Introduction to Project Risk Management: Part 1 – Planning for project risk management

by Jurie Steyn | Jan 1, 2018

This article is the first of a two-part series of articles on the basics of project risk management.  The two parts are as follows:

Part 1:  Planning for project risk management; and
Part 2:  Identify, analyse, action and monitor project risks.

Part 1 deals with the first step of the project risk management process, namely the planning step.  Part 2, to be published next month, deals with the implementation of the project risk management plan. 


Life is uncertain, and projects are unique, complex in nature, based on assumptions and done by people.  Projects are therefore subject to a plethora of uncertainties, i.e. risks and opportunities, that can affect the project and business objectives.

Although the activity is normally referred to as project risk management, it covers both risk and opportunity management.  Potential positive and negative outcomes deserve equal attention.  Therefore, the objectives of project risk management are to increase the probability and/or impact of opportunities and to decrease the probability and/or impact of risks, to improve the likelihood of project success. Risks and opportunities represent two sides of the same coin, but with a very different impact.  The definitions of risks and opportunities should emphasise the differences and similarities, as follows:

  • Risks are defined as uncertain future events or conditions that, if they occur, could negatively influence the achievement of business, or project, objectives.
  • Opportunities are defined as uncertain future events or conditions that, if they occur, could positively influence the achievement of business, or project, objectives.

This introduction to project risk management is aligned with the PMI Global Standard for project management, namely the PMBOK Guide, 6th edition, which incorporates ANSI/PMI 99-001-2017 (PMI, 2017).

Overview of Project Risk Management

Project risk management covers all the activities and processes of planning for risk management, identification and analysis of project risks, response planning and implementation, and risk monitoring on a project.  There are seven project risk management steps, as illustrated in Figure 1.


Figure 1:  Project risk management overview

The seven steps are as follows:

  • Step 1 – Plan Risk Management: This involves finalising the methodology to be used for risk management on a project. Details can differ from project to project;
  • Step 2 – Identify risks and opportunities: The process of identifying individual project risks and opportunities in a manner which makes analysis possible;
  • Step 3 – Perform qualitative risk analysis: The process of assessing and prioritising individual project risks and opportunities for further analysis or action, based on their probability of occurrence and potential consequences;
  • Step 4 – Perform quantitative risk analysis: The process of performing numerical analysis to determine the most likely outcome of identified high priority risks and opportunities;
  • Step 5 – Plan risk responses: The development of risk reduction options, strategy selection, and agreement on preventive and contingency actions to reduce overall project risk exposure;
  • Step 6 – Implement risk responses: The process of implementing agreed-upon risk response plans by the risk owner, according to the agreed upon timeline; and
  • Step 7 – Monitor risks: Monitoring the progress with the implementation of agreed-upon risk response plans, identifying and analysing new risks, and evaluating risk process effectiveness throughout the project.

Unmanaged risks may result in problems such as schedule and/or cost overruns, performance shortfall, or loss of reputation.  Opportunities that are exploited can lead to benefits such as schedule and/or cost reductions, improved overall project performance, or reputation enhancement.

The remainder of this article focuses on the first of these seven steps.  The remaining six steps are covered in a follow-up article, to be published next month.

Step 1:  Plan risk management

System requirements

Effective risk management requires a conducive company culture, as well as the necessary risk management processes, structures and budget to identify, assess and address potential opportunities and adverse effects.

In the planning step, the risk management methodology, assessment tools, responsible parties and timing of risk management activities are fixed.  This implies that the typical risk and opportunity categories are defined, the processes to be used for identifying risks are identified and risk assessment tools, such as a project specific risk matrix, are finalised.  Responsible parties for driving the overall risk management process are identified and the timing and frequency for risk management activities are scheduled.

As a minimum, the risk management planning step should include management commitment, defined roles and responsibilities, clear risk statements, pre-determined risk categories, a custom risk matrix and a risk register.  It should also allow for risk prevention and the reporting of residual risk.  These are discussed in more detail in the following sections.

Risk roles and responsibilities

Risk management is the responsibility of the most senior member of a business or a project team, assisted by one or more risk management professionals.  For a business it is the chief executive officer and for a project it is the project manager.  However, every member of a business or project team has a duty to manage risks in their areas of responsibility.

For a typical project, risk management roles and responsibilities are as follows:

  • Project sponsor:  The sponsor has overall accountability for all project execution and business risks.  The sponsor owns the integrated risk management process;
  • Project manager:  The project manager is responsible for implementing an integrated risk management process for the project;
  • Project track leaders:  Responsible for risk identification, risk assessment, development of preventive and contingency actions and implementation of allocated risk actions within their areas of responsibility;
  • Risk management professional:  Oversees the risk management process, provides guidance and direction, and helps facilitate the process; and
  • Functional managers:  They provide input into the risk management process at functional level and ensure that technical integrity is maintained.

Risk statements

It is always beneficial to start with a SWOT analysis of a business or project to identify potential risks and opportunities.  Weaknesses and Threats give rise to risks and Strengths and Opportunities lead to opportunities for achieving the objectives.  

Risk statements need to be structured descriptions of the risks which separate cause, risk and consequence.  For example: Because of (1) an existing condition, an (2) uncertain event may occur, which would lead to (3) an effect on the project objectives.  In this case, the numbering refers to:

  1. The Cause;
  2. The Risk or uncertain event; and
  3. The Consequence.

Writing risk statements in this manner makes the risk assessment process much simpler.  To force the writing of risk statements in this format, use a table with three columns entitled Cause, Risk and Consequence.

Risk categories

There are many different types of risks, or impacts, that can affect the sustainability of a business.  Similarly, there are different risks that can affect the viability of a project.  Although it is not essential to group risks according to predefined risk categories, it does make sense to keep like risks together.  The biggest benefit of having risk categories is that they prompt the risk management professionals when identifying risks and opportunities for a business or project.  This ensures that all types of risks are covered.

In our consultancy, we use nine risk categories when grouping risks and opportunities and we use the acronym STEEPCOIL as an aide memoire to remember them, as shown in Figure 2.


Figure 2:  Risk categories

These risk categories are described in more detail below:

  • Social risks:  Social risks cover the well-being of the workforce and the community.  This includes the health and safety of these stakeholders.  It also addresses matters like relocation, skills shortages, corporate social investment and training;
  • Technical risks:  This addresses the risk that the selected process technologies will not meet the business or project objectives, i.e. product quality and plant availability issues.  First-of-a-kind technologies and large scale-ups of proven technologies are normally problematic;
  • Economic risks:  Economic and financial risks cover the profitability of the venture.  It includes issues like equipment cost, feedstock and product prices, logistics cost, effect of project cost overruns, effect of schedule slip, etc.;  
  • Environmental risks:  This covers potential impacts on air, water and groundwater, as well as smells, noise and visual impacts on stakeholders.  Included are compliance and reporting risks to the responsible authorities, in line with the environmental management plan for the facility;
  • Political risks:  This addresses the likelihood of political instability and strikes in the country and region where a facility is being planned or operated.  Will the process facility be a high-profile target in case of instability?  Will political risks influence the supply chains?
  • Commercial risks:  Commercial risks include potential problems associated with contractual agreements which can lead to delays, cost overruns or counterclaims.  Here we include risks associated with the marketing of final products and the governance thereof;
  • Organisational risks:  Organisational risks cover the structure and ownership of the company responsible for the establishment and operation of a process facility.  What are the risks that a specific partner brings to the deal?  It also addresses the issue of having a lean organisation structure and suitably qualified and experienced personnel in key positions;
  • IT risks:  Information technology risks are shown separate from the technical risks due to their unique character.  Chemical plants require process control systems, communication systems and business systems to interact and function seamlessly; and
  • Legal risks: These are risks associated with the specific legal framework within which the business must operate.  Are carbon taxes applicable?  What is the likelihood of them becoming a reality?  What legislation is in the pipeline that can impact on the sustainability of a venture?

Risk matrix

Risk assessments can be qualitative or quantitative.  Stochastic modelling is required for quantitative analysis and is considered optional.  Qualitative analysis is always required.

Qualitative analysis is performed using a two-dimensional risk matrix, with the probability of an occurrence along one axis and the consequence of the occurrence along the other axis.  A group of assessors weighs up each risk statement and scores it in terms of probability and consequence, i.e. plots the risk on the matrix.  

Risk matrices can be anything from a simplistic 2×2 matrix to a very complex 7×7 matrix.  Risks with a low probability and insignificant consequences do not warrant further investigation.  However, high probability risks with significant impacts require attention.  We normally use a 5×5 matrix for our projects, which affords sufficient resolution for most applications.  An example of a 5×5 matrix is shown in Figure 3, with definitions for a variety of categories.  The numbers in the coloured squares represent the product of the probability and consequence ratings.

The squares of the matrix are colour coded as follows:

  • Green: Low risk;
  • Yellow: Medium risk;
  • Orange: Significant risk; and
  • Red: High risk.

Figure 3:  Illustrative 5×5 risk matrix

The company’s level of risk tolerance determines the placement of the colour squares and which risks will be further addressed.  Companies, or projects, with a high appetite for risk will have a smaller area covered by red and orange squares than those who are risk averse.  Typically, risks falling in the red and orange squares necessitate further action. The risk matrix must be finalised, and agreed to, before proceeding to later steps in the risk management process.

Risk register

The risk register is a live, structured document where risks are captured and managed.  Each risk is assigned a specific risk owner who is the person responsible for the risk reduction actions.

The risk register has provision for a unique risk number, risk category, risk description, and the current risk assessment.  For those risks where further action is required (orange and red risks), provision is made for preventive actions, which reduce the probability of an occurrence, and contingency actions, which reduce the consequence of an occurrence.  On completion of the actions a residual risk assessment is performed to determine if a risk has been adequately addressed.

We prefer to maintain separate risk registers for the project implementation phase and for the operations phase.  Although there will certainly be much duplication, it helps to maintain focus where it is necessary.  
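The following Python sketch is an added illustration, not code from the article or from the author's consultancy.  It ties together the three planning artefacts described above: the cause / risk / consequence form of a risk statement, the STEEPCOIL categories, a 5×5 matrix scored as the product of probability and consequence ratings, and a risk register with preventive and contingency actions followed by a residual assessment.  The colour thresholds are an assumption (Figure 3 is not reproduced here), "adequately addressed" is taken to mean the residual risk plots in a green or yellow square, and the register entries are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional

# STEEPCOIL categories as listed in the article.
CATEGORIES = frozenset({
    "Social", "Technical", "Economic", "Environmental", "Political",
    "Commercial", "Organisational", "IT", "Legal",
})

# Colour bands on the 1..25 product scale. ASSUMPTION: the article's
# Figure 3 is not reproduced, so these thresholds are illustrative only.
BANDS = ((15, "Red"), (10, "Orange"), (5, "Yellow"), (1, "Green"))


def is_valid_category(name: str) -> bool:
    return name in CATEGORIES


def score(probability: int, consequence: int) -> int:
    """Cell value of the matrix: product of the two 1..5 ratings."""
    for rating in (probability, consequence):
        if not 1 <= rating <= 5:
            raise ValueError(f"rating {rating} is outside the 1..5 scale")
    return probability * consequence


def band(probability: int, consequence: int) -> str:
    """Colour of the matrix square the risk plots onto."""
    cell = score(probability, consequence)
    for threshold, colour in BANDS:
        if cell >= threshold:
            return colour
    return "Green"


def needs_action(colour: str) -> bool:
    """Orange and red squares require preventive/contingency actions."""
    return colour in ("Orange", "Red")


@dataclass
class Risk:
    number: int
    category: str
    cause: str
    event: str
    effect: str
    probability: int
    consequence: int
    owner: str
    preventive_action: Optional[str] = None   # reduces probability
    contingency_action: Optional[str] = None  # reduces consequence
    residual_probability: Optional[int] = None
    residual_consequence: Optional[int] = None

    def __post_init__(self) -> None:
        if not is_valid_category(self.category):
            raise ValueError(f"unknown risk category {self.category!r}")
        score(self.probability, self.consequence)  # validates the ratings

    def statement(self) -> str:
        """Cause / risk / consequence form of the risk statement."""
        return (f"Because of {self.cause}, {self.event} may occur, "
                f"which would lead to {self.effect}.")

    def current_band(self) -> str:
        return band(self.probability, self.consequence)

    def residual_band(self) -> Optional[str]:
        """Colour after the actions, or None if not yet reassessed."""
        if self.residual_probability is None or self.residual_consequence is None:
            return None
        return band(self.residual_probability, self.residual_consequence)

    def adequately_addressed(self) -> bool:
        """ASSUMPTION: 'addressed' means the residual square is green or yellow."""
        residual = self.residual_band()
        return residual is not None and not needs_action(residual)


def action_list(register: List[Risk]) -> List[Risk]:
    """Risks plotting in orange/red squares, i.e. those needing actions."""
    return [r for r in register if needs_action(r.current_band())]


# Constructed sample register (not real project data).
SAMPLE_REGISTER = [
    Risk(1, "Technical", "a first-of-a-kind process technology",
         "a failure to reach design plant availability", "a revenue shortfall",
         probability=4, consequence=5, owner="Process lead",
         preventive_action="pilot-plant trial before detailed design",
         contingency_action="contracted fallback feedstock route",
         residual_probability=2, residual_consequence=3),
    Risk(2, "Legal", "pending carbon tax legislation",
         "a tax becoming applicable during operation", "reduced margins",
         probability=2, consequence=2, owner="Commercial lead"),
    Risk(3, "IT", "control and business systems from different vendors",
         "an integration failure at commissioning", "a start-up delay",
         probability=3, consequence=4, owner="IT lead"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.number, r.current_band(), r.residual_band(), r.statement())
```

Keeping the category list and the colour thresholds as data at the top mirrors the point made in the planning step: both are fixed per project before identification starts, and a register entry that does not fit the agreed categories or rating scale is rejected rather than silently accepted.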

Project risk management plan

The output of the planning for risk management step is captured in a project risk management plan.  The risk management plan describes how risk management activities will be structured and performed for a specific project. The risk management plan may include some or all the following elements, most of which have been discussed in detail in the preceding paragraphs:

  • Risk philosophy: Describes the generic approach to risk management on a project. Highlight differences from the norm, if any;
  • Methodology: The risk management procedures, tools (including the approved risk matrix) and sources of data that will be used;
  • Roles and responsibilities: Who is responsible to lead and support the different risk management activities;
  • Funding: Identify funding required for risk management activities and establish protocols for application of funds;
  • Timing: Specify the timing of the different risk management activities along the project timeline and the frequency of meetings;
  • Risk categories: Use the STEEPCOIL example or any other preferred risk breakdown structure;
  • Definitions of risk probability and impacts: These must be specific to the project context, and reflect the risk appetite of the organisation and stakeholders;
  • Reporting format: Here we define how the outcomes of the project risk management process will be documented, analysed, reported and communicated; and
  • Tracking and auditing: Risk audits may be used to consider the effectiveness of the risk management process.

Concluding remarks

A detailed project risk management plan, as described above, is the desired outcome of the planning for risk management step.  However, this is only the first of seven steps in the project risk management process.  Part 2, covering the remaining steps, will be published on the 1st of February 2018.


PMI (Project Management Institute, Inc.), 2017, A guide to the project management body of knowledge (PMBOK Guide), 6th ed. PMI Book Service Center, Atlanta.

Jurie Steyn

Consulting Partner, Director

Jurie holds a BEng(Chem)Hons and an MBA. He has more than 37 years of engineering, operations management and functional management experience. He started, developed and managed the Environmental & Risk Engineering group in Sasol Technology for more than 14 years.

