The 10 Risk Management Commandments You’re Breaking Every Day

I fear that many project managers live by the letter of the law and may fail to gain the true benefits of risk management. These individuals are too concerned with checking boxes and making the risk management processes overly complex. Let’s look at some common mistakes and how to overcome them.

Photo of calculator and pie chart

1. Thou shalt not make risk management complicated.

Every project is different. Wise project managers tailor their risk management plan to each project. Pick only the necessary inputs and tools and techniques. And speak in a manner that your sponsor, project team, and stakeholders understand. If you wish to introduce new terms (e.g., risk attitude, risk tolerance, Monte Carlo), be sure to define them.

Evaluating Project Schedules Utilizing Quantitative Risk Analysis

picture of calendarDo you remember the first time you missed a project deadline? I do. I recall the embarrassment for me and my team. I promised myself I would take proactive steps to mitigate this outcome for future projects.

Why do projects take longer than expected? Often times, risks occur and project managers lack adequate schedule reserves.

Once burned, many project managers start a bad habit – padding their project schedules. If a project is estimated at 120 days, the project manager may add a 10% pad, an additional 12 days. The project manager estimates the project duration to be 132 days.

Padding is a quick and dirty method. It provides reserves, but let’s look at a better way to estimate reserves.

Evaluating Risks Using Quantitative Risk Analysis

bar chart on computer screen

Project managers should be prepared to perform different types of risk analysis. For many projects, the quicker qualitative risk analysis is all you need. But there are occasions when you will benefit from a quantitative risk analysis.

Let’s take a look at this type of analysis: What is it? Why should we perform it? And when should it be performed?

7 Benefits of Keeping a Project Journal

Perhaps you are like me. You have lots of thoughts darting around in your mind. If you are looking for a way to sort and organize your thoughts, let’s look at the benefits of keeping a project journal.

Project managers are busy people, often managing multiple projects. During the course of a day, you may encounter all kinds of things–schedule conflicts, people issues, poor leadership by your sponsors, too many meetings, and scope creep, to name a few. Furthermore, we are so busy that it’s hard to find time to make sense of it all.

Author, blogger and speaker Michael Hyatt says, “…journaling is a means to an end. It helps me think more deeply about my life, where it is going, and what it means.” This is not only true for our personal lives, but journaling helps with our professional lives.

project manager keeping a project journal

Benefits of Project Journaling 

Here are seven ways I benefit from my project journal:

30 Quick Risk Evaluation Tips

genius evaluating risksWinston Churchill said, “True genius resides in the capacity for evaluation of uncertain, hazardous, and conflicting information.” In this article, I share 30 risk evaluation tips to help you tap into your genius. Enjoy!

  1. One of the top reasons for evaluating risks is to determine which risks are most significant.
  2. Always perform the qualitative risk assessment. The assessment is quick, but keep in mind –it’s also subjective.
  3. Determine if organizational assets such as a risk register template and probability/impact rating scale are available to jump-start your evaluation.
  4. Be sure to update the risk register each time you evaluate your risks.
  5. When evaluating each risk, consider the causal factors, the risk itself or uncertainty, and the impacts.
  6. Probability is the likelihood that a risk may occur.
  7. Impact is the effect or consequence on the project if the risk occurs.
  8. Multiply probability and impact to calculate a risk score (e.g., 4 x 5 = 20).
  9. Be sure to define your rating scales for probability and impact.
  10. Concerned with the velocity (e.g., time-to-impact) of your risks? Consider rating velocity along with probability and impact. Here is an example of how you can calculate a risk score using velocity: Risk Score = (Probability + Velocity) x Impact.
  11. Improve the quality of your risk information through interviews and workshops before evaluating your risks.
  12. There may be multiple causal factors for a single risk.
  13. There may be multiple impacts for a single risk.
  14. Some root causes are common to multiple risks. Responding to these root causes often provide high leverage.
  15. Look out for the high power/high influence stakeholders who wish to bias risk ratings for their own benefit.
  16. Beware – some individuals may be biased in their assessments because they lack an understanding of the risks. Educate stakeholders on the risks.
  17. Perform an assumption analysis before evaluating your risks.
  18. Not all bias is bad. For example, if the sponsor says that the budget is the most important priority, consider this factor in your ratings.
  19. Things change. Therefore, conduct periodic risk reviews.
  20. Consider evaluating your risks again when there are significant changes in the project or when you hit project milestones.
  21. Lots of small risks can create a large cumulative risk exposure.
  22. When multiple activities converge into a successor activity, the risk for the successor activity is greatly increased.
  23. Sum the individual risk scores to calculate the total project risk score. You may divide the project risk score by the number of risks to calculate the average risk score.
  24. Risks that may occur later in a project should be considered as a higher risk than the risks that may occur early in the project. Why? There is less response time, greater uncertainty, and greater impact.
  25. The same risk may occur multiple times in the same project. Should you use the same risk response? Yes, if the response plan is working. Look for ways to tweak the response for a one-two punch.
  26. Want a way to analyze risks at a higher level than the individual risks? Group risks by category (e.g., time, cost, scope, and quality). Sum and compare risk scores by category. How have the risk exposures in the categories changed from one risk review to the next risk review? Why did the exposures change?
  27. Determine high-priority risks. Define a risk threshold (e.g., risks with a risk score of X or higher).
  28. Be sure to involve appropriate stakeholders in the evaluation of your risks.
  29. Right size your risk evaluation process.
  30. Perform quantitative risk assessments when more detailed information is required for project decisions. Quantitative risk analysis is not always mandatory.
How to Actually Perform a Qualitative Risk Analysis Mini-Course. I’ve developed this course to help you quickly review the concepts of qualitative risk analysis. You’ll be able to test your understanding through a quiz. Additional risk evaluation resources are provided including a FREE risk register template. Click here to enroll!

