8 : Risk

Question 1

What is the purpose of the Risk Theme? Answer in your own words.

Answer 1

The purpose of the risk theme is to provide information on how best to do risk management in your project. A more formal way to say this is the purpose of the Risk Theme is to provide an approach to identify, assess and control uncertainty during a project and as a result, improve the ability of the project to succeed. Remember the words, identify, assess and control risk as this is what Risk Management is all about.

Question 2

What do you think is the connection between a project, change, uncertainty and risk?

Answer 2

Projects are about doing something new, so they are about change. As the exact same project has not been done before there will be some uncertainty about how some parts of the projects will go. Another name for this uncertainty is risk.

Question 3

Is Risk Management just done at the start of the project, for example, when creating the Risk Management Strategy?

Answer 3

Risk management is not just done at the start of the project but is a continuous activity that must be during the full life of the project and therefore one of the main tasks for the Project Manager.

Question 4

Which role is the main person responsible for risk in a project? (Note: I am not asking for the role that will do most of the work and follow up but the main responsible.)

Answer 4

It is the Executive that is responsible for risk in a project. PRINCE2 says that the Executive is accountable for all aspects of Risk Management. They rely on the Project Manager to continually identify, assess and control risks throughout the project.

Question 5

PRINCE2 uses the MOR definition of Risk and MOR is the Risk method from OCG that is focused on Risk. Finish this definition by adding one word. “Risk is a set of events, that should it occur, will have an effect on the achieving of the project ______.”

Answer 5

Risk is a set of events that should it occur will have an effect of the achieving of the project objectives.

Question 6

Name two types of risks?

Answer 6

The two types of Risk are Threats and Opportunities. We are used to see risk as negative but there can also be risks where something positive can happen and this is seen an opportunity. Eg: You are organizing an outdoor event and the risk is that it could be sunny so you can sell ice cream. So from a risk point of view, we say this is an opportunity to sell ice cream.

Question 7

What is at Risk or what does PRINCE2 say is at Risk?

Answer 7

You may say that the project or perhaps user satisfaction is at Risk. PRINCE2 states that the projects objectives are at risk. Remember the project will have objectives for the six project variables: time, cost, quality, scope, benefits and risk. (Think TeCQuila SoBeR, spelt TeCQ)

Question 8

What is Risk Management? (Tip: Begin your answer with “Risk Management is about the steps you take in a systematic way that will enable you to identify……”)

Answer 8

Risk Management is about the steps you take in a systematic way that will enable you to identify risk, assess risk and then to control risk such as how to respond to risk. The Risk theme provides an approach for you to be able to manage risk in a project.

Question 9

Name the three steps to Risk Management. (Tip: First is Identification)

Answer 9

The three steps to Risk Management are: Identification, Assessment and Control
• Identification: How to identify and describe the risk
• Assess the Risk: Ask what is the likelihood, the impact on objectives, when expected
• Control the Risk: How to respond to risk; assign a risk owner, execute responses if the risk occurs, monitor etc.

Question 10

Which other OGC method does PRINCE2 get its Risk Management procedures and principles from?

Answer 10

PRINCE2 makes use of the other OGC method, which is Management of Risk (also referred to as MOR). PRINCE2 takes advantage of all these procedures and principles that have already been defined instead of trying to re-invent the wheel. The MOR method is a generic approach to Risk, which can be used for any type of project.

Question 11

What is normally the first question about Risk that should be asked by the Project Manager when considering risk and the approach to Risk Management?

Answer 11

The first question that should be asked is what risk policies already exist in the company or in the programme environment today that can be used so that there isn’t a need to re-create these. If a policy does exist, then this will save a lot of work and will provide most if not all the information you need to do Risk Management in your project.

Question 12

List some of the information that you would expect to find in a company’s risk policy and procedures to help with Risk Management.

Answer 12

If an in-house policy on Risk Management procedures does exist, then you can expect to have information on the following:
• Your organization’s attitude towards risk also called Risk appetite, Risk tolerances, procedures for escalation, typical roles and responsibilities, example of a Risk Management strategy document, etc.
• It should provide guidelines on how to do Risk Management according to the policy of the company.
• Using a common approach to Risk Management also means that project stakeholders that are already familiar with this approach will be able to understand how risk management is done in your project.

Question 13

What would you advise a Project Manager to do if they don’t have internal Risk Policy in the company?

Answer 13

They can use the Risk theme to provide the necessary information to do Risk Management in their project.

Question 14

What is the advantage for stakeholders to have a common approach to Risk Management?

