
Project Risk Management

What is a Project Risk

Project Risk: an uncertain event or condition that, if it occurs, has an effect on at least one project objective.

Risk Management: the culture, processes, and structure that lead to effective management of potential opportunities and adverse effects.

Let's simplify that: you are responsible for accomplishing the project objectives, so you want to know what can get in the way and what you can do to take care of it.

You can't do it alone. You need your project team and also an organizational culture, processes, and structures to help you manage these risks.

Before we go forward, let's also differentiate risks from issues.

The key difference is that an “issue” has already occurred, whereas a “risk” is a potential issue that may or may not happen and can impact the project positively or negatively.

Steps in managing risks for a project

1. Identify 

2. Evaluate 

3. Plan Risk Responses

4. Implement Responses & Monitor

1. Identify Risks

Involves the identification of all foreseeable risks


Identify risks through:

2. Evaluate Risks

Determine the size of the risk, taking into account the controls that are in place and how well they are working.


Prioritize risks by:

  • Assessing the impact on project objective and project constraints (consequence)

    • 1 - Very Low

    • 2 - Low

    • 3 - Moderate

    • 4 - High

    • 5 - Very High

  • Assessing the chances of this consequence occurring (likelihood)

    • 1 - Rare

    • 2 - Unlikely

    • 3 - Possible

    • 4 - Likely

    • 5 - Almost Certain


Use the evaluation criteria of your organization. 

Prioritization should be done with experts and using facts wherever possible. 

Example - risk management process

The risk that there may be a delay in technology delivery. 

Consequence - this will delay the "go-live" of the project, so it will impact the constraints of time & cost (penalties, keeping resources on the project for longer) - rated as 4

Current Controls - insignificant

Likelihood - the technology is untested and delays have happened before, so let's rate that as 4

Risk Response - We want to mitigate this risk, so the action is to get an expert from outside to deal with the technology - the cost is less than the penalties from delay and, if this works well, we may deliver earlier and get some bonus from the client.

3. Plan Risk Responses

Once you know your prioritized risks, you need to plan responses. 

The responses can be of 4 types:

Avoid: Eliminate the threat or protect the project from its impact

Mitigate: Reduce the probability of occurrence or impact of a risk

Transfer: Shift the impact of the threat to a 3rd party.

Accept: (used for both threats & opportunities) Acknowledge the risk & do not take any action unless the risk occurs - establish contingency

In the example above we chose mitigation.

4. Implement Responses & Monitor
  • You now know the response type and the action, so assign actions to relevant teams and individuals

  • Ensure actions are being progressed as agreed

  • Flag / raise risks to relevant stakeholders based on risk priority and the intervention needed

  • Review risks periodically
