Project Management - Risk

Published 2026-04-17 12:12 1814 words 10 min read


issyuu

Quiet waters, shimmering Lakeheart Retreat; thoughts and daily musings woven by the peaceful waterside.

Summarizes the 5-step risk management process in PRINCE2 to effectively identify, assess, and control project uncertainties.

Risk

The purpose of the PRINCE2 risk practice is to identify, assess, and control uncertainty that may affect project objectives, thereby improving the project’s ability to succeed.

Core Definitions

Risk is one or more uncertain events that, if they occur, will have an impact on project objectives.

  • Two dimensions:
    • Threat: Something that has a negative (adverse) impact on objectives.
    • Opportunity: Something that has a positive (beneficial) impact on objectives.
  • Roles:
    • Risk owner: A person assigned responsibility for the management of a risk.
    • Risk actionee: A person assigned to carry out specific risk actions.
  • Measurement elements:
    • Probability: The likelihood of the risk occurring.
    • Impact: The effect if the risk occurs.
    • Proximity: When the risk is likely to occur.
    • Velocity: How quickly the impact will be felt once the risk materialises.
  • Risk attitude and thresholds:
    • Risk exposure: The overall level to which a particular objective is exposed to risk.
    • Risk appetite: The amount and type of risk that is acceptable.
    • Risk tolerance: The specific acceptable thresholds for each objective.
    • Risk budget: Funds set aside specifically for risk responses.

5-Step Risk Management Process (Guidance)

Effective risk management contributes to confidence that project objectives will be achieved and business justification maintained.

Figure: 5-step risk management cycle

Step | Description
1. Identify | Define the context and describe each risk using cause, event, and effect
2. Assess | Prioritise qualitatively and quantitatively; understand aggregate risk exposure
3. Plan | Select appropriate responses and assign owners
4. Implement | Execute planned actions and monitor their effectiveness
5. Communicate | Share risk information continuously through all reports

1. Identify

The first step of risk management: define the context and identify specific risks.

  1. Define context and objectives: Gather background information to create a shared understanding of what is at risk.
  • Key influencing factors: User quality expectations, stakeholder needs, inter-organisational relationships, project scale, complexity, delivery method, assumptions, external environment (legal, governance), organisational policies and standards, whether part of a programme
  • Information sources: Project mandate, Project Brief, Project Product Description
  • Note: Events that do not impact defined objectives are not considered risks.
  2. Identify threats and opportunities: Any project member can raise risks at any time; once identified, they are immediately recorded in the Risk Register.
  • Risk components:
    Item | Description
    Risk cause | The event or situation (trigger) that may give rise to the risk
    Risk event | The area of uncertainty itself
    Risk effect | The impact on project objectives if the risk materialises

2. Assess

Analyse and evaluate risks from multiple angles to determine response priorities.

  • Qualitative analysis: Assess probability, impact, proximity, and velocity. Use a probability/impact matrix (risk matrix) to visualise priority, and compare successive matrices to see trends over time.
  • Quantitative analysis: Use modelling techniques such as Monte Carlo analysis to quantify overall risk exposure (quantitative risk cost analysis, quantitative risk schedule analysis).
  • Assess aggregate risk profile: Evaluate not just individual risks but the overall aggregate risk exposure of the project. If it exceeds risk appetite, develop additional management measures.

3. Plan — Risk Responses

Response option | Description | Notes
Avoid (threat) / Exploit (opportunity) | Remove the cause of a threat, or make an opportunity certain, eliminating the uncertainty | Addressed through plan changes; may have cost implications
Reduce (threat) / Enhance (opportunity) | Reduce the probability or impact of a threat, or increase the probability or impact of an opportunity | Brings residual risk to an acceptable level
Transfer | Pass part of the risk to a third party (insurance, outsourcing) | Not all risks can be transferred
Share | Share burden and benefit across the supply chain | Effective approach to promote collaboration
Accept | Take no action; accept the full impact if it occurs | Cannot be used if the risk exceeds tolerance
Contingency | Prepare a fallback plan (Plan B) to be triggered if the risk materialises | Typically used alongside acceptance
  • Secondary risks: New risks that arise as a result of implementing a response. These must also be identified and managed.
  • Escalation: If the risk is within tolerance, the Project Manager can decide. Otherwise, escalate to the Project Board or higher. Early escalation is good practice.
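As an added worked example (not part of the original post, and not PRINCE2's own material), the following Python ties the three steps above together: the cause/event/effect fields of the Identify step become a small register, the Assess step is shown both as a qualitative 5x5 probability/impact matrix and as a Monte Carlo estimate of aggregate cost exposure, and the Plan step's escalation rule compares that exposure with a tolerance. The four risks, their cost figures, the band boundaries and the tolerance value are all constructed for illustration; PRINCE2 does not prescribe those thresholds.

```python
"""Added example: a PRINCE2-style risk register scored on a 5x5 matrix, then a
Monte Carlo estimate of aggregate exposure checked against a tolerance.
All risks, figures and band boundaries are constructed for illustration."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Risk:
    identifier: str      # unique reference in the Risk Register
    cause: str           # trigger (cause)
    event: str           # the uncertainty itself (event)
    effect: str          # consequence for objectives (effect)
    probability: float   # 0..1 likelihood that the event occurs
    impact: float        # cost if it occurs; negative = opportunity (benefit)
    proximity_days: int  # when it is likely to occur
    owner: str           # risk owner
    actionee: str        # risk actionee


# Constructed sample register; the descriptions are hypothetical.
REGISTER = [
    Risk("R1", "Single supplier for a hardware component", "Supplier misses delivery milestone",
         "Stage 2 slips; overtime costs", 0.30, 50_000, 45, "Senior Supplier", "Team Manager A"),
    Risk("R2", "Third-party library pinned to an old release", "Serious defect disclosed mid-project",
         "Emergency rework and external retest", 0.10, 200_000, 120, "Project Manager", "Team Manager B"),
    Risk("R3", "Ambiguous user quality expectations", "Acceptance tests rejected by Senior User",
         "Rework of acceptance criteria", 0.60, 20_000, 30, "Senior User", "Team Manager A"),
    Risk("R4", "Shared cloud landing zone ready early", "Reuse of its existing identity baseline",
         "Saving on the identity workstream", 0.40, -30_000, 60, "Project Manager", "Team Manager B"),
]

# Assumed band boundaries for the matrix (PRINCE2 does not prescribe these).
PROBABILITY_CEILINGS = (0.10, 0.30, 0.50, 0.70, 1.00)            # bands 1..5
IMPACT_RATIO_CEILINGS = (0.05, 0.10, 0.25, 0.50, float("inf"))   # |impact| / tolerance


def band(value, ceilings):
    """Map a value onto bands 1..5 by the first ceiling it does not exceed."""
    for score, ceiling in enumerate(ceilings, start=1):
        if value <= ceiling:
            return score
    return len(ceilings)


def qualitative_score(risk, tolerance):
    """Matrix score = probability band x impact band (1..25). Magnitude only,
    so threats and opportunities rank on the same scale."""
    return (band(risk.probability, PROBABILITY_CEILINGS)
            * band(abs(risk.impact) / tolerance, IMPACT_RATIO_CEILINGS))


def prioritised(register, tolerance):
    """Risk identifiers ordered by matrix score, nearest proximity first on ties."""
    ordered = sorted(register, key=lambda r: (-qualitative_score(r, tolerance), r.proximity_days))
    return [r.identifier for r in ordered]


def expected_exposure(register):
    """Analytic expected aggregate cost: sum of probability x impact."""
    return sum(r.probability * r.impact for r in register)


def simulate_exposure(register, trials=20_000, seed=7):
    """Monte Carlo: each trial realises every risk independently and sums the
    resulting cost. Returns the sorted list of trial totals."""
    rng = random.Random(seed)
    totals = [sum(r.impact for r in register if rng.random() < r.probability)
              for _ in range(trials)]
    totals.sort()
    return totals


def percentile(sorted_samples, q):
    """Value below which a fraction q of the trials fall (e.g. q=0.8 for P80)."""
    index = min(len(sorted_samples) - 1, int(q * len(sorted_samples)))
    return sorted_samples[index]


def escalation_decision(exposure, tolerance):
    """Manage by exception: within tolerance the Project Manager decides,
    otherwise the exposure is escalated to the Project Board."""
    if exposure > tolerance:
        return "escalate to Project Board"
    return "within tolerance: Project Manager decides"


if __name__ == "__main__":
    tol = 100_000  # assumed stage-level cost tolerance for risk
    print("matrix priority:", prioritised(REGISTER, tol))
    samples = simulate_exposure(REGISTER)
    p80 = percentile(samples, 0.80)
    print(f"expected exposure {expected_exposure(REGISTER):,.0f}; P80 exposure {p80:,.0f}")
    print(escalation_decision(p80, tol))
```

Note the deliberate mismatch between the two views: R2 ranks last on the matrix because its probability band is the lowest, yet it carries the largest expected cost and dominates the tail of the simulated distribution. That is why the Assess step calls for an aggregate, quantitative view in addition to per-risk qualitative ranking, and why the escalation check is made on the aggregate exposure rather than on any single risk.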

4. Implement

  • Execute responses: Carry out planned risk actions.
  • Review effectiveness: Confirm whether implemented actions are achieving expected results.
  • Corrective action: If responses prove insufficient, promptly take corrective action.
  • Role assignment: It is essential to identify and agree on the responsibilities of the risk owner and risk actionee for each risk. Avoid assigning too many risks to any single individual.

5. Communicate

  • Continuous sharing: Share information about threats and opportunities at appropriate times.
  • Key communication channels: Checkpoint Reports, Highlight Reports, End Stage Reports, Exception Reports, Issue Reports, End Project Reports
  • Diverse communication methods: Utilise dashboards, notice boards (including electronic), information radiators, discussion threads, and meetings.
  • Dynamic risk management: Project risk exposure changes constantly; continuously capture new and changing risks and share promptly.

Supporting Techniques

Technique | Applicable steps | Overview
Cause-and-effect diagram (fishbone) | Identify, Plan, Implement | Effective for identifying root causes
PESTLE / SWOT analysis | Identify | Extract threats and opportunities from external and internal environments
Prompt list | Identify | Checklist based on past lessons and risk breakdown structures (RBS)
Pre-mortem analysis | Identify, Assess, Plan | Identify risks by working backwards from a hypothetical future failure or success
Swiss cheese model | Plan, Implement | Consider risks that arise when holes in multiple layers of defence align
Use of data | Identify, Assess, Plan, Implement | Gain deeper insight into risk relationships using data and facts

Risk Culture and Biases

  • Optimism bias: Overconfidence that things will go well, leading to underestimation of threats.
  • Loss aversion: Weighting losses far more heavily than equivalent gains, which biases responses toward avoiding threats at the expense of pursuing opportunities.
  • Groupthink: Prioritising group harmony and suppressing dissent and risk identification.
  • Proximity bias: Overestimating near-term risks and underestimating distant ones.

Applying the Practice

Organisational Context

  • Alignment with organisational standards: Align with centrally defined risk management policies, standards, tools, and competency frameworks.
  • Programme integration: If the project is part of a programme, the Risk Management Approach identifies the types of risks managed at project level and criteria for escalation to the programme.

Commercial Context

  • Multiple risk registers: Some project risks may be specific to one party, and there may be legitimate reasons not to share the Risk Register with the other party.

Delivery Method

  • Waterfall: Control is rigorous but risk of slow response to changing user needs.
  • Agile: High flexibility for change but risk of losing control over agreed baselines.

Management Products Supporting the Practice

Risk Management Approach (part of Project Initiation Documentation)

  • Purpose: Describe how risk management will be performed in the project. Includes specific procedures, techniques, standards, and responsibilities.
  • High-level content:
    • Scope: Description of the scope of the Risk Management Approach
    • Risk management procedures: Identify, assess, plan, implement, communicate (deviations from business standards highlighted with justification)
    • Risk tolerance guidance: Additional guidance on risk tolerance levels defined in the Business Case
    • Responsibilities: Including responsibilities of risk owners and risk actionees
    • Standards: Rating systems used to assess probability, impact, proximity, and velocity

Risk Register (part of the Project Log)

  • Purpose: Capture and provide status and history for risks identified in relation to the project.
  • High-level content:
    • Risk identifier: Unique reference code for the risk
    • Risk description: Summary of the risk’s cause, event, and effect
    • Probability: Estimate of the likelihood of the risk event occurring
    • Impact: Estimate of the effect of the risk
    • Risk response: Selected action to respond to the risk
    • Risk owner: Person responsible for managing the risk
    • Risk actionee: Person responsible for carrying out risk response actions

Key Roles and Responsibilities

Role | Key responsibilities
Business layer | Provide risk management policies, standards, and frameworks. Define project risk appetite. Set project-level risk tolerances and risk budget
Project Executive | Approve the Risk Management Approach. Set stage-level risk tolerances and risk budget. Make decisions on escalated risks with emphasis on business justification
Senior User | Ensure risks to users are identified, assessed, and controlled. Make decisions on escalated risks with emphasis on protecting expected benefits
Senior Supplier | Ensure risks related to supplier aspects are identified, assessed, and controlled. Agree to the Risk Management Approach
Project Manager | Develop and maintain the Risk Management Approach. Establish and maintain risks in the Risk Register. Ensure project risks are identified, assessed, and controlled
Team Manager | Implement risk management procedures agreed in the Work Package Description. Contribute to risk identification, assessment, and control
Project Assurance | Advise the Project Manager on the Risk Management Approach. Assure the Project Board that risks are being managed appropriately
Project Support | Provide administrative support for risk controls. Create and maintain the Risk Register

Key Relationships with Principles

Principle | How achieved | Result
Ensure continued business justification | Assess whether identified risks materially impact the Business Case and business justification | Greater confidence that the investment is worthwhile and risk levels are acceptable
Manage by exception | Empower those best placed to manage risks and implement risk actions. Escalate risks forecast to exceed tolerances | Confidence that threats and opportunities are managed at the appropriate level
Focus on products | Understand risks related to defining, developing, and delivering specialist and management products | Clarity about threats and opportunities related to product development
Tailor to suit the project | Ensure the Risk Management Approach and procedures are appropriate for the type, size, and complexity of the project | Clearly defined threat and opportunity management aligned with relevant organisational standards

Comparison with Other Frameworks

Concept | PRINCE2 | PMBOK | PgMP
Risk management process structure | 5 steps (Identify, Assess, Plan, Implement, Communicate) | 6 processes in the PMBOK Guide 5th edition (Plan, Identify, Qualitative Analysis, Quantitative Analysis, Response Planning, Monitor & Control); the 6th edition adds Implement Risk Responses, making 7 | (TBD)
Risk documents | Risk Management Approach, Risk Register | Risk Management Plan, Risk Register | (TBD)
Risk response types | Avoid/Exploit, Reduce/Enhance, Transfer, Share, Accept, Contingency | Avoid, Mitigate, Transfer, Accept (threats); Exploit, Enhance, Share (opportunities); the 6th edition adds Escalate for both | (TBD)


© 2020 - 2026 issyuu @Lakeheart Retreat