Comprehensive Guide to Project Risk Management Process (2021)

I was sitting in the office at my laptop. I’ve created a perfect plan to fix the problem that may appear in a few days.

It was my first project. And it made me a little proud of the solution I developed.

In a few days, it happened!

With all enthusiasm, I escalated it to the management.

At once I provided my plan to overcome the problem.

In a few hours of intensive meetings, senior management accepted the plan.

The problem was solved fast and easy.

But once everyone left my mentor came to me:

It was a hard hit.

But, if you think about it:

1. It was much cheaper and less stressful to inform about the possible issue.
2. Discuss it with an expert in a quiet meeting.
3. Do not disturb several senior-level managers and engineers. And,
4. We could come to the same result without escalation.

That’s how I came up to use this risk management process.

Short Glossary of Project Risk Management

A Risk in terms of PMBOK Guide is:

An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.

But you should also keep in mind this critical aspect of risk management. As David Hillson points out in his article:

“Unfortunately, the concept of overall project risk is usually overlooked in the Project Risk Management approach adopted by most organizations. This means that our risk processes focus exclusively on individual risks and we fail to identify or proactively manage the overall risk exposure associated with our projects.”

So, as we talk, keep in mind the overall project risk level as well.

An Opportunity is an event or condition that has a positive effect. As a project manager, you need to try and leverage opportunities.

The Impact is the effect of risk or opportunity. The effect may influence the feasibility, costs, durations, overall risk level, availability of resources, a person, and so on.

We can assess risks qualitatively as Low, Medium, High impact.

We can also describe the impact as a monetary or duration value as $2450 or 7 calendar days of delay.

Probability is the likelihood of risk or opportunity to happen.

Again it can be Qualitative like Low, Medium, High probability. Or Quantitative as 75%.

Risk Response or Risk Respons Plan is the action you will take to try to avoid or mitigate risk.

Example of Risk Management Process

Before you start digging into each step. Here’s what I want to show you:

The examples of the process!

Why?

You may have a limited view on risk management. You may think about it only in terms of scope, time, and costs.

Therefore, you will develop responses to the plans with this limited mindset.

However, dealing with risks and opportunities, you need to be creative.

It helps you to come up with more efficient solutions.

So, review this article to learn what you can do with a risk:

Risk Management Examples: 9 Behind the Scenes Stories

Seven Steps of Project Risk Management Process

Below is an overview of the seven steps of risk management.

Each step is a separate process. There are in-depth articles for these steps. So, you can dive deep into each different process.

Risk Management Process Overview

1. Plan Risk Management

As all in project management – it starts with planning.

Why?

Well, there’re many reasons:

1. Risk Management takes all the project documentation, processes, and workflows as an input. Everything is a source of risks.
2. You don’t do Risk Management alone. You need to know your stakeholders. So, you need to plan their engagement.
3. You need to collect the assets and knowledge that your organization has. It helps you to avoid creating a wheel.

So, you need a simple Project Risk Management Plan.

It should cover the details for each step we discuss below.

Keep in mind:

There is no such thing as a universal risk management approach. You need to select tools, techniques, and processes for each project individually.

You can find all the details here:

Simple Project Risk Management Plan that Works

2. Identify Risks

The next step is to identify risks.

You do it with techniques described in the Risk Management Plan. You use these techniques at the spots and with project information you identified in the plan.

Here, you can learn about the most efficient risk identification techniques:

Do You Know These 6 Practical Risk Identification Techniques?

There’s one technique that makes the process efficient.

But many companies neglect it.

Why?

It takes efforts and dedication to collect lessons learned.

The main by-product of lessons learned for Risk Management is the List of Risk Categories.

Below you will find 43 Risk Categories as a kickstart. Expand it with your own ones throughout your career.

Read about it here:

43 Important Risk Categories for Effective Risk Identification

How many risks should you have after Risk Identification?

Here’s the truth:

Even on a small project, there are up to a hundred of risks.

What should you do with all of them?

You need to log them all into a Risk Register.

Don’t evaluate them – write them down!

Here you can learn everything about the Risk Register and get a template:

Risk Register – All You Need to Know About It

3. Perform Qualitative Risk Analysis

Dealing with all risks is costly.

You will never have a project that allows tackling all the risks.

You need to select risks that have the most severe adverse effect on the project. Moreover, the probability of such a threat should be adequate.

Therefore, by performing Qualitative Risk Analysis, you go from a hundred of risks to maybe a dozen.

You take this dozen of risks to the next step in the process. You will Plan Risk Responses.

The rest of the risks remain in the Risk Register and get into a Watch List section.

Why?

Risks can evolve and change their Impact and Probability during the project lifetime.

Learn how to perform Qualitative Risk Analysis here:

How to Perform Qualitative Risk Analysis for the First Time

4. Perform Quantitative Risk Analysis

(Optional for small and medium projects)

You may analyze risks further by identifying specific numbers for probability in percents and Impact – in dollars.

By multiplying the numbers, you get the monetary impact of a risk. It’s called the Expected Monetary Value (EVM).

Here’s an excellent article by Harry Hall on this topic:

Evaluating Risks Using Quantitative Risk Analysis

But for smaller projects, you usually don’t need quantitative risk analysis. It doesn’t provide many benefits for the efforts you put into it.

5. Plan Risk Responses

So, now you have a dozen of risks you will work with.

What should you do?

