PRINCE2® wiki

Most Project Managers don’t really get a chance to practice Risk Management. This is covered very well in all the Project Management methods, but it seems to get forgotten about as soon as the project starts up. Even if Project Managers spend an appropriate amount of time on Risk Management, they may stop once they realize that nobody is interested in the Risk information, as there may be very little awareness of Risk Management in the organization.

Project Managers are not to blame. They first need a Risk Management Approach to follow, and the rest of the organization also has to be aware of the importance of Risk Management. If you are working in a Program environment, there will most likely be a standard approach to Risk Management and hopefully you will have received training.

If you are not working in a Program environment, then you should check if there are standard procedures available for Risk Management in the company or in use by other Project Managers.

The knowledge provided in this Risk Theme provides an excellent approach to Risk Management that you will be able to understand and use. I believe that the most important thing to understand in this theme is the structure of the Risk Register, how to use it to enter Risk information, and how to track risks during the project.

A good tip to remember is to ask your Executive “How should risk be assessed, tracked and communicated during the project?” This will give you a very good idea of Risk awareness for the project and perhaps for the organization.


The purpose of the Risk Theme is to provide an approach to “identify, assess and control uncertainty during a project and as a result, improve the ability of the project to succeed”.

You could also say that the purpose of the Risk Theme is that “it looks at identifying, assessing and controlling uncertainty and improves the ability of the project to succeed”.

Why is there Risk in a project?

As projects are about doing something new, the change introduces uncertainty and uncertainty is risk. The project needs to know how to identify risk, how to assess this risk, and how to control this risk, as risk may affect the project objectives.

When is Risk Management done in the project?

Risk Management is not just done at the start of the project but must be a continual activity during the full life of the project; it is therefore one of the main tasks for the Project Manager. It is the Executive that is responsible for Risk in a project, and they rely on the Project Manager to continually identify, assess and control risks throughout the project.

Risk Definitions

What is Risk?

PRINCE2 has a specific definition for Risk, which is taken from the MoR® method.

Risk is a set of events that, should they occur, will have an effect on achieving the project objectives.

Another definition is:

Risk is an uncertain event that, if it occurs, will have a positive or negative effect on a project objective.

Risk can be seen as positive or negative. Another way to say this is a Risk can be seen as a Threat or Opportunity. Describing Risk as a positive – or should I say an opportunity – might be new for you, so here is an example. There is a project to develop a new CRM system (sales system) and there is a Risk that we can get a reduction of 50% on the warehouse integration module which has a value of €15,000. This Risk is an opportunity, as it will have a positive impact on the project.

What is at risk?

If I were to ask you the question, “What is at risk in the project?” you might say that the project was at risk, or perhaps User satisfaction with using the product was at risk. PRINCE2 takes another view on this. It states that the Project’s objectives are at risk, and these include the six performance targets of time, cost, quality, scope, benefits and risk.

What is Risk Management?

Risk Management is about the steps you take in a systematic way that will enable you to identify, assess and control risk. This Risk Theme provides an approach to manage Risk in a project. There are three steps to Risk Management which are Identification, Assessment and Control:

A new Risk can arise at any time in the project. The Project Manager should ask questions, like:

The Management of Risk Method and Risk Context

PRINCE2 makes use of the other AXELOS method, which is Management of Risk (MoR). As a result, PRINCE2 takes advantage of all the procedures and principles that have already been defined instead of trying to re-invent the wheel. The MoR method is a generic approach to Risk and has the following approach:

Risk Context

If someone asks you what a certain word means, you may ask “in what context?”. Here, you are asking what the context is from a Risk point of view.

Example 1: If the project is a NASA space project and a device has to work for 10 years in orbit, this is a good example of a very low risk-tolerance project.

Example 2: We are developing a simple prototype for in-house use only and this product will have a lifetime of less than 4 months, so not everything has to work with this product. This is an example of a high risk-tolerance project.

Note: A project that has a high risk tolerance is said to have a big risk appetite, as it can take on lots of risk.

When first considering Risk, the first question should be: “What risk policies already exist in the company or in the Programme environment today that can be used so there is no need to re-identify them?” If a policy does exist, then it will provide the following information:

The Risk Management Approach

PRINCE2 recommends that each project have its own Risk Management Approach document. This document defines the project procedures for Risk Management, in terms of how Risk will be identified, assessed, controlled and communicated in the project.

Another way to say this is: the Risk Management Approach describes the specific risk management techniques and standards to be applied during the project, and the responsibilities to provide a good and consistent risk management procedure.

This might seem like a big task, but if your project is part of a program, then most of the Risk Management Approach will already be provided to you in a detailed template that you can update to suit the project. The Risk Management Approach is created (customized to suit the project) in the Initiation stage by the Project Manager.

The Risk Register

The Risk Register captures and maintains the information (both threats and opportunities) on all the risks that were identified and relate to the project. So it provides a record of all risks including their status and history.

Risk Register Example:

Risk Register Sample

The last point I would like to make about the Risk Register is that the Project Manager is responsible for it but it is the Project Support role that will maintain it. The Risk Management Approach document will describe how the Risk Register should be configured and used.

The Risk Management Procedure

The Risk Management Procedure is a set of five steps that are recommended by PRINCE2. To help remember this, think of the following sentence when you think of Risk: “I Ate Peaches In China”, which stands for Identify, Assess, Plan, Implement and Communicate. The first 4 steps are sequential, while Communicate will always be done to let stakeholders know what is going on and to get continual feedback during this process.

Risk management steps:

  1. Identify: First complete the Risk Management Approach document for the project, and then identify the risks (threats and opportunities) that could affect the project.
  2. Assess: Assess the risks in terms of their probability and impact on the project objectives.
  3. Plan: Here, your Plan steps are to prepare the specific response to the threats (e.g., to help reduce or avoid the threat), or this could also be to plan to maximize the opportunity if the risk happens.
  4. Implement: Carry out the responses planned in step 3 (Plan) if the risk occurs.
  5. Communicate: Keep communicating to the stakeholders. Use existing management reports that are created during the project (e.g., End Stage Report).

Step 1: Identify

The Identify step can be divided into a number of smaller steps.

Step 2: Assess Risk

Assess Risk covers two actions: Estimating and Evaluating Risk. You will see that these go together.

Estimating is about assessing the probability, the impact, and the proximity for each threat or opportunity. These are three of the columns in the Risk Register.

Evaluating is to group all the risks together (both threats and opportunities) and get an overall Risk Value for the whole project.


There are a number of techniques for estimating Risk, such as probability trees, expected value, Pareto analysis, and probability impact grid. You do not need to know these for the exam. I will give one example, so that you’ll have a good idea of how to use one of these.

The Expected Value technique: This technique combines impact cost (e.g., €80,000) with the probability (e.g., 5%). In other words, it weights the cost of the impact by the probability that the risk occurs.

PRINCE2 recommends that the following is understood for each threat and each opportunity:

Let us say there is a threat that a supplier will take 20% longer to do their tasks than planned. The impact at the start of a project is for the whole project, while the impact towards the end may cover only one stage. So, the Impact of this risk gets lower as the project goes on.

PRINCE2 recommends plotting the estimates on a Summary Risk Profile diagram. This is a Probability versus Impact diagram and it’s an easy way to compare risks with each other. I would strongly advise you to take a good look at the Summary Risk Diagram example and understand its structure.

Summary Risk Profile

There are a number of advantages to this diagram:

The Project Manager is expected to provide Risk information to the Executive and Project Board e.g., at the end of each stage. So the Project Manager will include information on any changes to the Risk above the Risk Tolerance line (see red dotted line) in the End Stage Report. The Project Manager will immediately inform the Executive if a risk moves from below to above the Risk Tolerance line.


The objective of Evaluate is to assess all the risks together (both threats and opportunities) and get an overall Risk Value for the whole project. From a Corporate, Programme Management or Project Board point of view, such a figure for each project before it starts would be very useful. For example, a Project Board might want to continue with a project only if the risk for the project is less than an agreed tolerance.

How do you think we could get a risk value for the whole project?

Earlier in this theme we gave an example using the expected monetary value technique to assign a value to a risk. The calculation in the example was €1,600. Imagine adding all these values together for each risk. This would give you the Risk Value of the whole project. Remember to include any opportunities in the calculation. As you can imagine, opportunities will have positive amounts, while threats will have negative amounts.

To summarize, Estimate deals with one risk at a time, and Evaluate groups all risks together to give one Risk Value for the whole project.
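The Estimate and Evaluate steps described above, as an added Python example that is not part of the original wiki: each risk gets a signed expected value, the values are summed into one Risk Value, and that figure is compared with an agreed tolerance. The field names, probabilities, threat amounts and tolerance figures are constructed for illustration; only the opportunity's €7,500 gain (50% off the €15,000 module) is taken from the CRM example on this page.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    kind: str             # "threat" or "opportunity"
    probability_pct: int  # estimated probability, 0-100
    impact_eur: int       # estimated cost (threat) or gain (opportunity)

    def expected_value(self) -> float:
        """Estimate: impact weighted by probability, negative for threats."""
        if self.kind not in ("threat", "opportunity"):
            raise ValueError(f"{self.risk_id}: unknown kind {self.kind!r}")
        if not 0 <= self.probability_pct <= 100:
            raise ValueError(f"{self.risk_id}: probability out of range")
        sign = -1 if self.kind == "threat" else 1
        return sign * self.impact_eur * self.probability_pct / 100


def project_risk_value(register: list[Risk]) -> float:
    """Evaluate: one Risk Value for the whole project (threats net of opportunities)."""
    return sum(r.expected_value() for r in register)


def within_tolerance(register: list[Risk], tolerance_eur: float) -> bool:
    """True if the net expected loss is less than the agreed tolerance."""
    net_expected_loss = -project_risk_value(register)
    return net_expected_loss < tolerance_eur


# Constructed sample register (illustrative values, not from the page,
# except the 7,500 gain derived from the page's CRM opportunity).
REGISTER = [
    Risk("R1", "threat", 10, 50_000),      # -5,000
    Risk("R2", "threat", 25, 12_000),      # -3,000
    Risk("R3", "opportunity", 40, 7_500),  # +3,000
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_id} {r.kind:<12} {r.expected_value():>10,.0f} EUR")
    print(f"Project Risk Value: {project_risk_value(REGISTER):,.0f} EUR")
    print("Within tolerance of 6,000 EUR:", within_tolerance(REGISTER, 6_000))
```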

Step 3: Plan is about planning the Responses

Planning the responses is about planning specific responses to the threats and opportunities. The objective of planning the responses to risk is to reduce the threats and maximize the opportunities.

If the Project Manager fails to plan a response to a risk, they will be caught off-guard if this risk materializes. It is always good to be prepared. After all, failing to plan is planning to fail. For example, if your project is to organize an outdoor event and one of the risks is a threat of rain…if you do nothing to prepare for this and halfway during the concert it starts to rain heavily, it’s a bit too late to start erecting a tent or ordering plastic ponchos to distribute.

Risk Responses

Responses to Threats

PRINCE2 suggests 6 responses for threats and four responses for opportunities.

The 6 responses for threats are: Avoid, Reduce, Fallback, Transfer, Share and Accept. The 4 responses for opportunities are: Exploit, Enhance, Share and Reject.

Note: Our goal is to reduce / prevent the risk from having an effect on our project. For instance, we could prevent the rain from having an effect on our concert if we move it indoors. It still could rain, but it will no longer have an impact as far as the concert project is concerned.

Responses to Opportunities

The responses to opportunities are: Share, Exploit, Enhance and Reject. Note: For the exam, you just need to be able to recognize these responses.

Step 4: Implement the Responses

Forecast. The main thing to decide in this step is:

The PRINCE2 manual mentions two specific roles which are: Risk Owner and Risk Actionee.

Note: The Risk Owner and Risk Actionee could be the same person.

Step 5: Communicate

Communicate is the 5th step in the PRINCE2 Risk Management procedure, but is actually done throughout the whole Risk Management procedure. This communication step ensures that the information related to the threats and opportunities faced by the project is communicated within and outside the project to all necessary stakeholders.

How do you think the Project Manager communicates?

The existing management report products are used to communicate Risk information, such as:

And the guidelines for reporting come from the Communication Management Approach document.

How does the Project Manager decide which risk information to communicate?

The Project Manager will ask such questions as, “What has changed since the last report?” as Risk is never static. Think again of the Summary Risk Diagram and that a Risk can move around the diagram or even above or below the Risk threshold line during the project as conditions change.

Other less formal methods such as meetings and memos can also be used.

Risk Budget

A Risk Budget is a sum of money that is put aside just to deal with specific responses to threats or opportunities. It cannot be used for anything else. Certain responses to Risk will require certain actions to be done that cost money; this will be budgeted in the Risk Budget.

What can the Risk Budget be used for?

The PRINCE2 manual reminds us that this budget is used for responding to risks that occur. It should not be used to fund extra requirements that are introduced in the project or cover the cost of any delays. The Risk Budget has nothing to do with the Change Budget, so it should not be raided if the Change Budget is empty.

Roles and Responsibilities

PRINCE2 wiki is open-source and published for free under a Creative Commons license.

Written by Frank Turley