Identifying Risk


Customer Focus and UX: Introduction and Project (Online)
Requirements Gathering Videos

Identifying Risk

The definition of risk, from the point of view of our projects, is:

“An uncertain event or set of circumstances that should it or they occur would have an effect on the achievement of one or more of the project objectives.”

(APM, Project Risk Analysis and Management Guide, Second Edition)


“Risk management is a process that allows individual risk events and overall risk to be understood and managed proactively, optimising success by minimising threats and maximising opportunities.”

You see that one of the first features of risk management is that it is a process. This indicates that it is continuous. It’s not enough to do it once and then forget about it.

The definition also mentions individual and overall risk, so context and internal and external risk have to be identified.

We must understand and manage proactively to minimise the threats and maximise the opportunities that come from the risks. How is it that we can maximise an opportunity from risk?

Consider that a risk could be that we finish too early on a task. People end up sitting and waiting around doing nothing (which costs money). We could maximise the opportunity in this risk, by having other work ready for them.

So, identifying that this could happen and having a plan on how to deal with it, is an example of risk management.

Risk identification and the risk log

When you identify a risk in your risk log, Probability and Impact are the most important factors. So, if a risk is most likely to happen and has a great impact on the project, we must identify them, make a contingency plan or plan to minimise the risk.

There are different methods available to assess risk. Let’s start with a simple matrix. 

An example risk matrix

Sensitivity = how sensitive is the potential impact on the project for the assumption to be true:

  • A – Negligible impact
  • B - Manageable impact
  • C – Significant impact
  • D – Critical impact

Stability = how reliable or certain is the assumption made

  • 1 – Extremely credible
  • 2 - Comfortable credibility
  • 3 – Questionable credibility
  • 4 – Most likely false

You have Risk A and Risk B identified, so you simply put them on the matrix according to the judged sensitivity (potential impact) and stability (likeliness to happen), and you can see that Risk B needs your attention more than Risk A.

This next assessment uses formulae to identify accurately where a risk can be placed on the matrix. That numerical value makes it easier to prioritise in a risk log. To the left of the diagram you see probability (likelihood of it happening) from Very Low (VLO) to Very High (VHI) and at the bottom you see impact (effect on project).

An example risk matrix, this time showing priority level increasing in importance towards the top corner of high probability and high impact


  • Quantitative and qualitative
  • Risk x Probability factor x Impact = place on chart

Risk A   = 0.5 x 0.1 = 0.05

Risk B    = 0.9 x 0.8 = 0.72

Risk C   = 0.1 x 0.8 = 0.08

Risk D   = 0.9 x 0.05 = 0.045

These results allow you to more accurately rank the different risks, and give them appropriate attention.

Threats and opportunities

Once all risks have been identified and prioritised, you need to identify them as a threat or an opportunity and plan the response of how you would proceed when it happens. 

An example flowchart showing risks split into threats and opportunities, then plan response, then decide

In the case of a threat, you can:

  • Accept a threat and plan a response
  • Avoid it by changing things in the process so that it will not occur
  • Reduce the chances of it happening, by taking mitigating actions
  • Transfer the risk (outsource to another company)

For opportunities, you can reject it, enhance or exploit (so you would welcome that risk), or share the opportunity with another project or organisation.

It's important to know that you must plan your response ahead of the project happening and stick to it.

Benefits of risk management

Here’s a summary of the benefits of risk management:

  • Better prepared when something goes wrong
  • Increased credibility with stakeholders and sponsor
  • Increased likelihood of completing project on TCQ
  • Allows for better financial and benefits decision making
  • Clear allocation of responsibilities with risk owner
  • Improved team morale and promotes openness
  • Facilitates greater risk-taking and benefit exploitation
  • Improves communication
  • Helps the organisation to assess risk in future

Requirements Gathering

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.