An Educate 360 Brand

The Ultimate Guide

to Risk Management
The comprehensive guide to the risk management
methods for every project manager to succeed.

Project Management Academy is a registered mark of Educate 360, LLC.

 The Ultimate Guide to Risk Management

All projects have inherent risks that can

influence the outcome. A Project Management
Professional (PMP)® credential holder cannot
avoid or prevent risk altogether.
Still, project managers can make a risk management plan to address, diminish, and
manage the risks to better understand and address the highest probability or
potential impact risks.

One thing is for sure: the most significant risks a

project manager can take are failing to know what a risk management
plan is and not having a risk management plan for their project.

This guide will explain the different types of risk that project managers
encounter, the value of risk management, and how the essential methods
used by the project team can mitigate risk and ensure project success.

Table of Contents
Understanding Risk ............................................................................. 2-3
What is Risk Management? .................................................................. 4
The Different Types of Risk .................................................................. 5-10
Measuring Risk ................................................................................... 11-14
Developing a Risk Management Plan ..................................................... 15-17
Tools and Techniques for Managing Risk ................................................ 18-20
The Risk Management Process ............................................................ 21-22

Project Management Academy is a registered mark of Educate 360, LLC. 1

1 | Understanding Risk The Ultimate Guide to Risk Management

1 Understanding Risk

Simply put, a risk is that which

could happen. It is the uncertainty
that populates every moment. Risk
is everywhere, at every moment.

It might rain. It might flood. Your car could have an engine

failure. Your computer could get a virus. Without conscious
thought, we constantly evaluate the chances of specific
things happening and adjust our behaviors accordingly.

For example...

? !
Rain is a risk.
Did you check the forecast? It can have positive (plants grow,
Did you take an umbrella
Or was your decision based water to drink) or negative
with you today?
on years of living in a dry (flooding, destruction of crops)
Why or why not?
desert climate? impacts depending on its
intensity.

Project Management Academy is a registered mark of Educate 360, LLC. 2

1 | Understanding Risk The Ultimate Guide to Risk Management

Risk vs. Project Risk

As a PMP® credential holder, you can’t manage
risk effectively unless you clearly understand
what risk is.
It is crucial to know fundamentally what project risk is so you can build a risk
management plan to address these variables as they arise. Project risks may vary by
industry and organization, even by geography and time of year, but the risk is universal.
To understand project risk, take the idea of risk and apply it to the environment of a
project. Some events or conditions could benefit or harm the project’s overall success.
These project risks vary by the type of project, the industry, the company for which the
project is done, and more.

Risk
According to the PMI Lexicon of Project
Management Terms, risk is defined as an
uncertain event or condition that, if it occurs,
has a positive or negative effect on one or
more project objectives. Project Risk
According to the Project Management Institute
(PMI), project risk is the cumulative effect of
the chances of uncertain occurrences which
will adversely affect project objectives. It is the
degree of exposure to negative events and
their probable consequences.

For the concept of risk, including Risk is not always a bad thing. For example, a
project risk, project managers project risk could be the early arrival of supplies
must look at both the positive resulting in the final product’s completion sooner
than planned. Project managers have many
and negative.
responsibilities, including using risk
management tools and techniques to manage risk.

Project Management Academy is a registered mark of Educate 360, LLC. 3

2 | What is Risk Management? The Ultimate Guide to Risk Management

2 What is Risk Management?

Now that we’ve adequately defined risk, it’s time to take a

closer look at risk management: the discipline of identifying,
planning, monitoring, and managing the uncertainty that could
impact project outcomes.
As risk can be positive or negative, risk management helps plan and act upon the need to enhance/exploit a positive
risk or mitigate/avoid a negative risk to ensure a project delivers value to the organization. This process tries to shift
away from reacting to risk, with the vulnerability and cost of that status, towards being proactive in predicting and
acting on risk for the project’s benefit.

Project Management Academy is a registered mark of Educate 360, LLC. 4

3 | The Different Types of Risk The Ultimate Guide to Risk Management

3 The Different Types of Risk

There are not many “sure things” in the world, but the fact that
project managers have lost countless hours of sleep worrying
about what could go wrong is one of them.
To plan for and manage risk, it is critical to understand not all risks are the same, even among similar project types.

