Chapter 10. Project Risks

10.1 Project Risk

10.1.1 Definition of Project Risks

Uncertainty is a lack of understanding and awareness of issues, events, paths to follow, or solutions to pursue. It is a state of not knowing or unpredictability. Uncertainty presents threats and opportunities that project teams explore, assess, and decide how to handle. Risks are an aspect of uncertainty [1]. Therefore, an uncertainty is not equal to a risk. Risks can be measured, while uncertainties cannot be. Potential outcomes of risks can be described, but it wouldn’t be possible to determine the outcomes for uncertainties. Risks can be controlled if response strategies can be defined and monitored during the project.

The project team can respond to a risk if the risk triggers are identified and a risk owner monitors it, among other factors. Thus, when the project teams discuss all possible uncertainties in the initiation and planning stages, they can determine the occurrence probability and the impact scale. For example, in our Grocery LLC’s m-commerce project, testers may not detect some of the important code errors, which might lead to rework, schedule slippage, and cost overruns. Considering the previous projects and lessons learned, we can predict the probability of this risk and how it may affect the project if it occurs. Such events become manageable risks because the project team can identify triggers and create mitigation strategies, such as code reviews and additional testing phases, to reduce the likelihood and impact. However, we can never be sure whether a tester has malicious intentions (e.g., sabotage or data leakage) to help a strong competitor. Hence, this would be an uncertainty, not a risk. Measures like background checks, ethics policies, and monitoring systems can be established at the organizational level to address such uncertainties indirectly. However, they cannot be pinpointed or controlled as a project risk.

It is important to remember that the project team cannot take immediate action to mitigate the likelihood and consequences of a risk, because risks are future events that may occur. If the project team can take immediate action, the item is not considered a risk but an issue, problem, event, or benefit that should be incorporated into project plan components such as the product scope (e.g., requirements), project schedule, and resource allocation plan. Active issues can be added to the Issue Log to record and monitor information on them.

Risk vs. Uncertainty

  • Risk is an uncertainty, but not all uncertainties are risks.
  • Risk deals with known unknowns, whereas uncertainties deal with unknown unknowns.
  • Risks can be measured through the probability and impact of risks.
  • The outcomes of the risks can be described.

Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives [2]. Risks exist in all projects. It is important to remember that risk does not always create negative outcomes but can also lead to positive outcomes. Subsections 10.1.2 and 10.1.3 below elaborate on both types of risk with examples.

Before proceeding with 10.1.2, it is essential to define three uncertainty-related concepts [3]. Ambiguity, complexity, and volatility can lead to uncertainty and risk within a project.

  • Ambiguity: A state of being unclear, having difficulty in identifying the cause of events, or having multiple options from which to choose.

An example of conceptual ambiguity could be, “The project budget is under control.” Here, it’s unclear whether “under control” means the project is within the approved budget, that the team is closely monitoring costs, or that a certain threshold has been set to manage expenses. Furthermore, “under control” could have different interpretations across departments: finance may see it as strictly adhering to forecasts, while project teams may interpret it as having the flexibility to adjust. This ambiguity can be reduced by establishing a precise definition of “under control,” such as “within 5% of the approved budget,” and ensuring all stakeholders understand and agree on this meaning.

  • Complexity: A characteristic of a program or project or its environment that is difficult to manage due to human behavior, system behavior, and ambiguity.

An example of complexity could be found in a large-scale urban transportation project that integrates a new metro line with existing bus, train, and bike-sharing systems. Here, complexity arises because each transportation mode has its own schedules, maintenance needs, and user expectations. Additionally, diverse stakeholders, such as city planners, transportation companies, local government, and commuters, have different priorities and objectives. This interconnected system could lead to unintended consequences, such as congestion at transfer points or imbalanced demand across modes.

  • Volatility: The possibility for rapid and unpredictable change.

In a construction project, the price of raw materials like steel and lumber may fluctuate frequently due to market demand and supply chain disruptions. These rapid changes can impact the budget and timeline of the project.

