Master Project Risk with PRINCE2 7th Edition
The main purpose of a project is to take us from the old or ‘before project’ state to the new – hence any project is an enabler of change, and therefore you need to understand PRINCE2 Project Risk! Whenever you introduce change you also introduce uncertainty, and this is at the very heart of project risk management.
A simple definition of project risk would be something that hasn’t happened yet but may happen at some point in the future, and if it does it will have an impact on my project. Knowing this, it makes sense to design and embed a project risk management procedure that identifies, assesses and goes on to control project risks that threaten or enhance one or more of the project’s objectives. This is the main purpose of the PRINCE2 Risk Theme.
The ultimate success of a project is that the end product, once in operational use, goes on to realize the business benefits contained within the Business Case. If it were otherwise, projects would merely be consumers of time and resource. Therefore the management of project risk must be a continuous undertaking that is performed throughout the life of the project, and is a prerequisite for the PRINCE2 continued business justification principle.
The surprise for most novices studying project risk is that project risk can be positive as well as negative. The normal use of the term project risk implies that it is a threat, and this is true, since it is an uncertain event that could have a negative impact on meeting the project objectives. However, the project risk may instead be called an opportunity, defined as an uncertain event that would have a positive impact on the project objectives.
The common thread here is the word uncertainty; the only difference is that you would want to reduce the probability and impact of threats, and enhance the probability and impact of opportunities.
When we talk about the project objectives being threatened, for example, we are talking about the six performance aspects, which are: time, cost, quality, scope, benefits and risk. Hence, for project risk management to be effective, risks need first to be identified and understood, then assessed in terms of their probability, impact, timing and overall risk level; responses must then be implemented, and the risks monitored and controlled.
The first step in the project risk management sequence is to adopt and tailor the organization’s project risk management policy, which describes how project risk management will be implemented. In addition, the organization’s risk appetite towards project risk taking must be understood, and this will culminate within a PRINCE2 project in the creation of the risk management strategy document, laying out how project risk should be managed by this particular project.
This forms part of the project initiation documentation developed during the Initiating a Project process.
The first PRINCE2 process that is used is starting up a project, and this is triggered by the project mandate being issued by corporate or programme management. This should include any known project risk at that point in time. The daily log is created here, and used as a temporary ‘risk register’ to capture and manage any known project risk at this time.
New and modified project risks will be added during starting up a project as the project approach and project brief are created, including creation of the outline business case, and when creating the plan for the initiation stage.
During the initiating a project process, the project risk register is created at the same time as the project risk management strategy, and any outstanding project risk details contained in the daily log are now transferred to the newly created project risk register. The Business case is now refined into the detailed business case, and the business case contents include a summary of the main business project risk.
This register contains a set of details on each threat and opportunity, and will contain most of the information explained in the remainder of this article for each project risk. The activities to update the PRINCE2 project plan and Business Case are used here.
When in a PRINCE2 delivery stage, the project risk responses are implemented, monitored and controlled. The project manager is responsible here and uses the PRINCE2 process Controlling a Stage. Of particular importance is the fact that project risk management is an ongoing activity throughout the project, and as such, existing project risks may change in their probability, impact and severity, or new project risks may arise.
The PRINCE2 Change Theme addresses how issues are dealt with. For example, whenever an issue (problem, concern, request for change, off-specification) is raised, as part of issue evaluation, its impact on project risk should be determined because this may change existing project risk or create additional project risk. This takes place within the PRINCE2 activity capture and examine issues and risks.
At the end of each stage, using the managing a stage boundary process, new project risk may come to light as part of using the PRINCE2 product based planning technique for the creation of the next stage plan, and hence the project risk situation forms part of the project board decision-making at each end stage assessment via the end stage report.
Within PRINCE2, project risks are not just acted upon for management and control purposes; they are also used as a basis for making critical decisions at key points throughout the project. For the project board to make informed choices at each end stage assessment, for example, the project risk situation is considered as part of this decision making.
