Introduction to Project risk management

Project risk management is frequently overlooked yet is one of the more critical elements of successful project delivery. Generally, delivering a project’s defined scope on time and within budget are characteristics of project success.

Unfortunately, these success factors are often not achieved, especially for large complex projects where both external influences and internal project requirements may change significantly over time.

Project risk management is a continuous process of identifying, analyzing, prioritizing and mitigating risks that threaten a project’s likelihood of success in terms of cost, schedule, quality, safety and technical performance.

Organizations and owners often consider project risk management activities as “nice to have” on a project rather than as a core component of project controls. Additionally, there is some confusion between organizations and project teams as to what exactly constitutes risk management activities.

In this tutorial, we provide a standard framework for risk management and discuss implementation techniques for projects of all types and sizes.

This should provide you with a better understanding of how to address the following challenges:

  • Do we have a comprehensive project risk management policy?
  • What elements of project risk management are necessities for our organization to implement?
  • How do we balance the requirements and controls of a risk management programme with efficient and streamlined project execution?
  • Are our current project risk management procedures effective at mitigating project risk?
  • How do we align our project specific risk management activities with our enterprise risk management objectives?
  • What are some key questions we should be asking about project risks throughout the project lifecycle?

Defining project risk management

The objective of project risk management is to understand project and programme level risks, minimize the likelihood of negative events and maximize the likelihood of positive events on projects and programme outcomes.

Project risk management is a continuous process that begins during the planning phase and ends once the project is successfully commissioned and turned over to operations.

Construction owners, project teams and contractors often define and apply risk management activities differently on a project. Owners may use informal or ad hoc practices, such as stage gate approval, that they interpret as risk management activities; contractors may define risk management as tracking potential change orders; and project teams may express the view that “everything we do is risk management”.

While all of these activities help to identify and manage discrete elements of project risk, they do not fully describe a comprehensive approach to project risk management.

A comprehensive project risk management approach should have the following components, which should be scalable to the specific project’s size and type:

  1. Strategy and planning;
  2. Risk identification;
  3. Analysis (quantitative and qualitative);
  4. Response planning; and
  5. Monitoring and control.

1. Strategy and planning

Strategy and planning activities set the foundation for a risk management programme and ultimately determine whether the initiative is successful. During the strategy and planning phase an organization will define how risks are addressed and managed. Strategy and planning should take into consideration:

  • Corporate or enterprise-wide risk management guidelines (including tolerance level for risk);
  • Available resources (staffing, budgets);
  • Preferred reporting and communication protocols; and
  • The organization’s strategic objectives.

Strategy and planning activities include:

  • Assigning roles and responsibilities related to risk management activities;
  • Identifying and defining requirements for project stakeholders regarding risk management activities;
  • Establishing common risk categories for identified risks. Categories can either be based on common industry risks or on the organization’s risk categories (e.g. construction, financial, operations, governance, etc.); and
  • Developing a risk matrix and assigning risk ratings to identify risks. The risk matrix should define risk ratings based on probability and impact by taking into account the organization’s risk tolerance.

2. Risk identification

Risk identification is the identification of all possible risks that could either negatively or positively affect the project. It is important in the risk identification process to solicit input from all project stakeholders, including those outside the core project team. Potential contributors to risk identification include:

  • Project team members (planners, engineers, architects, contractors, etc.);
  • Risk management team members;
  • Subject matter professionals (IT, Safety, Legal, etc.);
  • Customers (internal and external);
  • End users; and
  • Organisation management and leadership.

The likelihood of successfully capturing all project risks increases with frequent communication and feedback amongst team members and stakeholders. These discussions should attempt to identify inaccuracies, inconsistencies and assumptions regarding the project.

The resulting product of these working sessions should be the initial list of identified risks. From the initial list of identified risks, a risk register or log can be populated to ensure that all risk items are analyzed, prioritized and monitored. Risk registers should typically include the following fields:

  • Risk type;
  • Description;
  • Cost impact;
  • Probability;
  • Risk level;
  • Possible responses; and
  • Action owner.

3. Analysis

The analysis phase determines the likelihood and impact of each identified risk and prioritizes risks for management attention. Successful risk analysis requires objective thinking and input from those most familiar with the area affected by the possible risk. Analysis is typically a two-step approach:

Step 1 – Qualitative analysis

For the qualitative analysis, the project team assigns a priority level (e.g. high, medium, low) to each risk. The priority level should be aligned with the organization’s risk management plan, risk tolerance level, and other organizational objectives.

The priority levels can be used to rank the risks on the risk register and develop efficient response plans that focus attention on items with a higher priority. It is important to identify all potential risks that will require follow up by the project team.

Step 2 – Quantitative analysis

For the quantitative analysis, the project team assigns a most likely cost value to each identified risk. This value takes into consideration both the probability and potential impact of the risk event occurring. Determining probability and impact can result from a variety of exercises including:

  • Interviews – gathering impact and probability data for a range of scenarios (e.g. optimistic, most likely and pessimistic)
  • Decision trees – comparing the probability of risks and rewards between various decisions
  • Model simulations – conducting a project simulation in order to quantify potential impacts to the project.

