the risk within its control.
- The risk could seriously affect the project’s success.
- The risk is part of a larger program and should be handled at that level.
- The response could push the project outside of its limits (like breaking regulations).
If a risk is within the project’s tolerances, the project manager can handle it. If not, the issue should be escalated to the project board or higher management. It’s important to escalate risks early, as this gives more time to act.
Responses to threats
There are 6 general types of response to threats:
- Avoid a threat
- Objective: Take action so the threat no longer has an impact or can no longer happen.
- Example: You are organizing an outdoor concert for 600 people in April in the UK. One of the risks is that it may rain, so you decide to move the concert indoors to avoid the risk. This response has removed the threat. Now, if it rains, it will not impact the concert. Another example of avoid is to cancel the concert.
- Reduce a threat
- Here, actions are taken to reduce the probability of the risk occurring, or to reduce its impact if it does occur. To help understand this, I will give an example of both reducing probability and reducing impact. Reduce is the most common way of dealing with risks.
- Example to reduce probability: The objective is to reduce the probability of the risk happening. Using the concert example with the threat of rain, we could move it to July, where it’s 3 times less likely to rain. This is a clear example of reducing the probability, but the risk remains.
- Example to reduce impact: The objective is to reduce the impact if the risk occurs. Here, the organizers could order a load of sponsored plastic ponchos for the concert-goers when they arrive. If it does rain during the concert, the people will not get soaked from the rain; thus, you have reduced the impact of the rain.
- Fallback / prepare contingent plans
- Fallback is also referred to as contingency. A fallback is a plan of actions that would be carried out if the risk occurs and becomes an issue. These actions would help to reduce the impact of the threat.
- Example: There is an important tennis match at Wimbledon on Centre Court, which now has a roof that can be closed. The fallback plan is to close the roof once it starts to rain. This would not stop it from raining, and it takes 5 minutes to close the roof, so the grass could still get a few drops of rain. This fallback reduces the impact of the rain and allows the match to continue after the roof has been closed.
- Note: The action of closing the roof is only done once the threat is real.
- Transfer the risk
- Here, you can transfer the financial risk to another party. For example, using an insurance policy, you could recover the costs if the threat does happen.
- Example: Let’s use the example of the concert again. One of the threats is that one of your top acts might not be able to play at the event due to illness or some other reason. Concertgoers might want to have their money back, but you have already spent a lot of money just organizing the event. So, you take out an insurance policy to cover any losses you could incur if this risk does occur.
- Accept the risk
- Here, a decision is taken to accept the risk. It may just cost too much money to do something about it, or it may not be possible to do anything about it. However, you keep this risk’s status open and continue to monitor it.
- Example: There is a risk that another outdoor concert could be held around the same day as your concert and this might affect ticket sales. After some consideration, you decide to do nothing about it and continue as normal. Moving the concert to another time would just cost too much, and some people have already bought tickets, so you just live with the risk.
- Share the risk
- Share is both a response for threats and opportunities. Share is very common in customer/supplier projects where both parties share the gain if the costs are less than the planned costs, and share the loss if the costs are exceeded.
- Example: Using the concert example, suppose you want to provide VIP car parking, there is a certain fixed cost that you must pay and you agree with the supplier to share the profits if the revenue is above this fixed cost amount. You would also share the losses if they were below this amount.
Responses to opportunities
The following are the types of responses PRINCE2 describes for opportunities:
- Share the risk
- I already covered “share” when discussing the planning responses to threats. It’s where you share the profits and losses with another party.
- Accept the risk
- When accepting an opportunity, the business decides to “take the chance” that the opportunity will occur and handle its impact if it does. There is no cost incurred now to prepare for the opportunity, but the business is ready to manage it if it materializes.
- For example, a company might choose not to invest in strategies to capitalize on a potential market trend, but instead, simply accept the possibility of gaining profits if the trend works out.
- Enhance an opportunity
- Enhance is where you take actions to improve the likelihood of the event occurring and you enhance the impact if the opportunity should occur. This is not the same as “exploit,” but doing certain things will give a greater chance for the opportunity to happen.
- Example: The risk is that the weather may be very good and you can sell a lot of ice cream. You take the following actions to enhance this opportunity: contact the ice cream company and get them to supply ice cream, stands, advertising, etc., at short notice if required, and contact an employment agency to supply salespersons at short notice if required. So what is the difference from exploit? With exploit, if the risk does happen, you take advantage of it. With enhance, you try to increase the chances of it happening or enhance the impact if the risk does occur.
- Transfer the risk
- When transferring an opportunity, the project passes the potential benefit to a third party. For example, a third party might gain a cost-benefit, while the project might receive a different advantage, like shared resources or expertise.
- This approach allows the project to leverage external capabilities to take advantage of the opportunity, while still benefiting in another way. However, transferring opportunities is less commonly used than transferring threats.
- Prepare contingent plans
- When responding to an opportunity, a contingent plan is about preparing a backup plan, just in case the opportunity doesn’t work out as expected.
- This means that while you’re actively trying to seize the opportunity, you also prepare a plan for what to do if things don’t go as planned. The goal is to be ready to act if the opportunity doesn’t deliver the expected benefits.
Step 4/5 — implement the responses
The main things to decide in this step are:
- Who is going to monitor these risks? (risk owner).
- Who is going to carry out the planned risk responses? (risk actionee).
The PRINCE2 manual mentions two specific roles: Risk owner and risk actionee.
- The risk owner is responsible for managing and monitoring all aspects of the risk. They can also carry out actions that have been assigned to them.
- The risk actionee is someone who is assigned to carry out a particular action and they support the risk owner. So, they are not responsible for monitoring or managing the risk.
Note: The risk owner and risk actionee could be the same person.
Step 5/5 — communicate
Communicate is the 5th step in the PRINCE2 risk management procedure, but it is actually done throughout the whole procedure. This step ensures that information about the threats and opportunities faced by the project is communicated within and outside the project to all necessary stakeholders.
How do you think the project manager communicates? The existing management report products are used to communicate risk information, such as:
And the guidelines for reporting come from the communication management approach document.
How does the project manager decide which risk information to communicate?
The project manager will ask such questions as, “what has changed since the last report?” as risk is never static. Other less formal methods such as meetings and memos can also be used.
Risk budget
A risk budget is a sum of money that is put aside just to deal with specific responses to threats or opportunities. It cannot be used for anything else. Certain responses to risk will require certain actions to be done that cost money; this will be budgeted in the risk budget.
The PRINCE2 manual reminds us that this budget is used for responding to risks that occur. It should not be used to fund extra requirements that are introduced in the project or cover the cost of any delays. The risk budget has nothing to do with the change budget, so it should not be raided if the change budget is empty.
Roles and responsibilities
- Business
- Provide the corporate risk management policy and information.
- Project executive
- Accountable for all aspects of risk management.
- Ensure that a risk management approach exists.
- Ensure business case risks are followed up.
- Senior user
- Ensure that risks to the users are identified, assessed and controlled.
- Senior supplier
- Ensure that risks to the supplier are identified, assessed and controlled.
- Project manager
- Create the risk management approach document.
- Create and maintain the risk register & summary risk profile.
- Ensure that risks are continually identified, assessed and controlled.
- Team manager
- Help with identifying, assessing and controlling risk.
- Project assurance
- Review the risk management practices against the project’s risk management strategy.
- Project support
- Assist the project manager in maintaining the project’s risk register.
—o—
Written by Frank Turley.
If you have questions or doubts after using this wiki, you can ask for help on the Facebook or LinkedIn study groups.