How to Manage Risk in Large Projects

The risk management process for large projects is the same as for medium projects with two additional items. First is to utilize quantitative risk analysis techniques (in addition to qualitative techniques). Second is to create a contingency plan to document the consequences to the project if the Risk Management Plan fails and the risk actually occurs.

Risk Management Planning


Managing Risk (Large Projects)


Project Manager

Create Risk Management Plan

Start the risk management process by understanding your overall approach for managing risks. This includes defining your risk management process, who is involved with the risk management process, what tools will be used, what roles will be involved, if any (project manager, risk officer, risk manager, etc.), the timeline and the effort associated with managing risks, the risk techniques to be used, etc.

Risk Identification


Project Manager

Identify all potential risks

When you are defining the project, perform a complete assessment of project risk. The risk assessment is done in two parts. First look at inherent risks. These are the risks that are inherent to your project based on its general characteristics. For example, a project that is estimated to take 10,000 effort hours is inherently more risky than one that is estimated at 1,000 effort hours. A project that has 20 people is inherently more risky than one with 3 people. A project that is using new technology is inherently more risky than one that is using technology your team is comfortable with. Notice that in each of these examples, you do not need to know the specifics of the project. Inherent risks are based on the characteristics of the project – regardless of the specific deliverables being produced. The good thing about these inherent risks is that, since they apply to all projects, they can be identified on a checklist.

Second, look for risks that are specific to your project. These risks normally cannot be identified on a checklist since they are specific to your project and may not apply to other projects. For instance, you may identify a risk of a key supplier going out of business or perhaps weather problems causing shipping delays or perhaps you will have difficulty finding resources with a specific set of skills.

There are a couple ways to perform the risk assessment. The project manager can create an initial draft of project risks based on what he knows and circulate the draft for additions, changes and comments. Another technique is to gather all the key stakeholders and discuss these potential risks of the project all at once. This is a better alternative since it gets the key stakeholders all thinking about the project at the same time. You are more likely to end up with a more exhaustive list of real project risks. You want to be careful about being too optimistic during the risk assessment. Remember, you are trying to identify potential risks. It is good to have skeptics or pessimists in these sessions to make sure that all of the potential risks are identified.

Qualitative Risk Analysis


Project Manager

Analyze the risks using qualitative techniques

In the first step of this process you identified all potential risks. This will likely leave you with many more risks that you can focus on. In fact, it probably doesn’t make sense to focus on managing risks that have a low impact to your project. Therefore, before you go through the trouble of putting risk plans in place, you need to determine which risks are the ones that you really want to focus on. The first step of risk analysis is qualitative risk analysis.

Quantitative Risk Analysis


Project Manager

(Optional) Utilize quantitative analysis for all high-level risks

Next, determine if you will utilize more formal and rigorous quantitative risk techniques for the risks that you identified as high-risk using qualitative techniques. The term “quantitative” means that the risk levels are based on a numerical analysis rather than on approximations such as low, medium and high. There are many models and algorithms that can be used for quantitative risk analysis. Most projects, even large ones, do not need to utilize quantitative techniques. However, some projects do require these formal techniques. For instance, if you were building an airplane, it would not be good enough to classify risks into general high, medium and low categories using informal qualitative techniques. You would definitely need the more sophisticated modeling and statistical risk analysis techniques that are a part of quantitative risk analysis.

A few examples of quantitative analysis are described in 7.2.2 Manage Risks / Expected Monetary Value and 2.2.1.P7 Accounting for Estimating Risks – Monte Carlo Modeling.

Risk Response Planning


Project Manager

Create a response plan for each high-level risk

Create a response plan for each high-level risk that you identified to ensure the risk is managed successfully. This plan should include activities to manage the risk, as well as the people assigned, completion dates and periodic dates to monitor progress. There are five major responses to a risk – leave it, monitor it, avoid it, move it to a third party or mitigate it. For further information on these alternatives see 7.2 Manage Risks / Techniques.


Project Manager

Create a contingency plan for high-level risks.

Create a contingency plan to document the consequences to the project if the Risk Management Plan fails and the risk actually occurs. In other words, identify what would happen to the project if the current risk turns into a future issue. This helps the project manager ensure that the effort associated with the Risk Management Plan is proportional to the potential consequences. For instance, if the consequence of a potential risk occurring is that the project will need to be stopped; this should be a strong indication that the Risk Management Plan must be aggressive and comprehensive to ensure that the risk is managed successfully.


Project Manager

Evaluate the medium-level risks

Evaluate the medium-level risks to determine if the impact is severe enough that they should have a risk response plan created for them as well.


Project Manager

Evaluate any low-risk risks

Look at any low-risk items and see if they should be listed as assumptions. In this way you recognize that there is a potential for problems, but because the risk is low, you are ‘assuming’ that the condition will not occur. See Assumptions and Risks for more information.


Project Manager

Move the risk plan activities to the project schedule

Move the activities associated with the Risk Management Plans to the project schedule. Moving the activities to the schedule ensures that the work is actually completed and keeps the schedule the primary focus of all work planning and monitoring.

Ongoing Processes

Risk Monitoring and Control


Project Manager

Monitor the current risk plans

The project manager needs to monitor the Risk Management Plans to ensure the risks are successfully managed. New Risk Management Plan activities should be added if it looks like the risk is not being managed successfully.


Project Manager

Look for new risks

The project manager also needs to periodically evaluate risks throughout the project based on current circumstances. New risks may arise as the project is unfolding and some risks that were not identified up-front may become visible at a later date. It is also possible that previously identified, lower level risks may become medium or high risks at a later time. This ongoing risk evaluation should be performed on a regular basis or at the completion of major milestones.

Discover more from CMGuide

Subscribe now to keep reading and get access to the full archive.

Continue Reading

Scroll to Top