What is Project Risk Management?
Project risk management is the systematic process of identifying, analysing, and responding to uncertainty that could affect a project's objectives. A risk is any uncertain event or condition that, if it occurs, has a positive or negative effect on at least one project objective โ whether that is scope, schedule, cost, or quality.
It is important to recognise that risks are not always negative. A threat is a risk with a potentially negative impact, while an opportunity is a risk with a potentially positive impact. Effective risk management addresses both, seeking to minimise threats and maximise opportunities.
The consequences of ignoring risk management are well documented. Projects that fail to identify and manage risks proactively are far more likely to overrun on budget, miss deadlines, or fail to deliver the expected benefits. The statistics paint a stark picture:
These figures demonstrate why risk management cannot be an afterthought. It must be embedded from project initiation through to closure, with regular reviews and updates as the project environment evolves. Projects that invest in structured risk management are significantly more likely to deliver successfully.
Risk Identification Techniques
Risk identification is the first and arguably most critical step in the risk management process. You cannot manage a risk you have not identified. The goal is to systematically uncover as many potential risks as possible โ both threats and opportunities โ before they materialise and catch the project team off guard.
No single technique will capture all risks. Effective identification uses a combination of approaches, drawing on the experience and knowledge of the entire project team and key stakeholders.
Risk Identification Techniques
| Technique | Description | Best Used When |
|---|---|---|
| Brainstorming | Facilitated team session to generate a broad list of potential risks without judgement or filtering | Early in the project when you need wide coverage; at stage boundaries to refresh the risk register |
| SWOT Analysis | Structured review of Strengths, Weaknesses, Opportunities, and Threats at project or organisational level | During project initiation to understand the strategic risk landscape and internal capabilities |
| Checklists | Pre-built lists of common risks drawn from historical data, lessons learned, or industry standards | As a baseline to ensure known, recurring risks are not overlooked; supplement with other techniques |
| Assumption Analysis | Systematic review of all project assumptions to identify which are unstable or could prove false | When the project relies on key assumptions about resources, technology, third parties, or timelines |
| Delphi Technique | Anonymous, iterative expert consultation where responses are aggregated and shared across rounds until consensus | When you need unbiased expert opinion, especially for technical or specialist risks where groupthink is a concern |
| Root Cause Analysis | Working backwards from potential risk events to identify their underlying causes and shared drivers | When you want to address systemic issues rather than individual symptoms; for grouping related risks |
Source: APM Body of Knowledge, 7th Edition; PRINCE2 Manual
Involve the Whole Team
Risk identification should never be carried out by the project manager alone. Team members, subject matter experts, suppliers, and key stakeholders all bring different perspectives and knowledge. A workshop format with a skilled facilitator is one of the most effective ways to surface risks that no single individual would identify on their own. Make it safe for people to raise concerns without judgement.
Risk Assessment: Probability-Impact Analysis
Once risks have been identified, they need to be assessed to determine their significance and priority. Not all risks are equal โ some are highly likely but low impact, while others are unlikely but potentially catastrophic. Risk assessment helps you focus your limited resources on the risks that matter most.
There are two broad approaches to risk assessment: qualitative and quantitative. Qualitative assessment uses descriptive scales (e.g., High/Medium/Low) to rate probability and impact. Quantitative assessment assigns numerical values and uses techniques like Monte Carlo simulation or decision tree analysis to model the overall risk exposure. Most projects begin with qualitative assessment; quantitative methods are used for larger, more complex projects where numerical precision is needed for decision-making.
Probability-Impact Matrix
| Probability / Impact | Negligible | Low | Moderate | High | Critical |
|---|---|---|---|---|---|
| Very High (>80%) | Medium | High | Very High | Very High | Very High |
| High (60-80%) | Low | Medium | High | Very High | Very High |
| Medium (40-60%) | Low | Medium | Medium | High | Very High |
| Low (20-40%) | Low | Low | Medium | Medium | High |
| Very Low (<20%) | Low | Low | Low | Medium | Medium |
Adapted from PRINCE2 and APM risk assessment frameworks
The risk score is calculated by combining probability and impact โ either by multiplying numerical values (e.g., 4 x 5 = 20) or by using the matrix to derive a category (e.g., "High"). This score determines the risk's position in the priority list and directly informs the choice of response strategy.