Answer 14

Using a common approach to Risk Management enables the project stakeholders that are already familiar with this approach to understand how risk management is done in your project. E.g.: Reports will be easier to understand, the scales for accessing risk will be similar etc. Therefore it is easier to see what is going on and this is also true for the Project Board.

Question 15

Does PRINCE2 recommend using one Risk Management Strategy for all projects in a company or should each project have a separate Risk Management Strategy?

Answer 15

PRINCE2 recommends that each project should have its own Risk Management Strategy document. Creating a Risk Management strategy document for each project may seem a big task but a detailed template can be provided if you are working in a programme environment, so this will make it much easier.

Question 16

What does the Risk Register do? (Tip: use the word capture, maintain and history in your reply)

Answer 16

The Risk Register is used to capture and maintain the risk information (threats or opportunities) of all the risks that were identified and relate to the project. So it provides a record of all risks including their status and history.

Question 17

We know that the 3 steps to Risk Management are: Identification, Assessment and Control. The Risk Management Procedure has 5 steps. Name these. Use the following line to remind you: I Ate Plants In China.

Answer 17

The five steps in the Risk Management Procedure are: Identify, Assess, Plan, Implement and Communicate.

Question 18

Which of the 5 Risk Management Procedure steps are sequential and which steps have to be done constantly? The 5 steps are: Identify, Assess, Plan, Implement and Communicate.

Answer 18

The first 4 steps are sequential (Identify, Assess, Plan and Implement), while Communicate will always be done to let stakeholders know what is going on and to get continual feedback during this process.

Question 19

The first step in the Risk Management Procedure is Identify but there are two important things that have to be done before the project can start to identify risks. Can you name these? (Tip: Appetite and the document that describes how Risk will be done in the project)

Answer 19

The first thing that has to be done is to understand the level of risk that the project is willing to accept. This is also known as the risk appetite. E.g.: If the project is to build a prototype that will just have a life of a few months, then the risk tolerance is said to be very high and so a big risk appetite. If the project is to launch a voting system that will be used in a national election in Europe, then the risk tolerance would be very low as it should work 100% correct. Once the Project Manager and Executive agree on the amount of risk the project can take, then the Project Manager should complete the Risk Management Strategy document.

Question 20

The answers to the questions that are asked to understand the risk management requirements and to be able to prepare the Risk Management Strategy document mostly come from three management products that are available before the Risk Management Strategy document has to be completed. List one or two of these documents. (Tip: The Risk Management Strategy document is created in the Initiation Stage)

Answer 20

Most of the answers to these questions come from the Project Mandate, the Project Brief, and Project Product Description.

Question 21

PRINCE2 recommends that risks should be described in a certain way which should include the cause, the event and something else. Name this something and explain each of the three terms in a few words.

Answer 21

The risk description should include the cause, event and the effect on the objectives of the project. The cause refers to something that is already happening, the event to something that may happen (threat or opportunity) and effect describes the effect on the project.

Question 22

Describe the following example of risk in terms of cause, event and effect on the project objectives. “Less people may come to the event as all planes could be grounded due to ash from the volcano that is blow into UK airspace.” Start with the cause, then the event that is likely to happen and then the effect on your project which is to organize a conference in London for business managers from around Europe who are expected to fly in.

Answer 22

We would write this as follows: Due to the active volcano releasing ash, there is a threat that planes will be grounded if this ash is blown into UK airspace which would cause many people not to be able to make it to the conference in London.
The original cause is the volcano releasing ash, this is already happening, the risk is the threat that this could be blow into UK airspace and the effect on the project is that many people will not be able to travel.

Question 23

Assess Risk is the 2nd step in the Risk Management procedure and it has two steps which are Estimating and Evaluating risk. What is the difference between Estimating and Evaluating risk?

Answer 23

Estimating focuses on assessing one risk at a time while Evaluating is about evaluating all Risk together so as to get an idea of the total risk in a project. So it is better to think of Evaluation as evaluating total Risk. This will make it easier to remember.

Question 24

Which 3 things are assessed when estimating a risk? (Tip: likelihood, cost & when)

Answer 24

Estimating is about assessing the probability, the impact and proximity for each threat or opportunity. These are also three of the columns in a Risk Register. Usually the Project Manager can choose from a scale like Very High, High, Normal, Low & Very Low when filling in the value for impact and these can be linked to different ranges of cost.
E.g.: Impact Value: Very low could be under 2% of the project cost while very high could be more than 40%.
E.g.: Proximity value: Very low could be 12 months away, very high could be in the next month.
All of these scales are decided in the initiation stage are documented in the Risk Management Strategy document.

