A Step-By-Step Guide to Project Risk Management

Updated January 13, 2020

Some days your productivity is at an all-time high. Your team is churning through their deliverables one-by-one, and your clients couldn’t be happier.

Other days you can’t seem to get past issue after issue, and all hell is breaking loose.

Your computer crashed and one of your top developers is out sick with swine flu. Your project is going way over budget because who would’ve guessed that team happy hours could get so expensive.

“How could this happen?” you ask yourself, but you know the answer. You didn’t see any of this coming.

You weren’t prepared and now your project is falling way behind.

No one wants to be in this position, but in order to avoid this and other horrible scenarios, it’s important to manage the risks that create these problems.

At a glance: How to manage risk on your projects

  • Step 1: Create a risk log
  • Step 2: Identify any relevant risks
  • Step 3: Perform a risk analysis
  • Step 4: Develop a response plan
  • Step 5: Assign owners for each risk

Overview: What is project risk management?

Project risk management is the act of taking steps to mitigate or minimize any potential issues that threaten a project’s timetable or completion.

It’s important to note the difference between issues and risks since these terms are often conflated.

A risk is something that hasn’t happened yet, but that you can take steps to predict and avoid, while an issue is a risk that has already occurred.

If you’ve made it this far, congratulations! Learning how to manage project risks is the perfect follow up once you’ve graduated beyond the project management basics.

Be sure to incorporate everything you learn here into your project management plan before beginning the execution phase.

How can you identify project risk?

There are many different ways and systems for identifying risks, but in the interest of saving your time, I’ve put together a list of my favorites:

  1. Host a brainstorming session: Invite your team and the stakeholders for a brainstorming session to think of any particular risks that might hold up the completion of this project. Have each participant write down their concerns and ideas for mitigating their risk projections, review these ideas with the group in a discussion, then finally narrow down the major concerns.
  2. Interview your team and stakeholders: Rather than put everyone on the spot, perhaps a more private setting is conducive to risk identification. Host individual interviews with the relevant actors in this project in order to gain insight into their concerns. Perhaps you might find trends in their ways of thinking that’ll point you in the direction of where your attention ought to be.
  3. Evaluate similar projects in the past: Sometimes history is the best teacher. If you are frequently running and completing projects at your organization, try rummaging through the post-project reports in order to get a sense of what issues were dealt with in the past and try to identify any key patterns.

Project risk examples to look out for

These risks could threaten to derail your project. Be on the lookout for some common project risks, which include:

  • Scope creep: When project requirements and steps tend to grow throughout the project lifecycle.
  • Budget control issues: This occurs when project budget estimates are underestimated, leading to overages during the execution phase.
  • Contract risk: When an outside party, such as a third-party contractor, fails to deliver on an obligation to you.
  • Technology risk: When technological failures disrupt project execution, such as service outages or hard drive crashes.
  • Project dependencies: Not all task dependencies are necessarily a risk, especially if they aren’t crucial. However, if a task is a precondition for a long list of other tasks, they act as possible risks.
  • Resource risk: If you aren’t able to assemble the right team or acquire a sufficient budget, that counts as a resource risk.
  • Schedule risk: If your plan relies on a significant number of assumptions and uncertainty, your project timeline might become a potential risk.
  • Resistance to change: When departments or individuals resist changes to the status quo. This can occur during the integration of teams, technologies, or processes and requires project integration management to cohesively tie them together.

There are many different types of project risks, and it’s up to you to identify and mitigate those risks if you want your project to succeed.

How to manage risk on your projects

It’s one thing to know the risks, but it’s another to actually manage and mitigate them. That’s why I’ve boiled down the entire process to these five risk management steps.

Step 1: Create a risk register

A risk register is an itemized list of potential risks, many of which I listed above, that can derail a project.

This log is typically created in a spreadsheet with a list of risks, the impact of the risk, the likelihood of the risk, the contingency cost, and the response plan.

What creating a risk log looks like

As mentioned before, this log or register will be created in a spreadsheet as a reference guide in case of an emergency. In fact, most, if not all, of your risk management will be conducted around this risk register.

These are the basic steps to create and fill out a risk register. I will elaborate on the process referencing the main list.

  • Identify risks: There are many ways to identify risks, such as holding brainstorming sessions with your team, conducting individual brain-picking sessions with your team members, and past project reevaluation.
  • Analyze risks: This is where you will conduct a risk assessment in order to determine the impact and likelihood of the identified risks.
  • Record risk response data in register: Now that you have your data, it’s time to fill out your risk register with your findings.

Step 2: Identify any relevant risks

Now that you understand the wireframe of the risk register and the basic process for creating one for your project, it’s time to move into the first major step in creating this register: identifying the risks.

I’ve already gone into detail on identifying risks, so this is just going to be a short review of the content laid out above.

What identifying risk looks like

There are so many different ways to identify risks that I’ve narrowed down the focus to my top three methods:

  • Hosting a brainstorming session: This is as simple as bringing together your team for a discussion of potential risks. However, there are a few rules to keep in mind during this brainstorming session. The first rule is to avoid criticism of suggestions. This ensures that all members of the team feel safe to contribute and that no stone is left unturned. The second major rule is to record every single potential risk that is identified, no matter how insignificant it may seem.
  • Interview your team and stakeholders: Some people don’t function as well within a large group setting. If your team functions better in a more intimate setting, try hosting individual conversations with your team members so they feel more comfortable sharing their thoughts about the upcoming project. Be sure to follow the two major rules established for brainstorming sessions.
  • Evaluate similar projects in the past: If your organization conducts a lot of projects, then you already have a treasure trove of information at your fingertips. Evaluate the post-project data for any risk patterns that might affect your future project.

