Chapter 6 – Risk Management

6.3. The 5 Steps of the Risk Management Process

Managing risks on projects is a process that includes planning and identifying the potential risks, a risk assessment, development of a risk response strategy, and monitoring and controlling risks. Identifying the potential risks is important; you can simply ask yourself: What could go wrong with the project? Risk assessment includes both the identification of potential risks and the evaluation of the potential impact of the risk. There are tools, both qualitative and quantitative, to measure risk.

A risk response plan is designed to eliminate or minimize the impact of risk events, which are occurrences that have a negative impact on the project. Monitoring the risks is important in order to reassess the likelihood and any consequences that may result from the event. Identifying risk is both a creative and a disciplined process. The creative process includes brainstorming sessions where the team is asked to create a list of everything that could go wrong. All ideas are welcome at this stage, with the evaluation of the ideas coming later.

1. Risk Management Planning

The Project Manager, a group of team members, and the stakeholders build a plan for how the project will be performed. They come to an understanding and agreement on the parameters and risk levels of the project. The key parameters include scheduling, performance, capability, technology, etc. The results are documented.

2. Risk Identification

Identifying risks is the first step in the process, and it is also the most important part, with the biggest impact on the process as a whole: if a risk is not identified, it cannot be assessed or evaluated. A more disciplined process involves using checklists of potential risks and evaluating the possibility that those events might happen on the project. Some companies and industries develop risk checklists based on experience from past projects. These checklists can be helpful to the project manager and project team both in identifying the specific risks on the checklist and in expanding the thinking of the team. The past experience of the project team, project experience within the company, and experts in the industry can be valuable resources for identifying potential risks on a project.

Identifying the sources of risk by category is another method for exploring potential risks on a project. Some examples of categories for potential risks include the following:

  • Technical
  • Cost
  • Schedule
  • Client
  • Contractual
  • Weather
  • Financial
  • Political
  • Environmental
  • People

Watch this video: 7 Ways to Identify Project Risks, by Harry Hall [4:34], below. The transcript is available on YouTube.


Risk Breakdown Structure

You can use the same framework as the work breakdown structure (WBS) for developing a risk breakdown structure (RBS). A risk breakdown structure organizes the risks that have been identified into categories using a table with increasing levels of detail to the right. The people category, for example, can be subdivided into the different types of risks associated with people. It is a hierarchical structure of potential risks. A team of people (usually experts in the field that is guiding the project) get together and brainstorm: “What could go wrong?” A risk register is a list of all the risks that have been previously identified.

Examples of people risks include the risk of not finding people with the skills needed to execute the project or the sudden unavailability of key people on the project. Other risks may include technology breakdowns, inclement weather, financial cutbacks, changes in laws and legislation, and progress slowing down so that the project falls behind schedule.

3. Risk Assessment

After the potential risks have been identified, the project team then assesses each risk based on the probability that a risk event will occur and the potential loss associated with it. Not all risks are equal. Some risk events are more likely to happen than others, and the cost of a risk can vary greatly. Evaluating the risk for the probability of occurrence and the severity or the potential loss to the project is the next step in the risk management process.

Having criteria to determine high-impact risks can help narrow the focus on a few critical risks that require mitigation. For example, suppose high-impact risks are those that could increase the project costs by 5% of the conceptual budget or 2% of the detailed budget. Only a few potential risk events meet these criteria. These are the critical few potential risk events that the project management team should focus on when developing a project risk mitigation or management plan. Risk evaluation is about developing an understanding of which potential risks have the greatest possibility of occurring and can have the greatest negative impact on the project (Figure 6-2). These become the critical few.

Figure 6‑2: Risk and Impact. The risk and impact matrix compares whether the impact is high or low against whether the likelihood of occurrence is high or low.

There is a positive correlation (both increase or decrease together) between project risk and project complexity. A project with new and emerging technology will have a high complexity rating and a correspondingly high risk. The project management team will assign the appropriate resources to the technology managers to ensure the accomplishment of project goals. The more complex the technology, the more resources the technology manager typically needs to meet project goals, and each of those resources could face unexpected problems.

Risk evaluation often occurs in a workshop setting. Building on the identification of the risks, each risk event is analyzed to determine the likelihood of occurrence and the potential cost if it did occur. The likelihood and impact are both rated as high, medium, or low. A risk mitigation plan addresses the items that have high ratings on both factors, likelihood and impact.

Example: Risk Analysis of Equipment Delivery

A project team analyzed the risk of some important equipment not arriving at the project on time. The team identified three pieces of equipment that were critical to the project and would significantly increase costs if they were late in arriving. One of the vendors, who was selected to deliver an important piece of equipment, had a history of being late on other projects. The vendor was good and often took on more work than it could deliver on time. This risk event (the identified equipment arriving late) was rated as high likelihood with a high impact. The other two pieces of equipment were potentially a high impact on the project but with a low probability of occurring.

Example: Risk Assessment Charts

Project managers need to review all the risks, eliminating those that are redundant and flagging those that need attention. Some Project Managers use scenario analysis, a method that can predict the possibility of an event happening that could disrupt or weaken the project. Project Managers ask themselves: What is the likelihood this event can happen? What would the impact be on the project if the event happened? How easy would it be to detect the event in time to reduce the chance of the event causing problems?

Likelihood: The probability that the event will happen.
Impact: The effect the event would have on the project, and to what degree.
Detection Difficulty: The amount of time the team would have to respond to the event to avoid or reduce the impact.

Rating Scales are used in two ways:

Rank and Order Scales: Criteria ordered from high impact to low impact. Example: very low, low, moderate, high, very high
Numerical Scales: 1 = very low, 2 = low, 3 = moderate, 4 = high, 5 = very high

Sometimes the criteria include both the impact scale and the numerical scale. The Project Manager and/or the team need to establish the criteria up front and distinguish what a 1 means versus a 2, and so on. See the sample risk assessment table below.

This is an example of a simple Risk Assessment Matrix for a vacation being planned for a family of 4 to Vancouver for 10 days.

Risk Event | Likelihood | Impact | Detection Difficulty | Risk Rating* | When
--- | --- | --- | --- | --- | ---
Somebody gets sick | 2 | 3 | 1 | 6 | 1 week ahead of trip
Flight cancelled | 2 | 4 | 4 | 32 | 24 hours ahead of trip
Somebody does not have the money to go on the trip | 1 | 2 | 1 | 2 | 2 months ahead of trip
Family conflict about destination | 1 | 1 | 1 | 1 | Discussed and agreed 3 months ahead of trip

*Note: Risk Rating = Likelihood × Impact × Detection Difficulty (multiply the numbers)

Risk Event – What is the actual risk event that you have identified?

Likelihood – How likely is the event to occur? Scale: 1 = Not Likely to 5 = Very Likely

Cost Impact – What is the cost of the event? Scale: 1 = Low Cost to 5 = High Cost

Time Impact – How much time will be lost? Scale: 1 = Little Time to 5 = Lots of Time

Scope Impact – How will the event affect the quality of the project? Scale: 1 = Little Effect to 5 = Major Effect

Risk Rating – Multiply the individual ratings from each category to get an overall Risk Rating
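The scoring rule and the high/low matrix of Figure 6-2 are small enough to encode, which makes it easy to re-rank a register as ratings change and to catch a typo that would hide a serious event. The following is an added example, not code from the textbook: it takes the vacation register above as input, checks that every rating is on the 1 to 5 scale the text defines, computes Risk Rating = Likelihood × Impact × Detection Difficulty, ranks the events, and tags each with its likelihood/impact quadrant. The choice of 3 (moderate) as the cut-off for "high" is an assumption.

```python
"""Risk register scoring for a Likelihood x Impact x Detection Difficulty register.

Added example (not from the textbook). The HIGH_THRESHOLD of 3 is an assumption.
"""
from dataclasses import dataclass

HIGH_THRESHOLD = 3  # assumption: a rating of 3 (moderate) or more counts as "high"


@dataclass(frozen=True)
class RiskEvent:
    event: str
    likelihood: int            # 1 = not likely .. 5 = very likely
    impact: int                # 1 = low .. 5 = high
    detection_difficulty: int  # 1 = easy to detect in time .. 5 = hard to detect


def _check_scale(name: str, value: int) -> None:
    """Reject ratings outside the 1-5 scale so a typo cannot hide a big risk."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def risk_rating(e: RiskEvent) -> int:
    """Risk Rating = Likelihood x Impact x Detection Difficulty (range 1..125)."""
    for name, value in (("likelihood", e.likelihood), ("impact", e.impact),
                        ("detection_difficulty", e.detection_difficulty)):
        _check_scale(name, value)
    return e.likelihood * e.impact * e.detection_difficulty


def quadrant(e: RiskEvent) -> str:
    """Place the event in a Figure 6-2 style high/low likelihood-and-impact matrix."""
    lk = "high" if e.likelihood >= HIGH_THRESHOLD else "low"
    im = "high" if e.impact >= HIGH_THRESHOLD else "low"
    return f"{lk} likelihood / {im} impact"


def score_register(events):
    """Return (event, rating, quadrant) tuples, highest rating first."""
    scored = [(e.event, risk_rating(e), quadrant(e)) for e in events]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def critical_few(events):
    """Events rated high on both likelihood and impact: the mitigation focus."""
    return [e.event for e in events
            if e.likelihood >= HIGH_THRESHOLD and e.impact >= HIGH_THRESHOLD]


# The textbook's vacation register, transcribed as input.
VACATION = [
    RiskEvent("Somebody gets sick", 2, 3, 1),
    RiskEvent("Flight cancelled", 2, 4, 4),
    RiskEvent("Somebody does not have the money to go on the trip", 1, 2, 1),
    RiskEvent("Family conflict about destination", 1, 1, 1),
]

if __name__ == "__main__":
    for event, rating, quad in score_register(VACATION):
        print(f"{rating:>3}  {quad:<30}  {event}")
    print("critical few:", critical_few(VACATION))
```

With the vacation data the flight cancellation ranks first (rating 32) but lands in the low likelihood / high impact cell, so `critical_few` returns nothing; a vendor rated 4 on likelihood and 5 on impact would be flagged regardless of its detection score, which is the distinction between the product rating and the two-factor matrix the text describes.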

Not all project managers conduct a formal risk assessment on a project. One reason, as found by David Parker and Alison Mobey in their phenomenological study of project managers, was a low understanding of the tools and benefits of a structured analysis of project risks (Parker & Mobey, 2004). The lack of formal risk management tools was also seen as a barrier to implementing a risk management program. Additionally, the project manager’s personality and management style play into risk preparation levels. Some project managers are more proactive and develop elaborate risk management programs for their projects. Other managers are reactive and are more confident in their ability to handle unexpected events when they occur. Yet others are risk averse and prefer to be optimistic and not consider risks or avoid taking risks whenever possible.

On projects with a low-complexity profile, the project manager may informally track items that may be considered risk items. On more complex projects, the project management team may develop a list of items perceived to be higher risk and track them during project reviews. On projects of even greater complexity, the process for evaluating risk is more formal, with a risk assessment meeting or series of meetings during the life of the project to assess risks at different phases of the project. On highly complex projects, an outside expert may be included in the risk assessment process, and the risk assessment plan may take a more prominent place in the project implementation plan.

For complex projects, statistical models are sometimes used to assess risk because there are too many different possible combinations of risks to calculate them one at a time. One example of a statistical model used on projects is the Monte Carlo simulation, which simulates a possible range of outcomes by trying many different combinations of risks based on their likelihood. The output from a Monte Carlo simulation provides the project team with the probability of an event occurring within a range and for combinations of events. For example, the typical output from a Monte Carlo simulation may indicate a 10% chance that one of the three important pieces of equipment will be late and that the weather will also be unusually bad after the equipment arrives.
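A Monte Carlo run of the kind described here is a loop that samples every risk event against its likelihood many thousands of times and counts how often the combinations of interest occur. The following is an added example, not code from the textbook: the four risks, their probabilities and their cost impacts are constructed assumptions that loosely mirror the equipment-delivery example (three critical deliveries, one vendor with a history of lateness) plus the bad-weather event mentioned above, and the events are assumed to be independent of one another. The closed-form check at the end is possible only because of that independence assumption; the simulation itself does not need it.

```python
"""Monte Carlo simulation of combined project risks.

Added example, not from the textbook. All probabilities and dollar figures
below are constructed assumptions; events are assumed independent.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # "delivery" or "weather"
    probability: float  # likelihood the event occurs during the project
    cost_impact: float  # cost overrun if it does (constructed dollar figures)


# Constructed risk register (illustrative numbers, not data from the book).
RISKS = [
    Risk("Equipment A late (vendor often late)", "delivery", 0.30, 50_000),
    Risk("Equipment B late", "delivery", 0.10, 80_000),
    Risk("Equipment C late", "delivery", 0.10, 30_000),
    Risk("Unusually bad weather after arrival", "weather", 0.20, 20_000),
]


def simulate(risks, trials=20_000, seed=42):
    """Run `trials` simulated projects; each risk fires independently with its probability.

    Returns the estimated probability of at least one late delivery, of a late
    delivery combined with bad weather, and the mean and 90th-percentile cost
    overrun across all simulated projects.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    any_late = late_and_weather = 0
    overruns = []
    for _ in range(trials):
        fired = [rng.random() < r.probability for r in risks]
        late = any(f for f, r in zip(fired, risks) if r.category == "delivery")
        bad_weather = any(f for f, r in zip(fired, risks) if r.category == "weather")
        any_late += late
        late_and_weather += late and bad_weather
        overruns.append(sum(r.cost_impact for f, r in zip(fired, risks) if f))
    overruns.sort()
    return {
        "p_any_late": any_late / trials,
        "p_late_and_weather": late_and_weather / trials,
        "mean_overrun": sum(overruns) / trials,
        "p90_overrun": overruns[int(0.9 * trials)],
    }


def analytic_p_any_late(risks):
    """Closed-form check: 1 - P(no delivery is late); valid only because events are independent."""
    p_none = 1.0
    for r in risks:
        if r.category == "delivery":
            p_none *= 1.0 - r.probability
    return 1.0 - p_none


if __name__ == "__main__":
    result = simulate(RISKS)
    for key, value in result.items():
        print(f"{key:<20} {value:,.4f}")
    print(f"analytic p_any_late  {analytic_p_any_late(RISKS):.4f}")
```

With these constructed figures roughly 43% of simulated projects see at least one late delivery and about 9% see a late delivery followed by bad weather, which is the kind of combined-event probability the text says a Monte Carlo output reports; the 90th-percentile overrun is the number a team would use to size a contingency reserve.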

4. Risk Response Plan

After the risk has been identified and evaluated, the project team develops a risk response plan, which is a plan to reduce the impact of an unexpected event. The project team mitigates risks in various ways:

  • Risk avoidance (avoid or eliminate the risk)
  • Risk acceptance (accept the risk, move forward, and deal with the consequences, if any)
  • Risk mitigation (reduce the probability of the risk, reduce the consequences)
  • Risk transfer/share (let someone else deal with it, move the risk somewhere else, e.g. to a supplier)

Each of these techniques can be an effective tool in reducing individual risks and the risk profile of the project. The risk response plan captures the risk of each identified risk event and the actions the project management team will take to reduce or eliminate the risk.

Risk Avoidance usually involves developing an alternative strategy that has a higher probability of success but usually at a higher cost associated with accomplishing a project task. A common risk avoidance technique is to use proven and existing technologies rather than adopt new techniques, even though the new techniques may show promise of better performance or lower costs. A project team may choose a vendor with a proven track record over a new vendor that is providing significant price incentives to avoid the risk of working with a new vendor. The project team that requires drug testing for team members is practicing risk avoidance by avoiding damage done by someone under the influence of drugs.

Risk Acceptance involves partnering with others to share responsibility for the risky activities, or hiring someone else to take on that part of the project. Many organizations that work on international projects will reduce political, legal, labour, and other risk types associated with international projects by developing a joint venture with a company located in that country. Partnering with another company to share the risk associated with a portion of the project is advantageous when the other company has the expertise and experience the project team does not have. Alternatively, they may contract out a portion of the project to a company with greater skills and experience to ensure success.

Risk Mitigation (reduction) is an investment of funds to reduce the risk on a project. On international projects, companies will often purchase the guarantee of a currency rate to reduce the risk associated with fluctuations in the currency exchange rate. A project manager may hire an expert to review the technical plans or the cost estimate on a project to increase confidence in that plan and reduce the project risk. Assigning highly skilled project personnel to manage the high-risk activities is another risk-reduction method. Experts managing a high-risk activity can often predict problems and find solutions that prevent the activities from having a negative impact on the project. Some companies reduce risk by forbidding key executives or technology experts to ride on the same airplane.

Risk Transfer (or sometimes shared) is a risk reduction method that shifts the risk from the project to another party. The purchase of insurance on certain items is a risk-transfer method. The risk is transferred from the project to the insurance company. A construction project in the Caribbean may purchase hurricane insurance that would cover the cost of a hurricane damaging the construction site. The purchase of insurance is usually in areas outside the control of the project team. Weather, political unrest, and labour strikes are examples of events that can significantly impact the project and that are outside the control of the project team.

See the example in the table below of a risk response plan for a company that provides computer software and hardware.

Event | Response | Contingency | Trigger | Responsibility
--- | --- | --- | --- | ---
Somebody gets sick | Accept: If sick, cannot go on trip | Find another family member to go on trip | Family member tells us about sickness | Sick family member
Flight cancelled | Mitigate: Check with airlines regularly | Find another flight or airline to book tickets | Notice from airline about cancellation | Airline
Somebody does not have the money to go on the trip | Avoid: Ensure everyone has the money before tickets are booked | Find another family member who has the money for the trip | Notification from family member | Family member
Family conflict about destination | Avoid: Ensure at planning meeting everyone agrees on destination | Family member does not go on trip and find another family member to go | Family member changes their mind before tickets purchased | Family member

Follow the Event Questions to complete the Risk Response Plan:

Risk Event – What is the actual risk event that you are planning for?

Response – How do you expect to respond to that event: Mitigate, Share, Avoid, Transfer or Retain?

Contingency – What do you do if your initial response doesn’t work (Plan B)?

Trigger – When do you implement your contingency (Plan B)?

Responsibility – Who is responsible for initiating the contingency (Plan B)?

5. Monitoring and Control of Risk

Once the risk plan, assessment and response plan are developed, monitoring and controlling starts. This involves thinking about what might trigger an event (risk), how team members monitor the changes, and how they track the changes to ensure the project continues to meet its goals. The tracking and reporting of these changes need to be in a logical format.

The Project Manager and team use simple charts that explain each trigger and how it will be monitored and tracked. A simple worksheet allows them to keep a list, and a database could be set up to track and report the changes.

The 5-Step Risk Management Process improves the chances of completing the project successfully through visible charts, good communication among all the stakeholders, and capturing lessons learned when the project closes.

“9.3. Risk Management Process” from Essentials of Project Management by Adam Farag is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.


Strategic Project Management Copyright © 2022 by Debra Patterson is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.