Risk Management in Projects – How to Do It Right


There are many methods for risk management in projects. However, only few of them are actually used. All the while, the press keeps covering failing large-scale projects. Perhaps, you also experience failures in your everyday project management. Could better risk management have prevented them? What is risk management all about anyway?

This article will introduce you to a few techniques from the risk management tool box. Furthermore, you will find a few important tips from experience that you should keep in mind.

First, we will start with the assessment of what makes risk management in projects important. Enjoy reading.

Definition Risk in a Project

The worldwide professional association Project Management Institute (PMI) defines “risk” as events with uncertain occurrence. Hence, besides threats it also includes chances.

A project is a unique, temporary endeavor. That means it invariably involves certain risks.

When talking about risks, we usually refer to possible negative events, however. What applies here: anyone who starts projects accepts certain risks. This is tied to the hope for benefits that outweigh anything negative in the long run.

So far, so important. Without accepting certain dangers, there will be no gain. However, you cannot afford to be too timid as a project manager.

What Is Risk Management in Projects?

The idea of risk management is to increase the chances of achieving the project goals. At the same time, the objective is to minimize the risks of a project failing. Professional risk management is an iterative process. It requires the constant review of realities, the reassessment and adjustment of measures and plans.

For instance, you might have to manage the below risks:

  • Economic losses
  • Damage to company reputation
  • Dangers for health and life of product users
  • Schedule delays
  • Technical problems
  • Definition of project scope
  • Resource scarcity
  • Quality problems, etc.

Yet, in everyday project management the opposite effect can occur only too quickly: Possible high-impact risks go undetected, are forgotten or ignored. Better not to think about what could happen.

Does that sound familiar?

Practical experience has shown that this is dangerous – even if risk management is not mandatory by the organization. It can get dangerous if health and life, monetary factors or the company reputation are at stake in a project.

Therefore, good project managers always try to identify risks and plan how to handle them. The well-conceived establishment of risk management helps lead projects to success.

Good project managers try to identify risks and plan how to handle them.

To what extent project managers actually implement measures and which measures they decide to use, depends on the industry and the individual company culture among other factors.

By the way: the uncertainty inherent in a project can be a risk factor in itself.

What Are the Implications of Corporate Risk Attitudes for Projects

You can ask yourself: As a project manager, am I rather:

  • Risk-averse (unwilling to take risks)
  • Risk-tolerant (not likely to dwell on risks)
  • Risk-oriented (taking risks consciously)?

Studies have shown that many project managers as a rule are rather risk-averse – except when they have to navigate their project through an acute crisis. Pressure to succeed and be on schedule often do the rest.

In principle, there is nothing wrong with acting cautiously. However, it is important not to miss out on big opportunities for this reason.

The better approach is to have analyzed risks as closely as possible before taking a decision on how to deal with them.

For example:

“Is our only reason not to roll out the new software throughout the company that we are unsure about the effects? Or have we assessed the risks carefully and drawn up an appropriate schedule – in other words, do we know what we are doing?”

Our tip: Be aware of both your company’s and your own risk attitude. This should be clear before you plan your risk management. And make sure you communicate any deviations from the standard process actively and with a sound justification for the respective project situation.

Requirements for Corporate Risk Management and Meaning in Different Industries

Naturally, the industry also plays a vital role in risk management. Highly regulated and often risky environments, such as the finance sector, will always tend to be more cautious. They also have to demand a certain approach from their project managers.

Subscribe to the TPG Blog Newsletter now and never miss another blog post.

There are industries in which the lives of the users could be at risk in projects, for instance the aeronautical, automotive, or in some cases the construction, industry. They tend to involve calculated risk management for this reason alone. In their case, the responsibility is immense.

Likewise, project managers tend to implement projects carrying a high risk of damage to reputation for the company with more caution than those in which the good reputation is not particularly at risk.

What is Active Risk Management? What Makes It Important?

Often, undesirable long-term effects are lurking in the shadows, even in cases with seemingly manageable project risks.