Risk Types and Categories

Risk Types
One component of risk management is the organization of the
risks identified, which can be informally referred to as
“Risk Types”, “Risk Categorization”, and “Risk Categories”.

Risk Categorization
During project planning, identified risks are assigned a type
(a label) by themselves. Then, types will be collected into a
category (or group). The organization of risks by types and
categories provides a consistent means to track what can
become large amounts of information and to determine Risk Categories
where and when mitigation is required.

Project Management Academy is a registered mark of Educate 360, LLC. 5

3 | The Different Types of Risk The Ultimate Guide to Risk Management

Risk Types
The benefits include:
The PMP certification exam may include scenarios
®

describing risk types and categories or require Knowing where to apply resources and when
analysis to determine a risk level. To prepare for the to use the various risk strategies for areas of
PMP® exam and improve your project management higher risk
skills, it is essential to know how to organize risks. Assessing the risk level for a type or category

Identifying risks, assigning a risk type, and organizing Preventing duplication of risk efforts by
risks by category provides many benefits to the project labeling and organizing all identified risks
manager and the team. Leveraging opportunities to mitigate negative
risk or enhance positive risk by seeing all
risks in a related area

Technical Risks
Examples:
Using new laptops for the project would be labeled a
“Technical” risk. As a Technical risk, the use of new laptops
would then be included in the overall category of
“Source-Based” risk. The greater the number of technical
risks, the more source-based risks there will be. Increases or
As the label implies, technical risks are those decreases in risk quantities in a type or category can
connected to technology, including, but not influence resource and budgetary considerations.
limited to, software, hardware, digital network,
digital assets, system security, and new and • software update • hardware breakdown

changing technology and regulatory • network security change • audit requirement changes

requirements. Additional examples include: • data breach • connectivity and access

• data corruption • platform incompatibility
• software license costs • data security

Project Management Academy is a registered mark of Educate 360, LLC. 6

3 | The Different Types of Risk The Ultimate Guide to Risk Management

External Risks
Examples:
The COVID-19 pandemic is an external risk (global health
No project is 100% isolated from and insulated
crisis) that impacted projects (personnel, supply chain,
against changes happening outside. External
costs, etc.). Additional examples include:
risks exist outside the project’s organization
and, most likely, are beyond the control of the • regulatory • customer
project manager or team, such as political, • weather • external stakeholder groups
governmental, climate, or economic changes. • suppliers • political
• marketplace • environmental

Overall Project Risks

Examples:
A Project Manager oversees the overall project risk to
This type of risk looks at the effect of risk, keep the likelihood of risk within acceptable ranges by
arising from a combination of individual risks limiting negative variation, promoting positive variation,
and other project sources, on the entire project, and maximizing the probability of creating value for the
not just individual components. These risks can customer. Additional examples include:
be positive or negative and influence the overall
outcome of the project. • planning • estimating
• executing • communicating

Project Management Academy is a registered mark of Educate 360, LLC. 7

3 | The Different Types of Risk The Ultimate Guide to Risk Management

Known Risk “Known-Known”

Examples:
What the risk is and the impact of that risk A supplier has informed you of a 3% price increase

are known. The risk is identified early and effective in 3 months for a part used in the final stage of
a manufacturing process. You know the risk (increased
documented in the risk register.
cost) and when it will happen.
Risks are identified and documented during project
planning by the project team.

Unknown Risk “Known-Unknown”

Examples:
Hurricanes are known to happen in the Atlantic Ocean at
As implied, the unknown risk is a known risk with certain times of the year, but how many storms will occur
an unknown timing or full impact. The risk is in a season or where they may come onto the shore is
often identified by a subject matter expert or a unknown. The National Hurricane Center will make
annual predictions for hurricanes to assist with planning,
specialist. The risk is identified and documented
but there is no absolute when, where, or how big a storm
in the risk register.
could be.
Risks are identified and documented by a specialist or
subject matter expert during project planning.

Unknowable Risk “Unknown-Unknown”

Examples:
Let's stick with our supplier price and hurricane examples:
A rare occurrence but with great impact Suppose a weather system sinks a ship carrying the
potential if it occurs, the unknowable risks are widget (the widgets’ price and arrival being known risks).

not identified at any time, and thus there are no In that case, it will take time to secure a replacement boat
and to manufacture replacement widgets (time to find a
associated plans in place.
replacement boat being an unknown risk). An unpredicted
weather system (unknowable risk) destroyed the single
Risks that are not anticipated and thus undocumented.
needed shipment.

