Also available in: Nederlands Français Español Português Polski Italiano
Most Project Managers don’t really get a chance to practice Risk Management. This is covered very well in all the Project Management methods, but it seems to get forgotten about as soon as the project starts up. Even if Project Managers spend an appropriate amount of time on Risk Management, they may stop once they realize that nobody is interested in the Risk information, as there may be very little awareness of Risk Management in the organization.
Project Managers are not to blame. They first need a Risk Management Approach to follow, and the rest of the organization also has to be aware of the importance of Risk Management. If you are working in a Program environment, there will most likely be a standard approach to Risk Management and hopefully you will have received training.
If you are not working in a Program environment, then you should check if there are standard procedures available for Risk Management in the company or in use by other Project Managers.
The knowledge provided in this Risk Theme provides an excellent approach to Risk Management that you will be able to understand and use. I believe that the most important thing to understand in this theme is the structure of the Risk Register, how to use it to enter Risk information, and how to track risks during the project.
A good tip to remember is to ask your Executive “How should risk be assessed, tracked and communicated during the project? This will give you a very good idea on Risk awareness for the project and perhaps for the organization.
The purpose of the Risk Theme is to provide an approach to “identify, assess and control uncertainty during a project and as a result, improve the ability of the project to succeed”
You could also say that the purpose of the Risk Theme is that “it looks at identifying, assessing and controlling uncertainty and improves the ability of the project to succeed”.
Why is there Risk in a project?
As projects are about doing something new, the change introduces uncertainty and uncertainty is risk. The project needs to know how to identify risk, how to assess this risk, and how to control this risk, as risk may affect the project objectives.
When is Risk Management done in the project?
Risk Management is not just done at the start of the project but must be a continual activity during the full life of the project; it is therefore one of the main tasks for the Project Manager. It is the Executive that is responsible for Risk in a project, and they rely on the Project Manager to continually identify, assess and control risks throughout the project.
What is Risk?
PRINCE2 has a specific definition for Risk, which is taken from the MoR® method.
Risk is a set of events that, should they occur, will have an effect on achieving the project objectives.
Another definition is:
Risk is an uncertain event that, if it occurs, will have a positive or negative effect on a project objective.
Risk can be seen as positive or negative. Another way to say this is a Risk can be seen as a Threat or Opportunity. Describing Risk as a positive – or should I say an opportunity – might be new for you, so here is an example. There is a project to develop a new CRM system (sales system) and there is a Risk that we can get a reduction of 50% on the warehouse integration module which has a value of €15,000. This Risk is an opportunity, as it will have a positive impact on the project.
What is at risk?
If I were to ask you the question, “What is at risk in the project?” you might say that the project was at risk, or perhaps User satisfaction with using the product was at risk. PRINCE2 takes another view on this. It states the Project’s objectives are at risk and these include the six performance targets, of time, cost, quality, scope, benefits and risk.
What is Risk Management?
Risk Management is about the steps you take in a systematic way that will enable you to identify, assess and control risk. This Risk Theme provides an approach to manage Risk in a project. There are three steps to Risk Management which are Identification, Assessment and Control:
- Identification: How to identify and describe the risk.
- Assess the Risk: Likelihood of the risk and impact on objectives.
- Control the Risk: How best to respond to a risk.
A new Risk can arise at any time in the project. The Project Manager should ask questions, like:
- “How will this Risk affect the Business Case?”
- “How does Risk issue affect any of the current risks already registered?”
The Management of Risk Method and Risk Context
PRINCE2 makes use of the other AXELOS method, which is Management of Risk (MoR). As a result, PRINCE2 takes advantage of all these procedures and principles that have already been defined instead of trying to re-invent the wheel. The MOR method is a generic approach to Risk and has the following approach:
- First, understand the project context, which means understand the project environment.
- Involve Stakeholders, Users, Suppliers, and Teams to help identify risks.
- Establish an approach for the Project and document this approach.
- Provide regular reports on Risk.
- Define risk Roles & Responsibilities.