Two examples:

  1. Essentially, the project for the new development of customer satisfaction surveys was not a big thing. However, later, it became apparent that important questions had been forgotten and data for evaluation was missing…
  2. The form generates errors and brings more frustration than satisfaction to customers. This results in more and more of them turning elsewhere…

With a more mindful approach beforehand, the project participants might have avoided these kinds of risks after all.

For this reason, there are means and methods of effective risk management. In some cases, project success can hinge on their use.

Which Tasks Are Part of Active Risk Management?

First, project managers looking to handle risks in a professional way, must make sure they have a full toolbox. Below, we introduce a few of these techniques.

1. Risk Identification

To identify risks, we need techniques that trigger creative thought processes. We can check our project documents, call meetings with stakeholders and experts or brainstorming sessions. Or we can create checklists.

If that is not enough and there is reason to suspect that several important risks might yet be unidentified, the Delphi Method might help. With the Delphi method, the project manager surveys a group of experts individually and anonymously. Should there be a stark difference between the responses, you communicate them to all involved. This is intended to spur a discussion. You repeat the procedure until the statements no longer diverge as much.

The benefit of the Delphi Method is that it helps you ensure that:

  • Everyone speaks their mind openly
  • No one is swayed too much
  • No one takes a backseat either, e.g. because others may appear to be dominant

Nominal Group Technique: The Nominal Group Technique is used for similar reasons: It works in the same way as brainstorming. However, rather than everyone calling out their idea, they take it down on a piece of paper. These notes are collected afterwards. This helps you ensure that quieter voices on your team will also be heard.

SWOT Analysis: If you are working in a project with high uncertainties and are breaking new ground as a team, you might find an analysis of the strengths, weaknesses, opportunities and threats (SWOT analysis) helpful. With the aid of the four dimensions, you consider in which areas you as a company or a project team are good and where you still see potential for improvement. From this, you derive risks for your project.

Pre-Mortem Approach: Another interesting practice has been tried and tested in agile projects: in the pre-mortem, teams imagine their project as failed already and ask themselves what might have happened and why.

As opposed to the post-mortem approach, i.e. the project autopsy after the failure, this event takes place at the beginning of the project. From this, they derive recommendations for action. The intention is to prevent the failure of the project, if at all possible.

Agile, traditional or hybrid? Which method to use for what project. Read now.

Brain scientists were able to prove that the change in perspective (we imagine we were already in the future looking back) leads to participants engaging in scenarios much more closely and creatively than mere predictive brainstorming.

Risk Management in Projects: Fictive pre-mortem exercise for a new television at the Agile Game Night in Munich in May 2018

Fictive pre-mortem exercise for a new television at the Agile Game Night in Munich in May 2018: red entries (for example “not compatible”, “exploded”, “high energy use”) act out negative scenarios

Our tip: Whichever method you end up picking in each particular case: at the end, you should come out with a risk register, i.e. a list of identified risks in your project.

However, be aware that at this stage there may still be unidentified risks. You will not be able to predict all. Use the risk register document e.g. for the communication with stakeholders. Or use it to diminish the risk of losing sight of project risks.

Do not forget to keep checking and updating the risk document at regular intervals. You should also write down strategies for handling each of the risks in the document.

Our tip: To avoid planning redundant measures, it is worth analyzing the root causes. You may find a common cause for several risks. You could try to fix this and thus master several risks at once.

2. Risk Analysis and Visualization

Your next step could be a qualitative risk analysis.

This is a way of classifying and weighting the identified risks. Thus, you determine the urgency, possible effects and the priority.

Risk management: Qualitative risk analysis with a trend diagram

Qualitative risk analysis with a trend diagram Which risks remain high throughout and must be observed most closely?

You can further analyze those risks which you deem to be most dangerous for your project.