Project Management Academy is a registered mark of Educate 360, LLC. 8

3 | The Different Types of Risk The Ultimate Guide to Risk Management

With every project containing its unique blend of risks, project managers must know
the types of risk, event-based and non-event based, and the differences in those
risks to have an effective overall risk management strategy.

Event Risk (External)

Uncertain future events that may or may not

occur; if it does happen, it will influence one
or more objectives. At the core, event risk Examples:
may or may not happen, and the likelihood of Again, think of significant weather events like hurricanes,
it happening cannot be controlled by the floods, and droughts.
project manager. Think of it as an “external”
event upon which the project manager knows The health and safety protocols enacted for Covid-19
exemplify an event-based risk. Supply chain issues, costs
it could happen, but there is no way to know
of protective equipment, and other risks went from theory
for sure or when.
to reality.

Event-based risks are what many categorize as “traditional”

risks in that they are identified on the project risk register
and (according to PMI) “are addressed in the typical project
risk process, with well-established techniques for
identifying, assessing, and managing them.”

Non-Event Risk (Inherent)

Examples:
Some risks arise from uncertainty when some
Whereas a hurricane is an example of event risk, a
aspects of a planned task or situation are
record-breaking cold day is an example of a non-event
unknown. They are more subtle in nature. A
risk. We know winter is cold in many geographic areas,
non-event risk is the known uncertainty that one
but we cannot fully predict if a specific day in the future
aspect of a planned situation could change.
will have unusually low temperatures.
They are often more subtle than an event risk.

Project Management Academy is a registered mark of Educate 360, LLC. 9

3 | The Different Types of Risk The Ultimate Guide to Risk Management

Non-Event Risk continued...

A non-event risk is the known uncertainty that one aspect of a
planned situation could change. They are often more subtle than an
event risk. These are the two types:

Variability Risks
Examples:
• Productivity may be above or below the target

• The number of errors found during testing may

Uncertainty about some of the key be higher or lower than expected
characteristics of a planned event, activity, • Unseasonal weather conditions may occur
or decision. Variability risks, also called during the construction phase

“aleatoric uncertainty,” are those in which some • Exchange rates could vary beyond the range
used to build the quote
aspect of a planned situation is uncertain.

Ambiguity Risks
Examples:
• Elements of the requirement or technical solution
Ambiguity risks are also known as “epistemic
• Use of new technology
uncertainty,” describing uncertainties arising
• Market conditions
from a lack of knowledge or understanding.
• Competitor capability or intentions
Every project has a unique set of risks, and
• Future developments in regulatory frameworks
despite all project manager’s best efforts to plan
• Inherent systemic complexity in the project
for the unknown, some will still occur that are not
part of the risk register or risk planning. However, For these types of risks, extra focus and effort may
understanding the types of risks empowers the be needed to increase knowledge of the risk to then
project manager and team to be more thorough in be able to remove some of the ambiguity of the
risk identification, thus reducing the number of impact it may have on a project.

“surprise” risks that occur.

Project Management Academy is a registered mark of Educate 360, LLC. 10

4 | Measuring Risk The Ultimate Guide to Risk Management

4 Measuring Risk

Understanding how to gather, interpret, and act upon

risk-related information is crucial for any project manager.
At the beginning of a project, the project team should carefully review project objectives (scope, budget,
schedule, business goals, and resources) to identify risks. From there, risks should be analyzed to understand the
qualitative and quantitative impact on the project.

Project Management Academy is a registered mark of Educate 360, LLC. 11

4 | Measuring Risk The Ultimate Guide to Risk Management

Qualitative Risk Analysis

Performing qualitative risk analysis is an essential step in project
risk management. This process enables project managers to
prioritize risks by assessing their probability and impact.

All projects come with positive and negative risks, also known as opportunities and threats,
but resource limitations most likely will prevent you from focusing on every risk. Qualitative
risk analysis allows you to identify urgent risks that require attention while reducing the level
of overall uncertainty in the project.

