Please Share

Indispensable Guide to the Sources of Project Risk

If you are taking on Project Management, you will need to come to terms with its necessary consequence: project risk. It’s a topic I’ll be covering a lot, over time, because it is so central to project management. I have already written, at length, about why projects go wrong. In this article, we’ll look at some of the sources of project risk.

PMI Talent Triangle - Technical Project Management

Types of Project Risk

Sources of Project Risk

Sources of Project Risk

It is often helpful to understand categories. But I am not talking about the often-cited categories of project risk, like:

  • Personnel
  • Financial
  • Schedule
  • Procurement
  • …Etc

I want to look at the fundamental nature of risk.

Definition of Risk

Risk is defined as:

Uncertainty that can affect outcomes

So, from that point of view, risks are an inevitable part of projects. We have more uncertainties than everyday operational work, because projects are novel and try to introduce change. Learn more about the basics of Risk Management in the Risk Management Explained podcast.

The Four Types of Project Risk

And if uncertainty is a characteristic of risk, then our understanding of project risk must start from the source of our uncertainty. This leads me to four types of project risk, based on why we don’t know.

Classification of Project Risk - Known-Unkowns, etc

Classification of Project Risk

Let’s start with the toughest of all…


We can’t know what we don’t know. Until, that is, we discover it. Nassim Nicholas  Taleb wrote a whole book (US, UK) about what he describes as ‘Black Swan Events’. These are events for which we have no warning. These are risks that we cannot foresee, because they are based on things we do not know. The only way we uncover these hidden truths is by constant research and exploration. And the only way to deal with them as sources of project risk is constant vigilance. We need processes that deliberately look out for the first signs of an unexpected event.

When we discover the existence of something, that throws up a second problem… We don’t yet know much about it. Our unknown unknown has become a known unknown.

For #project risks we cannot foresee, horizon scanning is essential Click To Tweet


Known unknowns are gaps in our knowledge. These sources of project risk are common in many of our projects. Examples include:

  • what is the sub-surface structure below the building site?
  • how will we solve the technical challenges of integrating these two software tools?
  • how will this group of stakeholders react to our proposals?
  • which contractor or supplier will win the tender process?

None of these are unknown-unknowns. For each one, we know there is a problem and can characterize that unknown. Each is susceptible to familiar processes of research, data-gathering, and assessment. But as we refine our knowledge, and analyze what we learn, we reduce our uncertainties, and therefore our risks.

Known unknowns are gaps in our knowledge. Respond with research Click To Tweet

Sometimes it is possible to refine our knowledge to such a degree that no uncertainty remains. At other times, we bump into a core of ‘irreducible uncertainty’. That is, there is sometimes an amount of uncertainty we can never resolve, until events play out. We’ll come back to that.

But first, lets look at the knowledge we don’t know we have…


There is knowledge you have – often from your past experience – that you have never brought into your conscious awareness. This s one of the principal reasons why lessons learned reviews are such a valuable project management discipline. Reflecting on your experiences is the surest path to wisdom. But if we assume that team members do have hidden knowledge that is relevant to your project, how can you reveal it?

Here are my suggestions:

  1. Improve your knowledge management processes. Set up regular lessons learned reviews and find ways to document and share the knowledge.
  2. Encourage team members to share stories and anecdotes about previous projects and ask questions about the links and similarities with your current project
  3. Ask people questions and request opinions… Especially from people who tend to be less confident in offering their opinions and ideas.
  4. Use exercises that tap into unconscious memories – such as Gary Klein’s ‘Pre-mortem’ approach to risk identification
  5. Be curious about what stakeholders know or can tell you. Often, their unarticulated (or hard-to justify) concerns arise from this kind of hidden knowledge
'Latent Risks' - What is it that you don't know you know? Click To Tweet

Your curiosity is the way you’ll unlock these sources of project risk. And, like our known-unkowns, once you release them, they become…


Known-knowns are the risks we know we know about. Yet some of them remain risks.


Because there remains some uncertainty that we cannot, even in principle, resolve.

We know the weather is a risk to many types of project. And we know that we know it, so it is a known-known. But there is nothing we can do to create certainty about this season’s rainfall, or night-time temperatures, for example, until it is too late.

Likewise, we know hat, over the course of a large and lengthy project, some of our team will fall ill. Maybe worse. And we know we know it will happen. We can take actions to mitigate the impacts. We can even supply flu vaccines and encourage safe travel, to reduce the likelihoods. ut we can never remove the risk entirely, and we can never know who it will strike until it does strike.

Statistics will tell us how much priority to give these types of project risk. But the risks remain because the uncertainty is random in nature. We understand randomness. (Well, statisticians and actuaries do – most of us have a pretty weak understanding). But we can never eliminate it.

Not all risks can be reduced with research. Randomness rules. Click To Tweet

Sources of Project Risk

There are many potential sources of project risk. One of our Project Management Checklists has over 60 examples. In this guide, I’d like to discuss the categories we use in that checklist.

General Risks

These tend to be a mix of naturally occurring events and the kind of risks that arise as a result of the complexity of human endeavours.

Marketplace Risks

These are all of the different commercial risks that can arise.

Technical Risks

Most of these risks are fairly readily managed. The mistake people frequently make is to assume that nothing can go wrong, because technology is reliable. I kid you not… I know it sounds absurd when written down, but many people have that unspoken assumption, despite all evidence to the contrary.

People Risks

Often it isn’t the tech that lets us down, but the user. There are all sorts of risks that people pose… If only we could do our projects without them. Of no. That won’t work. Then we’d need to use technology!

Process Risks

Whether you are thinking of embedded organizational processes that affect your project, or your project’s own processes, any process can fail due either to:

  • Missing steps
  • Faulty documentation
  • Error in creating the process
  • human error

Property Risks

Real estate, assets and equipment are all subject to uncertainties that can affect your project’s outcomes.

Financial Risks

Avoid being lazy and simply documenting the risk of project cost over-run. What are the sources of financial risk? Each is different, but each can be managed. Cost over-run is too nebulous and fuzzy to lend itself to a mitigation plan.

Social and Political Risks

As soon as two people start to discuss your project, you have politics to contend with. Foreseeing the social an political sources of project risk is an important activity at the start of devising your stakeholder engagement plan.

Why use a Checklist?

In the case of project risk identification, a checklist can help you in two ways:

  1. Firstly, it can speed up your process of identifying potential project risks, by offering you a starter set of risks to consider.
  2. Secondly, it can ensure you do not mis a significant risk… or, indeed,, a whole category of risks.

So, checklists prevent costly mistakes and speed up consistent delivery.

Take a look at our Project Management Checklists now.

Checklists prevent costly mistakes and speed up consistent delivery. Click To Tweet

How do your Categorise and Identify Project Risks?

Please tell us below, how you handle the identification and categorisation of risks on your projects. I’ll respond to every substantive comment.

About the Author Mike Clayton

Dr Mike Clayton is one of the most successful and in-demand project management trainers in the UK. He is author of 14 best-selling books, including four about project management. He is also a prolific blogger and contributor to and Project, the journal of the Association for Project Management. Between 1990 and 2002, Mike was a successful project manager, leading large project teams and delivering complex projects. In 2016, Mike launched OnlinePMCourses.

follow me on: