Project management
Chapter 8
What is project risk management?

What is project risk management?

The entire purpose of project management is to increase the likelihood of the project’s success. But, if you ask any project manager, they will inform you, that projects rarely go as planned, irrespective of how good your project management plan is. This is because, with every project, some uncertainties are associated and these can only be managed. These uncertainties are defined as project risks and their management is defined as project risk management.

If you want to dig deep into how these project uncertainties arise, it happens because in a project we assume certain things to be true without proof for planning purposes. This very process of assumption leads to the creation of project risks.

For example, we assume a critical team will work on the project, but what if the member resigns? Thus, there is a risk that needs to be managed. 


If not, it can impede the project’s progress by impacting the project schedule, dependencies, cost, timely delivery, and quality, or may end in the project failure. Thus, it is the responsibility of a project manager to manage and plan for the project risks.

In this chapter, we will discuss project risk management: what it is, why it matters, what are the steps of project risk management, what are the techniques of the project risk management, and the strategies for the project risk management.

What is project risk management?

Project risk management is the process of identifying, analyzing, monitoring, and responding to project risks to mitigate them or minimize their impact on the project outcomes.

A project risk can be defined as any uncertain event that can derail the project’s progress. For the sake of formal mention, we can divide a project risk into: positive project risk and negative project risk.

However, in the practical world, most people associate project risk with negative risks, which can impede the project’s progress or success. Throughout the chapter, we will refer to the project risk as a negative project risk.

What are the types of project risks?

What are the types of project risks

Project risks are the uncertain events that can be related to the various aspects of the project. Based on that, project risks are of five types:

  • Operational risks: It refers to day-to-day issues that may arise during execution. For example, a critical team member resigns midway, causing delays.
  • Financial risks:  These include risks related to finances, such as budget overruns and fund cutting. For example, an unanticipated increase in the cost of raw materials or resources.
  • Strategic risks: It refers to the risks related to the overall direction of the project. For example, a change in leadership results in a change in directives about the project’s objectives.
  • Technical risks: It refer to the challenges related to technology or tools used in the project. For example, malfunctions or breakdowns in tools, hardware, and software or incomplete or incompetent technology.
  • External risks: It refers to the project risks related to environmental, regulatory, or market changes. For example, changes in law or new government regulations require the project to undergo additional compliance checks or a natural disaster disrupts supply chains, delaying delivery of essential components.

Importance of risk project management

Project risk management plays an important role in ensuring the success of the project. It helps you identify and plan for project risks, develop appropriate risk management to mitigate risks and monitor and track the project risks to quickly adapt to the changing dynamics of the project. This leads to the following benefits:

  • Increase project success with early identification of project risks and mitigate and manage risks with appropriate risk management.
  • Provides a roadmap for the project team to work on quick resolution of the project risks and create a shared understanding with common artifacts and documents.
  • Help you secure the contingency fund and buffer time upfront for effective resolution and minimize the impact.
  • Make it easy to deal with project risks by monitoring throughout and providing a pre-planned response.
  • Ensure enhanced communication, transparency, and involvement with stakeholders. It helps build trust and secure buy-in.

Key steps in project risk management

The purpose of project risk management is to minimize the impact of the risks on the scope, schedule, cost, and quality of the project to increase the likelihood of project success. The role of the project manager is to manage project risks proactively to ensure the project’s success. Have a look at the key steps of project risk management.

1. Identify the project risk

The first step of risk management is to identify project risks. It includes defining all types of project risks that can hamper your project and documenting them in a risk register. There are certain techniques you can use for the comprehensive identification of the project risks.

Here is a brief explanation of some key techniques:

  • Brainstorm with project stakeholders: This is the best way to expand your potential for risk identification. Collaborate with project stakeholders including team members to generate a list of potential risks. This is because project team members are the ones who will work on the project on an operational level. Along with the inputs from project key sponsors and subject matter experts, you can ensure you are not missing any crucial project risks.
  • Historical data: If you have worked on a similar project, historical data is a great way to build a predefined list of common risks that should not be overlooked. Review the lessons learned from the risk registers of past similar projects and create a checklist.
  • Expert judgment: If you think you need expert help to plan for the project risks, seek insights from experienced professionals to identify the project risks. You can also get help from the internal SMEs also if available.
  • SWOT Analysis: This is one of the most used frameworks to examine the project’s strengths, weaknesses, opportunities, and threats. It will help you identify the project risks associated with your initiative.
  • Assumption Analysis: A project plan is created based on project assumptions. Review and validate your project assumptions to identify uncertainties and plan for the project risk mitigation.