Performing Qualitative Risk Analysis

You should complete the qualitative risk analysis early on in your
project so you can adequately prepare for and prioritize project risks
by understanding how likely they are to happen, how they could
affect the project, and what you should do to prevent threats and
capitalize on opportunities.

However, as with risk identification and other risk management

activities, qualitative risk analysis should occur throughout your
project. Risks can come and go during your project's life cycle, and
their severity may also change over time.

Project Management Academy is a registered mark of Educate 360, LLC. 12

4 | Measuring Risk The Ultimate Guide to Risk Management

Qualitative Risk Analysis Inputs

There are four input categories for qualitative risk analysis: project management plan, project
documents, enterprise environmental factors, and organizational process assets.

Risk Management Plan Cost Management Plan

The most relevant input in this category. Helps you outline and control your project
The risk management plan helps you budget. You can use the cost management
decide how to analyze, prioritize, and plan to understand cost-related project
respond to various project risks. risks better.

Schedule Management Plan Scope Baseline

Helps you outline and control your Documents the approved project scope statement
project schedule. You can use this plan and work breakdown structure. It helps prioritize
to understand schedule-related project risks or reassess them if your actual project
risks better. progress differs from your planned results.

Project documents that can contribute to qualitative risk

analysis can include:

Risk Register Assumption Log

Used to track and report on project risks. A list of assumptions made related to your
You can use the risk register to document project. Understanding what assumptions were
priority levels for risks and organize any made when creating your project plans helps
other relevant information identified. better inform your risk processes.

Stakeholder Register
A directory of project-related individuals whose risk tolerances, appetite, and opinions you should
consider. Understanding your stakeholder register may also uncover sources of bias to help you assess
risks more objectively.

Project Management Academy is a registered mark of Educate 360, LLC. 13

4 | Measuring Risk The Ultimate Guide to Risk Management

Quantitative Risk Analysis

Quantitative Risk Analysis is a risk management process that
helps managers numerically analyze how identified risks may
affect a project's objectives and what contingency reserves
may be required to account for those risks.

Project managers can perform a quantitative risk analysis to inform sound project
decisions supported by numerical data, like the schedule or budget impacts associated
with a specific risk. Assessing project risks through quantitative risk analysis is also
helpful for estimating or simulating risk-related information to plan for
risks appropriately.

Performing Quantitative Risk Analysis

Quantitative risk analysis enables you to better plan risk responses,
monitor risks, and control some variables associated with project
risks. While qualitative risk analysis helps you prioritize project risks
on your risk register, quantitative risk analysis allows you to under-
stand the project's probability of success given the current risk
information and plan for appropriate contingency amounts in both
schedule and cost.

Pros and Cons

Quantitative risk analysis has many advantages but can also be tedious
and time-consuming. Ensure you carefully consider if these pros make it
worth investing time and energy into completing a quantitative risk analysis:

• Informs project decisions with objective data

• Guides discussions with stakeholders: what/when risks are/not acceptable
• Helps organize risk-related information for large, complex projects
• Provides a high level of visibility for projects and project reporting

Despite these benefits of performing quantitative risk analysis, it may not be a

worthwhile process if your project is small or relatively straightforward.

Project Management Academy is a registered mark of Educate 360, LLC. 14

12
An Educate 360 Brand
5 | Developing a Risk Management Plan The Ultimate Guide to Risk Management

5 Developing a
Risk Management Plan

A risk management plan is a project document that helps

inform how the project team will handle responsibilities for
managing positive and negative risks.
The Project Management Institute (PMI) defines the risk management plan as "a component of the project,
program, or portfolio management plan that describes how risk management activities will be structured and
performed." The document includes a risk budget, roles and responsibilities, stakeholder risk appetites, and how to
implement risk responses. The more complex, higher budget, and longer duration projects likely have more
comprehensive risk management plans.

Project Management Academy is a registered mark of Educate 360, LLC. 15

12
An Educate 360 Brand
5 | Developing a Risk Management Plan The Ultimate Guide to Risk Management

The risk management plan is critical to creating a project plan

that ensures a heightened understanding of the project's risks.
Project managers often consider a risk management plan the most effective tool project managers can employ to
increase the odds of project success.

PMP credential holders know effective risk management can determine project success or failure. For the PMP
certification exam, students should know what a risk management plan is, when the risk management plan is created,
what are types of risks and risk categories, how often the risk management plan is updated, how the risk response
plan is created, how to conduct risk monitoring and control, and how risk management benefits the project.