Poor Project Management vs. Risks/Uncertainties

  • Effective project management requires meticulous planning, precise resource qualification definitions, and comprehensive requirements specification through stakeholder engagement.
  • Issues arising from poor planning or oversight, such as coding errors due to inadequate developer qualifications or ambiguous requirements, are not considered risks. These are management deficiencies.
  • Properly managing project scope, quality, communication, and stakeholder engagement is crucial to prevent these issues from affecting project outcomes, as they result from management gaps, not risks or uncertainties.

10.1.2 Negative Project Risks

In practice, project teams mostly encounter negative risks. These risks might jeopardize a project’s progress and lead to failure if they occur. Remember that these are considered risks if the project team can predict the probability and impact levels and cannot take immediate action to avoid, escalate, transfer, mitigate, or accept these risks (see 10.5 Developing and Implementing Risk Response). Some examples of a negative project risk are:

  • The machines we plan to use in the project have historically experienced a 5% downtime rate. Therefore, we should be prepared to manage any potential downtime occurrences.
  • Some vendors we will work with during our project experienced delivery delays in past projects. Although they have earned the trust of our organization, we should be prepared to manage any delays.
  • A key human resource for an activity may become sick or find a better job and leave the organization.
  • Projects that depend on good weather, such as road construction projects, face the risk of delays due to exceptionally wet or windy weather.
  • Safety risks are also common on construction projects.
  • Changes in the value of local currency during a project affect purchasing power and budgets on projects with large international components.

An Example of a Negative Risk (Threat)

A construction company is building a 20-story building in a Northeastern state, and they are expected to finish it by February. However, the project team knows that winter is not a preferred season for construction work, and the adverse weather conditions may disrupt activities, leading to schedule delays and cost overruns. This is why the project team should evaluate all the possible risks from inclement weather, such as snowstorms. The project team can obtain long-term historical data and seasonal forecasts from the National Weather Service and monitor daily and weekly weather forecasts. Based on this data, expert opinions, and project team discussions, a probability percentage and impact level can be predicted for this risk.

Two Negative Risks for the Grocery LLC’s Mobile-Commerce Project

  1. Risk of Delays Due to Technical Issues in App Development
    • Given the complexity of integrating new features across Android and iOS platforms, technical issues, such as compatibility challenges or bugs in the SDKs (Software Development Kits), pose a potential risk to the project schedule. These potential issues are recognized as a possibility that could interfere with the project timeline.
    • The project team should review historical data and consult with experienced developers to assess common technical challenges in similar projects. By doing so, they can estimate these issues’ probability and potential impact. Weekly testing and monitoring can be added to the WBS in the project scope and requirements in the product scope, and resources can be added to these activities. While these steps reduce the likelihood or impact of the risk, they do not eliminate it entirely.
    • This is why the project team should discuss the probability and impact levels after the steps above have been taken, create a response strategy, include a contingency reserve, and provide a specific course of action if the risk materializes despite the preventive activities.
  2. Risk of Increased Costs Due to Fluctuating Software Licensing Fees
    • Given the potential for fluctuations in software licensing fees and SDK costs, there is a recognized risk that fees may increase unexpectedly, impacting the project budget. Although some variability in fees is anticipated, the exact changes cannot be predicted, making this an inherent risk that could necessitate unplanned additional funds.
    • To address this, the project team should monitor historical cost data and stay informed of current industry trends to assess the likelihood and potential impact of any fee increases. Preventive steps should be incorporated into the project scope, such as setting up alerts for fee changes and establishing communication with vendors for early notice. While these actions can reduce the risk’s potential impact, they cannot eliminate it entirely.
    • Therefore, after implementing these measures, the project team should assess the probability and impact levels, develop a response strategy, and include a contingency reserve in the budget. This approach ensures that the team is prepared with a specific course of action to mitigate any financial impact if the risk materializes despite preventive actions.

10.1.3 Positive Project Risks

Some risks may make achieving a project’s objective easier, and therefore, they have a positive impact. Some examples of these risks are described below:

  • The potential to utilize an easier way to do a task.
    • There is a potential opportunity to adopt a new software development framework during the project execution. This framework, if available and suitable for our needs, could significantly streamline the development process.
  • Acquiring some materials at lower prices than estimated.
  • A potential change in organizational process that can accelerate the procurement of some materials.
  • A new technology that has been developed and can be introduced to the market while we carry out the project.
  • Our organization has applied for a grant that, if approved, could provide additional funding for the project.

