Project Risk Management
The purpose of this document is to present some general guidelines for managing those
risks associated with a project. As each project is unique, the approach used to manage
the project’s risk must be adjusted to match the needs of the project. Included with these
guidelines is a Risk Management Plan template and a Risk Mitigation template that may
be used for recording, analyzing and tracking project risks. The steps involved in
performing risk management include Risk Identification, Risk Analysis, Risk
Prioritization, Risk Response Strategies and Risk Response Plan.
Step 1 - Risk Identification
The first step in performing risk management is to identify as many potential risks
associated with the project as possible. Although this activity is primarily performed
during the Planning phase, it should occur throughout the entire project. As each
potential risk is identified, a brief description of the risk is created and recorded. During
the risk identification process there is no analysis of the risks being presented. Each risk
is recorded as it is stated and the next risk is then presented. To help identify potential
risks, items such as lessons learned, the project work plan (WBS) and other documents
may be used.
The Risk Management Plan template has been provided to assist in identifying and
documenting potential project risks. The template provides a place where the identified
potential risk descriptions may be entered. To aid in organizing the identification process,
this template has been divided into sections by each project life cycle phase and the
different project management areas. Also to assist in getting the process started, a basic
listing of common risks associated with projects is provided. The team may start with
these common project risks and determine if they are or are not relevant to the project.
Step 2 - Risk Analysis
Once all the risks that can be identified have been identified, each risk needs to
be analyzed. This first involves discussing and clarifying each risk to make sure there is
a good understanding of the risk. When the risk has been clarified the next step is to 1.
determine the probability of the risk occurring and 2. determine the impact the risk will
have on the project if it does occur. This information can be recorded on the Project
Management Plan template next to each of the risk descriptions. Note that determining
the impact includes determining the consequence the risk will have on the project, such
as missed target dates, increased cost and so on; these consequences may also be recorded
on the template. When performing risk analysis, the project team needs to keep in mind the
project’s success factors and how the risk may impact those factors.
For the probability the following scale may be used:
1 = Very Unlikely – 0% to 5% probability
2 = Unlikely – 6% to 35% probability
3 = Likely – 36% to 65% probability
4 = Highly Likely – 66% to 95% probability
5 = Almost Certain – 96% to 100% probability
There are a number of different ways to look at impact, as a risk may affect a number
of different factors within the project, such as costs, project schedule, lost opportunity
and so on. The anticipated consequence of a risk, if it occurs, needs to be documented for
those factors. For the impact the following scale may be used:
1 = Almost No impact on scope/cost/schedule/opportunities
2 = Minor impact on scope/cost/schedule/opportunities
3 = Moderate impact on scope/cost/schedule/opportunities
4 = Significant impact on scope/cost/schedule/opportunities
5 = Project Failure
Below is an example of an impact matrix that may be used. Because all projects are
unique, these factors may not fit in every case. For example a project with a mandated
implementation date would have Project Failure with even the slightest slippage in the
Project Impact: Scope
  1 Almost No Impact: Scope change barely noticeable
  2 Minor Impact: Minor areas of scope impacted
  3 Moderate Impact: Major areas of scope impacted
  4 Significant Impact: Scope changes unacceptable to customer
  5 Project Failure: End Product is effectively Useless
Project Impact: Schedule
  1 Almost No Impact: Insignificant schedule slippage
  2 Minor Impact: Schedule slippage <5%
  3 Moderate Impact: Overall schedule slippage 5 – 10%
  4 Significant Impact: Overall schedule slippage 11 – 20%
  5 Project Failure: Overall schedule slippage >20%
Project Impact: Cost
  1 Almost No Impact: Insignificant cost change
  2 Minor Impact: Cost change <5%
  3 Moderate Impact: Cost change 5 - 10%
  4 Significant Impact: Cost change 11 - 20%
  5 Project Failure: Cost change >20
Project Impact: Quality
  1 Almost No Impact: Quality degradation barely noticeable
  2 Minor Impact: Only minor applications are affected
  3 Moderate Impact: Quality reduction requires customer
  4 Significant Impact: Quality reduction unacceptable to customer
  5 Project Failure: End Product is effectively Useless
By multiplying the probability by the impact you determine the Risk Factor. The higher
the Risk Factor, the greater the risk to the project. The Risk Factor may be recorded on the
Risk Management Plan template.