How to Evaluate Risk Velocity

Life is filled with risks. Some risks occur slowly. Others strike with little warning. Let’s look at how to evaluate risk velocity and why it matters.

What is Risk Velocity?

Risk velocity is the time to impact. Think of velocity as an estimate of the time frame within which a risk may occur.

Why Risk Velocity Matters

When the velocity is low, we have more time to respond to the risks. For a threat, we may take steps to reduce the probability and impact. The risk owner has time to develop a contingency plan (i.e., a plan we will execute if the risk occurs) and a fallback plan (i.e., a plan we will execute if the contingency plan fails).

If the velocity is very high, threats strike quickly. Thus, these risks are more likely to become issues, costing more time and money. Here are some causal factors for high-velocity risks:

  • Sponsor notifies you that two critical team members need to be transitioned to another project within two weeks
  • The servers that you ordered for your test region are going to be two to three weeks late
  • Wildfires are emerging into the area of your offices

Imagine that two risks have a risk score of 20 on a scale of 25. But Risk A will likely to occur in a two to three weeks where Risk B will take at least six months. Which risk merits your attention most? See the difference?

How to Reduce Risk Evaluation Bias

We all have biases; many are helpful. In projects, we have biases towards successful projects and motivated teams. If a project sponsor says that schedule is the top priority, the project team has a bias towards meeting the schedule.

However, some biases are harmful. Stakeholders may attempt to sway project decisions in unfair ways. These biases undermine the health of the project and breed distrust.

Let’s look at different types of biases and ways to reduce bias in the risk evaluations. These steps will help ensure the right decisions are made for the right reasons.

What are the Motives and Perception?

Stakeholders may exhibit different types of bias. PMI’s Practice Standard for Project Risk Management explains motivational bias is “where someone is trying to bias the result in one direction or another.” Cognitive biases occur as people make inferences in an illogical fashion. Cognitive biases are based on people’s perceptions.

How to Manage Bias

  1. Uncloak the bias. Project managers should watch and listen for bias. Expose the bias in one-on-one meetings or team meetings, whichever is most appropriate. Be careful – do not judge or challenge too quickly. Be slow to speak. Listen. Seek to understand.

  2. Have open conversations. When a bias is not understood, the project manager should dig deeper. If the bias is based on the wrong perceptions, provide the facts. If the bias is ill intended, ask non-threatening questions that allow the individual to understand how the bias may negatively affect the project.

  3. Reduce the subjectivity. Project managers use qualitative methods to evaluate risks quickly. Some project managers fail to understand that they may be creating greater bias. Let’s look for ways to reduce the subjectivity while keeping the convenience and speed of the qualitative methods.

How to Reduce Bias When Evaluating Risks

For small projects, I use a KISS (Keep It Super Simple) Method for qualitative risk assessments. This one-dimensional technique involves rating risks as:

  • Very Low
  • Low
  • Medium
  • High
  • Very High

While the KISS Method is a simple and quick way to prioritize risks, it is also subjective and open to greater bias. When I use this method, I focus on open and honest conversations about the ratings.

