Essay: Risk management process (ScotRail)

Essay details:

  • Published: October 3, 2021*

A risk is “an uncertain event or set of events that if it should occur, will influence the achievement of objectives” (PRINCE2 definition). Practicing risk management and considering it as part of the IT project will prepare the ScotRail project team for the worst scenarios. The PRINCE2 methodology contains three dimensions; risk management strategy (how risk management will be integrated into the ScotRail project).

This section will describe the risk management process in detail as it relates to successfully completing the new ScotRail web and mobile application for users. It will explain the useful tools and techniques to avoid overall risk from the start to the end of the project. Most importantly, it will discuss how the organisation communicates risk management.

3.2 Objectives

Without having risk management objectives, the project will fail miserably. It is crucial for ScotRail to ensure the project runs smoothly without the interference of high impact risks.

The most important objectives are stated below:

1. Maintain a common understanding of risk across all stakeholders involved in the project.
2. Allocate capital more efficiently through better management of internal resources to save project costs.
3. Carry out a SWOT analysis to find major threats to the project and decrease the severity impact.
4. Improve risk identification and assessment techniques to respond effectively to catastrophic risks.

3.3 The Risk Management Procedure

Risk management involves a series of five steps, which are key to success for every IT project because the organisation may face unexpected events or changes. PRINCE2 provides a disciplined approach for the development of a risk management strategy. The project needs to understand how to identify, assess and control risk because it may influence the project objectives.

PRINCE2 requires the ScotRail project to have a Management Strategy document that defines the project procedures in terms of how risk will be identified, assessed, controlled and communicated in the project. The cycle diagram presented below (Figure 3.0) shows the steps of the risk management procedure. Communication itself is an ongoing process which is carried out throughout each step of risk management.

Figure 3.0 – Risk Management Procedure Cycle Diagram

3.3.1 Step 1: Risk Identification

This is the first step of carrying out the risk management process within an IT project. Some Risk Identification tools and techniques are:

1. Brain-storming – a few meetings between internal or external stakeholders were set up to find any problems in the project and discussions on how they can be solved. The brain-storming technique was performed by prompting the team to think about any problems that may occur throughout the project and writing it as bullet points; sharing thoughts and ideas. The IT project managers of ScotRail took lead of all meetings by documenting all suggestions. This was the first important step which helped identify many risks.

2. SWOT analysis – this is a study undertaken by the ScotRail organization to identify its internal strengths, weaknesses, external opportunities and threats. There were several meetings which took place to achieve this. An example of this is presented below referring to the ScotRail project.


Figure 3.1 – SWOT Analysis

4. Risk Breakdown Structure (RBS) – this is a hierarchical representation of risks, starting from upper levels and going downwards towards lower level risks. As shown below, business, project and product risks lead to more defined risks. The risks can keep subdividing into deeper levels.

Figure 3.2 – Risk Breakdown Structure

5. Past Reviews and records – project members may have previous experience of identifying risks from similar projects, which can be reused. This technique would be a discussion between internal and external stakeholders of the project. Past reviews are simple, but members must trust each other’s knowledge from previous projects.

Risk Categories

Risks can be reduced or detected at an earlier stage of the IT project. It is crucial for every team to consider potential risks that may occur throughout the IT project. There are three types of risks which can be identified:

  • Business risks – this involves organisation-related problems.
  • Project risks – this involves people and resources which affect the overall performance of the project.
  • Product risks – this involves the quality of the product being developed; for example, the team may fail to meet user requirements.

Defined Risk Categories

  • Strategic
  • Commercial
  • Economic/Financial/Market
  • Legal & Regulatory
  • Organisational/Management/Human factors
  • Political
  • Environmental

These risk types are broken down into defined categories where relevant risks related to the project are recorded, listed in Figure


Figure 3.3 – Defined Risk Categories Table

Overall, during the risk identification step, the risk cause and risk event are also discussed.

This may affect ScotRail’s objectives; the diagram below (Figure 3.4) presents the approach carried out once the risk has been identified. Risk cause describes the source of the risk, risk event shows the uncertainty of the risk, and risk effect is what impacts the project objectives.

