Skip to main content

The risk management strategies you'll find most useful may not necessarily be the ones you'll see in official project management literature. In fact, they may not even be captured in risk management software.

The truth is that sometimes the best strategies were born from the complex and chaotic world where real-life projects live. Here, I'll share several that I've picked up over the years.

The 5 Types Of Risk Response

The Project Management Body of Knowledge (PMBOK) describes five types of risk response strategies:

  1. Risk avoidance
  2. Risk transference
  3. Risk escalation
  4. Risk mitigation
  5. Risk acceptance

If you’ve had any kind of formal risk management strategy training, you know these five risk response strategies by heart.

But well-developed risk response strategies go far beyond these theoretical concepts.

12 Risk Management Strategies You Won't Find In a Textbook

Mitigating risk in real projects often results in some innovative solutions, tricks, and workarounds that you won’t read in any textbook.

12 key risk management strategies
Here are twelve key risk management strategies that you won't find in any old textbook.

1. Get better at communicating and coaching

Take a step back. I know you know what risk management looks like. But if team members and other stakeholders don’t know what effective project risk management looks like, how can they be expected to improve? If there is no coaching to help teams improve their capabilities, improvements in risk management will rarely happen organically.

Competent risk management requires exceptional interpersonal skills in addition to some basic technical skills, so hands-on practice with feedback from seasoned practitioners is needed to improve.

Sign up for the DPM newsletter to get expert insights, tips, and other helpful content that will help you get projects across the finish line on time and under budget.

Sign up for the DPM newsletter to get expert insights, tips, and other helpful content that will help you get projects across the finish line on time and under budget.

  • Hidden
  • By submitting this form, you agree to receive our newsletter and occasional emails related to The Digital Project Manager. You can unsubscribe at any time. For more details, please review our Privacy Policy. We're protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • This field is for validation purposes and should be left unchanged.

2. Don't avoid the “avoid” option

There are multiple strategies to respond to identified negative risks. You’d assume that risk owners would select the best risk control response for each risk, but most of the risk registers I’ve ever reviewed usually reflect only two responses: accept and mitigate.

It’s very common to see risk mitigation strategies in project management, but far less common to see risk avoidance being employed as a strategic option.

As Mr. Miyagi said in the Karate Kid, Part 2:

mr miyagi quote from karate kid: best way to avoid punch, no be there!
Mr. Miyagi put it best!

Here’s a risk avoidance example:

Say we're building a highway in a developing country. I know that a specific region is plagued by insurgent activity, so I might propose that the project’s scope be reduced to skip that area to avoid incurring any labour-related safety concerns. 

I could also change my approach to delivering scope. While the straight path through the potentially dangerous area might be the shortest, significant stakeholder risks could be avoided by taking a longer route.

3. And don’t forget the “transfer” option, either

With a transfer strategy, the objective is to shift the risk to a third-party.  While the common method of doing this is to purchase insurance, outsourcing a subset of your project’s scope to a subcontractor who assumes full risk of quality or schedule issues is also an option.

One of the key benefits of risk transfer strategy is that it can completely eliminate specific risks which is an ideal outcome in those cases where risk severity is extreme.

Important caveat: I know that I say to look at risk avoidance and transfer response strategies. However, keep in mind that the efficacy of these tends to diminish over the lifetime of a project. During initiation and planning, they can be quite effective, but once scope and approach are nailed down, it can be a much costlier proposition to avoid or transfer risks.

As with all risk responses, neither of these strategies is free so it is important to balance the cost of avoidance or transfer against the expected financial and non-financial, i.e., reputational, impacts of risk realization before making response recommendations.

4. Be wary of the unofficial risk responses: “deny” and “bury”

I made these response terms up, but they are very real. “Deny” is a common risk response—for every risk which a stakeholder is willing to accept or actively respond to, there is at least one which they will deny exists. Just like acceptance, this denial could be active or passive.

With active denial, there’s no doubt that the stakeholder disagrees about the nature of the risk whereas with passive denial they might not confront you but they’ll ignore your attempts to get them to own the risk. These tend to be the same stakeholders who will take a strong “that won’t happen to us” stance when reviewing lessons from similar past projects.

Likewise, you’ll come across what I call the “bury” risk response. This happens when we face risks on our projects which we really don’t want to communicate as we assume that certain stakeholders will not react favorably. However, as we can’t pretend that they haven’t been identified we document them in our risk registers in such a way as to make them extremely difficult to locate or to comprehend.

These are just a couple of the “risk response anti-patterns” I’ve witnessed. If you’ve encountered any which aren’t listed above feel free to contribute in the comments below

5. Talk about individual impacts

Through a series of experiments focused on positive and negative risks, the authors of a study published in the Harvard Business Review determined that a person is more likely to make an objective, logical decision when a single significant impact is presented, as opposed to being presented along with a number of other lower impact outcomes.

Counter-intuitive as it may seem, simple communication that conveys the more important impact—and that only—can be more effective than providing a whole slew of impacts.

Recognizing that risk owners are frequently reluctant to commit time or political influence to actively respond to a risk, we might be tempted to try to stack the deck in our favor by communicating multiple potential impacts which might result if the risk gets realized.

