Project Risk Management: Understanding and Tackling Project Risks

Project risk management is all about recognising project threats and planning ahead. You can plan for and mitigate project risks through careful analysis and by establishing project risk protocols, even if you can't completely eliminate all risks. 

Many projects face major challenges during their execution, but with a solid risk management plan, you can mitigate risk in your projects by avoiding, accepting, reducing, or transferring risks. 

In this guide, we will explore frameworks you can use to understand project risk, including ways of categorising risk, how you can build risk management processes into your project plan, and strategies for responding to risk in a risk mitigation plan.

What is project risk management?

Managing project risk is a key part of your job as a project manager. An important first step to identifying risks is defining what "risk" entails. A project risk is anything that might cause something not to happen as expected. When conducting a risk assessment for your project, it's important to recognise that each project has its own unique combination of potential risks.

Project risk management is the process of predicting and preventing potential problems with a project that could affect its scope, cost, schedule, or quality. It involves both identifying existing risk factors and anticipating those that might arise in the future.

How do project risks impact projects?

Risks can significantly impact a project. Project risk management frameworks tend to look at the impact of risks on a project’s scope, budget, or schedule. 

Project scope

The project scope is the series of goals and activities that the project team commits to complete. The scope is the initial list of deliverables for a project. As a project manager, you need to make sure that everyone has a clear understanding of what needs to be done. You need to put in place clear milestones with proper sign-offs and involve your product owner, key stakeholders, and team members. These clear checkpoints will help you keep things on track throughout the project.

The dangers of scope creep

Scope creep is when a project's size or requirements change partway through the project. These changes can occur for a variety of reasons, but the result is that the project becomes larger than originally thought and typically results in problems with capacity planning and an increase in project cost. 

Why is it so difficult for project teams to identify and eliminate scope creep? Technically, it’s just a tweak here, a new requirement there. But, when these tweaks turn into added features, like a software upgrade that changes the database requirements for a project, the project suddenly has another layer of complexity. While change requests and requirements shouldn’t be ignored and can even lead to better results, continually expanding effort on new goals can be counter-productive and move the project from its critical path.

Project budget

When you work out the cost of a project, it is not enough to consider only the direct costs. Cost risk is concern that a project's cost will increase due to factors like scope creep and snags in implementation. Many factors can affect the amount of money you need for a project. For example, if you’re completing a manufacturing project in China and the currency exchange rates change, your cost of production might go up. As we will see later, there are several ways you can deal with risks.

Project schedule

Schedules and timelines are some of the first things that are normally impacted in the event of a risk. Some schedule risks are discrete events that are easy to identify. Extreme weather, natural disasters, company layoffs, shipping and delivery delays, strikes, and key worker illness can all cause unexpected changes in project schedules.

Some of the most notorious schedule risks are often forgotten by project managers. These risks are more subtle and are often process- or team dynamics-driven.  They include conflicting priorities between teams, project dependencies that prevent task kick-off, and failed or poor quality communication channels between team members.

Categories of project risk

You may experience external and internal project risks as well as positive risks.

External project risks

External project risks are the ones that you don’t control. They are caused by factors outside of your project’s scope and team and can often increase the possibility of project failure. External risks include economic conditions, new regulations, and changes in competitors or technology.

It's always good to build time buffers into requirements and to make it possible to rework the schedule in case external risks materialise.

Internal project risks

An internal project risk is any issue arising from within a project that can impede progress. Internal project risk is also called process risk, task activity variance, and performance shortfall. Examples of internal risks include a developer going on holiday, a team member handing in their resignation, or a business function not performing up to expectations. Internal project risks can derail even the best-planned projects, so it is important to anticipate, appraise, and mitigate such risks at the earliest possible time.

