The risks theme in PRINCE2

scissors cutting the word risk

In project management, it is necessary to identify, assess and control risks during the project lifetime. Effective risk management maximises the potential of project success.

In this post, we examine the risk management strategy in PRINCE2, identify key risk management roles and procedures, and outline the nine risk responses available to project managers and their teams.

What is risk?

Risk is a possible event that, were it to occur, would impact the project and its objectives. There are different types of risk: negative risks are termed as ‘threats’, and positive risks are deemed to be opportunities.

A strategy to manage risk

PRINCE2 recommends a risk management strategy that integrates with project management activities. This strategy covers: project risk management objectives; procedures; PRINCE2 roles; timing; budget; and tools.

The project manager must also understand the risk tolerance of the project board. Where risk is deemed to be above acceptable levels, the project manager must create an exception report and submit to the project board for approval. A further step in the risk management process could be created where the corporate or programme management sets risk tolerance. In this case, the project board must escalate to corporate or programme management for a decision to be made.

Risk management roles

There are two specific risk management roles:

  • The risk owner is the person who manages, monitors and controls the risk and responses to it
  • The risk actionee is the person who performs activities of the response to risk

Risk management budget

The budget for risk management will be part of the project’s overall budget, but designated for response to risk.

Risk management procedures

In the initiation stage, the project manager will create a Risk Register. This is where all information about every risk is recorded and maintained. This includes details such as risk description, risk owner, responses, and risk evaluation in terms of value (e.g. financial impact).

PRINCE2 recommends five steps:

  1. Identification of risk
  • Get information about risk management policy and risk appetite of the customer
  • Create a risk management strategy
  • Identify threats and opportunities, causes and impacts, and enter into the Risk Register


  1. Assessment
  • Estimate probability, impact, and possible timing
  • Evaluate the net effect of all risks and overall risk severity


  1. Plan
  • Identify possible risk responses, and recommendations of which response should be taken
  • Risk responses should be selected to minimise threats and maximise opportunities
  • Balance costs of response implementation against impact of risk


  1. Implementation
  • Implement the response to risk, and monitor the response
  • Take corrective action when effects of response do not match expectations
  • Re-asses the risk


  1. Communication


Potential risk responses

There are nine risk responses. The first 5 deal with threats. Responses 6, 7 and 8 deal with opportunities. The final response applies to both threats and opportunities:

  1. Avoid – remove or neutralise a threat, so it never occurs.
  2. Reduce – like ‘avoid’, a proactive response, but this time to reduce potential effects of risk.
  3. Fallback – a reactive contingency plan to move back to the previous state.
  4. Transfer – Transfer part of the financial impact of risk to a third party (e.g. subcontractor via contract terms).
  5. Accept – do nothing, and accept the impact of the risk. However, continue to monitor to ensure risk impact does not move above acceptable levels.
  6. Exploit – act to force the risk event to occur.
  7. Enhance – increase the likelihood of the risk occurring, or increase its impact.
  8. Reject – do nothing, avoiding exploitation of the risk. Once more, monitor the situation.
  9. Share – include a pain/gain formula in the procurement contract, before the risk event occurs.


In our next blog, we’ll examine the theme of change in PRINCE2 projects. In the meantime, don’t hesitate to contact us: