
Risk management in project management

Claude Palmarini

Every project, whatever its field, involves risks. These risks can affect project progress and results. Risk management is therefore crucial to anticipating and minimizing negative impacts, while maximizing opportunities throughout the project.

What is risk in project management?

It is an uncertain condition or event which, if it occurs, has a positive or negative effect on at least one of the project's constraints, such as time, cost, scope, quality or others.

The different types of risk in project management

  • Internal: the availability of all necessary resources, or risks linked to coordination or internal communication, etc.
  • External: economic, environmental, etc.

Risks also vary in nature:

  • Financial: such as variations in exchange rates or inflation.
  • Technical: in the event of dependence on third-party technology, the presence of unidentified security vulnerabilities, the difficulty of integrating a new system with existing ones...
  • Legal: arising from legal constraints, regulations and contracts.
  • Strategic: linked to possible changes in company or market strategy that may affect the project.
  • Operational: such as quality management, logistics, etc.
  • And many others, depending on the type of industry.

It's important to classify the different types of risk in order to manage them properly.

How to analyze risks

Create a risk matrix

The risk matrix is a bit like Eisenhower's matrix, which helps you sort out what's important and what's urgent. The risk matrix is based on two axes, each with 5 levels (in general):

  1. Impact: negligible, minor, moderate, major, catastrophic
  2. Probability of occurrence: very unlikely, unlikely, possible, likely, very likely.

To be complete, the matrix must include the notion of criticality, which is calculated as follows:

Impact x Probability = Criticality

Criticality can be low, moderate or high. It is criticality that determines the actions to be taken.

Qualitative risk analysis

This identifies and classifies risks according to their criticality, using tools such as the matrix, enhanced by expert interviews, brainstorming or checklists.

Quantitative risk analysis

Quantitative analysis applies statistical and mathematical techniques, using simulations to generate distributions of results. It helps decision-makers understand the range of possible outcomes and make informed decisions based on probabilities rather than guesswork. This includes:

  • Modeling and simulation using mathematical models, to assess how variations in cost, time and other key variable estimates may affect the project.
  • Sensitivity analysis to identify the risks having the greatest impact on project objectives, by assessing how changes in project assumptions affect its outcome.
  • Extreme-case scenarios: evaluating the worst-case and best-case scenarios to understand the limits of what the project could face.
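
An added example (not from the original article) of the modeling, sensitivity and extreme-case steps above: a Monte Carlo simulation over a small constructed risk register. The register entries, the triangular cost distributions and the use of the 90th percentile as the decision metric are assumptions made for illustration.

```python
import random

# Constructed sample register (not from the article): name, probability of
# occurrence, and (min, most likely, max) cost impact if the risk occurs.
RISKS = [
    ("Third-party technology dependency", 0.30, (20_000, 50_000, 120_000)),
    ("Unidentified security vulnerability", 0.15, (10_000, 80_000, 400_000)),
    ("Integration with existing systems", 0.50, (5_000, 15_000, 40_000)),
    ("Exchange-rate variation", 0.60, (1_000, 4_000, 10_000)),
]

def simulate(risks, runs=20_000, seed=1):
    """Monte Carlo over the register; returns the sorted total cost of each run."""
    rng = random.Random(seed)  # fixed seed so the results are reproducible
    totals = []
    for _ in range(runs):
        total = 0.0
        for _name, prob, (low, likely, high) in risks:
            if rng.random() < prob:  # does this risk occur in this run?
                total += rng.triangular(low, high, likely)
        totals.append(total)
    return sorted(totals)

def summarize(totals):
    """Best case, median, 90th percentile and worst case of the simulated totals."""
    n = len(totals)
    return {"best": totals[0], "p50": totals[n // 2],
            "p90": totals[int(n * 0.9)], "worst": totals[-1]}

def sensitivity(risks):
    """One-at-a-time sensitivity: drop in P90 when a single risk is removed."""
    base = summarize(simulate(risks))["p90"]
    drops = {}
    for i, (name, _, _) in enumerate(risks):
        without = risks[:i] + risks[i + 1:]
        drops[name] = base - summarize(simulate(without))["p90"]
    return sorted(drops.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print({k: round(v) for k, v in summarize(simulate(RISKS)).items()})
    for name, drop in sensitivity(RISKS):
        print(f"{name}: P90 falls by {drop:,.0f} if removed")
```

With this sample data the low-probability security vulnerability dominates the 90th percentile even though other risks occur more often, which is the kind of result a qualitative matrix alone can hide.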

When to manage risk

From the outset of the project and continuously throughout its lifecycle, with periodic reassessments to update the risk register and adjust strategies.

How to respond to risk

Responding to risk aims to limit its probability or impact. For each level of criticality, one action might be preferred:

  • Accept: no action is taken because the risk is minor, the cost of responding outweighs the expected benefits, or the response options are limited.
  • Mitigate: reduce the likelihood or impact of the risk. This could be by adjusting work methods, modifying the scope of the project, improving the skills and technologies used, etc.
  • Avoid: modify the project plan (change supplier, revise schedule, adjust objectives, etc.) to eliminate the impact of the risk.
  • Transfer: shift responsibility for the risk to a third party, e.g. transfer the financial risk to an insurance company (for a fee). This reduces the cost of the impact, but does not eliminate the likelihood of it occurring.
  • Escalate: when the risk exceeds the Project Team's tolerance threshold, it is escalated to a higher level of governance or management for decision.

How to control and monitor risks

Setting up a continuous monitoring system makes it possible to detect changes in risks and to assess the effectiveness of response strategies.

The risk register

This involves recording information on identified risks, analyzing them, planning response strategies and monitoring their evolution.

Rigorous documentation helps to communicate risk information effectively to stakeholders, and provides a basis for the evaluation and continuous improvement of risk management. It enables:

  • Traceability: the origin, assessment and management of risks throughout the project.
  • Communication: sharing information on risks and their status with the project team and stakeholders.
  • Decision-making: thanks to a factual basis.
  • Learning: for future projects, enabling risks to be identified more quickly and lessons learned to be shared.

For each risk, the log should include:

  • Description of the risk.
  • Potential cause(s) of the risk.
  • Triggering event.
  • Consequences if the risk materializes.
  • Probability of occurrence and potential impact.
  • Selected risk response strategies.
  • Person responsible for monitoring the risk trigger.
  • Current risk status (open, in process, closed).
  • If necessary, risk response plans: documents detailing the actions to be taken to manage each risk, including necessary resources, timelines and monitoring indicators.

Some best practices for risk documentation:

  • Keep it up to date (risks encountered, their treatment, lessons learned).
  • Ensure it is accessible to the team.
  • Write clearly and concisely.
  • Protect against unauthorized access, while respecting confidentiality requirements.


The selection of a risk response strategy depends on a number of factors, such as the impact of the risk, its probability of occurrence and the resources available to manage it. A combination of these strategies may be required to effectively address the various risks facing a project.

Like the project itself, risk management is a dynamic process requiring constant assessment and adaptation.
