
Risk management – part 1 - Overview


Risk management is a big subject in its own right.
It is also described as part of PRINCE2® 2005 within the component 'Management of Risk'.
However, this is discussed in much greater detail in 'The Complete Risk Management package'.

Under PRINCE2 2009 there are no ‘components’, only ‘themes’.
The equivalent is the theme Risk.
[see Risk - Purpose]

The next sections give an overview of the topic and a general approach.

Risk will cover not only commercial and project activities but the potential damage to people, property and the environment.

Particular industry sectors will have established risk assessment procedures that have been built upon experience, for example, HAZOP (hazardous operations) analysis in the pharmaceutical sector.
This section tries to cover some of the basic issues that the Project Manager should be aware of and consider.

The Project Manager should be aware of potential constraints to the management of risk, for example, financial (budget, cash flow and uninsured liabilities) or resource (personnel, equipment, facilities, data and systems).

Risk should be considered within:

  • Health and safety legislation
  • Product liability and consumer protection
  • Accident control
  • Environmental protection
  • Potential future legislation

There is often confusion between ‘risk’ and ‘issue’.


Risk: a potential event that may have a detrimental effect on time, cost, quality and deliverables.


Issue: an unpredicted event that requires a decision; otherwise a negative effect on the project may result.

The above definitions are not in agreement with PRINCE2.
For PRINCE2 2005 risk is defined as:

It concerns uncertainty in the outcome of an event. This may take the form of a positive opportunity or a threat.
[see Management of Risk - part 1]

For PRINCE2 2009 risk is defined as:

A risk is an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives.
It consists of a combination of the probability of a perceived threat or opportunity occurring, and the magnitude of its impact on objectives, where:


Threat is used to describe an uncertain event that could have a negative impact on objectives.


Opportunity is used to describe an uncertain event that could have a favourable impact on objectives.
[see Risk - Risk defined - What is a risk?].

Under PRINCE2 2005 and 2009 there is no formal definition of an issue.
Under PRINCE2 2005 issues are covered within the sections:

  • Controlling a Stage (CS) - part 4 - Capturing Project Issues (CS3)
  • Controlling a Stage (CS) - part 5 - Examining Project Issues (CS4)

Under PRINCE2 2009 [see ‘The Complete Project Management plus PRINCE2’] the Issue Report purpose states:

‘An Issue Report is a report containing the description, impact assessment and recommendations for a request for change, off-specification or a problem/concern. It is only created for those issues that need to be handled formally.’
[Change - Change defined - Issue and change control].

Impact analysis

A risk may have an impact not only on future tasks but possibly the specification of the product.
There could be legal, health and safety, regulatory, marketing, personnel and other implications.

By its very nature an issue will have some impact on the plan and schedule.
It may be an issue that needs addressing urgently to circumvent any future problems.
The effect on the plan could materialise in a number of ways, for example, by altering deadlines, costs or specifications.
In some cases, the impact may be difficult to ascertain.

Risk (and issues) versus impact

Before we panic over a future event we must assess the risk versus the impact.
One event may have a tremendous impact on cost and time (if it occurs) but virtually no impact if the risk is very low.
For example, the potential that an outside manufacturer may go bust.

On the other hand, there may be an event which is highly likely to occur but with little impact.
For example, people off ill, if cover is very good.
The above examples are possible future events; issues which have already occurred will need to be assessed for impact.

Use of automated planning tools

Full risk assessment is a subject in its own right.
You can carry out a simple risk assessment by utilising the experiences of people or, better, by assessing various outcome scenarios in, say, MS Project software; for example, will a delay of 2 weeks affect anything?
It is best to view this in the software, as humans are not very good at remembering all of the links in the schedule.

Need to consider more than just the time effect on the plan

All impacts need to be assessed not only for delays but costs, specifications, environmental, legal and regulatory impact.

Document risks and issues

These should be documented in any project team reports.
There should be some mechanism for recording risks and issues together with any impacts and actions taken.
Make sure these documents are reviewed at regular intervals as part of the control process.

The information recorded could be:

Project no:
Ref. number:
Date raised:
Title / description:
Potential impact:
Status: open, in progress, on hold, closed
Review date:

Don’t forget to have a suitable backup plan in the event of a disaster.
Consider technological redundancy.

Project manager’s responsibility

In general, it would be a luxury to have a specific individual on the project team to advise on risk.
As such it is the responsibility of the Project Manager to make sure suitable procedures are in place.
If necessary, resource the expertise externally.

PRINCE2® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.