pm4dev, 2019 –management for development series ©

Project
Risk
Management
PROJECT MANAGEMENT FOR
DEVELOPMENT ORGANIZATIONS
 Project Risk Management

PROJECT MANAGEMENT FOR

DEVELOPMENT ORGANIZATIONS

A methodology to manage development

projects for international humanitarian
assistance and relief organizations

© PM4DEV 2019
Our eBook is provided free of charge on the condition that it is not copied, modified, published,
sold, re-branded, hired out or otherwise distributed for commercial purposes. Please give
appropriate citation credit to the authors and to PM4DEV.

Feel free to distribute this eBook to any one you like, including peers, managers, and
organizations to assist in their project management activities.

www.pm4dev.com
Project Risk Management

Risk Management

Risk management deals with the processes to identify, analyze and respond
to risk throughout the project life cycle, with the goal to ensure the project
will be able to reach its objectives. Risk management also helps the project
by determining the right scope, making realistic schedules and better cost
estimates that take in account provisions to respond to risk events. Risk
management also helps project stakeholders understand the true nature of
the project, identify its weaknesses, threats, strengths, and opportunities.
The main purpose of risk management is to build an understanding of the
potential problems that might occur on the project and how they might
impede project success, by developing strategies to reduce the impact of
potentially adverse events on the project. Risk management is an
investment the project is willing to make to reduce the impact to the
project. There are costs associated with risk management and these costs
should not exceed the potential benefits.
Project risk management is concerned with the analysis of the various risks
and reducing their impact. The probability that a risk may occur varies as
the project makes progress, a risk identified as low impact and low
probability may change in a couple of months to high impact and high
probability. The role of the project manager is to ensure there is a constant
evaluation of the risk factors and update the response plan accordingly.
Risk management is a systematic process of identifying, analyzing,
responding, monitoring and evaluating project risks. It involves a series of
steps and techniques to help minimize the probability and impact of
adverse events and maximize the probability and results of positive events
within the context of risk to the overall project objectives. Project risk
management is most effective when it is done early in the life of the project
and is a continuous responsibility throughout the project’s life cycle.

www.pm4dev.com
Project Risk Management

Definition of Risk

A dictionary definition of risk is “the possibility of potential harm that may

arise from some present process or from some future event”1. As such risk
is also associated with the probability that the event may or may not occur.
Risks are also associated with the potential benefits or pay off a project
may receive in light of potential risks. For example, a project may embrace
a particular approach that has a high risk of creating resistance from local
interest groups, but the payoff to the community is high. In this case, the
project faces a decision to use the approach and face the risks or avoid the
risk by using a different approach that may not have the same impact or a
payoff.

Objective of Risk Management

The project risk management plan helps project stakeholders and the
project team makes informed decisions regarding alternative approaches to
achieving their objectives and the relative risk involved. Risk management
encourages the project team to take the following appropriate measures:
 Minimize the negative impacts to project scope, budget, schedule
and quality.
 Maximize opportunities to improve the project’s objectives with
lower cost, shorter schedules, enhanced scope and higher quality.

Sources of Risk

Due to the complexity of the environment they have to act, development

projects face many risks that can jeopardize their viability, development
projects need to build better awareness of all the internal and external
factors that influence the environment that create high risks for the project.
Some of these factors include:

1
Merriam-Webster Dictionary, 2012

www.pm4dev.com
Project Risk Management

 Unclear project objectives and poorly defined project scope.

 Limited access to goods and services.
 Poor local infrastructure.
 Lack of project ownership and support from stakeholders.
 Political, social and economic environment.
 Influence of interest groups, local government, media, and other
NGOs.
 Low understanding of the external environment.

