Handling Risks in Projects

Handling Risks in Projects

Projects are initiated in order to accomplish new results, behaviours or services at a specified quality while working under constraints of time, cost and resources. Because projects are not operations/business as usual, we should expect to experience hitherto unknown challenges and to gain new learning as we execute the project.

This does not mean, however, that we should charge ahead without continuously considering which challenges (risks and opportunities) are likely to occur during the project and to prepare for how we will want to handle these challenges. In short, we need to always have an updated risk analysis and overall picture of the current risk profile for our project.

Defining Our Risks

The first stage in risk management is creating an overview of the risks that the project could potentially face. We need to remember that risk can be both negative (threats) and positive (opportunities), so as to not only focus on the negative risks, which is probably the meaning many of us associate with the word “Risk”.

A good start is to look at the challenges faced by previous, similar projects within our organization. If there have not been previous, similar projects or the documentation is not easy to come by, we may e.g. look to previous, similar projects in our industry or broader still. What should follow are one or more sessions with the project team and stakeholders in which further risks can be uncovered. Involving team and stakeholders ensures that all perspectives are scrutinized.

Evaluation of Risks

For each identified risk, we need to evaluate how likely the risk is to actually occur, and if it occurs what the consequences for the project and the project environment will be. Often this is done by assigning a numerical value from a scale to the Likelihood and to the Impact respectively, the higher the value assigned to more potent is the Likelihood or Impact. Often a scale of 1-10 is used as that is easy to convert to percentage form.

The assignment of scale values to Likelihood and Consequences is followed by a multiplication of these two values to arrive at an overall risk factor. A given risk may thus have the Likelihood value of “3” and an impact of “2” and thus an overall risk factor score of “6”. The values arrived at can now be plotted into a graph to depict risks relative to each other. We can also decide that risks below a certain value will not be part of our considerations and that risks above a certain value must force us to halt the project until the risk has been reduced/eliminated.

We may also want to assess and ascribe a monetary value to the consequences. We can get an idea of which level of cost our risks represent by multiplying the Likelihood with the Monetary Consequences. Say we have a risk with a likelihood of 5 (50 %, probability of 0,5), and a Monetary Consequence of 150.000 €, the current risk monetary value arrives at 75.000 € (0,5 * 150.000). We can add up all the calculated risk monetary value for the project and use that to set up a suitable risk budget.

Risk Response

For each risk identified and evaluated with a score high enough to warrant our attention, we must define what we will do, should the risk materialize. We also need to identify any possible early warning signs that the risk is about to materialize, so that we can initiate our agreed responses as soon and as efficiently as possible. A further point of importance is that for each risk one “Risk Owner” is appointed. The Risk Owner is responsible for ensuring that the risk can and will be handled as agreed in the risk response. The Risk Owners may not themselves carry out activities for the risks they manage, but they must ensure that the risk response is carried out. For each risk we may also appoint one or several people who will actually carry out the actions implied by the risk response.

How can we respond to risks? We can take preemptive actions and/or define mitigating actions to deal with each risk. Again remember, risks can be threats, but risks can also be opportunities. So some risk responses may deal with whether to exploit the opportunity or let it pass.

For risks as threats we may seek to implement actions that allow us to avoid the risk altogether, e.g. make changes to the project. If it is not feasible to eliminate the risk, we may reduce it by implementing actions that reduce the probability and/or implement actions that reduce the consequences should the risk materialize. We can also define and prepare a fallback plan to be implemented if the risk occurs. For some risks we may be able to transfer the handling of the risk to a 3rd party, e.g. by forms of insurance, or we may seek to share the risk with 3rd parties (suppliers/customers). Finally, we may choose to accept the risk as is. The latter is usually done for low score risks where the costs of risk response initiatives outweigh the costs of the risk actually materializing.

For risks as opportunities we also have a set of possible responses. We can plan activities that allow us to exploit the risk for maximum effect, e.g. an opportunity to get better equipment. We can also look at actions that allow us to enhance the probability and/or consequences of the risk, i.e. giving ourselves better odds that the opportunity will have a high impact. Finally, we may choose to reject the risk, because it would cost more to exploit or enhance the opportunity than it would cost to continue as is.

Continual Risk Awareness & Learning

Risk management efforts only have value if the risk identification and evaluation is a continuous process that is carried out throughout the project. Typically, the risk landscape shifts during the project due to new risks being identified, already identified risks changing in severity, risks having actually materialized and been dealt with and some identified risks seizing to be risks for the project.

It is important that we learn from each risk identified and each risk materializing, so that we know what to look out for and how to handle different types of risk. We will update the risk analysis and the risk scores continuously during the project. The risk factor score will change, some risks becoming more critical for the project, some less. It is important to revisit the low score risks that were dismissed earlier on to make sure they have not developed in a more serious direction. Further, the calculated risk monetary value may change, thus requiring us to revisit our risk budget.


A project plunges us into new and strange waters. There are a host of threats and opportunities we can potentially run into along the way. Being well-prepared as to which threats and opportunities these can be and how they can best be handled makes for a smoother, more controlled project execution. Although not all risks can be foreseen, even by the cleverest group of people, continuously analyzing, evaluating and planning risk responses allows us to keep the project in the best possible shape no matter what happens.

Feel inspired? Have ideas? Need to launch initiatives?
Get in touch with NT Management Consulting today