
PRINCE2 Risk Management Approach Example 

 February 27, 2023

By  Dave Litten

Better risk management with PRINCE2

Step 1 – having a risk management approach

In my experience, a risk management approach is something that is talked about a lot but rarely done. One problem is that people don’t know who should be doing what.

To help with this, PRINCE2 introduces a risk management approach. It outlines the way in which risk will be identified, evaluated and dealt with in a project.

It shows who should be responsible for carrying out the various risk management roles. It also sets out how much risk an organisation is willing to bear. The strategy is put together at the outset of the project; everyone reviews and signs up to it.

Step 2 – risk management approach identification techniques

Where do you start when it comes to identifying all the potential risks in your project? The new manual gives a number of approaches.

These include reviewing lessons learned from previous projects, carrying out a risk brainstorming session, using an industry specific prompt list showing likely areas of risk or creating a risk breakdown structure.

The latter is a hierarchical diagram like an organisation chart. It can be subdivided in a range of ways, for example by product, by team or using PESTLE (political risks, economic risks, social risks, technological risks, legal risks, environmental risks).

It can be used as a focal point for a workshop to identify all risks in each area of the project.

Step 3 – risk management approach early warning indicators

It is all too easy for a project manager to myopically focus on a small set of performance areas such as work completed to schedule. The new manual suggests a range of other early warning indicators that identify how the project is performing.

Examples include the percentage of approvals accomplished, the number of issues being raised and the number of defects being captured in quality inspections. Reviewing all aspects of a project increases the likelihood of identifying more critical risks.

Step 4 – assessing the overall risk management approach exposure

PRINCE2 gives an approach to show the overall risk situation of a project. Each risk is given a likelihood in percentage terms and an impact should it occur in monetary terms.

By multiplying one by the other an expected value can be calculated. Totaling the expected values of all the risks gives a monetary figure that easily shows the exposure of the whole project to risk.

Step 5 – considering the effect of time on a risk

PRINCE2 has always recommended recording when each risk will occur. It calls this the proximity of the risk. But in this latest release it gives examples of how you might categorise proximity, such as imminent, in the next stage of the project or after the project.

It also recommends considering whether the probability of the risk occurring, and/or the impact on the project if it does occur, might vary over time. Having this information can help focus on risks that are of a more pressing concern.

Step 6 – giving a clearer risk management approach to help define risks

Rather than just thinking about the event that may or may not occur such as a road collapsing underneath a heavy load, the new manual considers what could cause the event.

This allows for a deeper analysis of any individual risk. If the road collapses it could be caused by heavy rain, bad driving or initial poor construction of the road by the council.

Understanding the most likely causes of each potential risk event can help implement better mitigation plans to deal with them.

Step 7 – focus on risk management strategy opportunities

Risks can be opportunities. For example, a new technology might appear to speed the programming of a software module. PRINCE2 gives three ways of approaching an opportunity: exploit it by doing something that ensures it occurs, increase the probability or impact of the event occurring, or simply reject the opportunity.

In practice a good project manager is always looking for opportunities to improve their project, but making this explicitly part of the risk management process improves the probability of spotting more.

Risk management – a prerequisite to effective project management

In this ever changing current business environment, organizations are exposed to several unforeseen situations. If favourable, it can leapfrog organizations to prosperity. Similarly, if unfavourable, it can have a detrimental effect on organizational objectives.

Uncertainty can be caused by anything. Hence, the need to deal with such uncertainties and balance the effect of each becomes paramount. Risk can be either threats or opportunities or both.

For example, in an office move project, a possible threat could be an increase in real estate prices due to increase in demand whereas an opportunity could be to contract with suppliers on favourable leasing terms. Hence, threats should be avoided or reduced and opportunities should be maximised.

Risk management, which is the identification, assessment and prioritized control of uncertain events, should be deeply embedded in the organization’s way of working.

At the least it should be practiced while managing projects. PRINCE2, a popular project management method, details how risks can be managed effectively.

PRINCE2 details the steps involved in the risk management procedure as identify, assess, plan, implement and communicate, with the communicate step running in parallel to the other 4 steps, which run sequentially.

These steps are iterative in nature and when additional information is available, it may be necessary to revisit earlier steps.

The steps described provide a sound understanding of the tasks which need to be carried out and any techniques which can be adopted. For instance, the assess step involves 2 sub-steps: estimate and evaluate.

The estimate step proposes that each risk should be assessed for probability, impact and proximity without neglecting the stakeholders’ viewpoint. The evaluate step assesses the net effect of all threats and opportunities on a project when aggregated together, and whether the project has continued business justification.

It also lists some examples of techniques, such as Monte Carlo analysis or expected monetary value, which can be used to evaluate risks. It provides guidance on the possible risk responses which can be carried out and the aspects of risks which these responses can control.
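The expected value calculation from step 4 and the Monte Carlo technique named above, side by side, as an added example (not taken from the PRINCE2 manual or from the author). The register entries and figures are constructed, and treating opportunities as negative impacts and risks as independent are assumptions of this sketch.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood of occurring, 0.0 to 1.0
    impact: int         # monetary impact if it occurs; negative = opportunity (assumed convention)
    proximity: str      # e.g. "imminent", "next stage", "after project"

# Constructed sample register for an office-move project; all figures are invented.
REGISTER = [
    Risk("Real estate prices rise", 0.30, 40_000, "next stage"),
    Risk("Vendor delivery slips", 0.50, 12_000, "imminent"),
    Risk("Regulatory inspection delayed", 0.20, 25_000, "next stage"),
    Risk("Favourable leasing terms agreed", 0.40, -15_000, "imminent"),
]

def expected_value(risk):
    """Expected monetary value of one risk: probability x impact."""
    return risk.probability * risk.impact

def total_exposure(register):
    """Net exposure: sum of expected values, opportunities offsetting threats."""
    return sum(expected_value(r) for r in register)

def simulate(register, trials=20_000, seed=1):
    """Monte Carlo: in each trial every risk fires independently (assumption)
    with its own probability. Returns the sorted total outcome of each trial."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    outcomes = [
        sum(r.impact for r in register if rng.random() < r.probability)
        for _ in range(trials)
    ]
    return sorted(outcomes)

def percentile(sorted_outcomes, pct):
    """Outcome at or below which roughly pct percent of trials fall."""
    idx = min(len(sorted_outcomes) - 1, len(sorted_outcomes) * pct // 100)
    return sorted_outcomes[idx]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:35s} {r.proximity:12s} EV = {expected_value(r):>10,.0f}")
    outcomes = simulate(REGISTER)
    print(f"Total expected value: {total_exposure(REGISTER):,.0f}")
    print(f"Median outcome:       {percentile(outcomes, 50):,}")
    print(f"90th percentile:      {percentile(outcomes, 90):,}")
```

With this constructed register the summed expected value is 17,000 while the 90th-percentile simulated outcome is 52,000, which is the spread that a single expected-value figure does not show.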

It goes a step further and explains the need for a risk budget, which is used to fund risk responses and is a combination of budget set aside for known risks and provisions for unknown risks.

PRINCE2 also provides templates for the risk management approach, an approved reference document maintained as part of a project which contains all necessary information required to manage project risks, and for the risk register, where information regarding specific risks is documented for the various stakeholders.

Therefore, risk management taught as part of PRINCE2 serves as a checklist of the activities involved in risk management and a precursor to the more detailed “Management of Risk (MoR)” framework.

Risk management approach on projects

How does project risk management differ from any other type of risk management?

Well, in most regards it doesn’t. However, as this is a project focused activity it helps simplify the overall focus by looking only at the core project fundamentals of scope – which are cost, quality and time.

Remember that; I may test you later!

There are a number of good training videos available on YouTube that cover this principle. I’ve added a couple below to help bring home the point of this article. I find watching a presentation often easier to take in than reading someone else’s thoughts.

Project risk management

So what is project risk management all about?

In an earlier article I talk about what risk and risk management are about. If you are still confused about what risks are and what risk management is about then read this article; it should bring you into the picture. On projects we talk about risk as any event that could cause an unplanned change to the project’s scope – i.e. impact the project costs, timeline or quality of the deliverables, or any combination of the three.

What isn’t always obvious when talking about project risk management is that we also need to consider the positive impact a risk may have on a project – i.e. reduce costs, decrease the timeline or increase the quality of deliverables.

In reality it’s not very often that project risks present positive opportunities. Nevertheless, as project managers we have a responsibility to recognize and act on these risks, positive or negative. That’s project risk management.

Without getting embedded in any particular methodology, the general approach to project risk management should follow a similar framework to this:

There is a 7-step risk management strategy process:

Step 1: having a risk management approach

This means setting up a process and procedure and getting full buy-in from stakeholders on how the organization will handle risk management for the project.

Step 2: risk management identification techniques

Where do you start in the identification of risks around a project? There are many risk management techniques and David suggests a few which are excellent.

However, I like to take a step back and make a list of all the critical elements of a project on the basis of “if this task doesn’t happen will it be a show stopper?” This helps me build a prioritized list of critical tasks against which I can then consider the risks – what could go wrong to impact this task.

Here’s my thought process on risk identification outlined:

Step 3: risk management early warning indicators

Don’t rely on basic performance of the project as an indicator that everything is going well. Status reports showing a steady completion of tasks could be hiding a potential risk.

In risk management a number of other factors need to be on the project manager’s radar on a daily basis.

Things that I always look for are delivery dates from vendors – how confirmed are they, is there a movement in delivery dates (you’ll only see this if you regularly ask for confirmation updates from the vendor), resource issues – key individuals taking sick leave or personal leave more often than normal.

Delays in getting certain approvals signed-off by the steering committee or other governance bodies – will this impact orders going out or decisions being made on critical tasks?

Getting qualified people in for inspections and certification (new buildings for example require a lot of local regulatory inspections). These are just a few of the daily challenges a project manager will face and all can be indicators of trouble to come.

As you gain more experience in risk management you start to instinctively recognize the early warning signs and challenge the culprits earlier in the process.

You’ll also find a good project manager will build in mitigation for the common project ailments at the very start. Sometimes seeing the tell-tale signs when selecting vendors or suppliers will be enough to select better alternatives, and this is what I call dynamic risk management at work.

Also keep an eye on the world around you – economic or geological events elsewhere can have a dramatic impact on local suppliers and supplies of key project materials.

For example, flooding in Thailand has impacted the delivery of various computer components that are manufactured there, causing impact in both supply lines and pricing.

Step 4: assessing the overall risk exposure in risk management

“PRINCE2 gives an approach to show the overall risk situation of a project.

Each risk is given a likelihood in percentage terms and an impact should it occur in monetary terms.

By multiplying one by the other an expected value can be calculated. Totaling the expected values of all the risks gives a monetary figure that easily shows the exposure of the whole project to risk.”

I’ve seen risk calculated in many similar ways in organizations, all variations on risk management.

As long as there is a common approach for showing all risks, prioritization and impact on a project then risk management will work and add value in protecting the investment in the project.

Each project and each organization will have their own requirements in terms of how they want to see risks analysed and presented. By and large it doesn’t matter how this is done, as long as it is done and it makes sense in the context of the project and organization.

There are risk management tools to help organise and manage this.

Step 5: considering the effect of time on a risk and risk management

The effect of time when analysing risks is that the more imminent a risk, the higher priority it may take. I say “may” as it may be that a very low priority risk with low impact may be about to happen whereas a higher priority risk may be weeks or months away.

How do you manage this?

Common sense (of which there is no such thing) would suggest that if the higher priority risks are still a long time away then the imminent lower priority risks should be dealt with first, as a higher priority…? Perhaps?

You’ll have to take a pragmatic view on this, every situation needs to be taken on its merits and in risk management, not being an exact science, you’ll be expected to make judgment calls and discuss options with your client and project board or steering committee.

After all, the governance board of a project has a responsibility to steer such decisions so the role of a good project manager should be to collate the facts and present the data with recommendations. Let the higher paid guys make the big decisions.

Step 6: giving a clearer approach to help define risks in risk management

I think essentially what this focuses on is the “mechanics” of the risks in such a way as to help us understand and look at the cause and effect of scenarios that could lead to the risk happening. In this way we can focus on the lowest common denominator(s) that will generate the risk and mitigate those items. Is that a little confusing?

The principle is, I believe, to nip the problem in the bud by recognizing what or where the bud is. Don’t get hung up on this; I would say this is something you’d tend to do naturally as you gain experience in reviewing risks and dealing with risk mitigation (prevention).

Step 7: focus on opportunities in risk management

Finally – last but not least, where can we make or recognize risks as opportunities? An example David talks about suggests that a new release of a software product that would offer major benefits if included in the project would be a possible “positive” risk.

This I can relate to more, with the experience of being asked to change the specification on a traders’ dealing system halfway through a major project because the manufacturer had released a major systems improvement, a completely new model, that the bank saw as a strategic advantage.

The analysis of this risk covered the obvious change in costs: the new system was more expensive. The implementation was zero impact compared to the older system; however, there was a large element of re-training the trading staff and proving the system for the bank before go live. This became the biggest challenge once the cost differential had been signed-off by the project board.

The additional training time required was squeezed into evenings and weekends so the final project delivery schedule was not impacted – but getting vendor and project resources to support the additional work and making sure the system was fully functional and supported operationally when the new facility went live, added cost and stress that hadn’t been anticipated. This is where risk management and change management overlap – a topic for another article.

The client was happy with the result and additional investment made. Simple risk management gets the job done.


Dave Litten


Dave spent 25+ years as a senior project manager for UK and USA multinationals and has deep experience in project management. He now develops a wide range of Project Management Masterclasses, under the Projex Academy brand name. In addition, David runs project management training seminars across the world, and is a prolific writer on the many topics of project management.
