Risk is inherent in the nature of a project. So, that makes project risk management a central part of the Project Management toolset.
Don’t think of it as an add-on. Nor even as a discipline in its own right. Instead, it’s best to regard risk management as a thread that runs through the heart of project management.
I tend to agree with Tim Lister’s often re-quoted statement that:
‘Risk Management is Project Management for adults’
Quoted in many places, including the book, ‘Waltzing with Bears: Managing Risk on Software Projects’, Tom DeMarco and Timothy Lister, Dorset House Publishing (2003)
What I take from this is that, when you understand how projects work, and can manage a basic project effectively, you will increasingly use project risk management as your primary framework for controlling your project.
But, maybe, he simply means that ignoring active risk management is just plain childish!
In this guide, we’ll answer all the important questions about Project Risk Management:
The very first of my Project Management in Under 5 video series (currently around 100 videos) addressed this very question…
Let’s remind ourselves of the definition of a project. To ring the changes, let’s take what is, perhaps, the simplest definition: the PMI’s:
A project is ‘a temporary endeavor undertaken to create a unique product, service or result.’
The fact that we are doing something unique – often new and innovative too – using a temporary organizational structure that probably consists of a group of people who have worked together before, introduces a lot of uncertainty. And uncertainty is the very nature of risk.
Risk is defined as:
‘Uncertainty that can affect outcomes’
For me, the term management suggests an active process that seeks to gain control over the uncertainty of risks, by following a simple process. In the video, we saw a four-step process:
This is not a one-off sequence of tasks that takes place somewhere suitable, within your project. It is a constant cycle that goes on throughout your project. That’s what I think Tim Lister means when he implies this is the way grown-ups manage projects.
As you’d expect, all the predictive project management methodologies have specific ways of describing risk management. And they are all pretty much the same, with superficial changes in terminology and minor variants to their approach. We shall look at three.
In the sixth edition of the PMI’s Project Management Body of Knowledge, The PMBOK Guide, Project Risk Management is the eighth of ten Knowledge Areas. It has seven processes.
The Project Management Professional and Certified Associate in Project Management are two of PMI’s qualifications. They are based on the PMBOK Guide. To learn more about them, check out our PMP roadmap: ‘I Want to Study for Project Management Professional’.
The APM’s Body of Knowledge 7th Edition is still fairly new. It has stepped away from the more prescriptive and process-driven approach of its predecessors. It spreads its guidance about project risk management across several subsections in the chapter on Planning and Managing Deployment.
PRINCE2 is the UK Government’s methodology for Project Management. It’s mandatory for Government-funded projects in the UK, but is used and respected widely around the globe.
PRINCE2 has 7 Processes, 7 Themes, and 7 Principles. And Risk is one of the themes. Of the three methodologies, this is the one that most closely mirrors the approach I take in this article and in the OnlinePMCourses training.
To learn more about PRINCE2, check out our PRINCE2 roadmap: ‘I Want to Study for PRINCE2’. It has a huge wealth of resources, including a link to the article, ‘PRINCE2 Certification: Everything You Need to Know’.
There are some excellent books on project risk management. As an introductory text, that takes you beyond the single chapter you’ll find in most project management books, I can only really recommend my own: Risk Happens!
However, if you want to go deeper, there are others I’d recommend too – and you can browse them at our Project Management bookshop.
But our purpose here is to introduce you to the essentials of project risk management. So let’s dive straight in.
Before we start, this video introduces all the key concepts that we will cover…
The PMBOK Guide 6th Edition refers to this as:
11.1 Plan Risk Management
The PRINCE2 Guide 2017 Edition refers to this in the section:
10.3 Guidance for Effective Risk Management
Because active risk management needs to perfuse everything you do, it pays to start by planning how you will do it. There are several key considerations you’ll need to make:
Out of this will come things like a risk management plan and a budget and resource plan for your risk management activities. Your plan needs to address things like:
Do take a look at our guest article, from Keith Baxter, the founder of risk management consultancy, De-RISK: ‘10 Step Risk Management Kick-off for Your Project’.
The PMBOK Guide 6th Edition refers to this as:
11.2 Identify Risks
The APMBoK 7th Edition refers to this as:
4.2.2 Risk Identification
PRINCE2 refers to this as: Identify
Before you do anything else, you need to identify the risks to your project.
While some risks may be unforeseeable, many will be accessible to your team’s collective experience, instinct, and imagination. Get the team together and make a long-list of everything that could go wrong.
To help you, we recommend our Indispensable Guide to the Sources of Project Risk. This article will introduce you to the types of project risk, and also get you started with spotting the risks on your project.
Two other articles that you could usefully read are:
Do take a look at our article, ‘Indispensable Guide to the Sources of Project Risk’.
The PMBOK Guide 6th Edition refers to this as:
11.3 Perform Qualitative Risk Analysis
11.4 Perform Quantitative Risk Analysis
The APMBoK 7th Edition refers to this as:
4.2.3 Risk Analysis
PRINCE2 refers to this as: Assess
Your long-list can quickly get very long indeed. So you need to prioritize your work in managing the risks. Three factors will typically have the largest influence on your priorities. The first two derive from the definition of a risk: ‘Uncertainty that can affect outcomes’.
The first is impact: how severe the effect would be if the risk occurs. There are lots of ways to measure the impact, depending on what type of impact you anticipate, and what your priorities are for your project. At its simplest, this can just be a high, medium, low scale.
I discuss the four types of uncertainty in this short video…
The second is likelihood: how likely you consider this risk to be. This is usually the hardest element to estimate, because we rarely have good data on which to base our estimates. And, in the absence of a data-driven approach, we need to rely on estimation and intuition. The problem is that most of us are highly unsophisticated in our understanding of probabilities and statistics, and our intuitions frequently lead us astray. To avoid falling into the trap of believing our estimates are more robust than they are, keep your evaluation simple: a high, medium, low scale is often the best approach.
Impact and likelihood are implicit in the definition of risk.
A slightly more pedantic definition might be that ‘risk is uncertainty that can affect outcomes in the future’.
This introduces time into the definition. The third thing to consider in prioritizing a risk is its proximity. Is it likely to be a concern soon or much later? Once again a simple scale of soon, middle and far distance will often suffice.
Already, with just simple three-point scales, you have 27 possible priority values.
Assuming you consider impact, likelihood, and proximity to be equally important, you can get a numerical priority ranking by allocating scores to the scales:
If you multiply the scores, you’ll get priority rankings from 1 to 64. That is more than adequate to prioritize effectively.
Please note, though, that this scoring approach is suitable for ranking and prioritization. It is not a sound quantitative approach for estimating the value of a risk, in anything but the most approximate way.
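The multiplicative ranking described above, applied to a small register, as an added example that is not part of the original article. The scores 1, 2 and 4 are an assumption (one assignment that produces the stated range of 1 to 64), and the function names and sample risks are constructed for illustration.

```python
from collections import defaultdict

# ASSUMPTION: the article's own score list is not reproduced on this page.
# 1/2/4 is one assignment that gives the stated product range of 1 to 64.
LEVEL = {"low": 1, "medium": 2, "high": 4}
PROXIMITY = {"far": 1, "middle": 2, "soon": 4}


def priority(impact, likelihood, proximity):
    """Ranking score: product of the three scale scores (not a risk value)."""
    return LEVEL[impact] * LEVEL[likelihood] * PROXIMITY[proximity]


def rank_register(register):
    """Return (score, id) pairs, highest priority first; ties ordered by id."""
    scored = [(priority(r["impact"], r["likelihood"], r["proximity"]), r["id"])
              for r in register]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))


def priority_bands(register):
    """Group risk ids by score, so tied risks are reviewed together."""
    bands = defaultdict(list)
    for score, risk_id in rank_register(register):
        bands[score].append(risk_id)
    return dict(bands)


# Constructed sample register (hypothetical risks, not from the article).
REGISTER = [
    {"id": "R1", "risk": "Key supplier delivers late",
     "impact": "high", "likelihood": "medium", "proximity": "soon"},
    {"id": "R2", "risk": "Test environment unavailable",
     "impact": "medium", "likelihood": "medium", "proximity": "middle"},
    {"id": "R3", "risk": "Regulation changes after go-live",
     "impact": "high", "likelihood": "low", "proximity": "far"},
    {"id": "R4", "risk": "Lead developer leaves mid-build",
     "impact": "high", "likelihood": "high", "proximity": "soon"},
    {"id": "R5", "risk": "Sponsor reassigned",
     "impact": "medium", "likelihood": "high", "proximity": "middle"},
    {"id": "R6", "risk": "Data migration overruns",
     "impact": "high", "likelihood": "high", "proximity": "far"},
]

if __name__ == "__main__":
    for score, ids in priority_bands(REGISTER).items():
        print(f"priority {score:>2}: {', '.join(ids)}")
```

R5 and R6 land in the same band despite very different profiles, which is why the score works for ordering attention and not for valuing a risk.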
Do take a look at our article, ‘The Project Manager’s Guide to Simple Risk Analysis’.
The PMBOK Guide 6th Edition refers to this as:
11.5 Plan Risk Responses
The APMBoK 7th Edition includes a section on:
4.2.9 Contingency Planning
PRINCE2 refers to this as: Plan
Towards the bottom of your priority scale, you may choose to do nothing about your risks.
But at the top of the scale, not only must you act, but you will need a basket of different strategies to deal with these highly dangerous threats. You will want to find ways to reduce both the likelihood and impact of the risk, and put in place measures to tackle the outcomes if the risk arises. For large risks, each will need its own management plan.
You’ll build your risk management plan out of six generic strategies:
Both PMI and PRINCE2 have slightly variant lists of risk strategies. And I have analyzed these in a detailed article, ‘Risk Response Strategies: A Full and Revised Roundup’.
One thing people often struggle with is finding a suitable plan for a big risk. First of all, make your plan multi-pronged. But most important, many big risks aren’t risks at all. Take, for example, a typical project risk on a typical project risk register:
‘The project is delayed’
That’s not a risk, it’s a possible outcome. The way to make progress is to ask, ‘what could happen to delay the project?’ There are doubtless many possible answers to this. Each one is a separate risk. And each of these separate risks will be best addressed by its own management plan.
When you run a project, you are spending someone else’s money or putting their reputation at hazard. So, it is imperative that you are accountable and can show that you are treating these risks seriously.
Build a Risk Register or Risk Log to record the risks you identify, how you assess them and, crucially, what you do about them. Your Risk Register is a tool of governance, accountability and transparency on the one hand, and a management tool on the other. Throughout your project, you should be constantly referring to it, to assess how your risk profile is shifting, and what your next risk management action should be.
As you’d expect, there are risk register templates in all of our core project management course programs, as well as in our Project Management Templates Kit.
The PMBOK Guide 6th Edition refers to this as:
11.6 Implement Risk Responses
The APMBoK 7th Edition refers to this as:
4.3.3 Risk Management
PRINCE2 refers to this as: Implement
There is one systematic failing of many inexperienced project managers. They often do an excellent piece of desk work on risk management. They file a thorough and elegant Risk Register, and then move on to the next issue on their project. They somehow imagine that the risk will get to hear about their plan, and so not materialize.
You can never file risk management as ‘done’ while your project is running. Treat your risk register as a day-to-day tool and not as a part of your static documentation. Make sure every line on your risk register is allocated to a single named individual as a risk owner.
Have a regular cycle of reviewing your risks, speaking to the people who you have tasked to deal with them, and generating more action until the threat is reduced to an acceptable level. Periodically, get a team together to identify new risks.
But, above all, when you have a risk plan, work the plan. A set of actions is nothing if you don’t do them.
The PMBOK Guide 6th Edition refers to this as:
11.7 Monitor Risks
PRINCE2 refers to this as: Communicate
Any project manager should understand the importance of the monitor and control cycle to a process. Doing isn’t enough. We need to recognize that what we do may not have exactly and wholly the effect we intend. So we monitor the outcomes of our actions and take further action to control deviations from our intention. And, of course, circumstances change.
Throughout your project, you need to maintain your risk register, keeping it current and adding new risks that the team identifies.
In addition, good governance means we need to report on the status of our projects with respect to risks. We do this within regular, highlight or checkpoint reports. Also, we create exception reports when circumstances demand – most likely, in this context, when a substantial risk manifests, or something happens that we had not identified in our risk register.
This table lists some of the factors that will influence your decision about how to scale your risk management process.
Scale of project
Level of threat
Uncertainty of outcome
Prevailing environment
The next table lists some of the ways that you can adapt the fundamental process to the needs of your project and the environment within which you are pursuing it.
Investment in the process
Degree of formality
Methodologies used
Level of detail
You can download the Kindle eBook I refer to in this video.
I also did a short Podcast interview with Johnny Bierne. You can hear Risk Management Explained on this short Podcast.
If you are interested in embedding risk management into your organization, we have an article, ‘How to Build a Robust Project Risk Culture [8 Steps]’.
We’d love to hear what you consider to be the essentials of managing risks on projects, to give better project management. We’ll respond to every comment we receive.
Dr Mike Clayton is one of the most successful and in-demand project management trainers in the UK. He is author of 14 best-selling books, including four about project management. He is also a prolific blogger and contributor to ProjectManager.com and Project, the journal of the Association for Project Management. Between 1990 and 2002, Mike was a successful project manager, leading large project teams and delivering complex projects. In 2016, Mike launched OnlinePMCourses.