Prince2 header
products page

PRINCE2 - Management of Risk part 1

What is it?

[see, the area of risk management is covered in much more detail in the 'The Complete Risk Management package‘].

You will not be able to run a project in the absence of risk.
It concerns uncertainty in the outcome of an event. This may take the form of a positive opportunity or a threat.
All major risks must be identified and a process put in place to minimise their impact on the project.

You cannot manage risk in a reactive manner. This would involve hoping that they did not occur and if they did just trying to tidy up any adverse effects. Risk management must be proactive. You must understand what the risks are and have plans in place to deal with them.

These would be planned proactive contingencies. As you will be aware they could occur you will often set a ‘trigger’ that will mean the contingency plan will be put into effect. Some risks will only become apparent ‘as they occur’. These are unavoidable and must be dealt with at the time to reduce their impact. The knowledge of such events will help in the management of subsequent stages and projects.

Risk management requires:

  • Good information concerning risks
  • A process from which decisions can be made
  • Control through monitoring the risks


Projects mean change which often goes hand-in-hand with new technologies and hence risks.

Effective risk management requires:

Management of risk - principlesManagement of risk - principles large
  • The Project Board must support the need to assess risk and the resources that may be required
  • Risk management policies and its benefits are understood to all concerned
  • The project management process gives due regard to the management of risk
  • Risk management must be seen as an essential part of business objectives
  • Risks must be managed
  • There is a clear structure into which all risk assessment should fall
  • All risks at project level must be flagged up to higher level programme management as necessary

Risk tolerance

This reflects just how much risk the Project Board and Project Manager is prepared to accept.
This will depend on various factors and impacts. For example,

  • What budget is available?
  • What would be the effect on other parts of the organisation or programmes
  • What are the external affects? For example, public relations
  • What is the company stance on health and safety risks?

There must be a system that can evaluate risk in terms of impact versus probability .

Risk responsibilities

The Project Board has the following responsibilities:

  • They must notify the Project Manager of any external risk that may have an impact on the project
  • They make decisions on the Project Manager’s recommendations of risk management
  • They must provide a balance between the level of risk and potential benefits that the project may achieve
  • They must notify corporate or programme management of any risks that may affect the completion of their objectives

The Project Manager must ensure any risks are identified, recorded and reviewed.

Following risk reviews and agreed actions the Project Manager must update the Project Plan.

Any processes used to identify, record and review risks for a project must be consistent with any processes used at programme level.
Any exceptions to this must be justified.
Risk analysis is a cross project affair. Where risks are identified at programme level that may affect integral projects they must be informed.
Individuals should be involved from a variety of projects where risk may impact.

Risk ownership

Risk must be owned. Without this risks will drift and people will believe that someone else is looking after them.
The Project Manager must appoint individuals to monitor and own each identified risk these might require approval by the Project Board. Even the Project Board may be the owners of the risk, particularly for anything external.

Ownership should cover:

  • The whole of the risk framework in total (this is likely to rest with the Executive)
  • Setting of the risk policy and the project team’s willingness to take a risk
  • Elements of the process such as identifying risks through to responses and reporting
  • Implementation of any measures identified to alleviate the risks
  • The ownership of any risks that cross organisational boundaries

All aspects of ownership must be agreed, defined and documented.

In the case of a Project Board member owning the risk it may be delegated but accountability remains with the Project Board member. The Executive has overall accountability for risk and the Project Manager must see that any action are implemented, monitored and that desirable outcomes result.

Risks will be reported in various documents:

  • Checkpoint Reports (team level)
  • Highlight Report (prepared by the Project Manager)
  • End Stage Report

When a risk actually occurs it is the Project Manager’s responsibility to implement the contingency plan.

Risk management cycle

Risk is not static. Like many things in a project it can change.
This means that risk must be reviewed at intervals. This is usually at the end of a stage but can be sooner.
The impact and probability of it happening may well alter throughout the project.

This product contains EVERYTHING in the publications:

Managing Successful Projects with PRINCE2 - 2005 edition
Managing successful Projects with PRINCE2 – 2009 edition
Directing Projects with PRINCE2.
The Complete Project Management package.

And much more besides - at a fantastic price.