DISCIPLINE

Real Risk Management Runs on Cadence

Most project risk management is performative. A register is built at kickoff, scored with numbers someone chose to look reasonable, assigned to owners who never review it, and closed at project end regardless of whether the risks materialized. Real risk management is a living discipline that runs on cadence, surfaces emerging threats before they become issues, and gives executives the information they need to make real decisions.

THE RISK LIFECYCLE

Four Disciplines That Protect Delivery

Identify

Risk identification is not a one-time workshop. It is an ongoing discipline that draws from the project team, from stakeholders, from historical project data, and from structured techniques like assumption analysis and constraint review. Every risk gets into the register. Filtering comes at scoring, not at identification.

Analyze

Analysis converts a list of risks into a prioritized action set. Qualitative scoring, likelihood multiplied by impact, is sufficient for most projects and delivers fast, consistent prioritization. Quantitative analysis is appropriate for high-stakes programs where decision-makers need financial exposure modeled. The goal of analysis is ranking.

Respond

Every scored risk above the threshold requires a documented response. Avoid removes the cause of the risk. Mitigate reduces its likelihood or impact. Transfer shifts it to another party. Accept acknowledges the risk and assigns a contingency budget or response plan if it materializes. Every response has an owner and a target date.

Monitor

Monitoring is the discipline most teams skip. Risks are reviewed on cadence: weekly for active delivery, and at minimum every status cycle. Closed risks are documented with their outcome. Emerging risks are added immediately. The register is a live document, not an artifact.

RESPONSE STRATEGIES

Four Ways to Handle a Risk

Avoid

Remove the cause of the risk entirely. Change the plan so the risk cannot occur. The most protective strategy when it is feasible.

Mitigate

Reduce the likelihood of occurrence, the impact if it occurs, or both. The most common strategy for risks that cannot be eliminated entirely.

Transfer

Shift the risk to another party through insurance, vendor contract, or formal agreement. Changes accountability without necessarily reducing probability.

Accept

Acknowledge the risk and define a contingency response. Used for risks below the response threshold or where other strategies are not cost-effective.

Frequently asked questions

Weekly on active delivery programs. At minimum at every project status cycle. Risks that go unreviewed for two weeks are risks that are being managed by luck.

A risk has not happened yet. An issue already has. The distinction matters because response strategies differ: risks are managed proactively, issues require immediate corrective action.

Yes, though it can be lighter. Even a three-column list (risk, owner, and response) is a functional risk register. The discipline matters more than the format.

Ready to build a risk management discipline that actually works?

Make Risk Management a Discipline, Not a Document

PMOstart builds and runs risk management frameworks that actually protect your delivery. Request support or download the free Risk Register template to start now.
