8 : Risk

Question 1

What is risk?

Answer 1

A risk is “an uncertain event that, should it occur, will have an effect on the achievement of objectives. It consists of a comnbination of the probability of a percieved threat or opportunity occuring, and the magnitude of its impact on objectives”

Question 2

What are the two types of risks?

Answer 2

The two types of Risk are Threats and Opportunities.

• Threats are risks with negative impact
• Opportunity are risks with a positive impact.

Question 3

What is the purpose of the Risk Theme?

Answer 3

The purpose of the risk theme is to provide information on how best to do risk management in your project.

A more formal way to say this is the purpose of the Risk Theme is to provide an approach to identify, assess and control uncertainty during a project and as a result, improve the ability of the project to succeed.

Remember the words, identify, assess and control risk as this is what Risk Management is all about.

Question 4

What is the connection between a project, change, uncertainty and risk?

Answer 4

Projects are about doing something new, so they are about change. As the exact same project has not been done before there will be some uncertainty about how some parts of the projects will go. Another name for this uncertainty is risk.

Question 5

When is project Risk Management undertaken?

Answer 5

Risk management is not just done at the start of the project but is a continuous activity that must be during the full life of the project and therefore one of the main tasks for the Project Manager.

Question 6

Which role is the main person responsible for risk in a project? (Note: I am not asking for the role that will do most of the work and follow up but the main responsible.)

Answer 6

It is the Executive that is responsible for risk in a project. PRINCE2 says that the Executive is accountable for all aspects of Risk Management. They rely on the Project Manager to continually identify, assess and control risks throughout the project.

Question 7

What can be at risk?

Answer 7

PRINCE2 states that the projects objectives are at risk.

Remember the project will have objectives for the six project variables: time, cost, quality, scope, benefits and risk. (Think TeCQuila SoBeR, spelt TeCQ)

Question 8

What is Risk Management?

Answer 8

Risk Management is the systematic application of procedures to the tasks of identifying and assessing risk, and then planning and implementing risk responses.

The Risk theme provides an approach for you to be able to manage risk in a project.

Question 9

What are the 4 risk management steps?

Answer 9

The four steps to Risk Management are: Identification, Assessment, planning, and Control

1. Identification: Identify and describe the risk
2. Assess: What is the likelihood, the impact on objectives, when expected?
3. Planned for: Identifying suitable responses to risk and assigning owners
4. Control the Risk: Making sure the responses are implmented and controlled

Question 10

What are the Prince2 Risk principles? (9 things)

Answer 10

1. Understanding the project context
2. Involve the stakeholders
3. Establishing clear project objectives
4. Developing a project risk management approach
5. reporting on risks regularly
6. Defining clear roles and responsibilities
7. Establishing a support structure and supportive culture for risk management
8. Monitoriing for early warning indicators
9. Establishing a review cycle and seek continual improvement

Question 11

What are the Prince2 minimum requirements for risk? (4 things)

Answer 11

1. Define the risk management approach which must cover:
   
   1. The way we identify and assess risks, implement responses and communicate risk
   2. Assess whether the risks might affect the business justification
   3. The roles and responsibilities
2. We musst also maintain a risk register
3. Ensure risks are identified, assessed, managed and reviewed
4. Use lessons learnt to inform risk identifiation and management

Question 12

What is the risk Management approach?

Answer 12

The risk management approach outlines how risks will be managed including the processes, procedures, techniques and responsibilities.

The risk approach/strategy is created during the Initiating a project stage.

Question 13

Which other OGC method does PRINCE2 get its Risk Management procedures and principles from?

Answer 13

PRINCE2 makes use of the other OGC method, which is Management of Risk (also referred to as MOR). PRINCE2 takes advantage of all these procedures and principles that have already been defined instead of trying to re-invent the wheel. The MOR method is a generic approach to Risk, which can be used for any type of project.

Question 14

What is the Risk Register?

Answer 14

The Risk Register is used to capture and maintain the risk information (threats or opportunities) of all the risks that were identified and relate to the project.

So it provides a record of all risks including their status and history.

The risk register is created during the Initiating a project stage. Any risks identified earlier (i.e. in the starting up a project stage) should be recorded in the PM’s daily log, and transferred to the Risk register during the Initiating a project stage.

Question 15

What info should be included in the risk register? (12 things)

Answer 15

1. Risk identifier
2. Risk author: The person who raised the risk
3. Date registered
4. Risk category: the type of risk
5. Risk description
6. Probability, impact and expected value of the risk
7. Proximity (how soon could the risk occur)
8. Risk response category
9. Risk response
10. Risk status
11. Risk owner
12. Risk actionee

Question 16

What is normally the first question about Risk that should be asked by the Project Manager when considering risk and the approach to Risk Management?

