The Complete Guide to Project Risk Assessment (Free Template)

Project management risk assessment is an essential part of any project management plan, helping your team avoid problems that can destroy entire budgets. 

While we all wish our projects would run flawlessly, disaster is always waiting around the corner. No matter how much you prepare, people and circumstances can let you down. Key employees can take extended leave, stakeholders can ghost you, and unforeseen economic conditions can slice your budget in half - no one expected the pandemic, for example. 

Only 3% of organizations avoid using risk assessment. Why? Because it eliminates severe risks in advance and provides a way to mitigate them in a worst-case scenario. 

Easier said than done, though, right? That’s why in this guide to project risk assessment, we’ll show you how to identify risks and create plans to counter them.

What is a Project Management Risk Assessment?

Project Risk Assessment Definition 

‘Project Management Risk Assessment’, or ‘Project Risk Assessment’, is the process of minimizing risks that could affect a project. 

The overall goal is to remove extreme risks and reduce the impact of lower risks via backup plans.

When it is completed properly, you can ensure a project is finished within both time and budget while meeting the project goals.

Is Project Risk Assessment Really Necessary?

Project management risk assessment is a pillar of any project management, and without it, you can’t say your project planning is complete.

Because it's so enshrined in project management doctrine, it is easily trivialized. Far too many PMs see it as a purely academic exercise, overlooking what it offers.

Shockingly, only 2.5% of companies complete their projects with 100% success - many of which would have been helped with better planning. Even in minor cases, there is no downside to coming up with ideas to keep a project moving smoothly, while in major cases, it can save you heaps of cash. 

How Detailed Should Your Plan Be?

Every decision you make during a project invariably creates a potential risk event. Whether you create a contingency plan for every risk will depend on two things:

  • The likelihood of the risk event occurring
  • The impact the risk event would have on the project

This is the essence of project management risk assessment: evaluating and prioritizing risks.

Think of something as simple as file storage. If you store your files locally, you create a risk event - what if your local storage fails? To avoid the consequences, you could create a backup in the cloud. But that’s inherently risky - what if the cloud storage company goes under?

So, as an additional safeguard, you might opt for a second long-term storage with a more reliable partner like AWS. Thus, your single decision - storing files locally - creates multiple risk events you have to respond to.

This applies to virtually every decision in a project. If a stakeholder goes AWOL on email, you need to get hold of them on Zoom or Teams. And if they go missing on Zoom or Teams, you need their phone number.

How to Use Our Project Risk Assessment Template 

Our free Project Risk Assessment Template can help you complete the process efficiently with a clearly defined plan of action. 

Here’s how it works:

  1. Enter your key project details in the box in the top left. 
  2. Identify the risk. Add a serial number and date of entry.
  3. Identify the name of the individual who has ownership over the risk and their role in the team.
  4. Identify the probability and impact of risk.
  5. View the risk score (using our automated calculator).
  6. Identify two proposed actions to mitigate risk.

6 Key Steps to Project Management Risk Assessment

Here are some final key steps to follow, which apply regardless of your organization’s methodology for project management risk assessment. 

1. Use PESTLE To Identify Controllable and Uncontrollable Risks

Recognizing the difference between controllable and uncontrollable risks will allow you to determine which are avoidable or not worth your time. While every project has some controllable risks, others can’t be mitigated. 

Take this project risk assessment example: If a contractor goes bankrupt, you could always line up a second contractor as a backup. But a devastating flood in a flood-prone region that destroys the data center where you store all your files? There’s nothing you can do about that.

To differentiate between controllable and uncontrollable risks, ask yourself:

  • How much control do I have over this risk event? 
  • Would a change in my decision change the probability of the risk event occurring?

For instance, if you change an unreliable contractor upfront, you can avoid a risk event entirely. But you have no real control over the internal political stability of an offshore partner’s home market or a flood.

Uncontrollable risk events are usually related to political, social, economic, and environmental factors. 

One way of analyzing them is by using the PESTLE framework:

 

[Image: PESTLE framework]

2. Use Both Active and Passive Risk Control

Once you’ve used the PESTLE chart to identify the different types of risks, you can then understand what control measures you can take. These control measures can be divided into two broad categories: 

  • Active risk control
    • You have a direct influence on the risk event and can take active measures to control it.
  • Passive risk control
    • Your risk control options are limited to making safer choices to avoid the risk altogether.

It’s important to actively control risk events with backups and alternatives, but also to passively avoid risk via safer options. For example, lining up a backup contractor to take over in case the primary contractor drops out is active risk control, while avoiding a contractor located in a politically unstable country is passive risk control.

For every risk that you identify, ask yourself:

  • Are there alternatives to this service/product I can call on in case of a failure?
  • Would the likelihood of the risk event go down if I choose a different product/service?
  • What best practices can I adopt to reduce the chances of the risk event occurring?

You’ll find that you have to maintain a delicate balance between active and passive risk control measures. Choosing safer options might reduce risk, but it can also increase your costs, such as choosing a US-based partner instead of offshoring. We advise evaluating your own risk appetite (and that of your stakeholders) to find this balance.

