PRINCE2 Foundation and Practitioner - Risk Theme Tutorial

8.1 Risk Theme

Hello and welcome to PRINCE2® Foundation Certification course offered by Simplilearn. This lesson is about Risk theme. Risk taking is inevitable in Projects since they are enablers of change, which introduces uncertainty. Risk is one of the seven themes of PRINCE2® methodology.

8.2 Objectives

After completing this lesson, you will be able to: ?Define Risk theme ?Explain PRINCE2® approach to Risk theme ?Define the roles and responsibilities in Risk theme

8.3 Purpose of Risk Theme

The purpose of Risk theme is to identify, assess and control uncertainty and, as a result, improve the ability of the project to succeed. As shown in the image, Risks are identified throughout the project, which makes it a continual activity. The moment it is seen that an event can occur that would affect the project positively or negatively, a note should be made of it. Whenever change occurs, its impact on the project and the risks that may arise due to the implementation of the change need to be understood. Risks are always thought of negatively, however many times uncertainties can have positive impact on the project as well. Such risks are called good risk or opportunities.

8.4 Risk Terms—Definitions

Risk is as an uncertain event or set of events that may have an effect on the achievement of objectives. The effect can be good or bad for the project. If the effect is bad, it is a threat to the project. Threat is defined as an uncertain event that could have a negative impact on objectives If the effect is good, it is an opportunity for the project. Opportunity is defined as an uncertain event that could have a favorable impact on objectives. It is the project’s objectives that are at risk. These include completing the project by covering a number of targets such as time, cost, quality, scope, benefits and risks.

8.5 Risk—Example

When the project began for the construction of the Sydney Opera House in March 1959, one of the risks identified was that the change in government could affect the project. As it turned out, in 1965, the new Australian government forced design changes in the Sydney Opera house’s architecture, leading to the resignation of Jorn Utzon, the architect who designed it.

8.6 Risk Management

Risk management is the systematic application of procedures to the tasks of identifying and assessing risks and then planning and implementing risk responses. This means there should be a well-defined process of identifying, assessing and controlling the risks. This is an on-going process throughout the project and is not a onetime activity. As shown in the image, risk management applies from the strategic, operational, project and programme perspective. The approach to the management of risk can be common across all of these perspectives but risk management procedures should be tailored to suit each one.

8.7 PRINCE2® Approach to Risk

To apply risk management procedure in the project, it is important to identify whether there are any corporate or programme policies and processes that need to be applied. This information may be in the form of a risk management policy and or risk management process guide. The risk management process guide should describe the series of steps and their respective associated activities necessary to implement risk management. An organisation’s risk management policy should communicate how risk management will be implemented throughout the organisation.

8.8 Risk Management Strategy

Risk Management Strategy explains how risk management activities will be embedded in the project management activities. A key decision that needs to be recorded within the Risk Management Strategy is the Project Board’s attitude towards risk taking, which in turn dictates the amount of risk that it considers acceptable. This information is captured in the form of risk tolerances, which represents the levels of exposure that, when exceeded, will trigger an Exception Report to bring the situation to the attention of the Project Board. The important point to note here is that risk appetite varies depending upon various factors such as organisation, culture and industry. A start-up organisation may be more prone to taking risks and introducing changes to achieve faster growth, where as a large organisation may like to take a cautious approach. While performing various risk management activities, the detailed information about the threats and opportunity needs to be documented. The widely used document is called the Risk Register.

8.9 Risk Register

The purpose of the Risk Register is to capture and maintain information of all the identified project threats and opportunities. Project Support will typically maintain the Risk Register on behalf of the Project Manager. Each risk in the Risk Register is described as: unique identifier, who raised the risk, when it was raised, category and description of risk.

8.10 Risk Register (contd.)

Each risk in the Risk Register is also described as: probability, impact, expected value, proximity, risk response category, risk response actions, risk status, risk owner and risk actionee.

8.11 Risk Management Procedure

PRINCE2® recommends a risk management procedure comprising five steps. The first step is to identify the threats and opportunities that may affect the project’s objectives. Once it’s done, the second step is to assess the impact of the identified risks on project objective. The third step is to plan how to take care of the risk. This is to ensure that the risk impact on the project objectives is minimised or removed. The fourth step is to implement the plans identified in step three. The fifth step is to communicate. The first four steps, which are to identify, asses, plan and implement are sequential with the ‘communicate’ step running in parallel, as the findings of any of the other steps may be communicated prior to the completion of the overall process. All of the steps are iterative in nature that is when additional information is available, it is often necessary to revisit earlier steps and carry them out again to achieve the most effective result.

