Risk Management
All about Risk Management

Introduction to Risk Management

A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives. Managing those events is what project risk management is all about. Sometimes, you want to avoid the risk happening; sometimes it’s worth encouraging it.

If that sounds strange – why would we want to encourage something risky to happen? – then let’s look again at what risk really is.

Risk can be thought of as ‘uncertainty that matters’. Risks that matter include those with positive effects as well as those with negative effects (which you’ll see referred to as opportunities and threats). They can also affect any project objective, not just time or cost.

We have many podcasts to help you build your project management skills, and risk management is definitely a topic worth learning more about! The resources on this page will help you.

Featured Podcast: What People Really Think About Risk

Listen now to this featured podcast on risk management.

In this featured podcast with risk expert Dr David Hillson, you'll learn about what people really think when they hear the word 'risk'.

What about related words like "uncertainty," "threat" or "opportunity"? Building on established neurolinguistic theories of word/image association, this fascinating interview explores underlying tensions in what people think about risks.

You won't find this information in the Practice Standard for Project Risk Management but it's so useful when thinking and talking about risk with project stakeholders. Discover the surprising truth, and compare yourself with your peers. And of course, this episode is relevant to risk management in agile projects as well, just in case you were wondering. The insights will change how you think about risk management critical success factors. Enjoy the episode!
Dr. David Hillson
Please scroll down to see the full list of our risk management podcasts.

What is Risk Management?

Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, response implementation, and monitoring risk on a project. The objectives of project risk management are to increase the probability and/or impact of positive risks and to decrease the probability and/or impact of negative risks, in order to optimize the chances of project success.

Importance of Risk Management in Project Management

Risk management on projects is important because it helps us plan for the future.

When most people talk about risk on a project, they are thinking about the things that might go wrong. There’s always something that could happen which would have a negative effect on the project’s performance. Maybe it would delay the project, or increase the cost. Generally, people think about risk in terms of things that would affect the project schedule and budget, but risk can impact any of the project’s objectives.

It’s important to think broadly and deeply about what kind of risk could affect the project, so you can make adequate plans to manage the risk appropriately. And risk isn’t only limited to the project’s objectives. You will also see risk in your project as a result of variability, ambiguity and emergence. Risk management is a huge area!

There are many tools available that tell you how to identify your risks, how to quantify them, how to define their impact on the project and what you can do in order to avoid or mitigate them.

Identifying Risks

Project risk identification typically happens at the start of the project, but it is not a one-off exercise. Risk identification should also happen throughout the project as the work evolves and people get a clearer idea about what could potentially impact the work.

As a project manager, you might have access to lessons learned from previous projects which will help you identify appropriate risks for your risk log on this project. You'll also draw on the expertise of your team and talk with them about the kinds of things that could cause problems on the project. Then together, you can plan for those possible situations so you are ready.

One exercise you can do to help the team come up with risks is to think about how certain things could affect the project. Come up with a list of categories and see what you can think of that would cause your project a problem from those categories. Here are some categories to get you started.

  • Preventable risks
    These are risks that could be prevented with some effort from the project team. They are things you can see may happen and you can put together a clear plan of action to address them so they do not happen. For example, a key resource leaving the business or a product's pricing changing. While you can't always control these things, you can put measures in place to ensure employee satisfaction levels are high and that contracts secure future pricing at a level the business can sustain.
  • Strategy risks
    These risks affect business strategy. You'll have to think more broadly than your own project in order to come up with strategy risks. Consider what could affect your work if the strategy changed, or whether something could affect your project and also have an effect on business strategy too. For example, a change of leadership in the executive team that prompts a change of direction for the strategy.
  • External risks
    This type of risk hits your project from outside the team, and possibly outside the organization. External risks can be hard to identify but spend some time thinking about what could happen that is nothing to do with the project but would affect your work. For example, a natural disaster or a supplier going bankrupt.

Let project team members know that they can come to you at any time if they have identified a project risk. They should be able to raise concerns and have the risk added to the log at any point during the project.

Managing Risks

Ready to manage that risk? Here are the risk management steps to work through with your team.

There are several different options for risk management on projects, and the appropriate action depends on many factors. The risk management process below covers what you should consider at each point. Use the context of the project to inform your actions. For example, consider the risk appetite of the project sponsor and what else is going on in the organization. It might not be an appropriate time to be taking risk with a project, even if the project risk seems to be relatively small. That’s why project risk management should integrate into the risk management frameworks and governance approach that exist in the organization overall.

Step 1: Identify the Risk

You’ll have a risk identification workshop (or at least a discussion) at the start of the project, but risk identification doesn’t stop there. Risks can crop up at any point in the project. When they do, start this process for risk management and make sure your new risks are added to the risk register.

Step 2: Analyze the Risk

Once you’ve identified a new risk, the next step is to analyze it. Talk to the team about what could happen if the risk materializes. You need to fully understand what would cause the risk and what could be done to prevent, mitigate or exploit the risk, so spend some time looking at all the options and use your subject matter experts to complete the analysis.

