Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, and controlling risk on a project. The objectives of project risk management are to increase the likelihood and impact of positive events and decrease the likelihood and impact of negative events in the project.

Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality. A risk may have one or more causes, and, if it occurs, it may have one or more impacts. A cause may be a given or potential requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes. For example, causes could include the requirement of an environmental permit to do work or having limited personnel assigned to design the project. The risk is that the permitting agency may take longer than planned to issue a permit; or, in the case of an opportunity, additional development personnel may become available who can participate in the design, and they can be assigned to the project. If either of these uncertain events occurs, there may be an impact on the project scope, cost, schedule, quality, or performance. Risk conditions may include aspects of the project’s or organization’s environment that contribute to project risks, such as immature project management practices, lack of integrated management systems, multiple concurrent projects, or dependency on external participants who are outside the project’s direct control.

Project risk has its origins in the uncertainty present in all projects. Known risks are those that have been identified and analyzed, making it possible to plan responses for those risks. Known risks that cannot be managed proactively should be assigned a contingency reserve. Unknown risks cannot be managed proactively and, therefore, may be assigned a management reserve. A negative project risk that has occurred is considered an issue.

Individual project risks are different from overall project risk. Overall project risk represents the effect of uncertainty on the project as a whole. It is more than the sum of the individual risks within a project since it includes all sources of project uncertainty. It represents the exposure of stakeholders to the implications of variations in project outcomes, both positive and negative.

Organizations perceive risk as the effect of uncertainty on projects and organizational objectives. Organizations and stakeholders are willing to accept varying degrees of risk depending on their risk attitude. The risk attitudes of both the organization and the stakeholders may be influenced by a number of factors, which are broadly classified into three themes:

    • Risk appetite, which is the degree of uncertainty an entity is willing to take on in anticipation of a reward.
    • Risk tolerance, which is the degree, amount, or volume of risk that an organization or individual will withstand.
    • Risk threshold, which refers to measures along the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below that risk threshold, the organization will accept the risk. Above that risk threshold, the organization will not tolerate the risk.

For example, an organization’s risk attitude may include its appetite for uncertainty, its threshold for risk levels that are unacceptable, or its risk tolerance, at which point the organization may select a different risk response.

Positive and negative risks are commonly referred to as opportunities and threats. The project may be accepted if the risks are within tolerances and are in balance with the rewards that may be gained by taking risks. Positive risks that offer opportunities within the limits of risk tolerances may be pursued in order to generate enhanced value. For example, adopting an aggressive resource optimization technique is a risk taken in anticipation of a reward for using fewer resources.

Individuals and groups adopt attitudes toward risk that influence the way they respond. These risk attitudes are driven by perception, tolerances, and other biases, which should be made explicit wherever possible. A consistent approach to risk should be developed for each project, and communication about risk and its handling should be open and honest. Risk responses reflect an organization’s perceived balance between risk-taking and risk avoidance.

To be successful, an organization should be committed to addressing risk management proactively and consistently throughout the project. A conscious choice should be made at all levels of the organization to actively identify and pursue effective risk management during the life of the project. Project risk could exist at the moment a project is initiated. Moving forward on a project without a proactive focus on risk management is likely to lead to more problems arising from unmanaged threats.


Entrance Criteria:

  • < >

Exit Criteria:

  • < >

Process and Procedures:

Tailoring Guidelines:


Process Verification Record(s):

  • Projects shall monitor all identified risks during the progress review meetings for the project and shall report all risks with high exposure in the project’s Senior Management Review
    • Stored By: <?>
  • Projects shall develop mitigation plans for all identified risks that have a high risk exposure
    • Stored By: <?>


  • < >
    • Maintained By: <>
    • Submitted By: <>
    • Frequency of Submission: <>


  • Project Management Institute. (2013). A Guide to the Project Management Body of Knowledge (PMBOK Guide) – Fifth Edition. Newtown Square, Pennsylvania: Project Management Institute