For the five positive risks above, a project manager’s response strategy when they occur can be to exploit or enhance, two of the five alternative strategies (see 10.5 Developing and Implementing Risk Response).

An Example of a Positive Risk (Opportunity)

Company XYZ is considering developing a new electric toothbrush, which customers are asking for according to consumer surveys across the USA. The project team prepared all the plans and estimated that this project would take nine months to finish. The new toothbrush can be introduced to the market at the end of the project. The project team will use a 3D printer to create prototypes while developing and testing various toothbrush types. While working on the risk management plan, the team became aware of ongoing research on a new 3D printer that is faster and can print more durable items with more details. Based on the analysis, the team found that this new printer can expedite the project. If this positive risk occurs during the project, it can shorten the project by one month, resulting in an 8-month project duration. So, the project team allocated a contingency reserve for this opportunity. If the 3D printing company can make this new printer available to the market around the fifth month of the project at the latest, the project team can purchase it. The estimated cost for this new printer was determined to be $25,000. Therefore, this money is placed as a contingency reserve.

Two Positive Risks for the Grocery LLC’s Mobile-Commerce Project

  1. Risk of Streamlined Development Process with an Enhanced Software Development Framework
    • During the project execution phase, a more efficient software development framework or updated SDK tools may become available. If this framework is compatible with our project requirements, it could simplify development tasks, improve code quality, and reduce overall development time, contributing to a smoother project timeline.
    • The project team should regularly monitor industry news and updates from Android and iOS SDK providers. If a beneficial framework or tool is released, the team should evaluate its suitability for integration into the project, with provisions for additional training if required to take advantage of this opportunity.
  2. Risk of Lower Procurement Costs for Essential Software Licenses
    • There is a potential opportunity to acquire some necessary software licenses or development tools at lower-than-estimated prices. Vendors offering discounts or promotional pricing during the project could reduce the overall project cost and potentially free up budget resources for additional features or contingency planning.
    • The project team should monitor vendors and industry platforms for any potential discounts or promotions. The team should also maintain flexibility in the procurement timeline to take advantage of these savings opportunities.

10.1.4 Post-Project Issues/Uncertainties and Benefits

Project risks impact the project’s objectives, activities, timeline, budget, quality, stakeholder management, and communications during the project lifecycle. Effective project management involves identifying, assessing, and managing these risks to ensure successful project delivery. These risks are directly linked to project activities and require active management throughout the project lifecycle.

10.1.4.1 Post-Project Issues/Uncertainties

When the inspection committee and the client approve deliverables at the end of the execution (implementation) phase, the close-out phase starts. The deliverables are handed over to the operational teams, the administrative and financial closure procedures are finalized, and the project team is disbanded. Then, the post-project or the operational phase starts. This new phase may be subject to various issues regarding the deliverable’s performance, its adoption by the users (e.g., customers, consumers, and end users), regulatory changes, and maintenance and support challenges. The project manager, project team, or business analysts are expected to carry out feasibility studies to understand the future situation of the market and consumers during the preparation of the business case and project initiation and planning phases. If the business analysts find out during the business case preparation that the adoption of the project deliverables by the customers when the project is completed would be low due to reasons such as a competitor’s dominant market share, changing consumer habits, expectations of radical changes in technology (e.g., artificial intelligence), and customers’ reluctance to purchase our deliverables based on surveys, the alternative solutions to the business need are revised according to these studies. The project team may also reveal findings that need revisions in the project scope during the initiation and planning phases. For instance, if the interviews with the stakeholders point out a low adoption of our project deliverable when it is completed, the team considers it a serious indicator. This should lead to a discussion within the team and with the executive management and the client on whether to terminate the project or revise it.

