Product Family


Project Management Professional (PMP), Risk Manager – Loss Prevention and Education, Design Professional

The goal of project risk management is risk mitigation—reducing uncertainty while keeping the project’s objectives intact. An organized approach can help you achieve your goals along with those of your client.

Can you answer these questions about your current project?

  • What are your project risks?
  • Who is responsible for managing those risks?
  • What are the warning indicators?
  • What is the likelihood that a risk event will occur?
  • What is the potential magnitude of each risk?
  • What is the best strategy for mitigating each risk?

Risk can vary in its degree and its impact on a project. To effectively mitigate risk is to avoid the potential consequences of project failure. This article presents a step-by-step process for analyzing and mitigating project risk.

The benefits of risk analysis
The purpose of risk analysis is to determine the cause, effect, and magnitude of a perceived risk and develop and examine options for avoiding or mitigating it. It also entails understanding the danger signs that a project is headed off track and prioritizing necessary corrective actions.

Risk analysis can also strengthen your relationship with the client and other project participants in these ways:

  1. It showcases your experience for the client. Your risk analysis demonstrates the knowledge you’ve gained through your work on similar projects and gives you the opportunity to discuss with your client the kinds of issues you’ve encountered in the past and how you plan to avoid or mitigate them on this project.
  2. It demonstrates to your client that you are proactively managing risk. Identify risks before the project starts and discuss the concerns (e.g., scope, schedule, budget) and risk triggers that you’ll monitor as the project progresses.
  3. It provides the project team members, including the client, with a tool they can use to stay alert to project risk and take steps to mitigate potential risks before they affect the project.

Identify the risks
The first and most important phase of mitigating project risk is risk identification. Risk is first identified during the proposal phase and again before you begin work on a project. Once you identify and understand the risks, you can determine the best way to manage them.

To identify risk, you may need to draw on a number of sources (e.g., the project team, firm-related experience, past project experience, technical expertise, your lawyer and/or insurance broker). The goal is to create a comprehensive list. Below are several areas of risk and examples:

  • Contract – an uninsurable indemnification clause
  • Project scope and schedule management – likelihood of scope and schedule creep
  • Budget – potential overruns
  • Project management – lack of experience
  • Historical records – review past projects for risks that may apply to this project
  • Vendor/supplier information – risks associated with installation, usage, maintenance of equipment, or materials
  • Health and safety – site conditions, construction activities, end-user injuries
  • Stakeholder relations – public relations concerns, regulatory reviews, and approvals


The four basic risk mitigation strategies are: avoid, transfer, assume, and control.

Next, you’ll need to assess the ways your list of risks could impact your project:

  • Evaluate risk events
    Evaluate the identified risks for their potential to cause events that could adversely affect project objectives.
  • Identify risk owners
    Identify individuals who will be responsible for minimizing each identified risk by monitoring the risk, communicating problems, and taking action to mitigate or avoid the risk. These include the project manager, project team, firm principals, owners, client, contractors, and other stakeholders.
  • Identify triggers
    Identify early warning signs (e.g., excessive complaints from the client) that an adverse event has occurred or is about to occur. The triggers tell risk owners when to implement contingency or fallback plans. We know it’s frustrating to give up space for document storage or pay for archive service. However, it’s even more frustrating, and costly, to find yourself powerless in the face of a claim. Remember, some contractors are looking for excuses to file claims these days, so don’t throw away those old documents just yet.
  • Analyze the risks
    To determine the impact these risks have on the project, each risk must be analyzed. For example, you can qualitatively analyze risk using the formula:

Risk ratio = probability x impact

The resulting score will drive your risk response. Probability and impact are estimated subjectively or using verifiable data.

  • Probability
    What’s the estimated likelihood of an event occurring—e.g., very low, moderate, very high? Score 0 – 10, with 0 representing no risk and 10 representing certain risk.
  • Impact
    What’s the effect on the project if the event occurs? Impact (also scored 0 – 10, with 10 representing the biggest impact) is also estimated subjectively, providing a “how bad is it?” rating as shown in the chart below. What’s the estimated magnitude (minor to catastrophic), frequency (one-time to hourly), and duration of the risk (one hour to one month)?4
  • Risk ranking
    Which risks rank at or near the top? Some risks are improbable, and some are very minor with little impact. Ranking the risks using the risk rating (probability x impact) will help you prioritize your risks and determine top risks that will move forward in the risk analysis process.