The PRINCE2 Project Risk Procedure

The PRINCE2 procedure for project risk management is summarized in five simple steps:
- Identify. First the context of the project is determined to understand the specific objectives that are at risk, and to develop the risk management strategy. Next, all the threats and opportunities are identified and entered, along with early warning indicators, onto the project risk register.
- Assess. This is done by determining the probability, impact and proximity (when the risk will occur) of each project risk if no action was taken. Next, all the identified threats and opportunities are aggregated together to evaluate the overall severity of the project risk, to ensure that this remains within the risk tolerance set by the project board, and hence to determine whether the project has continued business justification.
- Plan. This is where appropriate responses for each of the threats and opportunities are identified in order to reduce the former and maximize the latter.
- Implement. The project risk responses identified above, are now actioned, and how effective each response is will be monitored and corrected where necessary to achieve the desired effect.
- Communicate. Unlike the first four steps above, this is a parallel and ongoing activity to ensure that information on all of the threats and opportunities is communicated both internally and externally to the project.
I will now expand on these five PRINCE2 project risk management steps:
Project risk – Identify context
A main factor here will be the importance, complexity and scale of the project for the organisation concerned, along with understanding the specific project objectives that are at risk. There are a number of key inputs to be considered in creating the project risk management strategy document, and these include the customer’s quality expectations, the project mandate, the project brief, and the project product description. All of these will have a bearing on how risks are to be managed for this particular project.
The project risk management strategy will include decisions such as the risk procedure, tools and techniques to be used, records, reporting plus roles and responsibilities, risk scales and responses, early warning indicators and risk tolerances.
Project risk – Identify risks
This covers not only the identified threats and opportunities being entered on the project risk register, but also the early warning indicators that are prepared for each risk. These give advance warning that one or more of the project objectives may be at risk. Examples here are the completion of work packages to schedule, approval rate and reworks of products, the frequency of issues and their resolution, and the ability of the stage and project to remain on budget and schedule. Such data will be collected by the project manager as part of the PRINCE2 Controlling a Stage process.
There are many ways to identify project risk and these include brainstorming techniques, risk workshops, use of risk prompt and checklists, the use of lessons from previous projects, and a project risk breakdown structure, which is a hierarchical decomposition of the project environment relating to each project risk source.
As part of identifying project risk it is vital to express each risk in an unambiguous manner. PRINCE2 recommends first identifying the project risk cause or source of the project risk, then describing the project risk event, which is the area of uncertainty for each threat or opportunity, and then describing the project risk effect or impact should the project risk materialize.
An example here would be “as a result of postal delays due to threatened strike action (cause), there may be delays in receiving raw materials for the creation of the product (uncertain event), and this will mean we will miss our payment milestone (impact).”
Project risk – Assess
Each threat or opportunity is first estimated in terms of its probability of occurring and its impact. This must include the proximity of each project risk in terms of when it might materialize (this allows us to establish when responses are needed, and recognizes that the severity of a threat – or the potential benefit of an opportunity – will depend upon when it occurs).
There are various techniques to help estimate such project risk. An example is the use of probability trees. These predict an outcome in a qualitative way using historical data and provide a graphical representation of possible events derived from the given circumstances.
The project risk probability/impact grid
The net effect of all of the identified threats and opportunities is now evaluated, and there are various tools and approaches used both for estimating and evaluating. Of particular use here is the probability impact grid, which is used for project risk ranking.

This tool is a matrix plotting probability on a vertical scale against impact on the horizontal scale. Each scale is divided into sections ranging from very low to very high, each of which also carries a numerical value. These values are multiplied together to produce a grid showing the severity of each project risk, and hence enable risks to be ranked so that their management time and effort can be prioritized.
The summary project risk profile
Another useful way of summarizing the set of risks and their estimates is to plot them onto a summary project risk profile. This differs from the probability impact grid in that, although it also features a grid of probability against impact, it plots each risk number in the form of a scatter diagram and hence provides a simple visual summary of the number and severity of the aggregated project risk.

