

Updated: May 13

If you have been following the project steps, as sequenced on this website, you have already Planned: Stakeholder Engagement, Scope, Time, Cost, Quality, HR, Physical Resources, Communications, and Procurement. You and your Project Team have worked very hard to ensure you have a great plan. You want no surprises and a minimum of frustrations to accompany your project. "What can possibly go wrong?"

Good question! And that is exactly what you need to ask, so you can manage these Risks. Let's look at this a little closer.

Risk: an uncertain event that, if it occurs, has positive or negative consequences on one or more project goals (or objectives).

Risks are not the same as Issues. CLICK HERE for information about issues.

NOTE: In Risk Management you will see the words "goals" and "objectives" interchanged. What is meant is: Risk to the planned Scope, Time, Cost etc., because in Project Management we do not normally manage the risk that the project deliverables might not solve the problem, answer the question, or seize the opportunity for which the project was created. For a refresher on Objectives and Goals, CLICK here for the download.

Sometimes we use the word "Opportunity" for a Risk with positive consequences. We would like to increase these. On this site, we focus more on Risks with negative consequences. These are sometimes called "Threats". Of course we want to decrease these!

So we see that the thing which can "go wrong" is the "Risk". We also recognize that the Risk might or might not happen ("if it occurs"). That means there is some Risk Probability of the Risk occurring or not occurring.

The negative consequence(s) to your project goals could be quite serious. On the other hand the consequence(s) might be quite minor. The consequence(s) of a Risk on one or more project goals is called Risk Impact.

First, you want to have an overall plan to manage Risks. Then you want to identify Risks and describe those Risks in priority (qualify) and consequences (quantify). Finally you want to have plans to manage (respond to) the Risks. Your plan carries your signature; and your reputation as a Professional Project Manager rides with your plan, so this is worth doing well!

Risks will always be present in your project. The strategy is to minimize the risk by being prepared. "If you don't attack the Risks, the risks will attack you!"

To effectively manage Risks, you need to find out which ones have the highest probability and the highest impact and manage those very closely. Risks with lower probabilities and lower impacts can be watched with less attention given to them.

The processes needed for good Risk Management are, in this order:

1. Plan Risk Management

2. Identify the Risks

3. Qualify the Risks

4. Quantify the Risks

5. Plan Risk Responses

6. Implement Risk Responses

7. Monitor Risks


You want to consider how to manage Risks in your project. These considerations become your Risk Management Plan. If you have a complex, long term project, with many new Stakeholders, you might want a detailed written Risk Management Plan. In other cases, a much shorter document will suffice. In all cases, having a Risk Management Plan will keep you proactive.

In Planning Risk Management, first evaluate your Key Stakeholders' Risk Attitude, as sketched on the downloadable definitions page. Risk Attitude is the overall picture of an entity's (organization's or stakeholder's) willingness and ability to withstand risks. Evaluation of Risk Attitude will greatly help ensure project success and Stakeholder satisfaction. Risk Attitude will vary from Stakeholder to Stakeholder, and even from project to project for the same Stakeholder.

Analytical tools, such as a Stakeholder Risk Profile and Risk Scoring Sheets, can be used to determine Risk Attitude. However, your evaluation can be as simple as a conversation with Key Stakeholders. I like to ask, "What kinds of things do you want to avoid at all costs?" and "What would you prefer to avoid but can deal with if it does happen?" Document these.

Your Risk Management Plan should include commentary on how you will perform the other 5 Risk Management processes (above).

Open this page for more information and templates on the Risk Management Plan and Risk Registers.


Unfortunately many Project Managers fail to identify, assess, and actively manage project Risks. Although Project Managers are often peripherally aware of project risks, the Risks receive low attention until they become critical to the project effort. Why is that?

It is easy to get enamored with our own plans, even in a team environment. This is a normal bias. After all, if we thought there was a possible problem, we would have planned for that, right?

Another important bias to recognize comes when estimating Time and Cost. As we usually start these estimates at a zero base and add on Time and Cost, there is a bias toward low estimates due to items or details being omitted.

A third bias is optimism. If you hear your team (or yourself) saying, "What can possibly go wrong?" (with the implication that the answer is "Nothing!") then there is likely undue optimism. The optimism that usually serves Project Managers well is detrimental to identifying the Risks.

We want to identify all the Risks to be sure of not leaving out something important. So, it's time to take a step back from your well crafted plans and play "What if?" The process to follow for Identifying Risks is found by CLICKING here.

At this point you have Identified all the Risks, the impacts those risks could have on your project, and the likely causes of those risks. Next we will qualify the Risks so we can prioritize them.


Qualifying Risks is the process of prioritizing the Risks by combining their Probability and Impact. But first, you might need to filter all the identified Risks to a manageable few. Recall that on the Planning page, we said the knowledge areas (found as a project step on the right of this page near the top) are not all number one priority on every project. For one project the Time might be most critical, for another project the Quality might be most critical. So, to Qualify Risks, start with the ones having impact on the most critical knowledge area(s).

Then for each Risk:

1. Score the Impact

2. Determine the Probability

3. Multiply: Probability x Impact = Rank.

4. Enter the Rank of each Risk onto the Risk


In some projects, the Urgency of dealing with a risk is so critical that we add "Urgency" as a third factor. The equation in these cases is:

Probability x Impact x Urgency = Severity

Your highest priority risks are those with highest Rank (or Severity). You will want to put a good deal of your planning effort toward high Rank (or Severity) risks. Interestingly, I have found the Pareto principle works amazingly well in that approximately 80% of the highest Ranks (or Severities) are found in approximately 20% of the identified Risks.

Assigning numerical values to Probabilities, Impacts and Urgencies is subjective at best. The numerical values are relative and do not necessarily represent any real project measurable (such as cost, time, compliance, etc). The assessment of the probability of an event occurring is only as good as the available historic data upon which the assessment is based, or the quality of the experience and opinions of those making the assessment. You will want to include the Expert Judgement of Subject Matter Experts in helping assign these values.

This downloadable template (Risk Register 2) provides a way to convert the ideas of High, Medium, and Low into numerical values. The relationship between numerical value and 'High-Medium-Low' might already exist in your organization, or have been developed in your Risk Management Plan. Note the Probability and Impact Matrix at the bottom of this template.

Scroll down on this page Tools for Qualifying Risks to see more of these risk qualifying tools.


By now you have made a Risk Management Plan, identified the risks, given each Risk a rank and entered this information onto the Risk Register. The next process is to numerically analyze the impact of the Risks on overall project goals. We call this Quantifying the Risks, and it is optional, as many great projects have been managed without Quantifying the Risks. If you choose to Quantify the Risks, it must be done after you Qualify the Risks.

The Quantify Risks process can be very time consuming, and requires a fair bit of input data to develop appropriate models, so you want to consider whether the benefit is worthwhile. The main benefit of Quantifying the Risks is to produce additional, numerical Risk information to support decision making. It is also used to provide the aggregated, cumulative impact of all individual Risks on the project outcomes. What does this look like?

In the process of Quantifying the Risks, we correlate each Risk to a numerical impact on the:

- Scope

- Time

- Cost

- Quality

For example:

Expected Monetary Value = Risk Probability x Cost

We can use the numerical values calculated in Quantifying Risks to prepare our Contingency Plans. Consider a Risk with a 20% chance of happening. If it does happen, the project would cost $10,000 more to complete. So we can set aside 20% x $10,000 = $2,000 in our contingency reserve fund to cover this risk.

We can also produce information such as: "If Risk 'A' and Risk 'C' both happen, the project cost will increase by 'X' amount and the schedule will take 'Y' weeks longer to complete."

The numerical values calculated in Quantifying the Risks should be entered on your Risk Register.
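The Qualify and Quantify steps above can be carried through on a small Risk Register. The following is an added example, not a template from this site; the risk names, scores and costs are constructed sample values, and the field and function names are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    probability: float     # 0.0-1.0, chance that the Risk occurs
    impact: int            # relative score, here 1 (low) to 5 (high)
    cost_if_occurs: float  # extra project cost if the Risk happens
    urgency: int = 1       # optional third factor; 1 means "not used"

    @property
    def rank(self) -> float:        # Probability x Impact = Rank
        return self.probability * self.impact

    @property
    def severity(self) -> float:    # Probability x Impact x Urgency = Severity
        return self.rank * self.urgency

    @property
    def emv(self) -> float:         # Expected Monetary Value = Probability x Cost
        return self.probability * self.cost_if_occurs

# Constructed sample register (hypothetical risks and values).
REGISTER = [
    Risk("Key supplier delivers late", 0.20, 4, 10_000),
    Risk("Lead developer leaves", 0.10, 5, 25_000, urgency=3),
    Risk("Test environment outage", 0.50, 2, 3_000),
    Risk("Regulatory approval slips", 0.05, 3, 8_000),
    Risk("Minor scope clarification", 0.30, 1, 500),
]

def prioritized(register, use_urgency=False):
    """Qualify: highest Rank (or Severity, when Urgency is used) first."""
    key = (lambda r: r.severity) if use_urgency else (lambda r: r.rank)
    return sorted(register, key=key, reverse=True)

def contingency_reserve(register):
    """Quantify: sum of EMVs, the amount to set aside for known Risks."""
    return sum(r.emv for r in register)

def combined_cost(register, names):
    """Cost increase if every named Risk happens ("if A and C both happen")."""
    return sum(r.cost_if_occurs for r in register if r.name in names)

if __name__ == "__main__":
    for r in prioritized(REGISTER, use_urgency=True):
        print(f"{r.name:28} rank={r.rank:.2f} severity={r.severity:.2f} emv=${r.emv:,.0f}")
    print(f"Contingency reserve: ${contingency_reserve(REGISTER):,.0f}")
```

Adding Urgency changes the ordering: the outage ranks first on Probability x Impact alone, while the staffing risk moves to the top once its Urgency of 3 is applied.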

Further discussion on Quantifying the Risks is found when you CLICK HERE.


You are now prepared for the last process in Planning your Risk Management. From your Qualifying Risks process you know which identified Risks have the highest Rank (or Severity). If you Quantified the Risks, some tools (Decision Tree and Influence Diagram) will be helpful in selecting Risk Responses. Remember to include the affected Stakeholders in selecting the most appropriate Risk Responses. You want to develop options, and select actions, to increase Opportunities and decrease Threats.

How will you address each Risk? This is called Planning Risk Responses.

There are only 4 response types for negative Risks (Threats) and 4 response types for positive Risks (Opportunities), as illustrated here.

| Threats | Opportunities |
| --- | --- |
| Avoid (prevent) | Exploit (ensure) |
| Mitigate (reduce) | Enhance (increase) |
| Transfer (to others) | Share (with others) |
| Accept: passive (do nothing) or active (set up a contingency) | Accept: passive (do nothing) or active (set up a contingency) |


When "Accept" is the selected Risk response type, and you want to do something about it (active), the next step is to prepare a Contingent Response Strategy, with a Trigger. By doing so, you are saying this: "I don't know whether or not this risk will happen, but I am willing to take that chance (accept that risk). If it does happen I will allow the measured variable to get to this level (the trigger), then I will do this (contingent response strategy) which I have thought out ahead of time."

In addition to your Contingent Response Strategy for an accepted risk, you may want to have a Fallback Plan. This is the plan you will use if your Contingent Response Strategy fails to provide the needed result.

If both the Contingent Response Strategy and the Fallback Plan do not work, you will be forced to do a Workaround. A Workaround is an unplanned response used when there is no plan, or the plans did not work out. In the case of an Unknown Risk, there is no plan; and the Workaround is paid from the Management Reserve Fund with Time from the Management Reserve Buffer.

More information on Planning Risk Responses is given when you CLICK HERE.


Ideally, the Risk Responses are implemented during, or soon after, making the Risk Response plan. For example, if you decide to transfer the Risk, do so as part of planning your project, rather than waiting until you are in the middle of execution.

Implementing your Risk Responses may require re-working other parts of your project Plan. Let us say you are going to transfer a certain risk to an insurance company by buying insurance. This decision will impact your cost plan as you will need money in your budget for the insurance premium.

Beware of new risks that are introduced by implementing a Risk Response. These are called Secondary Risks. They need to be managed like any other Risk: Identify, Qualify, Quantify, Plan Response, Implement Response, and Control.

If you chose to actively accept a Risk by setting up a contingency, remember the Risk decreases as the project moves forward, so your contingency should be reduced likewise.

SAFETY RISKS: A special category of uncertain events that, if they occur, have negative consequences on one or more people's well being.

Safety is important enough to be treated as a separate topic in most work places. In project management, the 7 processes we use to manage Risks, above, are also applicable to Safety. In addition, THIS PAGE takes you to 6 guiding principles of a safety culture that should be part of every project.


After planning, you will want to begin Monitoring and Controlling the outcomes of your project. CLICK HERE and follow the links to find out how to monitor and control Risk.


The full collection of Risk Management Tools, with links to even more information, is available when you CLICK HERE.