The Simple Way to Improve Your Project Risk Management

Project Risk Management

Risk is inherent in the nature of a project. So, that makes project risk management a central part of the project management toolset.

Don’t think of it as an add-on. Nor even as a discipline in its own right. Instead, it’s best to regard risk management as a thread that runs through the heart of project management.

I tend to agree with Tim Lister’s often re-quoted statement that:

‘Risk Management is Project Management for Grown-Ups’

What I take from this is that, when you understand how projects work, and can manage a basic project effectively, you will increasingly use project risk management as your primary framework for controlling your project.

What is Project Risk Management?

The very first of my Project Management in Under 5 video series (still ongoing) addressed this very question…


We’ll Start with ‘Project’

Let’s remind ourselves of the definition of a project. To ring the changes, let’s take what is, perhaps, the simplest definition: the PMI’s:

A project is ‘a temporary endeavor undertaken to create a unique product, service or result.’

The fact that we are doing something unique – often new and innovative too – using a temporary organizational structure that probably consists of a group of people who have worked together before, introduces a lot of uncertainty. And uncertainty is the very nature of risk.

Now let’s Understand ‘Risk’

Risk is defined as:

‘Uncertainty that can affect outcomes’

And now, ‘Management’

For me, the term management suggests an active process that seeks to gain control over the uncertainty of risks, by following a simple process. In the video, we saw a four-step process:

  1. Identify Risks
  2. Analyze Risks
  3. Plan for Risks
  4. Take Action
Risk Management Process

This is not a one-off sequence of tasks that takes place somewhere suitable, within your project. It is a constant cycle that goes on throughout your project. That’s what Tim Lister means when he implies this is the way grown-ups manage projects.

So what are the Absolute Essentials that a Project Manager needs to Know about Risk?

There are some excellent books on project risk management. As an introductory text, that takes you beyond the single chapter you’ll find in most project management books, I can only really recommend my own: Risk Happens! (US|UK).

However, if you want to go deeper, there are others I’d recommend too – and you can browse them at our Project Management bookshop.

But our purpose here is to introduce you to the absolute essentials of project risk management. So let’s dive straight in.

First Essential: You can’t do anything until you know what the risks are

Before you do anything else, you need to identify the risks to your project.

While some risks may be unforeseeable, many will be accessible to your team’s collective experience, instinct and imagination. Get the team together and make a long-list of everything that could go wrong.

To help you, we recommend our Indispensable Guide to the Sources of Project Risk. This article will introduce you to the types of project risk, and also get you started with spotting the risks on your project.

Two other articles that you could usefully read are:

  1. Giant Guide to Project Failure
  2. More Reasons why Projects Fail

Second Essential: Not all risks are equal

Your long-list can quickly get very long indeed. So you need to prioritise your work in managing the risks. Three factors will typically have the largest influence on your priorities. The first two derive from the definition of a risk: ‘Uncertainty that can affect outcomes’.

The Effect on Outcomes

How severe the impact would be, if the risk occurs. There are lots of ways to measure the impact, depending on what type of impact you anticipate, and what your priorities are for your project. At its simplest, this can just be a high, medium, low scale.

The Level of Uncertainty

How likely you consider this risk to be. This is usually the hardest element to estimate, because we rarely have good data on which to base our estimates. And, in the absence of a data-driven approach, we need to rely on estimation and intuition. The problem is that most of us are highly unsophisticated in our understanding of probabilities and statistics, and our intuitions frequently lead us astray. To avoid falling into the trap of believing our estimates are more robust than they are, keep your evaluation simple: a high, medium, low scale is often the best approach.

When it Matters

Impact and likelihood are implicit in the definition of risk.

A slightly more pedantic definition might be that ‘risk is uncertainty that can affect outcomes in the future’.

This introduces time into the definition. The third thing to consider in prioritizing a risk is its proximity. Is it likely to be a concern soon or much later? Once again a simple scale of soon, middle and far distance will often suffice.

Putting it all together…

Already, with just simple three-point scales, you have 27 possible priority values.

