I’ve been managing software development projects for more than 11 years. Risk management is arguably the most crucial piece in my project management approach. Therefore, I spent lots of time and effort creating a practical risk management process.
Risk management process is a structured approach to identifying, assessing, addressing, and controlling risks. It’s a combination of processes and tools a project manager applies to discover threats and opportunities that may impact a project.
You’ll get the whole risk management process below. You can find links to other articles that explain each process and tool in more detail. So, let’s dive in!
Short Glossary of Project Risk Management
There is no such thing as a universal risk management process. Instead, you need to select tools, techniques, and processes for each project individually. Moreover, organizations often develop their own approaches to risk management that you need to follow.
Please note that the risk management process, framework, and approach mean the same things. So, I’ll use them interchangeably.
That’s why in simple terms, Risk Management is your effort in identifying and tackling project risks.
The PMBOK Guide describes a simple framework for risk management. It gave me inspiration, so credit where it’s due to the PMI. It gives the following definition of a risk:
“An uncertain event or condition, that if it occurs, has a positive or negative effect on a project’s objective.”
Conversely, an opportunity is an event or condition that has a positive effect. As a project manager, you need to try and leverage opportunities as much as avoiding risks.
The “impact” is the effect of risk or opportunity. This may change the feasibility, costs, durations, overall risk level, availability of resources, or personnel. In general, a risk may impact any aspect of the project.
We can assess a risk’s impact qualitatively as low, medium, or high.
We can also describe the impact as a monetary value of a risk like $2,450 or as a delay of four calendar days or both at once.
But don’t limit yourself only to project costs or duration. Risks will appear in all aspects of project management and may have a complex impact. For example, a risk may impact quality, team motivation, resources, and staffing all at once.
“Probability” is the likelihood of a risk or opportunity happening.
Again, it can be qualitative (low, medium, high) or quantitative (a percentage).
A “risk response” or “risk response plan” details the action you will take to avoid or mitigate risk.
What are the 7 Risk Management Processes
Below is a quick overview of the risk management framework. Notice that each step of the framework is a separate process, all of which will be discussed in detail in the related articles.
Additionally, keep in mind that it’s just a framework. You can add or remove tools and techniques in each process. However, in the long run, you need to tailor your risk management approach for the given project.
The primary consideration is the costs of your efforts. Risk management is not free of charge. It requires the involvement of the whole team and stakeholders. So, you need to balance your efforts with the benefits of overcoming risks.
Process #1: Plan How to Manage Risks
As with everything in project management, risk management starts with planning. There are three main reasons for this:
- Risk management requires the input of all the project documentation, processes, and workflows. You need to plan what you’ll analyze and how.
- You don’t do risk management alone. You need input from stakeholders, so you need to know who they are and plan their engagement.
- You need to collect the assets and knowledge of your organization. This helps you to avoid reinventing the wheel.
There are too many moving parts for this to be kept in your head. So, you need a simple project risk management plan. It should cover each detailed step discussed below.
Process #2: Continuously Identify Risks
The next step is to identify risks with techniques outlined in the risk management plan, in conjunction with all the information you have at your disposal.
We’ll talk about different risk identification techniques in detail in this article:
However, I want you to focus on one in particular that can help you kickstart the process, even if you have never done it before. It’s the analysis of risk categories.
The only problem is that your company probably doesn’t maintain a list of risk categories.
But I’ve got you covered. In my experience, there are 43 risk categories. Take these as a starting point. Then, expand the list with categories from your industry. Finally, keep it updated throughout your career.
How many risks should you identify? Even on a small project, there could be up to a hundred.
So, what should you do with all of them? First of all, you need to log them all in a risk register. But don’t evaluate them – just write them down for now!
Process #3: Perform Qualitative Risk Analysis
Qualitative risk analysis is all about assessing each risk’s impact and probability in simple terms like low, medium, or high.
Remember, mitigating is costly: You will never work on a project that allows you to do this for every possible risk.
That’s why the primary goal of the qualitative risk analysis is to shortlist the known risks: Those that have the most adverse impact on the project and are a distinct possibility.
Soon, hundreds of risks will be whittled down to maybe a dozen. The next step is to plan risk responses for each of them.
The others remain in a “watch list” section of the risk register. Why is this needed? The impact and probability of risks evolve during the project lifetime.
Here’s a key piece of advice: Don’t overcomplicate it!
If you can prioritize risks using simple grades of low, medium, and high, then do so. Going beyond this is only beneficial when you have hundreds of risks or require a more complex analysis.
Process #4 (Optional): Perform Quantitative Risk Analysis
You may analyze risks further by using percentages for probability and dollars (or whatever currency is relevant) for impact.
Using these figures, you can calculate the expected monetary value (EVM) of each risk.
But, for smaller projects, this isn’t usually worth the effort required because it’s unlikely to be needed.
In some cases, it may help you to analyze a costly and critical decision. If you are doing it for the first time, ask your peers and leadership for guidance.
Process #5: Plan How to Overcome Risks
So, now you have identified a dozen risks. What next?
- You can do something to avoid a risk.
- You can do something to reduce the impact and/or probability of a threat.
- You can do nothing, but when the threat materializes, you can use the risk reserves to minimize any negative impact.
- You can do nothing and just accept the risk and its effects. Then, you may need to adjust the project plan.
