
p2 Risk Management Strategy Example v01

A project methodology can be thought of in the same terms as a recipe for cooking. It identifies what will be required and how these ingredients will be combined to produce the perfect meal. In short, a methodology comprises the following components:
• Documentation – such as project initiation and scoping documents
• Technique – a set of standard project management techniques required to plan and control the project (Critical Path Analysis, Risk Management Procedures etc.)
• Sequence – the order in which the stages will be performed
• Overview – a picture of how the documentation and techniques fit together

Uploaded by

Nour Bush

RISK MANAGEMENT STRATEGY EXAMPLE

Prince2 Documentation

Release Status: FINAL


Author: John Aldridge, Senior Project Manager

Date: 08 November 2013

Filename & Version: p2_risk_management_strategy_example_v01

Project ID: PRDOC01
Methodology: PRINCE2 2009

FMD Consultants Limited assumes no responsibility for the usage of any information
contained in this document and the way it is handled and disclaims all liability in respect of
such information and its provision. Subject to this disclaimer, you may copy and utilise the
material contained in the document.
This information is based on OGC PRINCE2 material. PRINCE2 is a registered trade mark
of the Office of Government Commerce in the United Kingdom and other countries. All
registered trademarks recognised & accepted.

1 Document History
1.1 Location
This document is stored in the following location:
Filename: p2_risk_management_strategy_example_v01
Location: www.fmdconsultants.co.uk\web

1.2 Revision History


This document has been through the following revisions:
Version No. | Revision Date | Filename/Location stored | Brief Summary of Changes
VXX | 06/10/11 | XXXXXXXXXX | XXXXXXXXXX
VXX | 13/10/11 | XXXXXXXXXX | XXXXXXXXXX

1.3 Authorisation
This document requires the following approvals:
AUTHORISATION
Executive
Senior User
Senior Supplier

Name

Signature

Date

Version Issued

Date of Issue

XXXXXXXXXX
XXXXXXXXXX
XXXXXXXXXX

1.4 Distribution
This document has been distributed to:
Name | Title

1.5 Related Documents


Summary of filenames and locations of related documents:
Document Type | Filename/Location stored
Project Brief | XXXXXXXXXX
Business Case | XXXXXXXXXX
Corporate Risk Management Strategy | XXXXXXXXXX
Risk Register Template | XXXXXXXXXX
Communications Management Strategy | XXXXXXXXXX

2 Contents

1 Document History
    1.1 Location
    1.2 Revision History
    1.3 Authorisation
    1.4 Distribution
    1.5 Related Documents
2 Contents
3 Introduction
    3.1 Risk
    3.2 Objectives of Risk Management
    3.3 Scope of this Risk Management Strategy
    3.4 Responsibility of this Risk Management Strategy
4 Risk Management Procedure
    4.1 Identify Risks - Risk Categories
    4.2 Risk Assessment
        4.2.1 Risk Scales
        4.2.2 Risk Actions
    4.3 Plan
        4.3.1 Objective of Risk Planning
        4.3.2 Risk Response Categories
    4.4 Implement
    4.5 Communicate
5 Tools and Techniques
6 Records
7 Reporting
8 Timing of Risk Management Activities
9 Roles and Responsibilities
10 Proximity
    10.1 Categorising Risk Proximity
    10.2 Risk Proximity Actions
11 Early Warning Indicators
12 Risk Tolerance
13 Risk Budget
Appendix A Risk Prompt List
Appendix B Risk Register

3 Introduction

3.1 Risk
Risk is the chance or possibility of loss, damage, injury or failure to
achieve objectives caused by an unwanted or uncertain action or event.
Risk management is the planned and systematic approach to the
identification, evaluation and control of risk. The objective of risk
management is to secure the assets and reputation of the organisation
and to ensure the continued financial and organisational well-being.