Figure 3.4 – Risk Identification Step

3.3.3 Step 2: Risk Assessment

This is the next step of risk management. It involves finding ways to manage the risks which have been identified and analysed by the IT project team, to prevent high impact risks from threatening the project. The risk must be either avoided or mitigated by taking some sort of action that will cause little damage to the project.

Risk Assessment is responsible for observing and evaluating the obdurate risks. This may include changes to the risks which have already been identified and alterations in the likelihood and impact that the risks might have. The changes may cause new risks to be identified.

This step involves two main actions:

  • Estimating, which assesses the probability, impact and proximity of each threat or opportunity (refer to the risk register).
  • Evaluating, which ranks all the risks to get an overall risk value for the project.

For the ScotRail project, a probability versus impact table is used to measure whether risk impact is high, medium or low. PRINCE2 suggests plotting the estimates on a Summary Risk Profile diagram, presented below (Figure 3.5). This is also referred to as risk proximity, which means how close the risk is to occurring in the ScotRail project. The prediction is extremely useful because the project team can compare different risks to see which risks need more attention, and it provides an overview of all levels of risk.

Figure 3.5 – Risk Profile Summary

3.3.4 Step 3: Risk Planning

This step concerns planning specific responses to the threats and opportunities. The main concept of Risk Planning is to decrease the threats and increase the opportunities. It is important for the ScotRail project team members to be prepared for any risks which may occur.

An example of this would be an external weather risk scenario: if the Project Manager fails to plan a response to the risk, then in terrible weather conditions employees will not be able to arrive at work, which will slow development time during the week. Altogether there are six responses for threats and four responses for opportunities that PRINCE2 provides. These are stated in the form of a clear table for better understanding (Figure 3.6).

Figure 3.6 – Risk Response Table

Risk Responses

The threat responses above are:

  • Avoid – act so the threat can no longer happen
  • Reduce – this is reducing the probability of the risk or reduce the impact if the risk does occur
  • Fallback – this is a plan of activities that would be performed if the risk occurs or becomes a problem.
  • Transfer – an example of this is when financial risks are transferred to another party e.g. insurance policy to recover costs if threats occur
  • Accept – the risk here is accepted because it may cause damage to reject the risk.
  • Share – this is a response for both threats and opportunities, sharing risks with suppliers or external companies involved in the ScotRail project.

The opportunity responses above are:

  • Exploit – advantage would be taken of the risk if it occurred.
  • Enhance – actions are taken to give a greater chance for an opportunity to happen.
  • Reject – where an opportunity is identified and the ScotRail organisation decides to not take further action.

3.3.6 Step 4: Risk Implementation

The final step is to Implement the Risk which is the

In the implement step, the risk owner and the risk actioner roles are defined. The risk owner is an individual who is responsible for the monitoring and control of a risk, whereas the risk actioner is assigned to carry out the risk response actions. They support and take advice from the risk owner.

The whole organisation must carefully carry out risk identifying activities; however, on some occasions, this falls under the responsibility of the project manager. The table below shows which stakeholder has the responsibility for certain risks.

Risk Management Roles and Responsibility:

ScotRail Organisation Member(s) – Role & Responsibility

Managing Director of ScotRail

  • Approve Risk Management Strategy
  • Responsible for business risks
  • Escalate risk to programme management

Senior Supplier: Chief executive of Network Rail

  • Identify external risks
  • Decide on risk recommendations

Senior User: Head of IT at ScotRail

  • Ensure supplier aspects of risks are managed

Project Manager(s): Matt Mitchel, Narinder Kaur, Catriona Cowe, Patrick O’Donnell

  • Create Risk Management Strategy
  • Create & maintain risk register
  • Responsible for management of risks

Project Assurance

  • Give support to Project Board and advice about risk management

3.3.7 Step 5: Communicate Risk

Communicating the risk throughout the whole ScotRail project is crucial for the IT project team. Referring to figure 0.0, the cycle shows that communication is at the center of the risk management procedure. It is important for experts and employees to continuously give their feedback on the risks stated in the risk register. Communication management facilitates the engagement with stakeholders. There are many ways in which risks can be discussed and shared; the ScotRail organisation had weekly meetings covering all risks from the risk register and identifying any new risks. This ensures that project threats and opportunities are communicated to all necessary stakeholders.

