The Unconventional Guide to Project Risk Management

Published by in Project Management

Two million dollars were at stake.

Campton College wanted to replace their call accounting system from the 1990s. The new system would manage every department of their medical school’s accounting information (including billing, tuition, and dorm expenses). But switching over to a new product wasn’t easy. They hired a risk-assessment team to figure out potential threats and risks that could come with switching over vulnerable banking information. They estimated the liability could cost the college $2 million.

According to Jean Scheid of Bright Hub Project Management, “The risk assessment team was able to identify 14 various risks with solutions to those risks that lowered a forecasted 249% risk they had previously determined to a mere 54.3% risk. By lowering the percentage of risk through secure processes, the college was able to introduce a newly updated system.”

At the end of the day, the college was able to slowly switch their assets over and was able to safeguard their information from loss or malicious attacks.

If only all project managers could execute their risk management processes so smoothly.

But lo! They can!

According to Info-Tech Research Group, organizations that use a formalized risk management strategy are 53% more likely to have “management success” than those who use an “ad-hoc approach.” And the risk management strategy doesn’t need to be complex.

Below, I’ve outlined the three steps every business needs to take when trying to deter project risk.

1. Identify pain points

There has never been any project devoid of risk—obvious examples include going over budget, leaking sensitive information, and improperly assigning tasks, leading to project delays or failures. Identifying potential risk problems is the most important part of risk management.

Project Management Times has an excellent resource for identifying common risk areas. They include:

  • Unrealistic schedules
  • Incomplete requirements when a project starts
  • Changing priorities
  • Tech synchronization taking longer than assumed
  • Learning unfamiliar project tools

Before starting the project, take the time to identify which risks have the highest probability of happening and have the highest potential for having a negative effect on the project.

2. Evaluate the severity of each risk

The next step in risk management is characterizing the risk’s potential effects on the project. For example, many governmental IT programs use the following chart (this particular example came from an Old Dominion University document):

Naturally, each project management office will have its own classification set, but breaking out risk levels helps determine how much time one should give each project. Organize your risks by probability versus potential impact. Try to balance qualitative measures of risk with quantitative ones, using hard numbers related to cost, resources, time, and labor. Reach out to your stakeholders to see where they see potential risks to the project, and use project management software to help identify hidden problems.

Make sure the following variables are considered when labeling your potential risk:

  • Quality: Will the quality of the final product be affected if this risk takes place?
  • Timetable: Will the final product meet deadline if this risk takes place?
  • Resources: Will there be additional costs if this risk takes place?

3. Create contingency and mitigation plans

After all of the potential risks have been identified, put contingency plans in place—this will eliminate the stress of trying to come up with a plan as a negative event is taking place. Create a response for each possible risk. Upon evaluating the probability and severity of each risk, project managers should also formulate a plan to deter the most severe risks from happening. According to a document from the Office of the Assistant Secretary for Preparedness and Response, possible mitigation strategies include:

  • Avoidance: Change the objectives and scope to avoid the risk altogether
  • Transference: Push the risk onto a third party (like a subcontractor)
  • Moderation: Take steps to lower the probability of the negative event occurring
  • Acceptance: Accept that the risk may take place, along with any associated consequences
  • Abeyance: Determine how to address this risk at a later time.


While this is a brief overview of how project managers can plan for and moderate risk, I’m sure there’s a lot more that they can do. What do you do? What did I miss? Leave your thoughts below!

About the Author

Rachel Burger

Rachel is a former Capterra analyst who covered project management.



Comment by Rachel Burger on

You are so right. One of the biggest overlooked variables in project risk management are resources and team members. That’s why communication and clearly defined expectations are a must… plus a willingness to only work with the best. That’s a structural company problem that PMs unfortunately rarely have control over.

Comment by Raymond Erdman on

Don’t forget that it’s not always possible to avoid, mitigate, transfer, etc. ALL the risks. When “accepting” risks, or when new, unforeseen risks arise (which can certainly happen with longer duration projects), there is a good chance the RESOURCE variable will become important – often meaning additional dollars are needed. Good risk management also includes setting aside dollars to cover risks, such as contingency funds, or other useful options, such as apprising stakeholders during the risk analysis stage, of a possible need to commit additional funding for risks that fall under their responsibility.

Comment by Lauren on

Thanks for outlining these three steps in a risk management strategy. It is definitely important to evaluate the severity of each risk in order to decide what steps to take.
