Project Risk Management - avoiding the rocks on the road to success

The practical application of Project Risk Management is a key element in the success of any project. The Project Risk Management process should form part of the project management routine at all stages of the Project Life-Cycle.

All too often though the application of Risk Management can fall by the wayside somewhat during the implementation phase of a project once the Project Team gets into the fast pace of the implementation phase, dealing with all the day to day issues that need to be resolved.


FAILING to follow a structured Project Risk Management process for your projects in a self-disciplined manner will quickly lead to project failure.

Much has been written about Project Risk Management and the application of tools and statistical methods to analyse, prioritise and manage project risk, though arguably this creates a perception of complexity which can often lead to project managers doing the bare minimum regarding the application of Risk Management processes within their management routine.

The practical application of Project Risk Management is straight forward: 

Applying a practical risk management process to your projects with the self-discipline and commitment to follow the process rigorously, you will underpin your chances of a successful outcome.

Generic Project Risk Management Process

A simple way of looking at a generic Project Risk Management process, is to split it into 4 key activities:

  1. Objective Setting - Set the objectives for the Project Risk Management process to be used and align them with the overall objectives for undertaking the project - the criteria for success.  Risk Registers are practical ways for logging identified risks so they may be managed effectively through the project risk management process.

  2. Risk Analysis - Identify foreseeable risks and seek to understand the type of risk - is it commercial, health & safety related, operational etc?  For all risks identified, understand the likelihood and impact as well as any cause and effect relationships between risks.

  3. Action - formulate methods and actions to reduce or eliminate identified risks in a structured and manageable way to enable continuous control of risk and uncertainty.  Specific response actions may include the transfer, mitigation, allocation or acceptance of identified risks.

  4. Monitoring - throughout the whole Project Life-Cycle, the level of risk facing the project should be measured in some way, as well as a measuring the effectiveness in responding to identified risks.

Your Project Risk Management process should also consider and deal with the following:

  • Risk or Opportunity?

    A practical Project Risk Management process, if applied properly, can also facilitate the identification of opportunities to improve the desired outcomes of your projects.  Opportunities to bring previously unidentified benefits to the project, often mean some deviation from the project definition and implementation plan and can often be overlooked or dismissed due to the discipline of controlling the project as signed off.

    More creative project managers will however be very keen to identify and incorporate opportunities for improvements, although significant risk could be introduced to the project whilst persuing an opportunity. 

    By following a practical Project Risk Management process during the assessment of opportunities, risks associated with pursuing opportunities can be successfully managed during the course of seeking the benefits on offer - in a lot of cases pursuing opportunities can inherently mitigate previously identified project risks.

  • Risk vs Definition

    Different types of risk are present during different stages of the project life-cycle, the largest project risks mainly present themselves during the early stages of a project, when the project definition has not been developed sufficiently, or risk details have not been worked through thoroughly enough. 

    It therefore follows that as a project proceeds to completion its risk profile reduces the nearer to completion it gets.

    With some projects, a level of residual risk may exist after the project has been completed, which will require continual monitoring and management.

    For example, the safe storage of non-recycled nuclear waste following decommissioning of a power station.

  • Project Definition Rating Index

    As a way of subjectively benchmarking a project’s definition against projects that were considered successful, the American Construction Institute and the European Construction Institute published the Project Definition Rating Index (PDRI) - by scoring all aspects of a project’s definition in line with recognised Best Practice in project management application, it’s possible to assess whether your project is likely to be successful or not, given its level of definition - in a sense, an assessment of the level of risk associated with a project at a known level of definition.

    As a Risk Management tool the PDRI is useful and prompts two discussions:

    "Do we delay the implementation phase and spend some time better defining the project and reducing it’s inherent risk before we start?"


    "We cannot afford to delay the implementation phase, we understand the project is carrying  sufficient risk to reduce its chances of success, however we will employ a rigorous project risk management process to ensure the relatively high level of risk is managed properly."

    Each type of discussion will depend on the project team’s adversity to risk, and the reasons for undertaking the project.

  • Foreseen and Unforeseen Risk

    Two areas of project risk management that you are likely to come across, with pretty obvious descriptions, are Foreseen and Unforeseen risk. 

    Foreseen risks are those risks that your project team is able to anticipate and therefore have a good chance of managing appropriately.  Foreseen risks are the principal focus of the project risk management process, as it’s pretty difficult to manage something you are not aware of (unforeseen).

    However, to ignore unforeseen risks totally is not wise.  Unforeseen risks are those that creep up on you and hit you totally unawares, and can consequently cause project failure very easily.

    Although the specifics of unforeseen risks are unknown, it’s likely that some provision can be made to accommodate the generic type of risk that could present itself in an unforeseen way. 

    Purists will challenge the logic here.  After all, if a risk can be contemplated in any way, it has to be, by definition, foreseen, although it’s likelihood of occurring is so remote it’s generally unlikely.

    A common pragmatic way around this issue is for the sponsoring organisation to put aside some level of central contingency fund to be made available should an unforeseen risk present itself.  This fund would typically be held outside of the project budget, but within the sponsoring organisation’s financial budget.

Having established the objectives of your Project Risk Management process taking into account the impact and magnitude of the consequences of project failure.  The next step is to undertake a Risk Analysis of your project.

Qualitative & Quantitative Risk Analysis

If you do nothing else, the bare minimum you should be considering is the production of a list of risks facing your project and to rank that list in some way to allow you to focus on managing the most significant risks, but at the same time not losing sight of the less significant risks.

This ‘list’ in essence is the start of your Risk Register and should be the main vehicle for traveling along the Project Risk Management process, although the generic risk management process is in fact an iterative review, as shown previously.

During the early stages of the Project Life-cycle, qualitative risk analysis is more often used than quantitative.  During concept and feasibility stages of a project, the level of definition is not sufficiently defined to allow effective quantitative risk analysis.

Quantitative risk analysis techniques come into their own as the project definition gets better developed, and very often, quantitative risk analysis becomes an integral part of the definition development process, defining actions and implementation methodologies which mitigate or remove risks previously identified.

Monitoring and Control

The Risk Management process is iterative.  Iterations, or review points, are usually determined by which stage of the Project Life-cycle you are at:

  • Concept and Feasibility stages may see the creation of the Risk Register with risks identified and qualitatively ranked in order of importance for more in-depth consideration at the next stage of the project.

  • During the Pre-planning stage of the project the risk register will be reviewed at least once again having taken some action against the most significant risks identified from the earlier definition stages.  As the definition proceeds, some risks may have been eliminated, yet new risks may have presented themselves. 

    Some risks may still have only been assessed qualitatively and some of the more significant risks may have undergone a rigorous quantitative analysis.  The priorities for management action will have most likely also changed.

  • During the Project Implementation and Handover stages of a project it’s more usual to review risks via the Risk Register on an ongoing basis as part of the project control activities and reporting requirements for the project - commonly on a monthly basis as a minimum.

Good practice suggests that the outcome of project risk management activities should be fed back into other projects as continuous learning. 

After all, if a method of eliminating or mitigating a risk has proven successful, by capturing and sharing the successful risk management actions with others, similar risks associated with other projects can be managed more effectively, reducing the overall project risk exposure of the sponsoring organisation.  In this sense the Risk Management process becomes a feedback loop of learning and overall risk reduction.

For assistance or further guidance with developing a Project Risk Management process, or any aspect of integrating practical Risk Management techniques to your projects, Contact Us for a confidential discussion with no further obligation by yourself. 

We are passionate about Project Management Best Practice and are here to help.

Return from Project Risk Management to Home Page