4. Response planning

Response planning is the phase where the project team develops response actions and alternative options to reduce project risks.

Project teams use response planning to decide ahead of time how they will address possible risk occurrences and how they will avoid, transfer, mitigate or accept project risks. Response planning must take into consideration available resources and potential repercussions of the response plans.

The goal of response planning is to align risks with an appropriate response based on the severity of the risk along with cost, time and feasibility considerations. Risk response planning includes:

» Assigning responsibility for identified risks to appropriate project team members or stakeholders. It is imperative that the assignment takes into consideration the individual’s capability to address specific risk areas. Assigning a risk to someone who has little or no knowledge of a risk area is not an effective risk planning approach.

» Developing a response plan to address the identified risk. This process should be iterative and include all stakeholders affected by the risk. Common options for response include:

  • Avoidance – modifying the project plan to avoid the potential condition or occurrence
  • Transference – shifting the consequences and responsibilities associated with the risk to a third party (often accomplished by contractual agreement)
  • Mitigation – taking preventative action to reduce the probability of risk occurrence or impact on the project
  • Acceptance – proceeding as planned and accepting the outcome of risk.

» Finalising and documenting the various risk responses identified by each responsible party. The plan should clearly define the agreed upon response for risk, the responsible party, results from both the quantitative and qualitative analysis and a budget and timeframe for the risk response.

5. Monitoring and control

The final step of risk management is monitoring and control. This process should be set up to track potential risks, oversee the implementation of risk plans, and evaluate the effectiveness of risk management procedures.

Monitoring and control should occur throughout the project lifecycle and help improve and guide the overall risk management process. This step should:

  • Equip management and the project team to make informed decisions regarding risk;
  • Evaluate the effectiveness of risk response actions; and
  • Identify risk characteristics that appear to have changed from what was documented in earlier identification and analysis stages.

Monitoring and control are essential for maintaining effective and efficient risk management; they are a barometer for determining how well your risk management plan is designed.

If monitoring and control reveal certain risks are not being mitigated or avoided as planned, then an adjustment can be made to the response plan.

Likewise, if monitoring and control reveal that an identified risk is unlikely to materialize, the plan can be adjusted to re-prioritize the risk to a lower level.

Potential benefits of risk management

Although a well-designed and well-executed risk management process can significantly reduce the risk of failure, performing a comprehensive risk analysis may be costly and burdensome for smaller projects with limited complexity.

As noted earlier in this paper, risk management processes should be scalable to the size and complexity of an organization’s programme or project.

To achieve this, an organization should consider defining a baseline set of procedures to apply to all projects along with a more rigorous set of procedures for high-value, complex projects.

The value of risk management has traditionally been a difficult concept to quantify. Many organizations and project teams understand the risks as they impact their respective roles on the project. However, without risk management diminished.

The two case studies below help demonstrate the value and benefit of a comprehensive risk management process.

Case Study 1 – New medical office building – $30 million

Risk description: In order to commission the building at the completion of construction, the utilities needed to be connected to the utility system (gas and electric). Throughout the project, the team could not get a commitment from the utility company when they would complete the connection. This risk was never communicated beyond the project team and there was no analysis of the impact for a delay or an alternative plan developed to address the risk.

Impact: The risk ultimately did occur and resulted in the need for temporary generators, an increase in the contractor’s general conditions and several months delay to the project completion.

Case Study 2 – New bridge construction – $600 million

Risk description: During the design and planning stages of the project, a decision was made to rely on a geotechnical report that was 30+ years old and in a different location than the planned bridge foundations. The engineers designing the bridge understood this as a risk; however, there was no process in place to capture this risk and quantify or communicate the risk to project leadership or to the team responsible for managing the construction phase of the project.

Impact: The bedrock in the actual location of the bridge foundations was substantially different than the geotechnical report indicated. This resulted in a complete redesign of the foundations and several months delay on the project. The financial impacts were greater than $30 million.

In both case studies, the risks were well known by the project teams and could have been avoided or mitigated if a risk management process would have been in place.

Having a risk management process would have allowed the organizations to track, quantify, plan and communicate the risks to individuals with the capability to help mitigate or avoid the risk.

Embedding risk management into day-to-day activities

Effective risk management is typically achieved when an organization undertakes an active commitment to integrating risk management into their project protocols and controls. Primary considerations for an organization to establish an effective plan include:

  • Allotting appropriate resources to perform risk management activities;
  • Creating an environment that embraces and promotes risk management and actively encourages and pursues risk management at all levels of the organization; and
  • Clearly defining and training personnel on risk management controls.

Many companies set up separate project management organizations (PMOs) to manage the unique risk of major capital programmes. This assists the organization in aligning dedicated resources with specific skill sets and team structure to manage major construction projects.

A well-defined risk management process can help to greatly increase project and programme success. However, risk management has traditionally been overlooked and is considered by many to be one of the more fuzzy areas of project management.

At a minimum, organizations with significant capital expenditures should clearly define their procedures and expectations for risk management, communicate its importance, adequately train its personnel, and monitor high-risk projects for compliance with risk management procedures.