Question 25

How would you explain the following using just a few simple words: probability, impact and proximity? What kind of scale could be used? Use your own words as there are many ways to explain these terms.

Answer 25

Probability: This is the same as the likelihood of the risk happening. You can use a % or choose from very high, high, normal scale.
Impact: The impact the risk will have on the project and must be quantified.
• E.g.: You can choose from a scale 20%.
• Remember, this can be a threat or opportunity.
Proximity: When this risk is most likely to happen.
• Scale can be in time: like in 3 months or 6 months.
• E.g.: Icy roads may not be much of a risk for a summer event but may be a concern if the event was held in November.

Question 26

What is the name of the diagram that PRINCE2 recommends to plot the estimate risk results on so that it becomes very easy to compare risks with each other? (Tip: Summary something, something, diagram)

Answer 26

The name of the diagram is the Summary Risk Profile diagram. Note: You don’t need to know the name for the exam but you should be able to recognize the name and know what it is. From a Project Manager point of view, this is a great diagram to use to communicate project risk.

Question 27

There are a number of advantages to using the Summary Risk Profile Diagram to communicate risk. Can you suggest two advantages? (Tip: just think of the different information that you can get and who will read it.)

Answer 27

Here are most of the advantages of using the Summary Risk Profile Diagram:
• It is easy to get an overview of all the risks.
• It is very useful for communicating the level of risk for the project to the Project Board.
• Can see which risks will need attention and action to be taken.
• Can draw a risk tolerance line on the diagram to distinguish risks that have both a higher impact and a higher probability rate from risks that have a lower level of probability and impact.
• So all risks above this Risk Tolerance line will need some action to be taken.
• The Project Manager is expected to provide risk information to the Executive and Project Board and one of the times they will do this is at the end of each stage. The project manager will include information on any changes to the risk above the Risk Tolerance line in the End Stage Report.
• And the Project Manager will immediately inform the Executive if a risk moves from below to above the Risk tolerance line.

Question 28

Evaluating is the 2nd part of assessing risk after estimating. What is the objective of Evaluating in your own words?

Answer 28

The objective is to evaluate all project risks together (both threats and opportunities) and so you get an overall risk value for the whole project.

Question 29

Why is the Estimate value useful? Answer in your own words.

Answer 29

This is an estimate risk value for the whole project which could be very useful information when the Project Board has to decide to allow the project to start. Also the corporate or Programme Management may have a tolerance level for all projects to be under otherwise they are now allowed to start.

Question 30

Plan the responses is the 3rd step in the Risk Management procedure. What is planned or done in this step?

Answer 30

Planning is about planning the responses to threats and opportunities. Its objective is to prepare specific responses to the threats and opportunities. The objective is to reduce the threats and maximize the opportunities.

Question 31

What do you think happens if the Project Manager does not plan for a risk and the risk occurs?

Answer 31

If the Project Manager fails to plan a response to a risk, they will be caught off guard if this risk materializes. Therefore it is always good to be prepared. The risk can be a lot more damaging for the　project objectives as there is nothing planned to reduce the impact of the risk and it some cases it may be too late to do anything about the risk.
E.g.: If your project is to organize an outdoor event and one of the risk is the threat of rain. If you do nothing to prepare for this and half way during the concert it starts to rain heavy, it’s a bit late to start erecting a tent or ordering plastic ponchos to distribute. So failing to plan is planning to fail.

Question 32

Does the step of planning the responses remove or reduce risks?

Answer 32

Most of the risk response actions taken in a project are done to reduce the risk impact and can also be taken to remove the risk. E.g.: If your project is to organize an outdoor event and one of the risk is the threat of rain you can take such action of pre-ordering plastic ponchos and sell them at the outdoor event. This won’t stop it from raining but it will reduce the impact. If you were to move the event indoors then you would remove the risk.

Question 33

PRINCE2 suggests 6 responses for Threats. Name three of these. The most important thing is to be able to recognize these names if you see them in a question.

Answer 33

The 6 responses for threats: The 6 responses for threats are: Avoid, Reduce, Fallback, Transfer, Share & Accept.

Question 34

PRINCE2 suggests 4 responses for opportunities, name 2 of these and which responses is the same as one of the responses as Threat.

Answer 34

The 4 responses for Opportunity are Exploit, Enhance, Share and Reject. The response Share, is both a response for Threats and Opportunities.

Question 35

Explain the threat response “Avoid”. What effect does it have on the threat and impact? Answer if your own words.

Answer 35

This response involves changing something in the project so the threat no longer can have an impact or can no longer happen. Let us say you are organizing an outdoor concert for 600 people in April the UK. One of the risks would then be Rain. So you decide to move the concert to an indoor facility to avoid the risk. In fact this response has removed the threat. If it now rains, then the rain can have no impact on the concert.

