Risk Management Process

A structured, repeatable process for identifying, evaluating, and responding to events that could impact a project.

Explanation

  • Risk — a potential event that could happen and impact the project
  • Issue — a known or real problem that is already affecting work
  • Risk management — the process of identifying and evaluating potential risks and applying steps to address them

The 5 phases

  1. Identify — define potential project risks with the team. You can only manage what you know.
  2. Analyze — determine likelihood and potential impact. Serious risks with high probability pose the greatest threat.
  3. Evaluate — use the analysis to prioritize which risks to act on.
  4. Treat — plan how to respond to each risk. Minor risks may be ignored; serious ones need detailed mitigation plans.
  5. Monitor and control — assign team members to monitor, track, and mitigate risks as they evolve.

Tools

  • Cause-and-effect diagram — shows possible causes of an event or risk
  • Risk register — a table listing each risk with its likelihood, impact, owner, and status
  • Probability and impact matrix — a two-dimensional grid that plots likelihood against impact to prioritize risks
  • Inherent risk — probability × impact
  • Risk appetite — the organization’s willingness to accept possible risk outcomes
  • Risk exposure — measure of potential future loss from a specific event

Risk types

  • Time risk — tasks take longer than anticipated
  • Budget risk — costs rise due to planning or scope changes
  • Scope risk — project won’t produce the outlined results
  • External risks — factors outside the company over which it has little control
  • Single point of failure — a risk that could halt the entire project (a single subject-matter expert, a single supplier)

Mitigation strategies (the 4 Ts / 4 As)

  • Avoid — eliminate the risk by changing approach (different supplier, different design)
  • Accept — acknowledge and prepare, often via contingency funds
  • Reduce / control / minimize — reduce probability or impact (multiple suppliers, cross-training)
  • Transfer — shift responsibility to another party (insurance, outsourcing)

Opportunities (positive risks)

Opportunities are potential positive outcomes that may add value (completing ahead of schedule, discounted materials, extra resources). Use the same identify → analyze → evaluate → treat → control loop to plan how to seize them.

ROAM — categorizing active risks during execution

When a risk register has too many items, use ROAM to classify each:

  • R — Resolved — no longer a problem
  • O — Owned — assigned to a team member who monitors through to completion
  • A — Accepted — can’t be resolved; accepted as-is
  • M — Mitigated — there’s a plan to eradicate it

Communicating risks

  • Communicate medium- and high-level risks early and often
  • Serious risks require direct, thorough communication
  • Failing to communicate risks erodes stakeholder trust
  • Escalate at the first sign of critical problems — see change-management

The risk management plan

A living document containing high-level risks and mitigation plans. Updated regularly:

  • Add newly identified risks
  • Remove risks that are no longer relevant
  • Update mitigation plans as they evolve

Dependencies as a source of risk

See dependency-types. Dependencies — the links between tasks — are often the greatest source of risk to a project. Unplanned dependencies put the budget, schedule, and outcome at risk.

Application

Risk identification happens during course-3-project-planning Phase 4, but the process runs throughout course-4-project-execution. Risk reviews are typically part of milestone check-ins.

Connections

Source References