Answer 16

The first question that should be asked is what risk policies already exist in the company or in the programme environment today that can be used so that there isn’t a need to re-create these. If a policy does exist, then this will save a lot of work and will provide most if not all the information you need to do Risk Management in your project.

Question 17

What is a risk policy?

Answer 17

If an in-house policy on Risk Management procedures does exist, then you can expect to have information on the following:

• Your organization’s attitude towards risk also called Risk appetite, Risk tolerances, procedures for escalation, typical roles and responsibilities, example of a Risk Management strategy document, etc.
• It should provide guidelines on how to do Risk Management according to the policy of the company.
• Using a common approach to Risk Management also means that project stakeholders that are already familiar with this approach will be able to understand how risk management is done in your project.

Question 18

What if there isn’t an existing Risk Policy?

Answer 18

They can use the Risk theme to provide the necessary information to do Risk Management in their project.

Question 19

Why have a common approach to Risk Management?

Answer 19

Using a common approach to Risk Management enables the project stakeholders that are already familiar with this approach to understand how risk management is done in your project. E.g.: Reports will be easier to understand, the scales for accessing risk will be similar etc. Therefore it is easier to see what is going on and this is also true for the Project Board.

Question 20

Does each project need its own Risk Management Strategy?

Answer 20

PRINCE2 recommends that each project should have its own Risk Management Strategy document. Creating a Risk Management strategy document for each project may seem a big task but a detailed template can be provided if you are working in a programme environment, so this will make it much easier.

Question 21

We know that the 3 steps to Risk Management are: Identification, Assessment and Control. The Risk Management Procedure has 5 steps. Name these. Use the following line to remind you: I Ate Plants In China.

Answer 21

The five steps in the Risk Management Procedure are: Identify, Assess, Plan, Implement and Communicate.

Question 22

What are the steps in the risk management procedure? (5 steps)

Answer 22

1. Identify
2. Assess
3. Plan
4. Implement
5. Communicate

Question 23

Are the Risk management procedure steps sequential?

Answer 23

The first 4 steps are sequential (Identify, Assess, Plan and Implement), while Communicate will always be done to let stakeholders know what is going on and to get continual feedback during this process.

Question 24

What must be done before the risk management procedure?

Answer 24

The first thing that has to be done is to understand the level of risk that the project is willing to accept. This is also known as the risk appetite. E.g.: If the project is to build a prototype that will just have a life of a few months, then the risk tolerance is said to be very high and so a big risk appetite. If the project is to launch a voting system that will be used in a national election in Europe, then the risk tolerance would be very low as it should work 100% correct. Once the Project Manager and Executive agree on the amount of risk the project can take, then the Project Manager should complete the Risk Management Strategy document.

Question 25

What happens in the Risk identification step of the risk management procedure?

Answer 25

1. Identify the context by examining the project documents including:
   
   1. Risk mgmt approach
   2. Project mandate
   3. Project brief
   4. Project product description
2. Identify the risks and record them in the risk register

Question 26

Where should risk management requirements come from?

Answer 26

Most of the risk management requirements come from the:

1. Project Mandate,
2. the Project Brief, and
3. the Project Product Description

Question 27

How can risks be identified?

Answer 27

• Review lessons
• Risk checklists
• Risk prompt lists
• Brainstorming
• Risk breakdown structures

Question 28

How should risks be described?

Answer 28

The risk description should include the cause, event and the effect on the objectives of the project.

The cause refers to something that is already happening, the event to something that may happen (threat or opportunity) and effect describes the effect on the project.

Question 29

Describe the following example of risk in terms of cause, event and effect on the project objectives. “Less people may come to the event as all planes could be grounded due to ash from the volcano that is blow into UK airspace.” Start with the cause, then the event that is likely to happen and then the effect on your project which is to organize a conference in London for business managers from around Europe who are expected to fly in.

Answer 29

We would write this as follows: Due to the active volcano releasing ash, there is a threat that planes will be grounded if this ash is blown into UK airspace which would cause many people not to be able to make it to the conference in London.
The original cause is the volcano releasing ash, this is already happening, the risk is the threat that this could be blow into UK airspace and the effect on the project is that many people will not be able to travel.

Question 30

What happens during the risk assessment step of the risk management procedure?

Answer 30

Assess Risk is the 2nd step in the Risk Management procedure and involves Estimating and Evaluating risk.

