The PRINCE2 Approach to Risk Management

Risk Management and PRINCE2

Published: October 23, 2019
Share on:

With insight spanning three decades and an ever-expanding pool of practitioners, PRINCE2 6th Edition has more than earned its title as the world’s most popular project management framework. Taking projects from conception to completion, PRINCE2 prioritizes clarity, structure and the all-important ‘Business Case’. The modern business environment is experiencing a boom in demand for project managers, and PRINCE2 provides actionable, comprehensive and demonstrably practical insight for practitioners across all industries, sectors and locations.

Several elements go into a successful PRINCE2 project, and one of the most critical is the effective management of risk. The PRINCE2 risk management strategy takes an entrepreneurial approach, recognizing that risks, while inevitable, can either be problems or opportunities. The framework offers a well-structured approach to assessing, preparing for, and managing risks in a way that controls the impact they can have on projects. It also prioritizes recording insight, ensuring that even the most significant risks will at least leave teams with valuable insight moving forward.

Seasoned PRINCE2 risk managers are experts in predicting, assessing and preparing for risks, but what exactly does this entail? What is risk management, and what makes PRINCE2’s approach successful enough to be employed by the likes of NATO and the United Nations?

Let’s take a quick look at how PRINCE2 practitioners approach risk management.

Take A Accredited PRINCE2  Course

What is risk management?

As any seasoned project manager knows, no project is ever without risk. Having the ability to identify and evaluate potential dangers, before taking calculated steps to control them, is essential both for keeping projects on track and maximizing gains.

Risk management strategies will typically involve:

  • Identifying potential risks
  • Assessing what kind of impact they could have and how likely they are
  • Creating appropriate contingencies against any problems
  • Choosing appropriate metrics to measure risk
  • Creating reports for team members and stakeholders
  • Working with audit staff to make sure the organization remains compliant
  • Educating staff on potential risks to boost awareness and maximize the likelihood of successful responses

As anyone with experience in any large organization will tell you, one of the most critical aspects of risk management is keeping stakeholders happy. They must be kept aware of exactly what a project’s risks are and what steps are being taken to manage them. Naturally, an experienced manager will control what information reaches stakeholders in order to avoid micromanagement or undue panic. Even so, trying to hide any significant risks from stakeholders is an easy way to lose support for a project altogether.

If this sounds complicated, that’s because it certainly is. Nobody can fully predict the future, after all. What we can do is consider the elements, goals and context of a project using a framework that helps us prepare for potential risks as best we can. This is where PRINCE2 succeeds in spades.

You might also be interested in The Ultimate Guide to: PRINCE2 

A FREE 12 Page Download.


What Is the PRINCE2 Risk Management Strategy?

Effective risk management requires a well-structured approach, and structure is an essential part of PRINCE2. The opening phases of PRINCE2 projects will typically involve a ‘Risk Workshop’, during which team members will identify risks and their potential impacts. As these risks are clarified, they will be added to a ‘Risk Register’, which will contain an analysis of each risk and how best to respond to them.

PRINCE2 teams will also work according to the ‘Risk Management Approach (RMA)’. This is a planning document which defines procedures for how risks are managed, including how they are identified, assessed, controlled and communicated. It sets techniques and standards which will be applied throughout a project, helping teams to prepare for risks well in advance. A project which is part of a larger program may well begin with an RMA already made up. However, such an RMA may still be amended as necessary over time.

There are a number of priorities which will be addressed throughout a PRINCE2 project:

Start Identifying Risks Immediately

PRINCE2 encourages teams to be proactive. They will start by defining a project’s objectives, before considering what could put them at risk in order to develop a ‘Risk Management Strategy’. This will then be continually reviewed and amended as a project progresses.

During this early stage, the team will decide on several risk management elements, including the records they will keep, how risks will be reported, which team members will take on what roles and responsibilities, and so on. This dedication to clarity always pays off, as teams will find themselves ready to swiftly respond as soon as risks actually start coming into play.

Know the Context

Significant risks will often go beyond the scope of individual projects. Because of this, PRINCE2 teams working on a single project will consider risks in the context of the ‘Business Case’. In other words, they ask questions like: 

  • Will this risk endanger subsequent projects?
  • Will the risk have an impact on the large scale goals of our organization?
  • What are the implications of the risk in terms of budget, deadlines, benefits and overall returns?

Understanding the context of where a project fits into a larger program can also help teams to figure out how a particular risk relates to their own specific concerns. The elements of two separate projects in the same organization can differ significantly, so it is worth considering risks on a more immediate scale, as well as in the grand scheme of things.

Be Comprehensive

PRINCE2 teams go as deep as possible when approaching individual risks, examining their causes as well as the impact they could end up having. Teams will also determine the exact circumstances which could cause risks to become immediate threats. Knowing about these ‘risk events’ enables teams to then create early warning indicators for when projects approach the danger zone.

How Likely? How Dangerous?

When assessing risk, a PRINCE2 team will judge it in terms of ‘probability’ and ‘impact’. Naturally, if a risk is less likely to happen, a team may focus their efforts elsewhere. Similarly, risks that are unlikely to do anything significant can be mostly ignored. PRINCE2 project boards will create ‘risk tolerances’ early on, setting in stone exactly when a risk will be acceptable.

Arguably, ‘impact’ is far more pressing, as there should always be a plan for a significant risk even if it is unlikely to occur. The likelihood may also grow over time, which is one of the reasons why an RMA will be continually reassessed. 


If a risk is sufficiently probable and dangerous, the team will have several responses to choose from:

  • Avoiding – If you can, alter the project so you can avoid the risk
  • Reduce – If the risk is unavoidable, minimize the impact
  • Transfer – Outsource the problem to a third party, or take out insurance to deal with the risk
  • Accept – If the impact is unlikely to cause problems, accept the risk and move on

In order to be able to respond effectively, the team will also come up with a ‘Risk Budget’. This figure is set aside in order to finance specific risk responses as necessary.

Of course, it is worth remembering that a ‘risk’ can always be positive or negative. It may be that a potential issue, once you have a workaround, could end up strengthening your final result. You could even find a way to tackle a common risk before the competition and boost the relative market value of your offering.

Another important thing to keep in mind is that once you have responded to a risk, it may still have ‘residual’ risks worth considering. You could also create additional risks as a result of your response, so it will be worth taking the time to measure the impact of your choice.

With so much to consider, PRINCE2 teams will usually refer to past projects. Solid experience can help them come up with the most effective responses possible, even if all they have learned is how not to tackle a specific issue. They will also note the positive or negative impact of their response in order to inform future project teams.

Once a response is put into practice, the team will use the metrics and reports (specified earlier in the project) to monitor its success. This will help them to gauge whether or not additional action will be required.

Take A Fully Accredited PMP Course. Find Out More!

Communicate, Communicate, Communicate

Rather than being a set project phase, communication is something that should be emphasized throughout a project’s lifecycle. Clarity is key to using PRINCE2 successfully, and so project team members will endeavor to keep each other updated about risks and opportunities as they develop. This is typically done with a mixture of bulletins, dashboards, discussion threads, notice boards and briefings. 

Communication with stakeholders will also be key throughout, especially when it comes to explaining how issues are being dealt with. Risk managers will use a variety of tools for this, including:

  • Checkpoint reports
  • Highlight reports
  • End-stage reports
  • End project reports
  • Lesson reports

To learn more about our Accredited Project Management and Agile Training today. Click here.