"The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair." — Douglas Adams
A risk is an uncertain event that, should it occur, will have an effect on the achievement of the project's objectives. The purpose of the Risk practice is to identify, assess and control uncertainty and, as a result, improve the ability of the project to succeed.
Two Main Types of Risk
- Threat — an uncertain event that could have a negative impact on objectives.
- Opportunity — an uncertainty that could have a favourable impact on objectives.
The Five-Step Risk Management Procedure
Identify
Identify risks using techniques including: reviewing lessons, risk checklists, risk prompt lists, brainstorming, risk breakdown structures, and risk workshops.
Express risks as: Risk cause (source) → Risk event (trigger) → Risk effect (impact description).
Assess
Focus on understanding probability and impact. Risk proximity (when it might materialise) is also important.
Plan
Prepare specific management responses.
Threat responses: Avoid, Reduce, Transfer, Accept, Prepare contingent plans.
Opportunity responses: Exploit, Enhance, Share.
Implement
Ensure that planned responses are acted on. Each risk should have a risk owner and a risk actionee.
Communicate
Risks are communicated continually via management products: checkpoint reports, highlight reports, stage reports, lessons reports, and end project reports.
A Risk Register template is available on the PRINCE2 Templates page. See also: Risk Assessment Scales for guidance on probability and impact rating scales.