Estimating focuses on assessing one risk at a time while Evaluating is about evaluating all Risk together so as to get an idea of the total risk in a project.

Question 31

How are risks estimated?

Answer 31

Estimating is about assessing the probability, the impact and proximity for each threat or opportunity.

1. Probability: how likely are they to happen?
2. Impact: What will happen if it does?
3. Proximity: when will it happen?

Question 32

How should risk impact be assessed?

Answer 32

Consider the impact on the project objectives assuming you do nothing, as well as the impact on project benefits.

Question 33

What is probability, impact and proximity?

Answer 33

Probability: This is the same as the likelihood of the risk happening. You can use a % or choose from very high, high, normal scale.

Impact: The impact the risk will have on the project and must be quantified.
• E.g.: You can choose from a scale 20%.
• Remember, this can be a threat or opportunity.

Proximity: When this risk is most likely to happen.
• Scale can be in time: like in 3 months or 6 months.
• E.g.: Icy roads may not be much of a risk for a summer event but may be a concern if the event was held in November.

Question 34

What is a probability impact grid?

Answer 34

A probability and impacts matrix that provides an assessment of risk severity and therefore the ability to rank risks.

It therefore allows the project to set a risk tolerance level.

Question 35

What is the Summary Risk Profile diagram?

Answer 35

The Summary risk profile diagram is what PRINCE2 recommends to plot the estimate risk results on so that it becomes very easy to compare risks with each other.

From a Project Manager point of view, this is a great diagram to use to communicate project risk.

Question 36

What is the advantage of using a Summary Risk Profile Diagram?

Answer 36

Here are most of the advantages of using the Summary Risk Profile Diagram:
• It is easy to get an overview of all the risks.
• It is very useful for communicating the level of risk for the project to the Project Board.
• Can see which risks will need attention and action to be taken.
• Can draw a risk tolerance line on the diagram to distinguish risks that have both a higher impact and a higher probability rate from risks that have a lower level of probability and impact.
• So all risks above this Risk Tolerance line will need some action to be taken.
• The Project Manager is expected to provide risk information to the Executive and Project Board and one of the times they will do this is at the end of each stage. The project manager will include information on any changes to the risk above the Risk Tolerance line in the End Stage Report.
• And the Project Manager will immediately inform the Executive if a risk moves from below to above the Risk tolerance line.

Question 37

What is risk evaluating?

Answer 37

The objective is to evaluate all project risks together (both threats and opportunities) and so you get an overall risk value for the whole project.

Question 38

What is a secondary risk?

Answer 38

A secondary risk is a risk that relate to a new situation should a risk response be implemented.

Question 39

What happens during the planning step of the Risk Management procedure?

Answer 39

Planning is about planning the responses to threats and opportunities. Its objective is to prepare specific responses to the threats and opportunities. The objective is to reduce the threats and maximize the opportunities.

Question 40

What do you think happens if the Project Manager does not plan for a risk and the risk occurs?

Answer 40

If the Project Manager fails to plan a response to a risk, they will be caught off guard if this risk materializes. Therefore it is always good to be prepared. The risk can be a lot more damaging for the　project objectives as there is nothing planned to reduce the impact of the risk and it some cases it may be too late to do anything about the risk.
E.g.: If your project is to organize an outdoor event and one of the risk is the threat of rain. If you do nothing to prepare for this and half way during the concert it starts to rain heavy, it’s a bit late to start erecting a tent or ordering plastic ponchos to distribute. So failing to plan is planning to fail.

Question 41

Does the step of planning the responses remove or reduce risks?

Answer 41

Most of the risk response actions taken in a project are done to reduce the risk impact and can also be taken to remove the risk. E.g.: If your project is to organize an outdoor event and one of the risk is the threat of rain you can take such action of pre-ordering plastic ponchos and sell them at the outdoor event. This won’t stop it from raining but it will reduce the impact. If you were to move the event indoors then you would remove the risk.

Question 42

What are the possible responses to threats?

Answer 42

1. Avoid
2. Reduce
3. Prepare contingent plans
4. Transfer
5. Share
6. Accept

Question 43

What are the possible responses to opportunities?

Answer 43

The 4 responses for Opportunity are

1. Exploit
2. Enhance
3. Share
4. Accept
5. Transfer
6. Prepare contingent plans

Question 44

What is the Prepare Contingent Plans risk response?

Answer 44

Prepare Contingent Plans response is relevant to both threats and opportunities.

This involves creating plans to deal with the threat should it eventuate. The planned action is only done if the risk occurs. These actions will help to reduce the impact of the threat.

