What is Project Risk Management?
All projects – regardless of whether they are relatively short and straightforward, or long and complex – carry a degree of risk. This is because while many factors may be known, established and predictable, there are some aspects and variables that are unknown or iterative (i.e. more is known as the project unfolds). Project risk management is an approach that involves identifying, managing, mitigating, and at times exploiting these risks to increase the chances of project success.
Project Risk Management Processes
According to the Project Management Institute’s Project Management Body of Knowledge (PMBOK® Guide – Sixth Edition ), there are seven project risk management processes
Project risk management
the process of determining how to carry out risk management activities on a project.
the process of identifying and documenting individual project risks, as well as the sources of overall project risk.
Qualitative risk analysis
the process of categorizing and prioritizing specific projects risks, in order to conduct deeper analysis and assess the likelihood of occurrence and impact (along with any other relevant characteristics).
Quantitative risk analysis
the process of assigning numeric values to the cumulative anticipated impact of project risks and other sources of uncertainty.
Planning risk responses
the process of identifying possibilities, determining strategies, and achieving consensus on the best ways to address project risk exposure (individual risks and overall).
Implementing risk responses
the process of carrying out planned risk responses.
the process of assessing risks, analyzing new risks (including those that may be potentially positive), and evaluating the overall effectiveness of risk management across the project.
Risk Management Plan
All of the risk-related documentation generated through these processes create the overall project risk management plan. It is important for new project managers to grasp that risk management is an ongoing effort – not a one-time achievement.
For example, during the execution of a project it may be necessary to revisit risk identification and make changes, which in turn would trigger other processes such as qualitative risk analysis and quantitative risk analysis. This is why on complex projects, or in organizations that focus on project-related initiatives (a.k.a. projectized organizations) or in high-variability environments (e.g. Agile project management), project risk management may be led by a designated individual or group, and not remain solely the responsibility of the project manager.
Project Risk Management Assessment
Conventionally, the word “risk” is associated with something negative. For example, we read and hear about health risks such as improper eating choices, financial risks such as poor saving/spending habits, cybersecurity risks such as failing to safeguard our online accounts and devices, and so on.
However, when it comes to assessing risk in project management, it is important to keep in mind that all risks are not automatically negative. Some can be positive, and help projects achieve business objectives. For example, there may be a small possibility that in a few months key specialists who are currently assigned elsewhere, will be available for reallocation to a project. This in turn would likely enable the project to finish ahead of schedule and under budget.
While the project manager (and other team members who are involved in project risk management assessment) cannot realistically assume this will happen, they should nevertheless be prepared to rapidly seize the opportunity should it occur.
Types of Risk Management in Project Management
There are multiple types (or levels) of risk management in project management, and each type must be governed by the processes described above – or else project health, or even project survival, could be at risk. These types of risk include:
Individual project risks
these are events or issues that would have a negative or positive impact on project objectives if they occur.
Overall project risks
these are events or issues that would have a negative or positive impact on the project as-a-whole. These risks arise from all sources of uncertainty, including individual project risks.
these refer to events or issues in which uncertainty exists regarding a key variable. Some organizations use Monte Carlo analysis to address variability risks.
these refer to events or issues where uncertainty exists about the future, and which might have an impact on a project’s ability to achieve its objectives.
Project resilience risks
these refer to events or issues that simply cannot be realistically determined beforehand, but nevertheless force the project to make major changes. For this reason, project resilience risks are sometimes called “unknown unknowns”.
Project Risk Management Examples
Here are some examples of the project risk management types described above:
Examples of individual project risks
key project staff unavailable during a specific time period; requirements for a specific software feature may not be fully defined.
Examples of overall project risks
NPS may fall and reputation in the marketplace may be damaged; the project may incur a cost that is 20% higher than the original cost baseline.
Examples of variability risks
productivity above or below target; unseasonal weather conditions.
Examples of ambiguity risks
future developments and changes to regulatory frameworks; excessive systemic complexities in a project.
Examples of project resilience risks
pandemic; terrorist attacks.
Of these types of risks, one of them – project resilience risks – cannot be anticipated in advance. As such, it is not feasible to proactively manage and mitigate them. However, organizations should have strategies, policies, and workflows in place that enable them to pivot in the very rare – but nevertheless possible – case that a project resilience risk emerges. For example, while organizations across all industries and sectors were shocked by the speed and severity of the COVID-19 pandemic, those that had the capacity and systems to adapt generally fared much better than those that did not.
Project Risk Management Software
Risk assessment and controls are critical to project success. It is essential for organizations to use powerful, yet easy-to-use project risk management software that:
- Is cloud-based and can be securely accessed from any device in or out of the corporate office.
- Centralizes and organizes risks and mitigation plans directly into project views.
- Tracks, logs and manages all types of risks and issues.
- Uses a risk register to help proactively devise a mitigation strategy.
- Enables internal and external stakeholders (e.g. customers, sponsors, etc.) to collaborate and share documents in designated online workspaces instead of through emails.
Best Practices for Risk Management in Project Management
Teams and organizations are encouraged to adopt the following project risk management best practices:
- Begin the risk management process as early as possible.
- Create a robust, realistic and agreed-upon plan for how risks will be identified and monitored throughout the project.
- When identifying risks, define which team member(s) will be responsible for tracking and reporting on them.
- Prioritize project risks based on the likelihood and severity, but as discussed above do not neglect to include potentially positive risks as well.
- Keep the lines of communication open! It is vital for everyone to be on the same page, and focused on the same objectives.
- As noted above, use proven and highly-rated project risk management software.
The Final Word on Project Risk Management
While there are many paths to project success, the unifying common denominator of all projects that reach the finish line on time, within budget, and having achieved all business objectives is that they exhibited strong, effective project risk management. Of course, project risk management is not the only factor. But it is surely one of the most important when it comes to determining whether a project will become an inspiring success story – or a daunting cautionary tale.