2. Analyse the project risks

This is the step where you do the brainwork on the risks documented in a risk register. The purpose of this step is to analyze, prioritize, and categorize the project risks based on the likelihood of occurring and the potential impact of risks on the project.

Project Risk Matrix

The Likelihood (Probability) and Impact (Severity) matrix are used for it. It provides a visual way to prioritize risks based on their likelihood of occurring (probability) and their impact on the project outcomes (Severity). Let’s understand how it works.

Likelihood and impact matrix use two-axis:

  • X-Axis (Impact): It represents the severity of the risk’s impact on project objectives, ranging from low to high.
  • Y-Axis (Likelihood): It represents the likelihood that the risk will occur, ranging from unlikely to very likely.

The matrix is usually a grid of 3×3, 4×4, or 5×5 based on the scale used on the two-axis.

If we take an example of the five-part scale to assess the impact and likelihood of the risk, here is what the scale looks like:

On the probability axis (Y-axis), you can rate the risk based on the likelihood of its occurrence, using a scale of 1 to 5:

  • 1 (Very Low): Almost impossible
  • 2 (Low): Unlikely but possible
  • 3 (Moderate): Could happen, but not frequently
  • 4 (High): Likely to happen
  • 5 (Very High): Almost certain

On the impact axis (X-axis), you can rate a risk based on its impact on the project if it happens, also using a scale of 1 to 5:

  • 1 (Very Low): Negligible impact
  • 2 (Low): Slight impact
  • 3 (Moderate): Noticeable impact
  • 4 (High): Major impact
  • 5 (Very High): Severe impact

Each risk is assigned a number or score in the matrix with 1 being very low and 5 very high. Based on that, the score of each cell in the matrix is calculated.

Risk score is calculated as following:

Risk Score = Probability (P) × Impact (I)

Corresponding to the score, each cell is assigned a risk zone or priority level using a color code.

Risk zones or priority level are defined as follows:

  • Critical (Red): Take immediate action to mitigate or avoid these risks
  • High (Orange): Develop strong contingency plans
  • Medium (Yellow): Monitor regularly
  • Low (Green): Spend minimal resources

The range of the risk score zone depends on the scale you use for Probability (P) and Impact (I). Since we are using a 5×5 matrix, total possible risk scores range from 1 (1 × 1) to 25 (5 × 5), with scores from 1 to 25.

Here is a common way to assign ranges to zones:

  • Low (Green)- 1 to 5
  • Medium (Yellow)- 6 to 10
  • High (Orange)- 11 to 15
  • Critical (Red)- 16 to 25

For instance, if a risk has a likelihood rating of 4 (Likely) and an impact rating of 5 (Very High), the risk score would be 4×5 = 20.

This risk should be placed in the Critical (Red) zone and on the top of your priority list to monitor and mitigate.

Using the likelihood and impact matrix, project managers can identify the most critical risks focus their efforts, and allocate resources effectively to mitigate or minimize the impact of those risks.

3. Create a risk response plan

This is the step where you plan a response to the risk. There is a standard framework that tells how you should respond to a risk. Here are the four risk response strategies you can follow:

  • Avoid: It involves changing the project plan to prevent the risk. It is used when you can avoid the risk by making some changes. For example, a supplier might deliver materials late. So, you decide to work only with suppliers who have a proven on-time delivery record.
  • Mitigate: It involves implementing measures to reduce the likelihood or impact of the risk. It is used when you know you cannot avoid the risk but you can only minimize the impact. For example, a team member might take leave due to illness and miss deadlines. So, you cross-train team members to handle the work if the primary person is unavailable.
  • Transfer: This approach is used when you can’t eliminate or mitigate the risk yourself but someone else can. You shift the responsibility for the risk to someone else, like a third party, by paying for it or outsourcing. For example, equipment might break during a project, causing delays. So you purchase equipment insurance. If the equipment breaks, the insurance company covers the cost and repair time.
  • Accept: This strategy involves doing nothing to prevent the risk. Instead, you plan for what to do if the risk happens. You rely on a contingency plan to manage risks. It is used when a risk has a low impact, low probability, or is too expensive to address in advance. For example, it might rain during an outdoor event. So, proceed with the outdoor event but have tents or indoor backup options ready.

4. Implement the risk response

This is the step where a project manager plans for how a risk plan will be implemented. A project manager:

  • assign risk owners to each risk
  • incorporate risk response plans and tasks into the project schedule and budget
  • communicate the risk response plan to stakeholders and team members.

