Project risk is always in the future. Risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective. Objectives can include scope, schedule, cost, and quality.

Project Management Book of Knowledge (PMBOK), V4 2008

Every project carries risk. Often the determining factor of project success is how you anticipate and respond to risk. Risk Management provides a formal process and structured activities to help. In this post we will introduce core concepts around Risk Management.

It is important to note that not all risks are negative. Negative risks – or threats – are what we typically think of when we think of risk as the term seems to carry a negative connotation. However, there are also positive risks – or opportunities – that could significantly impact your project.

I would recommend spending equal time speaking to opportunities as threats. The goal of risk management is not limited to preventing bad things from happening. The goal of risk management is delivering on your objectives. And, should an unexpected opportunity occur it can have every bit as large an impact on your project.

Project Risk Management Processes

The Project Management Institute has defined six processes to support effective Risk Management. They are:

Plan Risk Management

As you would expect, the first process is developing a plan. The Risk Management Plan is a sub-plan to the overarching Project Management Plan. It typically does the following:

• Documents a process for identifying, analyzing, monitoring and controlling risks
• Defines roles and responsibilities
• Describes how and when risk will be managed through the project
• Assigns budget for risk response planning

I recommend this document also includes overarching or systemic risks known to the project. This document is not where risk will be tracked over time – those activities will be managed in a Risk Register. The rationale for including systemic risks is to frame risk for the project overall – to provide stakeholders with themes within which individual risks are likely to fall.

Identify Risks

The process of identifying risks can be as simple as having the project team discuss the project one afternoon and brainstorm what could go wrong (or unexpectedly right) with the project. Or, it could be an elaborate evaluation across functional areas, departments or stakeholder groups in the months leading up to the start of the project. Regardless of complexity, this process should effectively capture those risks identified prior to the project.

Identified risks should be captured in a Risk Register.

Perform Qualitative Risk Analysis

Performing qualitative risk analysis is the process of evaluating the probability and impact of a risk. This analysis will help you prioritize risks. Those with the highest probability of occurring and highest potential impact clearly are most deserving of your attention.

A Probability and Impact Matrix is a tool that can be used for organizing risk and consolidating risk analysis.

Perform Quantitative Risk Analysis

Performing quantitative risk analysis is simply an effort to backstop your analysis with additional data. How significant would the impact be? How high is the probability? What data supports our analysis?

Plan Risk Responses

Planning risk responses is an effort to address project risk prior to the project start. For highly probable and impactful threats your best option is likely to avoid them altogether. Or, you might simply attempt to diffuse or mitigate the risk so as to decrease its probability or impact. If you have identified an opportunity you might do exactly the opposite and seek to exploit or enhance the probability and impact.

Risk response plans can be baked directly into a Risk Register.

Monitor & Control Risks

Effective risk management will continue throughout the project. A risk should be tracked until such a time that it is no longer a risk to the project. As circumstances change, so to should your risk response strategy.

Monitoring and controlling risk typically requires a governance model be in place whereby risk is discussed and escalated as needed.

Conclusion

Risk Management is a proactive excercise. If you consider what can go right or wrong with your project you are much more likely to be equipped to see the project to a successful conclusion. The processes outlined here are intended to provide an initial framework to help you and your organization identify, analyze, plan for, monitor and control risks throughout the project.