3.2 Objectives of Risk Management

Good risk management is about identifying what might go wrong, what the
consequences might be of something going wrong and, finally, deciding
what can be done to reduce the possibility of something going wrong. If it
does go wrong, as some things inevitably will, it is about making sure that
the impact is kept to a minimum.
Risk management should ensure that an organisation makes cost-effective
use of a risk framework that has a series of well-defined steps. The aim is
to support better decision making through a good understanding of risks
and their likely impact.
Risk management should be a continuous and developing process which
runs throughout the organisation's strategy and the implementation of
that strategy, methodically addressing all risks surrounding the council's
activities past, present and future.
FMD Consultants Limited is committed to establishing and maintaining a systematic
approach to the identification and management of risk.
The risk management objectives are to:
- Ensure that risk management is clearly and consistently integrated and
  evidenced in the culture of the organisation.
- Manage risk in accordance with best practice.
- Anticipate and respond to changing social, environmental and legislative
  requirements.
- Consider compliance with health and safety, insurance and legal
  requirements as a minimum standard.
- Prevent death, injury, damage and losses, and reduce the cost of risk.
- Inform policy and operational decisions by identifying risks and their likely
  impact.
- Raise awareness of the need for risk management by all those connected
  with the organisation's delivery of service.
These objectives will be achieved by:
- Clearly defining the roles, responsibilities and reporting lines within the
  organisation for risk management.
- Including risk management issues when writing reports and considering
  decisions.
- Continuing to demonstrate the application of risk management principles in
  the activities of the organisation, its employees and member companies.
- Reinforcing the importance of effective risk management as part of the
  everyday work of employees and members.
- Maintaining a register of risks linked to the organisation's business, corporate
  and operational objectives, and also those risks linked to working in partnership.
- Maintaining documented procedures for the control of risk and provision of
  suitable information, training and supervision.
- Maintaining an appropriate system for recording health and safety incidents
  and identifying preventative measures against recurrence.
- Preparing contingency plans to secure business continuity where there is a
  potential for an event to have a major impact upon the organisation's ability to
  function.
- Monitoring arrangements continually and seeking continuous improvement.

3.3 Scope of this Risk Management Strategy


FMD Consultants Limited maintains a corporate risk management strategy
which controls risks associated with the company as a whole, its
relationship with its clients and the management of new and existing
business relationships.
This Risk Management Strategy is a subset of the corporate Risk
Management Strategy and relates specifically to procedures related to the
development of software applications, provision of methodology
documentation and the presentation of that information to the general
public as a whole.

3.4 Responsibility of this Risk Management Strategy


The responsibility for the creation, maintenance and periodic review of this
Risk Management Strategy is held by John Aldridge, Senior Project
Manager, FMD Consultants Limited.
It will be reviewed on a monthly basis and changes ratified through peer-group review.

4 Risk Management Procedure

The Risk Management Procedure encompasses 5 activities:
- Identify
- Assess
- Plan
- Implement
- Communicate

4.1 Identify Risks - Risk Categories


Involved parties detailed in Roles and Responsibilities, below, should
concentrate on events that might affect the organisation's achievement of
its objectives. This should focus on areas which may impact costs,
timescales, quality of deliverables, maintainability or usability of any
products. Strategic risks linked to the Corporate Objectives and
Operational risks linked to service and project plans need (as a minimum)
to be identified and monitored. Techniques recommended to identify risks
are:
- Review Lessons - Review lessons learned logs for similar profile
  workstreams to determine where uncertainties lie and see what threats
  and opportunities impacted them.
- Risk Prompt List - Examine the Risk Prompt List (Appendix A Risk
  Prompt List) in the context of the workstream to determine if any of the
  defined areas of risk may be applicable. This details known risk types
  which should be considered when determining the risk to the project and
  fall under the headings of:
    - Economic Risks
    - Environmental Risks
    - Financial Risks
    - Governmental Risks
    - Legal Risks
    - Operational Risks
    - Perception Risks
    - Personnel Risks
    - Project Risks
    - Security Risks
    - Strategic/ Commercial Risks
    - Structures & Policies Risks
    - Technical/ Infrastructure Risks
- Brainstorming - Utilise group brainstorming to identify prospective risks
  which may not be recognised by an individual. Utilise disparate groups for
  brainstorming to provide alternative views of risks, for example user
  groups, development groups, finance heads and project related personnel.
- Project Schedules - Are any areas of the project falling behind schedule,
  i.e. is the percentage of workpackage completed running to schedule?
  Have all approval target dates been met?
- Project Finances - Is the project running to budget and within tolerance?
  Are there any exceptional costs which were not forecast?
- Project Performance - Is the number of issues raised higher than
  expected or greater than has been experienced in earlier projects? Is there
  a high percentage of issues which are unresolved? Does it take longer to
  resolve issues than would normally be expected? Are problems being
  experienced with any of the project's product quality?