Question 36

Explain the response “Reduce”. What effect does this have on the threat? Explain in your own words. (Tip: Comment on probability and impact)

Answer 36

The reduce response plans actions to:
1) Reduce the probability (the likelihood) of the risk OR
2) Reduce the impact if they risk does occur
Reduce response is the most common way of dealing this risk.

Question 37

Give an example of Reduce probability; in other words – reduce the likelihood of a risk happening. Use example of organizing an outdoor concert the UK in April and the threat is rain as it will have an effect on the concertgoers.

Answer 37

Reduce the probability is to reduce the likelihood or probability of the risk happening. Using the concert example with the threat from rain, we could move the concert from April to July where is 2.5 less times less likely to rain. This is a clear example of reducing the probability but the risk is still there.

Question 38

Give an example of Reduce impact if the Risk occurs. Use example of organizing an outdoor concert the UK in April and the threat is rain as it will have an effect on the concertgoers.

Answer 38

Here the objective is to reduce the impact in case the risk occurs. E.g.: The organizers order a load of sponsored plastic ponchos that will be offered to the concertgoers when they arrive at the concert. If it does rain during the concert, then most people will only get partly wet and thus you have reduced the impact of the rain.

Question 39

Explain the response “Fallback”. When is this response put into action? What is the effect on the impact of the risk?

Answer 39

Fallback is also referred to as contingency. This is fallback plan of actions that will be done if the risk occurs and the risk has now become an issue, so action is only done if the risk occurs. These actions will help to reduce the impact of the threat.

Question 40

Give an example of fallback using the following scenario. “There is a big game on center court Wimbledon and there is a threat that it might rain. The Center course now has a roof but it takes about 10 minutes to close.”

Answer 40

The fallback plan is to close the roof once it starts to rain. This will not stop it from raining but it does reduce the impact of the rain and allows the game to continue. Note: The action of closing the roof is only done once the threat of rain occurs. If you decided to start the game with the roof closed, then you will be taking action to avoid the response.

Question 41

Give an example of Transfer response using the example of the concert. The threat that you wish to respond to is that one of your top acts may not be able to play at the event due to illness or some other reason. This may cost you a lot of money as people may ask for their money back and you have spent a lot of money organizing this event.

Answer 41

You could take out an insurance policy to cover any losses you can incur if this risk happens. E.g.: all the cost of planning another date for the concert or allowing people to claim their money back would be covered by this insurance policy. The response is that you are transferring the risk to another party.

Question 42

Give me an example of the response Accept using the following example and why you would choose this response. “There is a risk that another outdoor concert can be held around the same day as your concert and this may affect tickets sales.”

Answer 42

After some consideration, you decide to do nothing about it and continue as normal. Moving the concert to another time will just cost too much and some people have already bought tickets, so you just live with the risk. You monitor the risk during the project and see how this affects your project.

Question 43

Share is both a response for threats and opportunity where both parties share the gain if the costs are less that the planned costs and share the loss if the costs are exceeded. Give an example of share using the following scenario again with the outdoor concert: You have a supplier that provides VIP toilet facilities and people are charged €1 for each service but there is a certain fixed cost you must pay to provide this service:

Answer 43

You could agree with the supplier to share the profits if the revenue is above this fixed cost amount and share the losses if below this amount.

Question 44

What is meant by response Exploit an opportunity? Answer in your own words.

Answer 44

Exploit is where you decide to make use of the risk if it happens. E.g.: There is a risk (an opportunity) that the government department for technology may give subsidies in a few months time for certain technology projects. If this opportunity happens, you can then take the decision to exploit it and apply for a subsidy and it can cover 25% cost of the project.

Question 45

What is meant by the response Enhance an opportunity? Answer in your own words.

Answer 45

Enhance is where you take actions to improve the likelihood of the event occurring and you enhance the impact if the opportunity should occur. This is not the same as exploit but doing certain things will give a greater chance for the opportunity to happen. E.g.: The cause is that your local government is running a technology competition and the top 5 projects entered will get a subsidy of €20,000. So there is an opportunity to win this money, which will result in lowering the costs of the project and giving a better ROI for the company. Your plan response is Enhance, so you enter your project in this competition and put a good deal of effort in this to enhance your chances of getting this subsidy.

Question 46

What is meant by the response Reject an opportunity? And give an example.