When assessing impact, consider all project objectives: time, cost, quality, scope, and benefits. A risk might have a low cost impact but a very high impact on schedule. Always assess against the objective most affected, and record your rationale so assessments are transparent and repeatable.
Proximity Matters Too
Probability and impact are not the only factors. Risk proximity โ how soon the risk might materialise โ is equally important for planning. A high-impact risk due next week demands more immediate attention than one that might occur in six months. Always record when you expect each risk to occur and factor this into your response planning.
The 5 Risk Response Strategies
Once you have identified and assessed your risks, you need to decide what to do about each one. A risk response strategy defines the approach you will take to deal with a risk, whether it is a threat or an opportunity. There are five widely recognised strategies, and the right choice depends on the risk's probability, impact, cost of response, and the project's overall risk appetite.
Risk Response Strategies for Threats and Opportunities
| Strategy | For Threats | For Opportunities | Example |
|---|---|---|---|
| Avoid / Exploit | Change the project plan to eliminate the threat entirely | Change the plan to ensure the opportunity is realised | Remove a high-risk technology from the solution; fast-track a feature to capture a market window |
| Transfer / Share | Shift the impact to a third party (insurance, outsourcing, fixed-price contracts) | Share the upside with a partner better placed to capture the benefit | Transfer delivery risk via a fixed-price contract with a supplier; joint venture to exploit a new market |
| Reduce / Enhance | Take action to lower the probability or impact of the threat | Take action to increase the probability or impact of the opportunity | Conduct additional testing to reduce defect risk; invest in early prototyping to increase chance of innovation |
| Accept | Acknowledge the risk and take no proactive action; set aside contingency budget or time | Acknowledge the opportunity exists but take no specific action to pursue it | Accept a minor schedule risk and include two days' float; note a potential cost saving without committing resources |
| Escalate | Pass the risk up to programme or portfolio level when it exceeds the project's authority or scope | Escalate an opportunity that could benefit the wider organisation, not just this project | Escalate a regulatory change risk to the programme board; flag a strategic partnership opportunity to senior management |
Source: PRINCE2 Manual; APM Body of Knowledge, 7th Edition
For each risk, the chosen response should be proportionate to the risk's significance. It would be wasteful to spend tens of thousands of pounds mitigating a risk that has only a minor potential impact. Equally, accepting a catastrophic risk without any mitigation is reckless. The cost of the response should always be weighed against the expected value of the risk.
Threats and Opportunities: Two Sides of the Same Coin
Many project teams focus exclusively on threats and neglect opportunities entirely. This is a missed chance. A well-managed project actively seeks out and exploits positive risks โ a supplier delivering early, a new technology reducing cost, or a regulatory change that simplifies compliance. Your risk register should include both threats and opportunities, with response strategies tailored to each.
Building and Maintaining a Risk Register
The risk register is the single source of truth for all identified risks on the project. It captures each risk's description, assessment, response strategy, owner, and current status. Without a well-maintained risk register, risk management is just a conversation โ it has no formal record, no accountability, and no mechanism for tracking whether responses are actually being implemented.
A good risk register is not a static document. It is a living management tool that is reviewed and updated regularly throughout the project lifecycle โ at stage boundaries, during highlight reports, and whenever the project environment changes significantly.
Risk Register Structure
| Column | Purpose | Example Entry |
|---|---|---|
| Risk ID | Unique identifier for tracking and cross-referencing | R-014 |
| Description | Clear statement of the uncertain event and its potential effect โ use "If... then..." format | If the key supplier fails to deliver components by 15 March, then the build phase will be delayed by 3 weeks |
| Category | Classification to help with analysis and reporting (e.g., Technical, Commercial, Organisational, External) | Commercial |
| Probability | Likelihood of the risk occurring, using the agreed scale | High (70%) |
| Impact | Severity of the effect on project objectives if the risk materialises | High (schedule: +3 weeks, cost: +ยฃ45,000) |
| Risk Score | Combined rating derived from probability and impact | Very High |
| Owner | Named individual responsible for managing this risk and implementing the response | Sarah Chen, Procurement Lead |
| Response Strategy | The chosen approach (Avoid, Transfer, Reduce, Accept, Escalate) with specific actions | Reduce: Identify alternative supplier and begin parallel procurement by 1 March |
| Status | Current state of the risk (Open, In Progress, Closed, Occurred) | In Progress |
| Review Date | When this risk will next be formally reviewed and reassessed | 28 February 2026 |
Adapted from PRINCE2 Risk Register template
The most common failure with risk registers is treating them as a checkbox exercise at the start of the project and never revisiting them. A risk register that was last updated three months ago provides a false sense of security. To keep your risk register alive and useful, build risk reviews into your regular project rhythm:
Weekly or fortnightly: Review the top 10 risks with the project team. Have probabilities or impacts changed? Are response actions on track? Have new risks emerged?
