Clarifying Some Key Points
As you revise the Risk theme, have a look at the points in this section. For each item, if you read a sentence or two and are sure that you’re already clear on the point and know it, just skip the rest and move on to the next item.
Seeing risk as positive and negative
A dictionary definition of risk is ‘the adverse consequences of future events’. In other words, it’s negative. Risk is normally seen as something bad than can happen. There’s been a move in risk management, which PRINCE2 has reflected, to also consider positive or ‘upside’ risk, which is about good things that can happen. That may sound a bit odd at first. ‘You’re at risk of winning a major prize’ just doesn’t seem to sound right.
A key to understanding positive and negative risk is the word ‘uncertainty’. That word makes it easier to see that something good can happen as well as something bad. The trick in risk management now is to try and limit or prevent the bad stuff, and increase or make certain the good stuff. That’s where the lists of risk actions fit in, one for the downside risks or ‘threats’ and one for the upside risks or ‘opportunities’.
Learning the risk actions for the Foundation
PRINCE2 is horribly complicated when it comes to risk actions – unnecessarily complicated actually, although that’s small comfort when you’ve got to learn them all for the Foundation exam anyway. Different people have different ways of remembering lists of things, but acronyms can be helpful. Here are a couple that may help.
Drowning is bad news, really it is; it’s very negative. To avoid drowning, you need a buoyancy aid such as an inflatable raft. So, then, negative risk actions are AS RAFT:
A – Avoid: Can you stop the risk happening? Can you avoid it altogether? There’s a risk of a gas explosion from a gas heater, but if an electric one is installed instead, then the possibility of a gas heater explosion is eliminated. There may now be a danger of an electric shock, but that’s a different risk and one that’s arisen due to the action taken to control the gas explosion risk. You win a bonus point if you quickly recognised that a shock from the electric fire constitutes a secondary risk.
S – Share: Get someone else to share the negative impact, perhaps for a share of the benefits of the project.
R – Reduce: Okay, so perhaps you can’t stop the risk happening, but can you reduce the chances of it happening and/or reduce the impact if it does happen?
A – Accept: You choose to note the risk but not to do anything about it, at least at the moment. Perhaps the action would be too costly, for example, or be too distracting.
F – Fallback: I hate this term, not least because so few people use it. Most use the word contingency. Basically contingency or fallback is allowing for the risk to happen – you can absorb the impact, completely or partially. So because you have a dodgy supplier, you put in some time contingency against the risk that supply will be delayed . . . again. If the supply is then a bit late, you can accommodate it.
T – Transfer: Give it, or at least part of it, to someone else. A classic example is insurance, by which financial risk is transferred to an insurance company (albeit at some cost). Another classic is sub-contracting, where you may pay a fixed cost and if, say, a risk is realised that the work is much more complicated than anyone thought, well the sub-contractor will have to find the additional staff to put onto the job and pay the extra, not you.
Some positive things may affect the project, and it’s usually wise to try and increase the chances of such beneficial impact. You need wisdom like that of a seer – so, for positive risk actions, SEER:
S – Share: Yes, again. Remember that this action is common to both lists; an action for positive, upside risk as well as for negative, downside risk. Here you may involve another organisation, for example, to invest in the project to bring about this happy result and to share in the benefits of it.
E – Exploit: Okay, so there’s a chance that the positive risk may be realised. However, can you take an action to make it certain, or nearly certain, that it will happen?
E – Enhance: The impact of the positive risk may be really good. However, can you take an action which will make it even better?
R – Reject: If the positive risk is realised, then that’ll be good and everyone will be pleased. However, it’s not worth any action to try and increase the chances and effect of realising the positive risk. Such effort would, perhaps, just distract from getting on with the main work of the project.
Quick quiz on risk response types
So, AS RAFT and SEER. Now, all you have to do is remember what the letters of those acronyms stand for. Got all that? Great. How about a quick quiz to prove it then? Have a look at each risk action and decide what type of action it is within the AS RAFT and SEER response sets.
1. The news reports are saying it’s increasingly likely there will be a train strike, so we’re flying to Edinburgh instead to be sure that we make the meeting on time.
2. Our teams have limited experience in this highly complex area, so we’re going to outsource this part of the work to an experienced company. If that company hits problems, it’ll have to find more experts at its own cost to deal with them.
