Project Risk Management: Best Practices, Tips, and Expert Advice

By Kate Eby | July 25, 2017 (updated February 27, 2023)

Enterprise risk management has become a growing field in today’s business world, where many external and internal risks threaten organizations. But while companies are wise to invest in and uphold an enterprise risk management plan, those same companies exhibit less awareness or investment in project risk management. 

This article explains the importance of risk management planning. We will outline the types of risks a project might face, including software projects, how to identify potential risks and outcomes, and how to monitor those risks while the project is active. We will hear from a top global risk management expert about why companies overlook project risk management, and how to easily set up a project risk management plan.

What Is Project Risk Management?

As the name implies, project risk management is the practice of identifying, managing, and mitigating risks in individual projects (this can include construction projects, software updates and releases, and virtually any other type of project undertaken by a company). Project risk management is a subset of an organization’s enterprise risk management plan. Individual project risk management plans should support and reflect the overall enterprise risk management strategy.

Project risk mitigation is the practice of identifying and reducing risks and exposure to risks on any project. Identifying the potential risks is just part of the equation. For each potential risk, a project manager should consider how to address that risk, should it actually affect the project. A project risk management plan, then, identifies all potential risks that could affect a project, and assigns  team members to manage or address each risk. The plan should list as many ways as possible to avoid the identified risks, steps to mitigate the risk should it occur, and how to monitor the progress of that risk mitigation.

In the project risk management field, there are several commonly used, helpful acronyms. Familiarize yourself with the following acronyms before you engage with risk management planning:

  • PEST: This refers to common types of risks that could affect a project: political, economic, social, and technological

The following three focus on stages of project risk management:

  • ACAT: Avoid, control, accept, and transfer
  • AMTA: Avoid, mitigate, transfer, accept
  • SARA: Share, avoid, reduce, accept

Why Project Risk Management Is Important: What Risks Can Affect a Project?

There are tons of risks that can affect a project, and in many ways are the same types of risks faced by entire enterprises. It’s important for project and program managers to be attuned to the types of risk that could affect the success of their projects. These risks include:

  • Financial risks
  • Vendor risks (including late or sub-quality deliveries, etc.)
  • Scope creep (where more asks are added to a project beyond what was initially scoped)
  • Weather and natural disasters
  • Changes in staffing, resources
  • External risks (including governmental, political, environmental, and market-related risks)
  • Hacking, cyberattacks, phishing
  • Unforeseeable and personal (a death in the family of a key team member, etc.)
  • Accidents
  • Sabotage (by disgruntled employees, etc.)

This is simply a list of common potential project risks, but it should help project managers think creatively and proactively about possible issues that could arise. Remember, these risks may differ from project to project.

The Benefits and Goals of Project Risk Management

As with enterprise risk management, the ultimate goal in project risk management is to recognize that external or internal factors can pose risks to the success of any given project. Project risk management is the practice of identifying, weighing and monitoring those risks. The goals and benefits of project risk management include:

  • To identify, monitor and mitigate risks. Ideally, nothing should be a surprise.
  • To be as proactive as possible in risk prevention.
  • To provide clear steps for risk remediation in case something happens.
  • To provide transparency, accountability, and increase faith and confidence of shareholders.
  • To protect stakeholders and project managers.

According to Torsten George, independent cyber security risk management expert, the increase of awareness and need for risk management overall is a positive trend. “But,” George says, “risk was originally a ‘stepchild’ of compliance, so it’s taken time and focus to grow the awareness of overall risk and how to manage it.”


Torsten George

Project risk is now being seen, correctly, as a subset within the bigger buckets of enterprise risk management.” - Torsten George


George says that project risk management reflects more of the operational aspects of enterprise risk management: how a company demonstrates its commitment to mitigating risk at a more granular level. “It’s a cultural shift,” George says. “Project risk is now being seen, correctly, as a subset within the bigger buckets of enterprise risk management. For instance, in IT, each new project carries inherent risks with it, and each needs to be identified and carefully monitored while the project is underway.”

There still isn’t universal consensus on the value of risk management planning, either at the enterprise or project level. Tony Cox, president of Cox Associates in Denver, has argued against risk matrices as using “inexact mathematics.” They can be useful at a very high level to gauge general risk, but he advises his clients against a log or matrix to identify and monitor risks because there’s too much chance for error or omission.

The Elements of a Project Risk Management Plan

The factors will vary by industry and type of project, but certain elements will be relevant to most project risk management plans. These elements, to be quantified and weighted for potential impact of each risk, include: 

  • Budget and costs
  • The process of identifying, analyzing, evaluating, and mitigating risk
  • A risk log template, which is reviewed and evaluated on an ongoing basis
  • Identification of roles and ownership of various risks and their solutions
  • Risk categories and severity

The Steps to Create a Project Risk Management Plan

John Drew is President of the risk management consulting company ErmsCo, and has worked in corporate risk management for 30 years. According to Drew, for a project risk management plan to be effective, a project manager needs to look at his or her organization’s existing enterprise risk management process. Ideally, it will already have created a scoring methodology that can be used to ensure alignment for each project in the company. 