If there is substantial uncertainty regarding the customers’ adoption of the deliverables, this is not recorded as a risk but a post-project issue that requires a serious revision of the project. In any case, these issues or uncertainties emerge after the project is officially closed and impact the project’s outcomes or the long-term success of its deliverables. Eventually, as highlighted in the previous sentences, although these risks are not directly linked to project activities during the project lifecycle, the project manager and team must anticipate and consider them during the planning and handover phases to minimize long-term issues. Examples of post-project issues include:

  • User Adoption Risk: Customers may be slow to adopt the project deliverables for various reasons, such as established shopping habits or preferences for competitor products and services. In the worst scenario, customers may not purchase the deliverables, leading to a fiasco. Some examples of low customer adoption are Google Glass [4] (a wearable augmented reality headset), Segway personal transporter [5] (a self-balancing personal transportation device), Amazon’s Fire Phone [6] (a smartphone designed to integrate Amazon services), and Coca-Cola’s New Coke that was reformulated in 1985 [7].
  • Product Performance Issues: After launch, the deliverables may face performance issues, such as slow loading during peak hours for websites and mobile applications. This may lead to user frustration and potentially negative reviews.
  • Regulatory Changes: Regulations that become effective after the project is closed, such as those regarding data protection, privacy, environment, health and safety, financial compliance, product safety and quality standards, labor and employment, trade, and import/export, could necessitate revisions and updates to the deliverables. This usually requires developing a new project to comply with the new regulatory changes.
  • Market Changes: Competitors may release similar services with enhanced features. It may affect the market share and possibly necessitate further updates or marketing efforts to maintain competitiveness.
  • Maintenance and Support Challenges: Higher-than-anticipated maintenance needs, such as bug fixes or security updates in a mobile app, website, or security software, may increase costs and affect the service’s long-term sustainability.

10.1.4.2 Project Benefits

Another essential point is distinguishing positive risks from the project benefits, which are the intended positive outcomes and value the project seeks to deliver for the organization and its stakeholders. These benefits are critical to the project’s success measures and should be identified, monitored, and optimized during and after the project. Examples include:

  • Increased Revenue: Organizations can tap into additional revenue streams by successfully introducing a new or improved deliverable as a result of a project.
  • Enhanced Customer Satisfaction: A well-designed deliverable, whether a product, service, or business process, that meets user needs and provides value can improve the customer experience and build brand loyalty.
  • Operational Efficiency: Streamlining processes or optimizing the structure of a deliverable can lead to greater efficiency. This could lead to faster processing times, better resource utilization, and productivity gains.
  • Strengthened Market Position: By effectively delivering a high-quality product, service, or process improvement, organizations can reinforce their competitive advantage.

Benefits of the Grocery LLC’s M-Commerce Project

Tangible Benefits

  1. Increased Revenue: 25% of lost revenue will be recovered within a year after the project is completed and the mobile app is launched. If the recovered revenue is more than 25%, it is still not a positive risk but a benefit.
  2. Improved Online Presence: Online traffic and sales will increase via the mobile app and optimized mobile website.
  3. Operational Efficiency: Dependency on physical stores will be reduced, cutting operational costs related to in-store operations.
  4. Broader Market Reach: Geographic reach will be expanded through online platforms, which will enable new customer acquisition.
  5. Data Insights: The company will have an enhanced ability to collect and analyze customer behavior data for personalized marketing strategies.

Intangible Benefits

  1. Enhanced Customer Satisfaction: Greater convenience and safety will be possible for customers through user-friendly digital platforms.
  2. Stronger Brand Loyalty: Trust and long-term customer relationships will be built.
  3. Competitive Advantage: Differentiation will be achieved in a competitive market by offering advanced digital shopping solutions.
  4. Future-Proofing: A robust digital infrastructure will be established that positions Grocery LLC for evolving retail trends.
  5. Employee Engagement: Employee morale will be improved by incorporating modern tools and systems into operations.

