Effective risk management relies on up-to-date information, effective decision making supported by analysis and evaluation, agreed risk tolerances and clear monitoring processes (PRINCE2, 2002, p239). These guidelines give an overview of risk management drawing on best practice from PRINCE2, MSP and APMP. They are standard procedures that all project managers should follow to identify, analyse, mitigate, monitor and control risk on their projects.
Risk can be defined as uncertainty of outcome, whether positive or negative. The control and containment of risk is critical to project success, and it is the task of risk management to manage a project's exposure to risk (PRINCE2, 2002, p239).
The Risk Management Plan
The Risk Management Plan supports risk management. It sets out the organisation's risk management policy, the roles and responsibilities for managing risk, any budgetary considerations and the tools, techniques and templates that must be used.
- Risk Strategy - the high-level approach to risk management, the processes and procedures for managing risk and the organisation's risk tolerance or appetite for a certain level of risk. For example, the risk of budget overruns may be more acceptable than delivery delays. Some risk areas may have much lower tolerances than others; for example, the risk of not meeting DDA guidelines may have a very low tolerance for a government website.
- Organisation - any roles and responsibilities associated with managing risk. The Project Manager will have the main responsibility, but there may be other responsibilities, perhaps for the project office or for specialist risk consultants, for example an Asbestos Consultant on a construction project.
- Risk Budgets - the money and resource that will be set aside to manage risk.
- Tools and techniques - the techniques that will be used to manage risk.
- Risk Management Templates - the templates that should be used, e.g. a risk register template and a Risk Management Strategy.
The plan should form part of the project and programme governance procedures and should be used throughout the organisation as a guide for managing risk.
The Risk Management Process
The risk management process starts with identification of risks, analysis of the impact and probability of those risks (risk assessment), selection of suitable responses, planning those responses, and monitoring and controlling the process. The OGC's risk management process is defined in Managing Successful Projects with PRINCE2. Figure 1 illustrates the PRINCE2 risk management process.
Risks will be identified throughout the project lifecycle. However, there are key points when risks should be identified:
- during the start up phase of the project when the project brief is developed,
- during initiation when the business case is refined,
- during project planning,
- at the end of each project stage,
- as part of issue management and escalation,
- at the acceptance and authorisation of a work package.
Once identified, the risks should be logged on the project risk register. There are varying approaches to risk log contents, but generally risk logs should contain:
- Risk ID - a number or reference uniquely identifying the risk.
- Risk description - a description of the risk including cause and effect.
- Identification date - the date the risk was identified.
- Risk owner - the person responsible for managing the risk to close.
- Probability/likelihood - the predicted likelihood that the risk will be realised. This is either expressed as a number or on a scale such as high/medium/low.
- Impact - the predicted impact the risk could have on the project if it is realised. This is either expressed as a number or on a scale such as high/medium/low.
- Risk Status - whether the risk is open or closed.
- Mitigating and contingent actions - the actions that will be taken to respond to the risk, including what action will be taken if the risk does occur. See also Risk Mitigation techniques.
Example Risk Register
Download a full example of the risk log or register snapshot shown above.
The risk register is a key control document for the Project Manager and should be checked, and if necessary updated, on a daily basis. As the log is updated it should be checked against the agreed risk tolerances, and any risk falling outside of tolerance should be escalated to the Project Board. Where the project is part of a programme, the risk register should be checked for risks that may impact on the programme, and those risks should also be escalated. At each sign-off stage the risk register will be a key control document, and at project close it feeds into the post-project review and lessons learned reporting.
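To make the register fields and the tolerance check above concrete, here is an added example (not from the guidelines or from PRINCE2) of a minimal risk register in Python. It records the fields listed above, scores each risk as probability times impact on a high/medium/low scale mapped to 1-3, and returns the open risks the Project Manager must escalate: those whose score exceeds the tolerance agreed for their risk area, and those flagged as affecting the programme. The `area` and `programme_impact` fields, the numeric mapping and the tolerance values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Level(IntEnum):
    """High/medium/low scale mapped to numbers so probability and impact can be combined."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Risk:
    """One risk register entry using the fields listed in the guidelines.
    `area` and `programme_impact` are assumed extra fields used for the tolerance
    lookup and programme escalation; they are not in the guidelines' field list."""
    risk_id: str
    description: str          # cause and effect
    identified: date
    owner: str                # person responsible for managing the risk to close
    probability: Level
    impact: Level
    area: str                 # tolerance category, e.g. "budget" or "schedule" (assumption)
    mitigation: str = ""      # action taken now to reduce probability or impact
    contingency: str = ""     # action taken if the risk does occur
    status: str = "open"      # "open" or "closed"
    programme_impact: bool = False  # assumption: set when the risk could affect the programme

    def score(self) -> int:
        """Probability x impact on the 1-3 scale gives a 1-9 exposure score."""
        return int(self.probability) * int(self.impact)


def risks_to_escalate(register, tolerances, default_tolerance=4):
    """Return (risk_id, reason) pairs for open risks that must go to the Project Board:
    the exposure score exceeds the tolerance agreed for the risk's area, or the risk
    is flagged as affecting the wider programme. Closed risks are ignored."""
    flagged = []
    for risk in register:
        if risk.status != "open":
            continue
        limit = tolerances.get(risk.area, default_tolerance)
        if risk.score() > limit:
            flagged.append((risk.risk_id, f"score {risk.score()} exceeds {risk.area} tolerance {limit}"))
        elif risk.programme_impact:
            flagged.append((risk.risk_id, "may impact the programme"))
    return flagged


# Constructed sample tolerances (illustrative values, not from the guidelines):
# budget overruns are tolerated more than delivery delays, and accessibility has a very low tolerance.
TOLERANCES = {"budget": 6, "schedule": 4, "accessibility": 2}

# Constructed sample register.
REGISTER = [
    Risk("R1", "Supplier quotes rise, causing a budget overrun", date(2024, 1, 8), "PM",
         Level.HIGH, Level.MEDIUM, "budget",
         mitigation="Fixed-price contract", contingency="Draw on the risk budget"),
    Risk("R2", "Key developer leaves, delaying delivery", date(2024, 1, 9), "PM",
         Level.MEDIUM, Level.HIGH, "schedule",
         mitigation="Document and pair on critical work", contingency="Engage a contractor"),
    Risk("R3", "Site fails DDA accessibility review", date(2024, 1, 10), "Web lead",
         Level.LOW, Level.HIGH, "accessibility",
         mitigation="Accessibility audit at each stage", contingency="Delay launch"),
    Risk("R4", "Data centre move clashes with other programme projects", date(2024, 1, 11), "PM",
         Level.LOW, Level.LOW, "schedule", programme_impact=True),
    Risk("R5", "Old server hardware fails", date(2024, 1, 12), "Ops",
         Level.HIGH, Level.HIGH, "schedule", status="closed"),
]

if __name__ == "__main__":
    for risk_id, reason in risks_to_escalate(REGISTER, TOLERANCES):
        print(f"Escalate {risk_id}: {reason}")
```

Run daily against the current register, the function produces the escalation list for the Project Board: R1 stays within the budget tolerance, R2 and R3 exceed their (lower) schedule and accessibility tolerances, R4 is escalated only because of its programme impact, and the closed R5 is ignored despite its high score.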
The response(s) to a given risk should reflect the risk type, its criticality and the organisation's attitude to risk. There are a number of possible responses to risks, and as risks can be threats or opportunities, these include responses that are suitable for potential opportunities. Review a list of Risk Responses.
Read more on Risk Management:
- Risk Assessment
- Business Risk
- Construction Risk Management
- Risk Management Glossary
- Risk Identification
- Risk Mitigation
- NHS Risk Register
- Risk Register template
- Risk Management Report
- Risk Responses
- Prince2 Risk Register
- Prince2 Risk Management Strategy
Risk Management Guidelines - references
Office of Government Commerce (2002), Managing Successful Projects with PRINCE2: 2009 Edition, London: TSO.
The Projects Group PLC (2006), Risk Management Overview, Sutton: The Projects Group plc. Available online from https://www.tpgacademy.com/uk/Online/courses/apmp_en_v4/risk_management/planb.html [accessed 09 September 2007].