PRINCE2 2009 - Risk part 13
of the Cabinet Office under delegated authority from the Controller of HMSO.
The PRINCE2® approach
Risk management procedure
© Crown copyright 2005 Reproduced under licence from OGC
Plan
The primary goal of the ‘Plan’ step is to prepare specific management responses to the threats and opportunities identified, ideally to remove or reduce the threats and to maximize the opportunities.
Attention to the Plan step ensures as far as possible that the project is not taken by surprise if a risk materializes.
The Plan step involves identifying and evaluating a range of options for responding to threats and opportunities.
It is important that the risk response is proportional to the risk and that it offers value for money.
A key factor in the selection of responses will be balancing the cost of implementing the responses against the probability and impact of allowing the risk to occur.
Any chosen responses should be built into the appropriate level of plan, with a provision made for any fallback plans.
The various types of response for threats and opportunities are summarized in the diagram above.
The types of response are explained further below.
| Response | Avoid (threat) |
| Definition | Typically involves changing some aspect of the project, i.e. the scope, procurement route, supplier or sequence of activities, so that the threat either can no longer have an impact or can no longer happen. |
| Example | A critical meeting could be threatened by air travel disruption so the project chooses to hold the meeting by conference call instead. |
| Response | Reduce (threat) |
| Definition | Proactive actions taken to: Reduce the probability of the event occurring, by performing some form of control Reduce the impact of the event should it occur. |
| Example | To reduce the likelihood of users not using a product, the number of training events is increased. To reduce the timescale impact should a prototype be damaged in transit, two prototypes are built. |
| Response | Fallback (threat) |
| Definition | Putting in place a fallback plan for the actions that will be taken to reduce the impact of the threat should the risk occur. This is a reactive form of the ‘reduce’ response which has no impact on likelihood. |
| Example | The company’s test facility is only available for two weeks in August. To reduce the impact should the product not be available in time, there is a fallback plan to hire an alternate test facility (at a greater expense). |
| Response | Transfer (threat) |
| Definition | A third party takes on responsibility for some of the financial impact of the threat. (For example, through insurance or by means of appropriate clauses in a contract.) This is a form of the ‘reduce’ response which only reduces the financial impact of the threat. |
| Example | To reduce the financial impact should a prototype be damaged in transit, it is insured. To reduce the financial impact if a product is not available to launch in time [see 'The Complete Time Management package'] for a trade show, the contract with the supplier includes liquidated damage clauses for any delays. |
| Response | Accept (threat) |
| Definition | A conscious and deliberate decision is taken to retain the threat, having discerned that it is more economical to do so than to attempt a threat response action. The threat should continue to be monitored to ensure that it remains tolerable. |
| Example | There is a threat that a competitor may launch a rival product first, thus affecting the expected market share for the product. The choice is to accelerate the project by increasing the resources, to reduce the product’s scope so that it can be finished earlier, or to do nothing. Accelerating the project may lead to product quality issues; reducing the scope may make the product less appealing; so the risk is accepted and the ‘do nothing’ option is chosen. |
| Response | Share (threat or opportunity) |
| Definition | Modern procurement methods commonly entail a form of risk sharing through the application of a pain/gain formula: both parties share the gain (within pre-agreed limits) if the cost is less than the cost plan; and share the pain (again within pre-agreed limits) if the cost plan is exceeded. Several industries include risk-sharing principles within their contracts with third parties. |
| Example | The cost of the project could be adversely affected due to fluctuations in the cost of oil. The customer and supplier agree to share the cost of price increases or the savings from price reductions equally from a midpoint fixed at the time of agreeing the contract. |
| Response | Exploit (opportunity) |
| Definition | Seizing an opportunity to ensure that the opportunity will happen and that the impact will be realized. |
| Example | There is a risk that the project will be delayed. If it is delayed, a later version of software could be implemented instead which would reduce ongoing maintenance. The Project Board agree to change the project timescale and scope, enabling the later version of the software to be bought and implemented. |
| Response | Enhance (opportunity) |
| Definition | Proactive actions taken to: Enhance the probability of the event occurring Enhance the impact of the event should it occur. |
| Example | It is possible that the product completes user acceptance testing in a single test cycle, rather than the scheduled two, enabling it to be delivered early and prior to a competitor’s rival product. The Project Board decide to hold a test rehearsal to increase the likelihood that the product will pass its first user acceptance tests, and prepare for the option of an earlier launch date. |
| Response | Reject (opportunity) |
| Definition | A conscious and deliberate decision is taken not to exploit or enhance the opportunity, having discerned that it is more economical not to attempt an opportunity response action. The opportunity should continue to be monitored. |
| Example | It is possible that the product completes user acceptance testing in a single test cycle, rather than the scheduled two, enabling it to be delivered early and prior to a competitor’s rival product. The Project Board decide not to take advantage of an early release and to stick with the planned launch date. |
Risk responses do not necessarily remove the inherent risk in its entirety, leaving residual risk.
If the inherent risk was significant and the risk response was only partially successful, the residual risk can be considerable.
It may be appropriate to select more than one risk response.
In some cases, implementing a risk response will reduce or remove other related risks.
It is also possible that the responses to risks, once implemented, will change some aspect of the project.
This in turn may lead to secondary risks, i.e. risks that may occur as a result of invoking a risk response.
It is essential that these are identified, assessed and controlled in the same way as the inherent risk.
It is advisable to review lessons from previous similar projects when planning risk responses.
This will help in identifying the range of responses available and in evaluating how effective they are likely to be.
Consideration should also be given to the effect the possible responses could have on:
- The Project Plan, Stage Plan and Work Packages
- The Business Case
- Corporate and/or programme management.
Risk management is a large area and is covered in depth in ‘The Complete Risk Management package’.
PRINCE2® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.
Managing Successful Projects with PRINCE2 - 2005 edition
Managing successful Projects with PRINCE2 – 2009 edition
Directing Projects with PRINCE2.
plus:
The Complete Project Management package.
And much more besides - at a fantastic price.