The project risk expected monetary value
Since the main goal of the evaluate step is to assess the net effect of the aggregated project risk, the expected monetary value technique provides a quick and easy evaluation of the overall value by multiplying the probability of each project risk by its monetary value, and then summing such values.
PRINCE2 identifies five project risk responses for threats and three responses for opportunities, along with a common response that is suitable for both. These responses will be built into the PRINCE2 Project Plan and each Stage or Exception Plan.
The project risk responses for threats are:
- Avoid. This entails taking some action upfront and hence changing some aspect of the project such that the project risk probability becomes zero and/or there will be no impact.
- Reduce. Again taking action upfront, such that either the probability or impact is reduced, although the action reduces both.
- Transfer. A third party is made responsible for all or some of the financial impact of the project risk, and this is normally done in the form of contract clauses that come into force as a result of such a risk, or it could be implemented in the form of insurance.
- Accept. A decision to accept the project risk and take no response action. This is usually done by evaluating that the severity of the project risk is less than the cost or complexity of implementing a response action. Such threats must be continually monitored to ensure that the accept response remains tolerable, and if not, then one of the other responses should be substituted.
- Fallback. This is different to the first three in that no action is taken up front. This may also be called contingency, because it entails creating a fallback plan with actions to be implemented only if the linked project risk occurs. For this reason it can only affect the impact of the project risk – not its probability.
Project Risk Budget
Another aspect of project risk management is the use or otherwise of a project risk budget, which is a sum of money included within the project budget but set aside to fund the specific management responses to the project threats and opportunities. Although this could be appropriate for any of the responses, it is particularly useful for when fallback is used, since it will only be implemented should the linked project risk actually occur.
If such a budget is to be used then both the amount and how it is to be used should be documented within the project risk management strategy document.
The responses for an opportunity are:
- Exploit. This entails taking some action upfront that will seize the opportunity ensuring that it will occur and that the positive impact will be realized.
- Enhance. This is taking action upfront to enhance or increase both the probability of the event happening along with maximizing its positive impact.
- Reject. A deliberate decision not to exploit or enhance the opportunity. This is normally chosen much like the accept response to threats, that is, because it is not economical to take such an action. In a similar way, the reject response should be monitored to ensure it remains the best choice for this individual opportunity, and a different response chosen if required.
Share
There is one project risk response which can be used for either a negative threat or a positive opportunity type of project risk. These responses will be included as part of creating the next stage plan or exception plan. This response is a form of project risk sharing between two or more parties and is normally built into a contract.
It uses some form of a pain/gain formula, and prescribed limits are used between the parties that divide up either the financial pain or gain if the opportunity or threat does not materialize.
Implement
This is where the planned project risk responses are put into action, and their ongoing effectiveness is monitored with appropriate corrective actions taken if needed. Although the project manager is responsible for project risk management, PRINCE2 suggests that responsibility for the management of each specific project risk is delegated to an individual called the ‘risk owner’.
In turn, the responsibility of carrying out each project risk action or response, may be given to a ‘risk actionee’, who will support and take direction from the risk owner. In some cases the risk owner and risk actionee can be the same individual.
Communicate
Since project risk management within a project is an ongoing and continuous activity, then so too is the communicate step. The PRINCE2 communication management strategy document should articulate how the communication of project risk aspects within the project is to be implemented. Although there are many methods for communication, the various PRINCE2 reports play a major part in the communication of project risk between the project management team and other key stakeholders.
Such reports would include the regular checkpoint reports from the team manager and the highlight reports from the project manager, both giving progress and project risk status information within the work package and current stage. The lessons reports may be created at the end of each stage and always at the end of the project, and such reports can include the learnings and recommendations from the management of project risk.
In addition, each end stage report and the end project report will again communicate aspects of project risk management as an aid to understand project risk status and for decision-making.
Finally, it is important to understand that although the project board executive is accountable for all aspects of project risk management, it is the project manager who is responsible for creating the strategy and the register, and for ensuring that project risk is identified, assessed, managed and controlled throughout the project.