Risk Management Processes


Managing risks in project is imperative for its success. We need to have a process (or processes) in place for risk management to be effective. Here are the five steps project manager can use for risk management:

1. Identify Risks – Identify risks that affect the project (positively or negatively) and documenting their characteristics

2. Assess & Analyze Risks – Assess the risk impact, Analyze the probability of risk occurrence and prioritize the risks, numerically analyze the effect of identified risks on project objectives (usually on cost, schedule and scope targets)

3. Plan Actions – Explore all the possible ways to reduce the impact of threats (or exploit opportunities). Plan actions to eliminate the risks (or enhance the opportunities). Action plans should be appropriate, cost effective and realistic.

4. Monitor & Implement the Action – Track the risks throughout the project. If risks occur then implement the risk strategy based on action plan. Ex. If mitigation strategy is selected, execute the contingency plan based on risk triggers. In case contingency plan fails, execute fallback plan.

5. Measure the effectiveness & Control the risk impact – Measure the effectiveness of the planned action and controlling the risk impact by understanding risk triggers & timely implementation of planned actions.

Risk management processes are cyclic which starts from identification of a risk and it may result in identification of another new risk.

Risk Management Processes

Usually, each individual have different opinions & ways to deal with risks. Some go for avoidance. Others go with risk taking. So, while working for a project, the approach to risk should be consistent to meet project objectives & this need to be documented in a risk management plan. Communication of risk and its approach to be done to risk team member/risk owners/stakeholders.

Here is the links for all the PMBOK Risk Management processes in Mind Map structure:-

Plan Risk Management – Mind Map

Identify Risks – Mind Map

Perform Qualitative Risk Analysis – Mind Map

Perform Quantitative Risk Analysis – Mind Map

Plan Risk Responses – Mind Map

Monitor & Control Risks – Mind Map

What are different Risk Reserves?


We can divide risks into following three broad category based on their identification & response planning:

1. Known – Responded (with avoidance, mitigation, transference)

2. Known – Not responded (or accepted)

3. Unknown (here also default strategy is acceptance)

Eliminating maximum number of risks is the main objective. But not all can be eliminated or responses would be too costly or time consuming and hence the risks are accepted.

In case of transference – project cost need to include the insurance amount

In case of mitigation – project cost and schedule need to consider the extra effort to execute contingency plan and subsequent fallback plan in case of contingency failure.

So even implementing planned responses increases cost and schedule of the project to execute the activities. These are not extra. They are inherent to the project based on the risk responses and it should not omitted during planning phase. These added cost and schedule due to risks are called ‘Reserve‘.

There are two types of reserves.

Contingency reserve is needed to tackle residual risks or “Known – Unknowns”. Risks that are identified but they are accepted.

Management reserve handles the “Unknown” risks. Those risks that are not identified as part of risk management process are “Unknown” risks. We don’t know what the risk is and we don’t have any response plan for them. They falls under ‘accepted’ risks.

Project manager has to take these into consideration in project schedule & budget plans. General representation of the project total budget & total schedule is:

Project’s Total Budget = Sum(Project’s Activity Cost) + Contingency Reserve + Management Reserve

Project’s Total Schedule = Critical path duration + Contingency Reserve + Management Reserve

Risk Response Planning Strategies


General risk response strategies.

Risk Response Planning

Risk Response for Negative Risks:

Avoidance: “I want to eradicate the risk by eliminating its cause” strategy. In this either the risk eliminated by different means or by changing the project plan. Hence probability of risk becomes zero which will improve safety to project success. This is the best possible strategy. But it is not possible to follow avoidance all the time. Example for avoidance: House construction during summer instead of rainy season.

Transference: “In case of risk occurrence, third party will bear the impact” strategy. This one is next to avoidance in terms of project safety (esp. financial risks). Here risk is not eliminated but the risk impact is transferred to another one with extra project budget cost. Example: Annual Maintenance Contract, Shop Fire Insurance, Theft Insurance, Natural Disaster Insurance.

Mitigation: “Reduce the probability & impact of risk to accepted level by good planning before hand” strategy. Mitigation is taking calculated risk. We know there could be a risk. We can not avoid it. But we know we can reduce the probability & impact by taking some measures at the start of the project. Hence we added few activities for that in execution phase.

