Project Risk Management

By Mark Romanelli

09 August 2018, updated 24 September 2018

All projects face risk. That's why risk management is an important part of project management. But what exactly is project risk management and what can a project manager do in order to manage risk? According to the Project Management Institute, project risk management involves planning for risk management, identifying and analysing potential risks, developing and implementing risk response strategies, and monitoring the risks throughout the course of a project. This article will help to explain the types of project risks and provide some simple, but very useful, tools and techniques for risk identification, assessment, and response planning.

Types of Risk

By their nature, project risks represent unknown events and incidents that can occur during the course of a project with negative outcomes on the project's ability to deliver its intended results. Project risks fall into two categories: 1) known unknowns and 2) unknown unknowns.

Known unknowns are risks (unknowns) that can be reasonably identified and planned for. Because they can be identified, they can be listed and therefore 'known.' Examples of potential known unknowns include delays in delivery, bad weather, or equipment failure.

Unknown unknowns are risks to the project that fall outside the scope of normal possibility. Examples of unknown unknowns include natural disaster, political risk, and acts of God. Since they cannot be identified and planned for, these events are considered 'unknown'.

Because unknown unknowns are outside of the normal scope of possibility, they are difficult and often impossible to plan for. Many projects that do take them into consideration plan additional project budget and time as response strategies. The risk management tools and techniques listed here are suggestions for addressing realistic, identifiable project risks – known unknowns. These tools and techniques include:

  1. Risk Identification
  2. Risk Assessment
  3. Risk Response Planning

Risk Identification

Before risks can be managed, they need to be identified. This can be best accomplished by bringing together project team members and experienced subject matter experts in order to review all of the elements of a project to identify potential risks. The result of this brainstorming session should be a list of all potential risk events, large and small, in a project. From this list, the project team can eliminate any unreasonable or unlikely risks to compile a list of identified, known unknown, project risks.

Risk Assessment

Once the potential risks are identified, a project team needs to determine the severity of each individual risk. This can be accomplished by using a Probability / Impact Matrix. This tool involves looking at each risk and determining how likely it is to occur (the probability) and how bad the consequences are going to be to the project if the risk does occur (the impact). Based on the combined assessment outcomes of these two dimensions, a project team can gain an enhanced understanding of the nature of the risk and therefore better plan an appropriate response strategy.

[Figure: Risk assessment matrix]

Risk Response Planning

There are four generic risk response strategies that can be used to address identified, known unknown, project risks:
  • Accept
  • Avoid
  • Mitigate
  • Transfer

Each response strategy is described below, along with its corresponding effect on the Probability / Impact Matrix risk assessment. An example of each type of risk response is provided in the context of a simple project: planning an evening out with friends for the coming weekend.


Accept

To accept a risk means to decide that planning an active response strategy isn't necessary. This is done when a risk is identified, but determined not to cause a significant enough issue to be worth the time and effort to plan around it. Such is the case when a risk is assessed as both low probability and low impact.

In our example project, you could identify a taxi cab drivers' strike as a low probability, low impact risk to your project. It is unlikely that such a strike will occur this weekend, and if it does you can always select an alternative form of transportation (Uber, bus, etc.), so the impact is also low. Since this is the case, you decide to accept this particular risk.

Acceptance doesn't mean that the risk should be ignored. A project team should still track accepted risks and be prepared to formulate a response should the event occur.


Avoid

To avoid means to escape something that is potentially harmful. As a project management risk response strategy, avoiding a risk means to try to keep it from happening. In other words, to reduce the chances (the probability) of the risk event happening.

The avoid response strategy can be used for identified project risks with a high probability rating. The goal is to reduce, or possibly even eliminate, the probability of the risk event.

For our example project, you may have identified a risk that one particular friend, Carl, will behave badly and cause problems for the rest of the group. Based on past experience, you know this risk is a high probability. In order to avoid this risk, you may want to speak with Carl beforehand – or decide not to invite him at all – and thereby avoid the risk by reducing its likelihood of occurrence.


Mitigate

To mitigate something means to lessen its severity or seriousness. This is also what happens when mitigating an identified project risk. To mitigate a project risk means to take actions in order to reduce the severity of the risk's impact should it occur. This way, if the risk does occur, the harm done won't be as bad.

The mitigate response strategy can be applied for project risks with a high impact rating. Similar to the avoidance strategy, the goal in this case is to reduce, or even avoid altogether, the impact of a particular risk to the project.

For your evening out, let's say that you plan to visit two locations – a restaurant and a theatre. There is a risk of rain for the evening and, try as you might, that risk can't be avoided. The impact is that your group will get wet while walking from one venue to the next. You may choose to lessen the impact of (mitigate) the risk by bringing umbrellas with you for the walk. This way, should the risk occur, the results won't be as bad.


Transfer

Sometimes, there is a risk that is simply too much for the project to agree to take on. This could be because of a high likelihood that cannot be reduced, a high impact that cannot be mitigated, or a combination of the two. When this is the case, the best response strategy may be to transfer the risk to a third party. This is commonly done when purchasing insurance policies. The risk is transferred from the responsibility of the project team, usually at a cost (or premium), to another party who agrees to accept and manage the risk.

Risk transfer is employed when the risk levels, on one or both of the examined dimensions, cannot be reduced or managed to be within acceptable risk tolerance levels for the project.

Referring back to our example, let's assume that the night out also involves an overnight stay at a pricy hotel. Your group is fairly certain that the evening will go off, but not enough to risk the full booking fee of the hotel. Therefore, when booking the hotel, your group may decide to pay a little bit extra for the reservation to include a free cancellation policy. With this approach, and for a small fee, the risk of cancellation cost is placed on the hotel and not the members of your group.

[Figure: Matrix showing risk mitigation strategies and how they act on risk impact and probability]

Clearly, these four response strategies won't work for addressing every identified risk in every situation. Sometimes combinations of these response strategies will be necessary. In other cases, completely new and creative responses will be required to address unique constraints and circumstances. But in many cases, these response strategies will be enough to address most of the risks encountered on most projects. In order to make the most of them, it is important to know how each one works and when they are best used.

As a project is monitored and controlled, risk management is a part of the process. From start to finish, it is a project team's ongoing responsibility to monitor and control the progress of a project and take corrective actions when necessary. This also includes monitoring and controlling for project risks.

Project risk management can be a simple or complex process, depending on the nature of the project. With these tools, many projects can be risk managed in order to increase the likelihood of successful project completion.

About the Author: Mark Romanelli is a full-time lecturer in the Sports, Culture, and Events Management program at the University of Applied Science Kufstein Tirol (FH Kufstein Tirol) in Kufstein, Austria. His curriculum includes courses in Project Management and Strategic Project Development. He is a member of the Project Management Institute and a Certified Associate in Project Management.