8.12 Risk Management Procedure—Identify

Identify is the first of the four sequential steps of the risk management procedure. It includes two sub steps ‘identify context’ and ‘identify risks’. The primary goal of the ‘identify context’ step is to obtain information about the project to understand the specific objectives that are at risk and to formulate the Risk Management Strategy for the project. The goal of the ‘identify risks’ step is to recognise the threats and opportunities that may affect the project’s objectives.

8.13 Risk Identification Techniques

There are many risk identification techniques used. Those are: review lessons, risk checklists, risk prompt lists, brainstorming and risk breakdown structure. Let us take an example of brainstorming. In this technique the project team members can think aloud and can try to identify risk by using their previous experience of working on a similar type of project. Another technique risk breakdown structure. This is illustrated in the image where financial risk is broken down to identify risks. An important aspect of identifying risks is being able to provide a clear and unambiguous expression of it. A useful way of expressing risk is to consider the following aspects of risk: Risk cause: This should describe the source of the risk, that is the event or situation that gives rise to the risk. Risk event: This should describe the area of uncertainty in terms of threat or opportunity. Risk effect: This should describe the impact of risk on the project objectives.

8.14 Example of Identify

The objective of the Maasvlakte 2 project at the Port of Rotterdam was to increase the capacity of Europe’s largest port. This is an example of identify context. Dutch House of Representatives, one of the stakeholder’s of the project, cited inability to meet deadlines, scope creep and over-expensive budgets as risks. This is an example of identify risks.

8.15 Risk Cause, Risk Event and Risk Effect

Risk cause, event and effect help in getting a better understanding about the risk. The image shown illustrates risk cause, event and effect. Risk cause is the event or situation that gives rise to risk. Risk event is the area of uncertainty in terms of the threat or the opportunity. Risk effect describes the impact(s) that the risk would have on the project objectives.

8.16 Example of Risk Cause, Risk Event and Risk Effect

Due to heavy rainfall this year, National Institute of Malaria Research has opined that there is a possibility of more people being effected by malaria which will affect its project to control malaria. In this example, the risk cause is the heavy rainfall. Risk event is the possibility of people being effected by malaria. Risk effect is affecting the project undertaken by National Institute of Malaria Research to control malaria.

8.17 Risk Management Procedure—Assess

Once the risks are identified, the next step is to ‘Assess’ them. This step in turn has two sub steps, which are estimate and evaluate. The primary goal of the ‘estimate’ step is to assess the threats and the opportunities to the project in terms of their probability and impact. It also estimates the proximity of these threats and opportunities with regard to when they might materialise. The primary goal of the ‘evaluate’ step is to assess the net effect of all the identified threats and opportunities on a project when aggregated. Suppose a project has hundreds of risks identified, it will not have resources to manage all those identified risks and hence it is important that risks are evaluated and those risks which have a greater impact on the project are addressed.

8.18 Probability Impact Grid

Probability impact grid is a popular technique of estimating the Risk. As shown in the image, for every identified risk, the probability to the threats and opportunities in terms of how likely they are to occur and the impact of each threat and opportunity in terms of the project objectives are identified. If the objectives are measured in terms of time and cost, the impact should also be measured in same units.

8.19 Risk Management Procedure—Plan

The primary goal of the ‘plan’ step is to prepare specific management responses to the threats and opportunities identified, ideally to remove or reduce the threats and to maximise the opportunities. The ‘plan’ step involves identifying and evaluating a range of options for responding to threats and opportunities. It is important that the risk response is proportional to the risk and that it offers value for money. Risk responses do not necessarily remove the inherent risks in its entirety, leaving residual risks. A key factor in the selection of responses is balancing the cost of implementing the responses against the probability and impact of allowing the risk to occur. In some cases, implementing a risk response may lead to secondary risk, that is Risks that may occur as a result of revoking a risk response.

