Explore

A 6-step project risk management process

Your no-nonsense guide to better risk assessment.

If you spent a lot of time in outdoors-themed organizations growing up, then you know that they emphasize being prepared for whatever life throws at you. The goal is to anticipate and prepare for potential problems so that they’re easier to handle. In survival situations, proactivity outweighs reactivity.

The same strategies hold true with project risk management. The better prepared you are, the less time you spend dealing with issues.

What is project risk management?

Project risk management is the act of identifying, assessing, and mitigating risks that might occur during any given project. Risk, in this case, is defined as anything (good or bad) that might have an effect on the project objectives and outcome. It could be taking a chance on a new team member and who ends up helping you finish the project ahead of schedule. Or it could be a network crash that sets you back weeks.

Like wilderness survival, the goal of project risk management is to be as prepared as possible for anything that might happen. You’re planning for the just-in-case moments. Without solid risk management plans, things can go south quickly.

What are the 6 steps in the project risk management process?

I’ve broken down the project risk management process into 6 steps. I’ve published a

risk analysis template⁠

that will guide you through most of these steps. And I’ve linked a few other helpful templates you can adapt into your own efficient process to identify, assess, and plan for potential risks.

1. Risk identification

The first thing is to identify all the possible sources of risk in your new project. These could be good things, bad things, or things that are time-wasters. The goal is to figure out what these things are.

Chances are that you’ll be able to identify most of the potential sources of risk based on previous experiences in projects. However, there might also be things that could happen that you’ve never encountered before. It’s a good idea to include others in the risk identification process. For example, running a brainstorming session of sorts can be an effective method for coming up with new risks that you’ve never encountered before.

2. Risk analysis

Once you’ve identified risks you may encounter in a project, it’s time to take a deeper look into each. In this analysis phase, you’ll classify the risk, determine its impact on the project, and plan a strategy for mitigating the risk.

There are a few ways you could analyze risk. A

risk matrix⁠

allows you to create a visual representation of the impact of the risk and how likely it is to happen. Again, this is where you can jump into my

risk analysis template⁠

, which will help you run both quantitative risk analysis and qualitative risk analysis.

3. Risk ownership

Being prepared on every level also means avoiding blame. By assigning ownership of risk, you proactivity hand off the response to the appropriate team and foster a culture of support and empowerment. The risk owner should be the person who has the best skills to mitigate individual risks on your team.

For example, if something goes wrong with the back-end of an app you just launched, you can’t expect your copywriter to solve the problem. In a project risk management process, you would have given ownership of this risk to your engineers and empowered them to put the mitigation plan in motion when ready.

You can see an example of risk ownership assignments in my

risk analysis template⁠

⁠

Screen Shot 2021-10-19 at 10.31.15 AM.png

⁠

4. Risk prioritization

Once you decide who is responsible for the risk, prioritize it. In this step, you’re looking for things that are going to have a big impact on the end result (either good or bad) and that are very likely to happen. Prioritization is a part of the risk assessment process and where the

risk matrix⁠

comes in handy. As you can see by the diagram below, the matrix clearly tells you what kind of priority each kind of risk should be — guesswork is typically not part of this step.

⁠

(

source⁠

)

5. Risk response plan

This is probably the most critical step of the process. Each type of risk you encounter (or at least the high priority ones) should have a risk response plan in place to help with risk mitigation, should the risk actually occur. Ideally, you’ll have a plan in place for everything you’ve identified. Focus first on the high-priority risks.

Your response plan should have clear steps to follow that help mitigate the risk, including who’s in charge of what, what needs to be done, and how fast it needs to happen. Here’s what the plan looks like in my

risk analysis template⁠

⁠

Screen Shot 2021-10-19 at 10.29.45 AM.png

⁠

6. Monitor risk management strategy

Finally, you need to monitor your strategy to make sure that it’s working the way that it should and that you’re adequately prepared for each potential risk. Our advice would be to use our post-mortem and

project closeout template⁠

at the end of the project to assess how you handled the situations that came up, as well as a way to improve your processes around how you manage risk.

Positive vs negative risks and the impact they can have on your project

Even though we’ve already touched on this, it’s always worth calling out that not all risks are bad.

It’s entirely possible that when you’re running your project, you’re going to encounter situations that are risky but ultimately very good for your project. These are going to be things that allow you to finish early, find innovative solutions to your business problems, or even bring in more customers to your business.

The other end of this is negative risk. This is what you want to avoid. Negative risk tends to result in things like failed projects, blown deadlines, or scope creep.

It’s worth noting here that good or bad, risks can’t necessarily be prevented. That’s why project risk management focuses so much on planning for potential situations that may never happen. But, if they do happen, then you’re prepared.

Improve project risk management with Coda

Coda’s building blocks and templates can help you better manage situations when they come up. I want to mention two of my favorite docs that work to clearly identify both the risk itself and the points in the project where something might happen.

Gantt chart

Gantt charts, or timelines as Coda calls them, are excellent ways to visually identify potential risks. Seeing your entire schedule laid out this way can help you identify moments where risk may occur. I highly recommend playing around with

conditional formatting⁠

to highlight those moments. For example, you could use different colors within the chart that indicate the severity of the potential risk (red for high impact, green for positive impact, etc.).

