11. Project Risk Management – A Guide to the Project Management Body of Knowledge (PMBOK® Guide), Fifth Edition



Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, and controlling risk on a project. The objectives of project risk management are to increase the likelihood and impact of positive events, and decrease the likelihood and impact of negative events in the project.

Figure 11-1 provides an overview of the Project Risk Management processes, which are as follows:

11.1 Plan Risk Management—The process of defining how to conduct risk management activities for a project.

11.2 Identify Risks—The process of determining which risks may affect the project and documenting their characteristics.

11.3 Perform Qualitative Risk Analysis—The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.

11.4 Perform Quantitative Risk Analysis—The process of numerically analyzing the effect of identified risks on overall project objectives.

11.5 Plan Risk Responses—The process of developing options and actions to enhance opportunities and to reduce threats to project objectives.

11.6 Control Risks—The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.

These processes interact with each other and with processes in other Knowledge Areas as described in detail in Section 3 and Annex A1.

Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality. A risk may have one or more causes and, if it occurs, it may have one or more impacts. A cause may be a given or potential requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes. For example, causes could include the requirement of an environmental permit to do work, or having limited personnel assigned to design the project. The risk is that the permitting agency may take longer than planned to issue a permit; or, in the case of an opportunity, additional development personnel may become available who can participate in design, and they can be assigned to the project. If either of these uncertain events occurs, there may be an impact on the project's scope, cost, schedule, quality, or performance. Risk conditions may include aspects of the project's or organization's environment that contribute to project risk, such as immature project management practices, lack of integrated management systems, concurrent multiple projects, or dependency on external participants who are outside the project's direct control.

Project risk has its origins in the uncertainty present in all projects. Known risks are those that have been identified and analyzed, making it possible to plan responses for those risks. Known risks that cannot be managed proactively should be assigned a contingency reserve. Unknown risks cannot be managed proactively and therefore may be assigned a management reserve. A negative project risk that has occurred is considered an issue.

Individual project risks are different from overall project risk. Overall project risk represents the effect of uncertainty on the project as a whole. It is more than the sum of the individual risks within a project, since it includes all sources of project uncertainty. It represents the exposure of stakeholders to the implications of variations in project outcome, both positive and negative.

Organizations perceive risk as the effect of uncertainty on projects and organizational objectives. Organizations and stakeholders are willing to accept varying degrees of risk depending on their risk attitude. The risk attitudes of both the organization and the stakeholders may be influenced by a number of factors, which are broadly classified into three themes:

  • Risk appetite, which is the degree of uncertainty an entity is willing to take on in anticipation of a reward.
  • Risk tolerance, which is the degree, amount, or volume of risk that an organization or individual will withstand.
  • Risk threshold, which refers to the level of uncertainty or the level of impact at which a stakeholder has a specific interest. Below that risk threshold, the organization will accept the risk. Above that risk threshold, the organization will not tolerate the risk.

For example, an organization's risk attitude may include its appetite for uncertainty, its threshold for risk levels that are unacceptable, or its risk tolerance, beyond which the organization may select a different risk response.

Positive and negative risks are commonly referred to as opportunities and threats. The project may be accepted if the risks are within tolerances and are in balance with the rewards that may be gained by taking the risks. Positive risks that offer opportunities within the limits of risk tolerances may be pursued in order to generate enhanced value. For example, adopting an aggressive resource optimization technique is a risk taken in anticipation of a reward for using fewer resources.

Individuals and groups adopt attitudes toward risk that influence the way they respond. These risk attitudes are driven by perception, tolerances, and other biases, which should be made explicit wherever possible. A consistent approach to risk should be developed for each project, and communication about risk and its handling should be open and honest. Risk responses reflect an organization's perceived balance between risk taking and risk avoidance.

To be successful, an organization should be committed to addressing risk management proactively and consistently throughout the project. A conscious choice should be made at all levels of the organization to actively identify and pursue effective risk management during the life of the project. Project risk can exist from the moment a project is initiated. Moving forward on a project without a proactive focus on risk management is likely to lead to more problems arising from unmanaged threats.