The purpose of this step is to have clarity of the roles and responsibilities. A project manager uses tools like project management software at this stage to implement a risk management plan.

Project management software like ProofHub helps you assign a risk owner to each risk, incorporate risk response tasks into the project schedule, facilitate team collaboration, and monitor the project plan to control risks.

5. Monitor and control risks

This is the step where a project manager continuously tracks risks and responses to those risks for effective risk management and addresses any new risks that arise.

In this step, a project manager:

  • regularly revisit the risk register and update risk statuses
  • use key risk indicators (KRIs) and performance metrics to assess the effectiveness of risk responses
  • apply risk management measures to address risks introduced by scope, schedule, or resource changes

A project manager creates an ‘Issue log’ at this step and updates the ‘Risk register’.

An issue log records risks that have converted into issues and document resolutions.

A risk register is updated because new risks are identified as they emerge. Your risk management plan is a living document that should be updated throughout.

6. Communicate about risks and document lessons for future reference

Effective communication is necessary for the effective management of the risks. This is the step where a project manager ensures all stakeholders are aware of risks and understand their roles in managing them.

In this step, a project manager uses the following techniques:

  • Risk reports: Regular updates on risk status and responses shared with stakeholders.
  • Meetings: Discuss risks during project review meetings or dedicated risk workshops.
  • Transparency: Clearly explain the rationale for decisions regarding risk responses.

For example, provide clients with monthly risk updates and highlight the risks affecting the project timeline. It helps in stakeholder alignment and builds agreement and understanding about risk management actions.

In the end, lessons learned are documented. A project manager keeps detailed records of identified risks, decisions made, and mitigation strategies and documents what worked and what didn’t for reference for future projects.

Strategies to mitigate and manage risks

Managing risks effectively involves proactive strategies to reduce their likelihood or impact. Below are key strategies to mitigate and manage risks:

1. Contingency planning

This strategy involves preparing backup plans to address high-priority risks, ensuring the project can continue with minimal disruption. Contingency plans typically outline alternative actions, additional resources, or pre-approved budget reserves.

For example, a software development project might allocate reserve funds to cover unanticipated licensing fees or delays in securing tools.

2. Avoiding scope creep

Scope creep refers to uncontrolled changes or additions to a project’s objectives, which can lead to resource shortages and timeline overruns. To mitigate this, clearly define the project’s scope at the start and establish approval processes for any proposed changes.

For example, introduce a formal change control process, requiring stakeholder sign-off for any scope adjustments, ensuring alignment with project priorities and capacity.

3. Continuous monitoring

Risks are not static. They evolve throughout the project lifecycle. Regularly review and update your risk management plan to identify emerging risks, reassess existing ones, and refine mitigation strategies.

For example, a construction project might hold weekly risk review meetings to evaluate factors such as weather changes or supply chain disruptions.

Best practices for project risk management

Here are some of the best practices you can adopt for project risk management:

  • Be proactive: Risk management should start early in the project and continue throughout its lifecycle. It helps you resolve risks easier and cheaper before they escalate into problems.
  • Involve the entire team: Risk management is not the responsibility of just one person. Involve the entire team. Team members provide you with diverse perspectives and expertise to identify risks that might otherwise be overlooked.
  • Use clear and simple processes: Develop straightforward risk management processes and tools that everyone on the team can understand and use.
  • Stakeholder involvement: Engage stakeholders throughout the risk management process. It helps bring clarity and ensure stakeholders’ buy-in.
  • Adaptability: Be prepared to revise risk responses as the project evolves. This is because new risks keep emerging throughout the project.

Real-world example of risk management in action

Project: Software development project

  • Risk identified: A key developer may leave the team.
  • Risk analysis: Probability: High, Impact: High, Delays in critical feature development
  • Risk response plan:
    • Cross-train team members to cover critical tasks.
    • Hire a contractor as a backup.
    • Prepare a contingency plan for task reprioritization.
  • Risk monitoring: Weekly team check-ins to assess workload and morale.
  • Risk communication: Communicate with key project stakeholders about the risk.

Implement the risk management plan to mitigate or minimize the impact of risks on the project.

Recognized by leading industry leaders

Capterra shortlist 2024 GetApp 2024 saasworthy 2024 G2 high performer Software advice Trusted vendor
Seamlessly visualize your progress, easily spot bottlenecks & create custom workflows at one place for better performance.
Start your 14-day free trial
No per user fee.
No credit card required.
Cancel anytime.
ProofHub Articles
Apple store Play store
© 2025 ProofHub