Risk management in project management.

In project management, risk is any potential event that can impact your project, positively or

negatively. Risk management is the process of identifying and dealing with these events before or

as they happen. Risk can come in many different forms—employee sickness, inclement weather,

unexpected costs, and transportation delays among them.

Projects all have inherent risks. The ability to shepherd a project through risk is therefore one of

the most important skills project managers are expected to have.

Types of project risks

Project risks can affect the time and resources required to bring a project to completion. Risks can

be internal (within the control of the project team) or external (outside of the project team's control.

Note the following types of risks and examples:

1. Financial risks such as rising costs, inaccurate budget forecasts, increases in labor and

materials, low sales, and challenges in securing funding.

2. Strategic risks result from errors in strategy, such as choosing a project management

methodology that doesn't work for the project, basing efforts on a company culture that needs

updating, experiencing high employee turnover, or investing in technology that is difficult or

expensive to use.

3. Performance risks result from team members' missed deadlines, delays, undefined goals, and

KPIs, using insufficient or outdated market research, and scope creep (when initial goals

expand or shift away from a project’s original intentions).

4. External risks occur outside of the control of the project team, such as changing laws and

regulations, market volatility, inclement weather, vendors' missed deadlines, labor strikes, civil

unrest, vandalism or damage, and supply chain issues.

5. Positive risks (opportunities) are unexpected but have a positive effect on your project, such

as finishing tasks earlier than expected or under budget, outperforming original goals,

becoming more efficient with a new tool, or benefitting from a policy change.

Stages in the Risk Management Process

The six risk management process steps that we’ve outlined below will give you and your

organization a starting point to implement or improve your risk management practices. In order,

the risk management steps are:

1. Risk identification

2. Risk analysis or assessment

3. Controls implementation

4. Resource and budget allocation

5. Risk mitigation

6. Risk monitoring, reviewing, and reporting

Step 1: Risk Identification

The first step in the risk management process is risk identification. This step takes into account

the organization’s overarching goals and objectives, ideally through conversations with

management and leadership. Identifying risks to company goals involves asking, “What could go

wrong?” with the plans and activities aimed at meeting those goals. As an organization moves

from macro-level risks to more specific function and process-related risks, risk teams should

collaborate with critical stakeholders and process owners, gaining their insight into the risks that

they foresee.

Step 2: Risk Analysis or Assessment

Analyzing risks, or assessing risks, involves looking at the likelihood that a risk will be realized,

and the potential impact that risk would have on the organization if that risk were realized. By

quantifying these on a three- or five-point scale, risk prioritization becomes simpler. Multiplying

the risk’s likelihood score with the risk’s impact score generates the risk’s overall risk score.

This value can then be compared to other risks for prioritization purposes.

Step 3: Controls Assessment and Implementation

Once risks have been identified and analyzed, controls that address or partially address those

risks should be mapped. Any risks that don’t have associated controls, or that have controls that

are inadequate to mitigate the risk, should have controls designed and implemented to do so.

Step 4: Resource and Budget Allocation

This step, the resource and budget allocation step, doesn’t get included in a lot of content about

risk management. However, many businesses find themselves in a position where they have

limited resources and funds to dedicate to risk management and remediation. Developing and

implementing new controls and control processes is timely and costly; there’s usually a learning

curve for employees to get used to changes in their workflow.

Step 5: Risk Mitigation

The risk mitigation step of risk management involves both coming up with the action plan for

handling open risks, and then executing on that action plan. Mitigating risks successfully takes

buy-in from various stakeholders. Due to the various types of risks that exist, each action plan

may look vastly different between risks.

For example, vulnerabilities present in information systems pose a risk to data security and could

result in a data breach. The action plan for mitigating this risk might involve automatically
installing security patches for IT systems as soon as they are released and approved by the IT

infrastructure manager.

One more note on risk mitigation — there are four generally accepted “treatment” strategies for

risks. These four treatments are:

 Risk Acceptance: Risk thresholds are within acceptable tolerance, and the organization

chooses to accept this risk.

 Risk Transfer: The organization chooses to transfer the risk or part of the risk to a third

party provider or insurance company.

 Risk Avoidance: The organization chooses not to move forward with that risk and avoids

incurring it.

If an organization is not opting to mitigate a risk, and instead chooses to accept, transfer, or avoid

the risk, these details should still be captured in the risk register, as they may need to be revisited

in future risk management cycles.

