The Risk Theme - Part 3


PRINCE2 Foundation


The course focuses on the components of the method and how they help to structure project delivery. Delegates should note that evening work will be assigned which is not expected to exceed two hours per night.

Specific course content will include:

PRINCE2 Overview

  • The structure of the method and the guide will be introduced before we discuss the context within which a PRINCE2 project operates.

Principles

  • The seven PRINCE2 principles provide the framework for managing the project and are built on good practice developed from successful and failed projects.

Themes and Processes


The seven PRINCE2 themes are aspects of the project that must be continually addressed and integrated as the project journeys through its life cycle.

  1. Business Case
  2. Organization
  3. Quality
  4. Plans
  5. Risk
  6. Change
  7. Progress


The seven PRINCE2 processes encompass the chronological activities that are required to direct, manage and deliver the project successfully. The activities include pre-project, initiation and delivery, and end with project closure.

  1. Starting up a Project
  2. Directing a Project
  3. Initiating a Project
  4. Controlling a Stage
  5. Managing Product Delivery
  6. Managing a Stage Boundary
  7. Closing a Project


PRINCE2® is a [registered] trade mark of AXELOS Limited, used under permission of AXELOS Limited. All rights reserved.

The Swirl logo™ is a trade mark of AXELOS Limited, used under permission of AXELOS Limited. All rights reserved