The benefits include:

• Shifting the overall project work from reactive to proactive

• Better management of project budgets with early allocations marked for highly likely risks

• Reduced team anxiety by building confidence via assigned responsibilities and needed
actions for risk
• Greater accuracy for managing project schedules thanks to built-in flexibility for risks
• Mitigating negative risks through a vetted process of planned actions
• Enhancing positive risks through a process of identification and planned actions

Project Management Academy is a registered mark of Educate 360, LLC. 16

12
An Educate 360 Brand
5 | Developing a Risk Management Plan The Ultimate Guide to Risk Management

Building a Risk Management Plan

While risk management plans can vary based on the complexity of the project’s scope,
there are vital elements to include, and the process of creating the plan should be
consistent. According to PMI’s A Guide to the Project Management Body of Knowledge
(PMBOK® Guide) – Sixth Edition, risk management plan inputs include:

• authority levels of decision-making for risk response

• enterprise environmental factors
• risk management methodology
• organizational process assets
• organizational risk policy
• project charter
• project management plan
• project risk background
• risk categories
• risk concepts and terms
• risk reporting types and frequency
• risk response timing

However, not all risk management plans will utilize all of these inputs. The plan should be tailored to
match the overall scope of the project. The more complex, higher budget, and longer duration projects
will likely have more comprehensive risk management plans.

Project Management Academy is a registered mark of Educate 360, LLC. 12

17
8
An Educate 360 Brand
6 | Tips and Techniques for Managing Risk The Ultimate Guide to Risk Management

Tools and Techniques

6
for Managing Risk

Risk management plans should be tailored to the project,

including selecting risk tools and techniques to ensure the
effective use of qualitative and quantitative data for increased
objectivity and accuracy.
The larger and more complex a project is, you may need more tools to manage the risk. At the same time, a smaller
project could require only a few risk tools and techniques for effective risk management.

Project Management Academy is a registered mark of Educate 360, LLC. 18

12
An Educate 360 Brand
6 | Tips and Techniques for Managing Risk The Ultimate Guide to Risk Management

Brainstorming,
Surveys, and
Focus Groups: Risk Report:
These data collection tools for risk A risk report is a risk management
identification and risk response communication tool that should
planning extract insights you cannot clearly and concisely explain actions
capture through numbers. Asking taken, provide descriptions for other
targeted questions of informed experts, risk-related activities, and detail any
including project team members, inputs needed by stakeholders.
stakeholders, customers, and subject Project managers use the risk report
matter experts, in a format that sparks to convey risk status to the team and
reflection and discussion can generate to inform stakeholders of needed risk
insight into why a risk did or did not management decisions or results of
occur, in addition to powerful new the risk response action.
approaches to future risk response
tactics.

Risk Register:
Risk Breakdown
The risk register documents each risk
Structure (RBS): and related activities, including
descriptions, probability of occurrence
Project Managers create an RBS ratings, impact rankings, mitigation
diagram to convey the hierarchical activities, and status. The risk register
relationship among identified project is updated throughout the project life
risks as organized by risk category. The cycle to ensure informed risk manage-
detail level is determined partly by the ment decisions.
project's complexity and the Risk
Management Plan. The RBS is included
in Risk Management
documentation.

Project Management Academy is a registered mark of Educate 360, LLC. 19

12
An Educate 360 Brand
6 | Tips and Techniques for Managing Risk The Ultimate Guide to Risk Management

Risk Data Quality

Assessment:
Strength, Weakness,
Project teams use risk assessment, a Opportunity, and
qualitative measure using risk data and Threat (SWOT)
the parameters of probability and impact,
to identify, categorize, prioritize, and
Analysis:
manage risks before they happen. When
The SWOT analysis tool fosters critical
done with verified tools and quality
thinking and a deeper understanding of
inputs, risk assessment may take time
risk. As the name implies, the risk is
but can prevent problems from adverse
analyzed from the four categories
risks and enhance opportunities from
(Strengths, Weaknesses, Opportunities,
positive risks. For all risk assessments,
and Threats) to get to the root of it from
the quality of data used to determine the
multiple angles and provide more accu-
impact directly correlates to the accuracy
rate information for later risk response
of the risk assessment and the decisions
strategies. In most cases, negative risks
based upon it.
emerge around weakness and threats,
and positive risks are identified through
strengths and opportunities.

