Select Page


A Risk Management Implementation
By Gary Hamilton, Gareth Byatt, and Jeff Hodgkinson

As program or project managers, we have our hands full with the day-to-day management of our initiatives, and it is difficult enough to keep a lid on all the tactical actions that are taking place, let alone plan for the future. Nonetheless, we all know that planning is a key element to success. Most successful program or project managers are effective because they simultaneously balance the immediate challenges and demands facing them with future needs, opportunities and risk-avoidance. In particular, they are able to do so because they identify and communicate these elements at the right levels throughout the organization. How do successful program and project managers remain successful in their day-to-day work while spending only the minimum amount of effort directed towards long term ends?

The focus of this article is a specific risk management strategy which we believe is simple to implement and can directly help to improve one’s ability to identify, manage, and effectively communicate risks.

What are “Risk” and “Risk Management”?

What are risk and risk management? According the PMBOK®, Risk is an uncertain event that can be either positive or negative. Additionally, risk management is, “… the systematic process of identifying, analyzing, and responding to project risk.” Risk management incorporates various processes. Models differ – one example is Risk Planning, Identification, Qualitative Analysis, Quantitative Analysis, Response Planning, and Monitoring and Controlling. While risks are “uncertain” events that have not yet occurred, an Issue is an event that has already transpired. A trigger is an indication that a risk is about to or has occurred, and is usually based on parameters that have been “set off”. This brings us to the following diagram, which depicts Issues arising from Risks.

Risk - Trigger - Issue

Figure 1: Risk – Trigger – Issue

Before we delve into the details of Risk Management implementation, we want to discuss a few aspects of risk. First, by definition, projects are the creation of a unique entity; therefore, a certain amount of risk will always be present. Secondly, one must acknowledge that risk is not bad and, as we have discussed in a previous article (RISK – the PM’s Best Friend), when managed effectively, risk control can yield positive outcomes for the program or project manager and their program/project. While some consider “risk” to be intrinsically negative, risk outcomes can be positive. Such positive risks, or opportunities, as they are commonly referred to, are the events you seek to act upon to create a net positive impact on your project.
When our goal is the identification of project risks, it is helpful to categorize them; when does this risk arise and where is likely to have impact? For instance, is the project risk sourced within technical, quality, schedule, or resource aspects of the project? Balancing risk categories can help provide greater assurance that one is being effective when examining various areas of the project.

A Specific Risk Management Implementation

For years, each of us have used and practiced a similar Risk Management implementation (process and tool) which has proven to be quite simple, yet effective.

The specific implementation discussed here includes a tool and its associated processes. The tool or Risk Register (in our case a Microsoft Excel Spreadsheet) provides a mechanism for capturing project risks and issues, yet also covers all of the PMBOK® KPA processes, with the exception of Risk Planning. We suggest Risk Planning can be covered within one’s Project Management Plan. The planning component within the Risk Management plan can be relatively short (summarized within a couple of paragraphs) by referencing the self-contained Risk Register, identifying the methods for updating the Risk tool, and communicating the Risks and Issues from the Risk tool.

As stated previously, we choose to manage some project risks via a spreadsheet template (see diagram).

Risk Management Processes

Figure 2: Risk Management Processes (Click to enlarge)

As can be seen, each of the processes is included within the spreadsheet (or Risk Register), with the exception of risk management planning. The idea is that each horizontal entry represents one Risk or Issue. If it is a risk, the format for capturing it is in a specific format: “IF BY THEN .” Because risks are uncertain events, it is useful to state them in this format so that the point at which this Risk may become an Issue is clear. Note: not all risks become issues; that is part of their inherent uncertainty.

As part of Risk Identification, we also capture the date on which the risk was identified and the category to which the risk belongs. Risk identification has been shown to be a significant part of risk management in that it makes one aware of potential events or issues that may impact the group.

Following this, we want to quantity and qualify the individual risk itself. Many organizations use a “risk matrix” to control this (e.g. magnitude and likelihood). The mechanism employed here multiplies the probability of risk (value between 0.0 and 1.00) by the Impact of the risk if it were to become an issue (values range 1 to 100). This produces a REN or Risk Event Number, a way of ascribing a value (1 to 100) to each risk. Depending upon your organization’s preferences, you may consider color-coding the REN cell (clear, yellow, red) as a means of drawing attention to high-probability, high-impact risk.

Additionally, this mechanism enables us to collectively sort all of the risks, allowing us to recognize at any point how close any particular risk is to turning into an issue. It also allows users to sort and compare project risks.

Continuing left to right, the next field is labeled “Mitigation.” Within this field, we want to capture our Risk Mitigation Plans. This requires that we look ahead, consider and plan as to what we will do to manage our Risks and their potential progression to becoming Issues. We find that having multiple plans in place helps to maintain a balance as to how we’ll manage our Risks. To this end, we prefer to categorize the plans as either MITIGATE, MONITOR, ENCOURAGE, or ACCEPT.

The last two fields include the Risk Owner (who is primarily responsible for the Risk) and a running status of the risk. The latter should be updated each time the risk status is changed, so that one has a history log for all the risks.

Maintaining and Reporting

Through the process of periodic evaluation and review of the Risks (e.g., PM to review Risk Register with entire team on a monthly basis) and updating Issues and Risks individually when necessary, the Risk Register becomes a “living” record. This includes the current potential for a Risk becoming an Issue (via REN), as well as its current owner and status.

