Project Risk Management explained

Project Risk Management

Project Risk Management: this article provides a practical explanation of project risk management. Next to what it is (definition), this article also highlights the question what is a risk, risk management versus project management, the steps to start with project risk management and some useful methods. After reading, you will have a basic understanding of this project management tool. Enjoy reading!

What is Project Risk Management? The theory

The definition of Project Risk Management

Project risk management is the process that project managers use to manage potential risks that may affect a project in any way, both positively and negatively. The goal is to minimise the impact of these risks.

A risk is any unexpected event that can affect people, technology, resources, or processes (including projects). Unlike a regular problem that may arise, risks are incidents that may occur suddenly, sometimes entirely unexpected.


Project managers do not always know which risks the project is exposed to, when they occur, and why. Due to this high degree of uncertainty, project risk management requires a serious and in-depth approach.

In short, the Project Risk Management process consists of identifying risks, analysing them, and subsequently responding to any risks that may arise throughout the project life cycle.

This is done to limit the consequences of the risk as much as possible, so that objectives can continue to be met.

Generally speaking, risk management is not a reactive activity. To find out which risks may arise, risk management must be included in every planning process. Which risks are there that may influence the project, and how can these risks be controlled?

What is a risk?

A risk is anything that may affect a project’s performance, budgets, or timeline when it materialises. Risks are therefore possibilities; there is a possibility that a certain incident may affect the project. “Individual” risk is defined as an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.

In practice, risks are often associated with problems that need to be addressed. Risk management is therefore the process of identifying, analysing, and responding to risks before they actually become problems.

Who conducts Project Risk Management?

Although Project Risk Management works the same for every project, it can take different forms. Different types and sizes of projects require a different approach to risk management.

In many large-scale projects, a relatively large amount of attention is paid to comprehensive risk management and mitigation strategies for when problems arise.

For smaller projects, a simple prioritised list of high, medium, and low priority risks is sufficient.

Project Risk Management: Risk management vs project management

Risks are inevitable in organisations, and virtually every other project is exposed to risks. The project manager has the responsibility to ensure that the impact of risks is minimised.

Generally speaking, project risk management consists of the following steps.

The rest of this article will take a closer look at the various aspects of project risk management also as a project management tool.

Steps to start with project risk management

Figure 1 – steps to start with project risk management

Step 1: Risk identification

The first step in Project Risk Management and the creation of a risk management plan is identification. Another term for a risk management plan is a risk register. When identifying risks, the assessor may work in different ways.

For example, they may look up information about similar projects in the past. Various brainstorming techniques are also used to refresh team members’ knowledge of past projects and risks, or to share new innovative mitigation strategies.

There are different types of risks, such as operational or business risks. Different risks are borne by different people. The risks that often directly affect a project include:

  • Financial risks (budgeting)
  • Legal risks
  • Supplier risks
  • Physical risks to employees
  • Strategic risks

Step 2: Risk Analysis

After various risks have been identified, it is important to evaluate them. Risk analysis is usually done in a qualitative or quantitative way. Subsequently, risks are categorised based on two criteria: the probability that the risk will actually occur, and the severity of its impact. Both criteria are assigned a value, ranging from high, medium, to low.

The risk is then assigned a category and processed in a matrix.

Risk Analysis example - toolshero

Project Risk Management: the Qualitative Risk Analysis

Qualitative Risk Analysis is a subjective evaluation of the probability and impact of each risk. Responses are subsequently devised for the various risks, or alternatively a risk is analysed again, but in a quantitative way.

An advantage of the qualitative Risk Analysis method is that it is relatively quick and easy to implement. It is also ideally suited for people who do not have skills in calculating probabilities and statistics.

A qualitative risk analysis also has drawbacks, however. The results can be ambiguous or difficult to explain, for instance.

Quantitative Risk Analysis

Quantitative Risk Analysis is the numerical analysis of the probability and impact of identified risks. The main focus is on which risks and activities contribute most to achieving the project objectives.

Quantitative Risk Analysis is less ambiguous and can be easily explained on the basis of input: numbers. The probability and impact can be analytically combined in a correct way. Contingency plans can be drawn up on the basis of the data resulting from quantitative risk analysis.

A disadvantage of quantitative risk analysis is that the development of models and simulations is time-intensive and external expertise is often required.

Step 3: Risk response

As soon as it is clear where the greatest risks come from and which is the most important to deal with quickly, corrective measures must be taken. When it comes to risks within project management, the project manager or risk owner has four options for responding to a risk. These are explained below.

Option 1: Avoiding the risk

Avoiding a risk means that the chance that the risk will occur is reduced to as close to zero as possible. Usually risk avoidance involves making different decisions or making some adjustments to the original project plan.

Suppose a project manager is warned by someone about an increased risk of bankruptcy with certain suppliers. He or she can then decide to choose another supplier. This avoids the risk of the impact of bankrupt suppliers.