Probability and Impact

Risk Matrix:
Risk probability refers to the likelihood of
Root Cause Analysis:
a specific risk happening within the
The PMP exam may include questions
project's lifecycle. Risk impact is the level
about performing root cause analysis
of disturbance to the project if a risk
and what the tool can provide. Within
occurs. Probability and impact definitions
risk management, root cause analysis
and the corresponding values for each
is a systematic process to gain insight
should be determined early in the project
into the source of risk. Rather than
and remain consistent throughout the
trying to combat the result of the risk
project.
(in a reactive and often less effective
way), knowing the root of the risk
enables the Project Manager and team
to mitigate the source (in a proactive
and typically more effective way).

Project Management Academy is a registered mark of Educate 360, LLC. 20

12
An Educate 360 Brand
7 | The Risk Management Process The Ultimate Guide to Risk Management

7 The Risk Management Process

Project managers and teams must continually track risk to implement

the corresponding response in a timely manner. Identifying a risk but
not knowing it has happened negates the proactive benefit of Risk
Management processes. Also, implementing the risk response too
late means it could do little, if anything, to protect the project.
The effectiveness of the response is included in project reporting so
the project manager and team can make needed adjustments and
ensure any lessons learned are available to future teams.

The six essential Risk

Management
steps in the risk Planning

management
process include: Risk Monitoring Risk
and Controlling Identification

Risk
Management
Process

Risk Response Qualitative

Planning Risk Analysis

Quantitative
Risk Analysis

Project Management Academy is a registered mark of Educate 360, LLC. 12

21
An Educate 360 Brand
7 | The Risk Management Process The Ultimate Guide to Risk Management

The risk management plan describes how risk will be managed on the project. A risk
Risk Management management plan should include a risk budget, resources, tolerance levels, and how to

Planning implement risk responses. More complex, higher budget, and longer duration projects are
likely to have more comprehensive Risk Management plans.

During this phase, the Project Manager conducts a careful review of project objectives
(scope, budget, timeline, goals, and resources) to identify risks and document them on the

Risk Identification risk register. Each identified risk is organized by different factors (internal or external
triggers, for example) or by categories (environmental, regulatory, technology, or staffing)
on the risk register. Risk identification is critical in risk management as it is the basis for
the risk matrix and assessment tools when managing large or complex projects.

Project managers determine each risk's probability and potential impact using a relative scale
Qualitative Risk in phase three. The research is for individual risks, not the overall project risk. The accuracy of

Analysis
the qualitative risk measurement is heavily influenced by the objectivity and knowledge of the
subject matter experts providing the assessment.

Next, conduct quantitative risk analysis using “hard” data, such as costs, logistics, and the
number of employees, to assign numerical values to each identified risk. Project managers use
Quantitative Risk quantitative risk analysis for projects needing a greater level of insight into the likelihood of

Analysis
completing on schedule or budget, for complex projects with multiple go/no-go decision points,
and to generate a numerical value to assign to each risk for use in determining the project's
overall level of risk. For greater accuracy, the Project Manager should use both qualitative and
quantitative analysis, but only if the scale of the project warrants this level of effort.

Each risk management plan should be tailored to fit the project scope and objectives and

Risk Response include an appropriately aligned risk response plan. The risk response strategies differ for
negative and positive risk; positive risk can benefit the project while negative risk can hurt it.
Planning Therefore, risk response planning should focus on the project risks of the highest level of
probability and the deepest level of impact, reflect the budget included in the risk management
plan, and detail when to implement the identified responses.

After risks are identified, analyzed, and a risk response is prepared, project managers must

Risk Monitoring
continuously monitor risks to ensure appropriate and timely action is taken for maximum
effectiveness. Risk monitoring and controlling is the continuous process of tracking

and Controlling identified risks and monitoring the results of executed risk responses. Risk monitoring and
controlling fit into Risk Management as part of the Project Manager and team's ongoing
work to understand risk at any time within the project's lifecycle.

Project Management Academy is a registered mark of Educate 360, LLC. 22

12
An Educate 360 Brand