Managing risk is a necessary component of project management. Unfortunately, it is often neglected right up until the point where there is a serious problem that needs to be addressed. Ignoring risks until they materialize is guaranteed to blow your budget and schedule every time – and it will add unnecessary stress.

Despite the obvious benefits of a robust risk management strategy, it tends to be an overlooked area of project management training. Many project managers (PMs) I’ve talked to aren't familiar with the terminology or simply don't know where to begin. So let me break down the basics of risk management and demystify this often-misunderstood subject.

What is Risk?

Whenever I’m asked to define risk, I can’t help but paraphrase a well-known Salt-N-Pepa song from the ‘90s.

“Let’s talk about risk, baby, … let’s talk about all the good things and the bad things that may be. Let’s talk about risk!”

Yep, you read that right. Risk can actually be a good thing. Risk is simply the potential of gaining or losing something of value. 

  • Negative risks are threats you’ll need to manage

  • Positive risks are opportunities you should try to leverage

Risk Management Strategies

Once you identify a threat or opportunity, you’ll need to weigh the various options available to you and decide how best to manage the risk. In general, there are four different strategies available, and the best practice is to weigh the pros and cons of each of the strategies before deciding which is the best fit for the risk in question. 

Managing Threats

There are four strategies for managing negative risk:

  1. Avoid – Eliminate the threat

  2. Mitigate – Reduce the probability or impact

  3. Transfer – Shift the impact to another party

  4. Accept – Acknowledge the threat, but take no action until necessary

For example, if there is a threat that your approved vendor may not be able to deliver a required device in time for software testing, you could explore the following risk management strategies:

Managing Threats.png

Leveraging Opportunities

There are 4 strategies for managing positive risk:

  1. Exploit – Ensure the opportunity is realized

  2. Enhance – Increase the probability or impact of the opportunity

  3. Share – Allocate some of the ownership to a third party

  4. Accept – Acknowledge the opportunity, but don’t actively pursue it

For example, if there is an opportunity that your company could receive a significant bonus from your client if you deliver the project one month early, you could explore the following risk management strategies:

Leveraging Opportunities.png

Managing Risk in 3 Easy Steps

Armed with your newfound knowledge of risk management strategies, you’re ready to up your game and become a risk management pro. Just follow the three steps below and you’ll be amazed at how much easier it is to keep your projects on budget and schedule.

Step 1: Identify and Document Risks

Create a risk register to identify and document all project risks

  • List all the risks you can think of – give each risk an ID

  • Assign an owner to each risk (i.e. the person responsible for the outcome)

  • Estimate the probability (percent chance of occurrence) and impact if the risk materializes (amount of money and/or days of schedule)

  • Calculate the predicted impact of each risk by multiplying the probability by the impact. For example, if there is a 20% chance that a threat will result in a 10-day schedule delay and $5,000 budget increase, then the predicted impact would be a two-day delay (20% x 10 days) and $1,000 budget increase (20% x $5,000)

  • Define a strategy to manage each risk (i.e. mitigate, transfer, exploit, etc.)


In the end, you should have a risk register that looks something like this:

Risk Register with budget and schedule.png

Be sure to add contingency to both the budget and the schedule to account for the predicted impact. You can expect that some risks will materialize and others will not. With any luck, the amount of contingency you’ve built into the budget and schedule will be sufficient to cover the risks that materialize.

Step 2: Prioritize Risks

Not all risks are created equal. You may be tempted into thinking risks with the greatest impact are the ones you need to worry about. But if a threat with a severe impact isn’t likely to occur, then it is actually less of a concern than a moderate impact threat that is very likely to occur.

To ensure you are focusing your energy on the right risks, use a risk matrix, like the one below, to visualize the severity of each risk. Then prioritize managing the highest risks first, followed by the moderate ones. In general, risks in the low category shouldn’t require much attention, but they should still be monitored to ensure they remain in the low category.

Risk Matrix.png

How you define the probability and impact categories is up to you. I typically use the following ranges for each category:

Risk Matrix Categories.png

Using the risk register we created in Step 1, and using the impact and probability breakdowns provided above, our resulting risk matrix would look like this:

Populated Risk Matrix.png

This visual representation quickly shows us that we should give the most attention to our third risk, and that risks 1 and 2 are roughly equivalent to in terms of project impact.

Step 3: Monitor and React

Once you’ve identified and prioritized your risks, you’ll need to continue to monitor them. Over time, the probability and impact of any given risk may change. When this happens you should revisit your risk management strategy and revise as needed. I typically review my risk register and risk matrix weekly, right before I do my budget and schedule updates. This way, I can update my budget and schedule to reflect the most up-to-date expected contingency requirements.

As the project progresses, there will be new risks that pop up. These will also need to be added to the risk register and monitored. Happily, there will also be old risks that never come to pass and you can close those.

As risks materialize, stick to the plan and draw from the contingency to address them. Be sure to keep your team and your client in-the-loop regarding new and changing risks. They’ll appreciate knowing you are anticipating and reacting to the changing landscape of the project.

Knowing you have done all you can to protect your budget and schedule will put your mind at ease and build trust with your team and client. 

The only question left to be answered is what are you going to do with all your free time now that you’re not busy worrying?

This is a guest article from a member of the Bureau of Digital community. We're always looking for good tips and lessons, if you're interested in contributing please email smith@bureauofdigital.com.

Comment