Having a budget, a detailed schedule, and a well‐defined Logframe are not

a guarantee that the project will be a success. There are many factors that
can intervene and limit the ability of the project team to deliver the project
benefits. Risk factors are conditions that exist in the project environment
that the project has little or no influence, in some cases risks are
unavoidable and the project must develop strategies to minimize its
impact. Risk management is not a one‐time exercise, the project must be
able to develop risk management strategies during the project initiation
and all project planning phases to increase the chances of project success.

www.pm4dev.com
Project Risk Management

Risk Management Process

There are four stages to risk management, they are:
 Plan: Risk Planning, involves the identification, quantification and
development of a response plan
 Do: Risks Response, includes the activities to mitigate, monitor risks
and respond to risk events.
 Check: Risk Plan Evaluation, involves the evaluation of the risk
management plan and response actions taken by the project
 Adapt: Risk Plan Improvement, the actions to improve the risk plan
and response mechanisms as well as an update on the risk levels

Risk Management inputs and outputs:

Inputs Do Outputs
Monitor and
Respond to
Risks

• WBS
• Risk
• Project
Proposal Plan Check management
• Log-Frame Process plan
Evaluate Risk • Risk response
• Project Identify Risk
Plan reports
environment
• Improvement
• Historical
plans
information
• Budget
Adapt
Improve Risk
Plan

Figure 1 ‐ Risk Management, IPO Diagram

www.pm4dev.com
Project Risk Management

Inputs: Inputs for the project risk management include the following
documents or sources of information:
 WBS
 Project Proposal
 Log‐Frame
 Project environment
 Historical information

Outputs: The project team will use the above information to develop three
important documents for the project:
 Risk management plan
 Risk response reports
 Improvement plans

www.pm4dev.com
Project Risk Management

Risk Planning

The risk management plan is a process that helps the team decide the best
approach and plan for risk management activities during the life of the
project. The project team needs to hold several meetings to develop the
risk management plan, starting with the identification of project risks, and
reviewing project documents such as the project contract, WBS, budget,
schedule, roles and responsibilities, including documents from previous
projects and organization’s policies and guidelines for risk management.
Additionally, the project needs to assess the risk tolerances of the various
key stakeholders, what may seem a low impact risk to the project team
may be a high impact risk to a stakeholder. Some stakeholders may be risk‐
averse, which will require a different approach in the risk management
plan.
The risk management plan will document the procedures for managing risk
during the project life cycle, the plan will summarize the results of the risk
identification, risk quantification and risk analysis, and the procedures for
responding to a risk event including the evaluation of the risk management
plan. The risk management plan is also used as an input to the project
budget and project schedule, since the identification and quantification of
risks may require changes in the project schedule and the provision of a
contingency budget to cover the costs of a risk event response.
The plan also determines the roles and responsibilities of the people
involved in responding to a risk event and the steps required to evaluate
the response plan. The risk management plan can include the methodology
to identify and quantify risks, reporting formats, authorization procedures
and a description of how the team will track and document the risk events.
Additionally, the risk management plan may include contingency plans and
fallback plans with their appropriate contingency budget reserves. These
are detailed as follows:
 Contingency plans are predefined actions that the project team will
take if one of the identified risks occurs.

www.pm4dev.com
Project Risk Management

 Fallback plans are plans used for risks with high impact that are put in
place when the activities to reduce or mitigate the risk have not
worked.
 A contingency budget reserve is a financial provision that the project
or organization holds to mitigate costs caused by a risk event.

Risk planning consists of three stages: Identifying all the risks that may have
an impact on the project, quantify the impact and probability for each
identified risk and develop a risk response plan.

Risk Identification

This is the step where the project team identifies and names all risks. The
project can use a combination of brainstorming and reviewing risk
management plans from previous similar projects. Identifying risks is the
process of gaining an understanding of the negative outcomes of a project.
The project manager and the project team should investigate all sources for
information about potential risks to the project, to facilitate this search
risks can be categorized into two groups: internal and external risks.
 Internal risk: comes from the project organization or internal
conditions such as limited support from the organizations, lack of
qualified resources on the team, and the organization’s management
processes and project management competencies. Internal factors
also include stakeholders, including intended beneficiaries and the
local communities, which have a strong influence in the project
outcomes. In most cases, internal factors can be managed, and their
impact reduced by getting the support and commitment to the
project.