By doing this, we might actually diminish the perceived threat or opportunity presented by the risk resulting in risk owners responding in the exact opposite manner than what we had hoped for.

To avoid this, while it is a good idea to capture complete information in our risk registers, when presenting risks to stakeholders, focus on communicating the single impact which presents the greatest threat or opportunity. Then, if you don’t get the buy-in you were hoping for, add weight to your argument by sharing other potential impacts.

6. Get your eternal optimism in check

It’s hard to think about negative risks, much less plan for them, when you think that everything will be fine. Optimism is good—just not blind optimism.

If such optimism is the prevailing mindset within a company, it can be difficult for risk owners to envision things not going according to plan. What has always intrigued me is how the same leadership teams which can be moderately effective at implementing operations or business risk capabilities will be so much weaker when it comes to project risk management.

A risk averse culture will take a long time to change for an overall organization, but a project manager should be able to influence it within the ecosystem of their projects.

7. Use data to show how risk management is working

We work hard to manage risks. But all of that doesn’t mean much to the outside person unless we can demonstrate, with numbers, that all of this risk management is producing real, beneficial effects.

To be meaningful to stakeholders, executives, clients, and teams, part of your risk management effort needs to include analyzing not only the risks but the effort spent on risk management too.

Show the positive correlation between effective risk management and successful project outcomes. In the absence of supporting internal empirical data or strong pressure from the outside to create a valid sense of urgency, senior leaders and project teams will be unwilling to sustainably invest in the required behavior and practice changes.

8. Managing risk takes time, so make sure your team has it

Too often, unhealthy levels of multitasking by project teams and stakeholders result in those practices perceived as unnecessary being jettisoned or being given lip service only.

If a team barely has time to deliver the scope of their project, how can they or equally busy risk owners be expected to expend any real efforts on considering or responding to potentialities which may never be realized?

And, if we combine this limited availability with “one size fits all” approaches to project risk management, it is no wonder that many teams will do the absolute bare minimum required to meet onerous governance requirements.

9. Put stakeholder engagement higher on your priority list

This is not to say that you must wait until all stakeholders have been identified, engaged and analyzed before commencing risk management activities. Like most project management practices, risk management is iterative—it’s perfectly fine to do a high-level risk assessment with your core team in the early days of a project before you’ve met with all key stakeholders.

That said, I still cannot overstate the importance of ensuring that stakeholder engagement ranks high on the list of prerequisites for conducting a detailed risk identification and analysis session.

Ignore this and you can safely add stakeholders as a key source of risk to your project!

10. Give regular updates on the status of risk responses

Just because you’ve had a meeting with the response owner and they’ve bought into the need for their action doesn’t mean that you can wash your hands of the risk. This is the “reinforcement” part of managing risk, and you can’t omit it.

Regularly reporting on the status of implementing risk responses to your sponsor and key stakeholders as well as following up with response owners will be needed to increase the likelihood of follow-through.

11. Mine your risks for opportunities

Companies invest in projects not to meet the triple constraint, but to achieve expected business outcomes. As such, a myopic focus on delivery excellence can still result in poor returns.

You can use a benefits risk review to evaluate the threats and opportunities affecting the realization of project benefits. It doesn’t need to be frequent—the effort required to do a quality job and the availability of the external stakeholders required to make this exercise a success would restrict it to once a month at most. Review the risks, responses, issues, and impacts that arose—and mine those risk registers to improve outcomes of future projects.

12. Make your risk prevention efforts visible

Word of an issue spreads like wildfire, and many pairs of eyes begin to closely monitor the situation. Then, when unnatural acts save the day, there are lots of people to recognize and reward the heroes. I can’t count the number of times I have witnessed “on-the-spot” awards being awarded to individuals or teams when a critical issue has been successfully resolved.

Risk management is like an effective security agency—you usually only hear about them when something bad has happened, but you rarely hear of the multiple tragedies which they deterred. The probability and timing of risk realization is always uncertain, hence the ease of recognizing good risk management behaviors in the moment is much harder than with issues which have readily visible resolution times.

So how do we shift focus from issue management to risk management?

What if we capture expected timeframes for the realization of critical risks in risk registers so that once those dates have passed without those risks being realized the team can celebrate?

quote graphic: when an issue occurs, what if we spent as much effort understanding how the issue could have been prevented in the first place as we do in resolving it and celebrating our heroic efforts
It's important to spend time recognizing both your and the team's capabilities in resolving risk.

If we start recognizing effort spent on successful prevention to the same extent that we recognize heroics, then where attention goes, energy flows.

What's next?

We did a workshop on managing risk—it's only available to DPM Members. If you're not a member, consider joining our active community of fellow project managers.

By Kiron Bondale

Kiron D. Bondale, PMP, PMI-ACP, PSM II, ICP-ACC, PMI-RMP, CDAP, CDAI is a senior consultant for World Class Productivity Inc. delivering training & consulting services. He has managed hundreds of projects in both internal and third party contexts over the past twenty years. He has set up and led Project Management Offices (PMO) and has provided agile, PPM, and project management consulting services to hundreds of clients across multiple industries. He has been published in both PM and industry-specific journals and has delivered hundreds of presentations on project management and agile topics.