What Is Project Risk?
A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives. Most people think of risks as negative (threats), but risks can also be positive (opportunities). Effective risk management does not eliminate uncertainty — it prepares the team to handle it.
Studies show that organizations with mature risk management practices complete 70% of projects on time and budget, compared to only 35% for organizations without. Risk management is the difference between proactive leadership and reactive firefighting.
Risk Identification Techniques
| Technique | Description | When to Use |
|---|---|---|
| Brainstorming | Team generates risks freely without judgment | Initial risk identification workshop |
| Checklists | Review predefined risk categories from past projects | Supplement to brainstorming; ensures coverage |
| SWOT Analysis | Examine Strengths, Weaknesses, Opportunities, Threats | Strategic project assessment |
| Expert Interviews | Consult subject matter experts and experienced PMs | Complex or unfamiliar domains |
| Assumption Analysis | Challenge every assumption — failed assumptions become risks | Planning phase |
| Pre-Mortem | Imagine the project has failed — what caused it? | Project kickoff |
Risk Assessment: Probability x Impact Matrix
Once risks are identified, each is assessed on two dimensions: probability (how likely is it?) and impact (how bad would it be?). The combination determines the risk level and response priority.
Probability x Impact Matrix
| Probability / Impact | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very High (>80%) | Medium | Medium | High | Critical | Critical |
| High (60-80%) | Low | Medium | Medium | High | Critical |
| Medium (40-60%) | Low | Low | Medium | High | High |
| Low (20-40%) | Low | Low | Low | Medium | Medium |
| Very Low (<20%) | Low | Low | Low | Low | Medium |
Risk Response Strategies
For Threats (Negative Risks)
- Avoid: Change the plan to eliminate the risk entirely. Example: Use a proven technology instead of an experimental one.
- Mitigate: Reduce probability or impact. Example: Add automated testing to reduce the risk of regression bugs.
- Transfer: Shift the risk to a third party. Example: Use a managed database service instead of self-hosting.
- Accept: Acknowledge the risk and prepare a contingency plan (active acceptance) or do nothing (passive acceptance).
Risk Register Template
// Risk Register Data Model
interface Risk {
id: string;
title: string;
description: string;
category: 'technical' | 'schedule' | 'cost' | 'resource' | 'external' | 'organizational';
probability: 1 | 2 | 3 | 4 | 5; // 1=Very Low, 5=Very High
impact: 1 | 2 | 3 | 4 | 5;
riskScore: number; // probability * impact
priority: 'critical' | 'high' | 'medium' | 'low';
responseStrategy: 'avoid' | 'mitigate' | 'transfer' | 'accept';
responsePlan: string;
owner: string;
triggerConditions: string[];
contingencyPlan: string;
status: 'identified' | 'analyzing' | 'monitored' | 'occurred' | 'closed';
dateIdentified: Date;
lastReviewDate: Date;
}
interface RiskRegister {
projectId: string;
risks: Risk[];
reviewFrequency: 'weekly' | 'bi-weekly' | 'monthly';
lastReview: Date;
nextReview: Date;
}
// Example IT project risk register
const projectRiskRegister: RiskRegister = {
projectId: 'PRJ-2024-042',
risks: [
{
id: 'R-001',
title: 'Key developer leaves during critical phase',
description: 'The senior backend engineer who owns the payment service could leave the company',
category: 'resource',
probability: 2,
impact: 5,
riskScore: 10,
priority: 'high',
responseStrategy: 'mitigate',
responsePlan: 'Cross-train a second engineer on the payment service. Document all architectural decisions. Conduct knowledge sharing sessions bi-weekly.',
owner: 'Tech Lead',
triggerConditions: ['Engineer gives resignation notice', 'Engineer expresses dissatisfaction in 1:1'],
contingencyPlan: 'Engage contract senior engineer from preferred vendor list. Budget: $50K contingency.',
status: 'monitored',
dateIdentified: new Date('2024-03-01'),
lastReviewDate: new Date('2024-03-15')
},
{
id: 'R-002',
title: 'Third-party payment API breaking changes',
description: 'Stripe may release API v3 during our development, requiring migration',
category: 'external',
probability: 3,
impact: 3,
riskScore: 9,
priority: 'medium',
responseStrategy: 'mitigate',
responsePlan: 'Implement adapter pattern to isolate payment provider integration. Pin API version. Monitor Stripe changelog.',
owner: 'Backend Team',
triggerConditions: ['Stripe announces deprecation', 'API version sunset date within 6 months'],
contingencyPlan: 'Allocate 1 sprint for migration. Pre-build adapter layer allows swap without changing business logic.',
status: 'monitored',
dateIdentified: new Date('2024-03-05'),
lastReviewDate: new Date('2024-03-15')
},
{
id: 'R-003',
title: 'Performance requirements not met',
description: 'Page load times may exceed the 2-second requirement under peak load',
category: 'technical',
probability: 3,
impact: 4,
riskScore: 12,
priority: 'high',
responseStrategy: 'mitigate',
responsePlan: 'Implement performance testing in CI pipeline from sprint 2. Set up load testing with k6 for peak scenarios. Profile and optimize early.',
owner: 'Tech Lead',
triggerConditions: ['P95 latency exceeds 1.5s in staging', 'Load test shows degradation above 500 concurrent users'],
contingencyPlan: 'Add CDN layer, implement server-side caching, consider horizontal scaling. Budget $10K for additional infrastructure.',
status: 'monitored',
dateIdentified: new Date('2024-03-01'),
lastReviewDate: new Date('2024-03-15')
}
],
reviewFrequency: 'bi-weekly',
lastReview: new Date('2024-03-15'),
nextReview: new Date('2024-03-29')
};
// Risk score calculator
function categorizeRisk(probability: number, impact: number): string {
const score = probability * impact;
if (score >= 15) return 'critical';
if (score >= 10) return 'high';
if (score >= 5) return 'medium';
return 'low';
}Known Unknowns vs. Unknown Unknowns
Two Types of Uncertainty
- Known Unknowns: Risks you can identify but cannot predict the outcome. These go in your risk register. Example: "We know the third-party API might change, but we do not know when."
- Unknown Unknowns: Risks you cannot even imagine. These are handled through management reserves (budget buffer) and Agile practices (short iterations that reveal unknowns early). Example: A global pandemic disrupting your supply chain.
Contingency reserves cover known unknowns. Management reserves cover unknown unknowns. Typical split: 10-15% contingency + 5-10% management reserve.
Risk Review Best Practices
- Review Regularly: Bi-weekly for active projects, monthly for lower-risk projects
- Assign Owners: Every risk must have one person accountable for monitoring and response
- Track Triggers: Define observable conditions that indicate a risk is about to occur
- Close Resolved Risks: Risks that are no longer relevant should be closed with a resolution note
- Add New Risks: Every sprint may reveal new risks — keep the register alive