A Tale of Two Projects: Capturing Risks vs Managing Risks
In a medium-sized manufacturing organisation, two projects, Project Zenith and Project Horizon, set out to modernise the organisations production processes. Both teams recognised the importance of risk management, yet their vastly different approaches led to very different results.
Project Zenith: Risks Captured but Unmanaged
The Project Zenith team took pride in identifying risks early. They produced an extensive risk register that listed numerous threats, including supply chain disruption, technical failures, regulatory delays, poor requirements definition, and even risks not aligned to the project’s objectives. However, no opportunities (upside risks) were identified.
Beyond documentation, risk management received little attention. Risks were reviewed infrequently, only once a month by the Project Manager and never at Project Board level. No effective risk responses were planned or implemented, and ownership was unclear. Opportunities, such as negotiating improved supplier arrangements, were ignored because they were not considered part of the risk management process.
When a supplier unexpectedly halted production due to industrial action midway through the project. With no mitigation in place, alternative suppliers had to be sourced urgently. The resulting delays and cost increase breached project tolerances, forcing unplanned escalations to senior managers. Despite having a “comprehensive” risk register, the project was unprepared when risks materialised.
Project Horizon: Proactive Threat and Opportunity Management
Project Horizon adopted a proactive and disciplined approach to risk management. Like Zenith, they maintained a risk register, but they went further by:
- Identifying both threats and opportunities
- Assessing probability and impact
- Defining appropriate risk responses
- Assigning risk owners and action owners
- Reviewing risks regularly in project workshops and at Project Board stage gates
The team actively searched for opportunities within the risk process. One notable example was identifying the opportunity to engage local suppliers instead of international ones. This reduced costs while also mitigating threats such as possible shipping delays, currency fluctuation, and tariff changes.
Risk management was embedded into the project’s governance and decision-making process. Stakeholders were engaged from the start of the project, and a strong risk aware culture was encouraged across the project.
When an industry-wide material shortage occurred, Horizon was ready. Pre-agreed local supplier contracts enabled the project to continue with minimal disruption.
Outcomes
Project Zenith
- Failed to deliver against time, cost, scope, quality, and benefits
- Reacted to risks instead of managing them
- Missed valuable opportunities
- Spent significant effort firefighting issues
Project Horizon
- Delivered on time and to scope
- Benefits are on track post‑project
- Received strong stakeholder support and trust
The Lesson
Effective risk management is not about compiling long lists of risks and hoping for the best. It is about actively managing uncertainty minimising threats and maximising opportunities.
As Project Horizon demonstrates, robust risk management does not simply protect a project; it actively increases the likelihood of success.
PRINCE2® and Risk Management
PRINCE2 defines the purpose of the Risk Management Practice as:
“To identify, assess, and control uncertainties that would affect the project’s objectives and, as a result, improve the ability of the project to succeed.”
Risk management in PRINCE2 is a structured, ongoing, and repeatable process, fully integrated with project governance. Denial is not a valid risk response.
The Five Steps of Risk Management (PRINCE2)
1. Identify
Review objectives and context to identify threats and opportunities aligned to the project’s objectives.
2. Assess
Estimate probability, impact, (optionally proximity and velocity), and prioritise the risks, and understand the overall risk exposure.
3. Plan
Define appropriate responses (avoid, reduce, share, accept, exploit, enhance, share, prepare a contingent plan).
4. Implement
Execute planned actions, monitor risks, It is critical to ensure that the responsibilities for the risk owner and risk action owner are identified and agreed for each risk.
5. Communicate
Ensure risk information is shared with the right stakeholders at the right time. (examples: Highlight report, Checkpoint report, Exception report, End stage reports).
All steps are iterative as new information emerges; earlier steps may need to be revisited.
Enjoyed this post? Join the conversation by leaving a comment or sharing your thoughts below, we’d love to hear your experiences and perspectives. Don’t forget to explore our upcoming events for more opportunities to learn and connect, and visit the forumto continue the discussion. 
