Risk is defined as an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives. Simply put, it is the possibility of losing something of value.
Projects have objectives, that is, a product or service that it needs to be produced, or a stakeholder it needs to satisfy. Risks events are those events that could jeopardize the achievement of those objectives.
For that reason, the Risk Management Approach is one of the most important planning documents in the PRINCE2 project management system. It describes how risk will be managed, including the specific processes, procedures, techniques, standards, and responsibilities to be applied.
In PRINCE2, the Risk Management Approach includes the following items:
States the purpose, objectives and scope, and identifies who is responsible for the approach.
- Risk management process or procedure
This section describes how risk events will be identified and analyzed, as well as how risk response plans will be developed. Risk management breaks down into the following components:
- Risk Identification develops a risk register which itemizes risk events which might occur that impact the project’s objectives, and allows for their tracking throughout the course of the project. Of course, you can’t itemize every possible event, but those that are considered important enough are chosen to be included in the risk register.
- Risk Analysis determines the underlying two variables of each risk: Probability of Occurrence and Severity. Risk analysis also develops a priority ranking of each risk in the risk register.
- Risk Response planning develops response plans for the most important risks. Only the most important risks within the risk register require pre-developed response plans, but almost every project has a few important risks where due diligence would suggest some sort of response.
- Tools and techniques
Any risk management systems or tools to be used by the project are identified.
The composition and format of the risk register is defined. Templates can be specified. Any other records to be used by the project are identified.
Most large projects require some form of risk reporting, whether monthly reports that provide risk analysis updates or periodic reporting of one specific risk.
- Timing of risk management activities
Specifies the point at which the risk re-analysis, register updates, and reporting will take place.
- Roles and responsibilities
This section defines who will be responsible for the risk register, who will perform the risk analysis and response plans and who will create reports.
The grading criteria for each risk, that is, for the Probability and Severity score, are defined in this section. For example, ‘Very High, High, Medium, Low, and Very Low.’ Other options include 1-10, or A-E.
Since the severity of risks varies depending on when they occur within a project, the proximity defines when the risk will be re-assessed, for example, imminently, within the management stage, or within the project.
- Risk categories
Large projects will divide their risks into categories. That way, for example, I.T. risks can be dealt with separately from financial risks, and so on.
- Risk response categories
Likewise, the risk responses can be grouped into categories to expedite analysis.
- Early warning indicators
For many risks it is not immediately evident that they are occurring. Hence, it is important to define warning indicators which can be monitored to ensure a rapid response.
- Risk tolerance
Risk responses need to be tailored to the risk tolerance of the organization, or they will create problems on their own. Risk tolerance varies greatly from organization to organization, for example, a construction company has a very high tolerance for operational risks whereas an insurance company does not.
- Risk budget
Many projects often have a budget solely devoted to project risk occurrences. This is also called a contingency, and can be applied on the overall project or on the individual task level.
There are three PRINCE2 documents which are used to produce the Risk Management Approach:
- Project Brief
The project brief outlines the organization’s thoughts and intentions when initiating the project, and it may contain the organization’s primary risk tolerance and response information.
- Business Case
The business case defines the expected return on investment as well as other expectations, hence the risks have to be looked at from the point of view of the business case.
- Any corporate, programme or customer risk management guides, strategies or policies
Risk management policy which has been developed and passed down to the project must be incorporated into the risk management approach.
Format and Presentation
The format of the risk management approach is not as relevant as its ability to provide a strong risk management strategy to the project management team. It can be:
- A stand-alone document
- A section of the Project Initiation Document (PID)
- An entry in a project management tool
There are five quality criteria specified for the risk management approach in PRINCE2:
- Responsibilities are clear and understood by both customer and supplier
- The risk management procedure is clearly documented and can be understood by all parties
- Scales, expected value and proximity definitions are clear and unambiguous
- The chosen scales are appropriate for the level of control required
- Risk reporting requirements are fully defined