
Project risk management methods

A version of this article by Dr Stephen Grey, Associate Director, was submitted to the Australian Project Manager in 1999. Note that the Australian and New Zealand Standard AS/NZS 4360 has been superseded by ISO 31000 and IEC 62198.


Late last year the Australian Project Manager carried a series of articles on risk management. Risk management is a field of growing interest to project managers as well as in general business and organisational management. There are several approaches used to manage risk in projects and this is a brief outline of some that you might encounter, with an indication of their strengths and weaknesses.

Aims of project risk management

Organisations are as likely to take on formal project risk management for what might be seen as negative reasons, such as a string of disasters or external demands to do so, as they are because they believe it is a sound way to do business. No matter how it is initiated, the process is generally found to be very beneficial once it is in place, so long as it is well designed.

The aim of devoting attention to risk management is to achieve better and more reliable outcomes from projects and business activities. To do this it is necessary to:

  • Understand where the major risks lie and the priority they deserve in amongst all the other demands on your resources
  • Establish realistic budgets, targets and contingencies for commercial contracts and internal performance agreements.

Methods in common use

There are several methods of project risk management in common use. Some are extremely cost-effective but the subject still attracts a lot of muddled thinking and well-intentioned efforts that can absorb more effort than the benefit they deliver. It is important to be clear about what you want from risk management and how it fits into your organisation’s other processes and tailor your approach to suit.

There are proprietary methods and tools that purport to do everything for you as well as many openly documented approaches to project risk management. The vast majority with any merit at all fit into one or more of the following categories:

  1. Informal direct assessment of risks – experienced judgement
  2. Checklists – lists of risks that have happened before or features of a project generally thought to be risky
  3. Risk indicator scales – scoring schemes
  4. Structured brainstorming and evaluation
  5. Probability-Impact calculations
  6. Probabilistic modelling of costs, schedules and cash flows.

The features of each of these are summarised in the following table in terms of their ability to achieve the two main aims of project risk management that were described earlier.


Informal direct assessment of risks
  • Identification and prioritisation of risks: Works well when the content and commercial environment of your project is routine and experienced people are available with time to consider each project in depth
  • Budget, target and contingency setting: As good or as bad as your unaided judgement

Checklists
  • Identification and prioritisation of risks: Work well if the latest job goes no further than the material used to develop the list
  • Budget, target and contingency setting: No direct value except in providing input to subjective judgement

Risk indicator scales
  • Identification and prioritisation of risks: Works as a support for subjective judgement when the content and commercial environment of your project is routine and the scales have been calibrated
  • Budget, target and contingency setting: Often misused by inexperienced personnel who try to convert scales into dollar or time values

Structured brainstorming and evaluation
  • Identification and prioritisation of risks: As good as the team you assemble to carry out the brainstorming. Can be a lot more cost-effective than any individual or an unaided group
  • Budget, target and contingency setting: Has the capacity to ensure that no stone is left unturned in seeking to understand what might influence the financial and schedule out-turn

Probability-impact calculations
  • Identification and prioritisation of risks: No direct help with identifying risks – in fact it relies on them being identified elsewhere
  • Budget, target and contingency setting: Ignores general estimating uncertainty and tends to understate the exposure and the required contingency, as well as providing a false sense of security

Probabilistic modelling
  • Identification and prioritisation of risks: Model development can be used as a framework for risk identification and tends to highlight any gaps in plans and optimistic assumptions
  • Budget, target and contingency setting: Provides a sound basis for understanding the uncertainty in cost and schedule estimates and setting realistic targets and contingencies, as well as clarifying the effects of alternative risk sharing strategies

Each of these will now be discussed briefly.

Informal direct assessment

Projects would never succeed without the involvement of experienced professionals and it would be foolish to undervalue the contribution expert judgement can make to risk management. The problems with expert judgement are that it is often in short supply and that projects regularly present us with challenges no one has had to face before.

Informal direct assessment is great as long as today’s job is similar to the last one you did. As soon as the technical content, the complexity, the commercial arrangements, the resourcing strategy or other key feature move into untried waters, judgement is potentially unreliable. An even greater danger is that you might not realise you are getting out of your depth until it is too late.

Checklists

Lists of things that have gone wrong in the past are very popular. The drive to avoid making the same mistake twice is strong. The problem is that the first time you make a mistake on something that has not arisen before may be enough to sink your business or your career.

Checklists are a useful final reference. When you think you have identified all the risks you face, you can make sure there is nothing so obvious that it slipped past. In practice they are not only limited by being locked in the past, they also tend to grow and become unwieldy. Every time a new failure occurs it is added to the list. It is not unknown for checklists to grow so big that no one will use them, and then they do no good at all.

Risk indicator scales

There have been innumerable attempts in the last decade or so to produce scoring schemes against which you can 'measure' the riskiness of your project. You score 4 points for having an inexperienced team, 3 for a moderate degree of technical complexity and so on. When all the points are added up they give you an overall score.

The people who prepared the indicator scale will tell you that a score less than a certain number means your project is low risk, when it goes above that it becomes moderate risk and if you are unlucky enough to exceed another threshold you are in trouble.

One problem with such schemes is that a perfectly good project can get a bad score and vice versa. It is easy for entrenched interests, those who want to kill a project or see it go ahead at any cost, to challenge the score and point out special features that should override the usual limits. The reasons they can do this are that the score has no basis in real world measures such as time and money and that, like checklists, scoring schemes generally rely on what went wrong last time.

Structured brainstorming and evaluation

If you want to be confident that you have left no stone unturned in the search for risks there is no substitute for an experienced group of people. However, experienced people are generally very busy and it is important to find a way to use their time cost-effectively.

Simple structured techniques can be used to drive a group through a focussed exercise and produce a valuable result in a limited and predetermined time. The Australian/New Zealand Standard for Risk Management, AS/NZS 4360, provides a sound framework for doing this. Broadleaf’s interpretation of the Standard for project risk management is illustrated in the following diagram.

[Figure: The risk management process]

Probability-impact calculations

Many projects use a list of risk issues with a probability and impact against each one. For each risk the two numbers are multiplied together and the products are added up, using the same logic as a bookmaker: that you can get by on the average outcome.

There are all sorts of problems with this approach. Many risks are not easy to characterise as uncertain events with a single probability. They might be better described by an uncertain quantity with a range of possible values and a distribution of likelihoods within that range. Uncertain estimates are generally like this. Another problem is that there might be a few very big risks in the calculation, so big that if any one came off the entire contingency budget would be insufficient to cover the cost.

At best, probability-impact calculations give a false sense of security. At worst they can leave you very exposed. Even if the bookmaker analogy was being applied realistically, you are effectively facing a 50/50 chance of exceeding your budget if you rely on this type of calculation. Most project managers would be looking for better odds.

Probabilistic modelling

Uncertainty in events and quantities is not as mysterious as we are often led to believe. Just as we can analyse and model the engineering characteristics of a project, we can analyse and model the uncertainty in our estimates. There is not room to set out all the detail here but the basic techniques are within the reach of anyone with a reasonable grasp of spreadsheet modelling, access to Excel or Lotus 123 and one of the inexpensive risk modelling packages that work within them. We use @RISK by Palisade Inc.

The output of a quantitative risk model is generally of the form shown here. It enables you to understand the realistically likely range of outcomes you can expect to face and the risk of exceeding a target set somewhere in that range. Similar calculations can be made for more complex measures such as NPV, payback period and IRR.

Experience shows that both the exercise of constructing a model and the output it produces contribute greatly to understanding the risk on a project. Anyone interested in pursuing this further can find descriptions of basic techniques in 'Practical Risk Assessment for Project Management', by Stephen Grey, published by John Wiley & Sons, Chichester, 1995, ISBN 0 471 93979 X.
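The contrast drawn above between a probability-impact sum and a probabilistic model, as an added example that is not part of the original article. It uses a plain Python Monte Carlo simulation in place of a spreadsheet add-in; the line items, ranges, probabilities and impacts are all constructed for illustration, and the triangular distributions are an assumption.

```python
import random

# Constructed sample data in $k (not from the article).
ESTIMATE = [  # (line item, low, most likely, high)
    ("design", 180, 200, 260),
    ("build", 450, 500, 700),
    ("commission", 90, 100, 150),
]
RISKS = [  # (event, probability, impact if it occurs)
    ("key supplier fails", 0.05, 400),
    ("regulatory rework", 0.20, 100),
    ("site access delay", 0.30, 50),
]


def pi_contingency(risks):
    """Probability-impact method: sum of probability x impact."""
    return sum(p * impact for _, p, impact in risks)


def simulate(estimate, risks, trials=20000, seed=1):
    """Monte Carlo: sample every line item and event, return sorted totals."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(trials):
        # Estimating uncertainty: triangular spread around each most-likely value.
        cost = sum(rng.triangular(lo, hi, ml) for _, lo, ml, hi in estimate)
        # Event risks: each one either happens in this trial or it does not.
        cost += sum(impact for _, p, impact in risks if rng.random() < p)
        totals.append(cost)
    return sorted(totals)


def compare(estimate=ESTIMATE, risks=RISKS):
    contingency = pi_contingency(risks)
    budget = sum(ml for _, _, ml, _ in estimate) + contingency
    totals = simulate(estimate, risks)
    return {
        "pi_contingency": contingency,
        "pi_budget": budget,
        # Chance that the actual cost exceeds the probability-impact budget.
        "p_exceed_pi_budget": sum(t > budget for t in totals) / len(totals),
        # Target with an 80% chance of not being exceeded.
        "p80_target": totals[int(0.8 * len(totals))],
        # Risks that would consume the whole contingency on their own.
        "oversized": [name for name, _, impact in risks if impact > contingency],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

On this constructed data the probability-impact budget is exceeded in more than half of the trials, because the spread in the base estimate is not part of that calculation, and two of the three risks are each larger than the whole contingency.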


Structured brainstorming and evaluation is a proven technique for identifying risks and getting a clear view of their relative significance. It relies on a carefully planned and executed workshop process. Its strengths are that it can be managed to fit a schedule, it covers the ground systematically and it delivers cost-effective output, making good use of scarce resources.

Probabilistic modelling complements the brainstorming technique, using the identified risks to ensure that all significant influences on a project’s cost and schedule are realistically incorporated into a view of the project’s overall performance. This provides a sensible basis for setting targets and agreeing contingencies.