For this purpose, there are several detailed diagram techniques, such as:

  • The tornado diagram for visualizing the estimated effects
  • The Monte Carlo simulation for acting out scenarios with a random generator
  • Decision trees for narrowing down possible measures
Risk management – Quantitative risk analysis with a tornado diagram

Quantitative risk analysis with a tornado diagram (besides threats, this example also presents possible opportunities)

  • The risk matrix visualizes active risks in a colored matrix of impact over probability. The risk table makes the communication within the project team easier. This tool can help you present the risk situation clearly to project sponsors or the steering committee. The graphical visualization in the risk matrix supports project managers in setting priorities and developing response strategies for the risks as will be described further below.
Risk management – Example of a risk matrix, the TPG Risk Chart App

Example of a risk matrix, the TPG Risk Chart App for the easy communication of project risks

Learn more about reporting and the risk matrix in our article on the Project Status Report.

Monetary Risk Analysis for Creation of Reserves

When it comes to risks, it is particularly important to keep an eye on possible financial losses and cushion them if necessary. In general, you have the opportunity to calculate the expected value of risks using the below formula.

Expected monetary value = probability of a risk (%) * expected financial impact

From this, you can derive possible risk surcharges, i.e. reserves created for identified and analyzed risks.

Top management, on the other hand, maintains more general reserves for anything that might occur without being previously identified.

Our tip: The sooner you address a risk in a project, the more budget-friendly and effective the solution usually is. Thus, address risk issues at the very beginning, if a project is of high importance to your company.

3. Planning Risk Measures in the Case of Risk Acceptance

The creation of risk surcharges and reserves is a form of active risk acceptance. The occurrence of a risk is put up with, but not without making provisions.

If the risk does not materialize, the reserves will be released.

What Measures for Risk Management in Projects Exist?

What type of measure is suited to which project risk, will result from the analysis and the actual options in any situation.

Frequent types of risk management are:

  • Avoidance / Prevention (eliminating or evading the danger)
  • Mitigation (reducing the probability of occurrence or the extent of the damage)
  • Transfer (transferring responsibility to a third party, such as an insurance company)
  • Active acceptance (arranging for risk surcharges and reserves)
  • Passive acceptance (doing nothing)
  • Escalation (asking management for help)

Passive acceptance (outright acceptance without taking action) can be an adequate reaction to some risks. Other risks may require the provision of reserves, the conclusion of an insurance contract, the involvement of top management or further measures.

It is important to make the decisions on the treatment of risks on a carefully considered basis. To this end, you have to identify, analyze and judge risks in advance.

Equally important, if not more, is the understanding that it is not enough to look at risks only once at the beginning of the project. Professional risk management is an iterative process requiring the constant assessment of realities, reevaluation and adaptation of measures and plans.

Our tip: Give thought to possible risks in your projects on a regular basis. It is not enough to do this only at the beginning! For risks with high impact and high probability of occurrence, you should always have specific measures planned. Communicate these openly. And check periodically if these measures are still adequate.

Conclusion – Risk Management in Project Management

This article has outlined why active risk management is useful in projects and which threats it can help avoid. It can get dangerous if health and life, monetary factors or the company reputation are at stake in a project.

In addition, you have become acquainted with several methods for risk identification and assessment, including agile techniques.

Professional risk management is feasible if you know a few tricks and tweaks. And it is worthwhile: if you actively identify, analyze and communicate your risks, irrespective of industry and risk-taking propensity, you will be able to look back on more project success in many cases.

Have the courage to approach this topic! It will certainly pay off for you once a risk leaves the theoretical level and suddenly strikes in reality.

Is there anything you have to add on the topic of risk management? What gives you a headache? We’ll be happy to respond to your comment below!

About the author:Antje Lehmann-Benz, PMP, PMI-ACP, PSM expert is a trainer for project management with a particular focus on agile practices and Scrum seminars. Furthermore, she has experience as a software trainer (JIRA, Confluence) and consultant. In addition to teaching frameworks and theory, she is experienced in the use of agile games and practical exercises to reinforce the knowledge gained.

Read more about Antje Lehmann-Benz on Linkedin.


print this article


Leave A Reply