If someone asks you what a certain word means, you may ask “in what context?”. Here, you are asking what the context is from a Risk point of view.
Example 1: If the project is a NASA space project and a device has to work for 10 years in orbit, this is a good example of a very low risk-tolerance project.
Example 2: We are developing a simple prototype for in-house use only and this product will have a lifetime of less than 4 months, so not everything has to work with this product. This is an example of a high-risk tolerance project.
Note: A project that has a high-risk tolerance is said to have a big-risk appetite as it can take on lots of risk.
When first considering Risk, the first question should be: What risk policies already exist in the company or in the Programme environment today that can be used so there is no need to re-identify them?” If a policy does exist, then it will provide the following information:
- The organization’s attitude towards Risk (also called Risk Appetite).
- Risk Tolerances.
- Procedures for escalation.
- Typical Roles & Responsibilities.
- Example of a Risk Management Approach document.
The Risk Management Approach
PRINCE2 recommends that each project have its own Risk Management Approach document. This document defines the project procedures for Risk Management, in terms of how Risk will be identified, assessed, controlled and communicated in the project.
Another way to say this is: the Risk Management Approach describes the specific risk management techniques and standards to be applied during the project, and the responsibilities to provide a good and consistent risk management procedure.
This might seem like a big task, but if your project is part of a program, then most of the Risk Management Approach will already be provided to you in a detailed template that you can update to suit the project. The Risk Management Approach is created (customized to suit the project) in the Initiation stage by the Project Manager.
The Risk Register
The Risk Register captures and maintains the information (both threats and opportunities) on all the risks that were identified and relate to the project. So it provides a record of all risks including their status and history.
Risk Register Example:
- Risk Identifier: This is just a unique number (ex: 042).
- Risk Author: Person who raised the Risk.
- Date Registered: Date the Risk was registered.
- Risk Category: A project can have its own categories. One of these will be selected, such as quality, network, legal and supplier.
- Risk Description: This is written is a specific way (e.g., cause, event and effect).
- Probability Impact: Choose value from an agree scale (very low, low, normal, etc.).
- Proximity: How soon (when) the risk is likely to happen.
- Risk Response Category:
- If a Threat, decide to avoid, reduce, fall back, transfer, accept or share.
- If an Opportunity, decide to enhance, exploit, reject or share.
- Risk Response: List of actions to resolve the Risk.
- Risk Status: Current status of the Risk: Active or Closed.
- Risk Owner: Mention one person who is responsible for managing the Risk.
- Risk Actionee: Person who will carry out the actions described in the response (Note: Can also be same person as the Risk owner).
The last point I would like to make about the Risk Register is that the Project Manager is responsible for it but it is the Project Support role that will maintain it. The Risk Management Approach document will describe how the Risk Register should be configured and used.
The Risk Management Procedure
The Risk Management Procedure is a set of five steps that are recommended by PRINCE2. To help remember this, think of the following sentence when you think of Risk: I Ate Peaches In China Identify, Assess, Plan, Implement and Communicate. The first 4 steps are sequential, while Communicate will always be done to let stakeholders know what is going on and to get continual feedback during this process.
Risk management steps:
- Identify: First complete the Risk Management Approach document for the project, and then identify the risks (threats and opportunities) that could affect the project.
- Assess: Assess the risks in terms of their probability and impact on the project objectives.
- Plan: Here, your Plan steps are to prepare the specific response to the threats (e.g., to help reduce or avoid the threat), or this could also be to plan to maximize the opportunity if the risk happens.
- Implement: Carry out the planned responses mentioned in step 3 Plan if the risk occurs.
- Communicate: Keep communicating to the stakeholders. Use existing management reports that are created during the project (e.g., End Stage Report).
Step 1: Identify
The Identify step can be divided into a number of smaller steps.
- Identify the context: which is to understand the project from a risk point of view; whether this is a high- or low-risk tolerance project. Ask questions like:
- What type of project is this? Or, how many people will use the product?
- What is the cost to the company if the product does not work?
