What is Risk Management: a complete guide

The world in which we live is undoubtedly full of risks: What are the chances of a natural disaster hitting a certain region? How likely is a car accident under certain conditions? What is the possibility of a construction failure? Although we encounter some level of danger every day, risk management allows us to put measures in place to avoid disasters most of the time.

While we could continue to speak of natural risks or those present in our day-to-day lives, “project risk” is an entirely different type of risk which will be discussed here. We will explain not only what risk management in project management is, but also the essential processes, tools, and methods used in managing risk.

Please note that opportunity management is just as important and goes hand in hand with risk management. We often refer to “R&O Management” for this reason. To simplify reading, however, we will refer to both risk and opportunity management as simply “risk management”.

What is Risk Management in Project Management?

Simply put, Project Risk Management is the set of processes a company implements to protect its projects from possible threats and to take advantage of opportunities.

According to the PMBOK® Guide, risk management is defined as the “systematic process of identifying, analyzing, and responding to project risks.”

Risk management allows us to:

  • Identify events that are either undesired (threats) or desired (opportunities).
  • Understand the impacts of these events on a project’s objectives.
  • Work to reduce their negative effects (or to reap their benefits in the case of an opportunity).

In many sectors today, risk management is not only gaining importance, but has also become a regulatory requirement, and several standards (such as ISO 31000) now exist. Therefore, it must be integrated into the organizational strategy and become part of all project activities.

When integrating R&O Management into project management activities, it’s important to have a robust risk management process, a tool that project managers should implement right from the start of their projects. This allows us to identify and characterize risks for a more informed view of the project, to account for the cost of risks early on, and to make informed decisions throughout the life of the project.

Project Risk Management sets organizations up for success, and that’s why Risk Managers are integral members of project teams.

Enterprise Risk Management and how it differs from Project Risk

While Project Risk Management is a framework aimed at protecting projects from threats, Enterprise Risk Management (ERM) is a set of processes that a company implements to protect its organization from possible threats (or to take advantage of opportunities). Therefore, Enterprise Risk Management usually concerns the entire portfolio of initiatives and can extend across their supplier network.

ERM involves identifying risks to the business, preparing a mitigation strategy, and managing this strategy across different business units. Such risks are often strategic and can have significant financial implications for the company.

Unlike project risks, which can be treated on a much smaller scale, enterprise risks may require the cooperation of several departments or divisions. Therefore, it can be helpful to have a dedicated team of Enterprise Risk Managers who can liaise with the departments. This team would also work closely with the Program and/or Portfolio Management Offices as well as the Risk Center of Competence.

Although an ERM strategy is more strategic and high-level, an organization with a robust Risk Management framework is also likely to excel in its management of project risks.

What are Project Risks and Opportunities?

Now that we understand what processes govern R&O Management, it would be helpful to define what individual risks or opportunities would look like for a project.

A project risk is an uncertain event that would have a negative impact on at least one of the project’s objectives (Time, Cost, Quality, Scope, Performance) if it occurs.

For example, a risk event could be: “the inability of supplier X to conduct feasibility studies on a modification Y by the end of next year”. The cause of this risk could be that the supplier’s resources are heavily utilized on other projects. The consequence would be a delay in implementing change Y. A risk response strategy could be to subcontract out the work or to identify other internal resources capable of conducting the study.

Notice that risks are best described by 3 basic characteristics:

  • An event description,
  • A probability of its occurrence, and
  • Its potential impact on the project objectives.

Each risk must be self-explanatory (clear to the reader) and can be supplemented by its causes.

An opportunity on the other hand, is an uncertain event that would have a positive impact on at least one of the project’s objectives if it occurs.

For example, an opportunity event could be: “Do not perform activity Z”. The causes of this opportunity could be that other feasibility studies are in progress, and the consequences would be a financial gain equal to the cost of activity Z. To allow this opportunity to occur, the response strategy would be to simply not carry out activity Z.

How to classify Risk Events

It is common to confuse the notions of unknown, contingency, risk, issue, and improvement. However, understanding these terms and how to classify each event is important to ensure consistent and effective Risk Management across your entire team.

The key questions to ask are:

  • Can you identify what the event is?
  • How likely is the event to occur?
  • Will the event have a positive or negative impact?
  • How much will the impact be on your organization?

[Figure: How to identify an event as an improvement, issue, risk/opportunity, contingency, or unknown]

Although “unknowns” fall outside the scope of risk management, they should not be underestimated. Unknowns can significantly impact the project objectives (time, cost, quality). It does sound counter-intuitive to prepare for what you don’t know. If you think about it, however, most of us already do this in our daily lives. For example, most people keep a certain amount of money in their savings account in case of emergencies. They do not know what may happen in their future (it’s completely unknown), but they have money “just in case.”

Types of Project Risk

After understanding how to identify risks (and opportunities), it can be useful to develop a way to further classify each. Think of this like a tag associated with each risk, allowing you to filter or group them. How risks are grouped or classified often depends on the nature of the organization or the project itself.

In many cases, project risks are classified by how they will impact a project’s core objectives: time, scope, cost, quality. For example, you may see the following, in terms of project objective: schedule risk, financial risk, risk of scope creep, quality risk, etc.

In a different scenario, an organization with a complex supply chain may be interested in internal vs external risk to identify potential issues with their supplier network. In any case, recognizing and categorizing these risks allows organizations to develop more targeted strategies for mitigation and response.

Why start now?

Risk management is all about anticipation. Its objective is to guide companies in preparing for, reducing, or avoiding the negative impacts created by any known event. It also helps to seize opportunities that provide improvements, or positive outcomes.

But why now? It is often only in the face of new difficulties (after a significant risk has already become an issue) that we realize how important risk management is. That is usually when companies implement ways to anticipate and protect against uncertainties. The trick, however, is to do it now, before something happens, and to establish the structure and processes to manage uncertainties long-term.

This begins with developing an organizational Risk Management strategy, in which you can define your risk management process and engage a team of experts to drive it. A sound risk management strategy helps you to look to the future, capture opportunities that come your way, and deploy the right efforts against any threats.

Explore Additional Resources

Key Elements to Implement Risk Management

Establishing a robust Risk Management strategy begins with drafting a Project Management Plan. Then, a Risk Matrix and Risk Register can transform your understanding and prioritization of project risks and opportunities. Learn all 5 Key Elements to Implement Risk Management.

4-Step Risk Management Process

The Risk Management Process is a clearly defined method of understanding what risks and opportunities are present, how they could affect a project or organization, and how to respond to them. Discover the process for how to identify, assess, and respond to project risks.

What is the role of the Risk Manager and their team?

Examine the responsibilities of a Risk Management Team, starting with the role of the Risk Manager. You will see how each interacts with each other and with the project team to facilitate project success.

How to prepare your Risk Contingency Reserve

Despite having implemented either mitigation or avoidance action plans, sometimes adverse effects of risks do occur. In such cases, the project must be able to cope. Learn how the Risk Contingency Reserve is used to cover the financial impact of these events.

Understanding your Risk Appetite

Determine what “good” looks like for your organization by assessing your Risk Maturity. Then you can customize your Risk Management strategy by understanding your Risk Appetite and building a model that is right for you.

Thank you for the contributions of Marie BELGODERE, Jérémie CLAUSTRE, Capucine COMTE, Alioune DIALLO, Emmanuel LATGE, Jessy MIGNOT, Ingrid NGOBAY, Pierre PETILLON, Louann SUGDEN, Chris WAMAL, and the MIGSO-PCUBED Risk Management Community of Practice.
