Risk management approach

This template provides explanations and guidance on the kinds of information necessary for the risk
management approach for PRINCE2 6th edition.

Contents

1 Introduction............................................................................................................................................4
2 Risk management process or procedure.................................................................................................4
3 Tools and techniques..............................................................................................................................5
4 Records...................................................................................................................................................5
5 Reporting................................................................................................................................................5
6 Timing of risk management activities....................................................................................................6
7 Roles and responsibilities.......................................................................................................................6
8 Scales......................................................................................................................................................7
9 Proximity................................................................................................................................................9
10 Risk categories....................................................................................................................................9
11 Risk response categories.....................................................................................................................9
12 Early warning indicators...................................................................................................................10
13 Risk tolerance...................................................................................................................................10
14 Risk budget.......................................................................................................................................10

Guidance on how to complete

(Note: following completion of the Risk Management Approach this guidance can be deleted)

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

1
PURPOSE
A risk management approach describes how risk will be managed on the project. This includes the
specific processes, procedures, techniques, standards, and responsibilities to be applied.

COMPOSITION
The risk management strategy includes the following:
 Introduction This states the purpose, objectives and scope, and identifies who is
responsible for the approach.
 Risk management process or procedure This describes (or refers to) the risk
management process or procedure to be used. Any variance from corporate, programme
management, or customer standards should be highlighted, together with a justification for
the variance. The process or procedure must describe how:
o risks are identified and assessed
o risk responses are planned and implemented
o risk management activities are communicated.
 Tools and techniques This refers to any risk management systems or tools to be used, and
any preference for techniques which may be used for each step in the risk management
procedure.
 Records This defines the composition and format of the risk register and any other risk
records to be used by the project.
 Reporting This describes any risk management reports that are to be produced, including
their purpose, timing, and recipients.
 Timing of risk management activities This states when formal risk management
activities are to be undertaken (e.g. at the end of management stages).
 Roles and responsibilities This defines the roles and responsibilities for risk management
activities.
 Scales This defines the scales for estimating probability and impact for the project to ensure
that the scales for cost and time (for instance) are relevant to the cost and timeframe of the
project. These may be shown in the form of probability impact grids giving the criteria for
each level within the scale (e.g. for ‘very high’, ‘high’, ‘medium’, ‘low’ and ‘very low’).
 Proximity This provides guidance on how proximity for risk events is to be assessed.
Proximity reflects the fact that risks will occur at particular times and the severity of their
impact will vary according to when they occur. Typical proximity categories will be: imminent,
within the management stage, within the project, beyond the project.
 Risk categories This defines the risk categories to be used (if at all). These may be derived
from a risk breakdown structure or prompt list. If no risks have been recorded against a
category, this may suggest that the risk identification has not been as thorough as it should
have been.
 Risk response categories This defines the risk response categories to be used, which
themselves depend on whether a risk is a perceived threat or an opportunity.
 Early warning indicators This defines any indicators to be used to track critical aspects of
the project so that if certain predefined levels are reached corrective action will be triggered.
They will be selected for their relevance to the project objectives.

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

2
  Risk tolerance This defines the threshold levels of risk exposure which, when exceeded,
require the risk to be escalated to the next level of management. (For example, a project-
level risk tolerance could be set as any risk that, should it occur, would result in loss of
trading. Such risks would need to be escalated to corporate, programme management or the
customer.) The risk tolerance should define the risk expectations of corporate, programme
management or customer and the project board.
 Risk budget This describes whether a risk budget is to be established and, if so, how it will
be used.

DERIVATION
The risk management approach is derived from the following:
 project brief
 business case
 where relevant, any corporate, programme management or customer risk management
guides, strategies, or policies.

FORMAT AND PRESENTATION

A risk management approach can take a number of formats, including:
 a stand-alone document
 a section of the PID
 an entry in a project management tool.