Step 6: Risk Monitoring, Reviewing, and Reporting

The last step in the risk management lifecycle is monitoring risks, reviewing the organization’s

risk posture, and reporting on risk management activities. Risks should be monitored on a regular

basis to detect any changes to risk scoring, mitigation plans, or owners. Regular risk assessments

can help organizations continue to monitor their risk posture. Having a risk committee or similar

committee meet on a regular basis, such as quarterly, integrates risk management activities into

scheduled operations, and ensures that risks undergo continuous monitoring. These committee

meetings also provide a mechanism for reporting risk management matters to senior management

and the board, as well as affected stakeholders.

Risk management vs. risk mitigation

The risk management process entails planning for and anticipating risks. Risk

mitigation strategies are tools used to address risk when it happens.

Tools to manage risk

Tools can provide you with structure for your team’s thoughts and efforts, and serve as a point of

reference throughout a project. Here are a few you might consider using in your risk management

process.

 Risk management plan: A risk management plan is generally a living document that contains

all information related to risk in your project. This can contain an executive summary, your risk

register, mitigation plans, risk owners, and any other information pertaining to risk. Project

managers may update the document as the project progresses and needs fluctuate.

 Risk register: A risk register is a chart that contains all the risks associated with a project, as

well as their priority levels, mitigation plans, and other important details. A risk register might

also be called a risk matrix. You can find project management software that can help you

compile risk registers, or else create your own in a spreadsheet.

 Here’s what a risk register might look like as a project team prepares a company offsite.

Risk
Risk Probability Impact Owner Mitigation plan
level

Project Avoid: Choose

Adverse weather 50% High High
manager indoor venue

Transportation for
Event
participants is 10% Low Low Accept
coordinator
delayed

Avoid: Find
Catering costs
Event caterer that can
$1,000 more than 30% Medium Medium
coordinator guarantee a fixed
expected
price up front

Activities may Legal Transfer: Require

10% Medium Medium
lead to injury associate liability waivers

Risk Exposure
Risk Exposure in project management is a quantitative measure of the potential impact of

identified risks on the project’s objectives. It helps in understanding the level of risk in terms of

cost, time, or other factors that could affect the project. Calculating risk exposure allows project

managers to prioritize risks and determine appropriate mitigation strategies.

Formula for Calculating Risk Exposure

The general formula to calculate Risk Exposure (RE) is:

Risk Exposure (RE)=Probability (P)×Impact (I)\text{Risk Exposure (RE)} = \text{Probability

(P)} \times \text{Impact (I)}Risk Exposure (RE)=Probability (P)×Impact (I)

Where:

 Probability (P) is the likelihood of the risk occurring. It is typically expressed as a

percentage (0 to 100%) or a decimal (0 to 1).

 Impact (I) is the severity of the risk’s effect on the project if it occurs. It is typically

expressed in terms of project cost, time, or other relevant metrics (e.g., cost impact in

dollars, time delay in days, etc.).

Steps to Calculate Risk Exposure

1. Identify Risks: List all potential risks that may affect the project. These could include

financial risks, technical risks, resource risks, schedule risks, etc.

2. Assess the Probability: Estimate the likelihood of each risk occurring. This could be

based on historical data, expert judgment, or risk analysis tools. For example:

 Low probability: 0.1 (10% chance)

 Medium probability: 0.5 (50% chance)

 High probability: 0.9 (90% chance)

3. Assess the Impact: Estimate the impact or consequence of each risk if it occurs. This

should reflect the severity of the risk on the project’s cost, timeline, scope, or quality. The

impact is often quantified in monetary terms or other relevant units. For example:

 Low impact: $1,000

 Medium impact: $10,000

  High impact: $100,000

4. Calculate the Risk Exposure for Each Risk:

 Multiply the probability by the impact for each identified risk to calculate its Risk

Exposure (RE).

 Example: If a risk has a 50% (0.5) probability of occurring and a $10,000 impact,

the risk exposure would be: Risk Exposure=0.5×10,000=5,000\text{Risk

Exposure} = 0.5 \times 10,000 = 5,000Risk Exposure=0.5×10,000=5,000

5. Summing Risk Exposures (for Multiple Risks):

 If there are multiple risks, you can sum the individual risk exposures to calculate

the total Risk Exposure for the project.

 Example: If there are three risks with the following exposures:

 Risk 1: RE = $5,000

 Risk 2: RE = $3,000

 Risk 3: RE = $7,000

Total Risk Exposure = $5,000 + $3,000 + $7,000 = $15,000