There are also going to be moments when critical tasks overlap in ways that aren’t ideal or conflict with other aspects of the project, Gantt charts, because of the way they’re designed, make those moments obvious.

Test out this

Gantt chart template⁠

to decide whether it’s a useful tool for your project risk management.

Kanban boards

Similar to Gantt charts, kanban boards can be used as a way to help with project risk management. The kanban system uses cards that identify the various tasks that need to be completed within a project. As a risk management tool, these cards can be color-coded to highlight moments where risk may occur. It provides you with a quick way to identify risks, so you can hand off potential issues to the people most suited to dealing with them (that’s the assign risk step from above).

It ends up looking something like this.

⁠

(

source⁠

)

Of course, if you’d like to play around with that, we’ve got you covered. This

kanban template⁠

has everything you need to get started.

Project risk management FAQ

What are the 3 types of project risk?

There is more than one kind of risk that you might encounter during a project. The actual risk itself may vary depending on the specifics of your project, but the impact of that risk typically falls into one of three categories.

Financial - These are the risks that cost you money. This could be something that delays the project, or it could be needing more tools than you initially thought, or it could be something breaking that you need to fix. Whatever the cause, you feel this one in your pocketbook.

Schedule - These are things that affect the schedule of the project. Scope creep is a classic example. Increased scope means increased time needed for completing those additional tasks. The schedule could also be affected for a range of reasons, from team members being away longer than expected to aspects of the project being more challenging than initially thought.

Performance - This is anything that results in a lower quality deliverable (or final product) than the project plan called for. Here, we’re looking at things like team members who are burning out or don’t have the skills you thought they did. It could also be that the timeline was too short and people had to rush.

What are examples of project risks?

Specific kinds of risks you might encounter while working that could impact project success:

Technology - There are potential tech issues that always exist, including your network crashing, computers going down, a cyberattack, the power going out in your building, or the tools you’re using going down. Technology risks can be hard to plan for because they’re often unexpected and usually require the help of an IT department to get things running again.

Communication - This happens when there isn’t enough clear communication at all levels. It could involve key stakeholders, team members, or clients and often is the result of either too many different communication channels (leading to confusion), too much communication, or not enough.

Scope creep - Scope creep is every project manager’s nightmare. This happens when the clients (or stakeholders) ask for small changes to a project that add work and increase the project length. This often starts out innocent enough, but if not properly managed it can become very overwhelming very quickly as the project scope increases beyond the point of being able to manage it.

Cost - Cost becomes a problem when you overshoot your budget. Sometimes, cost and scope creep go hand in hand (because the cost increases with the scope), but sometimes it’s the result of either unexpected project costs along the way or poor budgeting.

Operational - There’s a reason project managers spend a lot of time fine-tuning their workflows and using systems that help them keep everything on track. Without a smooth workflow, your project can fall behind and costs can increase.

Lack of skills - If your team doesn’t have the necessary skills to complete the job (or those skills aren’t as developed as they could be), you’re facing some project risks. This one can be avoided by running training sessions with your team or by ensuring that you pick team members that can get the job done.

What is the difference between project risk and project crisis?

The biggest difference between a project risk and a project crisis is that a risk is something that might happen, where a crisis is something that is happening. With project risk management you’re identifying and preparing for anything that could happen during a project and coming up with response plans.

Crisis management focuses more on implementing those plans once something has happened. Crisis management is also something that covers unforeseen events, things that you could plan for, but are often so unlikely that you don’t. This could include the death of someone in your company or a major natural disaster in an area not usually prone to disasters.

How does a project manager mitigate the risks?

The best way to mitigate risks is to be prepared. The more you’re ready for certain things to happen (risk), the better you’ll be able to mitigate the event should it actually happen. Here’s what this looks like:

Use risk management - Positive thinking isn’t going to pull you out of the weeds if things start happening during a project - good planning will. Use risk management to identify and prepare for potential worst-case scenarios.

Communicate with your team - Talk about risks during your

kickoff meeting⁠

. This way, your team knows what to expect and what do to if things go south.

Prioritize risk - A risk matrix helps you rank risk according to the severity and impact.

Analyze risk - Risk analysis helps you figure out exactly what the impact of the various kinds of risks might be. The more in-depth your analysis, the more accurate your response will be.

Respond quickly - Like a lot of things, the sooner you deal with something when it happens, the better. If you drag your feet when responding to a small problem (either because you don’t have a good plan in place and have to figure things out or because you just don’t want to deal with it), you give that issue time to get worse.

Analyze your response - You can’t just let things happen, deal with them, and then never speak of them again. That doesn’t help you learn. Instead, take the time to look at how you responded to an incident, whether or not your response was successful, and what you could do differently next time. This helps you gain a better understanding of how you handle things. You should also take time to identify what led to something happening in the first place. If you can, run through the events that led to the incident and determine what, if anything, you might have been able to do to prevent it. This, in turn, gives you a path to follow next time you identify certain kinds of risk in the future.

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.