A High-Level Overview of Risk Management

Posted by Brad Egeland

Many approaches can be used to address risk and the threats it produces. And, likely, they are all viable.  The key is to use whatever works for you, your team, for your customer, and for your organization.  And the REAL key is to DO IT.  Ignoring risks doesn’t mean they won’t happen.  It just means you’re likely to spend your extra time in the unemployment line.

However you go about your process of risk management, you’re likely going to need to include some variation of this basic four-step approach:

Step 1. Identification

Risk identification is the process of determining what threats exist. You and your team – along with the customer’s assistance, if possible – should identify all significant uncertainties (sources of risk), including specific threats (also called potential problems or risk events) that could occur throughout the life of the project.

Step 2. Quantification

Risk quantification is the process of determining how big the threats are. During risk quantification, you and your team must obtain information on the range of possible outcomes for all uncertainties and their distribution and/or probabilities of occurrence.  This way, you’ll be in a better position to understand the nature of the threats and their potential effects on the project.

Step 3. Analysis

Risk analysis is the process of determining which threats are of greatest concern. During risk analysis, you’ll use the knowledge you and your team gained through risk assessment to determine which potential problems represent the greatest danger to achieving a successful and predictable project outcome.  Usually, this is done by considering the probability that a specific problem will occur and its anticipated impact on the project.

Step 4. Response

Finally, risk response is the process of actually dealing with the risks or threats to project success.  You and your team must work to determine the best approaches for addressing each high-threat potential problem.  This risk response plan may include evaluating and choosing among a number of alternatives, and creating specific action plans to follow for each specific potential risk.


By putting meaningful time into identifying potential risks and planning for their mitigation – or even avoidance – you’ll not only be giving your project its best chance of success, you’ll also be setting the course for good project planning throughout the engagement.  Your confidence, your team’s confidence, and your customers’ confidence will be greatly enhanced by going through this process because you’ll know that you already have plans in place to deal with these potential threats.  However, don’t rest on that notion.  It’s still critical to revisit your risk list often – preferably weekly during a status call or similar event – and be prepared to act if it appears that an identified risk – or a new unidentified risk – is about to affect your project.

Information for this article was derived, in part, from Gary Heerkens’ book entitled, “Project Management.”


2 Comments to “A High-Level Overview of Risk Management”

  • An additional and very important part of risk management, which relates to step 3 and 4, is to make a risk register (or risk log) that captures and tracks the identified risks and the risk mitigations. A small project with just a few involved can manage a risk register in a spreadsheet. Real projects with more involved persons should use a proper tool, such as http://mediumrisk.com which is an online web based risk register. With MediumRisk, team members have instant access to the most up to date project risk information, and the project management team always has an accurate overview of the most critical issues and the pending actions for implementing the necessary risk mitigations.

  • Addressing the aspect of people risk is the only way an organisation can improve the way their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

    For current thought leadership on Risk Culture Building, see my blog:
