Project Risk Management Basics

“Bad things happen.” “Nobody could have seen it coming.” “This is just a complex project”… This is what you will hear in the absence of risk management. To some degree, everybody is already familiar with the basic logic of risk management. When you leave home one hour earlier because you want to catch that flight to that relaxing and beautiful place, and you know that traffic is unpredictable on your way to the airport, you are doing risk management. This basic logic can be applied in projects as well.

What is a Risk?

Risk is “uncertainty that matters”, something that might impact your goals.

Risks can have positive (Opportunities) or negative (Threats) impact. For simplicity, we will use the word risk for threats in this post.

An easy way to see risks is to consider them anti-value. If a product or solution adds value, risks are events that, if materialized, will reduce value. Value has different forms for different people. For some customers, value is delivery on time, for others a set of features, and for others again, delivery to cost.

Risk is “uncertainty that matters”

Dr. David Hillson, the Risk Doctor

Why project risk management?

Project risk management is the process in which you identify, prioritize and act to reduce the impact of risks. You can see it as defining alternative paths to your goal in case the main road is cut off along the way. If you recognize a risk but don’t act upon it, you have simply accepted the risk, which does not count as managing it. In plain English, if you don’t manage risks, risks will manage you.

Basic risk management is better than firefighting. The essence is to act. Proactivity is at the core of risk management. If you spend your days reporting to your stakeholders why you are off-track, this might be a sign of a lack of risk management.

Manage risks, or be ready to do firefighting.


If your company has a process, use it as much as your knowledge and experience allow you to do so. But if you feel overwhelmed at the beginning, remember the following principles:

Don’t do this

Do not ignore risks. Risks arise as issues later on in the project. Issues are more difficult to handle because the room to adapt and correct shrinks with time. Acting beforehand has the benefit of time and space to think and plan.

Do not pretend to be the risk hero; share responsibility for risks with your team instead. If you feel like a hero, then you are surely in the middle of the critical path. Everything goes through you, which makes your life as a project manager more difficult.

Do not hide risks. Some project managers are afraid to share the risks of a project with their stakeholders. They believe that communicating the risks of a project shows a lack of confidence or skill, or is only a way to excuse possible future failures. This is terribly wrong. It follows the same logic as ignoring risks.

Do NOT ignore risks. Share them.


Do this

Start with a simple log. You don’t want to get bogged down in technicalities and tools while you are dealing with risks. Something like an Excel spreadsheet can work as well as any sophisticated tool. I would recommend starting with a log with the following columns:

  • Risk description: “as a consequence of [OBSERVABLE FACT IN THE PRESENT], [UNCERTAIN EVENT IN THE FUTURE] might happen, which would lead to [IMPACT ON PROJECT GOALS]”
  • Risk Severity: “High, Medium, Low” (Impact x Probability)
  • Assigned to
  • Status Description

Pick a small number of risks to focus on. This might sound crazy, but risk management can quickly turn into a bureaucratic burden instead of a management task. Setting a limit will force you to really prioritize and act. An extensive risk log might only give you a false feeling of safety. Talk to your team and your customer, check how to make the project risk acceptable by managing only, for instance, the top 5 risks.

Keep yourself accountable. Schedule a weekly meeting with your team for risk management. Whenever you are overworked and want to cancel the meeting to use the time slot for something else, remember: “Short term gain, long term pain.”

Ask more questions, ask more frequently. Questions are a simple way to get access to critical information. The following questions might work for you: What can go wrong? Would you commit to this task/goal? Don’t worry about being annoying, it’s your job.

Be transparent with your stakeholders. Let them know about risks. Include information about key risks and their status in your reports. It requires a lot of effort and time to convince your stakeholders at a later point, when the risk has already grown into a real issue for the project. Besides, it is harder to regain trust than to keep it.


