Project risk management is the discipline most PMs understand in theory and under-execute in practice. The most common failure is treating the risk register as a documentation exercise rather than an active management tool. A risk register that is updated monthly and reviewed by nobody is not risk management — it is risk theater.
- The RAID log (Risks, Assumptions, Issues, Dependencies) is the PM's primary risk tool
- Risk scoring without response ownership produces risk awareness without risk management
- The weekly RAID review is the most important recurring PM meeting — not a status call
- Issues that are not escalated within the defined SLA become the PM's accountability
The RAID log structure
RAID covers four categories: Risks (potential future impacts), Assumptions (believed to be true but not confirmed), Issues (realized problems requiring action), and Dependencies (external items that could block delivery). Each entry needs an owner, a target date, and a clear status. The RAID log is a living document, not a project artifact.
Risk scoring
Score risks on probability (1–5) and impact (1–5). Multiply for a composite score. Scores above 12 are high risk, 6–12 are medium, below 6 are low. Score regularly — not once at project launch. Risks change as projects evolve.
Response strategies
The four risk response strategies are Avoid (eliminate the condition that creates the risk), Transfer (shift the impact to a third party via contract or insurance), Mitigate (reduce probability or impact), and Accept (acknowledge the risk with a contingency plan). Each high-risk item needs a documented response strategy with an assigned owner.
Escalation
Define escalation triggers in the RAID log: What risk score level requires sponsor notification? What issue age (without resolution) requires steering committee escalation? Unescalated issues that become project problems are the PM's accountability, not the team's.
Frequently asked questions
Weekly, in the PM team meeting. High-risk items should be reviewed with the sponsor at least bi-weekly. The RAID log is a discussion tool, not just a document.
A risk is a potential future event. An issue is a realized problem requiring active management now. Risks become issues when they materialize.
The level of risk an organization or sponsor is willing to accept on a project. Different sponsors have different risk appetites — understanding this shapes how aggressively you mitigate.
High risks should be visible to sponsors and steering committees, not to avoid accountability but to enable informed decisions. Hiding risks from sponsors creates surprises that destroy trust.