Answer 46

Reject is where you identify an opportunity and decide not to take any action on this opportunity. There can be many reasons not to do this. E.g.: It may result in losing focus on your main objective or the return on this opportunity could be low compared to the rest of the project. E.g.: You understand there is an opportunity that the local government will offer a subsidy of 25% of the cost of each project like the project you are doing. However, after looking into this you see that the information you give will be made public and you may have to wait up to 18 months to receive the subsidy. So your response to this opportunity will be to reject it.

Question 47

What is the objective of Implement the planned responses? (Tip: Also think of what is done after you after you take action.)

Answer 47

The goal of this step is to ensure that the planned responses to risk are done; monitored and corrective action is taken if the planned responses are not as effective as expected. Actually the main thing to decide in this step is who is going to monitor this threat or opportunity to see if this risk happens and who will carry out the planned responses that have been decided on. The person monitoring will also check that the responses have the expected effect. So there are clear roles and responsibilities defined.

Question 48

There are two specific roles to Implement the responses. Name these. (Tip: they both start with Risk.

Answer 48

The two roles are Risk Owner and Risk Actionee.
• The Risk Owner is responsible for managing & monitoring risks aspects. They can also carryout actions that have been assigned to them. So see them as the main responsible.
• The Risk actionee is someone who is assigned to carry out a particular action and they support the risk owner. So they are not responsible monitoring or managing the risk.
• Note: The Risk Owner and Risk Actionee can also be the same person.

Question 49

What happens in the communicate step which is the 5th step of the Risk Management procedure and when is communication done?

Answer 49

Communication is done throughout the risk management procedure so this is continually done. This communicate step ensures that the information related to the threats and opportunities faced by the project are communicated within and outside the project to all necessary stakeholders. Good communication also builds trust and is necessary to allow stakeholders to provide better feedback about existing and new risks.

Question 50

Name two of the existing management reports that are used to communicate threats and opportunities after the Initiation stage has completed.

Answer 50

The following management reports can be used to communicate risk to the stakeholders:
• Highlight Reports, End Stage Reports, Lessons Reports, Checkpoint reports

Question 51

Where are the guidelines for how to communicate risk information to stakeholders? (Tip: this is not the Risk Management Strategy document)

Answer 51

The guidelines for reporting come from the Communication Management Strategy document. When working on the above reports the Project Manager should always ask, “What I need to communicate regarding risk?” “What has changed since the last report?” as risk is never static.

Question 52

What is a risk budget? Is it mandatory and when is created?

Answer 52

A risk budget is a sum of money that is put aside just to deal with specific responses to threats or opportunities and it cannot be used for anything else. Certain responses to risk will require certain actions to be done that cost money and this will be budgeted in the risk budget. A Risk Budget is not mandatory and is created during the initiation stage of the project.

Question 53

If the risk budget is still not used late in the project, can it be used to help with extra change requests that have been agreed?

Answer 53

PRINCE2 states that the Risk Budget cannot be used for any other purpose. If the end of the project does not use the risk budget used, it is handed back to the Project Board.

Question 54

Who is responsible for the following in the Risk theme?
• Are accountable for all aspects of the risk management
• Ensure that the Risk Management Strategy exits
• Ensure that risks associate with the Business Case are identified, assessed and controlled
• Escalate risk to the cooperate or programme management as necessary

Answer 54

This is the Executive.

Question 55

Who is responsible for the following in the Risk theme?
• Ensure that risks to the user are identified, assessed and controlled
• This encourages them to identify risks and provide information to the Project Manager and to read the reports provided by the Project Manager

Answer 55

This is the Senior User.

Question 56

Who is responsible for the following in the Risk theme?
• Create the Risk Management Strategy document,
• Create and maintain the Risk Register and they can get assistance from Project Support
• Ensure that risks are continually identified, assessed and controlled throughout the project lifecycle
• Keep the summary risk diagram up to date and communicate to the project stakeholders

Answer 56

This is the Project Manager.

Question 57

Who is responsible for the following in the Risk theme?

• Provide the corporate risk management policy and risk management process guide, or similar documents

Answer 57

This is corporate or Programme Management.

Question 58

Who is responsible for the following in the Risk theme?
• Help with the identification, assessment and control of risk.
• For example, they will be asked to participate in the workshops used to identify risks
• Include risk information in the checkpoint reports

Answer 58

This is the Team Manager.

Question 59

Who is responsible for the following in the Risk theme?
• Review the risk management practices to make sure they are performed in line with the projects Risk Management Strategy. Actually they do this for the 4 strategy documents

Answer 59

This is Project Assurance.

Question 60

Who is responsible for the following in the Risk theme?

• Assist the Project Manager in maintaining the projects risk register

Answer 60

This is Project Support.