Positive risks

A positive risk is an unexpected event that can have a good effect on your project. As you start your project, always be on the lookout for positive risks. Positive risks could shorten the original project timeline or lower the required budget. Positive risks might come in the form of team members becoming more efficient after training, or through the availability of a new tool or process. When they do occur, document positive risks and make decisions based on them. A simple activity, such as moving a team member to another department or changing when you buy project equipment could make a big difference.

How do you manage project risks?

The best way for you to plan for and deal with project risks is to follow a risk management process. Risk management helps you to anticipate the risks that face your project and assess those that will have the biggest impact on it.

Although risk management is an essential part of any project, many project managers fail to implement a formal approach. If you treat risk management as an integral part of your project plan, you will have a greater chance of minimising or eliminating the effects of risks to your project.

The five steps of a risk management process are: identify, analyse, evaluate, treat and monitor. 

Identify project risks

As a project manager, you must take steps to try and identify project risks. The first step to managing risk is to know what areas of your project might be risky. As you prepare your risk management plan, remember that the process is iterative. You will revisit potential project risks throughout the life of your project. In this step, your goal is to make sure you’re aware of all the potential factors you might encounter so you can take steps to mitigate those factors early on.

You’ll want to create a risk list as early in the project lifecycle as possible. This will not only allow you to see what risks your project might encounter and take action before problems arise, but it will also give you time to develop responses for each risk and prepare for various contingencies. In particular, it’s a good idea to identify risks that relate to team members. Any loss of a key person could delay the project significantly.

A good starting place is to take a look at past projects that had challenges and similar risks. 

Perform kickoff meetings, hold brainstorming sessions, and attend stakeholder meetings. Meet with subject matter experts in your business and externally to gain additional feedback on your project plans. 

You also need to ensure you fully understand the project scope and goals. Perform gap analysis, assess any project assumptions and read pre-project requests for changes in scope from stakeholders. There are often early signs of internal risks to the project when you look at the reasons for the project and how it was formed.

Analyse risks

You need to quantify the probability and potential impact of the risks that you identify. When determining probability, ask yourself if each risk represents something that has happened before (such as delayed manufacturing) or if it’s a new threat (such as a new competitor coming in with a new product). You may also want to consider the likelihood of multiple risks occurring at once and how they will interact.

You should capture qualitative and quantitative data on the risks that you become aware of in a risk register. 

Evaluate risks

Prioritising risk allows you to stay focused on the most likely potential problems. There are many risks that occur in every project. This stage will build your risk register document and help you and your team to categorise the high-, medium-, and low-risk items on your project. Document the risks with columns for their type (budget, security, compliance), their cause (human error, timelines, capacity planning, technical constraints), and their impact (failure to deliver critical path, loss of client trust) and mitigating factors (procedures to follow in case of a negative event). Risk evaluation will help you to determine risk levels and monitoring and process priorities for your project.

Treat risks

To treat risk is to create a plan to deal with it. The question to ask when you're treating a risk is: What can I do to reduce this uncertainty and make the risk become less likely or less significant? Risk treatment is where you’ll plan and take action. This could be anything from getting more information on a supplier to changing project phases or milestones so that multiple related risks don’t converge simultaneously on the project timeline. 

Brainstorm what actions you can take to minimise the impacts of all high-risk items. Once you’ve come up with your actions, assign a team member to take responsibility for tasks on high-risk items. 

Monitor risks

The best way to manage project risks is to be aware of them and mitigate as best as you can. This process will involve assigning monitoring duties to various members of your team. Make sure that these assignments are clear so that the person being assigned knows exactly what they are supposed to do. You will also want to set up a reporting system so that all project updates and progress reports go directly to you and another senior member of your project team. Set a meeting schedule where risks will be discussed.

Risk mitigation in projects

Mitigating risk is a process that helps you reduce project risk exposure and deal with uncertainty. It is the process of dealing with risks using methods and procedures that provide some level of assurance that the risk will not result in harm or undesirable consequences.

