Skip to content

Managing risks

Updated Wednesday, 5th April 2006

How can managers protect themselves and their projects from risk? We explore the question in this article, based on course extracts from the OU Business School.

This page was published over five years ago. Please be aware that due to the passage of time, the information provided on this page may be out of date or otherwise inaccurate, and any views or opinions expressed may no longer be relevant. Some technical elements such as audio-visual and interactive media may no longer work. For more detail, see our Archive and Deletion Policy

Risk assessment on a construction site Copyrighted  image Icon Copyright:

Recognising risks
When projects have a range of options open to them, some of those options are likely to be riskier than others, but no course of action can be guaranteed to be a success.

Because of this, an important aspect of planning is to identify what the main risks associated with that plan are, and to try to work out what to do if things go wrong. This is often called contingency planning.

The greater the resources that you are committing, the more important it becomes to assess these sorts of risks systematically and build contingencies into the plan to cover different eventualities.

You will never eliminate risk entirely, but with good planning you should certainly be able to reduce it. The ever-present nature of risk also highlights the importance of building arrangements for monitoring and reviewing progress into your plan.

If you don’t have a means for regularly monitoring the implementation of your plan and the results it is achieving, you won’t know whether things are going as intended. If you know what is happening you will be in a better position to take corrective action if things go wrong. Equally you will have an opportunity to learn from your experiences.

Risk in projects
Risk management is fundamental to project management. It is concerned with assessing the kinds of risk associated with trying to make something happen, for example the possibility of delays in the schedule caused through staff sickness or materials not being available at the appropriate time.

Risks in a project can be both internal – arising from within the project, or external – arising from the context or environment of the project.

Risk is the chance of something occurring that has an adverse effect on the project. Many risks can be foreseen and identified. For example, if you will be relying on supplies being delivered at a particular time, it is worth checking on the reliability of different suppliers and choosing one with a good reputation. You might also make a note to confirm essential deliveries as the project progresses.

If the project involves development of computer-based systems, time needs to be allowed for ‘debugging’ once the systems are installed.

There might also be less obvious risks, for example, a key member of the project staff leaving at a crucial stage. Or, if a project touches on sensitive issues, delays might be caused by political resistance.

Once risks have been identified they can be evaluated in terms of the probability of their occurring. This helps to reduce the extent of uncertainty.

Another way to reduce uncertainty is to examine the amount of information that is required in order to be able to proceed with confidence.

For example, if there is a risk that the quality of the outcome will not meet the expectations of the sponsor or key stakeholders, this risk can be reduced by communicating information about quality as the project is progressing and involving the key stakeholders in evaluation - while there is still time to make any changes.

There are four stages to risk management:

  1. identifying the risk – determining which risks are likely to affect the project and documenting the characteristics of each
  2. impact assessment – evaluating the risk to assess the range of possible outcomes in relation to the project and the potential impact of each of these
  3. developing plans to have in reserve to reduce the impact of the most likely risks and to ensure that these plans are implemented when necessary
  4. ensuring that the risks are kept under review and that appropriate plans are developed to meet any changes in the type or likelihood of adverse impact

In many projects, these four stages are considered almost simultaneously, but in large-scale projects each stage might warrant considerable attention.


The main categories of risk can be summarised as:

  • physical – loss of, or damage to, information, equipment or buildings as a result of an accident, fire or natural disaster
  • technical – systems that do not work or do not work well enough to deliver the anticipated benefits
  • labour – key people unable to contribute to the project because of, for example, illness, career change or industrial action
  • political/social – for example, withdrawal of support for the project as a result of change of government, a policy change by senior management, or protests from the community, the media, patients, service users or staff
  • liability – legal action or the threat of it because some aspect of the project is considered to be illegal or because there may be compensation claims if something goes wrong

Risk assessment involves measuring the probability that a risk will become a reality; impact analysis involves measuring the sensitivity of the project to each identified risk. The key questions are:

  • what is the risk – how will I recognise it if it happens?
  • what is the probability of it happening – high, medium or low?
  • how serious a threat does it pose to the project – high, medium or low?
  • what are the signals or triggers that we should be looking out for?

A risk assessed as highly likely to happen and as having a high impact on the project will obviously need closer attention than a risk that is low in terms of both probability and impact.


Strategies for dealing with risk
Strategies for dealing with risks in project management include:

  • risk avoidance – for example, where costs outweigh benefits, you may decide to refuse a contract
  • risk reduction – for example, regular reviews can reduce the likelihood of an end-product being unacceptable
  • risk protection – for example, taking out insurance against particular eventualities
  • risk management – for example, making use of written agreements in areas of potential disagreement
  • risk transfer – passing the responsibility for a difficult task within a project to another organisation with more experience in that field

A risk log should be compiled for the project at an early stage. This is a list of all the identified risks, together with an assessment of their probability and impact, and contingency plans for dealing with them should they become a reality.


A risk log – or risk register – will provide a framework for necessary actions to be taken and decisions to be made, and should be amended and added to on a regular basis as the project proceeds. The risk register will have noted the actions that could be taken in the event of each risk identified.

You will need to develop a contingency plan to bring into action in the event of any of the most likely risks occurring. The contingency plan should aim to keep the project on track in terms of maintaining the balance of budget, time and quality. As risks will potentially cause concern in one or another of those areas, the contingency will often be to increase the resource in a different dimension.

For example, if the identified risk affects the timescale because one of the tasks might take much longer than estimated, the contingency plan might be to increase the budget for that task to enable more people to work on it to speed it up. If the risk is to the budget - with the danger of costs escalating - the contingency might be to reduce the quality specification for some elements of the project in which the impact of quality might be less important.

Bullet proofing is a way of identifying the parts of your plan which are particularly vulnerable and where there might be serious implications if things go wrong.

Try out a simple risk analysis
Try this out by thinking about a recent plan you have been involved in drawing up. List some of the assumptions you made in creating your plan.

Now apply the following questions to each assumption:

  • a: How likely is the assumption to turn out false – unlikely? very likely?
  • b: If the assumption does turn out to be false, how serious will the resulting problem be – not serious? serious?

Now you can place your answers in a bullet-proofing table like this one:

A risk grid

The table shows the results of your analysis in an organised way. You may want to think about preparing responses to the possibilities you have identified – or at least to those that fall into the top right-hand box – high likelihood/high seriousness.


The top right-hand box, coloured orange, is the most dangerous area. If you place a possibility in this box, you think it is very likely to happen, or you are very uncertain about it, and the consequences for your project would be very severe. Possibilities that fall into the top left-hand box may seem unlikely to happen, but you are judging that their potential effect would make them a danger area .

About this article

This article is based on extracts taken from the Open University Business School courses Winning Resources and Support (B624) and Managing Performance and Change (the Professional Diploma in Management, B700).





Related content (tags)

Copyright information

For further information, take a look at our frequently asked questions which may give you the support you need.

Have a question?