A more common qualitative method is the two-dimensional Probability/Impact matrix. With this method, we rate probability and impact on a scale such as 1 to 10, with 10 being the highest. This method provides a more in-depth analysis of risks as compared to the KISS Method. However, a scale of 1-10 is still highly subjective.

How can we reduce the subjectivity?

The first step is to define qualitative terms (e.g., Low – Very High) for the ratings. Here is an example:


Another step is to define ranges for the scale (e.g., 0-5% for Low). Defining the scale reduces subjectivity and drives greater consistency in the ratings.


If the probability or likelihood of a risk is approximately 15%, we assign a probability rating of 5. If the potential impact on the budget or schedule is 55%, we assign an impact rating of 9. The resulting risk score would be 45 (i.e., 5 x 9 = 45).

If stakeholders need objectivity, perform a quantitative risk analysis. Quantitative risk analysis takes more time than qualitative risk analysis. However, this method provides objective information and data for business decisions.

Read: How to Actually Perform a Qualitative Risk Analysis>>


My Top 10 Most Popular Blog Posts of 2017

My aim this year was to help more project managers than ever. It happened. Allow me to share the results of my most popular blog posts of 2017.

picture of Harry Hall writing my most popular blog posts of 2017

One of my goals was to have 50,000 people visit the Project Risk Coach website. Thanks to you, I had more than 57,500. Visitors spent an average of 4 minutes and 29 seconds per visit. My visitor traffic continues to grow at a steady pace. I experienced a significant increase in the last quarter of 2017.


Where were the visitors from? Here were the top counties:

  • The United States
  • The United Kingdom
  • Australia
  • India
  • Canada

Most Popular Blog Posts of 2017

You may have noticed that I wrote more about project risk management than ever with a sprinkling of general project management articles. Hopefully, you’ve gained further insights for identifying, evaluating, responding to and controlling your risks.

  1. How to Develop a Project Charter
  2. 7 Things You Ought to Know About Identifying Risks
  3. How to Determine Project Budget Reserves
  4. 7 Ways to Treat Risks
  5. The What, Why, and How of Projects
  6. How to Improve Results With Better Risk Statements
  7. 7 Ways to Identify Risks
  8. How to Think Ahead With a Project Plan
  9. 7 Benefits of Keeping a Project Journal
  10. How to Build and Use a Risk Register

Focus of 2018

I am grateful that the demand for my consulting services, particularly in the P&C insurance industry, has been great in 2017. In 2018,  I’d like to teach more with individuals and small groups, both online and face-to-face.

I see my primary audience as practicing project managers in the United States with a college education. Most are between the ages of 30 and 60 and most work in the financial industry.

Irrespective of where you live or what you do, I hope you will find the Project Risk Coach as a go-to resource for project management tips, tools, and techniques.

Please Take My Reader Survey

Reader Survey. Please help me help YOU. It is my sincere desire to provide greater value to you in 2018. Click here to complete a quick survey.

7 Ways to Identify Risks

one person interviewing another person to identify risksSuccessful project managers have a common trait – they identify and manage risks. Let’s look at seven tools and techniques to identify risks.

Often project managers start with a splash. They get the team together, identify lots of risks, and enter them into an Excel spreadsheet. However, the risks are never discussed again.

What happens when project managers and their team fail to identify risks in an iterative fashion? Teams spend their time and energy on things that do not matter. Risks are not identified and turn into more costly issues. Project teams are not aware of emerging killer risks.

How to Improve Results With Better Risk Statements

Vague risk statements lead to poor risk response planning. When organizations or project teams fail to respond to significant risks (i.e., threats and opportunities), these groups fail to achieve their goals and reach their potential. Risk management starts with identifying risks and writing clear risk statements.

man writing better risk statements

Why do people define risks poorly? I am convinced that most people simply don’t know how. Allow me to share some simple tips that can improve your ability to write clear risk statements.

Test Your Risk Statements

When I ask someone to identify a risk, individuals often respond with something  like “there is a conflict between two executive sponsors” or “the estimates are incorrect” or “we are experiencing system outages.” But these are facts or conditions that are true, not statements of uncertainty. In other words, these are causes that give rise to uncertain events or conditions.