Step 3: Evaluate the Risk

Now you know what could happen if the risk occurs, you can evaluate it. This step lets you prioritize your risk management actions and make better decisions about what risk to focus on. Typically, you’ll look at how likely it is that the risk will happen and how much of an impact it will have if it does happen. This gives you a likelihood and impact rating. Add these to your risk register.

Step 4: Decide on Risk Management Strategy

Armed with your assessment, you can now make a risk management plan. You may decide to do nothing. Or you may decide to invest a lot of time and effort into addressing the potential problem. Your next steps will very much depend on the project, your risk assessment and the risk appetite of the executive team at the time. Here are the main approaches you can include in your risk management plan to address each risk.
  • Avoidance. This is where action is taken to reduce the negative effect of the risk. For example, you could remove high-risk deliverables from the project scope, or increase the development and testing time to ensure the products were fit for purpose.
  • Acceptance. It might be appropriate to do nothing and accept the risk for what it is. You could choose this approach where there is nothing you could do to address the risk, or where the risk effect is so low that it isn’t worth investing time and energy in acting on it.
  • Transference. Sometimes the best thing to do is to pass the risk to another party for them to manage, with their agreement. An example of this is insurance. Your project manages a risk by asking another individual or group to take on the risk for you, and that normally involves a fee. If it isn’t possible to pass the whole risk on to another group, then you can share the risk, taking responsibility for part of it each, which could be the case in a joint venture, for example.
  • Mitigation and enhancement. When you mitigate or enhance a risk, you are changing the amount of impact it will have on the project. In other words, you are changing the risk level, either to decrease the likelihood of it happening to an acceptable amount, or to increase the likelihood of it happening. There are lots of things you can do to make this happen, such as replanning the project, involving different stakeholders, changing its priority, or the priority of tasks on the schedule, and so on. The exact steps you take will depend on the project, the team, and what you are trying to achieve.
  • Exploitation. Finally, you can exploit the risk, which means making a real effort to make the most of any positive uncertainty. A simple example would be doing additional marketing for your product launch in an attempt to increase the number of products sold in a particular time period. You could also add extra items into scope to provide extra benefit for the end users or stakeholders. With this strategy, you are trying to capitalize on the uncertainty by going ‘all in’ on achieving any extra benefit.

Step 5: Monitor and Review

Finally, you’ll monitor and review the actions taken. Are they working? Has the risk passed? If the risk is no longer going to happen because of the action you have taken, you can close the risk on the register. This step ensures that you can track whether your risk management actions are having the effect you expected. If not, you can step in and change how you are managing the risk to thoroughly address it.

Risk management in business is a detailed subject, and we’ve only touched on it here. Why not pick a couple of podcasts with our risk management expert interview guests and listen to them discuss the theory and practice of risk on projects in more detail?

Risk management has to be something supported at the top level and driven down. The program manager can identify risks and attempt to mitigate and manage them. That really wasn’t something that was done formally 30 years ago and we can do it today because of technology. Does it add a little bit of time and burden to the organization? Yes, but that’s essential if you’re going to keep risks from impacting a program.
Scotty Bates

PM Podcast Episodes on Risk Management

Below you'll find a selection of our favourite podcasts about project risk management. These are just a few of the many expert interviews we have in store for you sharing risk management techniques across all kinds of industries and projects. If you're looking to improve your risk skills, start here!

How to Integrate Risk Management into Agile Projects

In this episode of the Project Management Podcast, you'll learn about risk management in agile projects and the techniques every project manager should address as part of any Agile approach. Risk expert Laszlo Retfalvi shares his tips for integrating risk management into agile ways of working.
Laszlo Retfalvi and Cornelius Fichtner

How Risk Attitudes Affect Your Project

How do you and the stakeholders on your project react to risks? Do risks frighten you or do they invigorate you? And what risk approach will a frightened project manager take versus the approach that an invigorated one takes? This discussion is at the core of risk attitude in project management. Janice Preston, PMP, discusses the four basic risk attitudes.
Janice Preston

How to Quantify Qualitative Risk

All risks need to be analyzed, but it's easier to see the impact of some than others. In this interview with Ricardo Viana Vargas, you'll learn the five-level scale for probability, the mathematical "quadratic mean" process involved to calculate the numerical exposure, and how you can easily apply qualitative risk analysis on your own projects.
Ricardo Viana Vargas

How to Manage the Risks You Didn't Know You Were Taking

Drawing on leading thinking and current best practice, in this interview you'll learn about the full range of project risks that need to be managed, starting from the proto-definition of risk as “uncertainty that matters”. With illustrative examples of each type of risk, and practical response strategies for managing them, you'll learn about managing overall project risk, how to identify all types of risk that might affect our projects, and ways to tackle them effectively.
Cornelius Fichtner and David Hillson


Whether you are new to project risk management, or whether you can fluently use terms like ‘stochastic’ and ‘aleatoric’ in your risk conversations, there is always more to find out about the emerging professional discipline of project risk management.

We’ve had the pleasure of speaking to some of the world’s foremost experts in project risk management, and sharing their wisdom and knowledge with you in our range of free and premium expert interviews. Enjoy the episodes!

Copyright © 2008 - 2020 OSP International LLC.