8.20 Threat and Opportunity Responses

As shown in the table, the types of responses for threats are: Avoid: typically involves changing some aspects of the project–which includes the scope, procurement route, supplier or sequence of activities–so that the threat can either no longer have an impact or cannot occur. For example, a critical meeting can be threatened by air travel disruption so the project chooses to hold the meeting through video conference instead. Reduce refers to the proactive actions taken to reduce the probability of the event occurring by performing some form of control to reduce the impact of the event—should it occur. This reduces the probability and/or the impact. For example, organisations conduct a number of training events on a new product. This will increase the likelihood of users’ adoptability towards the product introduced. Fallback refers to implementing a fallback plan for the actions to be taken to reduce the impact of the threat—should the risk occur. This is a reactive form of the ‘reduce’ response, which has no impact on likelihood. This reduces the threat only. For example, the company’s test facility is only available for two weeks in August. To reduce the impact, in case the product is not be available in time, there is a fallback plan to hire an alternate test facility, may be at a greater expense. Transfer refers to a third party taking on responsibility for some of the financial impacts of the threat. For example, it can be through insurance or by means of appropriate clauses in a contract. This is a form of the ‘reduce’ response which reduces impact and often only the financial impact of the threat. For example, a prototype is insured to reduce the financial impact in case it is damaged in transit. Accept refers to a conscious and deliberate decision taken to retain the threat, having discerned that it is more economical to do so than to attempt a threat response action. The threat should continue to be monitored to ensure that it remains tolerable. For example, there is a threat that a competitor may launch a rival product first thus affecting the expected market share for the product. The choice is to accelerate the project by increasing the resources, reducing the product’s scope so that it can be finished earlier, or do nothing. Accelerating the project may lead to product quality issues and reducing the scope may make the product less appealing; so the risk is accepted and the ‘do nothing’ option is chosen. Share: Modern procurement methods commonly entail a form of risk sharing through the application of a pain or gain formula: both parties share the gain, within pre-agreed upon limits, if the cost is less than the cost plan; and share the pain, again within pre-agreed upon limits, if the cost plan is exceeded. Several industries include risk-sharing principles within their contracts with third parties. For example, the cost of the project could be adversely affected due to fluctuations in crude oil prices. The customer and supplier agree to share the cost of price increases or the savings from price reductions equally from a midpoint fixed at the time of agreeing to the contract. Now let us talk about positive risks or opportunity responses. Exploit refers to seizing an opportunity to ensure that the opportunity will occur and that the impact will be realised. For example, there is a risk that the project will be delayed. If it is delayed, a later version of software could be implemented instead, which would reduce on-going maintenance. The Project Board agrees to change the project timescale and scope enabling the later version of the software to be bought and implemented. Enhance refers to proactive actions taken to enhance the probability of the event occurring and/or enhance the impact of the event. For example, it is possible that the product completes user acceptance testing in a single test cycle, rather than the scheduled two, enabling it to be delivered early and prior to a competitor’s rival product. The Project Board decides to hold a test rehearsal to increase the likelihood that the product will pass its first user acceptance tests, and prepare for the option of an earlier launch date. Reject refers to a conscious and deliberate decision taken not to exploit or enhance the opportunity, having discerned that it is more economical not to attempt an opportunity response action. The opportunity should continue to be monitored. For example, it is possible that the product completes user acceptance testing in a single cycle, rather than the schedule two, enabling it to be delivered earlier and prior to a competitor’s rival product. The Project Board decides not to take advantage of an early release and stick with the planned launch date.

8.21 Example of Risk Responses

Consider a scenario where none of the Ministry of Petroleum’s (MP) employees on the project management team has any experience in reorganisation. In this case the following steps can be taken: The first option is to hire experienced reorganisation contractors to assist MP staff throughout the project. This is an example of ‘reduce’. The next option is to include a clause in the agreement with the selected external supplier stating that, if the full functionality of the software solution is not delivered, the selected external supplier will reduce their fees consequently. This is an example of ‘transfer’. The third option is to rely on the selected external supplier to provide advice that will protect MP’s interests. This is an example of ‘accept’. Finally, MP can also request assistance from federal government if difficulties arise in understanding what is happening. This is an example of ‘fallback’.

8.22 Example of Risk Responses (contd.)

Consider another scenario where a project to manufacture a smartphone handset is in stage two. The Project Manager has heard about the possibility of a competitor mobile handset developer launching a similar product earlier than the target date for this project. In this case the following steps can be taken: The company can decide not to compete and cancel the project. This is an example of ‘avoid’. Alternatively, the company can also wait for confirmation of the rival’s product and, if required, include additional gifts, which includes mobile covers and screen guards with the handset as an extra incentive. This is an example of ‘fallback’.