Step 3 - Risk Prioritization
Because you cannot, and should not, try to manage ALL risks associated with a project,
you need to prioritize the risks to determine which ones should be managed. By using
the Risk Factors you can see what risks may have the greatest impact on the project.
Using this information plus any other information from the project team and stakeholders,
rank the risks in priority order from highest to lowest for those risks having a significant
impact on the project. (Determining what risks have a significant impact on the project
and should be ranked depends on the project and its ability to accept certain amounts of
risk.) The priority for the ranked risks may be recorded on the Risk Management Plan
Step 4 - Risk Response Strategies
When the risks have been identified, analyzed and prioritized the next step is to
determine how to respond to each risk. Within the risk response strategies there are four
1. Mitigation, which is reducing the probability and/or the impact of an adverse risk.
This is primarily used for those risks that are to be managed by the project team.
2. Acceptance, which is accepting the risk as is and doing nothing. This is generally
taken for those risks with low Risk Factors. It may be used for higher-ranked risks
where a contingency plan is developed. If the risk occurs the contingency plan is
put into operation.
3. Avoidance, which is eliminating the cause of the risk such as revising the scope to
exclude that part involving the risk.
4. Transference, which is placing the responsibility for the risk and its consequence on
someone outside the project.
Once it is determined how each risk will be responded to, those requiring actions will be
assigned to team members as the Risk Owners. The team has overall responsibility for the
project’s risks and the Risk Owner is the person assigned to coordinate the efforts of the
team in managing the risks. The Risk Owner is generally the person most familiar with
the risk subject. The Risk Owner is responsible for developing and/or overseeing
the creation of the Risk Response Plan and the action items to be taken within the risk
Step 5 - Risk Response Plan
For those risks that have a response strategy of Mitigation, Acceptance, Avoidance or
Transference a risk response plan needs to be developed.
Mitigation - The most common form of managing a risk is through mitigation. Within
this approach a risk response plan is developed that presents the various ways the
probability and/or impact of the risk may be lessened. For those risks being mitigated,
the Risk Owner needs to formulate ideas as to how the risk’s probability and/or impact
may be reduced. These are general statements covering the various areas that may be
concentrated on to lessen the risk. Action items are then developed to outline specific
actions that will be taken to support those ideas in reducing the probability and impact of
the risk. These action items may also be included in the project plan. A Risk Mitigation
template has been developed to assist in this process.
Risk Mitigation Template Fields and Definitions
Risk Description: Enter the description of the risk as stated in the Risk
Risk Item Identifier: Enter the risk identification information, such as Requirements
#3, that was assigned to the risk in the Risk Management Plan.
Risk Priority: Enter the priority of the risk as stated in the Risk Management
Risk Factor: Enter the Risk Factor for the risk as stated in the Risk
Risk Response Strategy: Enter the response strategy being used for the risk (mitigation,
avoidance, acceptance or transference) as indicated in the Risk
Risk Status: Indicate the current status of the risk; open, closed, cancelled
Last Updated: Enter the date when the Risk Response Plan was last updated.
Risk Owner: Enter the name of the individual who is primarily responsible
for managing the risk.
Date Assigned: Record the date the risk was assigned to the Risk Owner.
Consequence if Risk Occurs: Enter a description of the impact/consequence of the risk
including scope, schedule, costs, and lost opportunity.
Areas where Probability may be Reduced: List those areas that may be concentrated on to
lessen the probability of the risk occurring.
Areas where Impact may be Reduced: List those areas that may be concentrated on to lessen
the impact if the risk does occur.
Attachments: If there are any attachments, please reference them here.
Action Items: Within this section list all of the very specific actions that will
be taken to manage this risk, including how the actions will
be performed and, if appropriate, when.
Acceptance – Because no action is taken to manage this risk the only thing that needs to
be documented in the Risk Response Plan is the consequence of the risk if it occurs. No
additional planning needs to be developed unless it is decided that a contingency plan
will be developed. If this is the direction, then the contingency plan needs to be
developed and the risk monitored.
Avoidance – Because a change is made to the project, such as revising the scope to
eliminate the risk, no Risk Response Plan needs to be developed. It is very possible that
the project change management process needs to be followed as a result of changing the
Transference - When placing the responsibility for a risk and its consequence on
someone outside the project, the project team needs to document who and how the risk
responsibility is being transferred. This can be recorded in the consequence section of the
Risk Management Plan template.