 External risk: comes from the environment and these are more
difficult to manage. These include all the factors that the project has
little or no influence to change and the best strategy is to develop
contingency plans that will help minimize their impact. External
factors include political system, socioeconomic context, geography,
infrastructure, and the local natural environment.

www.pm4dev.com
Project Risk Management

The identification of the project risk should be captured in a Risk Log that
during the life of the project the log will be updated to reflect the new
information on each risk and update their risk impact and probability. The
project team should list all risks that may have an impact on the project,
one way to start this process is to review each one of the project process
areas, such as scope, schedule, budget and quality, as a way to identify
potential risks.
Another source for project risks is the information from previous similar
projects, it is a good way to learn from the past, and therefore, increase the
chances to reduce risks on current and future projects.
Table 1 – Risks by process area
Process Area: Risk Factors or Conditions
Poor planning or poor scope definition and inadequate scope control,
Scope
low stakeholder involvement
Estimating errors, poor allocation of resources, external
Schedule
dependencies
Estimating errors, currency exchange fluctuations, budget constraints
Budget
and donor regulations
Poor quality definition, inadequate controls, and quality assurance
Quality
program
Team conflicts, absence of leadership, poor definition of
Team
responsibilities, low skills
Low interest and support to the project, lack of ownership, conflicts
Stakeholder
of interest and priorities
Poor communication skills, information overload, communication
Information
interferences
Risk Ignoring critical risks, poor risk analysis, inadequate response plans

Contract Contract clauses, good and services availability

There are several methods for identifying risks, the project team needs to
start the process by first reviewing the project documentation, analyzing
project assumptions on which project plans were developed, interviewing
key stakeholders and reviewing previous projects.
The most common technique for identifying project risk is the use of
brainstorming in which a group attempts to generate a list of potential risks
for the project, the result is a comprehensive list that the group then uses

www.pm4dev.com
Project Risk Management

to quantify based on their probability and impact to the project. Another

useful technique is interviewing people with experience in a specific subject
matter to identify risks in the project. A good source of people to interview
is team members from a similar or past project, and key project
stakeholders who can provide a different view of project risks from their
perspective. A final technique for risk identification is to conduct a SWOT
analysis with the project team. The SWOT (Strengths, Weaknesses,
Opportunities and Threats) is an analysis, usually used in strategic planning,
but that can provide valuable insights to identify the potential risks to the
project.

Risk Quantification

Quantifying the risks is a process that requires an analysis of the risk factors
by determining their probability of occurrence and their impact to the
project. Risk quantification takes the form of a matrix that places
probability and impact together. All risk identified need to be quantified in
two dimensions, probability and impact:
 Probability is the chance or likelihood that the event will occur or
not, some risks are almost certain that they will occur while others
are a remote possibility.
 Impact is the result or consequences of a risk event to the project,
measured by the effect on the project.

A good practical method is to use a scale of high to low (or one to three) for
each risk level of impact and probability. The risk factor is determined by
multiplying impact with probability and organizing the results from high to
low, providing a list of prioritized risks.

www.pm4dev.com
Project Risk Management

Table 2 – Risk assessment

Risk Risk Probability Risk Impact Risk Index Risk Priority
(P x I)
Risk A Medium (2) Low (1) 2 4

Risk B Low (1) High (3) 3 3

Risk C High (3) High (3) 9 1

Risk D Medium (2) High (3) 6 2

It is not necessary, or economically feasible to prepare a response plan for

all risks identified in the project, for that purpose the project needs to
prioritize the risk based on their level of impact and probability. The table
above helped determine a risk prioritization list that the project can use to
prepare the response plans.

Figure 2 – Impact Probability Matrix

www.pm4dev.com
Project Risk Management

Risk Response Plan

Risk quantification provides an analysis of risks prioritized by their

probability and impact to the project. Risk response planning is to
determine the actions needed in case of a risk event.
There are four strategies the project can do to respond to a risk vent:
 Avoid the risk: Making changes to the project to remove the risk.
 Mitigate the risk: Take action to reduce the impact or the chance of
the risk occurring.
 Transfer/Share the risk: Moving the liability of the risk to a third
party, or Share the risk with a partner organization.
 Accept the risk: To accept the consequences of the risk, sometimes
due to the inability to develop a response strategy. The risk might be
so small the effort to do anything is not worthwhile.