4.2 Risk Assessment

4.2.1 Risk Scales

Following the identification of risks, they will then be included in the risk
register which will identify the risk owner and the steps being taken to mitigate
the risk. Risks will be categorised against the potential impact to the business
on a scale of 1 to 10, 1 being the lowest impact and 10 being the highest
impact. Risks will also be categorised against the likelihood of the risk being
encountered on a scale of 1 to 10, 1 being the lowest likelihood and 10 being
the highest likelihood.
The Risk Impact and Risk Likelihood will then be multiplied to give a total risk
score, 1 being the lowest and 100 being the highest possible risk.
A total risk score of:
- Below 30 will give a green risk
- Between 31 and 59 will give an amber risk
- Above 60 will give a red risk

4.2.2 Risk Actions

Risk Impact | Score | Frequency of Review
No action necessary | < 10 | n/a
Monitor as necessary - ensure being properly managed | < 20 | Quarterly
Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties | < 30 | Quarterly
Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties | < 40 | Monthly
Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties | < 50 | Monthly
Important risks - may potentially affect provision of key services or duties | < 60 | Weekly
Key risk - may potentially affect provision of key services or duties | > 60 | Immediate
Immediate action needed - serious threat to provision and/or achievement of key services or duties | > 80 | Immediate

4.3 Plan

4.3.1 Objective of Risk Planning

The primary objective of this step is to prepare management responses
using Risk Response Categories for each of the identified threats and
opportunities in order to reduce or remove the threat or to maximize the
opportunity. This should leave the project prepared with an action plan
should any risk materialise.
Concentration should be on red risks as these have the greatest chance
of arising and are likely to impact the project most severely. Consideration
should be given to amber risks and green risks in order to:
- Keep the risk at as low a level as is practical
- Be prepared to respond to the risk should its severity level increase
  during the project
- Ensure that green or amber risks do not increase the chance of a
  red risk being encountered

4.3.2 Risk Response Categories

a) Avoid - typically change an aspect of the project so the threat can
   no longer happen
b) Reduce - either reduce the chance of the threat occurring or reduce
   the impact of the threat should it occur
c) Fallback - build a fallback plan for actions which will reduce the
   threat should the risk occur
d) Transfer - a third party takes on responsibility for some of the
   financial impact of the threat (via insurance or contractual
   agreement) to reduce the financial cost of the threat
e) Accept - accept that the threat may be encountered, usually
   because it is either unavoidable or financially unviable to avoid the
   threat
f) Share - work with third parties to share either the cost loss or gain
   associated with the threat
g) Exploit - seize an opportunity to ensure the opportunity will happen
   and the beneficial outcome will be realised
h) Enhance - take actions to improve the probability of an event
   occurring and to enhance the beneficial outcome should it occur
i) Reject - a conscious decision not to exploit an opportunity as it is
   more economical to continue without responding

4.4 Implement
The primary objective of this step is to ensure the planned risk responses
are implemented, their effectiveness monitored and corrective action
taken where responses do not provide effective solutions.
To ensure this is carried out efficiently, there will be a sole Risk Owner. This
is a named individual who is responsible for the management, monitoring
and control of all aspects of a particular risk.
There may be a Risk Actionee responsible for carrying out the required
response action for a risk or set of risks. The Risk Actionee should perform
under the direction of the Risk Owner.
The Risk Owner and Risk Actionee may be the same person.
A risk will be assigned to a single individual.
An individual may be responsible for more than one risk but consideration
should be given to their workload and abilities to ensure any individual is
not allocated more risks than they can practically manage.

4.5 Communicate
Risks will be communicated outwards as part of:
- Checkpoint Reports - frequency defined in each Work Package,
  minimum of monthly
- Highlight Reports - defined by Project Board, minimum of monthly
- End Stage Reports
- End Project Reports
- Lessons Reports at End Stage and End Project
Inwards communications of risks, in particular new perceived risks, should
be made to the Project Manager for assessment; they may be ad hoc and are
openly welcomed.