Question 45

What is the Accept risk response?

Answer 45

This risk response involves simply accepting the risk, not creating any contingent plans, or any action to minimise the threat or maximise the opportunity.

Question 46

What is the Avoid risk response?

Answer 46

This response involves changing something in the project so the threat no longer can have an impact or can no longer happen.

This response is only relevant to threats.

Let us say you are organizing an outdoor concert for 600 people in April the UK. One of the risks would then be Rain. So you decide to move the concert to an indoor facility to avoid the risk. In fact this response has removed the threat. If it now rains, then the rain can have no impact on the concert.

Question 47

What is the Share risk response?

Answer 47

Share is both a response for threats and opportunity where both parties share the gain if the costs are less that the planned costs and share the loss if the costs are exceeded.

An example of share using the following scenario again with the outdoor concert: You have a supplier that provides VIP toilet facilities and people are charged €1 for each service but there is a certain fixed cost you must pay to provide this service:

You could agree with the supplier to share the profits if the revenue is above this fixed cost amount and share the losses if below this amount.

Question 48

What is the Reduce risk response?

Answer 48

The reduce response plans actions to:

1) Reduce the probability (the likelihood) of the risk OR
2) Reduce the impact if they risk does occur

Reduce response is the most common way of dealing with risk.

Reduce is only relevant to threats.

Question 49

What is the Accept risk response?

Answer 49

Accept is where you identify an opportunity or a threat and decide not to take any action on it.

There can be many reasons not to do this and usually is because the threat or opportunity isn’t big enough to warrant any action.

Question 50

What is the Exploit risk response?

Answer 50

Exploit is where you decide to make use of the risk if it happens. E.g.: There is a risk (an opportunity) that the government department for technology may give subsidies in a few months time for certain technology projects. If this opportunity happens, you can then take the decision to exploit it and apply for a subsidy and it can cover 25% cost of the project.

Question 51

What is the Transfer risk response?

Answer 51

Transfer is transfering the risk to a 3rd party, usually via a contract. Taking out insurance is an example of Transferring risk, and so is making a contractor liable for the risk..

Question 52

What is the Enhance risk response?

Answer 52

Enhance is where you take actions to improve the likelihood of the event occurring and you enhance the impact if the opportunity should occur.

This is not the same as exploit but doing certain things will give a greater chance for the opportunity to happen. E.g.: The cause is that your local government is running a technology competition and the top 5 projects entered will get a subsidy of €20,000. So there is an opportunity to win this money, which will result in lowering the costs of the project and giving a better ROI for the company. Your plan response is Enhance, so you enter your project in this competition and put a good deal of effort in this to enhance your chances of getting this subsidy.

Question 53

Give an example of Reduce probability; in other words – reduce the likelihood of a risk happening. Use example of organizing an outdoor concert the UK in April and the threat is rain as it will have an effect on the concertgoers.

Answer 53

Reduce the probability is to reduce the likelihood or probability of the risk happening. Using the concert example with the threat from rain, we could move the concert from April to July where is 2.5 less times less likely to rain. This is a clear example of reducing the probability but the risk is still there.

Question 54

Give an example of Reduce impact if the Risk occurs. Use example of organizing an outdoor concert the UK in April and the threat is rain as it will have an effect on the concertgoers.

Answer 54

Here the objective is to reduce the impact in case the risk occurs. E.g.: The organizers order a load of sponsored plastic ponchos that will be offered to the concertgoers when they arrive at the concert. If it does rain during the concert, then most people will only get partly wet and thus you have reduced the impact of the rain.

Question 55

Give an example of Preparing contingent plans using the following scenario. “There is a big game on center court Wimbledon and there is a threat that it might rain. The Center course now has a roof but it takes about 10 minutes to close.”

Answer 55

The fallback plan is to close the roof once it starts to rain. This will not stop it from raining but it does reduce the impact of the rain and allows the game to continue. Note: The action of closing the roof is only done once the threat of rain occurs. If you decided to start the game with the roof closed, then you will be taking action to avoid the response.

Question 56

Give an example of Transfer response using the example of the concert. The threat that you wish to respond to is that one of your top acts may not be able to play at the event due to illness or some other reason. This may cost you a lot of money as people may ask for their money back and you have spent a lot of money organizing this event.

Answer 56

You could take out an insurance policy to cover any losses you can incur if this risk happens. E.g.: all the cost of planning another date for the concert or allowing people to claim their money back would be covered by this insurance policy. The response is that you are transferring the risk to another party.

