A project risk is anything that could negatively affect your project's timeline, budget, quality, or scope if it occurs. It is not a problem. A problem has already happened. A risk is something that might happen. Managing risks means identifying the most significant ones early, assessing how likely they are to occur and how bad the impact would be, and putting a plan in place before they become problems.
Most project managers do not track risks formally. They carry them in their heads. They know the project depends on a vendor delivering on time, that one team member is at risk of leaving, and that the software integration has not been tested yet. But none of those concerns are written down or assigned an owner. When one of them materializes, it becomes an emergency that could have been managed if it had been tracked.
How to Score a Risk
Every identified risk gets scored on two factors: probability and impact. Both are scored on a scale of one to five.
Probability measures how likely the risk is to occur. A score of one means it is very unlikely. A score of five means it is almost certain to happen if nothing changes. Impact measures how severely the risk would affect the project if it occurred. A score of one means the impact is minor and manageable. A score of five means the project would be significantly derailed or stopped.
Multiply the two scores to get a risk score. Maximum score is 25. Use three thresholds: a score above 15 requires immediate action, a score of 8 to 15 requires active monitoring, and a score below 8 can be logged and reviewed periodically.
| Risk Score | Category | Action Required |
|---|---|---|
| 16 to 25 | High | Act now. Assign owner. Implement mitigation this week. |
| 8 to 15 | Medium | Monitor weekly. Have a contingency plan ready. |
| 1 to 7 | Low | Log and review monthly. No immediate action required. |
The 5-Risk Weekly Log
Every project needs a risk log. It does not need to be complex. A simple spreadsheet with five columns is enough: risk description, probability score, impact score, total risk score, and mitigation owner with a due date.
Review the risk log at the start of every week. Ask two questions for each risk: has anything changed about the probability or impact since last week, and is the mitigation plan being executed on schedule? Update the scores and owners accordingly. Bring the highest-scoring risk to the weekly status meeting as the single risk to flag that week.
The most common project risks that go untracked: key resource availability, external vendor or supplier dependencies, technology or integration failures, stakeholder approval delays, and scope assumptions that were never validated. Add these five categories to every new risk log as a starting checklist.
The Difference Between a Risk and an Issue
A risk is something that might happen. An issue is something that has already happened and needs to be resolved. Both need to be tracked, but they require different responses. A risk needs a mitigation plan to prevent it from occurring or to reduce its impact. An issue needs a resolution plan to address the impact that has already materialized.
Keep risks and issues in separate logs. Mixing them creates confusion about what is being prevented and what is being fixed. When a risk occurs, move it from the risk log to the issue log and update the response accordingly.
What to Do When a High-Scoring Risk Has No Clear Mitigation
Some risks cannot be fully mitigated. A key vendor may be unreliable and there is no backup supplier. A regulatory approval may be uncertain and there is no alternative path. In these cases, the risk needs to be escalated to the project sponsor with three things: a clear description of the risk, its probability and impact score, and the range of outcomes if it occurs.
The sponsor then decides whether to proceed with the risk, adjust the project to reduce the risk, or pause the project until the risk is resolved. That is a sponsor decision, not a project manager decision. The project manager's job is to surface the risk clearly and early, not to absorb it silently and hope it does not occur.
Use the free Scope Creep Risk Checker to assess the most common category of project risk that operations managers face. Subscribe at the homepage to receive your PIN.
More Project Management Reads
- How to Stop Scope Creep Before It Derails Your Project
- How to Manage Projects Without a PMP. The 15-Minute Sprint
- How Operations Managers Can Actually Use AI on Projects
- The Difference Between a Busy Project and a Healthy One
- How to Recover a Project That Is Off the Rails
Free Project Management Tools
Get free tools built for project managers who learned on the job.
Charter template, sprint system, dashboard, recovery checklist, and AI prompt library. All free. Delivered instantly.