- How complex is this project and the organization approach to risk?
- Complete the Risk Management Approach document. The Risk Management Approach will provide information on the Risk Management Procedure to follow, the structure of the Risk * Register, Risk categories, reports, roles & responsibilities, scales for likelihood, impact, proximity, etc. Identify the risks using a number of techniques:
- Review Lessons and Risk and Issue Logs from older projects.
- Check if checklists are available (prompt lists).
- Brainstorm and invite specialists into a room to facilitate.
- Describe the risks in terms of cause, event and effect, see next topic.
Step 2: Assess Risk
Assess Risk covers two actions: Estimating and Evaluating Risk. You will see that these go together.
Estimating is about assessing the probability, the impact, and the proximity for each threat or opportunity. These are three of the columns in the Risk Register.
Evaluating is to group all the risks together (both threats and opportunities) and get an overall Risk Value for the whole project.
There are a number of techniques for estimating Risk, such as probability trees, expected value, Pareto analysis, and probability impact grid. You do not need to know these for the exam. I will give one example, so that you’ll have a good idea of how to use one of these.
The Expected Value technique: This technique combines impact cost (e.g., €80,000) with the probability (e.g., 5%). In other words, it combines the cost of impact.
PRINCE2 recommends that the following is understood for each threat and each opportunity:
- The probability of the risk (i.e., the likelihood of it happening).
- The impact (quantify in terms of project objectives, i.e., what will be the damage done?).
- The proximity of these threats, i.e., when this is likely to happen. (E.g., icy roads may be 5 months away for a summer event, but much nearer if the event was held in November.).
- And how the impact of the risk may change over the life of the project. I think I need to give an example to explain this:
Let us say there is a threat that a supplier will take 20% longer to do their tasks than planned. The impact at the start of a project is for the whole project, while the impact towards the end may cover only one stage. So, the Impact of this risk gets lower as the project goes on.
PRINCE2 recommends plotting the estimates on a Summary Risk Profile diagram. This is a Probability versus Impact diagram and it’s an easy way to compare risks with each other. I would strongly advise you to take a good look the Summary Risk Diagram example and understand its structure.
There are a number of advantages to this diagram:
- It is easy to get an overview of all the risks.
- It is very useful for communicating the project’s level of risk to the Project Board.
- You can see which risks will need attention.
- You can draw a Risk Tolerance line on the diagram to distinguish risks that have both a higher impact and higher probability rate from risks that have a lower level of probability and impact.
- All risks above this Risk Tolerance line might need action to be taken.
The Project Manager is expected to provide Risk information to the Executive and Project Board e.g., at the end of each stage. So the Project Manager will include information on any changes to the Risk above the Risk Tolerance line (see red dotted line) in the End Stage Report. The Project Manager will immediately inform the Executive if a risk moves from below to above the Risk Tolerance line.
The objective of Evaluate is to assess all the risks together (both threats and opportunities) and get an overall Risk Value for the whole project. From a Corporate, Programme Management or Project Board point of view, such a figure for each project before it starts would be very useful. For example, a Project Board might want to continue with a project only if the risk for the project is less than an agreed tolerance.
How do you think we could get a risk value for the whole project?
Earlier in this theme we gave an example using the expected monetary value technique to assign a value to a risk. The calculation in the example was €1,600. Imagine adding all these values together for each risk. This would give you the Risk Value of the whole project. Remember to include any opportunities into the calculation. As you can imagine, opportunities will have positive amounts, while threats will have negative amounts.
To summarize, Estimate deals with one risk at a time, and evaluate groups all risks together to give one Risk Value for the whole project.
Step 3: Plan is about planning the Responses
Planning the responses is about planning specific responses to the threats and opportunities: The objective of planning the responses to risk is to reduce the threats and maximize the opportunities.
If the Project Manager fails to plan a response to a risk, they will be caught off-guard if this risk materializes. It is always good to be prepared. After all, failing to plan is planning to fail. For example, if your project is to organize an outdoor event and one of the risks is a threat of rain…if you do nothing to prepare for this and halfway during the concert it starts to rain heavily, it’s a bit too late to start erecting a tent or ordering plastic ponchos to distribute.
