
16. Risk Management Planning

bpayne and Adrienne Watt

Even the most carefully planned project can run into trouble. No matter how well you plan, your project can always encounter unexpected problems. Team members get sick or quit, resources that you were depending on turn out to be unavailable, even the weather can throw you for a loop (e.g., a snowstorm). So does that mean that you’re helpless against unknown problems? No! You can use risk planning to identify potential problems that could cause trouble for your project, analyze how likely they are to occur, take action to prevent the risks you can avoid, and minimize the ones that you can’t.

A risk is any uncertain event or condition that might affect your project. Not all risks are negative. Some events (like finding an easier way to do an activity) or conditions (like lower prices for certain materials) can help your project. When this happens, we call it an opportunity; but it’s still handled just like a risk.

There are no guarantees on any project. Even the simplest activity can run into unexpected problems. We call anything that might occur to change the outcome of a project activity a risk. A risk can be an event (like a snowstorm) or it can be a condition (like an important part being unavailable). Either way, it’s something that may or may not happen, but if it does, then it will force you to change the way you and your team work on the project.

If your project requires that you stand on the edge of a cliff, then there’s a risk that you could fall. If it’s very windy out or if the ground is slippery and uneven, then falling is more likely (Figure 16.1).


Figure 16.1 Risk Management Options
Illustration from Barron & Barron Project Management for Scientists and Engineers, http://cnx.org/content/col11120/1.4/

When you’re planning your project, risks are still uncertain: they haven’t happened yet. But eventually, some of the risks that you plan for do happen, and that’s when you have to deal with them. There are four basic ways to handle a risk.

  1. Avoid: The best thing you can do with a risk is avoid it. If you can prevent it from happening, it definitely won’t hurt your project. The easiest way to avoid this risk is to walk away from the cliff, but that may not be an option on this project.
  2. Mitigate: If you can’t avoid the risk, you can mitigate it. This means taking some sort of action that will cause it to do as little damage to your project as possible.
  3. Transfer: One effective way to deal with a risk is to pay someone else to accept it for you. The most common way to do this is to buy insurance.
  4. Accept: When you can’t avoid, mitigate, or transfer a risk, then you have to accept it. But even when you accept a risk, at least you’ve looked at the alternatives and you know what will happen if it occurs. If you can’t avoid the risk, and there’s nothing you can do to reduce its impact, then accepting it is your only choice.

By the time a risk actually occurs on your project, it’s too late to do anything about it. That’s why you need to plan for risks from the beginning and keep coming back to do more planning throughout the project.

The risk management plan tells you how you’re going to handle risk in your project. It documents how you’ll assess risk, who is responsible for doing it, and how often you’ll do risk planning (since you’ll have to meet about risk planning with your team throughout the project).

Some risks are technical, like a component that might turn out to be difficult to use. Others are external, like changes in the market or even problems with the weather.

It’s important to come up with guidelines to help you figure out how big a risk’s potential impact could be. The impact tells you how much damage the risk would cause to your project. Many projects classify impact on a scale from minimal to severe, or from very low to very high. Your risk management plan should give you a scale to help figure out the probability of the risk. Some risks are very likely; others aren’t.

Risk Management Process

Managing risks on projects is a process that includes risk assessment and a mitigation strategy for those risks. Risk assessment includes both the identification of potential risk and the evaluation of the potential impact of the risk. A risk mitigation plan is designed to eliminate or minimize the impact of the risk events—occurrences that have a negative impact on the project. Identifying risk is both a creative and a disciplined process. The creative process includes brainstorming sessions where the team is asked to create a list of everything that could go wrong. All ideas are welcome at this stage with the evaluation of the ideas coming later.

Risk Identification

A more disciplined process involves using checklists of potential risks and evaluating the likelihood that those events might happen on the project. Some companies and industries develop risk checklists based on experience from past projects. These checklists can be helpful to the project manager and project team in identifying both specific risks on the checklist and expanding the thinking of the team. The past experience of the project team, project experience within the company, and experts in the industry can be valuable resources for identifying potential risk on a project.

Identifying the sources of risk by category is another method for exploring potential risk on a project. Some examples of categories for potential risks include the following:

  • Technical
  • Cost
  • Schedule
  • Client
  • Contractual
  • Weather
  • Financial
  • Political
  • Environmental
  • People

You can use the same framework as the work breakdown structure (WBS) for developing a risk breakdown structure (RBS). A risk breakdown structure organizes the risks that have been identified into categories using a table with increasing levels of detail to the right. The people category can be subdivided into different types of risks associated with the people. Examples of people risks include the risk of not finding people with the skills needed to execute the project or the sudden unavailability of key people on the project.

Example: Risks in John’s Move

In John’s move, John makes a list of things that might go wrong with his project and uses his work breakdown structure as a guide. A partial list for the planning portion of the RBS is shown in Figure 16.2.


Figure 16.2 Risk Breakdown Structure (RBS)
Source: http://pm4id.org/11/2/

The result is a clearer understanding of where risks are most concentrated. This approach helps the project team identify known risks, but can be restrictive and less creative in identifying unknown risks and risks not easily found inside the WBS.

Risk Evaluation

After the potential risks have been identified, the project team then evaluates each risk based on the probability that a risk event will occur and the potential loss associated with it. Not all risks are equal. Some risk events are more likely to happen than others, and the cost of a risk can vary greatly. Evaluating the risk for probability of occurrence and the severity or the potential loss to the project is the next step in the risk management process.

Having criteria to determine high-impact risks can help narrow the focus on a few critical risks that require mitigation. For example, suppose high-impact risks are those that could increase the project costs by 5% of the conceptual budget or 2% of the detailed budget. Only a few potential risk events meet these criteria. These are the critical few potential risk events that the project management team should focus on when developing a project risk mitigation or management plan. Risk evaluation is about developing an understanding of which potential risks have the greatest possibility of occurring and can have the greatest negative impact on the project (Figure 16.3). These become the critical few.


Figure 16.3 Risk and Impact
Source: http://pm4id.org/11/2/

There is a positive correlation—both increase or decrease together—between project risk and project complexity. A project with new and emerging technology will have a high-complexity rating and a correspondingly high risk. The project management team will assign the appropriate resources to the technology managers to ensure the accomplishment of project goals. The more complex the technology, the more resources the technology manager typically needs to meet project goals, and each of those resources could face unexpected problems.

Risk evaluation often occurs in a workshop setting. Building on the identification of the risks, each risk event is analyzed to determine the likelihood of occurrence and the potential cost if it did occur. The likelihood and impact are both rated as high, medium, or low. A risk mitigation plan addresses the items that have high ratings on both factors—likelihood and impact.

Example: Risk Analysis of Equipment Delivery

A project team analyzed the risk of some important equipment not arriving at the project on time. The team identified three pieces of equipment that were critical to the project and would significantly increase costs if they were late in arriving. One of the vendors, who was selected to deliver an important piece of equipment, had a history of being late on other projects. The vendor was good and often took on more work than it could deliver on time. This risk event (the identified equipment arriving late) was rated as high likelihood with a high impact. The other two pieces of equipment were rated as potentially high impact on the project but with a low probability of occurring.

Not all project managers conduct a formal risk assessment on a project. One reason, as found by David Parker and Alison Mobey in their phenomenological study of project managers, was a low understanding of the tools and benefits of a structured analysis of project risks (2004). The lack of formal risk management tools was also seen as a barrier to implementing a risk management program. Additionally, the project manager’s personality and management style play into risk preparation levels. Some project managers are more proactive and develop elaborate risk management programs for their projects. Other managers are reactive and are more confident in their ability to handle unexpected events when they occur. Yet others are risk averse and prefer to be optimistic and not consider risks, or avoid taking risks whenever possible.

On projects with a low-complexity profile, the project manager may informally track items that may be considered risk items. On more complex projects, the project management team may develop a list of items perceived to be higher risk and track them during project reviews. On projects of even greater complexity, the process for evaluating risk is more formal with a risk assessment meeting or series of meetings during the life of the project to assess risks at different phases of the project. On highly complex projects, an outside expert may be included in the risk assessment process, and the risk assessment plan may take a more prominent place in the project implementation plan.

On complex projects, statistical models are sometimes used to evaluate risk because there are too many different possible combinations of risks to calculate them one at a time. One example of the statistical model used on projects is the Monte Carlo simulation, which simulates a possible range of outcomes by trying many different combinations of risks based on their likelihood. The output from a Monte Carlo simulation provides the project team with the probability of an event occurring within a range and for combinations of events. For example, the typical output from a Monte Carlo simulation may indicate a 10% chance that one of the three important pieces of equipment will be late and that the weather will also be unusually bad after the equipment arrives.
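The Monte Carlo approach described above, as an added example in Python that is not part of the original chapter. The probabilities and costs are constructed for illustration and the risks are assumed to be independent; the code estimates the chance that at least one of three pieces of equipment is late and the weather is also bad, and reports an 80th-percentile total cost of the kind a team could weigh when sizing contingency.

```python
import random

# Constructed inputs (assumptions for illustration, not figures from the chapter).
# Each risk is (name, probability of occurring, cost if it occurs).
EQUIPMENT_RISKS = [
    ("Equipment A late (vendor with a history of late delivery)", 0.60, 50_000),
    ("Equipment B late", 0.10, 30_000),
    ("Equipment C late", 0.10, 30_000),
]
WEATHER_RISK = ("Unusually bad weather after delivery", 0.20, 20_000)


def simulate(trials=100_000, seed=16):
    """Return (estimated P(any equipment late AND bad weather), sorted total costs)."""
    rng = random.Random(seed)  # fixed seed so a run can be reproduced and reviewed
    combined_hits = 0
    totals = []
    for _ in range(trials):
        total = 0
        any_late = False
        # Draw each equipment risk independently for this simulated project.
        for _name, prob, cost in EQUIPMENT_RISKS:
            if rng.random() < prob:
                any_late = True
                total += cost
        bad_weather = rng.random() < WEATHER_RISK[1]
        if bad_weather:
            total += WEATHER_RISK[2]
        if any_late and bad_weather:
            combined_hits += 1
        totals.append(total)
    totals.sort()
    return combined_hits / trials, totals


def percentile(sorted_values, fraction):
    """Value below which about `fraction` of the simulated outcomes fall."""
    index = min(int(fraction * len(sorted_values)), len(sorted_values) - 1)
    return sorted_values[index]


def exact_combined_probability():
    """Closed-form check; feasible only because these risks are few and independent."""
    p_none_late = 1.0
    for _name, prob, _cost in EQUIPMENT_RISKS:
        p_none_late *= 1.0 - prob
    return (1.0 - p_none_late) * WEATHER_RISK[1]


if __name__ == "__main__":
    p_combined, totals = simulate()
    print(f"Simulated P(late equipment and bad weather): {p_combined:.3f}")
    print(f"Exact value for comparison:                  {exact_combined_probability():.3f}")
    print(f"80th-percentile total risk cost:             {percentile(totals, 0.80)}")
```

With more risks, or risks that depend on one another, the closed-form check stops being practical, which is the situation where the simulation earns its keep.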

Risk Mitigation

After the risk has been identified and evaluated, the project team develops a risk mitigation plan, which is a plan to reduce the impact of an unexpected event. The project team mitigates risks in various ways:

  • Risk avoidance
  • Risk sharing
  • Risk reduction
  • Risk transfer

Each of these mitigation techniques can be an effective tool in reducing individual risks and the risk profile of the project. The risk mitigation plan captures the risk mitigation approach for each identified risk event and the actions the project management team will take to reduce or eliminate the risk.

Risk avoidance usually involves developing an alternative strategy that has a higher probability of success but usually at a higher cost associated with accomplishing a project task. A common risk avoidance technique is to use proven and existing technologies rather than adopt new techniques, even though the new techniques may show promise of better performance or lower costs. A project team may choose a vendor with a proven track record over a new vendor that is providing significant price incentives to avoid the risk of working with a new vendor. The project team that requires drug testing for team members is practicing risk avoidance by avoiding damage done by someone under the influence of drugs.

Risk sharing involves partnering with others to share responsibility for the risky activities. Many organizations that work on international projects will reduce political, legal, labor, and other risk types associated with international projects by developing a joint venture with a company located in that country. Partnering with another company to share the risk associated with a portion of the project is advantageous when the other company has expertise and experience the project team does not have. If a risk event does occur, then the partnering company absorbs some or all of the negative impact of the event. The company will also derive some of the profit or benefit gained by a successful project.

Risk reduction is an investment of funds to reduce the risk on a project. On international projects, companies will often purchase the guarantee of a currency rate to reduce the risk associated with fluctuations in the currency exchange rate. A project manager may hire an expert to review the technical plans or the cost estimate on a project to increase the confidence in that plan and reduce the project risk. Assigning highly skilled project personnel to manage the high-risk activities is another risk-reduction method. Experts managing a high-risk activity can often predict problems and find solutions that prevent the activities from having a negative impact on the project. Some companies reduce risk by forbidding key executives or technology experts to ride on the same airplane.

Risk transfer is a risk reduction method that shifts the risk from the project to another party. The purchase of insurance on certain items is a risk-transfer method. The risk is transferred from the project to the insurance company. A construction project in the Caribbean may purchase hurricane insurance that would cover the cost of a hurricane damaging the construction site. The purchase of insurance is usually in areas outside the control of the project team. Weather, political unrest, and labor strikes are examples of events that can significantly impact the project and that are outside the control of the project team.

Contingency Plan

The project risk plan balances the investment of the mitigation against the benefit for the project. The project team often develops an alternative method for accomplishing a project goal when a risk event has been identified that may frustrate the accomplishment of that goal. These plans are called contingency plans. The risk of a truck drivers’ strike may be mitigated with a contingency plan that uses a train to transport the needed equipment for the project. If a critical piece of equipment is late, the impact on the schedule can be mitigated by making changes to the schedule to accommodate a late equipment delivery.

Contingency funds are funds set aside by the project team to address unforeseen events that cause the project costs to increase. Projects with a high-risk profile will typically have a large contingency budget. Although the amount of contingency allocated in the project budget is a function of the risks identified in the risk analysis process, contingency is typically managed as one line item in the project budget.

Some project managers allocate the contingency budget to the items in the budget that have high risk rather than developing one line item in the budget for contingencies. This approach allows the project team to track the use of contingency against the risk plan. This approach also allocates the responsibility to manage the risk budget to the managers responsible for those line items. The availability of contingency funds in the line item budget may also increase the use of contingency funds to solve problems rather than finding alternative, less costly solutions. Most project managers, especially on more complex projects, manage contingency funds at the project level, with approval of the project manager required before contingency funds can be used.

Project Risk by Phases

Project risk is dealt with in different ways depending on the phase of the project.


Initiation Phase

Risk is associated with things that are unknown. More things are unknown at the beginning of a project, but risk must be considered in the initiation phase and weighed against the potential benefit of the project’s success in order to decide if the project should be chosen.

Example: Risks by Phase in John’s Move

In the initiation phase of his move, John considers the risk of events that could affect the whole project. Let’s assume that John’s move is not just about changing jobs, but also a change of cities. This would certainly incur more risks for the project. He identifies the following risks during the initiation phase that might have a high impact and rates the likelihood of their happening from low to high.

  1. His new employer might change his mind and take back the job offer after he’s given notice at his old job: Low.
  2. The current tenants of his apartment might not move out in time for him to move in by the first day of work at the new job: Medium.
  3. The movers might lose his furniture: Low.
  4. The movers might be more than a week late delivering his furniture: Medium.
  5. He might get in an accident driving from Chicago to Atlanta and miss starting his job: Low.

John considers how to mitigate each of the risks.

  1. During his job hunt, John had more than one offer, and he is confident that he could get another job, but he might lose deposit money on the apartment and the mover. He would also lose wages during the time it took to find the other job. To mitigate the risk of his new employer changing his mind, John makes sure that he keeps his relationships with his alternate employers cordial and writes to each of them thanking them for their consideration in his recent interviews.
  2. John checks the market in Atlanta to determine the weekly cost and availability of extended-stay motels.
  3. John checks the mover’s contract to confirm that they carry insurance against lost items, but they require the owner to provide a detailed list with value estimates and they limit the maximum total value. John decides to go through his apartment with his digital camera and take pictures of all of his possessions that will be shipped by truck and to keep the camera with him during the move so he has a visual record and won’t have to rely on his memory to make a list. He seals and numbers the boxes so he can tell if a box is missing.
  4. If the movers are late, John can use his research on extended-stay motels to calculate how much it would cost. He checks the moving company’s contract to see if they compensate the owner for late delivery, and he finds that they do not.
  5. John checks the estimated driving time from Chicago to Atlanta using an Internet mapping service and gets an estimate of 11 hours of driving time. He decides that it would be too risky to attempt to make the drive by himself in one day, especially if he didn’t leave until after the truck was packed. John plans to spend one night on the road in a motel to reduce the risk of an accident caused by driving while too tired.

John concludes that the medium risks can be mitigated and the costs from the mitigation would be acceptable in order to get a new job.

Planning Phase

Once the project is approved and it moves into the planning stage, risks are identified with each major group of activities. A risk breakdown structure (RBS) can be used to identify increasing levels of detailed risk analysis.

Example: Risk Breakdown Structure for John’s Move


Figure 16.4 Risk Breakdown Structure (RBS) for Packing John’s Apartment
Source: http://pm4id.org/11/3/


John decides to ask Dion and Carlita for their help during their first planning meeting to identify risks, rate their impact and likelihood, and suggest mitigation plans. They concentrate on the packing phase of the move. They fill out a table of risks, as shown in Figure 16.4.

Implementation Phase

As the project progresses and more information becomes available to the project team, the total risk on the project typically reduces, as activities are performed without loss. The risk plan needs to be updated with new information, and risks related to activities that have already been performed need to be checked off.

Understanding where the risks occur on the project is important information for managing the contingency budget and managing cash reserves. Most organizations develop a plan for financing the project from existing organizational resources, including financing the project through a variety of financial instruments. In most cases, there is a cost to the organization to keep these funds available to the project, including the contingency budget. As the risks decrease over the length of the project, if the contingency is not used, then the funds set aside by the organization can be used for other purposes.

To determine the amount of contingency that can be released, the project team will conduct another risk evaluation and determine the amount of risk remaining on the project. If the risk profile is lower, the project team may release contingency funds back to the parent organization. If additional risks are uncovered, a new mitigation plan is developed including the possible addition of contingency funds.

Closeout Phase

During the closeout phase, agreements for risk sharing and risk transfer need to be concluded and the risk breakdown structure examined to be sure all the risk events have been avoided or mitigated. The final estimate of loss due to risk can be made and recorded as part of the project documentation. If a Monte Carlo simulation was done, the result can be compared to the predicted result.

Example: Risk Closeout on John’s Move

To close out the risk mitigation plan for his move, John examines the risk breakdown structure and risk mitigation plan for items that need to be finalized. He makes a checklist to be sure all the risk mitigation plans are completed, as shown in Figure 16.5. Risk is not allocated evenly over the life of the project. On projects with a high degree of new technology, the majority of the risks may be in the early phases of the project. On projects with a large equipment budget, the largest amount of risk may be during the procurement of the equipment. On global projects with a large amount of political risk, the highest portion of risk may be toward the end of the project.


Figure 16.5 Closeout of Risk Mitigation Plan for John’s Move
Source: http://pm4id.org/11/3/



Parker, D., & Mobey, A. (2004). Action Research to Explore Perceptions of Risk in Project Management. International Journal of Productivity and Performance Management 53(1), 18–32.



This chapter of Project Management is a derivative copy of Project Management for Instructional Designers by Amado, M., Ashton, K., Ashton, S., Bostwick, J., Clements, G., Drysdale, J., Francis, J., Harrison, B., Nan, V., Nisse, A., Randall, D., Rino, J., Robinson, J., Snyder, A., Wiley, D., & Anonymous. (DATE). Project Management for Instructional Designers. Retrieved from http://pm4id.org/. licensed under Creative Commons Attribution 3.0 Unported.



16. Risk Management Planning by bpayne and Adrienne Watt is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
