In PRINCE2, the Risk theme focuses on managing project risks. Effective risk management maximizes a project’s chance for success.
The first crucial question when defining risk management is “what is a risk?”
- A risk is an event, or a set of related events
- It must be possible, but not necessary, for the event(s) to occur
- The event(s), were they to occur, would have an impact on the objectives of the project (i.e., on whether, or how, those objectives are achieved)
- This impact can be either positive (an “opportunity”) or negative (a “threat”).
Risk management approach
To ensure effective and consistent risk management during a project, it is important to document how risk management will be integrated into project management activities.
PRINCE2 recommends a risk management approach, which should be produced by the project manager during the initiation stage, for this purpose.
The contents of the risk management approach encompass the goals, procedure and roles/responsibilities (and their reporting requirements) of risk management on the project, as well as the timing, budget, tools, and techniques allocated to risk management activities and interventions.
A further aspect of the risk management approach is risk-taking, i.e., the level of risk that the project board will allow, also referred to as the risk tolerance.
If exposure to a risk is perceived to exceed the tolerance level set by the project board then the project manager must create an exception report to submit to the project board for a decision. This enables the project board to take decisions on risks that fall beyond acceptable levels. Any risk which is within such risk tolerance can simply be monitored for any changes in its circumstances. In other words, it will be accepted.
Corporate or programme management can also set a risk tolerance for the project. If that tolerance were forecast to be exceeded, the project board would in turn need to escalate the risk to corporate or programme management for a decision.
The risk management approach provides details about two particular risk management roles: the risk owner and the risk actionee. The risk owner is the individual who manages, monitors, and controls the risk, and the response(s) to it. The risk actionee is the person who performs the actual activities required for the risk response.
The risk budget is part of the overall project budget but is set aside specifically for risk response activities. The project manager sizes it by assessing the project's risks in financial terms, i.e., evaluating the likelihood and financial impact of each risk together with the cost of its planned response.
In addition to a risk management approach, every PRINCE2 project has a risk register, which is similarly created during the initiation stage, and maintained by the project manager or project support.
The risk register is the management product in which all the information about each risk is documented, such as a description of the risk, the people associated with managing the risk (e.g., the risk owner), the response to be carried out, and an evaluation of the risk in terms of expected value (i.e., a quantifiable measure combining probability and financial impact, facilitating appropriate risk prioritization).
Risk management procedure
The risk management procedure recommended by PRINCE2 involves five steps: identify, assess, plan, implement and communicate. The first two are outlined below; the remaining three are described in the paragraphs that follow.
Identify
- Obtain information about the project's context, e.g., the organization's risk management policy, which expresses its ‘risk appetite’ (the customer organization's attitude to risk taking)
- Clarify project objectives, and identify which are at risk
- Create a risk management approach
- Identify risks (both threats and opportunities), describing each in terms of its cause, the uncertain event itself, and its effect on objectives were it to occur
- Enter risks into the project's risk register
Assess
Each risk is first estimated in terms of:
- Probability (how likely the risk is to happen)
- Impact (its effect on the project's objectives)
- Proximity (how soon it is likely to take place if nothing is done).
The risks are then evaluated together:
- The purpose of risk evaluation is to describe the net effect of all project risks
- Risk evaluation reveals the overall risk severity of the project, which can be compared with the risk tolerance set by the project board.
Once the project risks have been defined and evaluated, the project manager identifies the possible risk responses, and recommends which is to be carried out. The response chosen is included in the appropriate plan.
A risk response will not simply aim at removing a risk. Remember that risks include both threats and opportunities. Risk responses should therefore be proposed and selected to minimize threats and maximize opportunities.
A further consideration in choosing a risk response is to balance the cost of its implementation against the probability and impact of the risk if it were to occur.
Implementation of the risk response, undertaken by the risk actionee, must be appropriately monitored. If its effects do not match what was expected, corrective action may be necessary, and the risk may need to be re-assessed, which means repeating the steps of the risk management procedure.
Key to the success of all project management activities is communication; and risk management is no exception to this rule. Communication activities are performed continually, underpinning all the steps in the PRINCE2 risk management procedure.
It is crucial to communicate risk information, both to project team members and stakeholders external to the project. PRINCE2 recommends several management products that can be used to communicate this information: checkpoint reports and highlight reports, end stage reports and end project reports, and exception reports.
Furthermore, at the end of either a stage or the project, if risk management is found to have been inadequate, suggestions for improving the risk management approach should be documented in a lessons report. This enables other projects, or later stages of this project, to benefit from improvements in the approach to risk management.
There are nine categories of risk response within the PRINCE2 risk management framework. These nine categories can be further classified into three groups: responses to threats, responses to opportunities, and responses to both threats and opportunities.
Risk response categories for threats
- Avoid
A change is made (e.g., to project scope) so that either the threat can no longer occur or it can no longer have an effect on project objectives.
- Reduce
Action to reduce either the probability or the impact of the threat. This, like ‘Avoid’, is a proactive response category (i.e., action is taken before the risk occurs).
- Prepare contingent plans
This response is performed only if the risk occurs, and is therefore reactive rather than proactive. As a result, it does not affect the risk's probability, but mitigates its impact. (Earlier editions of PRINCE2 call this category ‘Fallback’.)
- Transfer
The financial impact of a threat can be transferred, in part, to a third party (e.g., by taking out insurance, or by building penalty payments for late delivery into suppliers’ contracts). Transfer is usually only partial: the non-financial impact (e.g., the delay itself) remains with the project.
- Accept
A conscious decision to do nothing other than monitor. If a threat is accepted, its probability and impact must be monitored carefully, to make sure that the risk does not move beyond an acceptable level.
Risk response categories for opportunities
- Exploit
Action to seize the opportunity, ensuring that the uncertain event occurs and its benefit is realized (the direct opposite of ‘Avoid’).
- Enhance
Proactive response, increasing either the probability or the impact of the opportunity (the direct opposite of ‘Reduce’).
- Reject
Again, this is a conscious decision to do nothing. In some situations, it may be preferable not to exploit or enhance the opportunity. Just like ‘Accepted’ threats, a rejected opportunity should be carefully monitored.
Risk response category for both threats and opportunities
- Share
The procurement contract may include a pain/gain formula, according to which both parties (customer and supplier) share the gain if costs are lower than planned, and the pain if costs exceed what was expected. This response is usually agreed before the risk event occurs, so that both parties know in advance how savings and overruns will be divided.