17 July, 2023

Spotting Project Threats: How to Find the Sources of Project Risk

Projects are inherently uncertain. So we set out to spot what can go wrong as early as possible. Risk Identification is the first stage of Risk Management and it demands that we understand the sources of project risk. So, in this article, we’ll look at two things:

  1. How we can understand the four different types of project risk
  2. A categorization of the different sources of project risk

If you want a guide to a Risk Management Kick-off to your project, check out our 10-Step Risk Management Kick-off for Your Project.

Spotting Project Threats - How to Find the Sources of Project Risk
Sources of Project Risk

Definition of Risk

Risk is defined as:

Uncertainty that can affect outcomes

So, from that point of view, risks are an inevitable part of projects. We have more uncertainties than everyday operational work, because projects are novel and try to introduce change. Learn more about the basics of Risk Management in the Risk Management Explained podcast.

And if uncertainty is a characteristic of risk, then our understanding of project risk must start from the source of our uncertainty. This leads me to four types of project risk, based on why we don’t know.

An Introduction to Project Risk Management

For a broad introduction to Risk Management, I recommend:

To go a little deeper, we have:

The Four Types of Project Risk

It is often helpful to understand categories. But I am not talking about the often-cited categories of project risk, like:

  • Personnel
  • Financial
  • Schedule
  • Procurement
  • …Etc

We’ll return to this approach later. But first, I want to look at the fundamental nature of risk.

Classification of Project Risk
Classification of Project Risk

Video Explanation

And now, in writing!

Let’s start with the toughest of all…


We can’t know what we don’t know. Until, that is, we discover it. Nassim Nicholas  Taleb wrote a whole book (The Black Swan) about what he describes as ‘Black Swan Events’. These are events for which we have no warning. These are risks that we cannot foresee, because they are based on things we do not know. The only way we uncover these hidden truths is by constant research and exploration. And the only way to deal with them as sources of project risk is constant vigilance. We need processes that deliberately look out for the first signs of an unexpected event.

When we discover the existence of something, that throws up a second problem… We don’t yet know much about it. Our unknown-unknown has become a known-unknown.

For #project risks we cannot foresee, horizon scanning is essential Click To Tweet


Known unknowns are gaps in our knowledge. These sources of project risk are common in many of our projects. Examples include:

  • what is the sub-surface structure below the building site?
  • how will we solve the technical challenges of integrating these two software tools?
  • how will this group of stakeholders react to our proposals?
  • which contractor or supplier will win the tender process?

None of these are unknown-unknowns. For each one, we know there is a problem and can characterize that unknown. Each is susceptible to familiar processes of research, data-gathering, and assessment. But as we refine our knowledge, and analyze what we learn, we reduce our uncertainties, and therefore our risks.

Known unknowns are gaps in our knowledge. Respond with research Click To Tweet

Sometimes it is possible to refine our knowledge to such a degree that no uncertainty remains. At other times, we bump into a core of ‘irreducible uncertainty’. That is, there is sometimes an amount of uncertainty we can never resolve, until events play out. We’ll come back to that.

But first, let’s look at the knowledge we don’t know we have…


There is the knowledge you have – often from your past experience – that you have never brought into your conscious awareness. This is one of the principal reasons why lessons learned reviews are such a valuable project management discipline. Reflecting on your experiences is the surest path to wisdom. But if we assume that team members do have hidden knowledge that is relevant to your project, how can you reveal it?

Here are my suggestions:

  1. Improve your knowledge management processes. Set up regular lessons learned reviews and find ways to document and share the knowledge.
  2. Encourage team members to share stories and anecdotes about previous projects and ask questions about the links and similarities with your current project
  3. Ask people questions and request opinions… Especially from people who tend to be less confident in offering their opinions and ideas.
  4. Use exercises that tap into unconscious memories – such as Gary Klein’s ‘Pre-mortem’ approach to risk identification
  5. Be curious about what stakeholders know or can tell you. Often, their unarticulated (or hard-to-justify) concerns arise from this kind of hidden knowledge
'Latent Risks' - What is it that you don't know you know? Click To Tweet

Your curiosity is the way you’ll unlock these sources of project risk. And, like our known-unknowns, once you release them, they become…


Known-knowns are the risks we know we know about. Yet some of them remain risks.


