Risk Management
All about Managing Risk on Projects

Introduction to Risk Management

A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives. Managing those events is what project risk management is all about. Sometimes, you want to avoid a threat happening; sometimes it’s worth encouraging it.

If that sounds strange – why would we want to encourage something risky to happen? – then let’s look again at what risk really is.

Risk can be thought of as ‘uncertainty that matters’. Risks that matter include those with positive effects as well as those with negative effects (which you’ll see referred to as opportunities and threats). They can also affect any project objective, not just time or cost.

We have many podcasts to help you build your project management skills, and risk management strategies are definitely a topic worth learning more about! In this article we’ll look at the types of risk management, techniques you can use, the 5 ways to manage risk and lots of tips for handling this complex knowledge area on your own projects.

Featured Podcast: What People Really Think About Risk

Listen now to this featured podcast on managing project risk.

In this featured podcast with expert Dr David Hillson, you'll learn about what people really think when they hear the word 'risk'.

What about related words like "uncertainty," "threat" or "opportunity"? Building on established neurolinguistic theories of word/image association, this fascinating interview explores underlying tensions in what people think about risks.

You won't find this information in the Practice Standard for Project Risk Management but it's so useful when thinking and talking about risk with project stakeholders. Discover the surprising truth, and compare yourself with your peers. And of course, this episode is relevant to risk management in agile projects as well, just in case you were wondering. The insights will change how you think about risk management critical success factors. Enjoy the episode!
Dr. David Hillson
Dr. David Hillson
Please scroll down to see the full list of our risk management podcasts.

What is Risk Management?

Project Risk Management is the process of identifying and responding to project risks with the objective of managing the impact of that risk.
The risk management process in project management includes a number of steps such as planning, analysis, identifying responses and implementing them, risk review and monitoring. We'll look into more detail about the process of managing risk in the rest of this article.

Importance of Risk Management in Project Management

Risk management on projects is important because it decreases the probability and impact of risk, making it more likely that the project will be successful. It helps us predict and manage what might happen in the future and make the best of that situation.

When most people talk about risk on a project, they are thinking about the things that might go wrong. There’s always something that could happen which would have a negative effect on the project’s performance. Maybe it would delay the project, or increase the cost. Generally, people think about risk in terms of things that would affect the project schedule and budget, but risk can impact any of the project’s objectives.

However, the other reason why managing project risk is important is because some risks are positive: we want to take the risk because if it pays off, there is a benefit to the project.

It’s important to think broadly and deeply about what kind of threat or opportunity could affect the project, so you can make adequate plans to manage the impact appropriately. And risk isn’t only limited to the project’s objectives. You will also see risk in your project as a result of variability, ambiguity and emergence. Risk leadership is a huge area!

Risk categories

One exercise you can do to help the team come up with potential problems is to think about how certain things could affect the project. Create with a list of categories (or use a prompt sheet from the PMO if you have one) and see what you can think of that would cause your project a problem from those categories. The categories could be anything: the names of departments, the workstream on the project they impact, for example. One of the ways we like to categorize our registers is by type. The three categories are:

  • Preventable
  • Strategy
  • External
  • Preventable risks
    These are risks that could be prevented with some effort from the project team. They are things you can see may happen and you can put together a clear plan of action to address them so they do not happen. For example, a key resource leaving the business or a product's pricing changing. While you can't always control these things, you can put measures in place to ensure employee satisfaction levels are high and that contracts secure future pricing at a level the business can sustain.
  • Strategy risks
    These risks affect business strategy. You'll have to think more broadly than your own project in order to come up with strategy risks. Consider what could affect your work if the strategy changed, or whether something could affect your project and also have an affect on business strategy too. For example, a change of leadership in the executive team that prompts a change of direction for the strategy.
  • External risks
    This type of risk hits your project from outside the team, and possibly outside the organization. External threats and opportunities can be hard to identify but spend some time thinking about what could happen that is nothing to do with the project but would affect your work. For example, a natural disaster or a supplier going bankrupt.

Let project team members know that they can come to you at any time if they have identified a project risk. They should be able to raise concerns and add their newly-identified opportunities and threats to the register at any point during the project.

Identifying Risks

Project risk identification typically happens at the start of the project, but it is not a one-off exercise. Risk identification should also happen throughout the project as the work evolves and people get a clearer idea about what could potentially impact the work. Let's look at what is involved.

What is project risk identification?

Project risk identification is the process of identifying what risks might affect the project and how much of an impact they would have.