Table 1 – Risk response strategies

Risk Level Response Strategy
9 Avoid the Risk, take immediate action.
6‐4 Mitigate or Transfer the Risk, first priority .
3‐2 Mitigate or Transfer the Risk, second priority.
1 Accept the risk, monitor regularly.

A risk response plan should include the strategy and action items to address
the strategy. The actions should include what needs to be done, who is
doing it, and when it should be completed. The actions that the project can
take as part of its risk response strategies are: developing preventive plans
and develop contingency plans.

 Preventive plans: involves the review of the risk log to identify if any
steps can be taken to prevent risk from happening or reduce the
probability that the risk may occur. Preventive actions use transfer or
avoidance risk strategies. The cost of prevention actions needs to be
weighed against the impact of the risks. The tasks are then added to
the project schedule with a clear assignment of roles and
responsibilities.

www.pm4dev.com
Project Risk Management

 Contingency plans: are plans for those risks where the project
cannot build prevention strategies, these plans use mitigation and
risk acceptance strategies. Preventive plans seek to minimize the
impact of the risk event in the project. Contingency plans include a
list of resources such as budget and personnel.

The response plan needs to be updated as soon as the

project evaluates the risk log and updates the risk
factors. Failure to do that may result in using an
outdated response plan that does not reflect the most
current factors that expose the project to more risks.

The project manager is ultimately responsible for the analysis and

monitoring of risks with assistance from the project team. There may be
some risks that are outside the control of the project manager, these risks
fall within the responsibilities of the organization’s management team. The
project manager should discuss any such risks with the management team
to ensure that the risks are being adequately monitored and a response has
been planned. The project will develop a simple table that describes the list
of risks prioritized, the preventive or contingency plans developed and the
people responsible for it. The table below shows an example:
Table 42 – Risk matrix log
Risk Probability Impact Index Risk Response Plan Responsible
Risk C High (3) High (3) 9 Immediate Action, Project
Avoid risk, change Manager
schedule dates
Risk D Medium (2) High (3) 6 Contingency Plan, Coordinator
mitigate risk by
adding resources.
Risk B Low (1) High (3) 3 Preventive Action, Specialist
transfer risk to a
consultant
Risk A Medium (2) Low (1) 2 Contingency Plan, Administrator
accept risk, loss is not
significant.

www.pm4dev.com
Project Risk Management

Risk Contingency Budget

This is a technique for all the identified risks, the idea is to request a risk
contingency budget to cover the impact to the project if one or more of the
risks occur. The project will need to calculate the monetary impact to the
project if the risk event occurs, the second step requires assigning a
probability value to each risk expressed in percentages. Multiply the impact
value with the risk probability, add all the values, the result is the risk
contingency budget.
Table 3 – Risk budget
Risk Probability Impact Contingency Budget
Risk C .60 70,000 42,000
Risk D .40 50,000 20,000
Risk B .10 40,000 4,000
Risk A .40 5,000 2,000
Total $165,000 $68,000

From the example above, the potential impact to the project is $165,000.
But neither the donor nor the organization is in a position to assign these
funds, the only reason the project would need that much money is if every
risk occurred. The risk contingency budget should reflect the potential
impact of the risk, this is the total contingency request for the project that
for this example is $68,000. This value will need to be added to the project
budget as risk contingency. If risk B and D actually occurred, the project will
be able to use the contingency budget. If risk C also occurred, the risk
contingency budget will not be enough to protect the project from the
impact. Because risk C has a 60% chance of occurring, the project team
needs to put their efforts on this risk to make sure that it is managed so
that its impact on the project will be lessened through proactive risk
management techniques such as prevention or mitigation.
Force Majeure Risk

Force Majeure, or greater force, is a sentence to describe risks that are so

catastrophic that they are outside the scope of risk management planning.
There is little that the project can do to prevent them or mitigate them and

www.pm4dev.com
Project Risk Management

when they occur, the impact is so large that may cause the project to be
closed or postponed for many months. The following are some examples of
Force Majeure risks:

 Nature Events: Earthquakes, hurricanes, floods, volcano eruptions,

etc.

