Risk Management is an important component of managing projects.  It is included in Project Management Body of Knowledge (PMBOK) as a distinct chapter, along with the other key components.  What is risk management?  In my experience, it is often either not done, or done mechanically as a process.  It is rarely integrated in the ongoing management of a project.  Risk Management is supposed to be dynamic, not a static documented process.

So what is risk management?

The project is created to achieve an objective, and plans are created to detail how the objective will be achieved.  Risk management is a support process that addresses things that may not go as planned.  While it is important to take appropriate time to plan a project, it is impossible to plan everything perfectly.  Each project has its unique path, challenges and successes.  It is much easier to automate regular operations.  Projects are not regular operations, and benefits less from the constant improvement of a repetitive process. In that sense, project plans are always the best attempt.  We also have to balance cost and benefits of planning.

Project risk management is meant to increase the chance of success of a project.  It does so by identify, managing and controlling risk on a project.

What is risk?

Risk is almost always interpreted by people as a negative.  Yet, the theoretical definition of risk is:

Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality. / PMBOK 5th edition, Chapter 11

You will note that the risk definition is neutral.  Risk can be positive or negative.  In that sense, risk relates to uncertainty of the future.

  • A risk with negative impact is a threat
  • A risk with a positive impact is an opportunity

I would prefer if risk management would be called something else, to show more the neutral side of the process.  Maybe Uncertainty Management…  In all cases, I may choose to call it differently, but it is still called risk management by most books and project managers.  So let’s stay with risk management.


Risk Management is managing the changing reality of a project.  As time passes by, new events occur that may or may not be as planned.  It creates threats and opportunities that must be managed.  Let’s keep in mind this neutral definition.

Risk vs Issue

It is true that risk is often simplified to the negative side of uncertainty: threats.  Risk is also often confused with Issue Management.

A risk is an uncertain event in the future that has a probability of occurring, which would have a negative or positive impact on the project.

An issue is something (maybe a risk earlier identified) that has occurred.  An issue is a negative risk (threat) that is not uncertain.  It has a 100% probability of occurring.  In short, it did occur.

Issue management is not risk management.

Risk perception

Organization may be risk averse.  They are even more likely to be risk averse if risk is only viewed as threat.

Organization would benefits from seeing risks both as a threat and an opportunity.  The existence of opportunity is a key reason to attempt some projects.  The ability to reap benefits from opportunities is a key factor success.

Books will say that organizations will accept varying degrees of risk.  I prefer to say that organizations will accept varying degrees of uncertainty.

Risk Management Process

risk management includes:

  • Identification of risks
  • Qualitative risk analysis
  • Quantitative risk analysis
  • Plan risk responses
  • Monitor and control risk


In the end, discussing risks is having open discussions on the uncertainty of the project, including threats and opportunities.  In requires a willingness to discuss the reality of the project, and everything that we do not control.  Too often, managers and executives reduce risk management to a process, because they don’t like things that they do not control.  The reality is, we don’t control that much… And by trying to control too much, we only kill any hope of enjoying the benefits of the unplanned opportunities.

So having a sound and honest risk management does increase the chance of success of a project.  Not only that! Done correctly, with the neutral definition of risk, it also enhances the chance of benefiting from excellent opportunities.

And with opportunities, usually if we don’t take them, others will.