The risks of risk management


Many project managers struggle with how to effectively build risk contingency into their budgets and schedules without management cutting it out arbitrarily. In addition, risk management tends to be something that is done once at the beginning of the project to fill the checkbox and claim it was done. Too often, project teams fail to see the value of risk management, which perpetuates the common mistakes that make risk management ineffectual.

In this paper, we address the biggest risk facing risk management, the ten (10) common mistakes to avoid, and a recommended approach for managing risks using an activity-based risk model.

The Risks of Risk Management

The major risk in risk management is that a risk occurs and there is not enough time in the schedule or money in the budget. This is usually attributed to one of the following causes:

  1. Insufficient Contingency Reserve Budgeted
  2. Management Slashes Contingency Reserve
  3. Contingency Reserve Mismanaged

Insufficient Contingency Reserve Budgeted

Insufficient contingency reserve often results from poor or no risk planning on behalf of the project manager and team. Risks may not have been identified or quantified properly leading to a meager contingency budget.

In addition, many project managers will add funds to the budget to account for contingency, but very few effectively add time into the schedule for risks. Reasons include difficulty getting project management software to add schedule contingency, not knowing how to effectively add it to the network diagram, or how to allocate the time in a way that management won't just cut it out of the plan. Therefore, some projects have contingency budget, but no time in the schedule to spend it.

Management Slashes Contingency Reserve

A management reduction of the contingency reserves is often due to insufficient risk planning on the part of the project manager and team. When a project manager arbitrarily adds a percentage on to the project budget to account for risk, management views this as padding the estimate. Since there is no detailed justification for this percentage, the project manager has little ability to justify the added costs and relies on ‘gut feel’. In addition, the percentage is undistributed, unallocated budget which makes it an easy target for management to cut.

Contingency Reserve Mismanaged

Lastly, having this undistributed budget alone does not ensure protection when risks occur since there is no plan for how to use this money and no controls in place for its use. It can become a slush fund, a catch all, and a budget to dip into to cover for variances and poor performance which leaves little funds to address risks when they occur.

Common Risk Management Practices & Mistakes

Based on hundreds of consulting engagements conducted with our clients, we have observed the following practices that we now consider the 10 Common Mistakes when performing risk management:

  1. Identify Issues Instead of Risks
  2. Identify Impacts Instead of Risk Events
  3. Risk Events Not Specific
  4. Risks Not Quantified
  5. Risks Not Time-Phased
  6. Only Develop One Response Strategy
  7. Never Incorporate Risk Strategies Into Schedule and Budget
  8. Add Padding for Contingency Reserve
  9. Only Assess Risks at the Beginning of the Project
  10. Risk Management is not Used as a Management Tool/Philosophy

Identifying Issues Instead of Risks

A risk is a future event that may or may not happen; thus, it has a probability of occurrence between zero (0) and one hundred (100) percent, but neither zero (0) nor one hundred (100). If a risk has zero probability of occurring, then it is not a risk and should not be planned for. If, instead, it has a one hundred percent chance of occurring, it is an issue that must be addressed.

Project team members often feel uncomfortable with being predictive, which causes them to identify events that they know will occur in the future.

Identifying issues as risks means that the issue resolution, which should be deterministic and added to the plan, becomes part of the risk management plan and becomes probabilistic and is often unbudgeted and unexecuted. It creates the false sense that these events might not happen, thus they might not have to be dealt with.

Lastly, with so many issues masquerading as risks, the team can feel a false sense of confidence that they have identified risks, when they truly have not.

Identifying Impacts Instead of Risk Events

Risks like, “The project goes over budget”, or, “We miss our end date”, are not true risks. These are the impacts of events that may be risks but not the risk event itself. Identifying the impacts leaves the project team with no clear understanding of the events that may cause these outcomes.

Risk Events Are Not Specific

Risk events that lack specificity, for example, “The risk is that the product won't meet the customer's requirements”, leave the project team with too many possible causes to adequately quantify and develop realistic strategies to prevent those events from occurring.

Risks Are Not Quantified

Lack of risk quantification results in an inability to properly budget for risks, difficulty prioritizing the risks, and, therefore, more time might be spent on addressing risks that are of little impact to the project and less time on those of significance.

Risks Are Not Time-Phased

Many risk plans include the probability and impact of the risks, but do not indicate when the risk is likely to occur or when the response strategies need to be implemented. This can lead to project teams that are not prepared to monitor and react to risks until they have already occurred or until after it is too late to apply a strategy to recover from the risk.

Only Develop One Risk Strategy

Many project teams create one strategy per risk and then stop. The first strategy may not be the best, and it may take multiple strategies to adequately address each risk. Developing multiple strategies such as avoidance, mitigation, deflection and acceptance/contingency helps to ensure a more robust response to risks.

Never Incorporate Risk Strategies into the Project Schedule and Budget

Risks and risk strategies tend to be documented in a risk plan, often in Excel. Rarely are the strategies or estimates from these risk plans incorporated into the project plan budget and schedule. It becomes a second document without any integration with the project plan. This can lead to schedule and budget shortages when risks occur.

Add Padding for Contingency Reserve

Due to many factors listed above, project teams often just add a percentage to the project budget and schedule, hoping that will be sufficient to cover the potential risks. This arbitrary padding leads to arbitrary cutting by management since there is no justification for the estimate, no plan or strategy for the use of this budget and no controls in place for managing this budget.

Only Assess Risks at the Beginning of the Project

Risk assessments are typically conducted at the beginning of projects, but are rarely conducted or evaluated throughout the project. This means that new risks, changes to the status of existing risks, and opportunities to employ mitigation strategies may go unidentified.

Risk Management is not used as a Management Tool/Philosophy

Organizations that do not place value on risk management tend to just go through the motions and do not derive the benefits of their efforts. In order for risk management to provide value, management must adapt their management style to a risk-based approach. Risks must be tracked and reported on a regular basis. Risks must be discussed in every status meeting, steering committee meeting and checkpoint. Management must also not just focus on the identification of a new risk, but also the planning, response, and closure of previously identified risks, since it is risk mitigation and avoidance which is the ultimate goal, not just identification.

A Recommended Approach to Risk Management

Exhibit 1 – Activity-based risk plan

The risk plan starts with the identification of the risk event. Once the risk is identified, impacts are estimated, affected tasks (parts of the plan/WBS) are identified, and a probability of the risk's occurrence is assigned.

Then the project team develops the risk response strategies. They can include avoidance, mitigation, deflection and acceptance/contingency. A natural or planned event that indicates the likelihood of the risk's occurrence, or that the risk has occurred, is called a trigger.

These strategies and triggers involve human intervention, resources performing work, which means there are activities for each of these to be added to the work breakdown structure. These activities have durations and costs which must be incorporated in the budget and into the network diagram.

By having discrete activities built into the plan, project teams have incorporated budget for dealing with risks, as well as time into the schedule without the use of padding. In addition, it becomes an allocated budget which is management controlled and earmarked for those activities identified as part of the risk plan. Project managers now have a plan for dealing with risks that is integrated with their work plans. It is easier to justify the added costs and time when presenting a clear strategy and activity plan to management.

The only type of risk activity that is built into the work plan differently is the contingency activity. These are activities which are contingent upon the risk occurring. Planning one hundred percent of the duration and cost for the contingency activities would imply the risk is definitely going to occur and thus it is not a risk, but an issue. Planning zero percent of the contingency activity's duration and costs would imply that the risk will never occur and thus shouldn't be considered. Therefore, a percentage of the contingency activity's duration and costs must be included in the work plan, and the percentage used is the probability of the risk event's occurrence. The product of that percentage and the impact (duration and cost of the contingency activity) is called the Expected Monetary Value (EMV).

This approach of adding activities to the work plan creates an overall budget of dollars and time for risk management. When a risk event occurs, the activities are executed and cost is incurred. When a risk event does not occur, the positive cost and schedule variance of the contingency activity that does not have to be executed can be shared by other contingency activities that are executed when their risk events occur.
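The roll-up described above, as an added example that is not part of the original paper: response and trigger activities are planned at full cost and duration, contingency activities at the probability of their risk, and the contingency variance is computed for a given set of events that occurred. The register entries, names and figures are constructed, and durations are simply summed rather than placed on a network diagram.

```python
from dataclasses import dataclass, field

@dataclass
class Activity:
    name: str
    kind: str      # "avoidance", "mitigation", "deflection", "trigger" or "contingency"
    cost: float    # dollars
    days: float    # duration

@dataclass
class Risk:
    event: str
    probability: float                       # must be strictly between 0 and 1
    activities: list = field(default_factory=list)

def planned(risks, only_contingency=False):
    """Return (cost, days) to build into the work plan for these risks."""
    cost = days = 0.0
    for r in risks:
        if not 0.0 < r.probability < 1.0:
            raise ValueError(f"{r.event!r}: probability 0 is not a risk, 1 is an issue")
        for a in r.activities:
            if only_contingency and a.kind != "contingency":
                continue
            # Contingency work is planned at its EMV; other risk work at 100%.
            w = r.probability if a.kind == "contingency" else 1.0
            cost += w * a.cost
            days += w * a.days
    return cost, days

def contingency_variance(risks, occurred):
    """Planned contingency cost (sum of EMVs) minus the full cost of the
    contingency activities actually executed for the events in `occurred`."""
    budget, _ = planned(risks, only_contingency=True)
    spent = sum(a.cost for r in risks if r.event in occurred
                for a in r.activities if a.kind == "contingency")
    return budget - spent

# Constructed sample register (hypothetical project, not from the paper).
REGISTER = [
    Risk("Vendor delivers interface spec late", 0.25, [
        Activity("Weekly vendor checkpoint", "mitigation", 2000, 2),
        Activity("Review spec draft at milestone", "trigger", 500, 1),
        Activity("Build stub interface", "contingency", 12000, 10)]),
    Risk("Key developer leaves", 0.5, [
        Activity("Cross-train second developer", "mitigation", 4000, 5),
        Activity("Hire contractor", "contingency", 20000, 8)]),
    Risk("Performance test fails", 0.25, [
        Activity("Tuning sprint", "contingency", 8000, 4)]),
]
```

A negative result from `contingency_variance` means the events that occurred cost more than the pooled EMV budget, which is the case to raise with management when the register is reassessed.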


The biggest risk in risk management is being unprepared, not having enough budget or time to respond to risks and complete the project successfully. There are many contributing factors which include poor or inefficient risk planning as listed in the 10 Common Mistakes when Managing Risk. But by following the Activity-based Risk Management approach, project teams build sufficient plans, with budget and schedule, to adequately and proactively deal with risks, justify contingency costs to management, and increase the chances of success on their projects.

This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI or any listed author.

© 2005, Tom Westcott
Originally published as a part of 2005 PMI Global Congress Proceedings – Toronto, Canada