 Human Events: Economic collapse, civil unrest, war, terrorist acts,

social instability, etc.
The responsibility to develop response plans to this type of risk falls under
the responsibility of the organization’s management, since the risk will
impact not only the project but the organization. Some donor contracts
include clauses that deal with Force Majeure events and release
responsibility from the organization for the losses caused by these events.

Risk Response

Once the risk management plan has been approved the team will carry the
activities assigned to the. The team will focus on the tasks to avoid,
mitigate or transfer the risk. Depending on the number of risks and the
priorities assigned in the plan, the team will start working and report on the
progress of the project manager.
 Avoid Risk – The project team can avoid the risk by changing the
activity that will create the risk. For example, severe weather
conditions can delay the completion of key project activities. In this
case, the project manager may choose to move the calendar or
cancel the activity altogether. In this case, the project should
evaluate the consequences to the project objectives
 Mitigate Risk ‐ These are activities designed to reduce the impact to
the project if the risk were to occur. For example, an activity that
may take too much time to complete will delay the entire project,
the plan will require an increase in the resources or people available
during the performance of that critical activity.

www.pm4dev.com
Project Risk Management

 Transfer/Share Risk – This activity includes the process to transfer or

share the risk with a third party who may have more expertise. For
example, the project team may not have the skills required to
complete a critical activity and the project manager decides to hire a
consultant to do that work.
 Accept the Risk ‐ Due to its low probability and Impact, the best
action is to accept the risk. Even if it happens the cost of doing a
response can be higher than the cost of the risk impact. The project
manager should do a risk/benefit analysis to determine the cost of
accepting the risk. These risks should be monitored regularly to see if
their probability or impact changes over time.

Once the planned risk response activities are completed the project
manager should update the risk register and communicate the results to
key stakeholders.

Monitoring the risk registry

An important activity during this phase is to monitor the risk registry for
any changes. As more information is obtained the risk will change their
levels of probability. The team will monitor the risks with top priority and
determining if the triggers are close to occur. Monitoring also includes a
revision of the assumptions made at the start of the project about each
risk. During the life of the project the conditions, assumptions and
knowledge of the environment changes and with that the initial
information the project had about the risks also changes. It is a good
practice for the team, as it makes progress and builds more understanding
about the project environment, that they review the original assumptions
they made regarding the project risks impact and probabilities.
Risk monitoring is an ongoing activity performed by the project team
throughout the entire life of the project. Risk management does not stop
with risk analysis and development of a response plan. The identified risk
may not occur, or their probabilities or impact may diminish. Previously
identified risk that during the analysis stage was categorized as low impact
or low probability may turn into high probability and high impact.

www.pm4dev.com
Project Risk Management

Additionally, new risk may come that the team wasn’t aware at the start of
the project. All newly identified risk will need to go through the same
process as those identified during the risk planning phase. New identified
risk would also have an impact on the preventive actions or contingency
plans developed initially. The project will need to update this information
and make the necessary changes to the project plans.

Risk Triggers

For some types of risk, it is easy to identify the triggers or situations that
cause a risk to occur, for example schedule disruptions caused by
transportation strikes, budget changes caused by currency fluctuations or
severe weather events on the host country can be monitored closely by
following the news and other sources of information that give indicators
about the proximity of the risk event. Each risk should have a list of trigger
indicators that the project will monitor during the life of the project. One
good practice is to develop an early warning system, this can be done by
publishing the Risk Log with a color indicator that represents the risk level
for each risk from green to red. As the possibility of a risk changes the
project will update the Risk Log and change the color assigned to that risk.
The table below shows an example.
Table 6 – Risk trigger matrix
Risk Trigger Status Date Updated Event
Heavy rains forecasted for next
Risk A (Red) 02/15/2009 week will generate floods in the
project area
Increased probability of higher
Risk B (Yellow) 02/01/2009
costs to the project due to floods
Risk C (Green) 02/15/2009 No changes

