The Essential Guide to Project Risk Analysis

By Kate Eby | November 15, 2022

Project teams must conduct risk analysis for every project to ensure it is successful and not derailed by preventable incidents. We’ve gathered expert tips on project risk analysis and a free project risk analysis starter kit to help get you started.

Included on this page, you’ll find details on the benefits of project risk analysis, the types of project risk analysis, the basic steps of project risk analysis, and a downloadable starter kit with templates and other helpful resources.

What Is Project Risk Analysis?

Project risk analysis is the process by which a project team assesses possible risks to a project. During this process, teams analyze the impact of each risk and begin planning to prevent or mitigate large risks. 

Project risk analysis is synonymous with project risk assessment. Both terms describe a process in which the team works to understand and deal with possible risks.

The primary components of risk analysis include identifying the risk, determining the probability of that risk happening, and measuring the impact on the project if it happens. This can be expressed in a basic formula: 

Risk = Event Probability of Occurrence x Event Impact

Kris Reynolds

“Risk analysis really goes back to Smokey Bear’s mantra: ‘Only you can prevent forest fires,’” says Kris Reynolds, Founder and CEO of Arrowhead Consulting in Tulsa, Oklahoma. “The goal is to be proactive here. When you do the analysis, you're trying to deal with issues before they become issues that you have to deal with.”

While project teams most often think about negative risks, a risk in a project can also be a positive risk, or an opportunity. In that case, the project team will want to understand the positive risk. By doing so, they can figure out how to best increase its likelihood and take advantage of it when it happens.

Learn more about project risk, including details on positive and negative risks, in this comprehensive guide to project risk.

Risk Analysis vs. Risk Identification

Most experts consider risk identification to be an early and important step in the risk analysis process. In order to perform an analysis of project risks, your team will first need to identify those risks. 

Once the team identifies project risks, they can place them in a risk register. The team will then work to determine the likelihood and impact of each risk. Finally, they will create a risk response plan to respond to each risk effectively. Learn more in this comprehensive guide to risk identification.

Risk Identification vs. Risk Analysis vs. Risk Management

Risk identification and risk analysis are both components of risk management. Risk management is a broad term that refers to the overall identification, analysis, and response to positive and negative project risks. 

Most experts define project risk identification, risk analysis, and risk management as the following:

  • Risk Identification: During risk identification, your team determines the full list of risks that could affect your project.
  • Risk Analysis: During risk analysis, your team conducts a full analysis of each risk to determine which risks are most likely to happen and which might have the greatest impact on the project. The team then uses this analysis to create a plan for preventing or mitigating those risks.
  • Risk Management: Risk management is the overall process your team must follow to identify, assess, analyze, and prevent or deal with risks in order to ensure the best possible result for your project.

Benefits of Project Risk Analysis

Effective project risk analysis provides several benefits to your organization. It helps ensure that you don’t take on projects where risks outweigh benefits. It also allows your organization to understand and prevent risks that could derail a project.

The benefits of good project risk analysis include the following: 

  • Provides a Full Understanding of Project Value: Project risk analysis allows your team and company to fully understand the risks of a project. That way, your company can avoid taking on projects where the risks are likely to outweigh the benefits.
  • Helps Ensure Sound Project Planning: Understanding the likelihood and impact of all the risks to your project will allow your company to create more realistic and helpful project plans. 
  • Helps Prevent Negative Risks: Good risk analysis allows your project team to anticipate and prevent some negative risks.
    Jean Ballard
    “You need to provide an analysis of your risk just to understand what are the things you need to look out for or mitigate, and you need to be able to prepare for them,” says Jean Ballard, Senior Manager for Actualize Consulting. “Ultimately, the goal of all of this is that you want your project to go well, and you want it to go smoothly. You don't want anything that has not been foreseen to occur.”
  • Helps Mitigate Negative Risks: Some risks can’t or won’t be prevented, but good project risk analysis allows your team to deal with unavoidable risks effectively. With proper risk analysis, teams can limit the negative impact of project risk on project goals.
  • Allows Better Integration with Other Projects: Doing good risk analysis for a project allows your team and company to assess how a project might affect other company projects and overall company operations.

    “I had one client who’d say, on every new project, ‘Do no harm. Do no harm,’” Ballard recalls. “And I'd always wonder to myself, ‘Why is he saying that? Why would we ever do harm?’ Then I realized there had been a recent project that was going to change one little thing. It turned out it blew something else up, so he was speaking from experience. There was some project that was supposed to be no big deal, but something was missed. and something blew up. That then affects your reputation. People may have less faith in you. It's also difficult on the project team; it just sort of taints the whole experience. This is why you should pay attention to this.”
  • Creates Clarity for Stakeholders: Good project risk analysis means that you can understand and communicate project risks to stakeholders at the beginning of the project. By doing so, you can ensure that risk events do not take stakeholders by surprise or decrease their trust in your team.
  • Helps Prevent Litigation or Regulatory Violations: Doing good risk analysis at the beginning of a project will help you avoid litigation and prevent violations of  government regulations.
  • Ensures the Effective Use of Company Resources: Good project risk analysis saves you time and money in the long run. Knowing the likelihood and impact of risks helps prevent surprises that require expensive fixes or extra staff time.

