Summarizes the 5-step risk management process in PRINCE2 to effectively identify, assess, and control project uncertainties.
Risk
The purpose of the PRINCE2 risk practice is to identify, assess, and control uncertainty that may affect project objectives, thereby improving the project’s ability to succeed.
Core Definitions
Risk is one or more uncertain events that, if they occur, will have an impact on project objectives.
Two dimensions:
Threat: Something that has a negative (adverse) impact on objectives.
Opportunity: Something that has a positive (beneficial) impact on objectives.
Roles:
Risk owner: A person assigned responsibility for the management of a risk.
Risk actionee: A person assigned to carry out specific risk actions.
Measurement elements:
Probability: The likelihood of the risk occurring.
Impact: The effect if the risk occurs.
Proximity: When the risk is likely to occur.
Velocity: How quickly the impact will be felt once the risk materialises.
Risk attitudes:
Risk exposure: The overall level to which a particular objective is exposed to risk.
Risk appetite: The amount and type of risk that is acceptable.
Risk tolerance: The specific acceptable thresholds for each objective.
Risk budget: Funds set aside specifically for risk responses.
5-Step Risk Management Process (Guidance)
Effective risk management contributes to confidence that project objectives will be achieved and business justification maintained.
5-step risk management cycle
1. Identify: Define the context and describe each risk using cause, event, and effect
2. Assess: Prioritise qualitatively and quantitatively; understand aggregate risk exposure
3. Plan: Select appropriate responses and assign owners
4. Implement: Execute planned actions and monitor their effectiveness
5. Communicate: Share risk information continuously through all reports
1. Identify
The first step of risk management: define the context and identify specific risks.
Define context and objectives: Gather background information to create a shared understanding of what is at risk.
Key influencing factors: User quality expectations, stakeholder needs, inter-organisational relationships, project scale, complexity, delivery method, assumptions, external environment (legal, governance), organisational policies and standards, whether part of a programme
Information sources: Project mandate, Project Brief, Project Product Description
Note: Events that do not impact defined objectives are not considered risks.
Identify threats and opportunities: Any project member can raise risks at any time; once identified, they are immediately recorded in the Risk Register.
Risk components:
Risk cause: The event or situation (trigger) that may give rise to the risk
Risk event: The area of uncertainty itself
Risk effect: The impact on project objectives if the risk materialises
2. Assess
Analyse and evaluate risks from multiple angles to determine response priorities.
Qualitative analysis: Assess probability, impact, proximity, and velocity. Use a risk matrix to visualise trends.
Quantitative analysis: Use modelling techniques such as Monte Carlo analysis to quantify overall risk exposure (quantitative risk cost analysis, quantitative risk schedule analysis).
Assess aggregate risk profile: Evaluate not just individual risks but the overall aggregate risk exposure of the project. If it exceeds risk appetite, develop additional management measures.
3. Plan — Risk Responses
Avoid / Exploit
  Description: Remove the cause, eliminating uncertainty
  Notes: Address through plan changes; may have cost implications
Reduce / Enhance
  Description: Reduce (or increase) probability or impact
  Notes: Adjust residual risk to acceptable levels
Transfer
  Description: Pass part of the risk to a third party (insurance, outsourcing)
  Notes: Not all risks can be transferred
Share
  Description: Share burden and benefit across the supply chain
  Notes: Effective approach to promote collaboration
Accept
  Description: Take no action; accept the full impact if it occurs
  Notes: Cannot be used if risk exceeds tolerance
Contingency
  Description: Prepare a fallback plan (Plan B) if the risk materialises
  Notes: Typically used alongside acceptance
Secondary risks: New risks that arise as a result of implementing a response. These must also be identified and managed.
Escalation: If the risk is within tolerance, the Project Manager can decide. Otherwise, escalate to the Project Board or higher. Early escalation is good practice.
4. Implement
Execute responses: Carry out planned risk actions.
Review effectiveness: Confirm whether implemented actions are achieving expected results.
Corrective action: If responses prove insufficient, promptly take corrective action.
Role assignment: It is essential to identify and agree on the responsibilities of the risk owner and risk actionee for each risk. Avoid assigning too many risks to any single individual.
5. Communicate
Continuous sharing: Share information about threats and opportunities at appropriate times.
Key communication channels: Checkpoint Reports, Highlight Reports, End Stage Reports, Exception Reports, Issue Reports, End Project Reports
Diverse communication methods: Utilise dashboards, notice boards (including electronic), information radiators, discussion threads, and meetings.
Dynamic risk management: Project risk exposure changes constantly; continuously capture new and changing risks and share promptly.
Supporting Techniques
Cause-and-effect diagram (Fishbone)
  Applicable steps: Identify, Plan, Implement
  Overview: Effective for identifying root causes
PESTLE / SWOT analysis
  Applicable steps: Identify
  Overview: Extract threats and opportunities from external and internal environments
Prompt list
  Applicable steps: Identify
  Overview: Checklist based on past lessons and risk breakdown structures (RBS)
Pre-mortem analysis
  Applicable steps: Identify, Assess, Plan
  Overview: Identify risks by working backwards from a hypothetical future failure or success
Swiss cheese model
  Applicable steps: Plan, Implement
  Overview: Consider risks that arise when holes in multiple defences align
Use of data
  Applicable steps: Identify, Assess, Plan, Implement
  Overview: Gain deeper insight into risk relationships using data and facts
Risk Culture and Biases
Optimism bias: Overconfidence that things will go well, leading to underestimation of threats.
Loss aversion: Weighting the avoidance of a loss far more heavily than the pursuit of an equivalent gain.
Groupthink: Prioritising group harmony and suppressing dissent and risk identification.
Proximity bias: Overestimating near-term risks and underestimating distant ones.
Applying the Practice
Organisational Context
Alignment with organisational standards: Align with centrally defined risk management policies, standards, tools, and competency frameworks.
Programme integration: If the project is part of a programme, the Risk Management Approach identifies the types of risks managed at project level and criteria for escalation to the programme.
Commercial Context
Multiple risk registers: Some project risks may be specific to one party, and there may be legitimate reasons not to share the Risk Register with the other party.
Delivery Method
Waterfall: Control is rigorous, but there is a risk of responding slowly to changing user needs.
Agile: Highly flexible in accommodating change, but there is a risk of losing control over agreed baselines.
Management Products Supporting the Practice
Risk Management Approach (part of Project Initiation Documentation)
Purpose: Describe how risk management will be performed in the project. Includes specific procedures, techniques, standards, and responsibilities.
High-level content:
Scope: Description of the scope of the Risk Management Approach
Risk management procedures: Identify, assess, plan, implement, communicate (deviations from business standards highlighted with justification)
Risk tolerance guidance: Additional guidance on risk tolerance levels defined in the Business Case
Responsibilities: Including responsibilities of risk owners and risk actionees
Standards: Rating systems used to assess probability, impact, proximity, and velocity
Risk Register (part of the Project Log)
Purpose: Capture and provide status and history for risks identified in relation to the project.
High-level content:
Risk identifier: Unique reference code for the risk
Risk description: Summary of the risk’s cause, event, and effect
Probability: Estimate of the likelihood of the risk event occurring
Impact: Estimate of the effect of the risk
Risk response: Selected action to respond to the risk
Risk owner: Person responsible for managing the risk
Risk actionee: Person responsible for carrying out risk response actions
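As an added example (not part of the original page or of any PRINCE2 publication), a minimal Risk Register model in Python that ties together the register fields listed above, the qualitative probability x impact rating from the Assess step, the aggregate exposure check against risk appetite, and the Plan step's escalation rule (within tolerance the Project Manager decides, otherwise escalate). The 1-5 rating scale and the tolerance and appetite values are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed 1-5 rating scale (hypothetical); a real Risk Management Approach
# defines its own standards for probability, impact, proximity and velocity.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    identifier: str      # unique reference code
    kind: str            # "threat" or "opportunity"
    cause: str           # trigger
    event: str           # the area of uncertainty itself
    effect: str          # impact on objectives if it materialises
    probability: str     # key into SCALE
    impact: str          # key into SCALE
    proximity: str       # when it is likely to occur
    velocity: str        # how quickly the impact is felt
    response: str = "accept"
    owner: str = ""
    actionee: str = ""

    def score(self) -> int:
        # qualitative rating: probability x impact on the constructed scale
        return SCALE[self.probability] * SCALE[self.impact]


@dataclass
class RiskRegister:
    tolerance: int       # per-risk score above which the Project Manager escalates
    appetite: int        # acceptable aggregate threat exposure
    risks: list = field(default_factory=list)

    def aggregate_exposure(self) -> int:
        # exposure is judged on the whole threat profile, not on single risks
        return sum(r.score() for r in self.risks if r.kind == "threat")

    def exceeds_appetite(self) -> bool:
        # if True, the page's guidance is to develop additional management measures
        return self.aggregate_exposure() > self.appetite

    def decision_level(self, risk: Risk) -> str:
        # within tolerance the Project Manager decides; otherwise escalate
        return "project manager" if risk.score() <= self.tolerance else "project board"

    def overloaded_owners(self, max_per_owner: int) -> list:
        # avoid assigning too many risks to any single individual
        counts = Counter(r.owner for r in self.risks if r.owner)
        return sorted(o for o, n in counts.items() if n > max_per_owner)
```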
Key Roles and Responsibilities
Business Layer: Provide risk management policies, standards, and frameworks. Define project risk appetite. Set project-level risk tolerances and risk budget.
Project Executive: Approve the Risk Management Approach. Set stage-level risk tolerances and risk budget. Make decisions on escalated risks with emphasis on business justification.
Senior User: Ensure risks to users are identified, assessed, and controlled. Make decisions on escalated risks with emphasis on protecting expected benefits.
Senior Supplier: Ensure risks related to supplier aspects are identified, assessed, and controlled. Agree to the Risk Management Approach.
Project Manager: Develop and maintain the Risk Management Approach. Establish and maintain risks in the Risk Register. Ensure project risks are identified, assessed, and controlled.
Team Manager: Implement risk management procedures agreed in the Work Package Description. Contribute to risk identification, assessment, and control.
Project Assurance: Advise the Project Manager on the Risk Management Approach. Assure the Project Board that risks are being managed appropriately.
Project Support: Provide administrative support for risk controls. Create and maintain the Risk Register.
Key Relationships with Principles
Ensure continued business justification
  How achieved: Assess whether identified risks materially impact the Business Case and business justification
  Result: Greater confidence that investment is worthwhile and risk levels are acceptable
Manage by exception
  How achieved: Empower those best placed to manage risks and implement risk actions. Escalate risks forecast to exceed tolerances
  Result: Confidence that threats and opportunities are managed at the appropriate level
Focus on products
  How achieved: Understand risks related to defining, developing, and delivering specialist and management products
  Result: Clarity about threats and opportunities related to product development
Tailor to suit the project
  How achieved: Ensure the Risk Management Approach and procedures are appropriate for the type, size, and complexity of the project
  Result: Clearly defined threat and opportunity management aligned with relevant organisational standards