Risk D (Green) 02/01/2009 No changes

The objective is to have everyone on the team, and some key stakeholders
aware about the risks to the project and develop a level of readiness that
will facilitate a proactive response to a risk event. The worst situation is

www.pm4dev.com
Project Risk Management

when the risk event surprises the project and leaves them with no options,
or time to prepare to respond properly to the risk.
In certain situations, by understanding the imminence of a risk event, the
project can prepare the actions to reduce the impact such as moving the
place or time of training events, postpone the transportation of material to
and from the project, reduce the local currency deposits to reduce the
exposure of currency fluctuations, or prepare the project team for a severe
weather event.

Risk Event Response

Risk event response involves executing the risk contingency plan to respond
to a risk event. Executing the plan ensures that the people assigned to
those duties, the risk owners, carry out the actions to mitigate, prevent or
respond to a risk event. Preventive actions occur when the project
implements measures to reduce the impact or probability of a risk. The
project can also decide to put in place actions to respond to a risk event by
implementing the contingency plans and workarounds.
During risk response, the project manager will notify the key stakeholders
about the event and the steps that the project is taking to reduce the
impact to the project, these will include the request for authorization to
use the risk contingency budget required and assign the personnel for the
activities planned. The project manager should supervise the activities and
include the results in the project reports. The risk owners assigned to
respond to the risk will receive their orders and resources required to
implement their actions, the organizations’ management will be informed
as well as the donor and beneficiary representatives as appropriate.
Not all plans always go as planned, and the risk that originally was rated as
medium impact may result in a high impact risk causing more damage to
the project than previously thought. The project manager should monitor
closely the impact to the project. Especially in the areas of schedule, budget
and scope and develop contingency plans to mitigate the impact to the
project. Responding to risk should be more than just implementing the
planned actions, the project needs to take this opportunity to measure how

www.pm4dev.com
Project Risk Management

effective was its initial analysis of the risk and how effective was the
response plan.

Risk Plan Evaluation

Risk Evaluation

1. Like any other plan, the initial assumptions and estimates on risks will
usually have changed over time. It is through practice, experience, and
evaluation of the results that will create the opportunities to make changes
in the plan and contribute information to allow possible different decisions
to be made in dealing with the risks being faced.
2. The results of risk analysis and management plans should be updated
periodically. There are three reasons for this:
 Evaluate the effectiveness of actions taken, and how the project was
able to use the plan to address the risk.
 Evaluate whether the previously selected contingency plans are still
applicable and effective and make the appropriate changes
 Evaluate the possible risk level changes in the project environment.

Evaluating the Risk Response Plan

All risk response plans need a post evaluation to determine if the actions
were as effective as planned. The team should review the risk management
plans the project created to respond to a risk event. The evaluation should
be another opportunity for the project to review the assumptions made at
the moment of identifying and quantifying the risks.
The project team should meet and discuss the results of the risk response
plans, the effectiveness of the prevention actions and mitigation plans,
review the roles and responsibilities of the risk owners and how they were
able to conduct their duties. In general, the team should address the
following areas during the risk response evaluation:

www.pm4dev.com
Project Risk Management

 The ability of the team to identify risks and make adjustment to the
plans for new risks and their accuracy in determining probability and
impact.
 The participation of stakeholders in the risk response actions.
 The effectiveness of the mitigation plans and how the plan was able
to address the identified risks and satisfactorily mitigate or reduce
the impact of the risk event.
 The need for workarounds to address unplanned or unexpected risk
events.
 The accuracy of the contingency budget in addressing the risk
response actions.
 The appropriateness of the risk strategies to mitigate, transfer,
accept or avoid risks.
 The ability of the risk owners to manage the risk event and take full
ownership of their role.
 The ability of the risk owners to document recommendations and
modifications to the plans.

A key outcome of this review is to update and adapt the risk management
plans and strategies originally developed.

