Risk management has a specific place in protocols and risk management models. In this article we will discuss the six steps to controlling risk for risk managers, as broken down in the PMBOK: planning, identification, qualitative analysis, quantitative analysis, response planning and monitoring.

In short, a risk manager should take the reins of the risk control process with a detailed plan; find out which risks may affect team members and the various units of the organization; assess risks from the perspective of the whole organization; create action plans to respond to each of the risks if they occur; and monitor continuously in order to improve the plan.

Risk management planning

Like any other aspect of project management, risk prevention and response in the case of risk occurrence should be subject to strict planning. Risk management is iterative, implying that the planning phase will be reviewed after each cycle.

More specifically, planning involves a series of essential decisions that will affect the following five steps. Choosing methodologies, assigning responsibilities, defining types and categories of risks, and allocating resources are some of the main areas of focus at this stage.

Risk identification

This step is to identify the risks that may affect the development of the project and understand their characteristics. It is essential to identify all risks that may potentially influence the project so that the necessary precautions can be taken and disaster can be avoided. Therefore, planning for all risks is essential. Do not ignore them but instead control them.

For the identification of risks, multiple systems can be used.

One of them is to draw on similar precedents, both in our own company and in other companies that resemble it in activity or reach.

Another possibility is to use specific analyzing tools (Ishikawa diagram, flowchart or other types of specialized diagram systems) or other standardized analysis systems, such as SWOT analysis (Strengths, Weaknesses, Opportunities, Threats).

Finally, if the first two possibilities are not feasible, you can resort to expert judgment.

After identification, it is important to classify the risks that have been detected by type (technical, external, organizational, management, etc.), by their influence on the project (mild, moderate or severe impact), and by the probability of the risk arising (low, intermediate or high).

Qualitative analysis

This analysis is used initially to filter risks and prioritize them in order of importance and severity, although it may not be the best in terms of accuracy and speed.

This type of analysis is also used for risks which need immediate attention. The urgency leads to an analysis that, despite not being the best in absolute terms, is most appropriate for the time available.

The results of this analysis should be reflected in a risk assessment matrix.

Quantitative analysis

This is a more comprehensive system of analysis, but also the most complex and time-consuming.

To perform a quantitative analysis, specific quantitative risk analysis systems should be used, such as mathematical simulations (e.g. Monte Carlo).

A simpler option is to use a decision tree with which you can numerically illustrate the parameters derived for each choice.
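The following added example (not part of the original article) runs a Monte Carlo simulation over a small risk register and compares it with the analytic expected value that a decision tree would give. The register entries, the triangular impact distribution and the 80th-percentile figure are assumptions made for illustration.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance the risk occurs during the project
    low: float          # optimistic cost impact if it occurs
    likely: float       # most likely cost impact
    high: float         # pessimistic cost impact

# Constructed sample register; names and figures are illustrative only.
REGISTER = [
    Risk("Key supplier delivers late", 0.30, 10_000, 25_000, 60_000),
    Risk("Requirements change after design freeze", 0.50, 5_000, 15_000, 40_000),
    Risk("Lead engineer leaves the project", 0.10, 20_000, 50_000, 120_000),
]

def expected_monetary_value(risks):
    """Decision-tree style expectation: sum of probability * mean impact."""
    return sum(r.probability * (r.low + r.likely + r.high) / 3 for r in risks)

def simulate(risks, trials=20_000, seed=1):
    """Return the sorted total cost impact of each simulated project run."""
    rng = random.Random(seed)  # fixed seed keeps the analysis reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            if rng.random() < r.probability:  # does the risk occur this run?
                total += rng.triangular(r.low, r.high, r.likely)
        totals.append(total)
    return sorted(totals)

def summarize(risks, trials=20_000, seed=1):
    totals = simulate(risks, trials, seed)
    p80_index = min(len(totals) - 1, int(0.80 * len(totals)))
    return {
        "emv": expected_monetary_value(risks),
        "mean": sum(totals) / len(totals),
        "p80": totals[p80_index],  # cost not exceeded in 80% of runs
        "p_no_impact": sum(1 for t in totals if t == 0.0) / len(totals),
    }

if __name__ == "__main__":
    for key, value in summarize(REGISTER).items():
        print(f"{key}: {value:,.2f}")
```

The simulated mean converges on the decision-tree expectation, while the 80th percentile shows how much larger a reserve must be to cover most outcomes rather than the average one.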

If it is not possible to quantify the risks, you can turn to experts in the field to conduct an assessment.

Ideally, experts should be external to the project in order to prevent conflicts of interest. In addition, to avoid bias, the evaluation should be conducted blindly without knowing the outcome of assessments made by the other experts.

There are differences between this point and the assessment of experts in qualitative analysis. In the qualitative case, experts estimate the relative importance of different types of risks in order to focus on the most important; in the quantitative case, experts, despite not having actual data, provide estimates that are as accurate as possible based on their experience and the results of other projects that they have previously led.

Risk response planning

When a threat is verified, the response must be preplanned and follow the correct procedure. Action plans must be drawn up when a risk is present in the project in order to prevent its occurrence. This may include transferring the risk to an external agent or mitigating its effects in the event that it occurs. Where risks cannot be avoided, in the event of circumstances beyond our control or scope, contingency plans should be developed that allow for coordinated and appropriate action.

Risk monitoring

To predict whether or not risks may occur, it is necessary to know their warning signs so that they can be anticipated. If this is not possible, monitoring mechanisms should be in place so that a risk in a project can be detected the moment it presents itself.

The purpose of these systems is to instil the attitudes of anticipating risks and having contingency plans in place before the risk has significantly influenced the project.

In addition, self-monitoring the reaction to risks and their occurrence can improve prevention measures, and thus reduce the time and increase the efficiency of the reaction.




Juan Delgado

Blogger ITM Platform