Different types of reports were produced to communicate risk:

Highlight Report: This report is a time-driven management product in PRINCE2. It was used by the project board to monitor the progress of the project. The highlight report was frequently updated by the project manager, who would advise the project board of any problems where the board could help. When new risks arose, the highlight report was of great use for communicating them to the project board. This was mostly accomplished by a formal presentation or conference call by the Project Manager.

Checkpoint Reports: These were used by the project team to show the status of tasks being worked on or completed. The team members had a shared online task list showing which member had responsibility for a task. This is shown in the appendix; there were also progress emails sent to the project manager.

End Stage Report: This report provides a summary of progress to a certain date; which then was taken to the project board by the project manager as a formal presentation to ask what should be done next in the ScotRail Project. This was where approval was given to move onto the next stage of the project.

End Project Report: The end stage report was only used during the project closure to review the performance of the project. It allowed the project manager to record any unfinished work of the project; however, this was not the case. The project manager communicated this to the project board using Trello; a project management tool for communication.

Lessons Report: This report is included with the end project report; although, this report was used by the project manager throughout the project by recording any new experiences which could be used for other upcoming projects.

Overall, there was effective communication throughout the ScotRail project due to the types of formal reporting carried out. Various reports were used for different areas of the project. However, reporting was not the only type of communication used; the next section will explain another useful method for communicating risks.

3.4 Early Warning Indicators

The ScotRail project aimed to increase the probability of achieving the project objectives at an early stage of the project. Early warning indicators were used by the ScotRail project team to focus on areas which will affect the project. Examples where Early Warning Indicators were developed for the ScotRail Project:

1. Understanding of Business Case by all stakeholders
2. Estimated delivery date for the project
3. How much trust is there between employees
4. Level of feedback during meetings and reporting
5. Stakeholder conflicts

There were specific approaches used to identify the Early Warning Indicators:

Maturity Models

As ScotRail is a medium-sized organisation, it has developed maturity model documentation that can be used to assess its delivery of the project. The organisation had a high score which resulted in a successful project delivery. The project team was able to continue because the assessment of project objectives, team and technology was positive.

Stakeholder Analysis

Stakeholder analysis was used to identify what motivates specific stakeholders and the power they have over the ScotRail project. Stakeholder reactions were analysed for insight into how they may behave if the project does not go according to their requirements. This prevented possible future problems in the ScotRail project.

Overall, communicating the risks throughout the project is the final step of the risk Management procedure. However, there is a useful tool which is used to record all risks identified, assessed, planned and implemented. This is explained in the next section.

3.5 Risk Register

The risk management process steps stated above are documented together in the format of an Excel spreadsheet. This is called a risk register: a powerful risk management tool used in the PRINCE2 methodology, behaving as a repository for all potential risks. ISO 73:2009 (Risk management—Vocabulary) defines a risk register to be a “record of information about identified risks”. The risk register for the ScotRail project, showing 10 recorded risks, is presented below with a list of definitions.

Figure 3.7 – Risk Register

Risk Register Definitions:

  • Risk Identifier: Risk ID from specific categories.
  • Risk Author: The person who brought up the Risk.
  • Risk Types: These represent the categories which the risks fall into: business, project or product (ScotRail System).
  • Risk Description: This is written in a specific way (e.g., cause, event and
  • Risk Actioner: A person who will carry out the actions from the risk response section.
  • Proximity: (Likelihood) How soon (when) the risk is likely to occur.
  • Risk Response: Actions to resolve the Risk.
  • Risk Status: Current status of the Risk: Active or Closed – all risks closed
  • Risk Owner: The person in charge of being the risk owner
  • Probability Impact: Choose a value from an agreed scale (very low, low, normal, etc.)