How to identify risks

  • Step 1: Make sure the team knows what a risk is
  • Step 2: Brainstorm with the team to identify risks
  • Step 3: Use other techniques as appropriate
  • Step 4: Document the results in your risk register
  • Step 1
    Make sure the team knows what a risk is. A risk is something that hasn't happened yet. As a project leader, it's your responsibility to ensure they understand. Sometimes people get confused between a risk (which hasn't happened yet but might do) and an issue (which has happened already). You only want to add risks to your register.
  • Step 2
    Brainstorm with the team to identify risks. The easiest and most common way to identify what might go wrong is to discuss the possibilities with the team. Meet with key stakeholders and subject matter experts and ask them what they are concerned about. These topics are likely to be perfect candidates for inclusion in your risk register.
  • Step 3
    Use other techniques as appropriate. Brainstorming is good, but it shouldn't be the only thing you rely on. As a project manager, you might have access to lessons learned from previous projects which will help you identify appropriate risks for your risk register on this project. Your PMO might have checklists or prompt lists that will help you go deeper into the project and find the less obvious hazards. You can also review corporate risk registers that could cover new and emerging business risks like IT threats as these could also have an impact on your project.
  • Step 4
    Document the results. Finally, you need to record what you have uncovered from your conversations and analysis. Record all the details the risk register so you have a single place to track and monitor them. You can also assign each risk a category which makes it easier to report on them later.

Managing Risks

Now you have your risk register populated with the potential problems and opportunities that you have identified. You are ready to prepare actions plans for each of them. Here are the risk management steps to work through with your team.

  • Identify the risk (we looked at this in detail above so we will not review it again)
  • Analyze the risk
  • Evaluate the risk
  • Decide on the most appropriate risk management strategy
  • Monitor and review.

There are several different options for risk management on projects, and the appropriate action depends on many factors. The risk management process below covers what you should consider at each point.

Use the context of the project to inform your actions. Scrum helps manage risk: if you use that approach to completing projects, you will already be managing your exposure because of the rules you apply to doing work.

Whether you work in a predictive or agile environment, consider the risk appetite of the project sponsor and what else is going on in the organization. It might not be an appropriate time to be taking chances with a project, even if the impact seems to be relatively small. That’s why project risk management should integrate into the risk management frameworks and governance approach that exist in the organization overall.


Step 1

Analyze the Risk

Once you’ve identified a new risk, the next step is to analyze it. Talk to the team about what could happen if the risk materializes (which is risk speak for saying 'the risk happens'). You need to fully understand what would cause it to happen and what could be done to prevent, mitigate or exploit the risk. Spend some time looking at all the options and use your subject matter experts to complete the analysis.

Step 2

Evaluate the Risk

Now you know what could happen if the risk occurs, you can complete your evaluation. This step lets you prioritize your risk management actions and make better decisions about what to focus on. Typically, you’ll look at how likely it is that the threat or opportunity will happen and how much of an impact will it have if it does happen. Use a risk matrix following the specific guidance from your PMO to calculate a likelihood and impact rating. Add these to your risk register.

Step 3

Decide on Risk Management Strategy

Armed with your evaluation and assessment, you can now make a risk management plan. You may decide to do nothing. Or you may decide to invest a lot of time and effort into controlling the potential problem. Your next steps will very much depend on the project, your risk assessment and the risk appetite of the executive team at the time. Here are the 5 ways to manage risk.
  • Avoidance
  • Acceptance
  • Transference
  • Mitigation or enhancement
  • Exploitation
Let's look at what each of those means for your project.
  • Avoidance. This is where action is taken to reduce the negative effect of the threat. For example, you could remove high-risk deliverables from the project scope, or increase the development and testing time to ensure the products were fit for purpose. Avoidance is a control mechanism to address potential problems by making sure they don't happen.
  • Acceptance. It might be appropriate to do nothing and accept the risk for what it is. You could choose this approach where there is nothing you could do to address the risk, or where the risk effect is so low that it isn’t worth investing time and energy in acting on it.
  • Transference. Sometimes the best thing to do is to pass the risk to another party for them to manage, with their agreement. An example of this is insurance. Your project manages a risk by asking another individual or group to take on the risk for you, and that normally involves a fee. If it isn’t possible to pass the whole risk on to another group, then you can share the risk, taking responsibility for part of it each. Joint ventures reduce the risk of capital investments and are definitely worth considering as a strategy.
  • Mitigation and enhancement. When you mitigate or enhance a risk, you are changing the amount of impact it will have on the project. In other words, you are changing the risk level, either to decrease the likelihood of it happening it to an acceptable amount, or to increase the likelihood of it happening. There are lots of things you can do to make this happen, such as replanning the project, involving different stakeholders, changing its priority, or the priority of tasks on the schedule, and so on. The exact steps you take will depend on the project, the team, and what you are trying to achieve.
  • Exploitation. Finally, you can exploit the risk, which means making a real effort to make the most of any positive uncertainty. A simple example would be doing additional marketing for your product launch in an attempt to increase the number of products sold in a particular time period. You could also add extra items into scope to provide extra benefit for the end users or stakeholders. With this strategy, you are trying to captitalize on the uncertainty by going ‘all in’ on achieving any extra benefit.