Acceptance: “In case of risk occurrence, nothing to do” strategy. This is the Worst ever strategy & most of the risk books do not call this as strategy at all ! All unidentified risks falls under this response category.

Risk Response for Positive Risks:

Exploitation: “I want to take advantage of an opportunity” strategy. We know there is a sure thing happens with this risk. Plan all actions to get more results of that. In this way we are increasing the impact. For example adding talented resources to reduce project time.

Sharing: “Having partnership in utilizing maximum advantage” strategy. Leaving ownership of the risk to another party who can tap the opportunity for our benefit. Good example on this is outsourcing to specialized groups.

Enhancing: “Getting it done by doing the right things” strategy. Identify few enhancers or drivers for the event, perform that in such a way it increases the probability and/or impact of it.

Acceptance: “In case of risk occurrence, nothing to do” strategy. Though this is a worst negative response strategy, it is a nice one for positive risks. No need to throw stones on the tree, fruit automatically falls on your lap in the windfall!

Secondary Risks


You came up with initial identification, analysis and responses of project risks. But you found one new risk arises because of implementing already planned response for a risk.

What to do with the new risk?

The new risk is called as ‘Secondary risk’. Secondary risks should also follow the same process like qualified, quantified and responses planned for them like in original risk.

Definition from PMBOK® Guide: Secondary risks that arise as a direct outcome of implementing a risk response.

In some cases, secondary risks remain after responses. They all all accepted for which the contingency plan & fallback plan need to be prepared.

Residual Risks


Risk management is a cyclic process. But for a project, it cannot go on for ever. Right? Project manager, his team & management has to find a stop point on further assessment & responses. Those risks that remain even after developing responses to the project’s primary (or original) risks are called as Residual Risks.

Impact of residual risks are usually actively accepted. The project team has to document & monitor these risks throughout the project as they may occur anytime. Contingency plans & fallback plans are created to handle the situation when these risks occur.

Residual Risks are termed sometime as ‘Known Unknowns’ i..e these are identified risks(‘known’) but their impact is ‘unknown’ and it is accepted.

Known or Unknown – what type is your risks are?


In our school days, we studied about probability of occurrence of an event like probability of getting 2 when rolling a dice once = 1/6. I hated probability in my college days as lot of derivations and assumptions need to be done. When I studied the same in Project Risk Management, I understood the real application. But it is not too late for me to brush up my school probability one more time.

Okay, let us dive into the topic right now.

What are ‘known’ risks?

‘Known’ risks are somewhat predictable & proactively managed. ‘Known’ indicates those risk that can be identified, analyzed & planned in advance.

What are ‘unknown’ risks?

Unknown risks are those unable to anticipate and describe. Unknown risks cannot be managed proactively. These risks that result from the uniqueness of the work and they are difficult or impossible to anticipate.

For any project, before starting risk management planning process, ‘Unknown’ risks would be high. But through proper Risk Management Planning process, almost all risks can be explored which keeps ‘unknown’ risks to a minimal number.

In ideal situation, 0% ‘Unknown’ risk possible!(?)

Risk Management Planning

Generally, the best method for managing unknown risk involves allocating reserves on the basis of the measured consequences of unanticipated problems on similar past projects.

Enterprise Environmental Factors (EEFs)


Let me start the topic with the following four questions:

* What are the environmental factors that influence your project’s success?

* Is those environmental factors are external or internal to your organization?

* Is the factor going to affect the project outcome positively or negatively?

* Is any factor imposing any constraints on the existing project management options?

You may bring a list of factors for the above thought provoking questions. Here we go!

The project manager must consider any or all external environmental factors and internal organizational environmental factors that surround or influence a project’s success. These factors are referred as Enterprise Environmental Factors (EEFs).

These factors may come from any or all of the enterprises involved in the project and it may include lot of things like organizational culture & structure, existing resources, PM softwares, etc. But these must be taken into account for every project process like project charter preparation, project planning, scheduling, costing, resources, etc.

Enterprise Environmental Factors include(not limited to):

* Organizational culture & structure, Infrastructure,

* Government rules, guidelines, regulations or industry standards,

* Marketplace conditions,

* Stakeholder risk tolerances,

* Project management information systems(PMIS),

* Existing human resources factors like skills, knowledge, disciplines,

* Personnel administration like hiring, performance review guidelines, training,

* Published commercial information or databases for estimations,risk data

* Company work authorization system.