Option 2: Limiting the impact of the risk

Limiting a risk means reducing the impact of a risk incident. By mitigating risks, you ensure that the impact of a risk is reduced.

An example of this is a project risk in the test phase of, for example, a product. By testing more and better, risks are not prevented, but every effort has been made to limit the possible consequences of a negative event that may occur.

Option 3: Transferring the risk

Transferring a risk involves moving responsibility for dealing with the consequences of a risk to someone else. A well-known example of this is taking out insurance.

For example, a private individual can take out luggage insurance so that he or she does not have to deal with any financial consequences. The impact of the risk of something happening to the luggage is then dealt with by the insurance company.

The private individual receives compensation for the damage suffered in the event that the risk of luggage theft or damage becomes reality.

Option 4: Accepting the risk

The final option for dealing with risks is to simply accept the impact an event can have once it becomes reality. Accepting risks may be sensible if the chances of a risk are relatively low and the costs of mitigating it are high.

Accepting a risk is not the same as not making a decision or hiding from a problem. In many ways, it is a risky response to a risk, but risks are always weighed and factored in.

Step 4: Implementing a risk response

The fourth step is to implement responses to various risks. Each risk response is part of the project management plan. A risk response may come in many forms:

  • A budget allocated for a specific risk
  • A task assigned to a specific person
  • Development or implementation of a new process

In project risk management, it is important that a responsible person is assigned to each risk. It is this person who supervises the risk and specifically works on controlling and managing a risk.

This person communicates with all stakeholders about the status of the risk and the impact that the risk may have and what the response looks like.

This risk manager collects as much information about the risk as possible. This approach should be applied across the board in project management activities. Each risk response must become a small sub-project, as it were.

Project Risk Management Tips for risk responses

Consider the project objectives

In order to establish the optimal risk-response strategy, it is important that the main goals of the project are considered.

Trade-offs will probably be necessary because it is difficult to always have time, quality, and costs go according to plan. Understanding the deep goals of a project will help the project team plan the right response to the right risk.

Prioritise risks within your Project Risk Management

Giving priority to a certain risk is important because it ensures that certain resources are allocated to a particular function or task.

If it is a risk with a high probability of occurrence and high impact, it goes without saying that sufficient resources must be deployed to minimise both the impact and probability.

Involve stakeholders

The more collaboration and communication there is between project team members and other key stakeholders, the faster and more effective the identification of potential risks and the better the risk response planning.

Step 5: Monitoring the risk

As with all control processes and roadmaps in project management and other business situations, it is important that both the measures taken and the current situation are monitored.

This is important to ensure that risk responses remain effective, fast, and efficient. The status of the risks and their expected impact and probability must be constantly monitored.

There should be considerable dynamism in this during the project life cycle. If the risks are too high at a certain moment, you will have to act on them. At worst, risks endanger the feasibility of a project. All information that may relate to a risk must therefore be assessed.

Effective Project Risk Management methods

It is important to identify the main risks so that the team can effectively prepare responses to them. In other words, it is crucial to identify the most impactful risks. Various tools can be used for this.

Failure Mode and Effect Analysis (FMEA)

FMEA can be used in identifying risks as a way to find cause-effect relationships of risks that may impact a project.

Failure Mode and Effect Analysis (FMEA) is also used to perform qualitative risk analysis. The advantage of FMEA is that it adds the dimension of risk detection. For instance, how likely is a potential risk to be detected?

In this way, three parameters are kept for all risks: the probability that the risk will become reality, the impact of the risk if it occurs, and the probability of detection of the risk.

Risk Bow Tie diagram

The Risk Bow Tie diagram is a tool that visualises the risk in an easy-to-understand way. The diagram is in the shape of a bow tie, and shows a clear division between proactive and reactive risk management.

The strength of the bow tie diagram is that it provides an overview of several plausible scenarios in one image. This provides a simple and visual way of presenting risks.

Decision Analysis

Decision Analysis formally identifies and analyses important aspects of a particular risk. The method follows a specific step-by-step plan to guide the project team through the risk decision-making process. The RACI matrix (responsible, accountable, consulted, informed) helps to identify and define the different roles in the decision-making process.


Now it’s your turn

What do you think? Are you familiar with the explanation of project risk management? Have you worked on projects in which a lot of attention was paid to project risk management? Can you give an example of a project in which the absence of good risk management had negative consequences? What else do you believe is important in project risk management? Do you have to deal with risks that can potentially impact your business?

Share your experience and knowledge in the comments box below.


How to cite this article:
Janse, B. (2020). Project Risk Management. Retrieved [insert date] from Toolshero:

Original publication date: 05/07/2020 | Last update: 12/04/2023


Article by: Ben Janse

Ben Janse is a young professional working at ToolsHero as Content Manager. He is also an International Business student at Rotterdam Business School where he focusses on analyzing and developing management models. Thanks to his theoretical and practical knowledge, he knows how to distinguish main- and side issues and to make the essence of each article clearly visible.

