10 February, 2020

Ultimate Guide to Project Risk Management

Risk is inherent in the nature of a project. So, that makes project risk management a central part of the Project Management toolset.

Don’t think of it as an add-on. Nor even as a discipline in its own right. Instead, it’s best to regard risk management as a thread that runs through the heart of project management.

I tend to agree with Tim Lister’s often re-quoted statement that:

‘Risk Management is Project Management for adults’

Quoted in many places, including the book, ‘Waltzing with Bears: Managing Risk on Software Projects‘, Tom de Marco and Timothy Lister, Dorset House Publishing (2003)

What I take from this is that, when you understand how projects work, and can manage a basic project effectively, you will increasingly use project risk management as your primary framework for controlling your project.

But, maybe, he simply means that ignoring active risk management is just plain childish!

Structure of this Guide

In this guide, we’ll answer all the important questions about Project Risk Management:

What is Project Risk Management?

The very first of my Project Management in Under 5 video series (currently around 100 videos) addressed this very question…

We’ll Start with ‘Project’

Let’s remind ourselves of the definition of a project. To ring the changes, let’s take what is, perhaps, the simplest definition: the PMI’s:

A project is ‘a temporary endeavor undertaken to create a unique product, service or result.’

The fact that we are doing something unique – often new and innovative too – using a temporary organizational structure that probably consists of a group of people who have worked together before, introduces a lot of uncertainty. And uncertainty is the very nature of risk.

Now let’s Understand ‘Risk’

Risk is defined as:

‘Uncertainty that can affect outcomes’

And now, ‘Management’

For me, the term management suggests an active process that seeks to gain control over the uncertainty of risks, by following a simple process. In the video, we saw a four-step process:

  1. Identify Risks
  2. Analyze Risks
  3. Plan for Risks
  4. Take Action
Risk Management Process

This is not a one-off sequence of tasks that takes place somewhere suitable, within your project. It is a constant cycle that goes on throughout your project. That’s what I think Tim Lister means when he implies this is the way grown-ups manage projects.

Project Risk Management and the Major Methodologies

As you’d expect, all the predictive project management methodologies have specific ways of describing risk management. And they are all pretty much the same, with superficial changes in terminology and minor variants to their approach. We shall look at three.

  1. The PMI’s Project Management Body of Knowledge (PMBOK Guide), 6th Edition
  2. The APM Body of Knowledge (APMBoK), 7th Edition
  3. The Axelos PRINCE2 Guide, 2017 edition

The PMBOK Guide

In the sixth edition of the PMI’s Project Management Body of Knowledge, the PMBOK Guide, Project Risk Management is the eighth of ten Knowledge Areas. It has seven processes.

The Project Management Professional and Certified Associate in Project Management are two of PMI’s qualifications. They are based on the PMBOK Guide. To learn more about them, check out our PMP roadmap: ‘I Want to Study for Project Management Professional‘.


The APM Body of Knowledge

The APM’s Body of Knowledge 7th Edition is still fairly new. It has stepped away from the more prescriptive and process-driven approach of its predecessors. It spreads its guidance about project risk management across several subsections in the chapter on Planning and Managing Deployment.


PRINCE2

PRINCE2 is the UK Government’s methodology for Project Management. It’s mandatory for Government-funded projects in the UK, but is used and respected widely around the globe.

PRINCE2 has 7 Processes, 7 Themes, and 7 Principles. And Risk is one of the themes. Of the three methodologies, this is the one that most closely mirrors the approach I take in this article and in the OnlinePMCourses training.

To learn more about PRINCE2, check out our PRINCE2 roadmap: ‘I Want to Study for PRINCE2‘. It has a huge wealth of resources, including a link to the article, ‘PRINCE2 Certification: Everything You Need to Know‘.

The Seven Essentials of Project Risk Management


There are some excellent books on project risk management. As an introductory text, that takes you beyond the single chapter you’ll find in most project management books, I can only really recommend my own: Risk Happens! (US|UK).

However, if you want to go deeper, there are others I’d recommend too – and you can browse them at our Project Management bookshop.

But our purpose here is to introduce you to the essentials of project risk management. So let’s dive straight in.

How to Manage Project Risk

Before we start, this video introduces all the key concepts that we will cover…

First Essential: You need to plan your Project Risk Management approach

The PMBOK Guide 6th Edition refers to this as:

11.1 Plan Risk Management

The PRINCE2 Guide 2017 Edition refers to this in the section:

10.3 Guidance for Effective Risk Management

Because active risk management needs to permeate everything you do, it pays to start by planning how you will do it. There are several key considerations you’ll need to address:

  1. What is your project delivery approach?
    And therefore how will you fit risk management into it as an equal partner to your other key concerns?
  2. What approach will you take to Project Risk Management?
    This will depend on factors like the:
    1. culture of the organization
    2. novelty, scale, and complexity of your project
    3. political factors like the strategic importance and visibility of your project
  3. What is your organization’s attitude to risk?
    This will bring into play factors like risk tolerance/risk appetite.

Out of this will come things like a risk management plan and a budget and resource plan for your risk management activities. Your plan needs to address things like:

  • Approach to risk management
  • Risk categorization
  • Scales for risk impact and likelihood
  • Thresholds for different levels of intervention – including a limit of risk tolerance beyond which you will cancel the project, if you cannot satisfactorily address the risks that exceed that limit
  • Roles and responsibilities of team members and project board members
  • Tools, software, and methodologies
  • Monitoring, reporting, and escalation processes

Do take a look at our guest article, from Keith Baxter, the founder of risk management consultancy, De-RISK: ’10 Step Risk Management Kick-off for Your Project’.

Second Essential: You can’t do anything until you know what the risks are

The PMBOK Guide 6th Edition refers to this as:

11.2 Identify Risks

The APMBoK 7th Edition refers to this as:

4.2.2 Risk Identification

PRINCE2 refers to this as: Identify

Before you do anything else, you need to identify the risks to your project.

While some risks may be unforeseeable, many will be accessible to your team’s collective experience, instinct, and imagination. Get the team together and make a long-list of everything that could go wrong.

To help you, we recommend our Indispensable Guide to the Sources of Project Risk. This article will introduce you to the types of project risk, and also get you started with spotting the risks on your project.

Two other articles that you could usefully read are:

  1. Giant Guide to Project Failure
  2. More Reasons why Projects Fail

Third Essential: Not all risks are equal

The PMBOK Guide 6th Edition refers to this as:

11.3 Perform Qualitative Risk Analysis

11.4 Perform Quantitative Risk Analysis

The APMBoK 7th Edition refers to this as:

4.2.3 Risk Analysis

PRINCE2 refers to this as: Assess

Your long-list can quickly get very long indeed. So you need to prioritize your work in managing the risks. Three factors will typically have the largest influence on your priorities. The first two derive from the definition of a risk: ‘Uncertainty that can affect outcomes’.

The Effect on Outcomes

How severe the impact would be if the risk occurs. There are lots of ways to measure the impact, depending on what type of impact you anticipate, and what your priorities are for your project. At its simplest, this can just be a high, medium, low scale.

The Type of Uncertainty

I discuss the four types of uncertainty in this short video…

The Level of Uncertainty

How likely you consider this risk to be. This is usually the hardest element to estimate, because we rarely have good data on which to base our estimates. And, in the absence of a data-driven approach, we need to rely on estimation and intuition. The problem is that most people are highly unsophisticated in their understanding of probabilities and statistics, and their intuitions frequently lead them astray. To avoid falling into the trap of believing our estimates are more robust than they are, keep your evaluation simple: a high, medium, low scale is often the best approach.

When it Matters

Impact and likelihood are implicit in the definition of risk.

A slightly more pedantic definition might be that ‘risk is uncertainty that can affect outcomes in the future’.

This introduces time into the definition. The third thing to consider in prioritizing a risk is its proximity. Is it likely to be a concern soon or much later? Once again, a simple scale of soon, middle-distance and far will often suffice.

Putting it all together…

Already, with just simple three-point scales, you have 27 possible priority values.

Assuming you consider impact, likelihood, and proximity to be equally important, you can get a numerical priority ranking by allocating scores to the scales:

  • Low/distant = 1
  • Medium/Middle = 2
  • High/soon = 4

If you multiply the scores, you’ll get priority rankings from 1 to 64. That is more than adequate to prioritize effectively.

Please note, though, that this scoring approach is suitable for ranking and prioritization. It is not a sound quantitative approach for estimating the value of a risk, in anything but the most approximate way.
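To make the scoring scheme concrete, here is an added example (not code from the article or from OnlinePMCourses) that scores a small constructed risk register on the three-point scales above, ranks it, and also enumerates every combination of the scales. The register entries, the risk IDs and the `Risk` class are assumptions made for the illustration; the only addition to the article’s scheme is a tie-break rule, because multiplying 1/2/4 scores collapses the 27 combinations into just seven distinct values (1, 2, 4, 8, 16, 32, 64), so ties are the norm rather than the exception.

```python
from dataclasses import dataclass
from itertools import product

# Scores from the article: Low/distant = 1, Medium/Middle = 2, High/soon = 4.
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 4}
LIKELIHOOD_SCALE = {"low": 1, "medium": 2, "high": 4}
PROXIMITY_SCALE = {"distant": 1, "middle": 2, "soon": 4}


@dataclass
class Risk:
    """One line of a risk register (hypothetical structure for this example)."""
    risk_id: str
    description: str
    impact: str       # low / medium / high
    likelihood: str   # low / medium / high
    proximity: str    # distant / middle / soon
    owner: str = ""   # named individual responsible for the risk


def priority_score(impact: str, likelihood: str, proximity: str) -> int:
    """Multiply the three scale scores; result lies between 1 and 64.

    Unknown scale words raise KeyError rather than silently scoring zero,
    so a mistyped register entry is caught instead of ranked last.
    """
    return (IMPACT_SCALE[impact.lower()]
            * LIKELIHOOD_SCALE[likelihood.lower()]
            * PROXIMITY_SCALE[proximity.lower()])


def all_possible_scores():
    """Return (number of scale combinations, sorted distinct product values)."""
    combos = list(product(IMPACT_SCALE.values(),
                          LIKELIHOOD_SCALE.values(),
                          PROXIMITY_SCALE.values()))
    distinct = sorted({a * b * c for a, b, c in combos})
    return len(combos), distinct


def rank_register(risks):
    """Highest priority first. Tie-break (an assumption, not from the article):
    prefer the larger impact score, then the risk ID for a stable order."""
    return sorted(
        risks,
        key=lambda r: (-priority_score(r.impact, r.likelihood, r.proximity),
                       -IMPACT_SCALE[r.impact.lower()],
                       r.risk_id),
    )


def unowned(risks):
    """IDs of register lines with no named owner (see the Sixth Essential)."""
    return [r.risk_id for r in risks if not r.owner.strip()]


# Constructed sample register for the example; not real project data.
SAMPLE_REGISTER = [
    Risk("R1", "Key supplier misses delivery date", "high", "medium", "soon", "A. Patel"),
    Risk("R2", "Test environment unavailable at integration", "medium", "high", "middle", "B. Okoro"),
    Risk("R3", "Regulatory change alters requirements", "high", "low", "distant", "C. Lind"),
    Risk("R4", "Scope creep from ad-hoc stakeholder requests", "low", "high", "soon"),
]

if __name__ == "__main__":
    n, values = all_possible_scores()
    print(f"{n} combinations collapse to {len(values)} distinct scores: {values}")
    for r in rank_register(SAMPLE_REGISTER):
        score = priority_score(r.impact, r.likelihood, r.proximity)
        print(f"{r.risk_id:3} score={score:2} owner={r.owner or '<none>':8} {r.description}")
    print("Lines without an owner:", unowned(SAMPLE_REGISTER))
```

Running it ranks R1 (32) first, then R2 and R4 (both 16, with R2 ahead on impact), then R3 (4), and flags R4 as having no owner. The coarse seven-value output is exactly why the article cautions that this method is for ranking, not for estimating the value of a risk.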

Fourth Essential: Determine what you will do to manage each risk

The PMBOK Guide 6th Edition refers to this as:

11.5 Plan Risk Responses

The APMBoK 7th Edition includes a section on:

4.2.9 Contingency Planning

PRINCE2 refers to this as: Plan

Towards the bottom of your priority scale, you may choose to do nothing about your risks.

But at the top of the scale, not only must you act, but you will need a basket of different strategies to deal with these highly dangerous threats. You will want to find ways to reduce both the likelihood and impact of the risk, and put in place measures to tackle the outcomes if the risk arises. For large risks, each will need its own management plan.

You’ll build your risk management plan out of six generic strategies:

  1. Accepting minor risks (‘risk toleration’)
  2. Reducing the likelihood that the risk will occur (‘risk reduction’)
  3. Reducing impact, if the risk does occur (‘risk mitigation’)
  4. Transferring the risk to someone else – usually through a contract (‘risk transfer’)
  5. Devising a ‘contingency plan’ to carry out, should the risk occur
  6. Removing the risk entirely – which is often not possible (‘risk termination’)

Both PMI and PRINCE2 have slightly variant lists of risk strategies. And I have analyzed these in a detailed article, ‘Risk Response Strategies: A Full and Revised Roundup‘.

The Importance of Understanding Root Cause

One thing people often struggle with is finding a suitable plan for a big risk. First of all, make your plan multi-pronged. But most important, many big risks aren’t risks at all. Take, for example, a typical project risk on a typical project risk register:

‘The project is delayed’

That’s not a risk, it’s a possible outcome. The way to make progress is to ask, ‘what could happen to delay the project?’ There are doubtless many possible answers to this. Each one is a separate risk. And each of these separate risks will be best addressed by its own management plan.

Fifth Essential: Record all risks and what you are doing about them

When you run a project, you are spending someone else’s money or putting their reputation at hazard. So, it is imperative that you are accountable and can show that you are treating these risks seriously.

Build a Risk Register or Risk Log to record the risks you identify, how you assess them and, crucially, what you do about them. Your Risk register is a tool of governance, accountability and transparency on the one hand, and a management tool on the other. Throughout your project, you should be constantly referring to it, to assess how your risk profile is shifting, and what your next risk management action should be.

As you’d expect, there are risk register templates in all of our core project management course programs, as well as in our Project Management Templates Kit.

Sixth Essential: Do something

The PMBOK Guide 6th Edition refers to this as:

11.6 Implement Risk Responses

The APMBoK 7th Edition refers to this as:

4.3.3 Risk Management

PRINCE2 refers to this as: Implement

There is one systematic failing of many inexperienced project managers. They often do an excellent piece of desk work on risk management. They file a thorough and elegant Risk Register, and then move on to the next issue on their project. They somehow imagine that the risk will get to hear about their plan, and so not materialize.

You can never file risk management as ‘done’ while your project is running. Treat your risk register as a day-to-day tool and not as a part of your static documentation. Make sure every line on your risk register is allocated to a single named individual as a risk owner.

Have a regular cycle of reviewing your risks, speaking to the people who you have tasked to deal with them, and generating more action until the threat is reduced to an acceptable level. Periodically, get a team together to identify new risks.

But, above all, when you have a risk plan, work the plan. A set of actions is nothing if you don’t do them.


Seventh Essential: Continually monitor and review your Risk Register

The PMBOK Guide 6th Edition refers to this as:

11.7 Monitor Risks

PRINCE2 refers to this as: Communicate

Any project manager should understand the importance of the monitor and control cycle to a process. Doing isn’t enough. We need to recognize that what we do may not have exactly and wholly the effect we intend. So we monitor the outcomes of our actions and take further action to control deviations from our intention. And, of course, circumstances change.

Throughout your project, you need to maintain your risk register, keeping it current and adding new risks that the team identifies.

In addition, good governance means we need to report on the status of our projects with respect to risks. We do this within regular, highlight or checkpoint reports. Also, we create exception reports when circumstances demand – most likely, in this context, when a substantial risk manifests, or something happens that we had not identified in our risk register.

How to Scale your Risk Management Process

This table lists some of the factors that will influence your decision about how to scale your risk management process.

Drivers of scale and complexity for your risk management process

Scale of project

  • Absolute size of project in terms of investment, resources involved, duration or impact on its sponsoring organization or its community
  • Relative size of the project in the context of its sponsoring organization or its community

Level of threat

  • Cost at risk
  • Implications of failure or delay
  • Significance to its sponsoring organization or its community
  • Reputational risk

Uncertainty of outcome

  • Level of novelty of the project, use of new or untried solutions, or innovation required to deliver the outcome
  • Experience and maturity of project management within the team that is delivering it
  • Changeability of external factors such as political or social pressures

Prevailing environment

  • Degree of oversight and effectiveness of existing governance processes
  • Culture of the sponsoring organization
  • Levels of resilience and optimism

The next table lists some of the ways that you can adapt the fundamental process to the needs of your project and the environment within which you are pursuing it.

Variables of scale and complexity for your risk management process

Investment in the process

  • The budget for risk management processes and activities
  • The number of people involved
  • The seniority of the people involved

Degree of formality

  • Amount of documentation required
  • Depth and detail of documentation
  • Hierarchy and role descriptions of people involved

Methodologies used

  • Choice of techniques and tools used
  • Number of analytical tools used
  • Use or not of quantitative analysis methods

Level of detail

  • Level of threat considered high priority
  • Detail of risk planning
  • Frequency of monitoring, review, and audit

Learn More about Project Risk Management

Here’s a short video on Five Tips for Great Risk Management…

You can download the Kindle eBook I refer to in this video.


I also did a short Podcast interview with Johnny Bierne. You can hear Risk Management Explained on this short Podcast.

Risk Culture

If you are interested in embedding risk management into your organization, we have an article, ‘How to Build a Robust Project Risk Culture [8 Steps]’.

What are Your Project Risk Management Essentials?

We’d love to hear what you consider to be the essentials of managing risks on projects, to give better project management. We’ll respond to every comment we receive.

Mike Clayton

About the Author...

Dr Mike Clayton is one of the most successful and in-demand project management trainers in the UK. He is author of 14 best-selling books, including four about project management. He is also a prolific blogger and contributor to ProjectManager.com and Project, the journal of the Association for Project Management. Between 1990 and 2002, Mike was a successful project manager, leading large project teams and delivering complex projects. In 2016, Mike launched OnlinePMCourses.