
Why is it important?

Taking risks is inevitable in projects. Projects enable change, and change introduces uncertainty, hence risk. Managing risks is therefore necessary to increase the chances of success.

No matter how small a risk may seem, it can undermine the entire project if it does not receive the necessary attention. Effective management of risk is thus a prerequisite for continued business justification.

Terms and definitions

A risk is defined as an uncertainty in reaching objectives, either negatively (threat) or positively (opportunity). In the context of a project, it is the project's objectives that are at risk.

The term risk management refers to the systematic application of procedures for identifying and assessing risks, and then planning and implementing a number of risk responses.

Risk management is applied from the strategic, programme, project and operational perspectives.
The approach can be common across all of these perspectives; however, procedures should be tailored for each perspective.

Figure 8.1 Organizational perspectives

What is the PRINCE2 approach?

The PRINCE2 approach to risk management is based on Management of Risk: Guidance for Practitioners (TSO, 2007), published by AXELOS Limited.

Risk management procedure
When new information becomes available, it is often necessary to repeat earlier steps to achieve the most effective result. The risk management procedure is thus a cyclic process which must take place on a regular basis.

Figure 8.2 The risk management procedure

The risk management procedure comprises the following 5 steps.

Identify context: obtain information about the project.
The starting point for each project is the corporate or programme risk management policy and processes. During Initiating a Project, the project mandate, Project Brief and the Project Product Description are used to determine how risk management will be embedded in the project's activities. The risk management procedure describes that procedure, with the responsibilities, the timing of risk management activities, the reporting requirements and the tools and techniques that will be used. Striking a balance between the level of risk and the potential benefits which the project may achieve is important. The ability to accept the uncertainties of a risk is referred to as risk tolerance.
At the end of each stage, during Managing a Stage Boundary, the approach is reviewed and possibly updated.

Identify risks: determine the threats and opportunities.
During this step, risks are identified and recorded in the Risk Register. These risks are discussed with stakeholders, and possible early warning indicators are prepared to monitor critical aspects of the project.
It is important that risks are expressed in a clear and unambiguous manner.
It can be useful to consider the following aspects of each risk:
Risk cause: the event or situation that gives rise to the risk.
Risk event: the area of uncertainty in terms of threat or opportunity.
Risk effect: the impact should the risk occur.

Estimate: assessing the individual threats and opportunities.
How likely is it that a risk will occur (probability), what is the impact if a risk occurs, when will a risk occur (proximity)?
The impact is measured in terms of time, cost, scope, quality, benefits and resources. When measuring risks we use a quantitative criterion, e.g. rating them as high, medium or low. Quantification of risks can be presented using a risk profile (a graph with the impact shown on the horizontal axis and the probability on the vertical axis). Risks in the upper right corner (above the line for the risk tolerance) will possibly not be accepted.

Evaluate: assessing the total of threats and opportunities.
What is the severity of all the risks when aggregated? Is this level of risk within risk tolerance, and does the project still have continued business justification?

A number of possible responses are examined to reduce or remove the threats and to maximize the opportunities. Possible types of response are:
Avoid: remove the threat, so probability and impact become zero.
Reduce: reduce the probability and/or impact of the threat to an acceptable level.
Fallback: actions are planned in case the threat should occur.
Transfer: the financial impact of the threat is transferred to a third party (e.g. insurance or penalty clauses).
Accept: accept the threat.
Share: parties share the loss if a threat occurs and share the profit if an opportunity occurs (both within agreed limits).
Exploit: actions are planned to ensure the opportunity will happen and the impact is realized.
Enhance: enhance the probability and/or impact of an opportunity.
Reject: the opportunity is not exploited.

The decision-making concerning the selection of responses will be a balance of the costs of those responses against the impact and probability of allowing the risk to occur.
Risk responses often remove only a part of the risk (inherent risk), leaving a remainder of the risk (residual risk). This residual risk can still cause considerable damage to the project, so it can be appropriate to select more than one risk response. Each response will, after implementation, change one or more aspects of the project, which may lead to new risks (secondary risks). It is important that these risks are also identified, assessed and controlled.

Selected responses are subsequently added to the appropriate level of plan (Project Plan, Stage Plan and Work Packages).

This step ensures that planned risk responses are actioned, their effectiveness is monitored and, if necessary, corrective action is undertaken. It must be clear what the responsibilities are of everyone involved in managing the risks. The main roles in this respect are:
Risk owner: the individual who is responsible for management, monitoring and control of a certain risk.
Risk actionee: the individual assigned to carry out risk responses. The risk actionee supports and takes direction from the risk owner.

Communication is an iterative step which ensures that internal and external stakeholders receive the necessary information concerning risks. The Communication Management Strategy should describe what the most appropriate method will be.

Risk budget
Besides time and tools, a risk budget is extremely important for managing risks well.
A risk budget is a sum of money, available in the project budget, to fund responses to threats and opportunities.

What are the responsibilities?

Corporate or programme management
Provide the corporate or programme risk management policy and processes (or similar documents)
Be responsible for all aspects of risk management and ensure that there is a Risk Management Strategy
Ensure Business Case risks are identified, assessed and controlled
Escalate risks to corporate or programme management (when necessary)
Senior User
Ensure user risks are identified, assessed and controlled (such as the impact on benefits, operational use and maintenance)
Senior Supplier
Ensure supplier risks are identified, assessed and controlled (such as the development of the project's products)
Project Manager
Prepare and maintain the Risk Register
Ensure project risks are identified, assessed and controlled throughout the project lifecycle
Team Manager
Participate in the identification, assessment and control of risks
Project Assurance
Assure the implementation of the Risk Management Strategy
Project Support
Assist the Project Manager in maintaining the Risk Register

Sources used

Managing Successful Projects with PRINCE2, 2009 edition