Responses to Threats
PRINCE2 suggests 6 responses for threats and four responses for opportunities.
The 6 responses for threats are: Avoid, Reduce, Fallback, Transfer, Share and Accept The 4 responses for Opportunity are Exploit, Enhance, Share and Reject. Note: Our goal is to reduce / prevent the risk from having an effect on our project. For instance, we could prevent the rain from having an effect on our concert if we move it indoors. It still could rain, but it will no longer have an impact as far as the concert project is concerned.
- Response: Avoid
- Objective: Take action so the threat no longer has impact or can no longer happen.
- Example: You are organizing an outdoor concert for 600 people in April in the UK. One of the risks is that it may rain, so you decide to move the concert indoors thus avoiding the risk. This response has removed the threat. Now, if it rains, it would have no impact on the concert. Another example of avoid is to cancel the concert.
- Response: Reduce
- Here, actions are taken to reduce the probability of the risk. Reduce the impact if the risk does occur. To help understand this, I will give an example of both reduce probability and reduce impact. Reduce response is the most common way of dealing with risks.
- Example to Reduce Probability: The objective is to reduce the probability of the risk happening. Using the concert example with the threat from rain, we could move the concert to July where it’s 3 less times less likely to rain. This is a clear example of reducing the probability, but the risk is still there.
- Example to Reduce Impact: The objective is to reduce the impact in case the risk occurs. Here, the organizers could order a load of sponsored plastic ponchos to be offered to the concert-goers when they arrive. If it does rain during the concert, the people would not get soaked from the rain and thus, you have reduced the impact of the rain.
- Response: Fallback
- Fallback is also referred to as contingency. See fallback as a fallback plan of actions that would be done if the risk occurs and would become an issue. These actions would help to reduce the impact of the threat.
- Example: There is an important tennis game at Wimbledon in Centre Court which now has a roof that can be closed. The fallback plan is to close the roof once it starts to rain. This would not stop it from raining and it takes 5 minutes to close the roof of the tennis court, so the grass could still get a few drops of rain. This fallback reduces the impact of the rain and, yet, it allows the game to continue after the roof has been closed.
- Note: The action of closing the roof is only done once the threat is real.
- Response: Transfer
- Here you can transfer the financial risk to another party. For example, using an insurance policy, you could recover the costs if the threat does happen.
- Example: Let’s use the example of the concert again. One of the threats is that one of your top acts might not be able to play at the event due to illness or some other reason. Concertgoers might want to have their money back but you have spent a lot of money already just organizing the event. So you take out an insurance policy to cover any losses you could incur if this risk does occur.
- Response: Accept
- Here, a decision is taken to accept the risk. It just may cost too much money to do something about it or it may not be possible to do anything about it. However, you do keep the status of this risk open and continue to monitor it.
- Example: There is a risk that another outdoor concert could be held around the same day as your concert and this might affect ticket sales. After some consideration, you decide to do nothing about it and continue as normal. Moving the concert to another time would just cost too much and some people have already bought tickets, so you just live with the risk.
- Response: Share
- Share is both a response for threats and opportunities. Share is very common in customer/supplier projects where both parties share the gain if the costs are less than the planned costs, and share the loss if the costs are exceeded.
- Example: Using the concert example, suppose you want to provide VIP Car Parking, there is a certain fixed cost that you must pay and you agree with the supplier to share the profits if the revenue is above this fixed cost amount. You would also share the losses if it were below this amount.
Responses to Opportunities
The responses to opportunities are: Share, Exploit, Enhance and Reject. Note: For the exam, you just need to be able to recognize these responses.
- Response: Share
- I already covered “Share” when discussing the planning responses to threats. It’s where you share the profits and losses with another party.
- Response: Exploit
- Exploit is where, if the risk does happen, you would take advantage of it and use it.