Step 4

Monitor and Review

Finally, you’ll monitor and review the actions taken. Are they working? Has the risk passed? If the threat or opportunity is no longer going to happen because of the action you have taken, you can close the risk on the register. This step ensures that you can track whether your risk management actions are having the effect you expected. If not, you can step in and change how you are managing the risk to thoroughly address it.

Risk management in business is a detailed subject, and we’ve only touched on it here. Why not pick a couple of podcasts with our risk management expert interview guests and listen to them discuss the theory and practice of risk on projects in more detail?

Risk management has to be something supported at the top level and driven down. The program manager can identify risk and attempt to mitigate and manage them. That really wasn’t something that was done formally 30 years ago and we can do it today because of technology. Does it add a little bit of time and burden to the organization? Yes, but that’s essential if you’re going to keep risks from impacting a program.
Scotty Bates
Scotty Bates

PM Podcast Episodes on Risk Management

Below you'll find a selection of our favourite podcasts about managing risk on projects. These are just a few of the many expert interviews we have in store for you sharing risk management techniques across all kinds of industries and projects. If you're looking to improve your risk skills, start here!

How to Integrate Risk Management into Agile Projects

In this episode of the Project Management Podcast, you'll learn about risk management in agile projects and the techniques every project manager should address as part of any Agile approach. Risk expert Laszlo Retfalvi shares his tips for integrating risk processes into agile ways of working.
Laszlo Retfalvi and Cornelius Fichtner
Laszlo Retfalvi and Cornelius Fichtner

How Risk Attitudes Affect Your Project

How do you and the stakeholders on your project react to threats? Do risks frighten you or do they invigorate you? And what risk approach will a frightened project manager take versus the approach that an invigorated one takes? This discussion is at the core of risk attitude in project management. Janice Preston, PMP, discusses the four basic risk attitudes.

How to Quantify Qualitative Risk

All risks needed to be analyzed, but it's easier to see the impact of some than others. In this interview with Ricardo Viana Vargas, you'll learn the five-level scale for probability, the mathematical "quadratic mean" process involved to calculate the numerical exposure, and how you can easily apply qualitative risk analysis on your own projects.
Ricardo Viana Vargas
Ricardo Viana Vargas

How to Manage the Risks You Didn't Know You Were Taking

Drawing on leading thinking and current best practice, in this interview you'll learn about the full range of project challenges that need to be managed, starting from the proto-definition of risk as “uncertainty that matters”. With illustrative examples of each type of risk, and practical response strategies for managing them, you'll learn about managing overall project risk, how to identify all types of risk that might affect our projects, and ways to tackle them effectively.
Cornelius Fichtner and David Hillson
Cornelius Fichtner and David Hillson

Summary

Whether you are new to project risk management, or whether you can fluently use terms like ‘stochastic’ and ‘aleatoric’ in your conversations with stakeholders, there is always more to find out about the emerging professional discipline of project risk management.

We’ve had the pleasure of speaking to some of the world’s foremost experts in project risk management, and sharing their wisdom and knowledge with you in our range of free and premium expert interviews. Enjoy the episodes!

Project Management for Beginners and Experts

Going beyond Project Management Professional (PMP)®, PMI Agile Certified Practitioner (PMI-ACP)®, and Certified Associate in Project Management (CAPM)®

Copyright © 2008 - 2020 OSP International LLC.
PMI, PMIef, the PMI Registered Education Provider logo, the PMIef logo, PMBOK, PMP, PgMP, PfMP, CAPM, PMI-SP, PMI-RMP, PMI-ACP, and PMI-PBA are registered marks of the Project Management Institute, Inc.