Four Steps of the Risk Management Process

Dealing with project risk requires you to adopt a risk management process. There are various formal processes defined these days, for example in the Project Management Book of Knowledge or the PRINCE2 methodology. Whilst these differ in detail, they are all mostly compatible with the ISO 31000 risk management standard, and all follow the same broad process. which may be considered best practice:

1. Identify

Identify the risks that are relevant to your project. Some of the tools you can use to do this are brainstorms, workshops, checklists, interviews, and surveys. Involving people with subject matter expertise is especially important at this stage. Risks are typically recorded in a project risk register (see below).

2. Assess

Once you identify a risk, you must assess how it will impact your project. This is typically done using two criteria: probability and impact. Risk probability states how likely a risk is to be realized, whilst risk impact states how severely the risk will affect your project if realized. It is common to assess these criteria using a qualitative scale (high/medium/low etc), though some governance standards require quantitative assessment. Multiplying the two criteria together (either numerically or using a matrix) yields a result which is called the risk exposure or level of risk.

3. Respond

Every project risk requires a response that is appropriate, achievable, and affordable. The risk level will very much determine the response. For example, you may choose to simply accept a low-level risk while a high-level risk demands a more aggressive response. Possible risk responses include:

1. Avoiding the risk by not pursuing the activity that gives rise to the risk

2. Accepting the risk and the consequences if it is realized

3. Mitigating the risk by changing the probability and/or impact of the risk

4. Transferring the risk to another party

Having defined the response, an action plan is typically required to execute the response.

4. Monitor

Project risk management is not a single activity but an ongoing process that should be part of your project governance process. For example, a weekly project management meeting might allocate time to risk management. You must closely monitor your project risk register, adding new risks as they arise, changing the assessments as new information comes to light, and also tracking the progress of response plans. Most project governance regimes also require regular risk reporting.

Risk Register by ProjectBalm can readily integrate with your risk management process