    “Nobody’s job description says, ‘We expect you to put out fires for half of your day,’” notes Reynolds. “When we're putting out fires, we're not moving the needle and doing the things that we were hired to do, so it really stunts the growth of organizations.

    “Proper risk analysis doesn't eliminate all risk — you can't eliminate all risks,” Reynolds continues. “But it allows you to have that plan in place to either lessen the probability or the impact of those risks.”

Learn more about some of these benefits in this guide to effective project risk management.

Tools and Types of Project Risk Analysis

You can use various types of project risk analysis for your specific project. Examples include qualitative, quantitative, and technical analysis. There are also several project risk analysis tools, such as risk registers, bow-tie analysis, and SWIFT analysis. 

Project teams perform effective project risk analysis by following basic steps of identifying risks and assessing their impact. Specific types of analysis and risk analysis tools will help teams optimize their project risk analysis processes.

Types of Project Risk Analysis

These are some types of project risk analysis that project teams might use:

  • Qualitative Risk Analysis: This is the most common method that project teams analyze project risk. Teams may call it a qualitative risk analysis or use a qualitative risk matrix. In either case, teams place likely risks on a list or in a matrix. Then they perform a rough assessment of the risk probability and impact, as well as assign each risk a score for each factor. Finally, they multiply these numbers to determine the severity of the risk and prioritize high-score risks.

    For example, on a risk register with a scale from one to five, a risk might have a moderate probability of two and a significant impact of four. Its qualitative risk score would be eight.

    “With qualitative, you're going to have experts on the project team, and based on their expertise, they can assign a value for the risk to understand how significant the risk is,” Ballard says.

    Though the numeric scores make this assessment seem quantitative, it relies on subjective, perceived severity and likelihood of risks, rather than calculated probabilities, actual costs, or other hard data.

    Learn more about qualitative risk analysis, risk matrices, and best practices with this guide to project risk assessment. This guide also includes information about Failure Mode and Effects Analysis (FMEA), Finite-Element Analysis (FEA), and Factor Analysis of Information Risk (FAIR).
  • Quantitative Risk Analysis: This is a less common type of project risk assessment.  When performing quantitative risk analysis, as with qualitative risk assessment, teams use a matrix to assess the probability and potential impact of an event. However, with quantitative risk analysis teams use hard data, often dollar costs, to assess the risk.

    With a quantitative risk analysis, your team might decide there is a 20 percent chance of an event happening and that the cost to the company if the event happens is $200,000. In this example, the quantitative risk score would be $40,000. The team would compare that figure to the quantitative score for other risks in order to decide which risks to prioritize.

    Teams working on construction or engineering projects are more likely to use quantitative risk analysis.
  • Technical Risk Analysis: This process is also less common than qualitative risk analysis  and generally appears in engineering and other technical projects. When using technical risk analysis, project leaders present technical details of a project to a team of experts, often from within the organization. That team then decides on possible risks and analyzes the probability and likely impact of those risks.

    A technical risk analysis might use the Delphi method to gather the best objective input from experts. In the Delphi method, project leaders give experts needed information about the specifics of the proposed project. The experts are then asked to identify and assess possible risks separate from each other, often through written surveys. Teams often complete several rounds of input during the technical risk analysis process.

    The process is structured this way to avoid groupthink, or when the opinions or assumptions of a few dominant experts unduly influence input from others.

Project Risk Analysis Tools

These are common tools that project teams use when performing project risk analysis: 

  • Risk Register: Risk registers might be the most essential tool for all project risk analysis. They allow team members to list risks, risk details, and risk response plans. They also allow teams to track and prioritize those project risks. Download helpful risk register templates to get started.
  • Monte Carlo Simulation: This is a simulation where the project team uses a computer to analyze thousands of iterations of a process. The simulation considers dozens or hundreds of variables that might affect various aspects of a project, such as when a task might be finished and the costs of completing a task. The simulation provides a range of results from the many iterations using slightly different variables.
    Luis Contreras
    The Monte Carlo tool might “roll the dice 1,000 times on the task durations,” says Luis Contreras, President and Principal Consultant for AzTech International, a California consultancy that helps organizations manage large, complex projects. “It might say we could finish that one-year project as early as nine months. But, worst case, it could go as long as a year and a half. Then you have to look at that and say, ‘What can we do to mitigate those worst-case scenarios?’

    ”The Monte Carlo simulation can do the same thing for project costs or any other variable.

