PRINCE2 risk managementRisk Management in a PRINCE2 project.

Taking a simplistic definition of risk; “an event that has yet to happen, it may or may not happen at some point in the future, but if it does it will have an impact on my project”, you may be fooled into thinking that risk management is hard.  But you would be wrong!

Many projects fail due to poor risk management which is totally unnecessary as there is a very logical and straightforward approach to the management of risks within a PRINCE2 project.

By taking the mindset “what could possibly go wrong with my project” making a list of such situations, and then working out how to either prevent or minimize the risk (at a minimum just to control it), would greatly reduce the number of failed projects.

Performing risk management will protect your project and prevents or controls situations that would have as a minimum, caused problems, and at a maximum, potentially ruin the project.

PRINCE2 includes a well documented risk theme that covers all potential project and organisational risks.

A definition of risk is “the adverse consequences of future events” but this only assumes that a risk is some form of negative threat to the project objectives, whereas in fact, a risk may also give rise to a positive outcome and this is called an opportunity.

In keeping with this fact, PRINCE2 now defines risk as “an uncertain event or set of events that, should it occur, would have an effect on the achievement of objectives”.

The first step in the risk management is to develop the risk management strategy so that you clearly understand how risks will be handled during the project.  This is the project risk “how-to” document!

As part of tailoring PRINCE2 according to the individual project risk environment, the risk management strategy will define the your risk approach for a particular project and this forms part of the project initiation documentation created within the initiation stage.

As part of managing risk, responses for each risk will be determined, and such responses will require actions and resources to carry them out.  Therefore risk management does not come free but instead needs to be budgeted for accordingly.  This is called the risk budget.

The risk budget has several advantages as it makes clear what portion of the project funding will be put aside for each risk, and since this budget forms part of the whole project budget, then the project manager already has the authority to use it.

The key management tool used here is the risk register which provides a record of all identified risks within the project and includes their status and history.

PRINCE2 Risk Management model.

PRINCE2 has a procedural based risk management model consisting of four elements, with a fifth element called ‘communicate’ which works in parallel with the previous four:

prince2 risk management






risk managementSince PRINCE2 projects are the mechanisms for change, and therefore will always include risk aspects when changing from the old to the new ways of working, they must use risk management in order to be successful. More precisely, risk is really uncertainty and it is this that must be managed.

In the context of PRINCE2 project it is the project objectives that are at risk, and it is important to establish and maintain a cost effective risk management procedure.

To perform effective risk management we need to understand risk causes, the probability, there impact and timing, and select a suitable response or set of responses for each risk. Care should be taken not to spend more avoiding the risk than the impact of the risk itself.

Risk management starts at the very beginning of PRINCE2 and is a continual activity carried out throughout the life of the project, without this, it would not be possible to have the confidence that the project is able to meet its objectives and should therefore be continued. In other words, risk management threatens the Business Case and hence the continued business justification principle.

A simple way of describing a risk is, an event which may or may not occur at some point in the future, but if it does occur it will have an impact on the project objectives.

There are two types of risk; those with a negative impact and those with a positive impact: risks which have a negative impact are called threats and those with a positive impact are called opportunities – both have the common characteristic of uncertainty.

A risk management system is one which first identifies risks and then assesses them, followed by the planning and implementation of risk responses.

Having been first identified (usually done in a risk or planning workshop), in terms of their impact, and timing, the overall of risk associated with the project often called the aggregated risk, needs to be understood and agreed by the project board for effective risk management within PRINCE2.

Each risk will now need an appropriate response followed by the assignment of a risk owner, and then monitoring and controlling (and hence risk management) of those responses.

In the Starting up the Project process, the project manager will use the Daily Log to capture and manage any known risks; these will be used as part of the evidence put before the project board to decide whether or not to proceed.

In the initiation stage The Risk Management Strategy will be created to describe how risk management will be embedded within the project. At the same time, The Risk Register will be created and any risks currently within the Daily Log will now be transferred to this register.

Using The Project Brief and the Project Product Description, The Risk Management Strategy will include the following information: the risk management procedure to be applied including tools and techniques to be used, records, reporting and timing of risk management activities, risk responsibilities, risk tolerances and a risk budget if it is to be used.

One aspect to consider here is the project board’s attitude towards risk taking as this will influence the amount of risk that is acceptable and the most effective responses required.

The Risk Register is a project management tool used to contain information on all of the identified threats and opportunities within a project.

It will contain information such as the category and description of the risk, its probability, impact and expected value, its proximity and risk responses, its current status and the risk owner. Project support will normally maintain this for the project manager.

It is vital that risks are clearly and unambiguously described, and it is useful to consider each risk in terms of the risk cause (the source of the risk), the risk event describing the area of uncertainty, and the risk effect describing the impact of the risk should it occur.

CLICK HERE For My PRINCE2 Primer – and pass your exams first time!

Click here: for more information on Passing Your PRINCE2 Exam! 

I hope you enjoyed my article on risk management!