Assume dependencies
Dependencies are assumptions, or “if, then” scenarios, that drive the timing, magnitude, or potential control of the risk event. Establish where your risk analysis is valid and where it will be based on uncertainty. Dependencies include a poorly defined scope of services, equipment failure, agency approvals, or changes late in the project.

Set mitigation strategies and plan responses
Risk mitigation asks, what actions can we take to proactively protect our firm and profitably manage our projects? Here are four basic risk mitigation strategies you can use. Each strategy can be used alone or in combination with others.

  • Avoid – Eliminate the threat of risk by removing its cause or selecting a lowrisk alternative approach to achieve the same objective. Taking this approach might lead you to turn down a particular project or client. Walking away may be a tough decision, but sometimes it’s the right one.
  • Transfer (also known as deflection) – Assign the risk to someone else, using insurance, your contract, or both. You can transfer risk to the owner, for example, by including contractual language such as limitation of liability and hold-harmless clauses. (Be aware, however, that your client, your consultants, and the contractor may try to transfer risk to you.) You can allocate risk that is more properly borne by your consultants by making sure that the consultant agreements are aligned with the rights and responsibilities set forth in the prime agreement. And you can review the owner-contractor general conditions to confirm that the contractor assumes the appropriate level of risk and that it hasn’t been transferred to you.
  • Assume – Retain the risk, document the risk, and either accept the consequences or develop a contingency plan (i.e., a project-fee-and-schedule contingency). Since not all risks can be transferred or avoided, assumption may be your only option. To decide whether to assume risk, either directly or by using contractual language, you should follow the principle that risk should be borne by the entity that has the best ability to control it.
  • Control – The fourth mitigation strategy is to control the risk. Since you cannot transfer all risk, you should take steps to measure, monitor, and manage those things that can go wrong. These steps may include developing balanced and equitable contracts, assembling a capable project team, offering more comprehensive services, and limiting who can sign agreements on behalf of the firm.

To respond to risk throughout the project, you should determine how much you can reduce the overall impact on the project by decreasing each risk’s probability or severity. Handling an event trigger or an actual risk event requires planning. What are you going to do if the risk event happens? What is your next step?

A contingency plan identifies alternative strategies to be used if a specified risk event occurs. This plan usually includes a contingency reserve. A reserve is the amount of budget or time above the estimate needed to reduce the risk of overruns to a level acceptable to your client and your firm. Essentially, you’re estimating a budget or schedule change (increase) to lessen the impact of a risk.

For significant project risks, a fallback plan (a stop-work plan or construction site shutdown plan) may be necessary. What actions do you take if the adverse event occurs (e.g., pandemic shutdown, building collapse, crane collapse, flood), the contingency plan is not effective, and the risk is now project failure?

All projects have at least some degree of risk. The project risk analysis tool provides a proactive approach to minimizing the consequences (impact) of adverse events, allowing us to take control of and safeguard the project against risk rather than letting the risks control us.

See the “Dealing with Risk” section and the “Contingency Fund,” “Indemnities,” “Insurance,” “Limitation of Liabilities,” and “Right to Reject or Stop Work” chapters in AXA XL’s Contract Guide, available on our new learning management system, the EDGE.


To contact the author of this story, please complete the below form

Invalid First Name
Invalid Last Name
Country is required
Invalid email
Invalid Captcha

More Articles

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. In this respect, our property loss prevention publications, services, and surveys do not address life safety or third party liability issues. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. The provision of any service does not imply that every possible hazard has been identified at a facility or that no other hazards exist. AXA XL Risk Consulting does not assume, and shall have no liability for the control, correction, continuation or modification of any existing conditions or operations. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any document or other communication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with our services, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.