3. We may be liable for large costs if our advice to customers is incorrect, so we’re taking out professional indemnity insurance for all staff with direct customer contact.
4. The new headquarters building will be great, and we think it would be fantastic to have a staff restaurant. A restaurant should be very popular, but that’s not guaranteed. We don’t have the funds for all of it, but we’re inviting a catering company to set up and run a restaurant once we’ve put the basic facilities in place, and we’ll split the profits.
5. Our staff will have to do technical work that’s beyond anything they’ve done before. Things could go wrong, with consequent project delay, but we’re sending staff on training courses to boost their knowledge and skill levels.
6. Customers are likely to buy more of our products, simply because ordering will be easier through the new website being developed by the project. However, we’re going to offer a 10 per cent discount for online orders compared with orders placed through other sales channels to make certain of it.
7. The new warehouse stores some heavy goods, and we’ve had a lot of cases of back injury in the past. We’re going to put all the really heavy stuff in one zone, with warning signs around the perimeter to remind warehouse staff to use proper lifting equipment.
8. Bad weather could affect the launch display to the point of it being cancelled. However, because holding the display in a large indoor arena would be very expensive, and because it’ll be mid-summer, when there’s less chance of rain, we’ve decided not to take action to change the venue and just hope that the weather’s okay. If, nearer the time, forecasts indicate a high probability of really bad weather, we may think about this again.
9. We may face problems in the office move with the lifts breaking down. That would cause severe problems with the schedule for the move. We’ve arranged preventative maintenance though to have the lifts thoroughly checked and serviced before the move takes place. It won’t guarantee that we’ll avoid problems with the lifts, but it’ll make it less likely.
10. Customers are likely to buy more of the product when they see the better information in the catalogue which is part of this marketing project. We could have an electronic catalogue with animated views of the products, which might boost sales even further. However, we’ve decided not to pursue that, at least for the time being, because the time and resources needed to do it would postpone the product launch date. We may pick up the idea in a future project.
Understanding the risk budget
Sometimes, but not always, a suitable way to deal with a risk is to throw money at it. For example, you’re planning to buy a piece of equipment from a cut-price shop that does really good deals. However, the shop doesn’t always have supplies and products can be out of stock for some time while the shop sources another cheap batch. The shop up the road is much more expensive for everything, but it always has stock. So, the risk is that when you go to the cut-price shop to buy the equipment (and you can’t reserve it in advance), it won’t have any. If that risk is realised, the plan is that we’ll handle it by going to the more expensive shop and buying the equipment there. The additional money is put on stand-by as part of the risk budget. If the risk happens, the Project Manager can immediately spend the money set against that risk and which is pre-approved by the Project Board. The Project Manager can immediately send someone up the road to buy the equipment from the more expensive shop. However, if the cut-price shop does have stock and the risk isn’t realised, then the Project Manager can’t divert the unused money in the risk budget to somewhere else.
The risk budget can be set up differently, but the equipment example in the previous paragraph serves to show the underlying concept. The 2009 PRINCE2 manual is too simplistic on this, but that works in your favour for the exams.
One final element to take on board for the risk budget is that it’s approved, initially at least, along with the Project Initiation Documentation (PID), because it’s specified in the Risk Management Strategy (the last section of that strategy). Some new risks may be identified later in the project, so the budget could, therefore, include an additional amount to help deal with any risks that haven’t been identified yet.
Appreciating that the process isn’t a cycle
The PRINCE2 risk management procedure looks like a cycle, but it doesn’t really work that way; you may have found it confusing as a consequence. The four parts that appear to cycle are identify, assess, plan and implement. However, having implemented an action to control a risk, you don’t start all over again to identify it.
To make sense of the apparent cycle, think of it as covering all risk in the project. You identify the risk, assess it, plan actions and then implement them. Then you identify any new risks (perhaps when planning the next stage) and add them to the existing ones. You’ll then assess new risks and the current state of existing risks before going on to plan actions. The cycle still doesn’t work well, however, because if things are looking good with existing risks and the countermeasures are working, you’re not going to plan and implement further actions.
The warning here is not to try to make sense of the model as a cycle in the normal sense. Just take it as a high level overview and you’ll be fine.