Management of Risk

RK 01 describe the purpose of the Management of Risk (p)

RK 02 understand the purpose of the Risk Log, where within the eight processes it is created and updated, and the main responsibilities of the PRINCE2® roles in this regard (p)

RK 03 apply the Management of Risk to a given project scenario

RK 04 create, modify or discuss a Risk Log for given project scenario

RK 05 demonstrate the interfaces between the Risk Log and other PRINCE2® products especially Project Issues in a given project scenario

RK 06 identify the relationship between Management of Risk and other PRINCE2® components in a given project scenario

17.1 Risk is uncertainty of outcome: Threat or Opportunity

Whenever the business case is considered risk must be too

17.7 Benefit risk (impacts on the objectives) Identified and addressed during Business Case development & maintenance Risk log is created in SU4 1st time the Business Case is developed (for input to DP1) Benefits risk reconsidered at IP3 & SB4 ? DP2 or DP3

Whenever work is planned or executed risk must be considered

	Delivery risk (risks to or arising from project conduct)
	Identified and addressed during project planning PL6 and project execution
	17.8 Internal and external risk must be addressed Less ability to apply risk process to external risks Contingency may be most appropriate response

17.1 “The task of risk management is to manage a project’s exposure to risk (that is, the probability of specific risks occurring and the potential impact if they did occur). The aim is to manage that exposure by taking action to keep exposure to an acceptable level in a cost-effective way.”

17.2.1 Risk Tolerance “amount of risk the project manager and project board are prepared to tolerate”

IE live with knowing what contingencies are in place and cost of action & inactions

17.2 Project board’s responsibility to recognise and accept costs of risk management

	Spend just enough on management of risk to make balanced judgements between pro-active and reactive costs
	17.5 Budgets needed to cover assessment, management, responses & contingency
	Contingency is resources planned and allocated but only to be used if the linked risk occurs 16.4.1 p.236

Tolerance & responses complicated by interdependency between risks(17.7)

Consider the interaction between risks and countermeasures

Risk tolerance or appetite defines the threshold between proactive management and reactive (contingency) response

Where cost effectiveness of actions is balanced by probability, impact and proximity

Intolerable risks, by definition, require action to address cause and/ or effect

Risk is tolerable when exposure passes the point where “anything else we will only do if the risk happens”

Tolerable risk means any contingencies in place are good enough

Contingency might include “stop the project”

An intolerable risk may be rendered tolerable by proactive means plus contingencies (reactive means)

A.34.1 “to contain all information about the risks, their analysis, countermeasures and status.”

17.3 The risk management cycle

Two halves to PRINCE2® Management of Risk

	17.3.1 Risk Analysis: comprises 4 steps Identify the risk (Describe it) Evaluate the risk (Qualify impact, probability and time horizon) Identify suitable responses (Prevent, Reduce, Accept, Transfer, Contingencies) Select a response
	17.3.2 Risk Management: comprises 2 parts of 2 parts Plan and Resource (include in product model, activity lists, estimates and resource) Monitor and Report (take actions, confirm their effectiveness or not)

Risk analysis performed in

SU4, IP3, SB4, PL6, CS4 (§20.2)

Risk Management performed in

PL3, MP2-->CS2-->CS5

1st Identify the risks

	Consider each entry of Appendix C (see overleaf) for potential risks
	Create the Risk Log entry A.34
	Complete: Id, Author, Date Identified, Description and Category (Apdx C)

2nd Evaluate the risks by considering

	Probability: high medium or low (HML) or quantified if practical (eg 23%)
	Impact: H/ M/ L or quantified if practical and useful P.255 Evaluate for Time, Cost, Quality, Scope, Benefits, People/ resources
	Proximity Time to the event causing the risk or time after which the risk no longer matters

Evaluation must always be accompanied with reasons for every entry recorded in the Risk Log

3rd Identify suitable responses

	Consider 1 or more for each of: Prevent, Reduce, Accept, Transfer & Contingency
	Risks should always consider all 5 response types

4th Select (a response or responses)

	Of the possible responses none, one or more are selected for implementation in risk management
	Selected control action must represent value for money “balancing the cost of taking that action against the likelihood and impact of allowing the risk to occur,” (p256)
	Selected response recorded in the risk log

P.R.A.C.T. (see next section) are the PRINCE2® response types that must be understood for the exam

They are all negative while in reality don’t forget responses to opportunity Encourage, Enhance, Accept (Windfall) and Share or partner,

PRACT (Table 17.1)

	Prevention Stop the problem from occurring or having an impact
	Reduction Reduce the likelihood or limit the impact
	Transference Pass the impact (or action) to a third party (eg insurance/ consultancy) Use of “more competent” sub-contractor is transfer of action ? reduced probability Use of gain-share/ pain-share contract types
	Acceptance Respond to the risk within current constraints if & when it happens Normal state when contingent actions in place are considered sufficient
	Contingency Actions planned to come into force if the risk occurs
	Select [multiple] responses