QUALITY CRITERIA
The following quality criteria apply to the risk management approach:
 Responsibilities are clear and understood by both customer and supplier.
 The risk management procedure is clearly documented and can be understood by all parties.
 Scales, expected value, and proximity definitions are clear and unambiguous.
 The chosen scales are appropriate for the level of control required.
 Risk reporting requirements are fully defined.

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

3
1 Introduction
This document describes how risk management should be performed within a
project. The purpose of the document is to describe the use of risk management
processes, roles and responsibilities, the techniques and tools applied, and the
documentation kept for risk management. The risk management approach
described below is based on the PRINCE2® method and uses PRINCE2®
terminology. The degree of formalization of risk management established in this
document is determined on the basis of project size, its complexity, analysis of
the overall risk of the project, and strategic importance for the organization.
The executive holds accountability for this document and its appropriate
application within the project. Any change suggestions to the risk management
approach should be addressed to the project manager.

2 Risk management process or procedure

The risk management procedure for the project is based on the PRINCE2®
method and consists of the steps described in the table below:

Step High-level description

Identify Analysis of the project environment – external (business, social,

context technological, political, legal, environmental aspects) and internal
(regulations and processes of the company) in terms of their impact on
the overall level of risk in the project.
Identify the Identification of opportunities and threats affecting the project, carried
risks out with the participation of the entire project team and a wide range of
stakeholders. The risk register should be filled in with the following
information: ID, reported person, date of application, category,
description (cause – risk – effect)
Assess – Assessment of the importance of individual risks, carried out with the
estimate participation of risk owners, subject matter experts and stakeholders to
whom a given risk (or group of risks) relates. The risk register should be
filled in with the following information: probability, impact, expected
value, proximity.
Assess – Measurable assessment of the overall project risk in order to determine
evaluate whether it remains within tolerances. Identification and analysis of all
relationships and interdependencies between risks, in order to select
the most efficient and effective responses to risks.
Plan (risk Selection and decision on the optimal and most efficient and effective
responses) risk responses, taking into account their overall importance, proximity,
and relationships between them. The risk register should be filled in
with the following information: risk response category, risk response,
risk status, risk owner, risk actionee, probability, and impact of a
residual risk.
Implement Execution of planned responses, monitoring the course of action,
(risk efficiency and effectiveness and implementation of corrective actions in
responses) case of limited effectiveness of the response. Monitoring the overall
project risk with respect to tolerances. The risk register should be
updated according to new information gathered through monitoring

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

4
 risks and risk responses.
Communicatin Ongoing communication related to project risk through reports, risk
g register reviews, meetings, and conversations. Continuous updating of
the probability and impact matrix (risk map) and ensuring access to it
by the project board.

3 Tools and techniques

Step Tools and techniques to be used

Identify SWOT analysis, PESTLE analysis, technical analysis of the solution

context
Identify the Cause and effect (Ishikawa) diagram, assumption analysis, constraints
risks analysis, risk checklists, risk breakdown structure
Assess – Probability assessment, impact assessment, proximity assessment,
estimate expected value assessment, estimation poker
Assess – Probability and impact matrix (risk map), expected monetary value
evaluate analysis
Analysis of relationships and interdependencies between risks

Plan (risk Risk response planning (using risk response categories), response
responses) effectiveness analysis, decision trees
Implement Response effectiveness analysis, risk exposure trends
(risk
responses)
Communicatin Probability and impact matrix (risk map), reporting, risk register
g reviews

4 Records
A risk register is kept for the project in an Excel spreadsheet, available to the
entire project team in a dedicated project area(for example on Sharepoint), in
accordance with the risk register template.