“If not,” Drew continues, “another option would be to contact your company’s finance division to get assistance in development of a plan for project and implicitly project risk. Then a project manager can create a plan that works specifically for the project, and take it to the executive suite for endorsement and transparency.”


John Drew

Simpler is always better. There’s no need to make any risk management plan overly intricate. It just needs to be comprehensive enough to cover the relevant bases that could affect your project.” - John Drew, President, ErmsCo

Even so, Drew says, “Simpler is always better. There’s no need to make any risk management plan overly intricate. It just needs to be comprehensive enough to cover the relevant bases that could affect your project.”


  1. Drew outlines the steps typically involved in creating a project risk management plan: 
  2. Create a risk scorecard, log template (see above), or "risk register"
  3. Analyze and assess risks against likelihood, and potential level of impact
  4. Describe how to identify risks and threat of risks
  5. Devise a plan of action for mitigating risks, which includes "contingency" risks and preventative measures
  6. Set up risk monitoring, reviewing, and revisiting on ongoing basis

An Important Type of Project Risk Management: Software Risk Management

A specific and common type of project risk management involves software development risk management. When software is developed, projects related to the development and/or the release of that software can face specific risks and challenges. 

According to the Test Institute, a nonprofit educational and software certification organization, there are typically five types of scenarios that introduce risk in most software development and release projects. As a best practice, a project manager should ask these questions to identify and quantify these risks:

  • How complex is the technology? The more complicated and intricate the software and its functionality, the greater chance of risk affecting some part of it during the development phase.
  • What is the depth of knowledge and experience? The technical expertise of the testing team is especially important. If the testers are not well-versed in your product code, language, or customer base, this can lead to significant risks.
  • Are there any conflicts within the team? These can include existing or potential conflicts.
  • Are the development teams spread across a large global area? With more development teams working around the world, sometimes in a different country from the project leaders, there is greater chance of miscommunication or other types of risks.
  • How sophisticated are the testing tools being used by the team? Do they reflect the world of users at large, and can they detect flaws in the project or functionality well before a release, so that fixes can be made?

If a software release project manager asks these questions, and revisits them throughout the project, there is a much greater chance that risks can be identified, and steps taken to mitigate those risks and any damage posed by them, early on. Software teams and project managers should also make a routine practice of studying past, similar projects. These could include previous launches of a software if you are working on an update to it, etc. With each software project, you should refine the knowledge base of risks, and gain efficiencies to use the previous project’s learnings as a jumping off point.

John Drew’s Rules for Effective Project Risk Management Formulas

Drew says that he believes a risk management policy should have a rating method that determines key criteria such as alignment to strategic objectives, risk assessment, cost assessment, prioritization scoring methodology, and risk adjusted return analysis. He recommends three rules for the most relevant and useful risk management logs and scoring cards:

Scoring Formula Rule #1: Keep the scoring simple enough that all the stakeholders can quickly comprehend the answer and compare projects against one another, and then begin to prioritize. Drew thinks of this step as “risk-adjusted thinking.”
Scoring Formula Rule #2: Use the same scale for all projects so all stakeholders can easily rate and compare projects to determine priorities and allocate resources.
Scoring Formula Rule #3: All project management programs should have a project scoring method that includes elements such as strategic, financial, execution, and risk as part of the equation. The risk element should score risks related to the project, and consider internal and external risks. In other words, Drew says, all related projects should consider similar risk types and be scored with the same scale.

Building In Flexibility: How to Pivot with Change

However, having a comprehensive project risk management plan in place won’t ensure team success; you must also have regular checkins. Ensure project rigor by scheduling regular recurring project status meetings with your stakeholder group to assess task completion, and to address any issues that may have come up or may be on the horizon. It’s also important to consider environmental, team, and other changes, and to revise, review, and reassess risk profiles as needed.

Benefits of Risk Management Software

The benefits of project risk management software are similar to those of enterprise risk management software, albeit more focused. Some of the benefits of using project risk management software include:

  • Increased shareholder value: Managing risk results in better brand and reputation, boosting stock prices
  • Optimized risk/return outcomes
  • Greater transparency: This gives managers the ability to tackle projects with best risk/reward outcomes
  • Prioritization: This enables higher risk initiatives to be monitored/managed more closely as needed
  • Reduced compliance costs: Integrating corporate governance, risk management, and compliance processes means lower costs for all
  • Internal controls
  • Stronger operations
  • Ability to update security (project- and enterprise-wide)

Educational Opportunities in Project Risk Management

The educational opportunities for project risk management come from the same entities that educate on enterprise risk management, and on best practices in project management. The three most significant and impactful organizations include the North Carolina State University program, the Project Management Institute, and the Risk and Insurance Management Society (RIMS). All offer extensive classes, certifications, and other resources in all types of risk management and project management issues.


Plan and Manage Project Risk in Real Time with Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.



Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, templates, or related graphics contained on the website. Any reliance you place on such information is therefore strictly at your own risk. 

These templates are provided as samples only. These templates are in no way meant as legal or compliance advice. Users of these templates must determine what information is necessary and needed to accomplish their objectives.

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Try Smartsheet for Free Get a Free Smartsheet Demo