    Contreras explains that Monte Carlo simulations perform calculations that no human or project team could. “With 100 tasks, if you start to see the interconnections of those tasks, the interdependencies, it’s impossible for a human to do the math to calculate the true impacts,” he says. “This Monte Carlo type of assessment will do that quickly.”

    Monte Carlo simulations also offer another advantage. “It kind of removes the subjectivity,”

    Contreras says. “Because humans — project managers — no matter how good, we tend to be optimistic. This inserts some objectivity, the whole randomness of rolling the dice on those durations and those costs.”
    Monte Carlo Analysis
  • Bow-Tie Analysis: In a bow-tie analysis, a project team uses a graphical depiction where the possible causes of an event are the left side of a bow tie, the event is the middle of the bow tie, and the consequences of the event are the right side of the bow tie. This analysis allows the project team to better understand cause and effect in their risk analysis. It also allows the team to better understand and deal with these consequences.
    Bow Tie Analysis
  • SWIFT Analysis: A SWIFT (Structured What-If Technique) analysis uses brainstorming in a structured way to analyze risk. It asks project team members to think of a number of what-if scenarios for the project. That helps the team think of likely risks and consequences and how to respond to both.

To learn about the different types of risk, see this all-inclusive guide to project risk types.

Project Risk Analysis Process

Project teams can follow basic steps to perform an effective project risk analysis. These steps include identifying, evaluating, assessing, mitigating, monitoring, and reviewing risks. By following the risk analysis process, teams can anticipate and address most project risks. 

These are details on the main steps in the project risk analysis process:

  1. Risk Identification: The team brainstorms and performs research, then creates a list of possible risks to the project.
  2. Risk Evaluation: The team evaluates the full list of risks to determine which are most likely to affect the project.
  3. Assessment of Probability and Impact: The team performs a more detailed analysis of the risks and determines their probability and potential impact.
  4. Risk Mitigation Planning: The team crafts a response plan for each risk, either to prevent the risk from happening or to deal with it effectively if it does happen.
  5. Risk Monitoring and Review: Even after you set up plans to respond to risks, your team’s work is far from finished. Project teams should continually review existing risks and monitor for new risks as the project moves forward. The likelihood and impact of risks might change.

    Often, the person on your team doing this monitoring will be listed as the owner of the risk in the risk register. Ultimately, the entire team — and the project manager — is responsible for monitoring project risks.

Be sure to document your risk analysis in a comprehensive project risk assessment report and download a project risk analysis plan template as part of your overall project risk management plan.

Challenges in Project Risk Analysis

Project risk analysis poses certain challenges to teams. These include gathering the right information, being able to predict which risks will be the most impactful, and properly monitoring the ongoing risks.

These are some common challenges to successful project risk analysis:

  • Gathering the Right Information: Your team will need to gather the appropriate information to identify and assess the risks that are most likely to affect the project. Team members will need to talk to the right people and find after-action reports for similar past projects. Identifying the information that is most applicable to your project can be difficult.
  • Predicting the Future: No one can predict the future, of course, but that’s what risk analysis asks you to do. Teams gather information to make informed and intelligent predictions about what might happen with the project, but making accurate predictions will always be challenging and imperfect.
  • Consistency in Risk Assessment: Various departments and divisions within your organization should be part of the risk analysis process. Sometimes that can mean separate teams are using different criteria or scales to assess and quantify risks.

    “I've seen where companies departmentally will set the scales differently,” Reynolds says. “They come in and have risk scores, which is great. But somebody used one to five and someone else used one to 10. Consistency is huge. When you talk about risk analysis, make sure that you're consistent in setting the parameters of how you're going to analyze or evaluate risk.”
  • Risks with No Owners: Assign an owner to each risk; they will be responsible for monitoring that risk. This owner may also be responsible for mitigating the risk if it happens. Too often, teams don’t assign owners for each risk, or owners don’t do what they’re supposed to do to monitor and mitigate the risk.

    Learn more in this comprehensive article on project risk mitigation. 
  • Lack of Vigilance: Too often, teams assess risks at the beginning of a project but fail to perform ongoing analysis of those risks. It can be difficult work, but it is necessary. The team should assess risks throughout the project lifecycle. In some circumstances, risks will disappear. In others, new risks will arise, or existing risks will become more likely or impactful.

Project Risk Analysis Starter Kit

Project Risk Analysis Starter Kit

Download the Project Risk Analysis Starter Kit

Use this starter kit to help guide you through effective project risk analysis. It includes blank and example versions of a quantitative matrix and blank and example versions of project risk registers.

In this kit, you’ll find: 

Project Risk Register Examples

An early important step in project risk analysis is for the project team to create a project risk register. We’ve provided examples of project risk registers and a blank version you can modify in our project risk analysis starter kit.

One example risk register is for a construction project. The other is for an information technology project.

Get a Handle on Project Risk with Real-Time Work Management in Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.



Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Try Smartsheet for Free Get a Free Smartsheet Demo