17.3.2 Two major steps, four steps in total

	Plan and Resources Add tasks and actual resources required for countermeasures and contingency to plans Seek approval for revised plans 17.3.2 Countermeasures funded from project budget Contingent actions (Plan B) funded from Contingency Budget
	Monitor and Report Create mechanisms to check ongoing status of risks Watch and model trends Report Risk status in Highlight and End Stage Reports Possibly using a Risk profile Fig:17.5

Risk Log influences the project at many points in PRINCE2®

Fig 17.6

Plan and Resource

“plan …new or modified Work Packages [to respond to the risk]”

Risk Profile [and Reporting]

17.2.3 Ownership sets out who is responsible for:

	“The risk framework in totality
	… policy and … [deciding] willingness to take risk
	… the risk process, such as identifying threats, through to producing risk response and reporting
	Implementation … measures … in response to the risks
	Interdependent risks that cross organisational boundaries...”

17.2.2 Risk Responsibilities

	“one of the most important parts of the job done by the Project Board and the Project Manager”
	17.2.3 “Overall ownership of the risk management process is likely to lie with the Executive”

17.2. 3 Risk ownership: Each risk has an “owner”

	“the person best situated to keep an eye on it”
	"[has the] responsibility of monitoring each risk that they own…the actual task of monitoring may be delegated
	Project Manager normally suggest the ‘owner’ and the Project Board should make the decision

Owner often a member of the Project Management Team

Executive

	Overall ownership of the risk management process
	Ensure all parts of risk management are owned
	Take special responsibility for risks with business case implications

Project Board

	Notifying the Project Manager of any external risk exposure to the project
	Making decisions on the Project Manager’s recommended reactions to risk
	Striking a balance between the level of risk and the potential benefits that the project may achieve
	Notifying corporate or programme management of any risks that affect the project’s ability to meet corporate or programme objectives
	Be the ‘Owners’ of risks. Particularly risks from sources external to the project
	[& will delegate the day-to-day eye-balling]
	Take special responsibility for User / Supplier risks as appropriate)

Project Manager responsibilities

	Ensuring that risks are identified, recorded and regularly reviewed
	Modifying plans to include agreed actions to avoid or reduce the impact of risks
	Develop contingency plans
	Respond via contingencies or deal with the Project Issue under Change Control
	17.2.3 keeping a watching brief over all risks and check that defined actions, including monitoring, are taking place and are having the desired effect
	Typically via reminders in the Daily Log
	Reporting via Highlight Reports and the End Stage Report

Team Manager

	Log risks they identify during MP1 and PL6
	Otherwise raise new risks via Project Issue to CS3
	Manage team level/ Work Package risks
	Reporting via the Checkpoint Reports
	Contribute to identification of or responses to risks
	Take required actions (via work packages)

Organisation’s Management

	Input to risk analysis [for assessment of Impact, Probability, Proximity & suggestion of potential responses under each heading in P.R.A.C.T. see 6 slides ahead]
	Kept informed by the Project Board of the risk analysis results

Programme Management

	[Ensure] procedures used by the project are consistent and compatible with those of the programme
	Involve affected projects in programme risks

Project Assurance & Project Support & PSO

	Ensure monitoring
	Provide specialist management techniques and tools

A. 34. 3 “… risks may have been identified in work that led up to the Project Mandate. Risks may have been identified in the Project Brief and should be considered during project initiation when the Project Plan is being created. There should be a check for any new risks every time the Risk Log is reviewed, minimally at each end stage assessment. The Project Board has the responsibility to check external events continually for external risks.”

“Risks to a Stage Plan should be examined as part of the production of that plan (SB1 or SB6 & SB4, PL6)

They should be reviewed each time the Stage Plan is updated” (CS2, CS5)

The Risk Log is created along with the Business Case in Preparing a Project Brief (SU4)

Updated with the Business Case in SB3 & SB4

A risk whose event is inescapable is now a Project Issue

The risk may have been raised as an issue initially

RK03 Apply the Management of Risk to a given project scenario

RK04 Create, modify or discuss a Risk Log for given project scenario

RK05 Demonstrate the interfaces between the Risk Log and other PRINCE2® products especially Project Issues in a given project scenario

RK06 Identify the relationship between Management of Risk and other PRINCE2® components in a given project scenario

Turn to Section:5 Sample Practitioner questions and try question 4

Do this question (and all subsequent ones) against the clock Consider how long will you have in the exam for reading & answering

Re-read the scenario S:5.1 if you need to

	Be sure to read ‘Additional Information’ that is specific to Question 4
	Disregard the ‘Additional Information’ you read for Qn1 even if it is contradictory to Qn4. Every ‘Additional Information’ entry is stand-alone

Answer the question using a blank answer grid from S:5.3 then mark your answer using S:5.4

Research any questions where you disagree with the marking scheme

How long did you spend? By the time you come to the exam your target is 15mins

The next chunk, controls is fairly long but all has been seen in the context of the processes – so reasonably easy material and takes you past the ?rds point and towards the home straight