
What is Risk Management?

Looking to improve risk management within your business? In this guide we take a look at the ins and outs of risk management and how to improve strategic and operational decision making.

Risk Management at a Glance

    • Risk management is the coordinated and strategic control of the direction of an organisation.
    • Risk can be an upside risk (positive) or a downside risk (negative). Risk can also be known, unknown or unknowable.
    • Managing risk effectively enables businesses to stay ahead of their competition, take advantage of opportunities, reduce costs and increase value.
    • An effective risk manager should have many skills: resilience, analytics, leadership, collaboration, being supportive, recognising achievement, financial and regulatory knowledge, and competence.
    • Improve risk management within your business by viewing risk management training courses with QA.


What is risk management? 

It’s all very well to have a project aim in mind – but it’s equally important to know what could go wrong. If you know what risks are involved in the project plan, then a project manager can mitigate, prevent, or at least prepare for these risks early on.

Risk management is the coordinated and strategic control of the direction of an organisation. It allows a business to protect itself and create value in the face of risk. 

Risk is inherent in everything you do – and particularly as a professional in the context of a business. It’s impossible to control everything, so as your environment changes, so must the organisation, and yourself. All major decisions within organisations – at strategic, portfolio, programme, project, product, and operational levels – are made with risk in mind. 

As a risk professional, you need to take the lead and champion risk in all that you do!  

What is a risk in project management? 

While including several other definitions, the Oxford English Dictionary 3rd edition defines risk as: ‘(exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.’ 

Risk in project management is an uncertain event or set of events that, should it occur, will influence the achievement of your objectives, whether for better or (more likely) worse.  

But remember: risk isn’t all bad! Risks can either be threats (downside risks) or opportunities (upside risks). Upside, or positive, risks are opportunities that can affect the project in beneficial ways, like finishing the project early or having more customers than you accounted for. However, these can quickly become negative risks, and vice versa, if not effectively planned for. 

All project risks are unplanned by default, but only some are foreseeable. Risks can be known, unknown, or unknowable. Known risks are already visible, and your team is aware of them through risk management planning (see below). Unknown risk has not been discussed in the planning stage and is only known by a limited number of people. Therefore, your risk management plan should focus on discovering these risks and devising an effective response. Unknowable risk is risk that no one could reasonably predict – like accidents, illnesses, or technological failure.  

A great risk management plan prepares for all eventualities and types of risk. Bringing together the identification, prioritisation, and responses to risks is all part of the scope of risk management.

Why is risk management important?  

Decision-makers need ways of establishing what is known and what is uncertain, where that uncertainty would have an impact on objectives should it become a reality. Some of this uncertainty may help achieve your objectives (for example, a risk opportunity or upside risk) and some may hinder achieving your objectives (such as a risk threat or downside risk). Some uncertainty might be a risk opportunity to one stakeholder yet a risk threat to another stakeholder. All uncertainty must be identified and managed throughout.

Taking and managing risk is essential to business survival and growth. Effective risk management is likely to improve performance against objectives. But it must be designed to meet your organisational needs, considering both the internal and external environments. 

Other benefits of effective risk management include: 

  • Creating and protecting value for your organisation. 
  • Greater efficiency of resources. 
  • Exploiting opportunities. 
  • Enhanced innovation of products and services. 
  • Lower cost. 
  • Reduced waste (tangible and intangible). 
  • Improved service delivery. 
  • Building in resilience in an Agile way. 

Without dedicated risk management, a business may suffer. Not planning effectively could cause issues such as: 

  • Missed opportunities to capitalise on positive risks. 
  • Lost accountability – for both the successes and the failures of tasks. If team members aren’t engaged with managing risk, they will never improve their working style either. 
  • Negative client relationships – you want your stakeholders and clients to believe in you. Businesses depend on trust and delivering strong results over and over again. If you can’t manage risk, or at least learn from risks and improve the process next time, then your clients will lose faith and take their business elsewhere. 
  • Failure of entire project – efficiency can suffer if there is not a detailed risk management plan. 

Risk management planning process  

The risk management process reflects the dynamic and ever-changing nature of project work. A risk register should be used to document any risks, as well as analyses and responses, and risk ownership should be assigned to keep individuals or teams accountable for certain risks.  

Before starting the process, an organisation should consider something called the triple bottom line. This is a focus on value – not just in terms of profit but also in terms of people and the planet, considering the environmental, social, and governance (ESG) criteria. The focus for the triple bottom line is sustainability. In other words, it is not just about measuring the bottom line (profit) but also the impact that people and planet have on what we do and how we do things. 

Creating a risk management plan  

When assessing risk and creating a risk plan, there are a few key stages to bear in mind. At every stage below, it is important to consider: the purpose and objective of the process (the Why and What), the activities involved and the information flow to transform inputs to outputs (the Sequence), the techniques commonly used within that process (the How), and the roles involved in the process according to each perspective (the Who). 

Consider also: 

  • The risk itself – what is it? 
  • The consequence of the risk – what will happen if this risk occurs? 
  • The probability of the risk – how likely is it that it will happen? Prioritise accordingly. 

1. Define context and objectives   

Consider the VUCA acronym. VUCA stands for volatility, uncertainty, complexity, and ambiguity, and refers to the dynamic and fast-changing nature of the contemporary business environment. Considering VUCA at each stage of the risk management process increases awareness of, and readiness for, the unexpected. You may also perform a PESTLE (political, economic, sociological, technological, legal, and environmental) analysis and/or a SWOT (strengths, weaknesses, opportunities, and threats) analysis. At this stage you need to identify the stakeholders, understand the internal and external contexts, and identify any of your objectives that are at risk.

