In my first major project, my PMO told me I needed to do a Risk Register, so I did one to satisfy them. But when we started facing issues on that project, it was so clear that my risk responses were totally inadequate. While there were lots of out-of-my-control reasons for those issues, I learned by hard knocks that I needed to understand at a fundamental level how risk worked and what to do about it to make sure my projects don’t become embarrassing flops.
On the other side, I later learned that effective risk management can become a competitive advantage for an organization because it allows an organization to attempt projects that other organizations may find overly risky.
Before we dive in, I want to say up front: the end goal of all risk management is not just to list risks; it is to plan and execute Risk Responses. That means that every step and every tool in this process exists to help you, as a project manager, know what to do about the sources of risk that exist within your project, because responding to risk appropriately is the primary business value gained from risk management.
My experience in leading industrial projects is that risks that affect product quality, occupational safety, & environmental impact tend to be well managed as there are corporate policies around these. However, on the level of project success, project managers sometimes do just enough risk management to satisfy their PMO, but no more. That’s what happened to me. And without insight into how the process is supposed to work, this type of risk management will not add much value to a project.
This is a multi-part blog post. Part 1 will focus on what risk is, and how to identify risks. Part 2 will focus on measuring risk, specifically Qualitative & Quantitative Risk Assessment terms. Part 3 will focus on strategies to deal with risk, which PMI calls Risk Responses. Part 4 will deal with ways to communicate with stakeholders about risks, as their support is usually needed to successfully implement risk responses.
What is Risk?
When we use the word “risk” in project management, we mean something specific. For us this is a technical term. According to PMI, the word “Risk” means “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.” Let’s break that down:
Uncertain event — Something that may or may not happen in the future. There’s always a level of uncertainty surrounding risks, and you need to make decisions about risk based on your best judgement of what may happen and
Positive or negative effect — It could hurt your project, or it could help your project. We call negative risks “Threats”, and we call positive risks “Opportunities”. Both types of risks should be considered in your risk management approach to increase the business value of your projects.
Affects one or more project objectives – There is a direct tie to the goals of the project and the business value you intend to generate. The lens to view risk is, “How much effect could this have on my project’s objectives if it happens?”
How Much Risk is Too Much?
Depending on your company, your project, and your context, your organization might have different ideas of what types of risks are acceptable to achieve project objectives. Project Managers call this Risk Appetite.
Some industries are notoriously risk averse, meaning that they are willing to do a lot to reduce risk. Examples of risk-averse industries include banking or healthcare. Other industries such as some Technology & Software firms are the opposite; they are “risk-seeking” in the sense that they prefer riskier options because of a greater potential for reward.
As you get to know your stakeholders you will develop some intuition of what their risk appetite is around your project and that will guide how you handle the uncertainties that you face along the way.
Identifying Risk & the Risk Register
Identifying risk is a continuous process. You don’t just write your risks once and be done. It happens every single day, in every phase of the project. Each day you gain more insight into your project and context, so it is likely you will identify new risks to address at each step. Embrace that.
The primary risk management document you will develop and use throughout the life of your project is the Risk Register. The Risk Register is commonly just a spreadsheet (Excel, Google Sheets, etc.) with each identified risk listed out. You will use the same sheet to do the rest of the risk management processes (assessing identified risk, planning and executing risk responses).
At this early stage, your risk register might look something like this:

It’s a simple document, but it is the foundation of planning effective risk responses. We’ll show you ways to use it effectively as we go through the remainder of this blog series.
Ways to Identify Risks
In my experience it is more important to be comprehensive about the types of risks that exist in a project than it is to be very detailed about each and every one of them. In the end, some projects may benefit from extensive lists of very specific risks, but for other projects that level of detail can overwhelm the project team. I suggest starting with a big picture overview and then getting more detailed as you go. Project managers call this “Progressive Elaboration” and it is a mindset we use a lot.
Risk Breakdown Structure
One tool you can use to ensure you have the full picture of risks is called a Risk Breakdown Structure (RBS). The RBS starts with high-level risk categories and then breaks them down into more specific sub-risks customized to your project. The benefit of the RBS is to reduce the chances that you have a big blind spot somewhere, such as leaving out whole categories of risks from your analysis.
It’s typically a hierarchical chart that could look something like this:

Prompt List
At the risk of sounding simplistic, a good set of questions can help you come up with a first draft of your risks. Sit with an experienced project manager and walk through each stage of your project and ask, “What could go wrong at this stage?” “What are some headaches we should try to prevent?” “What are some reasons this project could be more challenging than we expect / go over schedule / over budget?”
Also, coming up with lists of helpful questions for your specific type of project is a good job for Artificial Intelligence. For example, while writing this post I asked Microsoft Copilot chat, “What are some reasons a commercial construction project might go over budget?” Within seconds, it gave me a basic list of 8 common reasons with explanations for each item and possible strategies to mitigate it. I’ll post the response in a separate post as an example of one basic way to use AI in project management.
Conclusion
Understanding sources of risk within our projects and tracking them in a Risk Register is a foundational first step for effective risk management and helps us systematically approach creating business value by appropriately addressing sources of risk in our projects. Tools like Risk Breakdown Structures and Prompt Lists can help us avoid blind spots in our project planning and ensure we have our eyes on all sources of risk.