Question 57

Give me an example of the response Accept using the following example and why you would choose this response. “There is a risk that another outdoor concert can be held around the same day as your concert and this may affect tickets sales.”

Answer 57

After some consideration, you decide to do nothing about it and continue as normal. Moving the concert to another time will just cost too much and some people have already bought tickets, so you just live with the risk. You monitor the risk during the project and see how this affects your project.

Question 58

What is the objective of Implement the planned responses?

Answer 58

The goal of this step is to ensure that the planned responses to risk are done; monitored and corrective action is taken if the planned responses are not as effective as expected. Actually the main thing to decide in this step is who is going to monitor this threat or opportunity to see if this risk happens and who will carry out the planned responses that have been decided on. The person monitoring will also check that the responses have the expected effect. So there are clear roles and responsibilities defined.

Question 59

What are the two specific roles related to risks?

Answer 59

The two roles are Risk Owner and Risk Actionee.

Question 60

What is the Risk owner responsible for?

Answer 60

The Risk Owner is responsible for managing & monitoring and controlling risks. They can also carryout actions that have been assigned to them.

Question 61

What is the Risk actionee responsible for?

Answer 61

The Risk Actionee is responsible for actually responding to risk.

They are supported by the risk owner.

Question 62

What happens in the communicate step of the risk management procedure?

Answer 62

Communication is done throughout the risk management procedure so this is continually done.

This communicate step ensures that the information related to the threats and opportunities faced by the project are communicated within and outside the project to all necessary stakeholders.

Communication about risks should occur within all the project reports including

1. Highlight reports
2. End stage reports
3. End project reports
4. Exception reports
5. Checkpoint reports

Question 63

What reports contain risk information? (4 reports)

Answer 63

The following management reports can be used to communicate risk to the stakeholders:

1. Highlight Reports,
2. End Stage Reports,
3. Lessons Reports,
4. Checkpoint reports

Question 64

Where are the guidelines for how to communicate risk information to stakeholders?

Answer 64

The guidelines for reporting come from the Communication Management Strategy document. When working on the above reports the Project Manager should always ask, “What I need to communicate regarding risk?” “What has changed since the last report?” as risk is never static.

Question 65

What is a risk budget?

Answer 65

A risk budget is a sum of money that is put aside just to deal with specific responses to threats or opportunities and it cannot be used for anything else.

Certain responses to risk will require certain actions to be done that cost money and this will be budgeted in the risk budget.

A Risk Budget is not mandatory and is created during the initiation stage of the project.

Question 66

Can the risk budget be redistributed if unused?

Answer 66

PRINCE2 states that the Risk Budget cannot be used for any other purpose. If the end of the project does not use the risk budget used, it is handed back to the Project Board.

Question 67

What is the Executive responsible for with regards to risks? (3 things)

Answer 67

They are accountable for all aspects of risk management. In particular they:

1. Ensure that the Risk Management Strategy exits
2. Ensure that risks associate with the Business Case are identified, assessed and controlled
3. Should escalate risk to the corporate or programme management as necessary

Question 68

What is the Senior User responsible for with regards to risk? (1 thing)

Answer 68

They are responsible for ensuring user risks are identified, assessed, and controlled.

In particular, they are responsible for identifying impacts and or risks related to the project benefits.

Question 69

What is the Senior Supplier responsible for with regards to risks? (1 thing)

Answer 69

They are responsible for ensuring supplier risks are identified, assessed, and controlled.

Question 70

What is the Project Manager responsible for with regards to risk? (3 things)

Answer 70

They are responsible for:

1. Create the Risk Management Strategy document,
2. Create and maintain the Risk Register
3. Ensuring that risks are continually identified, assessed and controlled throughout the project lifecycle

They can get support from Project Support for these activities.

Question 71

What are Corporate or Programme Management responsible for with regards to risk? (2 things)

Answer 71

They are responsible for:

1. Providing the corporate risk management policy (or similar)
2. Providing the risk management process guide (or similar)

Question 72

What is the Team Manager responsible for with regards to risk? (2 things)

Answer 72

They are responsible for:

1. Help with the identification, assessment and control of risk. For example, they will be asked to participate in the workshops used to identify risks
2. Include risk information in the checkpoint reports

Question 73

What are Project Assurance responsible for with regards to risk? (1 thing)

Answer 73

They are responsible for:

1. Reviewing the risk management practices to make sure they are performed in line with the projects Risk Management Strategy.

Question 74

What are Project Support responsible for with regards to risk? (1 thing)

Answer 74

They assist the Project Manager in maintaining the projects risk register

Question 75

What is risk tolerance?

Answer 75

How much risk you can take.