- Example: I will use the outdoor concert event project. The Risk is that the weather may be very good and you can sell a lot of ice cream. If this risk does happen, then you will exploit it.
- Response: Enhance
- Enhance is where you take actions to improve the likelihood of the event occurring and you enhance the impact if the opportunity should occur. This is not the same as “Exploit,” but doing certain things will give a greater chance for the opportunity to happen.
- Example: The Risk is that the weather may be very good and you can sell a lot of ice cream. You take the following action to enhance this opportunity. Contact ice-cream company and get them to supply ice cream, stands, advertising, etc., at short notice if required. Contact an employment agency to supply salespersons at short notice if required. So what is the difference with Exploit? With Exploit, if the risk does happen, then you take advantage of it. With Enhance, you try to increase the chances of making it happen or enhance the impact if the risk does occur.
- Response: Reject
- This is where you identify an opportunity and decide not to take any action on this opportunity. There can be many reasons not to do this. For example, it could cause you to lose focus on your main objective, or the return on this opportunity could be low.
- Example: There is an opportunity to invite another equally known guest star free from the same label as your lead top act; however, you decide not to go ahead with this, as you cannot mention the artist’s name on the posters and advertising, so you would not sell any extra tickets. Also, it will cost you extra to provide facilities for this extra artist. So it sounded like a cool idea, but did not bring any extra value to the bottom line for the concert, only extra costs.
Step 4: Implement the Responses
Forecast. The main thing to decide in this step is:
- Who is going to monitor these Risks? (Risk Owner).
- Who is going to carry out the planned Risk Responses? (Risk Actionee).
The PRINCE2 manual mentions two specific roles which are: Risk Owner and Risk Actionee.
- The Risk Owner is responsible for managing and monitoring risks aspects. They can also carry out actions that have been assigned to them.
- The Risk Actionee is someone who is assigned to carry out a particular action and they support the Risk Owner. So they are not responsible for monitoring or managing the risk.
Note: The Risk Owner and Risk Actionee could be the same person.
Step 5: Communicate
Communicate is the 5th step in the PRINCE2 Risk Management procedure, but is actually done throughout the whole Risk Management procedure. This communication step ensures that the information related to the threats and opportunities faced by the project are communicated within and outside the project to all necessary stakeholders.
How do you think the Project Manager communicates?
The existing management report products are used to communicate Risk information, such as:
And the guidelines for reporting come from the Communication Management Approach document.
How does the Project Manager decide which risk information to communicate?
The Project Manager will ask such questions as, “What has changed since the last report?” as Risk is never static. Think again of the Summary Risk Diagram and that a Risk can move around the diagram or even above or below the Risk threshold line during the project as conditions change.
Other less formal methods such as meetings and memos can also be used.
A Risk Budget is a sum of money that is put aside just to deal with specific responses to threats or opportunities. It cannot be used for anything else. Certain responses to Risk will require certain actions to be done that cost money; this will be budgeted in the Risk Budget.
What can the Risk Budget be used for?
The PRINCE2 manual reminds us that this budget is used for responding to risks that occur. It should not be used to fund extra requirements that are introduced in the project or cover the cost of any delays. The Risk Budget has nothing to do with the Change Budget, so it should not be raided if the Change Budget is empty.
Roles and Responsibilities
- Provide the Corporate Risk Management policy and information.
- Accountable for all aspects of the Risk Management.
- Ensure that a Risk Management Approach exists.
- Ensure Business Case Risks are followed up.
- Senior User
- Ensure that Risks to the users are identified, assessed and controlled.
- Senior Supplier
- Ensure that risks to the supplier are identified, assessed and controlled.
- Project Manager
- Create the Risk Management Approach document.
- Create and maintain the Risk Register & Summary Risk Profile.
- Ensure that risks are continually identified, assessed and controlled.
- Team Manager
- Help with the identifying, assessing and controlling risk.
- Project Assurance
- Review the Risk Management practices against the projects Risk. Management Strategy.
- Project Support
- Assist the Project Manager in maintaining the projects Risk Register.