Additionally, reporting top risks (via sorting of highest value REN) allows your audience (e.g., team members, customers, and senior staff/sponsors) to quickly notice potential issues that could impact your project, as well as develop plans to deal with associated risks and issues (via the Risk Mitigation Plan section).


This article has provided an overview of a specific Risk Management implementation that can be adapted to most projects. While risk management is far more than maintaining a Risk Register, the tools for making decisions are essential. As a result, it is the hope of the authors that you will find these tools and their implementation useful for providing a framework in which you, too, can be a successful manager of program and project risk.

Gareth Byatt, Gary Hamilton, and Jeff Hodgkinson are experienced PMO, program, and project managers who developed a mutual friendship by realizing they shared a common passion to help others and share knowledge about PMO, portfolio, program and project management (collectively termed PM below). In February 2010 they decided to collaborate on a five (5) year goal to write 100 PM subject articles (pro bono) for publication in any/all PM subject websites, newsletters, and professional magazines / journals. They have been translated into Arabic, French, Italian, Spanish, Portuguese, and Russian and published on websites in Australia, Brazil, Canada, Costa Rica, France, Italy, New Zealand, Poland, Russia, UK, and the USA. Their mission is to help expand good program and project management practices by promoting the PM profession, to be a positive influence to the PM Community, and in earnest hope readers can gain benefit from the advice of their 60+ years of combined experience and expertise (and the expertise of co-authors who write with them on certain articles and subjects). Although all three are well credentialed, together they have the distinction in particular of being 3 of only 25 worldwide that hold the Project Management Institute’s PMP®, PgMP®, and PMI-RMP® Credentials. Gary and Jeff have all five (5) of the PMI ‘Family of Credentials’. As of December 31st, 2010, PMI confirmed we were the only two having these.

Along with writing articles, each also champions a role in the overall writing program collaboration process:

  • Gareth manages all requests for additional guest author collaborations
  • Gary manages the article development tracking and readership metrics
  • Jeff manages the article distribution and new readership demographics

Each can be contacted for advice, coaching, collaboration, and speaking individually as noted in their bios or as a team at:

Gareth Byatt is Head of the Group IT Portfolio Management Office for Lend Lease Corporation. Gareth has worked in several countries and lives in Sydney, Australia. Gareth has 14+ years of project, program, and portfolio management experience in IT and construction. He can be contacted through LinkedIn.

Gareth holds numerous degrees, certifications, and credentials in program and project management as follows: an MBA from one of the world’s leading education establishments, a 1st-class undergraduate management degree, and the PMP®, PgMP®, PMI-RMP®, & PRINCE2 professional certifications. Gareth is also the APAC Region Director for the PMI’s PMO Community of Practice and chairs several peer networking groups. He is a Director of the PMI Sydney Chapter for 2011.

He has presented on PMOs and program and project management at international conferences in the UK, Australia, & Asia including PMI APAC in 2010.

Email Gareth:

Gary Hamilton has 17+ years of project and program management experience in IT, finance, and human resources and volunteers as the VP of Programs for the PMI East Tennessee chapter. Gary is a 2009 & 2010 Presidents’ Volunteer Award recipient for his charitable work. He has won several internal awards for results achieved from projects and programs he managed as well as being named one of the Business Journal’s Top 40 Professionals in 2007. Gary is the 5th person globally to obtain the six PMI credentials PgMP®, PMP®, PMI-RMP®, PMI-SP®, PMI-ACP®, and CAPM®. In addition to these, Gary holds numerous other degrees and certifications in IT, management, and project management and they include: an advanced MBA degree in finance, Project+, PRINCE2, MSP, ITIL-F, MCTS (SharePoint), MCITP (Project), CSM (Certified Scrum Master), and Six Sigma GB professional certifications. Email Gary: or contact him through LinkedIn.

Jeff Hodgkinson is a 31 year veteran of Intel Corporation, where he continues on a progressive career as a program/project manager. Jeff is an IT@Intel Expert and blogs on Intel’s Community for IT Professionals for Program/Project Management subjects and interests. He is also the Intel IT PMO PMI Credential Mentor supporting colleagues in pursuit of a new credential. In 2012, he earned an IAA (Intel Achievement Award), Intel’s highest recognition, with the team for work in implementing an industry-leading private cloud solution.

Jeff received the 2010 PMI (Project Management Institute) Distinguished Contribution Award for his support of the Project Management profession from the Project Management Institute. Jeff was the 2nd place finalist for the 2011 Kerzner Award and was also the 2nd place finalist for the 2009 Kerzner International Project Manager of the Year Award TM. He also received the 2011 GPM™ Sustainability Award. He lives in Mesa, Arizona, USA and volunteers as the Associate Vice President for Credentials & Certifications for the Phoenix PMI Chapter. Because of his contributions to helping people achieve their goals, he is the third (3rd) most recommended person on LinkedIn with 590+ recommendations, and is ranked 33rd most networked LinkedIn person.

Jeff holds numerous certifications and credentials in program and project management, which are as follows: CAPM®, CCS, CDT, CPC™, CIPM™, CPPM–Level 10, CDRP, CSM™, CSQE, GPM™, IPMA-B®, ITIL-F, MPM™, PME™, PMOC, PMP®, PgMP®, PMI-RMP®, PMI-SP®, PMW, and SSGB. Jeff is an expert at program and project management principles and best practices. Jeff is currently focusing on gaining expertise in energy efficiency and home energy alternatives.

Email Jeff:

Recommended PM App

Recommended PM App