Risk Management in Projects.

Project risk can be defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s activities” (reference: “Practice Standard Project Risk Management”, Project Management Institute). Risk management needs to be an integral aspect of the management of all projects.

There are a number of stages which need to be understood and applied to manage risk during a project:


i) Planning the risk management process.

ii) Identifying potential sources of risk.

iii) Qualitative and Quantitative Risk Analysis.

iv) Actions to address the identified risk events.

v) Risk monitoring and risk control.


Planning the risk management process.

Planning the risk process needs to commence at the very initial stages of the project and will span all aspects of the project as it progresses through to completion and post-project review analysis. Planning will detail how the identification, assessment, analysis and methods of response to risks will be managed. It will also detail the means of risk monitoring, the types of risk assessments to be performed, the risk evaluation and risk rating methodologies to be utilized and the templates to be applied.

Risk resource requirements and resource allocations, means of communication, risk review and approval levels will be detailed.

The project plan will detail all risk related activities such as Cost Risk Assessment, Value Engineering Risk Assessments, …

There needs to be a budget allocated to support the risk efforts. Risk communication needs to be a requirement in all appropriate project meetings.

The risk appetite of the project sponsors needs to be understood. Are they very risk averse or willing to take risks? Understanding the expected risk environment will help shape attitudes and decisions regarding risk as the project progresses.

The above all need to be clearly understood from the early project stages via the risk plan.


Identifying the potential sources of risk.

The identification of risk will continue throughout the entire project life-cycle, through the initiation, planning, scoping, designing, specification development, estimation, implementation activities. As the project progresses, the understanding of previously identified risks may change, plus new risks will be identified. Therefore, there needs to be a continuous re-assessment of all potential risks and possible re-rating of previously reviewed risks.

The accurate identification of risks requires a clear understanding of the project. The project must be clearly defined, which includes defined scope, schedule, expectations, cost estimates and resource availability. In some cases, the project can only be truly defined as the project progresses. In such instances the risks can only become clear as the complexity of the project unfolds. To ensure adequate risk management, at each iteration of the project, the identification of risks must be reviewed and the assessments and ratings updated where necessary.

As risks are identified, the assumptions underlying the potential risks need to be recorded. This will help in ensuring a clear understanding of the reasoning behind the initial risk identifications as the project progresses over time.

The identification of risks can be aided by applying a range of methods such as Brainstorming, Cause and Effect, HAZOP, Fault Tree Analysis, etc. Ideally those involved in the risk process should be competent in a range of analytical risk tools. Where competence levels are deficient, a program to develop such skills should be provided to all those involved in the risk process.

As risks are identified, they need to be recorded according to a structured format. This will normally take the form of a “Risk Register”, where information such as the following is recorded:


i) Each potential risk is assigned a unique identification number.

ii) Date of risk identification.

iii) Allocate a unique name to the risk.

iv) Description of the risk. The description should be SMART, i.e. Specific, Measurable, Attributable, Relevant and Time-bound (note: slightly different to SMART objectives, where the A relates to Achievable). Here “attributable” relates to the risk being related to a specific cause.

v) Potential risk cause. What event or actions may cause the risk to get realized?

vi) Risk Types. Depending on the project, risk may be categorized as Safety, Financial, Environmental, Reputational, etc.

vii) Risk Responses. Are there understood actions which can be taken to minimize the potential negative effects if the risks were to arise? Alternatively, this may relate to actions such as immediate communication of risk to senior management, etc.

viii) A comments or notes section may contain useful information, or references to related sources of information.


Qualitative and Quantitative Risk Analysis.

Qualitative analysis refers to an observation that does not utilize actual measurement or specific numbers, for example, a construction project may be delayed by winter storms. The risk may be considered “high” due to experience of storm frequency over previous years.

Qualitative assessment: An assessment of risk relating to the qualities and subjective elements of the risk—those that cannot be quantified accurately. Qualitative techniques include the definition of risk, the recording of risk details and relationships, and the categorization and prioritization of risks relative to each other.  (Reference: Project Risk Analysis and Management Guide, 2004, APM Publishing).

The risks detailed in the risk register will need to be evaluated and rated to allow an understanding of those risks that pose the greatest threat to project success. Qualitative risk analysis will result in levels of probability and impact (consequences) being allocated to each risk per predefined non-numeric terms. Examples of such pre-defined terms may be “low, medium, high” for probability of occurrence, or “minor, major, critical” for potential severity or impact on the project.

Implementing a qualitative risk analysis.

The project risk team will review each risk as detailed in the risk register. The team will discuss the risk. Risk analytical tools may already have been applied to help understand the risk, or may be applied to further understanding at this stage. The team will consider the likelihood of the risk arising and allocate a rating, e.g. a low probability of occurrence, a medium or high probability of occurrence. The consensus or majority probability rating is recorded onto the risk register.

Similarly, the team will discuss the potential consequences if the risk were to arise. The team will determine if the expected consequences will be minor, major or critical to project success, and the result will again be recorded onto the risk register.

Such a qualitative risk analysis approach will usually follow a process such as:


a) Establish a team of individuals with a range of skills, experiences and who have a stake in the process under review

b) Clearly define the scope of the analysis

c) Ensure the team remains focused on identifying potential causes of risks

d) Document the discussions and suggestions, all are valid

e) Revisit the suggestions and combine equivalent risks, eliminate those not seen as valid

f) Prioritize based on an approach to rating as previously outlined.


Implementing a Quantitative Risk Analysis.

A quantitative risk analysis is a numerical estimation of the potential cost to a project if the risk were to materialize. The cost to a project may be financial, reputational, safety, environmental impact, etc.

Where risks have been reviewed via a qualitative risk analysis, a quantitative risk analysis allows a numerical value to be allocated to the risk, which permits the creation of a simple prioritization list. Depending on the organizational focus, extra weighting can be allocated to, say, safety within the project, versus reputation, in order to create a focus on project safety, or maybe the focus would be on alignment to budget.

In the quantitative risk assessment, probabilities may be allocated numbers within ranges, for example a 20% probability of occurrence, or a 50%, 80% probability of the risk arising. The severity is also allocated a numerical value, for example, a low level severity may be allocated a number within the range of 1 to 3, a minor severity may range from 4 to 6, major from 7 to 8 and critical from 9 to 10. The product of a probability and the respective severity will provide a quantitative risk value. The risk team can then decide which risks are unacceptable based on the value of the risk.
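The scoring described above can be carried through on a small register. This is an added example, not part of the original article: the sample risks, the threshold of 2.5 and the Safety weight of 2.0 are constructed assumptions, while the severity bands are the ones given in the text.

```python
from dataclasses import dataclass

# Severity bands from the text: low 1-3, minor 4-6, major 7-8, critical 9-10.
SEVERITY_BANDS = [(1, 3, "low"), (4, 6, "minor"), (7, 8, "major"), (9, 10, "critical")]

@dataclass
class Risk:
    risk_id: str        # unique identification number from the risk register
    name: str
    risk_type: str      # e.g. Safety, Financial, Environmental, Reputational
    probability: float  # probability of occurrence, 0.0 to 1.0
    severity: int       # 1 to 10

def severity_band(severity):
    """Map a numeric severity to its band; reject values outside 1-10."""
    for low, high, label in SEVERITY_BANDS:
        if low <= severity <= high:
            return label
    raise ValueError(f"severity {severity} is outside the 1-10 scale")

def risk_value(risk, weights=None):
    """Risk value = probability x severity, times an optional per-type weight."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.risk_id}: probability must be between 0 and 1")
    severity_band(risk.severity)  # validates the severity scale
    weight = (weights or {}).get(risk.risk_type, 1.0)
    return round(risk.probability * risk.severity * weight, 2)

def prioritize(register, threshold, weights=None):
    """Return (id, value, band, unacceptable) tuples, highest value first."""
    scored = sorted(((risk_value(r, weights), r) for r in register),
                    key=lambda pair: pair[0], reverse=True)
    return [(r.risk_id, v, severity_band(r.severity), v >= threshold)
            for v, r in scored]

# Constructed sample register (assumption, for illustration only).
REGISTER = [
    Risk("R-001", "Winter storm delay", "Financial", 0.5, 6),
    Risk("R-002", "Scaffold collapse", "Safety", 0.2, 9),
    Risk("R-003", "Supplier insolvency", "Financial", 0.2, 8),
    Risk("R-004", "Negative press", "Reputational", 0.8, 3),
]

if __name__ == "__main__":
    for label, weights in (("unweighted", None), ("safety x2", {"Safety": 2.0})):
        print(label)
        for row in prioritize(REGISTER, threshold=2.5, weights=weights):
            print("  ", row)
```

Without weighting, the critical but unlikely safety risk ranks third; doubling the Safety weight moves it to the top of the list and over the threshold.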


Addressing unacceptable risks within a project.

Where qualitative, quantitative, or both qualitative and quantitative risk assessment methods are utilized and unacceptable risks are identified, action needs to be taken to fully understand the potential risk and to reduce or, if possible, eliminate it. Risk reduction can be achieved via process redesign, addition of enhanced inspections and testing, provision of protective equipment, etc.


Actions to address the identified risk events.

Once risks have been identified, analyzed, understood and rated, then the project team need to effectively address those risks deemed unacceptable, i.e. those risks which, if they were to materialize, could pose a threat to the project meeting its objectives.

As risks are initially identified in the early stages of the project, the potential for serious negative impacts on the project can seem daunting, however, via utilization of a structured project risk management process, the risks will get evaluated, rated and prioritized. The project team can then address, minimize and possibly eliminate many of the initially unacceptable risks, so that the project proceeds in a planned fashion towards the required project objectives.

There are a number of responses which the project team can take to potential risks which can be categorized as follows:

i) Avoid the risk

ii) Transfer the risk

iii) Mitigate the risk

iv) Share the risk

v) Accept the risk


Under an “avoid” response the project team may see how actions can be taken to prevent the risk from arising in the first instance. Can the project objectives or scope be modified to eliminate the risk? Can the project be implemented via a different path?

Can the risk be transferred? For example, if there were potential financial penalties associated with project delays, can some form of insurance against delay be implemented, so that the risk gets transferred to a third party? Can some elements of the project be awarded to external organizations, e.g. those with a particular expertise in an area, again resulting in the risk transferring to those third-party organizations?

Following on from “transferring” the risk is to “share” the risk. It may not be possible to completely avoid a risk by transferring to a third party, or the costs of such a transfer may be prohibitive. For example, the costs of insurance to avoid all possible financial penalties in the event of project delay may be prohibitive, however, an insurance level which halves potential penalties may be deemed an acceptable risk.

Mitigating or reducing the risk can be achieved in numerous ways. For example, via increased supervision, extra testing, enhanced procedures, provision of extra protective processes and protective equipment, … In many projects the bulk of risks will be addressed via mitigation strategies.

Some risks may be deemed “acceptable” even if they potentially risk the success of the project itself. All projects inherently entail some level of risk. Very often the greater the potential benefits associated with project success, the greater the level of risks within the project itself and the greater the risk tolerance (or risk appetite) within the project management team.


Risk monitoring and risk control.

As the project progresses and knowledge of the project improves, risk understanding will improve and potential negative risk exposure will decrease. This scenario requires a process to be in place which efficiently captures all risks, evaluates such risks, rates the risks and oversees prompt and effective responses to address the risks. Such a process will often require the maintenance of a risk register which is continually updated (daily, weekly, monthly), clear ownership of the register, regular risk review meetings, defined actions to address identified unacceptable risk, undisputed ownership for reducing project risks, and clear reporting and communication of risks across the project team and throughout relevant management.
