The PRAM Guide describes a systematic and disciplined approach to controlling risk that can be used to help improve the success of projects. It sets out methods for the identification and recording of risks, highlighting the consequences and establishing appropriate management action. The Guide does not prescribe a system that project managers can adopt without careful thought; it will still be necessary to study other risk methods and techniques and to develop judgement through personal experience. Successful project managers know that they must develop an approach to each project that is appropriate for the purpose and which makes full use of the team’s strengths and the inherent qualities of the project and its environment. It must also reflect the project manager’s own individual style of management. There are, as always, no short-cuts to good management.

This latest edition of the Guide aims to assist project managers and risk practitioners by describing a range of approaches and techniques that are being used by their peers, and from which they may choose to suit their own particular circumstances.

This Introduction describes some of the issues and choices with respect to possible approaches and then goes on to outline the structure of the Guide.

Many project managers still see risk management as a rearguard action to protect the project from its own fears. In some cases, it is only applied superficially in order to comply with internal company rules or meet client expectations.

Simply managing to lowest cost – a typical scenario resulting from competitive fixed-price bids or unenlightened project sponsors – potentially leaves the project exposed to inherent risks. Identifying those risks and making mitigation plans in the form of alternative paths, action plans or ‘a contingency fund’ go some way towards dealing with the risk, but such an approach can be too reactive in that the mitigation plan is invoked only when the potential threat has become an issue, and opportunities (that is, risks with a positive impact) are not actively pursued.

If a project team is to be successful it cannot rely on the absence of problems but must predict and manage the inherent risks so that, when problems do occur, they can be overcome and, when opportunities arise, the benefits are maximised. A successful project manager is undoubtedly also a good risk manager who not only controls project risks to avoid ‘management-by-crisis’, but is also aware of opportunities and is ready to exploit them as they arise.

The effective management of risks will reduce the requirement for contingency planning, leading to more competitive bids, more profitable projects and more satisfied customers. This ‘risk-efficient’ approach acknowledges that proactive and judicious spending of some of the risk budget (time and/or cost) before risks occur offers the project manager the opportunity to exercise full management control over those potential events.

The net effect is to make the project far less susceptible to chance in that threats are rendered less critical in impact, or even eliminated altogether, and significant opportunities are actively pursued and realised. As a consequence, the project is less exposed to ‘crisis’ situations, and thus the project team is less stressed, more confident and is better able to apply its skills. The net result is a project that is more likely to succeed in achieving its stated objectives within agreed time and cost budgets and a customer who is more relaxed and happy.

Project risk analysis and management, as described in this Guide, is in many respects a formalisation of the common sense that project managers usually apply to their projects. It is not a new way of managing and need not require a significant change in the way a project manager thinks or behaves. It is a tool to assist in discharging project responsibilities effectively and in ensuring the fulfilment of project objectives. Although project risk analysis and management has a clearly defined formal structure, it cannot be applied mechanically – it should not be seen as a ‘painting by numbers’ approach. Most experienced risk practitioners understand this, but formal statements of risk methodologies do not always make this important point clear. Creativity, lateral thinking and an understanding of the domain or environment in which the project is taking place are crucial to successful risk management.

Project risk analysis and management is often concerned with extremely complex risk issues, so a complex method is the last thing that is needed. Accordingly, the method described in this Guide has been kept as simple as possible, while nevertheless fully encompassing all the various methods and viewpoints known to the authors that contribute to the comprehensive analysis and management of risk. This means that this Guide does not knowingly exclude any approaches that are currently being used successfully.

At its most fundamental level, risk management is extremely simple. The risks (both threats and opportunities) are identified, a prediction is made on how likely they are and the extent of their impact, decisions are taken on what to do about them, and then those decisions are implemented. At a more complex level, overall risk outcomes (rather than individual risk events) are identified and strategies devised to manage these outcomes by, for instance, changing the project approach, solution, timescales, basis of contract or even the scope of the project. This increased complexity is generally rewarded by a significantly improved performance against objectives.

Chapter 3, ‘Principles’ offers a high-level definition of the recommended approach to managing risk and introduces the fundamental principles and concepts on which the rest of the Guide is based. It also provides a summary of the risk management process, which is expanded in Chapter 4.

Chapter 4, ‘The PRAM Process’ takes the reader through a number of iterations of the process, demonstrating the changing emphasis as the project progresses and better information becomes available. The approaches described here have all been experienced by members of the APM Risk SIG. Few implementations of risk management need to specifically address every phase and action as presented in this chapter although, to varying degrees, every aspect is present in successful risk management.

Having established the principles and described the process in detail, the Guide turns to implementation. Chapter 5, ‘Organisation and Control’, examines risk management in the context of the project’s management and describes how to govern and control risk management activities on the project.

By definition, risk management involves not only most team members, but also other parties, many of whom will not be willing participants when it comes to assessing the nature of risks and how best to deal with them. Understanding this is crucial to successful risk management and is discussed in Chapter 6, ‘Behavioural Influences’.

Chapter 7, ‘The Application of PRAM’, discusses issues concerning the introduction of risk management into the organisation – namely, establishing and sustaining effectiveness, developing capability, measuring success and managing expectations.

Finally, Chapter 8, ‘Tools and Techniques’ gives a high-level summary of the tools available for implementing a risk management process. These are categorised as identification, quantitative techniques, qualitative techniques, risk control, risk audit and risk management tools. More detailed descriptions of techniques in the first three of these categories are provided in the Appendix, ‘Using Risk Management Techniques’.

The Guide concludes with a glossary and a list of other publications that may be of interest to the reader in ‘Further Reading’.

The principles and objectives of risk management have been widely adopted in recent years. Many government agencies, educated clients and wise contractors now insist on a risk assessment before any contract is placed or undertaken. They also require risk management to be undertaken during execution of the project. Yet, some organisations still take risk management less seriously, perhaps through ignorance or a bad experience. It is hoped that, whatever the reader’s circumstances, this Guide will go some way towards ensuring that tangible benefits accrue wherever risk management is applied.

In addit...