PMO News: 3.5 steps to effective risk management

Note: This column is part of a new monthly feature “PMO News,” which highlights current events in UIT's Project Management Office.

By Jayci Minjares
UIT Project Management Office

Jayci Minjares, IT Project Manager

In project meetings we often discuss risk without realizing it, in the form of “what-ifs.” The project team may not recognize these as risk factors, so risks are not assessed or managed until they occur. There are also many different types of risks that can affect a project, such as schedule, cost, scope, environment, new or old technology, executive support, and security. Risk is one of many reasons why a project manager can help your projects be successful.

3.5 steps to effective risk management

Risk Management is the identification, assessment, and prioritization of risks. The Project Management Institute (PMI) outlines the risk management processes as:

  • Plan Risk Management
  • Identify Risks
  • Qualitative Risk Analysis
  • Quantitative Risk Analysis
  • Plan Risk Response
  • Control Risk

Step 0.5: Ask questions

Before starting the risk management process, meet with the project sponsor and other stakeholders to ask a few questions, such as "Is time or cost the key driver on this project?" and, "If an event occurs where the timing of the project could be saved by going over budget, would that be acceptable?" These types of questions ensure the next three steps will focus on what exactly is critical to key stakeholders (rather than what is assumed to be important).

Step 1: Identify what could go wrong

The goal of step 1 is to identify possible threats to a project. Risk identification techniques include: researching publicly available risk registers; meeting with subject matter experts to ask what they're most concerned about; reviewing past projects; and brainstorming (Nominal Group Technique).

Step 2: Prioritize

Step 2 involves prioritizing your list of risks using a scale such as high/low, or most likely, likely, not likely, never.

Step 3: Take proactive action

Address the prioritized risks using these four methods (to easily remember this strategy, use the mnemonic "A-CAT"):

  • Avoid risk: change plans to circumvent the problem
  • Control/mitigate risk: reduce impact or likelihood (or both) through intermediate steps
  • Accept risk: take the chance of negative impact (or auto-insurance), eventually budget the cost (e.g. via contingency budget plan)
  • Transfer risk: outsource risk (or a portion of the risk) to a third party or parties that can manage the outcome

Risk management then continues through the project lifecycle, meaning the previous 3.5 steps discussed are revisited until the project is complete.

For more useful tips and articles related to risk management, visit or

Did you know?

There are positive risk opportunities that need to be identified, too. Both positive and negative risks should be tracked in your project’s risk management plan. Per the PMBOK Guide 5th edition, the following are used to manage positive risks:

  • Enhance – Increase the chance of a risk happening in order to realize the benefit
  • Exploit – Do not merely try to realize the opportunity; work hard to ensure that the opportunity does not go unrealized
  • Accept – Don’t take any action to realize the opportunity
  • Share – When you aren't capable of realizing this opportunity on your own, team up with another company and work together to realize the opportunity

Examples of positive risks include reducing your workload, growing your business, and completing a project early.


Bruce Garrod, 3.5 Steps to Effective Risk Management

Project Management Institute

Last Updated: 5/30/17