Managing Risk


This post is part of a series on IT consulting.

A risk is the probability of loss, danger or damage. Risks can come from uncertainty, deliberate acts, or unpredictable and unforeseen events. Risk management is about reducing the probability of a risk occurring. Once a risk has occurred, it becomes a problem, or issue. Risk management therefore also considers reducing the impact of issues.

As in stakeholder management, the five steps involved in risk management are as shown below. The process is repeated and refined throughout the project.

Risk Management Process

Some approaches add an explicit knowledge or learning step in addition to the track step. For the purposes of this post I’m assuming that risk management histories are available to subsequent projects.


When identifying risk, try to find gaps in knowledge about the project and its environment. When a project starts, organise a workshop or brainstorming activity with all stakeholders to identify risks. Do not leave risk identification to the project manager. Continue to identify risks as the project progresses. At a minimum, capture the following information for each risk:

  • Root cause - Consider and document the real cause of the potential, undesirable outcome represented by the risk.
  • Condition - Describes an existing state of affairs or attribute that the team feels may result in a project loss.
  • Consequence - Describes the undesirable project attribute or state of affairs that may happen if the risk were to occur.
  • Effect - Consider and document the downstream effect of the potential, undesirable outcome represented by the risk.


During this step risks are examined and prioritised. The most common way of quantifying risk exposure is to quantify risk probability and impact. The two quantities are multiplied together to calculate risk exposure.

  • Probability - Risk probability is a measure of the likelihood that the consequence described by the risk will actually occur. Risk probability can be expressed as a simple mapping of "low", "medium" and "high" to the values 1, 2 and 3, respectively, or as a percentage.
  • Impact - Risk impact is a measure of the magnitude of loss caused by the consequence described by the risk. Impact can be expressed in financial terms or, as with risk probability, using a subjective scale.
  • Exposure - Risk exposure is a measure of the overall threat of the risk. It is calculated by multiplying the risk probability with the risk impact. Risk exposure is then used to rank or prioritise risks.


The first step during risk planning is choosing an approach to dealing with each risk. The following list contains some common approaches to risks:

  • Research - Further study is required to acquire more information and better determine the characteristics of the risk.
  • Accept - Live with the consequences if the risk were to occur. Accept the risk and take no further action.
  • Avoid - Avoid the risk altogether by changing the scope of the solution.
  • Transfer - Avoid the risk by transferring it to another project, team, organisation or individual.
  • Manage - Create mitigation and contingency plans to reduce the probability and impact, respectively, of the risk.

If the risk is going to be managed, mitigation and contingency plans are formulated and documented. The risk is also assigned to a stakeholder, who is responsible for executing the mitigation and contingency plans.


During this step the team is actively executing mitigation steps to reduce the probability of risks, or performing activities related to contingency plans because triggers have been reached. Risk status is actively tracked, updated and communicated. Some commonly-used status types are:

  • Identified - The risk's cause, condition, consequences and effect have been identified.
  • Active - Risk identification, analysis and planning are complete. The risk is being actively managed and tracked.
  • Issue - The risk has happened, and so has become an issue. The contingency plan, if available, is being actively managed and tracked.
  • Closed - The risk is no longer active because it has been mitigated, avoided, transferred, or the contingency plan has been executed.
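The analysis and tracking steps above come together in a risk register. The following is an added example, not code from the post or its author: a small register that scores each risk on the post's low/medium/high scale, ranks by exposure (probability times impact), and enforces the status lifecycle. The set of legal status transitions, the rule that a managed risk must have an owner before it becomes active, and the sample risks are my assumptions and constructed data, not anything stated on the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Qualitative scale from the post: "low", "medium", "high" map to 1, 2, 3.
SCALE = {"low": 1, "medium": 2, "high": 3}

# Allowed status transitions. The four statuses are the post's; which moves
# are legal is my reading of their descriptions (an assumption).
TRANSITIONS = {
    "identified": {"active", "closed"},   # analysis and planning done, or dropped
    "active": {"issue", "closed"},        # trigger reached, or mitigated/avoided/transferred
    "issue": {"closed"},                  # contingency plan executed
    "closed": set(),
}


@dataclass
class Risk:
    name: str
    root_cause: str
    condition: str
    consequence: str
    effect: str
    probability: str              # one of SCALE's keys
    impact: str                   # one of SCALE's keys
    approach: str = "research"    # research / accept / avoid / transfer / manage
    owner: Optional[str] = None   # stakeholder who runs the mitigation and contingency plans
    status: str = "identified"
    history: List[Tuple[str, str]] = field(default_factory=list)

    def exposure(self) -> int:
        """Exposure = probability x impact on the 1..3 scale, so 1..9."""
        return SCALE[self.probability] * SCALE[self.impact]

    def transition(self, new_status: str) -> None:
        """Move to a new status, enforcing the lifecycle and the ownership rule."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.name}: cannot go from {self.status} to {new_status}")
        # Assumed rule: a managed risk needs an assigned stakeholder before it is tracked.
        if new_status == "active" and self.approach == "manage" and not self.owner:
            raise ValueError(f"{self.name}: managed risk has no owner")
        self.history.append((self.status, new_status))
        self.status = new_status


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest exposure first; ties broken by name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.exposure(), r.name))


def build_register() -> List[Risk]:
    """Constructed sample register (illustrative entries, not from the post)."""
    return [
        Risk("Unpatched dependency", "No process for tracking upstream advisories",
             "Several libraries are two major versions behind",
             "A known vulnerability is shipped to production",
             "Incident response, customer notification, rework",
             probability="high", impact="high", approach="manage"),
        Risk("Lead developer leaves", "Single point of knowledge",
             "Only one person understands the auth module",
             "Auth work stalls for weeks", "Schedule slip on the release",
             probability="medium", impact="high", approach="manage", owner="PM"),
        Risk("Test environment outage", "Shared hardware with another team",
             "Environment is rebooted without notice",
             "A test cycle is lost", "Minor schedule slip",
             probability="high", impact="low", approach="accept"),
    ]


if __name__ == "__main__":
    for r in rank(build_register()):
        print(f"{r.exposure():>2}  {r.status:<10} {r.name}")
```

Running it prints the register ordered by exposure, highest first. The `transition` method is where the register stops being a spreadsheet: a managed risk cannot be marked active without an owner, and a risk that has become an issue can only be closed, never quietly moved back to "identified".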

All content copyright 1995-2019 by Michael Wittenburg, unless otherwise stated.
All content on this site is licensed under the Creative Commons license, unless otherwise stated.