• You can do something to avoid risk.
• You can do something to reduce Impact and/or Probability of a threat.
• You can do nothing and let the risk happen but use the reserves to minimize the negative impact.
• You can do nothing and accept the risk and its effects.

But don’t limit yourself to some standard actions:

Sometimes you need to look beyond your Gantt Chart, your budget, and the team that you have.

Here, you can read more about Risk Response Strategies:

Risk Response Strategy (Definitive Guide with Examples)

6. Implement Risk Responses

Each Risk Response Plan is a part of your Project Management Plan.

• It’s an amount of budget allocated for the specific risk.
• It’s a separate task someone needs to perform.
• It’s a new process you developed.

So, at a specific moment of your project, someone needs to implement the Risk Response plan. Moreover, this person should report on progress.

Also, you need to do specific actions:

• Assign a Risk Owner. Each risk should have an owner. This person will monitor and work specifically on allocated risk when the time comes.
• Communicate with stakeholders about the upcoming risks and responses you will do.
• Collect data about the risks: number of risks that happen or didn’t occur. The efficiency of risk responses and impact of risks on schedule, budget, scope of work. Also, don’t forget about the client’s happiness.
• Identify any residual risk after you implemented risk responses.

These activities go across the board of all project management efforts. Each risk response is like a micro sub-project.

Here’s a tip:

Delegate ownership for implementing risk responses as much as possible. You need to focus on the bigger picture of project progress, overall risk levels, and new sources of risks.

7. Monitor Risks

As with all controlling processes in project management, it’s the same thing here.

You need to ensure that your risk responses are efficient and timely.

You need to keep an eye on new risks that appear. And they do appear all the time!

Also, you need to control the overall risk level for the project.

At some point, you may feel the need to make changes to the project baselines or your risk management approach.

Sometimes new risks may challenge the feasibility of your project.

So, you need to assess all the input that you get.

Here are some more practical tips on identifying new risks:

How to Identify Risks in Project Management (a practical guide)

If you want to get all these articles as one PDF get access to PM Basics Library.

What Should You Do if Risks Messed Up Your Project

Following this process doesn’t safeguard you from problems.

• You may fail to identify a severe risk.
• Your risk response plan may appear inefficient.
• Small risks may get a severe commutative effect.
• Some risks will be out of your control.

So, you need to be ready to lead your project through this crisis.

And here the catch:

You need to focus your efforts on getting your project back to the project plan.

I mean you should not re-plan the whole project. That will create new risks.

You need to develop corrective actions that will put the project back on track.

If there is no way you can do that – only then recommend canceling the project. You can start all over again with new input.

It will ensure you will waste the client’s money for nothing.

Read more about resolving project management crises here:

How to Survive Project Management Crisis

Test Yourself in Risk Management

Do you think you know enough about Project Risk Management?

Take this short quiz and identify gaps in your knowledge.

In the end, I provide correct answers and explanations.

A document you use to capture all known risks is called:

• A. Risk Log.
• B. Risk Register.
• C. Risk List.
• D. Risk Diary

Next Question

On a Friday evening John (your best engineer in the team) comes to you and says he quits. You have two weeks to find a substitution. What would reduce the chances of such an event? Why?

• A. Regular one-on-ones with John.
• B. Comprehensive professional development plan.
• C. The highest salary in the team.
• D. More responsibility.

Next Question

A process that involves prioritizing risks for further action or analysis by assessing the impact and the probability of occurrence is called

• A. Qualitative Risk Analysis
• B. Risk Brainstorming
• C. Quantitative Risk Analysis
• D. Risk Retrospective

Next Question

When do you perform Risk Identification?

• A. At the beginning of a project.
• B. During project planning.
• C. During the whole lifetime of a project.
• D. During project execution.

Next Question

As a part of your project, you need to organize a conference. You learn that in the place that you rented there's a 70% chance of a tropical storm on the selected dates. How should you handle such risk?

• A. Change the location of the conference.
• B. Buy insurance to cover possible damage.
• C. Book another place nearby to mitigate the risk of the first location unavailable due to the storm.
• D. Inform all participants of the possible storm.

Next Question

Who should be involved in Risk Management activities?

• A. Only Project Team.
• B. Only Project Manager.
• C. As many stakeholders as practical.
• D. All stakeholder except clients.

Next Question

You acquired an expensive piece of equipment for your project. It is know to be sensitive and fragile in work. Several tasks that require this equipment are on a critical path. What's the BEST action you can do to improve project's chances for success?

• A. Buy insurance to cover the costs of repairs.
• B. Hire a technical support team to quickly fix the equipment if needed.
• C. Find a good expert to operate the equipment.
• D. There's nothing you can do.

Next Question

You are on the call with clients. They say the vendor team they hired to create designs is behind schedule. What should you do?

• A. State that your project is also behind the schedule because of it.
• B. Log the risk into Risk Register to assess impact.
• C. Do nothing. It's not your problem.
• D. Contact the vendor to help them out.

Next Question

After you performed Qualitative Risk Analysis you need to create:

• A. A prioritized list of risks.
• B. List of risk for additional analysis and investigation.
• C. List of urgent risks
• D. Watch list
• E. All the above

Next Question

After reviewing Risk Register you see two critical risks that you anticipate during the next week. What should you do with this knowledge?

• A. Do nothing. Your Risk Register is shared with the team and stakeholders.
• B. Reach out to the stakeholders and the responsible person with a reminder.

Finish Quiz

---