Another risk management tool which is related to the risk register is a contingency plan. It is often used for an exceptional risk that would have catastrophic consequences. The contingency plan is the final stage of defense against the risk to support project success. Contingency plans are an essential part of risk management. It is important to always have a backup option if things go wrong. A good contingency plan can prevent the ScotRail project from “going under” when unexpected events occur.

3.6 Contingency Plan

Risk ID Contingency Plan


Insufficient Budget; the project cost may rise and there will not be enough money to lead the project to success. Budgeting could be affected in many ways; for example, project team employees may demand higher wages. Another project risk could be that the project budget estimation was not realistic or carefully thought through with the project board, including the senior supplier and executive.


Time Management; the project could run behind schedule and fail. In a PRINCE2 project, all successful projects must meet the planned end date. The project manager may not delegate the tasks on time or may fail to communicate. The project team may not complete tasks in time to move onto the next stages in the project. The team might lack communication and stakeholder conflicts could arise, wasting time.


Size of project; the size of the system is underestimated and may be more ambiguous than expected. Functional requirements may become complicated and developers might not have enough time to add more implementation stages and new features required by the stakeholders.

Therefore, to ensure successful project delivery it is extremely important to carefully follow the risk management process and have a clear understanding of what risks may occur at each stage of the project. The risk register and contingency plan are available to all team members; the team is prepared for any negative or positive effects on the project. The next section will describe the team’s understanding of risk tolerance and its importance.

3.7 Risk Tolerance & Appetite

It was important for the ScotRail project to understand and accept the risk “appetite”. Risk appetite refers to the amount of losses the project could afford and still have a successful outcome. This relates to the business objectives; the project board of ScotRail had to first discuss the risks which may arise when achieving business goals. The risks identified in the project were fairly distributed to the project’s stakeholders, as shown in the risk register.

Figure 3.9 – Risk Appetite & Tolerance Representation

The figure presented above shows the range of risk appetite in green, allowing affordable risks. It then represents the risks which were controlled by various stakeholders in the ScotRail project. Risk tolerance, however, is the highest level of risk impact and severity, at which it became critical to act, although there were many risks which were controlled.

Having knowledge of risk appetite and tolerance allowed the project manager to monitor all risks which may lead to a negative path and try to control them. For this project, the ScotRail team followed the risk register matrix shown in the appendix to track the severity and likelihood of each risk.

3.8 Risk Budget

The ScotRail project team had set aside money to deal with specific responses to threats and opportunities. This was used for any other department or service of the project. Most times a threat or opportunity may cost money which is calculated in the risk budget for the project. Project costs and delays were not paid off by using the risk budget; the project manager ensured that the risk budget was only kept strictly for arising positive and negative risks.

Most risks were identified early and controlled, and very few risks had expenses. The risk budget was then used to overcome and accept the risks before the project manager lost control of the risk itself. If there was not enough risk budget for the risks, the Project Manager would refer back to the Project Board; Executive and discuss what to do next.

3.9 Conclusion

Overall, risk management is sometimes referred to as “Project management” itself. It was crucial for the ScotRail project team to focus on and understand the need for Risk Management at each stage of the project. Many risks were identified which affected different stakeholders or areas of the project. The assessment techniques used when identifying the risks were very helpful; this led on to learning how to control the risks. The risk register and understanding risk tolerance were a large factor.

Each team member had the responsibility to communicate any risks which may affect the project and its surroundings. Communicating the risks using formal reporting allowed the Project Board to be continuously engaged and understand every stage of the ScotRail application being produced. The project manager ensured that each member of the project knew the importance of Risk Management. Through the efficient use of Risk Management tools, techniques, communication and processes, the project led to a great success without any unfinished requirements or severe concerns.



About this essay:

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, Risk management process (ScotRail). Available from:<> [Accessed 02-12-21].

These have been submitted to us by students in order to help you with your studies.

* This essay may have been previously published on at an earlier date.