3. Calculate the Risk Score

Creating a contingency plan for every factor is unrealistic. So, how do you decide which to act on and which to ignore?

Easy - calculate the risk score for each risk event. We use ‘Risk Probability’ multiplied by ‘Risk Impact’.

  • Risk Probability is the chance of the risk event occurring, expressed as a number (higher numbers = higher probability). You can also express it as a percentage.
  • Risk Impact is the expected impact of the risk event on project success. This impact is based on the priority of the affected deliverable. A risk event that affects a key deliverable will have a higher Risk Impact than a non-essential deliverable.

In our Project Risk Assessment Template, you’ll find a table like this where you can enter Risk Probability (P) and Risk Impact (I), and the ‘Risk Score Percentage’ is calculated automatically.

[Image: risk score table from the Project Risk Assessment Template]

Of course, this isn’t an exact science. You can’t objectively assign a hard number to the importance and probability of a risk event occurring. Your scores are also liable to be influenced by the people you’re consulting. A programmer is likely to over-emphasize technical risks while underplaying operational risks.

And that brings us to the next point.

4. Create a Project Risk Assessment Committee

Risk management duties tend to be the responsibility of the project manager. But there are more tasks at hand. 

Ideally, you should get people from various backgrounds and departments to assess which risks are most important. 

This is called a ‘risk assessment committee’ and should include: 

  • Project manager: As the person responsible for the project plan, it is only natural that you get involved. You’ll also be responsible for all the operational aspects of this committee.
  • Subject matter experts: These are people inside or outside the agency who can identify risks and evaluate their probability and impact. For instance, you might have your lead developer look over the technical deliverables, while the lead designer might consider the design/UX aspects.
  • Key stakeholders: Get both internal and external stakeholders involved to understand what they prioritize in the project.

Getting stakeholders involved is particularly important. Stakeholder priorities don’t always align with the stated project priorities. Yet, you want to keep them happy while ensuring a successful project.

By getting them on board, you’ll get a fair idea of what risk events you can prioritize to keep them happy without jeopardizing the broader aims of the project.

5. Mitigate Your Mitigation!

Ironically, risk mitigation itself is not without risk. So, if you want your project to be as risk-proof as it can get, you’ll need a risk mitigation plan… for your risk mitigation plan. 

Think of it as two levels of risk mitigation. You should apply it to all mission-critical deliverables, at least. 

For example, do you have an outside contractor lined up in case a key employee leaves the company? Yes? Great! But what if they’re located in a politically unstable country? You’ll want to line up a second contractor as a backup.

When you’re creating your risk mitigation plan, ask yourself:

  • What are the active and passive risks associated with this risk mitigation tactic?
  • Are there safer alternatives that I can switch to?
  • If yes, what are the costs associated with the switch (both in terms of money and time)?

6. Keep a Register of All Risks

The ‘Risk Register’, or ‘Risk Compendium’, is used by every mature organization to make future project risk management assessments easier. 

You can think of it as an internal Wiki that documents all the risks you or other project managers have ever encountered. Ideally, these risks should be classified by project type, size, and client.

So the next time you get a new project, you can refer to the Risk Register and see what risks usually come up. 

For instance, if 90% of your app development projects under $100k have data storage issues, it might be a good idea to invest in storage alternatives for future projects.

Documenting all risks can also tell you what your organization excels at and what it struggles with. If a certain risk type routinely crops up across projects, it probably means you need to bolster your expertise in that area.

Project Risk Management Assessment Mistakes to Avoid

Here are some frequent mistakes companies make when conducting project risk assessments:

Treating Project Risk Assessment as a One-Time Task

Don’t just tick a box that says you’ve done a project risk assessment based on old data without actually doing a fresh one. You shouldn’t do a copy-and-paste job here, or you’ll leave your project vulnerable to emerging threats.

Instead, establish a routine to efficiently complete project risk assessments during the planning stage of each new project. 

Ignoring Emerging Risks

Many organizations overlook emerging threats, such as cybersecurity or regulatory requirements. It’s another reason why you need to take a fresh approach to each project risk management assessment, using your Risk Register for support (and not as a replacement for a new assessment). 

Lack of Stakeholder Involvement

As mentioned in our steps, you must include input from other employees, IT teams, compliance officers, and members of leadership to avoid blind spots. 

Setting up a Project Risk Assessment Committee might not be fun, but it is absolutely critical to successful project risk management. 

Misjudging the Severity of Risks

Be sure not to over- or underestimate risks when calculating their impact. Too much focus on low-priority issues can lead to a misallocation of resources, while underestimating high-impact threats can be outright catastrophic for a project. Revising your risk template can help you avoid this problem.

Failing to Align Mitigation to Goals

At the end of the day, you’re doing all this to further the business. So don’t forget about the broader business strategy. Risk mitigation efforts should support company objectives - for example, a backup contractor shouldn’t be in an industry, country, or circles that your company doesn’t want to be associated with. 

Request a Demo

Naturally, all this can be quite overwhelming. So, feel free to request a personal demo with Workamajig to learn how a powerful agency management system can transform your projects into profits. 

Originally published November 5, 2019.