While these are my three favorites, there are other ways to identify risks, such as reaching out to subject experts or conducting a SWOT analysis.

Step 3: Perform a risk analysis

Not all risks are the same. Some are large, some are small. Some are likely to occur, while some are extremely rare.

This is why it’s up to you to find out which risks require the most effort and attention by conducting a risk analysis.

What performing a risk analysis looks like

Standard risk analysis is score-based, typically measured on a scale of 1 to 10, which measures any type of value, such as money or scheduling delays.

This is done through estimations based on your conversations with your team, stakeholders, experts, or your research into past projects.

The value of the risk is calculated using the formula:

Risk Value = Probability of risk occurrence x Cost of risk

For example, let's say you estimate that there's a 50% chance of an internet outage during any given week (trust me, I’ve worked in an office where this was a reality, and it is frustrating).

That outage may cost you three days of productivity, you would write it out as so:

0.50 (probability) x 2 days (cost of risk) = 1 day (risk value)

This risk value is the amount of buffer you will want to add to your risk management plan in order to account for this potential issue.

These values will be crucial in helping you prioritize your focus in your risk register.

Step 4: Develop a response plan

You’ve identified the risks and performed a risk analysis, so now it’s time to prepare your responses for each risk.

The risk values that you calculated in your risk analysis give you a decent starting point for developing your response plan, such as additional budgets to request or additional scheduled days for certain tasks.

What a response plan looks like

Say the worst happens and the risk becomes a full-blown issue, what do you do?

There are four different ways to respond to risks when or if they become an issue:

  • Share the risk: This is also known as risk transfer. Sharing the risk involves moving some or all of the impact of a risk to a third party, such as an insurer.
  • Control the risk: Although this is not always possible, risk mitigation is an effective way to respond. This is where the risk values come into play, by either adding additional budgets or scheduled time to a project to account for potential issues.
  • Avoid the risk: If the project or task isn’t worth the cost of the risk, sometimes it’s best to eliminate the threat or further protect the project through scope adjustments, changing objectives, or clarifying project requirements and removing vagaries.
  • Accept the risk: Every project will come with some unavoidable risks, and it’s important to accept that. However, you should only accept risks if all other response methods are not possible and their occurrence wouldn’t sink the project altogether.

Whatever response you settle on, be sure to record that response plan into your risk register for future reference.

Step 5: Assign owners for each risk

Out of all the steps in this guide, this is the most straightforward step in the list.

You’ve identified the risks, analyzed their value, selected your response plans, and all you need now are warm bodies to help you mitigate or respond to those risks.

What assigning risk owners looks like

I could just say that you ought to select owners out of the people responsible for each task, but not everyone on your team is suited for risk ownership.

There are certain considerations when selecting a risk owner:

  • Clarify responsibilities: When selecting a risk owner, be sure to be absolutely clear with that individual (or individuals) what the scope of their responsibilities are. Clear expectations are crucial when a risk becomes an issue, so make sure the person responsible is up to date on every nook and cranny of the risk register. Also, be sure to establish the communication strategies you’ll use to ensure that risks are always accounted for during the execution phase of the project.
  • Proper training: In addition to ensuring that the risk owner responsibilities are carried out properly, make sure you train your owners on the exact requirements of the risk response.

Also, it may sound obvious, but make sure you choose owners who respond quickly and show serious attention to detail. The last thing you want is a small risk to blow up into a major issue all due to a poor response.

Can you use project management software for project risk management?

Yes, it is possible to use project management software for risk management, however only in certain circumstances, such as:

  • Your project management software is customizable: Many project management tools don’t come with risk management features. If you plan on tracking, measuring, and mitigating risks through project management software, make sure it has customizable fields or application builder features so you can create your own risk register.
  • Your project is small: Since you’ll be building your own risk management functions in your project management tool, it’s best to make sure you only do this if your project is small in scope. Otherwise crucial details might be lost in the mix without more elaborate risk management systems in place.
  • You’re working on personal projects: This acts as an extension of the previous circumstance, but it’s far more manageable to track and mitigate risks in personal projects in a project management tool than with full-scale corporate projects.

If you must use a project management tool for risk management, I would recommend these options based on their customizability:

In all other circumstances, I would recommend using dedicated risk management tools, since these platforms will come with risk matrices, risk reporting templates, incident management, risk analysis templates, and more.

It’s important you choose the route that is right for you. Just remember, if you feel your project can get by on custom risk management features within a project tool, be sure to reach out to vendors that’ll help you build these functions.

Now your project is prepared to weather the storms

Happy day! You understand the core fundamentals of risk management and to celebrate, why not take out your team on one of your pre-planned and budgeted happy hours.

It’s not a risk if you’ve already created a buffer for it.

Lastly, if you’re reading this piece, you’re probably at the beginning stages of planning everything out before your initial project presentation to the relevant stakeholders.

If that’s the case, why not try out a new project management methodology, like Agile or Waterfall? Check out our guide to the six most popular project management methodologies to learn more.

The Motley Fool has a Disclosure Policy. The Author and/or The Motley Fool may have an interest in companies mentioned. Click here for more information.