Project Risk Management


By Simon Riley

Any work to introduce business or technical change involves an element of inherent risk. In this article, I discuss how negative project risks should be identified, analysed, effectively owned and given the correct level of response.

I’ve spent my career managing projects and programmes of work. One of the key lessons learnt, both first-hand (ouch!) and as someone brought in to rescue failing projects, is this: when you fail to manage risks effectively, you increase the chances of project delay, costs increasing or even project cancellation.


Follow the process

Many organisations either follow a standard project methodology or have, over time, developed an in-house methodology to meet their needs; both approaches require the effective management of project risks. The following steps are key, regardless of the methodology you use or the timescale you are working to.

Identify and log your risks
Risks must be identified as soon as possible – and I don’t mean “project manager makes notes & stores them in an Excel spreadsheet to be dug out at the next stage gate review.” Risk identification must be a collaborative effort from key project members and stakeholders, and it needs to happen throughout the project life-cycle.

Where possible, utilise a collaborative tool for the logging and maintenance of a risk register that team members and risk owners can access.

Risk Analysis
Once a risk has been identified and logged, the project team must be able to analyse the likelihood and severity of the risk. An effective way of prioritising risks is to use a “scoring method” to ensure those risks with a higher severity and likelihood are addressed as a priority. This information must be logged within your risk tool.

Risk ownership
Risk ownership is key. All too often I have looked through a risk log and found the same project manager’s name against each of the registered risks. Within the stakeholder group the correct owner must be assigned; this person should have the correct level of authority to effectively manage the risk.

Risk Response & Deadlines
Each risk should have a corresponding response that is clearly logged within the collaborative tool, with an agreed date for the risk response action. Typical responses for risks will be:
Avoid: Change the strategy or adjust your plan accordingly to completely avoid the risk.
Mitigate: Take action to reduce either the likelihood or the severity of the risk.
Transfer: Move responsibility for the risk from the project to another entity. This might be by way of teams external to the project, outsourcing or assignment of a third party.
Accept: Some risks might be too costly or time-consuming to consider one of the above responses; conversely, where the likelihood or severity of a risk is very low, the decision to accept a risk can sometimes be perfectly acceptable. This should not be viewed as a “do nothing” approach. Accepted risks should be logged and explained to the project executives and sponsors in the same manner as risks that have had proactive actions taken against them.

Manage the risk & communicate
You have identified and logged risks, assigned owners and put risk responses in place; now is the time to ensure that the risks are effectively managed. Regular reviews of open risks with the project stakeholders should take place, and risk owners must be accountable for the risk responses. Your project communication plan should detail how senior stakeholders will be notified of risks, including those that require escalation.

As the project progresses, new risks will become apparent and existing ones will pass without materialising. The project team must continue to identify and review new risks at regular intervals through to project completion, including any post-project support periods.


Winterhawk’s experienced team of consultants & project leads are highly skilled at delivering projects for our clients, either as stand-alone pieces of work or as part of a wider programme with our clients and partners. Let us focus on project delivery & management, so you can focus on running your business.

Simon Riley brings 20+ years of large enterprise programme management experience to Winterhawk’s Advisory Board, across a range of industries including Energy, Finance, Insurance, Aviation, Retail, Engineering and IT Services. He has led large-scale ERP implementations and HR transformations in organisations across Europe and North America, as well as being instrumental in the development of partnership networks at Winterhawk.