5 Reporting
Risks should be reported in project progress reports. These reports should
include at least the following information:

Highlight  risks identified in this reporting period

report  risk responses carried out in this reporting period
 risks directly related to the work in the next reporting period
 risk responses to be implemented in the next reporting period.
Checkpoint  risks identified by the team in the current reporting period
report  risk responses carried out in the current reporting period
 risks directly related to the work in the next reporting period
 risk responses to be implemented in the next reporting period.
End stage  summary of risk management activities carried out during the

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

5
 report stage (responses to the most important risks)
 summary of new risks identified during the stage
 top 5 open risks, along with their assessment and planned
responses
 risk responses planned to be implemented in the next stage.
End project  summary of the most important risks and responses
report implemented
 assessment of the effectiveness and efficiency of risk
management activities.

6 Timing of risk management activities

 Monitoring identified risks and identification of new risks should be
performed on an ongoing basis, throughout the life cycle of the project.
 Detailed risks identification should be carried out: during initiation stage,
at the end of stages when planning subsequent stages, and when analysis
of the impact of issues to the project is performed.
 The risk register review should take place at least once a month during
the project team meetings.
 The risk management audit is to be carried out in the middle of the project
(end of stage II) and during the closure of the project.

7 Roles and responsibilities

Role Responsibilities

 identification of risks related to their work within the project

All project
 participation in the steps of the risk management procedure at
team
members the request of the project manager.

 leading the team in identifying and assessing risks

 determining (in cooperation with risk owners) risk responses
 assigning risk response actions to the project team members
Project  ongoing (daily) monitoring of project risks
manager  reporting the status of the risks to the project board
 ensuring the timeliness and correctness of entries in the risk
register.

 monitoring project risks

 monitoring the project environment in terms of risks
 verifying the correctness and validity of entries in the risk
Project
assurance register
 reviewing risk management practices to ensure that they are
performed in line with the project’s risk management approach.

Project  setting up, maintaining, and updating the risk register on an

support

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

6
 ongoing basis
 collecting and maintaining the risk-related data and
administering risk-related documentation.

 ensuring the identification, analysis and control of risks

associated with the business (executive), functionality and
usability of the solution and impact on the benefits (senior user),
feasibility and technical integrity (senior supplier)
Project board
 approval of risk response expenditure exceeding 10 000 GBP
 making decisions about risks exceeding tolerances
 making decisions when the overall risk tolerance is exceeded.

 monitoring of risks owned

 informing the project manager about each identified change in
the probability and impact of the risks owned
 cooperating with the project manager in planning and
Risk owners
implementing responses to the risks owned
 monitoring the effectiveness and efficiency of the response to
the risks owned.

 identification of risks related to your area of activity in the

All project project
team  participation in the remaining steps of the risk management
members procedure at the request of the Project Manager.

8 Scales
Risk probability will be determined using a five-point scale:

Descriptive
Very low Low Medium High Very high
scale
Definition (%) < 10% 10-30% 30-50% 50-70% 70-90%
Numerical scale 0,1 0,3 0,5 0,7 0,9

Risk impact will be determined on a five-point scale. The impact will be

determined on the basis of the impact on the individual dimensions of the project
objectives in accordance with the table below:

Descriptive
Insignificant Low Moderate High Critical
scale
Numerical
0,05 0,1 0,2 0,4 0,8
scale
Budget Insignificant Cost increase Cost increase Cost increase Cost
Impact

increase in by less than from 3 to 15 from 15 to increase

costs 3000 GBP thousand GBP 100 thousand above
GBP 100 000 GBP

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

7
 Duration Duration
Insignificant Duration Duration
increase by increase by
Schedule delay in increase from increase from
less than 5 more than
schedule 5 to 15 days 15 to 30 days
days 30 days
Must-have
requirements
affected.
Could-have Should-have The project
Insignificant Scope
Scope requirements requirements product is
scope impact reduction
affected affected useless
unacceptable
for the
on the project

customer
Must-have
requirements
affected.
Could-have Should-have The project
Insignificant Quality
Quality requirements requirements product is
scope impact reduction
affected affected useless
unacceptable
for the
customer
Loss of more
Loss of up to Loss of 15- than 30% of
Insignificant Loss of 5-15%
5% of 30% of benefits, the
Benefits reduction in of estimated
estimated estimated project loses
benefits benefits
benefits benefits business
justification