Risk Audits

Risk audit is another approach to evaluating the risk management plan, the
audits are usually done by a third party who audits the risk response
actions and determines if the proper actions were taken as planned. One
advantage of having a third party do the audit is that they will bring a
different perspective to the evaluation and an unbiased opinion that can
shed new light and open opportunities for improvements.
When properly done, risk audits evaluate the effectiveness of the risk
management plan and risk response plans. The audit is a good time to
review what went well, what did not go well, and what can be done to
improve the risk management processes. Performing an audit after a risk
event or at the end of a project provides an opportunity for assessing the
following:

www.pm4dev.com
Project Risk Management

 Completeness of the risk identification process

 Accuracy of probability and impact scores
 Identification and monitoring of risk trigger
 Mitigation and Contingency plans
 Risk contingency budget
 Completeness of the risk management plan
 Performance of the risk owners
 Effectiveness of the risk response plans
 Recommendations for future risk plans

For large or medium size projects, risk audits may be performed at the end
of major milestones throughout the project. Audits for small projects can
performed at the end of the project. The list below contains some of the
steps to conduct a Risk Audit:
 Organize the team. Participants include the project team members,
and other people helped identify the risks, assisted with the response
plans, and how the risk triggers and risk events were monitored
throughout the project. During the meeting, the project manager
may decide to include senior managers from the organization, some
key stakeholders, and even a beneficiary representative because
their perspective of the risk events may be different from the project
team’s perspective.
 Conduct the audit. Using the Risk Log the team should start by
examining the risk list and review the risks that occurred, the risk
that didn’t happen and list the risks that occurred that were not
listed in the log. Participants should also review if the response plans
were effective and, if not, what could have been done to make them
more effective.
 Develop recommendations. The next step is for the team to
recommend how the risk management plans, risk planning, risk
monitoring, and risk response plan, and even the risk evaluation
process could be enhanced or improved. The team should document
all that went well and decide what could be done better next time.
 Develop the risk audit report. The last step is for the project to
document the risk audit process and the recommendations that
emerged from the audit, along with the lessons learned

www.pm4dev.com
Project Risk Management

documentation and assign activities to the team to incorporate all

recommendations in the project plans.

The key message is that the project should spend enough time to evaluate
not only its efficiency in responding to a risk event but its effectiveness at
identifying the risk.

Risk Management Improvements

Updating the Risk Management Plan

Recommendations from the risk evaluation or the risk audit process are
inputs used by the team to update the risk management plan, there is no
use of monitoring, evaluating and auditing the risk response plan if the
findings and recommendations are not incorporated in the risk
management plan process.
Adapting is a survival strategy that the project uses to continuously
improve and proactively respond to the changing environment it needs to
operate, adapting the risk management plan is part of the strategies the
project has to reduce the impact of the risk to the project. It draws its
lessons from the experiences that gained in responding to a risk event, and
the insights and knowledge it gains as the project makes progress.
The project should adapt its approaches, plans and strategies around risk
management by incorporating the recommendations that were developed
in the risk evaluation and risk audit exercises, the recommendations are
categorized into four areas:
 Updating the Risk Log,
 Updating the Risk Response Plan
 Communicate to Stakeholders

www.pm4dev.com
Project Risk Management

Updating the Risk Log

The team should update the risk logs by including the new risk identified by
the risk audit, delete risks that never occurred and review the risk
quantification analysis for each risk. The team should pay special attention
to the assumptions and information that lead the project to list the first list
of risks and take in account the new information on the project and the
sources used to identify risks.
The team should also update the risk log by reviewing and changing the
levels of risk probability and risk impacts and reclassifying the order or
priority of risks in the log. Each risk should be reviewed, and all original
assumptions checked, especially the quantification of risk values.
As the project makes progress many risks that originally were identified as
low risk change their status. Some risk can have a low impact when the
project is in the early stages of implementation, but their impact increases
as the project makes progress. For example, the impact to the project in its
early stages is limited because the project has not used any significant
resources, but mid trough the project the risk has more impact because
more resources were invested.
Risk probability has similar but opposite tendencies. A risk that had a high
probability to occur at the start of the project will reduce its probability as
the project gets closer to its completion, this is due to the fact that more
information about the risk is known. Risks are most likely to occur during
the initiating phase and less likely to occur during the closing phase, this
relationship can be seen in the diagram below.

