Risk management for projects

Know­ing how to iden­ti­fy risks is every project man­ager’s (not so) secret weapon

Risks are an inevitable part of life. While it’s tempt­ing to go about your days in one of those human bub­ble suits (don’t give into the temp­ta­tion — they smell fun­ny and don’t wash well), the real­i­ty is that you get the most joy, suc­cess, and ful­fill­ment from the leaps that make you sweat.

What is risk management in project management?

A risk is any possible outcome or event that can occur over the course of a project or during a process. Risks can be related to timeline, budget, or performance, but there is no limit to its flavours. Project risk management is the process of making educated guesses and mapping out strategies related to these perceived risks.

How does risk affect project planning?

Understanding risks allows you to plan more accurately, learn from your mistakes, and create smoother processes for future projects. It also helps you estimate time, money, and people resources better, which is good news for your team and your clients.

It can be tempting to skimp on this stage and push these little risks under the rug or to ignore them altogether. But ignoring them doesn’t make them disappear. They’ll come back and bite, and when you’re not prepared, they can kill an entire project. Nothing’s more important to the success of a project than a project manager’s ability to identify and manage risk. All projects have risks—if you don’t see them, look harder (psst: look under the rug! They’re under the rug.)

Are project risks the same thing as red flags?

Nope—even though red flags can point you in the direction of possible risks, don’t treat them as interchangeable. Risks are all the pathways that a project could take while red flags are observable clues that tell you whether risks are more likely to happen. If you’re a smarty pants, you can use those handy red flag spotting skills to help you assess project risks.

Here’s how: red flags can’t prove a risk will happen, but they are good indicators. If you see a red flag in a project, you can make a safe bet that risk is likely to happen. Consider this a courteous heads up that you should stick your eyeballs on this project and watch it like a bird watches a breakfast worm.

Projects with fewer red flags mean you probably have smooth sailing ahead. Probably—just because you don’t see it doesn’t mean risk isn’t lurking below the surface. It’s just less likely.

Types of risks

Remember—don’t be a downer. Not every risk that crosses your path is going to be negative. Check out the difference between negative and positive risks.

Negative risks

Negative risks are anything bad that can happen to a project that would increase complexity or kill its chance at success. Negative risks range from mild to serious, but they all have the power to affect that golden PM triangle of scope, time, and cost. And people, they definitely impact your people.

Positive risks

Positive risks make a project easier, more successful, more profitable, and more sustainable. If you are willing to hedge your bets and sense a powerful opportunity (say, a new client that’s out of your norm approaches you and wants to work together)—it’s definitely worthwhile to weigh out the positive and negative risks before advancing. You may win out big, but if the project doesn’t pan out, it could burn you, so have a backup plan.

You can respond to positive risk by doing any of the following:

  • Exploit: eliminate uncertainty and make this thing happen
  • Enhance: increase your odds that this risk will pay off
  • Share: go in halfsies with your stakeholders and share the risk
  • Accept: take what comes
Risk TypeDescription

People

People risks affect your project team and your stakeholders. For example, employee turnover is a common people risk (either in your own org or your client’s).

Relationship

Relationship risks depend on team members’ (and stakeholders’) ability to align, communicate, and cooperate. An example would be a new stakeholder added mid-project.

Schedule

Scheduling risks affect the mighty calendar. This includes things like time off, team member availability, and anything that affects project length.

Scope

Remember our old friend scope creep? Project scope is such a fickle beast that it has a risk category all its own. This risk category includes any risk related to scope, like introducing changes or adding features.

Financial

Financial risks relate to the budget of both your org and your client. Commonly pops up as late (or withheld) payments, outdated budgets, and the gross, over-budget project.

Business

Business risks are concerned with the long-term longevity of both your organization and the organization of your stakeholders. This includes more significant risks like taking a project that would hurt your org’s reputation or taking a financially risky project that could hurt your organization’s sustainability.

The four stages of the project risk management process

Now that you know what risks are, let’s look at how to stay one step ahead and catch them before they destroy your project.

There are four steps to think about when you building a risk management plan on a large project:

Identify

Brainstorm any possible risks that come to mind. Risk identification is a collaborative process, so don’t be shy to ask for everyone’s input.

At the end of this stage, you should have a long list of all possible risks you and your team can imagine. Even if they start sounding ridiculous—that’s how you know you can stop.

Assess

Once you have a list of risks, it’s time to determine which ones are worth worrying about (and which aren’t). Bring all your stakeholders together for this: designers, developers, or any other folks whose trade insight will be valuable.

As you assess risks, think of them in three different levels: less serious, a bit serious, and pretty damn serious. If you want to get fancy, you can assign each a numerical value (a traditional risk matrix uses a value between 1 to 4 or 5).

At the end of this stage, you’ll have narrowed your list down to risks likely to pose a threat. Assessing the threat-level of risks allows you to determine how much attention and energy each deserves.

Mitigate

Now that you know your real risks, what plans can you put in place to avoid them, or at least manage them as they happen? Now is the time to be proactive rather than reactive. It’s vital to consult every risk owner at this stage so they’re aware of how they can help to mitigate risks. That way you and your team will avoid any surprises and scrambling down the road.

It’s impossible to avoid all the risks swooping down on you, no matter how good you are at spotting them. That’s why reducing impact is also another part of mitigating risk. Even if you can’t prevent a fire from happening, you can stop it from burning the whole house down. Map out how you can stop risk in its tracks as soon as you see it happening.

At the end of this stage, you’ll have a plan that will help you avoid as many negative risks as possible. Remember: your risk mitigation strategy is always proportional to your risk threat level.

Plan

You’re not a fortune teller. Despite your best efforts to put safeguards in place or course correct, project pitfalls will happen. Whip-smart PMs know it’s important to have both an emergency response plan (to handle the risks that come true) and a contingency plan (to prevent risks from striking twice or, dare we say, thrice).

By the end of this stage, you will have a thoughtful summary of best-laid plans to take with you as you traverse this risky world of ours.

How to manage risks in project management

Project management software

Some PMs use software to help track risk. The right PM software can help you keep on top of documentation and collect data about common risks. This data can provide aggregated insights that help inform future decisions and preparations. The tool we teach to our apprentices does it.

Risk assessment matrix

Want to really lay your risks out on the lawn? A risk assessment might be the crystal-clear vision that you are after. Not to be confused with a RACI matrix, a risk assessment matrix organizes your risks by severity and likelihood to give a high-level overview that is digestible at a quick glance. If this sounds like your thing, we’ve got a template for you.

DIY risk management tracker

If neither of the above options works for you, you can roll your own. There’s no wrong way to do it as long as you at least include the risk name, owner, probability, and outcome. This resource from the Bureau of Digital offers a great example of what a DIY risk register looks like.

Pointing out risks sometimes feels like shining a spotlight on an empty stage—you can’t always catch the culprit midflight, but you can try. Think of the pain if you don’t. It festers. But brave project leaders fearlessly tackle risk management and stop these risk monsters in their tracks. Yes, your future self will thank you.

Related resources

Illustration of a red flag

Red flags

Spot the warning signs. Clean up project emergencies.

Scope creep: what is it, how it happens, and how you can prevent it

The four most common types of scope creep in project management with examples

Talk to us.

Learn more about our programs or just say hi.