The probability and impact matrix (risk map) is a tool for compiling and
prioritizing risks and communicating all risks identified in the project. It will be
applied by mapping risks in accordance with the following table:

Very high
0,9 0,05 0,09 0,18 0,36 0,72
70-90%
High
0,7 0,04 0,07 0,14 0,28 0,56
50-70%
Probability

Medium
0,5 0,03 0,05 0,10 0,20 0,40
30-50%
Low
0,3 0,02 0,03 0,06 0,12 0,24
10-30%
Very low
0,1 0,01 0,01 0,02 0,04 0,08
> 10%
0,05 0,1 0,2 0,4 0,8
Insignific Moderat
Low High Critical
ant e
Impact

The way of applying the risk map:

Red cell  The appearance of an individual risk in this cell requires

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

8
 immediate escalation to the project board (exception
report) together with the proposed action.

 Risk requires preparation of an active response for its

Yellow complete elimination or reduction of the probability and/or
cell impact.

Green  The risk may be accepted but needs to be monitored.

cell

9 Proximity
Risk proximity will be determined on a five-point scale, containing the following
categories of proximity:
• at any moment,
• in the current stage,
• in subsequent stages,
• at the end of the project,
• after the end of the project.

10 Risk categories
Risks will be assigned to the following categories:
• technological
• business
• contractual
• management
• social
• external.

11 Risk response categories

Risk responses will be assigned to the following categories:

Category Description

Making uncertain situation certain by removing the risk, e.g., by

Avoid (a threat)
removing the cause of a threat.
Exploit (an Making uncertain situation certain, e.g., by implementing the
opportunity) cause of an opportunity.
Undertaking definite action now to reduce the probability and/or
Reduce (a threat)
the impact of the risk.
Enhance (an Undertaking definite action now to increase the probability and/or
opportunity) the impact of the risk.
Transfer (threat or
Passing part of the risk to a third party, e.g., by insurance.
opportunity)
Share (threat or Sharing the risk between multiple parties on a pain/gain share

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

9
 opportunity) basis.
Accept (threat or Taking the chance that the risk will occur, with its full impact if it
opportunity) did.
Prepare contingent
Preparing plans now, but not taking action now. The action will be
plans (threat or
taken should the risk occur.
opportunity)

12 Early warning indicators

Risk to project
Early warning indicators
objectives
 schedule variance (delay) against the baseline exceeding 10
days
 two subsequent milestones during the stage achieved with
Schedule risks the delay
 increasing number of delays reported by team managers
comparing to previous stage.

 cost variance against the baseline exceeding 10 days.

Cost risks
 number of products that failed at quality control exceeding
four during one stage
 number of requested changes to products’ quality specs
Quality risks exceeding five by stage
 increasing number of reservations from users on products’
quality and usability comparing to previous stage.

 number of requested changes to project scope exceeding

Scope risks five by stage.

 variance between forecasted and realized benefits reported

Benefits risks from benefits review at the end of a stage exceeding 10%.

13 Risk tolerance
 The tolerance threshold for the total project's risk exposure calculated
using the expected monetary value method is £180,000.
 Tolerance threshold for a single risk: according to the probability and
impact matrix (red box).
 Exceeding the tolerance thresholds requires immediate notification of the
project board.

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

10
14 Risk budget
 The costs of management activities related to risks are financed from the
project budget: Section 6. Project management.
 The costs of risks responses are covered by the risk budget, set at 15% of
the project budget.
 Funds from the risk budget are at the disposal of the project manager.
 Expenditures on risk responses exceeding £10,000 must be approved by
the project board, along with approval of actions planned in response to
the risk.

PRINCE2® | Copyright© PeopleCert International Ltd

Used under permission and in accordance with the Terms and Conditions of Sale. All rights reserved.

11