8.23 Risk Management Procedure—Implement

An important part of the ‘implement’ step is to ensure that there are clear roles and responsibilities allocated to support the Project Manager in the management of project risks. The primary goal of the ‘implement’ step is to ensure that the planned risk responses are actioned, their effectiveness is monitored, and corrective action is taken where responses do not match expectations. The main roles in this theme are: Risk owner is a named individual who is responsible for the management, monitoring and controlling of all aspects of a risk assigned to them. This includes the implementation of the selected responses to address the threats or to maximise the opportunities. Risk actionee is an individual assigned to carry out a risk response action or actions to respond to a risk or set of risks. They support and take direction from the risk owner. In many cases, the risk owner and risk actionee are likely to be the same person.

8.24 Example of Implement

A multinational bank identified one of its supplier, an IT service provider, as a potential risk after a corporate scandal was detected in the latter’s organisation. A commercial director at the bank was appointed as a risk owner. One of the risk responses identified was to terminate the contract with the IT service provider and find an alternate supplier. The Procurement Manager for the project was made the risk actionee.

8.25 Risk Management Procedure—Communicate

One of the reasons for the failure of a project is lack of communication. Communication is a step that should be carried out continually. The ‘communicate’ step in the risk management procedure should ensure that information related to the threats and opportunities faced by the project is communicated both within the project and externally to stakeholders. Risks are communicated as part of the management products and these management products are: Checkpoint Reports, Highlight Reports, End Stage Reports, End Project Reports and Lessons Reports.

8.26 Risk Budget

Substantial amount of efforts and time are spent in managing the risks. Management of risks involves resources such as people, equipment and time. So, the cost of resources should be considered in the project cost. A risk budget, if used, is a sum of money included within the project budget and set aside to fund specific management responses to the project’s threats and opportunities. To arrive at a risk budget for the project, a financial approach to risk management is needed. The expected monetary value for responses and impacts for a set of risks determines the risk budget. This is a part of the project budget and is influenced by the risk appetite of the organisation sponsoring the project.

8.27 Roles and Responsibilities in Risk Theme

The various roles defined in PRINCE2® also have responsibilities towards risk management in the project. As shown in the table, corporate or programme management provides the corporate risk management policy and risk management process guide (or similar documents). Every organisation has its own risk management policy and the senior management expects that the policies or standards are followed in the organisation. The corporate or programme management should share such policies or guidelines with the project management team. Executive is accountable for the project and is responsible for all aspects of risk management and in particular, ensure a project Risk Management Strategy exists and implementation of risk management procedure. Executive ensures that risks associated with the Business Case are identified, assessed and controlled and also escalate risks to corporate or programme management as necessary. Senior User ensures that risks to the users are identified, assessed and controlled (such as the impact on benefits, operational use and maintenance). As shown in the table, Senior Supplier ensures that risks relating to the supplier aspects are identified, assessed and controlled (such as the creation of the project’s products). Project Manager creates the Risk Management Strategy and creates and maintains the Risk Register. Project Manager also ensures that the project risks are being identified, assessed and controlled throughout the project lifecycle. Team Manager participates in the identification, assessment and control of risks. Project Assurance review risk management practices to ensure that they are performed in line with the project’s Risk Management Strategy. Project Support assists the Project Manager in maintaining the project’s Risk Register.

8.28 Quiz

The quiz section will help to check your understanding of the concepts covered.

8.29 Summary

Here is a quick recap of what we have learnt in this lesson: ?The purpose of the Risk theme is to identify, assess and control uncertainty and as a result, improve the ability of the project to succeed. ?A risk is as an uncertain event or set of events that may have an effect on the achievement of objectives. ?To apply risk management procedure in the project, it is important to identify whether there are any corporate or programme policies and processes that need to be applied.

8.30 Thank You

In the next lesson, we will discuss the next theme Change.

Find our PRINCE2® Foundation and Practitioner Online Classroom training classes in top cities:

Name Date Place
PRINCE2® Foundation and Practitioner 1 May -23 May 2021, Weekend batch Your City View Details
PRINCE2® Foundation and Practitioner 14 May -22 May 2021, Weekdays batch Your City View Details
  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

Request more information

For individuals
For business
Phone Number*
Your Message (Optional)
We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Work Email*
Phone Number*
Job Title*