Project Risk Management – Part 7 of 8

Submitted by Guy Shtub on December 11, 2014 - 21:12

This is the seventh post in an eight part series that covers the fundamental theory of project management. In this post we will focus on Project Risk Management. The series is based on our online learning course Hands on Project Management Theory and Practice.
In this post we will discuss and define risks in projects. We will present the tools and techniques commonly used to identify, analyze and manage risk before, during and after the project.
Risk is the possibility that an event with adverse consequences for the project will take place and, consequently, that the project may not achieve its goals or may violate its constraints. Based on this definition, risk is associated with uncertainty. In other words, if we know for sure that an event with adverse consequences for the project will take place, this event does not pose a project risk but it is part of the information we need to take into account in developing the project plan.


According to this definition there are several types of uncertainty involved in each risk event, including:

  • Will the event take place?
  • If the event takes place, when will it happen?
  • And, if the event will take place, what is the impact on the project goals and constraints?


We’ll cover the tools and techniques used to deal with these questions during the project life cycle.


Risk identification is an effort to list the events with adverse consequences that might take place during the project. This effort is largely based on the experience gained in the past with similar projects, and on the knowledge gaps that are identified during the project planning phase. Some sources of risk are:

  • At the task level, the risk that a task will take longer than planned
  • At the resource level, the risk that a resource unit will not be available when needed


Every project risk should be analyzed in order to decide what to do about it, if anything, and when to do it. The decision is based on several criteria such as:

  • The probability that the risk event will take place during the project
  • The impact of the risk event on the goals and constraints
  • The cost of taking each of the possible alternative actions to deal with the risk
  • The tolerance or sensitivity of the project stakeholders to the consequences of the risk event


The analysis starts during the project planning process and it is based on the information available prior to the project execution. It continues during project execution as new information becomes available and can be used to reevaluate and consequently change or improve prior decisions.
The simplest way to deal with risk is to ignore it. This is the worst decision, as it really means that many other options are not considered and opportunities that might exist to mitigate the risk are lost. In other words, it should be assumed that if you do not attack project risks they will attack you.
The easiest way to analyze risk is to map the risk events based on the probability or likelihood of each event occurring and based on its impact.



In this map, risks in the upper right corner are high-probability, high-impact risks, and the project manager should consider mitigating them. Risks in the lower left corner are low-probability, low-impact risks that the project manager should consider accepting, as we will see next.
Mitigation of risks is also known as the proactive approach, as it is done prior to the risk event actually happening.
Acceptance of risks is also known as the reactive approach, as actions will be taken as a reaction to the risk event after it has actually occurred.

An extreme decision is to avoid the risk altogether, either by reducing the probability of the risk event to zero, by reducing its impact to zero, or both. This can be done, for example, by creating project plans that use modes of execution that are not sensitive to the specific risk events. For example, it is sometimes possible to select modes that do not use risky resources. Risky resources are ones that have a high probability of not being available when needed.


Another way to reduce risk is to assign excess resources as a buffer against the event that resource units will not be available when needed.
The probability that the activities requiring this type of resource will be delayed is reduced with the increase of the buffer size we create.
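
The buffer effect described above, worked through as an added example that is not part of the original post or course. It assumes each resource unit is unavailable independently with the same probability; the function names and the sample numbers (3 required units, 10% unavailability) are illustrative assumptions.

```python
from math import comb


def shortage_probability(required: int, buffer: int, p_unavailable: float) -> float:
    """Probability that fewer than `required` units are available when
    `required + buffer` units are assigned (assumed independent units)."""
    if required < 0 or buffer < 0:
        raise ValueError("required and buffer must be non-negative")
    if not 0.0 <= p_unavailable <= 1.0:
        raise ValueError("p_unavailable must be between 0 and 1")
    assigned = required + buffer
    # A shortage happens only when MORE than `buffer` units are unavailable,
    # so sum the binomial tail from buffer + 1 up to all assigned units.
    return sum(
        comb(assigned, k)
        * p_unavailable ** k
        * (1.0 - p_unavailable) ** (assigned - k)
        for k in range(buffer + 1, assigned + 1)
    )


def smallest_buffer(required: int, p_unavailable: float,
                    tolerance: float, max_buffer: int = 100):
    """Smallest buffer whose shortage probability is within `tolerance`,
    or None if no buffer up to `max_buffer` is enough."""
    for buffer in range(max_buffer + 1):
        if shortage_probability(required, buffer, p_unavailable) <= tolerance:
            return buffer
    return None


if __name__ == "__main__":
    # Constructed sample: an activity needs 3 units, each unavailable 10% of the time.
    for b in range(4):
        print(f"buffer={b}  P(shortage)={shortage_probability(3, b, 0.10):.5f}")
    print("smallest buffer for <=5% shortage risk:", smallest_buffer(3, 0.10, 0.05))
```

Each extra unit also has a cost, so the buffer size chosen this way still has to be weighed against the cost-of-mitigation criterion listed earlier.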

It is also possible to schedule activities that generate cash to start early to reduce the risk of bankruptcy. Additionally, it is advisable to reduce the duration of the critical path by crashing activities to reduce the probability of late finish of the project.
Sometimes it is better not to mitigate risks. This occurs when the likelihood of the risk event is low, its impact is low, or the cost of mitigation is higher than the cost of accepting the risk. This might be the case if the stakeholders are not sensitive to the impact of the risk event.


For example, if the tolerance of the stakeholders to late finish of the project is high, and therefore the penalty for delays is low, it might be better not to take any action during the project planning and to monitor the risk as part of the monitoring and control effort during project execution. In this case it might be necessary to take corrective actions during project execution, such as splitting an activity due to lack of resources.
The Critical Chain project management approach focuses on scheduling risks, assuming that cost is a function of project duration. By planning the project to finish earlier than the due date, time buffers are created that protect the project from scheduling risks.

An important part of risk management is learning from past projects. One way to do this is simply by learning from the past experience of senior project managers. However, a much better way to do this is by capturing past project information and learning from it. This can be done with the PTB Analytics.
Project risk management is performed throughout the project life cycle. It starts with risk identification, followed by risk mitigation, and finally risk monitoring and control. The project manager must take risk into account and deal with it continuously.