Risk Management Made Simple

by Christopher Patrick, PMP


You have studied it, you know it is important, your clients know it is important, and you know it could save your project from certain disaster. Then why do most project managers fail to perform proper “due diligence” when it comes to Risk Management? Most project managers probably see Risk Management as too difficult or a waste of time.  If I were to tell you there is a way to fast-forward in time to the very last day of the project and identify all of the potential problems you will face on the project, more likely than not you would see value in this.  Risk management (performed properly) is a way to fast-forward into the future to predict all of the potential problems you might face in a project.

Sun Tzu, in The Art of War, stated that the success or failure of an engagement is determined in the “castle,” or in the planning cycle before the engagement takes place. In other words, if in the planning stage we fail to properly plan our project and enforce mitigation strategies to decrease or eliminate the adverse effect of future events, then such a situation is likely to occur. Risk Management allows you to stay on offense by identifying a problem before it occurs rather than waiting for the problem to occur and then having to deal with it through a problem management process.

The purpose of this article is to share with you some basic Risk Management concepts which in my experience have proven effective when managing a project. The article is broken up into three sections: What is Project Risk, What is Risk Management, and Risk Management Approach.

Before we discuss project risk, let us first focus on what needs to be considered prior to starting a project. In evaluating a project, first we must ask ourselves, from a business standpoint, should the project be done? Second, from a technical perspective, can it be done? Finally, from an end user's perspective, will it work when it is done?

Without a YES to all 3 questions, the project could be in trouble before it starts.

What is Project Risk?

The PMBOK defines project risk as, “an uncertain event or condition that, if it occurs, has a positive or a negative effect on at least one project objective, such as time, cost, scope, or quality” (Project Management Institute, A Guide to the Project Management Body of Knowledge, Third Edition). In simple terms, project risk is the chance or likelihood that things can and will go wrong. Each project is unique and carries with it a certain degree of difficulty, which translates to a certain degree of risk. Risks which are not properly addressed can lead to failure. Some risks are unavoidable, but by applying risk management we can drastically reduce the likelihood of an event occurring.

Those who are familiar with the PMBOK understand there are nine project management knowledge areas: Integration, Scope, Time, Cost, Quality, Human Resource, Communications, Risk and Procurement. It is important to understand that we must manage risk within each one of these knowledge areas, although it is not possible to cover all possible types of project risks within this article.

What is Risk Management?

“Risk Management is the art and science of identifying, assessing and responding to project risk throughout the life of a project and in the best interests of its objectives” (R. Max Wideman, PMBOK). Identifying, assessing and responding to project risks successfully is a primary contributor to project success.

It is important to note that Risk Management is not something performed at a specific point in the project but throughout the life of the project. I have found success in applying Risk Management by following four basic concepts, summarized in the following diagram:

It is important to start with a simple approach and add detail if necessary. The underlying concepts of Risk Management are not difficult.

    • Step 1: Anticipate what can go wrong. The simple step of extracting potential risk information from the team is both an art and a science, and can only be perfected through knowledge and experience. The project manager can use a variety of techniques to pull source information from the team. In my experience, one-on-one meetings have proven to be the most effective.


    • Step 2: Assess the impact of the risk to the project. This can be done by evaluating a risk based on both priority and impact to the project. Determining the ranking for a particular risk can be very subjective. For example, you may have a customer who sees a high priority/low impact risk as more important than a low priority/high impact risk.


    • Step 3: Find the cause of the risk. This can be accomplished by extracting the underlying root cause from team members and key stakeholders. Some effective methods include Fishbone Analysis or Decision Tree.


    • Step 4: Take measures to prevent failure or minimize its impact. What is the contingency plan or mitigation plan? What are my plans to prevent the risk from happening and how will I respond if the risk happens?


Let me again emphasize the importance of starting with a simple approach and then adding detail if necessary. For example, we could add built-in advance warning measures to flag when a risk might occur, or input a formula which would list risk importance based on priority level and impact level. The decision to include more detailed information is at the discretion of the project manager; generally it is easiest to keep everything as simple as possible.

Risk Management Approach

We have provided a basic understanding of Project Risk and Risk Management. We will now discuss an effective approach in applying Risk Management to a project. Before we can begin to practice Risk Management we must first have a clear understanding of our objectives.

Risk Management Objectives:

    • Identify all potential risks.


    • Identify high-impact/high priority risks.


    • Document risk identification and analysis process.


    • Raise awareness to all stakeholders regarding critical factors.


Second, we must understand and believe in the benefits of applying Risk Management to our project.

Risk Management Benefits:

    • Provides a focus on potential risk impact areas.


    • Allows high level risks to be addressed early in the life cycle.


    • Improves confidence in cost and schedule estimates.


    • Improves communication amongst project team and end users.


    • Project manager has basis for contract negotiations.


Finally, by following a simple set of rules, we can effectively fast-forward into the future and identify all the problems that may have happened but did not because we had an effective Risk Management plan.

Risk Management Rules:

    • Start with a simple approach and then add detail.


    • Risk Management is a TEAM effort and ongoing activity.


    • Take a proactive approach to deal with the risk factors.


    • Look for opportunities to capitalize on.


    • There are a variety of tools and techniques available to use.


After performing the Risk Analysis, each identified risk, its probability and impact, and mitigation or preventive actions for that risk can be summarized in a Risk Assessment Matrix (see sample below).



Risk | Probability | Impact | Overall Impact | Preventive Action
--- | --- | --- | --- | ---
1. Staff turnover may delay development | Medium | High | High | Educate customer about the state of technology and realign the expectations by inviting (customer) to participate in preliminary design meetings
2. Relatively longer learning curve for new staff | Medium | High | High | Educate customer about the state of technology and realign the expectations by inviting (customer) to participate in preliminary design meetings