There are four primary risk-mitigation tactics: 

• Avoid the risky activity

• Accept the risk

• Reduce the risk 

• Transfer the risk

Each of these ways to mitigate risk has a distinct purpose and will be effective in different situations. 

Avoiding risk

You can reduce or eliminate many smaller risks by simply taking the time to think about potential negative outcomes and how you could avoid them.

Avoiding risk is a proactive way of minimising the risk, or even turning it into a non-risk. For example, you may avoid a risky supply chain partner by doing thorough due diligence and selecting a lower-risk supplier. By avoiding the supplier with a chequered track history you may significantly lower a major project risk. 

When avoiding risks you need to do a cost/benefit analysis. If taking a risk will result in a superior project outcome you may want to take another approach to the risk.

Accepting risk 

Accepting risk is caring that something could go wrong in your project, but realising the consequences will be low if they do, or the benefits of accepting the risk are significant. You might choose to accept a risk if it is unlikely to happen and if there’s no good way to prevent it from happening.

Sometimes, risks just can’t be avoided. After all, life is full of uncertainty. But even with a certain amount of risk in every project, it’s important to set priorities and make smart decisions about what risks to accept versus which ones you need to manage in some way.

Reducing risk

Medium- and high-risk events are good candidates for risk-reduction efforts. If a given risk has a significant potential impact on your project, chances are that you could prevent it from happening or reduce its impact with some type of action.

Consider including risk reduction tactics in your project plan, such as pre-purchasing supplies that are likely to experience shortages or hiring more resources for a task than you expect will be needed, even if those resources aren’t needed at the beginning.

You can also reduce the impact of risks by building in contingency and scheduling buffers.

Building in a contingency budget

A contingency budget provides money to pay for additional work that you might need during your project. This could be used if something changes and you need more time, or if your project execution doesn’t go as smoothly as expected. Contingency budgets help protect your project against risks that could affect the project cost.

Building in scheduling buffers

The time needed to complete a project is rarely consistent from one phase to another and often varies with the level of complexity. A buffer can be added in the critical path to compensate for this uncertainty. This is especially useful in long-duration projects or sequence-dependent projects. Where a project is sequential it is normally best to place the buffer in the late stages of the project.

Transferring risk

Transferring risk means shifting the responsibility of risks away from you as project manager and onto another party. This may be engaging a third-party supplier, or it may mean getting insurance coverage against potential losses.

To mitigate risk in a software development project risk, for example, you could plan to outsource the development of aspects of your software to a proven external team of developers. By shifting the tasks to a third party with more resources and experience than your internal team, the impact of technical flaws and delays could be less severe. 

Tools to help you to manage project risk

The following tools are tried and tested. They are simple in design and serve as instant anchors on your team’s path through the risk management and mitigation process.

The risk management plan

A risk management plan is an important part of the overall project plan. The risk management plan contains the information needed to effectively identify, respond to, and monitor project risks. It will guide the identification of appropriate responses to risk, facilitate the resolution of issues that arise, manage interdependent risks, and monitor for potential signs of emerging risks. 

The risk management plan document should be drawn up at the initiation stage of the project, and be kept updated as you move through the project phases. It should be a reference guide, it should guide best practices, and should be kept with the risk register.

The risk register

A risk register provides a way to track risks that are discovered and the subsequent plans to mitigate them. You can manage project risks in a structured manner using your risk register. 

The risk register is a structured table created to record all the potential risks that could impact your project. 

A basic risk register can be made up of nine columns: 

1. Risk title 

2. Probability 

3. Risk type

4. Risk causes

5. Impact 

6. Who’s at risk? 

7. Response and mitigation

8. Status 

9. Monitoring assigned to

How can you learn more about project risk management?

You can learn how to effectively assess risk and manage risks in your projects by applying techniques that are based on proven models and industry best practices. If you’re looking to learn about risk management, and project management more widely, then you might like to consider the Google Project Management: Professional Certificate on Coursera.