The risk response plan will help you achieve one of these results. But don’t limit yourself to a cookie-cutter solution. An efficient response plan comes from collaboration with stakeholders.
Sometimes you need to look beyond your Gantt chart, your budget, and your team. Sometimes, informing the right people may eliminate the risk altogether.
Process #6: Implement Risk Responses
Each risk response plan is a part of your project management plan:
- It’s a budget allocated for a specific risk.
- It’s a separate task someone needs to perform.
- It’s a new process you developed.
More often than not, someone needs to implement the risk response plan before a risk materializes. At the very least, this person should monitor the risk and report on the effectiveness of any response.
But, in most cases, that shouldn’t be you because you don’t have the time to track dozens of risks.
So, you need to do the following:
- Assign an owner to each risk. This person will monitor and work specifically on their allocated risk when the time comes.
- Communicate with stakeholders about the upcoming risks and responses you’ve planned.
- Collect data about the risks: The number of risks that did or didn’t occur, the efficiency of responses, and the impact on schedule, budget, and scope of work. Also, don’t forget about the client’s happiness.
- Identify any residual risk following your responses.
These activities are relevant across the board for all project management efforts. Each risk response is like a micro sub-project. But they are always a part of the wider project, not a stand-alone activity.
Here’s an expert tip:
Delegate ownership for implementing risk responses as much as possible.
You need to focus on the bigger picture of project progress, overall risk levels, and new sources of risks. In general, you should only tackle the risks that are in your area of expertise.
Process #7: Continuously Monitor Risks
When controlling risk management activities, you first need to ensure that your planned risk responses are efficient and timely.
After that, you need to keep an eye on new risks as they appear. And they do surface all the time! Likewise, known risks may change their probability and impact. These new and updated risks may challenge the feasibility of your project.
Next, you need to control the overall risk level for the project. You should do this periodically. Then, based on your analysis, you may need to make changes to the project baselines or your risk management approach.
In essence, you need to use the same risk identification techniques over and over again.
When Does Risk Management Process Start on a Project?
Why do you need to think about risk management right at the start?
First of all, you inherit risks from the environment of your organization. Think about internal stakeholders, processes, lack of support from leadership, absence of expertise, recurring or seasonal problems. They’re all present in this environment already.
So, here’s the good news!
The more you work in one company, the more you know about its inefficiencies and weaknesses. But rest assured that the same challenges will reappear for all new projects. Unfortunately, organizations don’t fix these problems quickly.
Second, you may participate in the pre-sales phase of a project. So, again, there’s the potential to avoid a treasury of risks from the start by adjusting stakeholders’ expectations. But you need to know how to identify and track those risks.
That’s why we need to focus on risk management from the start. You need to apply the processes and tools we discuss in this chapter throughout every aspect of the project. Risk management activities must be baked into your project plan.
Repeat this mantra after me:
“I will perform risk management activities throughout the whole project lifetime and in between projects. It never stops.”
Secret Ingredient of Risk Management
I was sitting in the office early one morning. I’d created a perfect plan to fix a problem that I believed would appear in a few days. It was my first project. And it made me a little proud that I’d discovered a potential risk!
In a few days, it happened!
With barely concealed enthusiasm, I escalated it to management. At once, I provided my plan to overcome the problem. After a few hours of intensive meetings, senior management accepted my plan.
We solved the problem quickly and efficiently. But once everyone left, my mentor came to me. “What the hell was that?” he said. “Fixing the consequences is a passive mindset. You should be proactive! If you knew the solution, you should have prevented the problem.”
That’s a lesson that I’ve remembered throughout my whole career. If you think about it, he was right. By discussing the problem with an expert in a quiet meeting before it arose, we could have reached the same result in a cheaper, less stressful way without troubling senior-level managers and engineers.
So, risk management is all about preventing problems or reducing their impact on a project.
The secret to efficient risk management is proactivity.
What if Risks Messed up Your Project?
Following this process doesn’t safeguard you from problems:
- You may fail to identify a severe risk.
- Your risk response plan may be inefficient.
- Small risks may snowball into larger ones.
- Some risks will be out of your control.
When a risk seriously hits your project, you need to focus your efforts on getting back to your initial plan. Don’t re-plan the whole project because that will create new risks.
But that’s the worst-case scenario. You’re unlikely to see too many risks that can instantly ruin the whole project. Even if there are, such risks are usually known, and you try to avoid them from day one by creating a prototype or performing a feasibility analysis.
In the real world, you should be worried about the compound effect of numerous small risks and risks that you failed to identify. They won’t bring your project down at once, but they’ll gradually cause delays. They will make your project owner unhappy to the point where they start questioning your competency. You definitely want to avoid that!
That’s why I suggest you get the risk management plan template below. It will help you become an expert in risk management.
Conclusion on Risk Management
Unfortunately, this article was just one piece of a complex project risk management framework: Many other processes happen before and after this one.
If one part doesn’t work, the whole system breaks.
My Risk Management Plan Template connects all processes and tools into one cohesive system. It also provides access to other articles and videos on risk management.
Don’t put your projects and reputation at risk. Ensure you know how risk management works in the real world.
All successful project managers know it’s better to learn from someone else’s experience (aka lessons learned). Tap into my 12 years of practical IT experience and get the Risk Management Plan Template.