- Welcome to Module 10, Part three where we finish off the risk theme. We've already introduced the risk management procedure and now we complete it by looking at plan, implement and communicate. In the identify step, we thought about the risk approach, writing that and filling in a risk register with all our different identified risks and then in the assess step, we assess them in probability, impact, proximity and how that might change over time. So now we look at the plan step and here we think about our risk responses and there are a number of different risk responses that PRINCE2 recommends, and there are different risk responses depending on whether or not we think that risk is a threat or whether or not we think it's an opportunity. So I'm going to take a look at these different risk responses. Some of them are actually the same for threats and opportunities, we'll look at that too. The first risk response for threat is to avoid and so in the avoid risk response, we're taking actions to make sure that there is zero chance of that risk occurring. If we take these steps and avoid the risk, that means there is no uncertainty anymore, it won't happen. So there is zero chance if we avoid of this risk occurring and avoiding a risk is sometimes not possible because the risk might be to do with the weather or competitors and we simply don't have the ability to avoid it completely, might not be cost effective to avoid either. In fact, we might have to actually not avoid it, we might take other steps and other risk responses but just for now, let's think of avoid, getting rid of the uncertainty. If this was an opportunity the other side of the coin here, if we want to make it happen, then we would say that we are exploiting it, our risk response would be to exploit the risk. So if we manage to exploit the risk, we make it happen, there is now a 100% chance of this risk occurring so again, there's no more uncertainty here, it will happen. 
And again, we might not be able to exploit uncertainty or an opportunity, because to do with competitors or the weather, for example, it might not be cost effective. So there are other responses that we can carry out instead. If it is a threat and we can't avoid it, we may instead want to reduce it and here we're taking steps to reduce probability or impact or both. So can we reduce the chance of that occurring? Can we reduce the impact if it does? And if we look at the opportunity side of things if we can't exploit it, if we can't make it happen can we enhance the chance of it occurring? Can we enhance the impact? So here we're increasing probability and or impact of the opportunity, hopefully. So there we've got two each there two for the threats two for the opportunities, the other risk responses actually work for both so the next one is to transfer and when we transfer threats, we pass it on to a third party and it's usually the financial aspects only. So for example, if you want to transfer a threat, we might take insurance out, or we might think about penalty clauses or service credits that we might want to get back from a third party, if they then take responsibility for the risk and actually it's probably a good time for me to introduce an example here, because one of my delegates a while back, told me that one of the biggest risks in their project was that the ceiling of their project office would fall down on their heads. I'm serious, this is true, they said this was a serious risk in their project, they would walk in the project office every day and look at the ceiling and go, you know, is today the day. Now, I never really asked the right questions about this and I never really found out why they didn't avoid this threat of the ceiling falling on their heads by moving office, that would mean a really quick way to avoid the risk of a ceiling falling on their heads. 
But strangely enough, that didn't happen and they were instead forced to reduce the risk instead and they actually put in supports, scaffolding supports to prop up the ceiling, its weak point, so that was reducing the chance of the ceiling falling down the probability and the impact if it did, that was a good reduce response there. But they also took out insurance, majorly like a buildings insurance. So if parts of the ceiling or the whole ceiling fell down, then the insurance would pay to get it fixed. Now, they would also have to wait for it to be fixed so you can't get back time but they could get back the money, they've transferred that risk to a third party so they don't actually have to pay anymore, other than the agreed excess to get it fixed, so that's transferring the threat. Transfer for opportunities, it's a little bit more complex and I was having a think about this and think about now what we could give as an example here and transferring might be a risk, maybe where we might want to make more streamlined choices or better decision when it comes to dealing with IT issues. So an opportunity might be to transfer this to a third party, which in other words, we'll outsource the IT for our project and this means the IT company will get paid for the job but we gain their expertise and probably some cost savings as well. So there's an opportunity there, we'll pass that on to a third party, yes they benefit because they're paid but we benefit more, because we will now have fewer problems, you know, that's an opportunity there. So that's what not so common, but something to think about there as a transfer opportunities, you can pass a financial aspects on to another party, okay, and get maybe financial gains. 
So let's move on and our next line is to think about the share response, we can share our uncertainties and here we've got to think about, is there a pain is there gain on both sides, we're really talking about joint ventures partnerships and so whether it's a threat or an opportunity, it's kind of almost irrelevant here but if we're going to share the uncertainty to other third party, they will share the costs with us, but they will also share the gains. So if we had increased sales, we profit share with them, then we could say that that was a true share response. We could accept the uncertainty, it might be that we can't actually find a suitable risk response for it that is cost effective and so we will just say, we just hope it doesn't happen. Obviously, we'd be more concerned if it was one of those risks which is you know, high probability, high impact but to remember that impact grid where we talked about there was a risk at low low level that was very low probability, very low impact. We might just accept those risks and say, well, it's unlikely to happen, we won't plan a response. We will keep an eye on it, in fact we'll keep an eye on all of our risks but if you accept a risk, you're really just doing nothing. You're just keeping an eye on it, you're just monitoring it so whether that risk is a threat or an opportunity, if you accept it, it means that you're not doing anything about it except keeping an eye on it. Our last risk response for both threat and opportunity is contingent plans, as PRINCE2 puts it, in fact, in a previous version of PRINCE2 they used to call this fallback, plan B, your backup plan. So if the risk occurs, what are we going to do about it? And if you're thinking about threat, if the risk occurs, what can we do to reduce the impact? 
And thinking about our GPS ceiling it if the ceiling falls down, well, the contingent plan would be that some people work from home, we rearrange the office while the people come in and fix the ceiling and in fact, actually, the project should continue fine. So there's a contingent plan, plan B, or we might actually just consider it there being a sum of money, a contingency budget almost that's set aside that will be used to spend if the ceiling falls down. So you're talking about an if then statement here with contingent plans, if the risk occurs, then we do whatever we need to do. And the same would go for an opportunity if the risk occurs, what can we do to make the most of that opportunity. So those are the different risk responses and it's worth certainly for the foundation exam and even on going to practitioner being aware of the different type of risk responses and for foundation roughly what they mean so we've got a fairly good understanding, and certainly understanding the difference between the threat responses and the opportunity responses. Now that was part of the plan step, the final step in our wheel at least is the implement step so we'll go to communicate after this, but the implement step is where we take those planned risk responses and then we need to give them out to the risk owner to manage. The risk owner is responsible for the management and monitoring of the risk they've been given. And they don't have to be in the project management team, they just need to be the person most capable of dealing with that risk. So if this was a legal risk that we had, we would go and find somebody who had legal experience and that might not be in your project management team. 
Now, that person, the risk owner might actually decide to carry out the risk response themselves, in which case, they would also be the risk actionee, but in a lot of cases, the risk owner who's responsible for the risk might give out responsibilities to carry out the action to the risk actionee, so the risk actionee will carry out the risk responses and the risk owner will keep an eye on them and monitor them and report on their progress. So with our ceiling example, it might be the office manager who's going to be the risk owner and they will go out and find somebody who can put in scaffolding supports and that would be the risk actionee. And if you had several actions, you may well have several actionees. So the risk could be a risk actionee as well themselves and often they are, but they don't have to be and neither the risk owner nor the risk actionee has to be in the project management team if that's not appropriate. Now, when we implement we're carrying out these risk responses, that'll cost money a lot of the time and we may use a risk budget if we have one. The risk budget is a sum of money set aside just to deal with the risk and we would have recorded whether or not we have one in our risk management approach. The final step is the communicate step and it's in the middle there because we should have been communicating all the way through this process. We would be in the identify step gathering ideas and getting people together to brainstorm our risks. In the assess step, we'll be talking to people so that they can share their ideas about what the probability and impact and proximity might be. This is not the project manager sitting in a darkened room by themselves, they're going to need some advice on this so they need to communicate and when we plan responses, we're going to have to get quotes of cost and time and certainly we need to talk to people about that. 
In the implement step, we need to tell the risk owner and the risk actionees that they have got something to do and there will be reporting coming back from that. So you can see how important communication really is to our risk management procedure here. And so there you are, that's the risk management procedure from start to finish and hopefully now, you can feel happy that we finished the risk theme module.

About the Author

A hard working, self-motivated and dedicated IT Consultant with extensive experience and a proven track record in the areas of Management, Networking, Communications and Security. A capable organiser, quick to grasp and make good use of new ideas and concepts. Reliable and conscientious in all work aspects. Possesses exceptional interpersonal skills and utilises communicative abilities to build, develop and maintain effective relationships. A motivational and inspirational manager, who enjoys being part of a successful and productive team, and thrives in highly pressurised and challenging working environments.