Project Risk Management


The sense of urgency for Project Risk Management

Are you satisfied with the performance of your programs or projects?

Do you realize your business case on time, within budget and right quality?

Do you want more project control and fewer surprises?

Working in projects is nowadays a commodity. But, we are still dissatisfied about the success rate of project success in terms of time, budget, quality, acceptance and project management. Important success factors for successful projects are:

  • Acceptance by the organisation
  • Meeting expectations
  • Meeting deadlines
  • Sponsor’s involvement/ownership
  • Meeting budget
  • Meeting quality criteria
  • Manage scope creep
  • Excellent project management

We would like to add one other important factor: professional risk and issue management.

Lack of good Risk and Issue Management

KPMG study reveals that 55% of projects that took longer than planned (in other words significantly had an overrun of costs and time) barely managed risks.

Risk management within projects has the lowest maturity level of all project knowledge areas (study of Ibbs and Kwak). Also, one out five organizations does not manage projects risks. Four out of ten organizations manage risks only at project level but don’t manage dependencies between projects.

Are you surprised?

We experience that at a certain moment it is decided that a programme or project should start. We make a plan including a risk analysis. We start the project and from day one many “things” happen, which we call Actions, Issues and Risks. We start to manage them by using multiple Excel sheets: one sheet for Actions, one for Issues and one for Risks. Although Excel is powerful, it has (functional and technical) limitations and causes a higher probability of a project failure rate.

From the start of the project deviation starts/increases and leads to fire-fighting. Then it becomes very hard to manage to deviation on the (adjusted) plan. We get out of control, time and costs are extended.

So risk and issue management is a risk in itself. How often have we not already said: “We are risk averse”, “I have identified this risk a long time ago”, “We don’t learn from previous project (risks)”, “We see the same risk at different places” or “Why was I not informed”. The process, the people behaviour/awareness and the technology regarding risk and issue management needs higher attention and improvement.


Our vision is that in a professional environment projects should be executed as planned. However, always unplanned things happen, being issues and/or risks. If you can manage that professionally, then things become planned and you are back on track for success.  In essence manage the deviation of the (adjusted) plan. Just keep focus on the principle “management by exception”, being Completions of Actions that belong to Issues and Risks (CAIR). Project Risk Management (PRM) will make the difference to your project success. It’s about Project Management, Risk Management and Project Risk Management (Risk Identification, Risk Assessment, Risk Planning and Risk Implementation).

Also there is a relation between Project Risk Management and Operational Risk Management. Why? Programmes and Projects (supply side) deliver benefits and deliverables that will be used in the business operations (demand side) based upon what the business operations pointed out as the functionality within the project scope. So issues/risks form the demand side should be delivered by the supply side through projects, but the supply side often fails to deliver the right things and the things right. In this way a negative reciprocity is established and remained.

Risk has different perceptions views. For a CEO or CMO risk is a side product of entrepreneurship. For a COO or a Project Manager risk is a main product. However, we don’t believe that everything should be controlled. You need risk to enhance creativity. High risk, high reward. What we really need is the right mix, to optimize risk and reward.

How to proceed?

An integrated solution is needed by balancing hard elements (processes, methods, techniques, systems) with soft elements (training, coaching, awareness, attitude and behaviour). Alignments with best practices like PRINCE2®, MSP® (Management of Successful Programmes), M_o_R® (Management of Risk) and PMBoK (Project Management Body of Knowledge) is essential. At the end you will increase your probability for more and better controlled successful projects.

The table shows that by applying professional processes, people and technology you capability to commission and manage projects increases (horizontal axis). This will lead to a lower level of project risks (vertical axis). In general, the probability (those are the percentage in each cell) will significantly increase. Even if the level of project risk remains the same, the use of professional processes, people and technology helps you to increase the probability. The highest increase is for projects with a medium and high level of project risks.

At organizational and project level the maturity level of project risk management can be evaluated.

Ad hoc: process unpredictable, poorly controlled and reactive

Initial: process characterized for projects and is managed

Repeatable: process characterized for organisation and is proactive

Managed: process measured, controlled and improved

A Risk Maturity scan and improvement can help to define the AS-IS , TO-BE and the transformation itself. At the end professional Project Risk Management will give the following benefits:

  • More in control: from “Trust me ” to more “Show me – Prove me”
  • Less (opportunity) costs (labour, savings, external hire)
  • Shorter time cycles and time-saving
  • Higher professionalism of project management process, people and their performance
  • Better ownership, cooperation, decision making, transparency and communication, reputation and using one language
  • More risk awareness and a better learning organisation
  • More and better auditable evidence available for e.g. SAS70 and (risk and project) maturity model
  • Improved teamwork in value chain (external parties) through the use of one common technology platform
  • Aggregated and categorised valuable information to set strategy, policy, goals and to make the right decisions.


Project Risk Management is yet not mature enough and needs more professional attention. Also this topic is too far away form the agenda of the CFO/CRO (Chief Risk Officer). Also, PRM as part of ORM (Operational Risk Management) has much less strategic importance compared to other risk types. However, investments in PRM will surely provide higher success rates for project success and (business) operational excellence.

Ramesh Kalpoe, Managing Director TakeCAIR,,, +31629206157


Ramesh Kalpoe is an independent, experienced manager, and advisor who has worked for large and medium sized multinational companies, including ING, ABN and HP. As a management consultant and (interim) manager he led multiple change management programmes and projects. He worked on the business, ICT, and supplier side. Based upon his personal experience he developed and founded TakeCAIR B.V., a Dutch limited company and privately owned. TakeCAIR provides organisations a higher probability of (project) success by adequate (project) risk management.

Comments are closed.