5 Tools and Techniques

Project risk will be managed through an electronic library store of completed
Risk Register Forms, with a hard-copy back-up of the forms maintained
within the Project Office. Each Risk Register form will detail the status of a
single risk and will have a unique, sequential risk identifier.
Access to Risk Register forms will be restricted to those defined in the roles
and responsibilities, below, and to the Risk Owner.

6 Records

Appendix B Risk Register details the format of the Risk Register and
contains descriptions for each Risk Register field.

7 Reporting

Individual risk overviews will be entered on the Risk Summary which will
be readily available for authorised individuals and which will be circulated
at Project Boards.
The Risk Summary will detail:
- Programme Name / Project Name
- Risk Identifier
- Summary of risk description
- Risk Category
- Current risk colour (green, amber, red)
- Current risk weighting
- Previous risk colour (green, amber, red)
- Date registered
- Risk Owner
Access to Risk Summary will be restricted to those defined in the roles and
responsibilities (section 9) and to the Risk Owner.

8 Timing of Risk Management Activities

The Risk Register will be created on approval of this Risk Management
Strategy. It will be updated:
- On planning the next stage
- On authorizing a work package
- On any updates of the project plan
- Upon any updates of the Business Case
- On the production of any exception plan
- On review of any stage status
It will be closed when approval for project closure has been given by the
Project Executive.

9 Roles and Responsibilities

Role | Responsibility
Corporate Management | Provide the corporate risk management policy and risk management guide.
Executive | Be accountable for all aspects of risk management and ensure an approved project Risk Management Strategy exists. Ensure risks associated with the Business Case are identified, assessed and controlled. Escalate risks to corporate management as necessary.
Senior User | Ensure all risks to the users are identified, assessed and controlled.
Senior Supplier | Ensure risks relating to the supplier aspects are assessed and controlled.
Project Manager | Create the Risk Management Strategy. Create and maintain the Risk Register. Ensure all project risks are being identified, assessed and controlled throughout the project lifecycle.
Team Manager | Participate in the identification, assessment and control of risks.
Project Assurance | Review risk management practices to ensure they are performed in line with the project's Risk Management Strategy.
Project Support | Assist the Project Manager in maintaining the project's Risk Register and Risk Summary.

10 Proximity

10.1 Categorising Risk Proximity

Risk events will be categorised as:
- Imminent - likely to be encountered immediately, typically within
  one week or less
- Within the stage - likely to be encountered during the current stage
  of the project
- Next stage - likely to be encountered during the next planned stage
  of the project
- Within the project - likely to be encountered before the project is
  closed
- Beyond the project - likely to be encountered after project closure

10.2 Risk Proximity Actions

"Imminent" risks should be noted separately within reporting to highlight the
risk to project members to ensure it is being monitored adequately.
On completion of a stage, "within the stage" risks should be assessed to
determine if they were encountered. If they were not encountered, their
relevance to the next planned stage should be determined and their
proximity classification modified accordingly.
On completion of a stage, "next stage" risks should be assessed to
determine if they are still applicable to the next stage (i.e. the stage to be
started) and, if appropriate, their proximity should be modified to "within
the stage".
"Within the project" risks should be reviewed at stage end to determine if
they fall into the "next stage" category (i.e. the stage after the stage to be
started).
"Beyond the project" risks should be reviewed at stage end to determine if
they are still legitimate risks. If the project is at closure stage, these risks
should be highlighted in the project closure documentation.

11 Early Warning Indicators

There are several early warning indicators which should be monitored
during the life of the project:
- Forecast project spend / timescales exceeding approved tolerance -
  should the forecast total spend exceed the project budget plus
  allowed tolerance, it is clear there is a genuine risk of overspend (or
  non-completion) of the project. This should be regularly monitored
  by the project manager to ensure spend is within allowed limits.
- Forecast stage spend / timescales exceeding approved tolerance -
  the implication is that the stage has either been incorrectly costed,
  incorrectly defined or has encountered unforeseen problems.
- Product quality not meeting quality requirements - have there been
  shortcuts in the production of products which detrimentally impact
  product quality? In particular, has the spend to date fallen below the
  forecast spend to date or have the products been delivered earlier than
  planned?
These should be regularly monitored by the Project Manager / Project
Support to ensure each stage is performing according to planned cost,
timescales and quality.