Assuming you consider impact, likelihood and proximity to be equally important, you can get a numerical priority ranking by allocating scores to the scales:

  • Low/distant = 1
  • Medium/Middle = 2
  • High/soon = 4

If you multiply the scores, you’ll get priority rankings from 1 to 64. That is more than adequate to prioritize effectively.

Please note, though, that this scoring approach is suitable for ranking and prioritization. It is not a sound quantitative approach for estimating the value of a risk, in any but the most approximate way.

Third Essential: Record all risks and what you are doing about them

When you run a project, you are spending someone else’s money or putting their reputation at hazard. So, it is imperative that you are accountable and can show that you are treating these risks seriously.

Build a Risk Register or Risk Log to record the risks you identify, how you assess them and, crucially, what you do about them. Your Risk Register is a tool of governance, accountability and transparency on the one hand, and a management tool on the other. Throughout your project, you should be constantly referring to it, to assess how your risk profile is shifting, and what your next risk management action should be.

As you’d expect, there are risk register templates in all of our core project management course programs, as well as in our Project Management Templates Kit.

Fourth Essential: Determine what you will do to manage each risk

Towards the bottom of your priority scale, you may choose to do nothing about your risks.

But at the top of the scale, not only must you act, but you will need a basket of different strategies to deal with these highly dangerous threats. You will want to find ways to reduce both the likelihood and impact of the risk, and put in place measures to tackle the outcomes if the risk arises. For large risks, each will need its own management plan.

You’ll build your risk management plan out of six generic strategies:

  1. Accepting minor risks (‘risk toleration’)
  2. Reducing likelihood that the risk will occur (‘risk reduction’)
  3. Reducing impact, if the risk does occur (‘risk mitigation’)
  4. Transferring the risk to someone else – usually through a contract (‘risk transfer’)
  5. Devising a ‘contingency plan’ to carry out, should the risk occur
  6. Removing the risk entirely – which is often not possible (‘risk termination’)

Interestingly, the PMI has announced that the forthcoming (estimated September 2017) sixth edition of the Project Management Body of Knowledge (PMBoK®) will include a new risk strategy: risk reporting or escalation. I don’t see that as a strategy to manage the risk, just a tactical process step, if the management plan needs a higher level of expertise or authority.

The Importance of Understanding Root Cause

One thing people often struggle with is finding a suitable plan for a big risk. First of all, make your plan multi-pronged. But most important, many big risks aren’t risks at all. Take, for example, a typical project risk on a typical project risk register:

‘The project is delayed’

That’s not a risk, it’s a possible outcome. The way to make progress is to ask, ‘what could happen to delay the project?’ There are doubtless many possible answers to this. Each one is a separate risk. And each of these separate risks will be best addressed by its own management plan.

Fifth Essential: Do something

There is one systematic failing of many inexperienced project managers. They often do an excellent piece of desk work on risk management. They file a thorough and elegant Risk Register, and then move on to the next issue on their project. They somehow imagine that the risk will get to hear about their plan, and so not materialize.

You can never file risk management as ‘done’ while your project is running. Treat your risk register as a day-to-day tool and not as a part of your static documentation. Make sure every line on your risk register is allocated to a single named individual as a risk owner.

Have a regular cycle of reviewing your risks, speaking to the people who you have tasked to deal with them, and generating more action until the threat is reduced to an acceptable level. Periodically, get a team together to identify new risks.

But, above all, when you have a risk plan, work the plan. A set of actions is nothing if you don’t do them.

How to Scale your Risk Management Process

What are Your Project Risk Management Essentials?

We’d love to hear what you consider to be the essentials of managing risks on projects, to give better project management. We’ll respond to every comment we receive.


About the Author Mike Clayton

Dr Mike Clayton is one of the most successful and in-demand project management trainers in the UK. He is author of 13 best-selling books, including four about project management. He is also a prolific blogger and contributor to and Project, the journal of the Association for Project Management. Between 1990 and 2002, Mike was a successful project manager, leading large project teams and delivering complex projects. In 2016, Mike launched OnlinePMCourses.