Because there remains some uncertainty that we cannot, even in principle, resolve.

We know the weather is a risk to many types of projects. And we know that we know it, so it is a known-known. But there is nothing we can do to create certainty about this season’s rainfall, or night-time temperatures, for example, until it is too late.

Likewise, we know that, over the course of a large and lengthy project, some of our team will fall ill. Maybe worse. And we know we know it will happen. We can take action to mitigate the impacts. We can even supply flu vaccines and encourage safe travel, to reduce the likelihood of each type of illness. But we can never remove the risk entirely, and we can never know who it will strike until it does strike.

Statistics will tell us how much priority to give these types of project risks. But the risks remain because the uncertainty is random in nature. We understand randomness. (Well, statisticians and actuaries do – most of us have a pretty weak understanding). But we can never eliminate it.

Not all risks can be reduced with research. Randomness rules. Click To Tweet

Sources of Project Risk

There are many potential sources of project risk. One of our Project Management Checklists has over 70 examples. In this guide, I’d like to discuss the categories we use in that checklist.

General Risks

These tend to be a mix of naturally occurring events and the kind of risks that arise as a result of the complexity of human endeavors. These tend to be the ‘sh*t happens’ type of risk!

Marketplace Risks

These are all of the different commercial and competitive risks that can arise.

Technical Risks

Most of these risks are fairly readily managed. The mistake people frequently make is to assume that nothing can go wrong, because their technology is reliable. I kid you not… I know it sounds absurd when written down, but many people make that unspoken assumption, despite all evidence to the contrary.

People Risks

Often, it isn’t the technology that lets us down, but the user. There are all sorts of risks that people pose… If only we could do our projects without them. Oh no! That won’t work. Then we’d need to use technology!

Process Risks

Whether you are thinking of embedded organizational processes that affect your project, or your project’s own processes, any process can fail due either to:

  • Missing steps
  • Faulty documentation
  • Error in creating the process
  • human error

Property Risks

Real estate, assets, and equipment are all subject to uncertainties that can affect your project’s outcomes.

Financial Risks

Avoid being lazy and simply documenting the risk of project cost over-run. What are the sources of financial risk? Each is different, but each can be managed. Cost over-run is too nebulous and fuzzy to lend itself to a mitigation plan.

Social and Political Risks

As soon as two people start to discuss your project, you have politics to contend with. Foreseeing the social and political sources of project risk is an important activity at the start of devising your stakeholder engagement plan. This also includes legislation and regulatory risks.

Why use a Checklist?

In the case of project risk identification, a checklist can help you in two ways:

  1. Firstly, it can speed up your process of identifying potential project risks, by offering you a starter set of risks to consider.
  2. Secondly, it can ensure you do not miss a significant risk… or, indeed, a whole category of risks.

So, checklists prevent costly mistakes and speed up consistent delivery.

Take a look at our Project Management Checklists now.

Checklists prevent costly mistakes and speed up consistent delivery. Click To Tweet

Next Steps with Project Risk Management

The Next steps from here are to identify and analyze your risks, and build your risk register. Take a look at these videos and articles;

Going Deeper into Project Risk Management

These videos and articles will take you even deeper into risk management:

I also Recommend my Best-selling Project Risk Management Book

Risk Happens! 2nd Ed

Things go wrong: Risk Happens!

But you can be prepared.
‘I am a PM of 10+ years and I have never found such a concise read on risk management that provided so much valuable information.’

New 2nd Edition
Revised and Enlarged
Kindle exclusive

Buy Now

How do your Categorise and Identify Project Risks?

Please tell us below, how you handle the identification and categorization of risks on your projects. I’ll respond to every substantive comment.

Never miss an article or video!

Get notified of every new article or video we publish, when we publish it.

Mike Clayton

About the Author...

Dr Mike Clayton is one of the most successful and in-demand project management trainers in the UK. He is author of 14 best-selling books, including four about project management. He is also a prolific blogger and contributor to ProjectManager.com and Project, the journal of the Association for Project Management. Between 1990 and 2002, Mike was a successful project manager, leading large project teams and delivering complex projects. In 2016, Mike launched OnlinePMCourses.
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Never miss an article or video!

 Get notified of every new article or video we publish, when we publish it.