Essential Guide to Project Risk Assessment

By Lulu Richter | September 19, 2022 (updated May 6, 2026)

Performing a risk assessment is vital to a project’s success. We’ve compiled expert tips, a step-by-step process, and a free, downloadable starter kit to help you conduct a comprehensive risk assessment.

Key Takeaways

  • While many managers focus solely on threat mitigation, it’s important to also understand that positive risks can be high-value opportunities. By exploiting or enhancing these opportunities with specific strategies, teams can turn sudden tech breakthroughs or vendor discounts into significant profit margin boosters.
  • Rather than starting from scratch, experts suggest building a formal taxonomy of historical risks derived from past lessons learned. This can be used as a diagnostic tool to help identify and analyze future risks.
  • Risk assessment must be a continuous, living process that only ends once a project is retired. Experts advise project managers to listen for hidden risks in casual technical conversations and to use simple quantitative counts to avoid gambler’s fallacy, ensuring that risk registers remain active, evolving documents.

What Is a Project Risk Assessment?

A project risk assessment, or project risk analysis, is a formal process to identify and analyze the risks a project may face throughout its lifecycle. Teams identify possible risks and assess their likelihood and impact. Risk assessments are conducted before a project begins and throughout its lifecycle to monitor changing conditions and address new risks.

Project risk assessments are an important part of project risk management. Learn more from experts about best practices in this article on project risk management. For even more tips and resources, see this guide to creating a project risk management plan.

Why Are Project Risk Assessments Important?

Project risk assessments are important because they help teams identify threats that could change a project’s timeline, budget, or outcomes. By evaluating risks early, teams can prioritize threats and opportunities based on their likelihood and impact. This allows them to develop mitigation strategies and make informed decisions.

A 2024 study by Deloitte asserted that “teams should explore how dynamic risk assessments can potentially enhance business functions, improve decision-making, and reduce costs.” Enterprise risk management, it continues, “is essential for companies to systematically identify, assess, and manage organization-wide risks.”

The ORX 2025 Risk Assessment Study states that “risk assessment remains a core essential element of the risk management process.” The study notes that organizations increasingly rely on risk assessments to understand potential impacts and support decision-making. As a result, risk assessments are evolving from static, periodic exercises into dynamic, real-time processes that allow organizations to respond quickly to emerging threats. 

Tips for Assessing Risk in a Project

To assess risk in a project, start by collectively brainstorming all potential risks. Next, analyze each risk to understand its timing, triggers, probability, and impact. In addition, use historical data, maintain manageable numbers, consult external experts where possible, and keep an eye out for opportunities.

Review Past Projects

Wendy Romeu, President and CEO of Alluvionic, suggests compiling “a taxonomy of old risks that you’ve identified in other projects from lessons learned.” She provides an example of how this would look at the start of a project. 

“You would pull up your template that includes all the risks that you realized in other projects and go through that list of questions. Then you would ask: ‘Do these risks apply to our project?’”

— Wendy Romeu, President and CEO of Alluvionic

Romeu also recommends collective brainstorming. When the whole team comes together with their varied experiences, risk identification is more effective.

Document important risk information for future projects using one of these free project risk templates.

Set Risk Limits

It is important to be thorough, but also stay focused on meaningful risks. A project may face an unlimited number of risks with infinitesimal likelihood or impact, and accounting for them all can pull attention from what truly matters.

Mike Wills, who taught for 19 years at Embry-Riddle Aeronautical University’s College of Business, recommends ensuring that your list of risks does not get unwieldy.  

“You want to identify possible risks, but you want to keep the numbers manageable. The more risks you identify, the longer you spend analyzing them. And the longer you’re in analysis, the fewer decisions you make.”

— Mike Wills, former teacher at Embry-Riddle Aeronautical University’s College of Business

One way to keep your risk identification focused is to break possible risks down into categories. Learn about the most common project risk types.

Look for Positive Risks

Unexpected events that could benefit a project are known as positive risks, or opportunities.

“Most people, when they think about risk assessment, they always think about the negatives. I really try to encourage people to think about the opportunities as well.”

— Alan Zucker, Founding Principal of Project Management Essentials

Opportunities, or positive risks, might include a new technology becoming available that speeds up a project timeline, a key vendor offering a discount, or a sudden increase in demand. If acted upon, these opportunities can reduce costs or increase profit margins. Zucker, who has more than two decades of experience managing projects in Fortune 100 companies, recommends learning how to respond in such situations.

Find more expert tips in this guide to project risk identification. To learn more about properly assessing lessons learned at the end of a project, see this comprehensive guide to project management lessons learned.

Inputs Needed for a Risk Assessment

Inputs needed for risk assessment are the information sources a team uses to understand the project environment and identify potential risks. These inputs include documents and data that provide context, define constraints, and highlight factors that could affect the project. Analyzing these inputs helps teams accurately assess project risks.

Here are some examples of the inputs needed for risk assessment:

  • Project scope, objectives, and success criteria
  • Stakeholder expectations and requirements
  • Historical project data and lessons learned
  • Known constraints, assumptions, and dependencies

Outputs Generated by a Risk Assessment

Outputs generated by a risk assessment are the results produced after identifying and analyzing risks. They include documented risks, prioritized risk levels, and mitigation strategies. These outputs help teams make informed decisions and control for potential threats.

These are sample outputs generated by a risk assessment:

  • A prioritized list of identified project risks
  • Risk probability and impact evaluations
  • Recommended mitigation or response strategies
  • Updated risk register or risk documentation

Project Risk Assessment Methodologies and Approaches

Project risk assessment methodologies and approaches refer to the methods used to evaluate and prioritize risks within a project. They include qualitative, quantitative, and semi-quantitative methodologies, as well as those focused on assets, vulnerabilities, or threats. These methods describe different dimensions of a risk assessment, not mutually exclusive types.

Infographic explaining the differences between the measurement approach to project risk assessment, and the analytical focus to project risk assessment

Here is more on each of the main methodologies and approaches to project risk assessment:

Quantitative

Quantitative risk assessment uses numerical data and statistical analysis to estimate the probability and potential impact of project risks. Teams can use modeling, simulations, and cost analysis to help calculate potential losses, compare scenarios, and prioritize risks based on measurable outcomes.

Qualitative

Qualitative risk assessment evaluates project risks using descriptive categories and expert judgment rather than numerical data. Teams can rate likelihood and impact using past project information and scales such as low, medium, or high, allowing them to quickly identify and prioritize risks when precise data is limited.

Semi-Quantitative

Semi-quantitative risk assessment combines elements of qualitative and quantitative analysis. Teams can evaluate likelihood and impact using defined scales, then multiply or compare scores. This helps them rank risks and mitigate as needed without complex statistical modeling.

Asset-Based

Asset-based risk assessment focuses on identifying and evaluating the critical assets in a project. Assets can include people, equipment, or information. Risks are analyzed based on their potential disruption to the use of these assets, like the possibility of staff shortages, equipment failure, timeline crunches, or budget shortfalls. Asset-based analysis helps teams prioritize protections for what is most valuable.

Vulnerability-Based

Vulnerability-based risk assessment examines weaknesses within the project or system that could fail or be exploited. These could be outdated software, process gaps, inefficient workflows, poor documentation, or overreliance on a single vendor. By identifying and evaluating these vulnerabilities, teams can target mitigation efforts to reduce exposure and strengthen areas most likely to cause disruption.

Threat-Based

Threat-based risk assessment centers on external or internal threats that could impact the project, such as natural events, market shifts, or human errors. The threat-based risk assessment approach evaluates the likelihood and impact of these threats to guide preventative measures and response planning.

How to Conduct a Project Risk Assessment

To conduct a project risk assessment, first identify all your potential risks and determine their impact and likelihood. Then, assign a score to each risk and determine your risk tolerance. Finally, prioritize the risks and develop mitigation strategies. Make sure you perform continuous risk assessments throughout the project, and document lessons learned at the end.

Here are the steps to performing an effective risk assessment:

  1. Identify Potential Risks

    Bring your team together to identify all potential risks to your project. Review important documents associated with the project and revisit past projects to note the risks that emerged from similar situations. Consider common industry-specific risks — such as environmental, legal, or regulatory — that could realistically occur.

     

  2. Determine the Probability of Each Risk

    After your team has identified possible risks, determine each risk’s probability. This can be done with team brainstorming and by consulting experts. You can also review past projects and other projects in the same industry to make educated assessments. Assign a probability score for each risk.
     
  3. Determine the Impact of Each Risk

    Determine the impact of each risk should it occur. Would the risk stop the project entirely or prevent the completion of a key deliverable? Or would the risk occurring have a relatively minor impact? Impact can be measured with qualitative or quantitative methods, or a combination of the two. Assign an impact score for each risk.

    Remember to assess the impact of positive risks, as well as negative. If it’s a positive risk with high impact, Romeu says, “You want to make sure you’re doing the things to make it happen.”
     

  4. Determine the Risk Score of Each Event

    Once your team assesses the probability and impact of identified risks, they can determine a risk score for each. This score allows your organization to understand the risks that need the most attention.

    Often, teams will use a simple tool — like one of these free risk matrix templates — to determine that risk score. The team then assigns one score based on the probability of each risk event and a second based on its potential impact on the project or organization. Multiplying those two scores gives each event its overall risk score.

    Teams can customize their risk matrices, but Zucker says he prefers to assign the numbers 1, 5, and 10 — for low, medium, and high — to both the likelihood of an event happening and its impact. In that scenario, an event with a low likelihood of happening (level of 1) and low impact (level of 1) would have a total risk score of 1 (1 x 1). An event with a high likelihood of happening (level of 10) and high impact (level of 10) would have a total risk score of 100 (10 x 10).
     
  5. Understand Your Risk Tolerance

    As your team considers risks, it must understand the organization’s risk tolerance. Your team should know what kinds of risks organizational leaders and stakeholders are willing to take to achieve project goals. This will be different for different organizations, industries, and teams.

    Documenting this information in a risk tolerance matrix or a brief guidance document provides a clear reference for decision-making. It also helps your team prioritize mitigation efforts, allocate resources effectively and decide which risks require active management versus those that can be accepted.
     
  6. Decide How to Prioritize Risks

    Once your team has determined the risk score for each risk and understands the organization’s risk tolerance, it will determine which potential risks need the most attention. Romeu suggests prioritizing high-impact, high-likelihood risks that your organization will want to work hard to prevent. Develop mitigation strategies that correspond to each risk score.

    “Some projects are just so vital to what you do and how you do it that you cannot tolerate the risk of derailment or major failure,” says Wills. “So you’re willing to spend money, time, and effort to contain that risk. On other projects, you’re taking a flyer. You’re willing to lose a little money, lose a little effort.”
     
  7. Develop Risk Response Strategies

    Once your team has assessed all possible risks and ranked them by importance, it’s time to develop risk response strategies. These plans should include ways to respond to both positive and negative risks.

    Project teams respond to negative risks using four main strategies: avoid the risk entirely, mitigate it by reducing its likelihood or impact, accept it when prevention isn’t cost-effective, or transfer it to another party (such as through contracts or insurance). Teams can also escalate risks that are beyond their authority or require higher-level decision-making. To learn about these strategies in more detail, see this article on project risk mitigation.

    Teams respond to positive risks by exploiting them to ensure they occur, enhancing them to increase their likelihood or impact, or sharing them with partners to improve the chances of success. Teams may also accept or escalate positive risks. Learn more about effective ways to respond to opportunities in this guide to business risk mitigation.

    Differences between positive risk and negative risk in project risk assessment

    Accepting risk acknowledges the risk without action, often because mitigation is too costly, while escalating it raises high-impact or complex risks to higher-level stakeholders for decision-making or additional support.

    How Complexity & Impact Affect Project Risk Response

    Risk Type                | Low Complexity / Impact | High Complexity / Impact
    Positive (Opportunities) | Accept                  | Exploit, Enhance, Share (+Escalate)
    Negative (Threats)       | Accept                  | Avoid, Mitigate, Transfer (+Escalate)

  8. Monitor Your Risk Plans

    Your team will want to understand how viable your organization’s risk plans are. That means monitoring how those plans would work in practice or testing them before they’re needed.

    A common example is an all-hands drill to walk through a disaster plan: how would a hospital respond to a power failure or earthquake? It’s like a fire drill, Zucker says. “Did we have a plan? Do people know what to do when the risk event occurs?”
     
  9. Perform Continuous Risk Assessments

    Your team should continually assess risks to the project. This should happen throughout your project, from project planning to execution to closeout. “People think it's a one-and-done event,” says Zucker. “They say, ‘I’ve put together my risk register, we’ve filed it into the documents that we needed to file, and I'm not worrying about it.’ I think that is probably the most common issue: that people don't keep it up. They don’t think about it.”

    Not thinking about how risks change and evolve throughout a project means project leaders won’t be ready for something when it happens. That’s why doing continual risk assessment as a primary part of risk management is vital, says Wills.

    “Risk management is a process that should start before you start doing that activity. As you have that second dream about doing that project, start thinking about risk management,” he says. “And when you have completely retired that thing — you've shut down the business, you've pensioned everybody off, you’re clipping your coupons and working on your backstroke — that's when you're done with risk management. It’s just a living, breathing, ongoing thing.”

    Experts say project managers must learn to develop a sense for always assessing and monitoring risk. “As a project manager, you should, in every single meeting you have, listen for risks,” Romeu says. “A technical person might say, ‘Well, this is going to be difficult because of X or Y or Z.’ That’s a risk. They don’t understand that’s a risk, but as a project manager, you should be aware of that.”
     
  10. Identify Lessons Learned

    After your project is finished, your team should come together to identify the lessons learned and record them in a document. By doing so, you allow future leaders of similar projects to learn from your successes and failures, and to better understand the risks that could affect their projects.

    “Those lessons learned should feed back into the system — back into that original risk checklist,” Romeu says. “So the next software development project knows to look at these risks that you found.”

Quantifying Risk Example

Risk matrices usually include qualitative descriptions to help teams compare risks based on their relative severity. In some cases, however, teams can calculate a quantitative risk score. For example, your team might determine, based on past projects or other information, that an event has a 10 percent chance of happening. They also determine that that event, if it occurs, would diminish your manufacturing plant’s production capacity, costing your company an estimated $400,000. In that case, you would multiply the impact of the risk ($400,000) by the likelihood (10 percent) to get a risk score of $40,000.

“Just simple counts start to give you a quantifiable way of looking at risk,” says Wills. “A risk that is going to delay 10 percent of your production capacity is a different kind of risk than one that will delay 50 percent of it. Because you have a number, you can gather real operational data for a week or two and see how things support the argument. You can start to compare apples to apples, not apples to fish.”

Wills explains that quantitative assessments can help teams make more objective decisions. “Humans, being very optimistic and terrible at predicting the future, will say, ‘Oh, I don't think it'll happen very often,’” he says. “Quantitative techniques help to get you away from this gambler fallacy kind of approach. They can make or break your argument to a stakeholder that says, ‘I've looked at this, and I can explain mechanically, count by the numbers like an accountant, what's going on and what might go wrong.’”
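As an added illustration (not code from the article or from Smartsheet), the Python below implements steps 4 through 7 above and the expected-value calculation in this section: Zucker's 1/5/10 scale, ranking against a tolerance threshold, the response table, and probability times cost. The register entries and the tolerance value of 10 are constructed assumptions.

```python
from dataclasses import dataclass

# Zucker's semi-quantitative scale from the article: low = 1, medium = 5, high = 10.
LEVELS = {"low": 1, "medium": 5, "high": 10}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str          # "low", "medium" or "high"
    impact: str              # "low", "medium" or "high"
    positive: bool = False   # True for an opportunity, False for a threat


def level(value: str) -> int:
    """Translate a qualitative rating into its numeric level; reject anything else."""
    try:
        return LEVELS[value.lower()]
    except KeyError:
        raise ValueError(f"unknown rating {value!r}; expected one of {sorted(LEVELS)}") from None


def risk_score(risk: Risk) -> int:
    """Step 4: overall score = likelihood level x impact level (1..100)."""
    return level(risk.likelihood) * level(risk.impact)


def prioritize(risks, tolerance: int):
    """Steps 5-6: rank risks by score, highest first. Scores above the tolerance
    threshold need active management; the rest can be accepted."""
    ranked = sorted(risks, key=risk_score, reverse=True)
    return [(r, risk_score(r), risk_score(r) > tolerance) for r in ranked]


def response_options(risk: Risk, tolerance: int):
    """Step 7: response strategies from the article's complexity/impact table.
    Escalation is listed last because it applies only when the decision exceeds
    the team's authority."""
    if risk_score(risk) <= tolerance:
        return ["accept"]
    if risk.positive:
        return ["exploit", "enhance", "share", "escalate"]
    return ["avoid", "mitigate", "transfer", "escalate"]


def expected_monetary_value(probability: float, impact_cost: float) -> float:
    """Quantitative score from the worked example: probability x cost in money."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * impact_cost


# Constructed sample register (hypothetical risks, not taken from the article).
SAMPLE_REGISTER = [
    Risk("Key vendor misses delivery date", "medium", "high"),
    Risk("Minor scope change request", "low", "low"),
    Risk("Vendor offers early-commit discount", "medium", "medium", positive=True),
    Risk("Regulatory rule change halts work", "low", "high"),
]

if __name__ == "__main__":
    for risk, score, active in prioritize(SAMPLE_REGISTER, tolerance=10):
        print(f"{score:>3}  {'manage' if active else 'accept':<6}  {risk.name}"
              f"  -> {', '.join(response_options(risk, 10))}")
    print(f"EMV of the plant example: ${expected_monetary_value(0.10, 400_000):,.0f}")
```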

Writing a Project Risk Assessment Report

Teams will often track risks in an online document that is accessible to all team members and organization leaders. Sometimes, a project manager will also create a separate project risk assessment report for top leaders or stakeholders.

To create a project risk assessment report, start by finding an appropriate template that suits your organization, industry, project, and team. Try one of these free risk assessment templates to get started. Remember to keep your audience in mind. For example, a report for a technical team will need to be more detailed than a report for the CEO or investors.

Project Risk Assessment Starter Kit

This starter kit includes a checklist on assessing possible project risks, a risk register template, and more. Use these resources to help your team better understand how to assess and continually monitor project risks.

Project Risk Assessment Methods

Project risk assessment methods are tools and techniques project leaders use to help measure risks. Common methods include failure mode and effects analysis (FMEA), bow-tie analysis, Monte Carlo simulation, and scenario analysis, each of which helps teams evaluate risk likelihood, impact, and possible outcomes.

Here is a closer look at a few common risk assessment techniques:

  • Failure Mode and Effects Analysis (FMEA): This is a structured method for identifying potential failures in a process, product, or system. Teams examine each step, assess possible failure causes and impacts, and prioritize risks using scoring. It helps highlight critical areas that need preventive measures or redesign.
  • Monte Carlo Simulation: This quantitative technique uses computer modeling to simulate thousands of possible project outcomes. It estimates the probability of schedule delays, cost overruns, or other risks by analyzing variability and uncertainty, which helps teams make data-driven decisions.
  • Bow-Tie Analysis: In this method, teams create a simple bow-tie diagram, where risks are in the center, causes (i.e. threats) are on the left, and consequences (i.e. impacts) are on the right. You then outline preventive and mitigative controls on each side so users can easily see how to reduce risk likelihood and severity.
  • Scenario Analysis: This method involves creating what-if scenarios to understand different conditions or events and their impact on a project. Teams can examine risks under various conditions, which helps inform planning, mitigation strategies, and resource allocation decisions.

Using project risk management software is a great way to assess risks effectively. Learn more about these analysis tools and others in this guide to project risk analysis.

Expertly Assess and Manage Project Risks with Real-Time Work Management in Smartsheet 

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.