12 Risk Tolerance

Risks are scored on a scale of 1 to 100, one hundred being the greatest
risk. Risks with a score greater than 60 should be noted to corporate
management for information. Risks should be escalated to corporate
management immediately the risk score exceeds 80.

13 Risk Budget

There is no specific risk budget. Project tolerance will be employed where
necessary to minimise the impact of risks.
It should be noted that there may be some risks defined during the project
which require a separate budget, e.g. insurance against risk encounter or
insurance against financial implications of risks.

Appendix A Risk Prompt List

Checklist of Common Risk Sources

Personnel Risks
- Illness
- Conflict
- Labour Problems
- Skill Shortage
- Motivation
- Commitment

Governmental Risks
- Permits
- Customs
- Environmental Standards
- Patents
- Health & Safety
- Nuclear Regulations

Project Risks
- Budget
- Scope/ Complexity
- Vision
- Decision Process
- Timescale
- Commitment
- Politics
- Poor Estimating

Strategic/ Commercial Risks
- Under-performance to specification
- Management will under-perform
- Insufficient Capital Revenues
- Lack of availability of Capital Investment

Security Risks
- Theft
- Espionage
- Natural Disaster

Financial Risks
- Cash Flow
- Payments
- Exchange Rates
- Operational & Maintenance Costs
- Procurement Costs

Operational Risks
- Inadequate Business Continuity
- Health & Safety Constraints
- Marketing/ Communications
- Manufacturing
- Purchasing
- Inadequate Design
- Professional Negligence
- Human Error/ Incompetence
- Safety being compromised
- Performance Failure
- Unclear Expectations
- Breaches in Security

Structures & Policies Risks
- Business Structure
- Business Planning Process
- Service Plan
- IT Plan
- Recruitment Process
- Staff Development Process
- Managerial & Accountability Structures
- Change Management Procedure
- Risk Management Procedure
- Quality Management Procedure
- Organisational Strategy
- IS Programme Plan
- Contingency Management Procedure
- Bureaucracy
- Complaints Handling Procedure

Perception Risks
- Racially/ethnically/gender offensive
- Health Threatening

Economic Risks
- Shortage of Working Capital
- Failure to meet projected revenue targets
- Market developments have adverse effects

Legal Risks
- Scope Creep
- Contract
- Personal Liability
- Penalty Clauses
- New or changed legislation impacts activity
- Unforeseen regulatory controls or licensing requirements

Technical/ Infrastructure Risks
- Scalability
- Integration
- Security
- Standards
- Compatibility
- Performance
- Inadequate Design
- Infrastructure Failure
- Increased decommissioning costs
- Residual Maintenance Problems

Environmental Risks
- Transport Problems
- Building Facilities & Temperature

Appendix B Risk Register

RISK REGISTER FORM [Form ID if applicable]

Ref: [Location/Filename]
Project Name:
Programme Name: [If applicable]

Risk Identifier: [A unique reference for every risk entered into the Risk Register e.g. 0001]

Risk Description: [In terms of the cause, event (threat or opportunity) a (description in words of the impact)]

Probability: [These should be recorded in accordance with the project's chosen scales]
- Pre-Response: [Estimate the inherent values (pre-response action)]
- Post-Response: [Estimate the residual values (post-response action)]

Impact: [These should be recorded in accordance with the project's chosen scales]
- Pre-Response: [Estimate the inherent values (pre-response action)]
- Post-Response: [Estimate the residual values (post-response action)]

Expected Val [These should be rec accordance with the chosen scales
- Pre-Response: [Estimate the inherent values (pre-response action)]
- P Res [Esti residu (post ac

Risk Response Category: [How the project will treat the risk in terms of the project's chosen categories e.g.
- For threats: avoid, reduce, fallback, transfer, accept, share
- For opportunities: enhance, exploit, reject, share]

Risk Response: [Actions to resolve the risk (should be aligned to the chosen response categories. Note that more than on

Date Registered: [Date the risk was identified]

Risk Author: [Person who raised the risk]

Risk Owner: [Person responsible for managing the risk]

Risk Action [Person(s) w implement action(s) des the risk respo