www.pm4dev.com
Project Risk Management

Risk High Probability

Probability

Low Probability

Project Timeline

Risk
Impact
High Impact

Low Impact

Project Timeline

Figure 5 ‐ Risk Impact and Risk Probability

At the beginning of the project, there are many uncertainties, risk

probability decreases as the project gets more information about the
project and has a better understanding of the causes of risk to occur.
Impact increases due to the investment, resources and commitments made
to the project. Updating the log will generate a new Risk Log that the team
will use to update the risk response plan.

Updating the Risk Response Plan

The changes and updates to the risk log, risk quantification and the risk
prioritization demand for an update to the risk response plan by changing
the contingency plans, the preventive actions, the roles and responsibilities
of the risk owners and the risk contingency budget. The project manager is
responsible for updating the response plan and to communicate all key
stakeholders on the changes to the plan. The communication should
include the most important changes that were made to the plan, with
special emphasis on the risk priority list and the names of the risk owners.

www.pm4dev.com
Project Risk Management

Communication to the stakeholders should highlight the new high

probability, high impact risks and the actions that the project has devised to
mitigate the risk.
The effectiveness of a risk response plan is that it is an iterative process,
and effective communication is a key element. The project needs to build a
constructive communication exchange between key stakeholders, project
team members, management, and the project donors to keep them
informed of the project risk and the plans the project has to devise to
reduce their impact to the project.

Lessons Learned

Project risk management requires a considerable investment in time and

resources if the project wants to obtain any benefits. A good practice for
the project is to continuously adjust the management process to achieve
the best results for the efforts invested. The objective is to make the
process as efficient as possible by reducing the steps that do not produce
an outcome that is proportional to the effort required. It does not make
sense to develop a complex process to deal with risk management that
ends up costing more than the cost the process is trying to avoid. The
project team should aim to learn as much as possible from every risk event
and apply the lessons to the plans and processes to build more efficiencies
and reduce steps or actions that do not add value.

www.pm4dev.com
 Project Risk Management

PM4DEV.COM
Drawing from our deep understanding of the challenges and the needs for
realistic solutions that can improve the way in which projects are managed
and services are delivered, PM4DEV offers the only adapted Project
Management Methodology for development organizations. Our services
include:
 Consulting, to help organizations implement a project
Management methodology that will increase the impact of their
interventions.
 On Site Training on project management methods to increase
and develop the skills of project managers
 Online Learning for project managers that want to develop their
own competencies on a flexible online learning environment.
To get more information on these services, visit our web site at
www.pm4dev.com/services or send us an email to [email protected]. We
offer competitive prices and high‐quality material developed by
international certified experts in Project Management.

www.pm4dev.com
Copyright © 2019 PM4DEV
All rights reserved.
Project Risk Management
PM4DEV, its logo, and Management for
Development Series are trademarks of
Project Management for Development,
PM4DEV.

This point of view is intended as a

general guide and not as a substitute for
detailed advice. Neither should it be
taken as providing technical or other
professional advice on any of the topics
covered. As far as PM4DEV is aware the
information it contains is correct and
accurate, but no responsibility is
accepted for any inaccuracy or error or
any action taken in reliance on this
publication.

This publication contains PM4DEV

copyrighted material and no part of it
can be copied or otherwise disseminated
for commercial purposes.

This Point of view provides a The Sustainable Development

summary of themes, that in Goals (SDG) aim by 2030 to end
PM4DEV's experience, have poverty, protect the planet, and
proved critical in the successful ensure prosperity for all.
implementation of project
management methodologies. PM4DEV is committed to provide
resources and develop knowledge
It draws on the expertise of and expertise to support
Project management professionals development organizations in their
and provides a guide to deliver a efforts to achieve these ambitious
methodology that increases the goals.
chances of project success.

For more information about

PM4DEV services, contact us at:
[email protected]
Project Management
For Development Organizations

www.pm4dev.com
[email protected]

www.pm4dev.com