2. Identify threats and opportunities   

Consider risk exposure. Risk exposure is the degree to which a particular objective is at risk and can be positive or negative. Brainstorm with colleagues and stakeholders to get the most well-rounded view of all your risks – if you are working on your own you might miss some important ones! 

3. Analyse the risk 

You can never have too much information about a risk – it helps you prepare in the best way. Then you can assess how it’s going to affect your schedule and budget. 

4. Prioritise risks  

Not all risks should be equally prioritised. Risk should be managed by categorising risks as high, medium, or low. You can then plan how you’ll respond to tackle these risks. 

5. Agree on a risk owner 

Assigning an owner to a risk means there is someone who will oversee the risk. Someone needs to be responsible for the risk, identifying it should it occur, and resolving it. Each risk needs a professional watching out for it, or you’re opening the organisation up to even more risk.  

6. Respond 

Once you know whether it’s a positive or negative risk – and whether you could exploit it to better the project, or you need a risk mitigation strategy – you then implement your planned response to the risk.   

7. Monitor and report progress  

As you react to the risk, it’s important to track the progress of your response strategy. Whoever owns the risk will be responsible for this.  

8. Review and adapt 

Review your risk management strategy, and use this to improve your next responses to risk.


Risk Management Skills

Every organisation can benefit from team members that know how to manage risk. Here are some of the skills that great risk managers may possess. 

Resilience

This is the ability of a person or an organisation to deal with unplanned events and respond strongly, ideally addressing not only anything that has been lost, but turning the adversity into an opportunity for greater value to be created in future.

The ability to identify, prioritise, and commit to proactive or reactive responses to risk is the route to resilience. Resilience is also enabled by agility. Both resilience and agility depend on a culture that supports collaboration and continual learning.

Enterprise agility 

This is a condition of an organisation more than an individual – but refers to a workforce that can be flexible and responsive to its consistently changing environment. Enterprise agility (also called corporate agility or organisational agility) enables the organisation to remain resilient.

Analytical skills

Risk managers need analytical skills to collect data and make important decisions using that data. They also need to spot holes and weaknesses that others may have missed in systems, infrastructure and other areas.

Leadership

Leadership refers to how you motivate and direct people to achieve the objectives. Leaders need to display a positive commitment to risk management and ensure this is fully supported.

Collaboration

Collaboration helps you build relationships and share information and understanding, improving the way your team works together and solves problems. This leads to more innovation, efficient processes, increased success, and improved communication. Through listening to and learning from team members, you can help each other reach your objectives.

Support

Support is key to embedding risk management. This can be achieved through ongoing learning and development. Having a neutral facilitator will also help to fully support the decision-making process.

Recognition and reward

Recognition and reward systems should be implemented for appropriate risk behaviours. When your team understands the benefits and acceptable behaviours of good risk management, they are more likely to embrace it. The formality or informality of reward and recognition is down to each organisation.

Financial and regulatory knowledge 

It is important that a good risk manager knows the average costs of risks, as well as keeping up with any regulation changes.  

Competence

This is, in short, the ability to do something successfully. It is built up over time by refining all the skills listed above.


Risk Management Roles

Risk managers help to identify and assess factors that can be classed as a risk for an organisation, most commonly in regard to finances, strategy, operations, information technology and reputation. 

1. Environmental compliance specialist 

Evaluates the environmental risk of a company's policies, procedures, and production, with a focus on the triple bottom line previously mentioned. They ensure that an organisation is operating within legal guidelines. They are often responsible for conducting inspections, investigating the effects of pollutants, and writing reports. 

2. Compliance consultant

Evaluate and improve the operations and management strategies in place in companies and industries. They study laws and governmental policies that apply to specific industry contexts. They write compliance plans, provide training, and design company-specific regulations.

3. Compliance officers

Focus on evaluating and improving the operations of that specific organisation. They study and interpret laws and governmental policies relating to the industry they work in. They write compliance plans and reports, design regulatory tools and advise on implementation. 

4. Risk analysts

Help companies review project proposals, either as an outside consultant for many clients or within a company. They use their knowledge of the law, policy, and societal demand to analyse proposals and advise companies on how to alter their plans. Their primary duties include reviewing documents, developing plans, analysing data and writing mitigation reports. 

5. Operational leaders 

Responsible for the reliable and efficient delivery of products and services and therefore the risks to achieving such delivery.  

6. Operational managers

Supporting the operational leader, they help in the leadership of an operation and the efficacy of risk management within that operation.

7. Risk process expert

Responsible for providing support as needed to operational managers and leaders. This may be to facilitate risk sessions, support specialist techniques, or ensure reporting is accurate.  

8. Risk specialist

Responsible for supporting particularly risky areas of the business; for example, health and safety, data privacy, or business continuity.  

9. Insurance manager

Responsible for progressing insurance claims and monitoring the adequacy of insurance cover. 


Improving risk management in your business

There are many practical ways to improve your risk management skills.  

Learning – You can help yourself and your team learn by arranging some online learning, gamification, or support tools in the workplace. This helps teams to learn to move with their changing work environment. 

Recruitment – It’s often helpful to bring in talent from outside the team, or even outside of the company. This can help with acquiring new skills and perspectives.  

Reallocation – It’s useful, and good management, to move people around to make better use of their skills. 

Partnerships – Collaboration with other specialised parties can increase skillsets. 

Discover more about Risk Management Courses and Training at QA, or contact our team today.