Common Sense Approach to Risk Management

Risk management

Risk management is one of the elements of project management that tends to get left out when time is crunched.  If you are skipping risk management, or only doing it at the beginning of your project, you are setting yourself up for trouble.  Risk management doesn’t need to be overly complicated.  If you are limited on time, you can still take measured steps to understand and plan for risk.  In this post, I will teach you a series of simple steps you can take to ensure you are set up for project execution success through careful risk planning and risk management.

For illustration purposes, I will use a simple real-life example throughout this article. For my sample project, I will use running a baseball tournament.

Step 1: Identify Risks

Your first step is to identify potential risks to your project.  These can range from not likely to happen to very likely to happen, and can be items that would have a minor impact to items that would have a major impact to your project outcome.

Tip: Do not create your list of risks in a bubble.  As you gather your list of risks, be sure to talk to all of your stakeholders, and to each team member.  Each person will have their own lens that they consider risk through and will provide valuable input.

In my example project, stakeholders include other volunteer parents, the coach, and the baseball organization board.  You should gather your risks and track them in a risk register. The risk register is a centralized spot to track potential risks, analysis around probably and impact, and risk response plans.  It is a living document that is never “finalized”, as risks will continue to be identified throughout the course of the project, and some risks may in fact turn into issues that need to be dealt with.

In this first step, you should simply work to identify the potential risks.  In my baseball example, my list of risks may look something like this:


I don’t have anything listed in the supplementary columns as I have not completed my analysis at this stage.  I am simply looking to create a full list of potential risks.  Having the list of risks is not enough however; you need to think through which ones to focus on as likely or having the biggest impact, which leads us to Step 2 – Analyze Risks and Plan Response.

 Step 2 – Analyze Risks and Plan Response

With limited time, not every risk is worthy of your attention.  In order to know which risks to focus on, you should take the time to assign a Risk Probability score and a Risk Impact score, which can then be multiplied together to create an overall “Risk Score”.  I find a good way to do this is to use a 5-point scale, from1 (low likelihood or low impact) to 5 (high likelihood or high impact).  The higher the risk score, the more focus you should put on the risk response and ensuring stakeholders are aligned.  By doing this, you are able to proactively plan and if a risk turns into an issue, immediately employ the agreed-upon action plan.  This helps keep you out of the fire-fighting mode we so often find ourselves in as project managers.

Going back to my baseball example, here is how I might rank my risks:


In this example, the two risks with the biggest “risk score” combining probability and impact are “002” – bad weather and “005” – Not enough porta potties.  As such, I will want to put some extra effort into planning my response or putting plans in place proactively to reduce the likelihood or impact.  For “bad weather” I might choose to have a back-up schedule ready to go based on shortened games or extending by a day.  For the risk of not enough porta potties, I may decide it is too critical and too likely to leave to chance, and work with my stakeholders to secure an additional porta potty.  In some cases, you may decide to accept a risk.  For instance, it is pretty unlikely a team would not show up that has already paid.  This resulted in a low risk score, and as such, I would likely not plan a different potential schedule based on this scenario.  Here is what my risk register might look like with risk response plans included:

 Again, this is a living, breathing document.  Risks will continue to get added as the project progresses, and some may reduce in likelihood or impact.  For instance, if I secure an extra porta potty, the likelihood drops to a 1 or a 2, and the Risk Score drops as well.  At that point, I may accept the remaining lower risk.  As long as your project is still underway, you need to continually monitor risks, Step 3.

Step 3: Monitor and Review Risks

Each week you should review the risk register as a project team, and continually update it.   This should be a standing item – do not let this fall off. Proactive and thorough risk management is one of those areas that separate a great project manager from a good one.  Taking the time to do this will only save you time and headaches throughout your project.

As you review, edit, and add to risks, you will want to consider which risks warrant additional conversation with your key stakeholders.  It is important to know who can make decisions around potential response plans and to get agreement upon any steps being taken to reduce risk likelihood or impact.

A risk is uncertain; it is something that could conceivably happen in the future.  If a risk becomes a reality, it is no longer a risk but an issue.  If that happens, the risk should be reclassified as an issue and your action plan to resolve should be confirmed and executed upon.

As you continue to monitor and review risks, it is important to continually keep your stakeholders apprised of changes or additions to the risk register, which leads us to Step 4: Reporting and Communication.

Step 4: Communication of Risks

The easiest way to ensure you keep on top of communicating risk status is to incorporate it into your weekly status reporting.  I prefer to have a dashboard that includes an overall project status, and for a larger program or project might even include an overall risk status.  You can then use that risk indicator to drive attention and communication of your risks.

I also include a section in my project status report that pulls in the risks from the risk register.  You likely will not want to communicate EVERY risk you have on you register; I choose to highlight those risks with the higher risk ratings and/or risks that require conversation or decision making around risk response plans.

After you discuss the risks, you should update your risk register to update impact or probability scores, as well as update any decisions made around risk response.

One of the main purposes of communicating risks to key stakeholders regularly and often is to avoid nasty surprises!  If a big issue arises that was not considered in your risk review and risk planning, your stakeholder(s) will be quite unhappy.  The idea is to anticipate risks before they turn into issues, and to proactively communicate with your stakeholders around perceived probability and impact, as well as risk response plans.

If you anticipate risks and are able to then efficiently deal with issues, and do so in a completely transparent way, you will have happy stakeholders.  As usual, extra communication is always better than not enough.  If you aren’t sure whether or not you should include a risk in your communication with your stakeholders, the answer is YES, include it!


In summary, no matter how tight your timeline, don’t skip risk management.  It always pays off to plan for and anticipate risks that may become issues, and to be proactively ready to execute an already agreed-upon response plan when issues inevitably happen.  It truly is four simple steps, iterated throughout the course of your project: Identify, Analyze and Plan, Monitor and Review, and Communicate.  Put these 4 steps in place to feel more in control of your project, and to build trust and confidence with your stakeholders.

To learn more about our Human Resources courses, click here.

To learn more about our Project Management courses, click here.