Introduction to risk management


Risk management is a process that allows individual risk events and overall risk to be understood and managed proactively, optimising success by minimising threats and maximising opportunities.


All projects, programmes and portfolios are inherently risky because they are unique, constrained, based on assumptions, performed by people and subject to external influences. Risks can affect the achievement of objectives either positively or negatively. Risk includes both opportunities and threats, and both should be managed through the risk management process.

Risk is defined at two levels for projects, programmes and portfolios. At the detailed level, an individual risk is defined as ‘an uncertain event or set of circumstances that, should it occur, will have an effect on achievement of one or more objectives’. In addition, at the higher level of the project, programme or portfolio, overall risk is defined as ‘exposure of stakeholders to the consequences of variation in outcome’ arising from an accumulation of individual risks together with other sources of uncertainty.

The high-level process, as illustrated in figure 3.12, starts with an initiation step that defines the scope and objectives of risk management. A key output from the initiation step is the risk management plan, which details how risk will be managed throughout the life cycle.

Figure 3.12: Risk management process

Risks are then identified and documented in the risk register. The relative significance of identified risks is assessed using qualitative techniques to enable them to be prioritised for further attention. Quantitative risk analysis may also be used to determine the combined effect of risks on objectives.

The process continues with risk response planning, aiming to avoid, reduce, transfer or accept threats as well as exploit, enhance, share or reject opportunities, with contingency (time, cost, resources and course of action) for risks which cannot be managed proactively. The final step is the implementation of agreed responses.

The whole process is iterative. For example, assessment or response planning can lead to the identification of further risks; planning and implementing responses can trigger a need for further analysis, and so on.

It is also important to identify and manage behavioural influences on the risk process, both individual and group, since these can have a significant impact on risk management effectiveness.

Risk management at project, programme or portfolio level must not be conducted in isolation and must interface with the organisation. Risks at project level may need escalation to programme and portfolio. Risks can also be delegated from higher levels to lower levels.

In addition, P3 risk management must contribute, as appropriate, to both business risk assessments and organisational governance requirements. The P3 manager must be aware of risks that have an effect outside their scope of responsibility, e.g. those that could affect the organisation’s reputation.

The management of general health and safety risks is usually excluded from P3 risk management, as the management of these risks is traditionally handled by a separate function within the organisation.


Risk management at project level is most often focused on individual risks that, should they occur, will affect the project’s objectives. It is, however, also important for the project manager to understand the overall risk exposure of the project, so that this can be reported to the project sponsor and other stakeholders.

Risk management must be closely aligned to schedule management. Cost, time and resource estimates should always take risks into account.

The project manager is accountable for ensuring that risk management takes place. Depending on the size and complexity of the project, a specialist risk manager may be appointed to oversee and facilitate the risk management process.


The programme will establish a common framework and standards for risk management across the programme. This will enable comparison of risk, reduce the time taken to initiate management processes at project level, and help identify interdependencies between risks across the programme. The common framework will be set out in the programme risk management plan.

Programme risk management is made up of two distinct areas of focus:

  • project risk escalation and aggregation;
  • wider business risk and risks to benefit achievement.

Programme risk management addresses any individual risks at project level that, if realised, will have a wider impact. Project risks that cannot be effectively managed within projects and within contingency are escalated to the programme for attention and/or action. In addition, related or common risks within individual projects may combine or aggregate to have an effect at programme level, in which case they also need to be escalated.

Programme risk management also considers any risks delegated from the portfolio or strategic level, as well as risks arising directly at the level of the programme itself. Programme risks are likely to focus on prioritisation of programme components, allocation of resources, interfaces and interactions between programme components, the ability to deliver change management activities within the programme, and cumulative risks arising from the combined impact of the project risks.


Risks at portfolio level are often of such scale that they may have significant impact on the ability of the organisation to operate. Portfolio risk management will focus on two areas:

  • risks escalated from projects or programmes and from areas of day-to-day business;
  • risks that impact upon the objectives of the portfolio and the host organisation.

Project and programme risks that cannot be effectively managed at their originating level may be escalated to the portfolio for responses unavailable at project or programme level.

The portfolio will establish common frameworks and standards for risk management, which will be cascaded to projects and programmes to ensure a common approach and reporting structure. This enables effective comparison of risk, reduces the time taken in initiating risk management processes, and assists with identification of potential conflict in selected responses across the portfolio.

The consideration of risk efficiency is of particular importance to portfolio risk management. The principles of risk efficiency have been established in financial portfolios for many years. They are equally relevant to portfolios of projects and programmes. Ensuring that the portfolio does not expose an organisation to too much risk and is efficient is an important function in the ‘balance’ phase of the portfolio life cycle.