At each stage boundary: Conduct a full risk register review. Close risks that are no longer relevant. Reassess all open risks. Identify new risks for the upcoming stage.
After significant events: Any change request, issue, or external event that affects the project should trigger a review of the risk register for new or changed risks.
Every Risk Needs an Owner
A risk without an owner is a risk that nobody is managing. The risk owner is the individual best placed to monitor the risk and implement the response strategy. This is not always the project manager โ it should be the person closest to the risk, with the authority and knowledge to act. Make ownership explicit and hold owners accountable during risk reviews.
PRINCE2 Risk Theme Alignment
PRINCE2 treats risk as one of its seven themes โ a fundamental aspect of project management that must be addressed throughout the project lifecycle. The PRINCE2 Risk theme provides a structured approach to risk management that aligns closely with the techniques described in this guide, while adding specific governance and escalation mechanisms.
At the heart of PRINCE2's approach is the principle that risks must be continuously identified, assessed, and controlled. Risk management is not a one-off activity performed during initiation โ it is embedded into every stage of the project through the management stages, exception reporting, and end-stage assessments.
PRINCE2 Risk Management Components
| Component | Purpose | Owned By |
|---|---|---|
| Risk Management Strategy | Defines how risk management will be performed on the project โ tools, techniques, roles, scales, reporting, and risk categories | Project Manager (approved by Project Board) |
| Risk Register | The record of all identified risks, their assessments, responses, owners, and current status | Project Manager |
| Risk Budget | A sum of money included in the project budget to fund specific risk responses and contingency actions | Project Manager (within tolerances set by Project Board) |
| Risk Tolerances | The thresholds beyond which risks must be escalated โ defined for each management stage | Project Board |
| Exception Reports | Triggered when risk exposure exceeds tolerances โ escalation mechanism to the Project Board via Manage by Exception | Project Manager escalates to Project Board |
Source: PRINCE2 7th Edition, Axelos
The Risk Management Strategy is created during the Initiation Stage and defines the rules of the game for risk management on this specific project. It covers the risk management procedure (identify, assess, plan, implement, communicate), the scales to be used for probability and impact, the roles and responsibilities, and how risk information will be reported to the Project Board.
PRINCE2's Manage by Exception principle is particularly relevant to risk management. The Project Board sets tolerances for each management stage โ including risk tolerances. If the project's risk exposure breaches these tolerances, the Project Manager must raise an exception report and seek guidance from the Project Board. This ensures that significant risks receive senior management attention without the board needing to be involved in day-to-day risk management.
Risk Tolerance and Risk Appetite
Risk appetite is the organisation's overall willingness to accept risk in pursuit of its objectives โ it is set at the corporate or programme level. Risk tolerance is the specific, measurable threshold for a particular project or stage โ expressed as a defined deviation from plan (e.g., "no more than ยฃ20,000 cost overrun" or "no more than two weeks schedule delay"). Understanding the difference is essential: risk appetite guides the overall approach, while risk tolerances provide the concrete boundaries within which the project manager operates.
In practice, aligning your risk management with PRINCE2 means ensuring that risk is discussed at every checkpoint, highlight report, and end-stage assessment. The Project Manager should present the top risks, any changes to the risk profile, and the status of risk response actions. This keeps the Project Board informed and enables timely decision-making when escalation is needed.
Get Qualified in Project Management
Risk management is a core competency for every project manager. Our accredited Project Management course covers risk identification, assessment, response planning, the PRINCE2 Risk theme, and practical techniques for keeping projects on track โ giving you the skills and confidence to manage uncertainty effectively.
Explore Our Project Management Course