Sun. Jan 22nd, 2023

Risk Management Cycle

This comprises four stages that should be completed in order.

Identifying the Risks

Before you can do anything to plan risk mitigation, you have to identify the risks present to the completion of your project. From reading the information about a brief carefully, you should compile two lists of things that you believe could jeopardise the successful delivery of the project. As you saw in the previous page, this means creating a list of:

  • Internal risks
  • External risks

For each risk that you identify, you should describe:

  • What the risk is (e.g. work isn’t completed in time, supplier is late etc)
  • What the knock-on effect of that risk would be
  • Who it affects

There is no need at this stage to consider how to deal with the risk. This is because until you have assigned a risk level to it, you don’t know how many resources it is appropriate to make available. You’d look very foolish if you were to throw thousands of pounds of resources at a problem that wouldn’t have had much impact on the project in the long term.

Assessing the Severity of Risks

Have a look at this graphic, from the Met Office website:

This is a four point scale matrix, which shows the impact and probability of events occurring. The x-axis shows the impact that the risk would have, on a scale of very low to high, and the y-axis shows the likelihood, on a scale of unlikely to very likely.

You are expected to use a simpler, three point matrix, but with the same axes:

Once you have determine the likelihood and impact of a risk, you can identify the overall risk level, using the matrix above. For example, a high impact and highly likely scenario would be red – a significant risk to the project.

An amber tile represents a moderate overall risk, and a green tile represents a low level of risk.

Having identified a list of internal and external risks in the first step, you will need to use the above process to now assign a level of risk to each of them.


Now you have a list of risks, and have calculated the severity of each of them, it’s time to decide what to do. You have three choices at this stage:

  • Accept the risk – this doesn’t mean that you want the risk to materialise. It is you, as project manager, saying that the reward outweighs the risk. Yes, if it goes wrong, you are going to need to fix it, but you’re happy that it’s the best way forward
  • Plan contingency – if you accept the risk, you now need to make contingency plans. These are the “what if it goes wrong” plans – how will you rectify things if one of your staff is off sick and it affects the delivery of a key part of the project? You might opt to employ additional help, or re-allocate work from other staff, deferring other less vital or time-sensitive work until later. Whatever contingency plans you come up with, if you have decided to accept the risk, you have to plan for it.
  • Avoid the risk – not always possible (you can’t predict illness for example). But there are risks that could be avoided – often, this means re-working the design in order to avoid the risk, or requires changes to budget so that more established contractors can be used, even if they are more expensive.

Monitoring and Controlling Risks

As the project manager, your job doesn’t end once the project plan is drawn up. You are in charge, overseeing it all the way to completion.

This means you are responsible for keeping on top of the risks that have been identified, and being aware of unidentified risks that crop up.

This makes the risk management aspect of a project more of a cycle than a one-time-step. Forewarned is forearmed: in this sense, if you have a good idea of what could go wrong before it does, and plan for it, your project will run far more smoothly. But you will still be hit by issues that you didn’t foresee: this is why it is important to constantly revisit the risk analysis throughout the project, and check that

  • the original risks are still accurate and that mitigation plans are still valid
  • no new risks have been identified during the process, and if they have, that clear mitigation plans are in place