10.1.5 Known-Unknowns and Unknown-Unknowns

As discussed in Chapter 9 for contingency and management reserves, risks are known unknowns, and uncertainties are unknown unknowns. As regards known unknowns (i.e., risks), we can identify them in the initiation and planning stages and later, when they emerge during the execution stage, and estimate the costs of additional resources and time needed if they occur. The costs allocated to compensate for managing these risks are named “contingency reserve.” However, it is not always possible for project teams to predict all the risks. Therefore, a management reserve is assigned besides the cost baseline, the sum of activity costs, and contingency reserves (Figure 10.1.1). One obvious risk that emerged at the end of 2019 and has had a severe impact on all countries since March 2020 is the COVID-19 pandemic. This pandemic was an “unknown unknown” for all the projects across the world. Some projects overcame the issues by using their management reserves besides contingency reserves. However, numerous projects failed, although they had contingency and management reserves since the impact of this pandemic exceeded their capacity and capability limits.

Figure 10.1.1: Project Budget Components
Adapted from PMBOK Guide Sixth Edition

Examples are provided below for the management reserve that might be necessary to handle unknown unknowns and hence to address unforeseen situations that fall outside typical project risks:

  1. Sudden Regulatory Changes: Midway through a construction project, new building codes or environmental regulations that were not anticipated during planning may be introduced. This requires modifications to designs, materials, or safety standards. A management reserve would help cover additional costs and time for compliance.
  2. Unexpected Technological Advances: A breakthrough technology could emerge in a long-term tech development project. The project may need to adapt or integrate new components to remain competitive. Management reserve funds could cover research, training, or new equipment to implement this unforeseen advancement.
  3. Natural Disasters: Unexpected natural events like earthquakes, hurricanes, or floods could delay a construction project, damage materials, or require additional safety measures. While specific location-based risks might be planned, the reserve could cover unprecedented disaster-related costs.
  4. Supplier or Vendor Issues: If a critical supplier suddenly goes out of business or faces significant supply chain disruptions, the project may need to locate alternative suppliers or expedite orders, often at a higher cost. A management reserve would address these unforeseen logistical challenges.
  5. Changes in Stakeholder Requirements: Occasionally, senior stakeholders might introduce significant new requirements or shift project goals based on organizational priorities. These unexpected changes could necessitate additional resources, staff, or equipment. A management reserve could support it without impacting the core project budget.
  6. Security Breaches or Cyber Threats: A previously undetected vulnerability could lead to a security breach in a software or data-heavy project. Management reserves may cover emergency cybersecurity measures, software updates, and specialized consultants to address these immediate threats.
  7. Sudden Labor Market Fluctuations: In projects that rely on specialized labor, unexpected changes in the labor market, such as mass shortages and sudden wage increases, can lead to increased hiring costs or delays in staffing. Management reserves could help to quickly bring in needed personnel at competitive rates to maintain project momentum.

10.1.6 Individual and Overall Project Risks

Another categorization of risks is individual and overall project risks. Individual risks can affect the achievement of project objectives and disrupt some activities, decisions, components, or deliverables. They can affect only one or some activities but not always the whole project. If a risk impacts the project as a whole, this risk is considered an overall project risk. Let’s consider the case study of “Grocery LLC’s M-Commerce Project” (see 4.4.3 for the WBS). One project objective is “to complete the elicitation of mobile app requirements as well as budget, schedule, and resource estimates on which all the key stakeholders agree.” Activity 2.3, “Review specifications with team and stakeholders,” is essential to identify the requirements that address all stakeholders’ expectations and concerns. However, some stakeholders may not agree on some of the requirements (see 5.2.2 for all the stakeholders in this project). The priorities of the top management, project sponsor, and product owner might not always overlap. When the project team reviews risks, they must consider all possible risks affecting activity 2.3 and the overall project. If the conflict among stakeholders affects this objective and activity 2.3, this would be counted as an individual project risk. The project team should create a contingency budget and schedule for this activity. If there is a risk regarding obtaining the funds needed to conduct project activities, this would impact the whole project and affect the overall project objective, which aims at creating a mobile app. The project team must also develop risk response strategies to tackle this risk. In addition, the project team can determine acceptable negative and positive variations for overall risks.


  1. Project Management Institute. (2021). PMBOK® Guide (7th ed.). Project Management Institute.
  2. Project Management Institute. (2017). A guide to the Project Management Body of Knowledge (PMBOK guide) (6th ed.). Project Management Institute.
  3. Project Management Institute. (2021). PMBOK® Guide (7th ed.). Project Management Institute.
  4. See https://en.wikipedia.org/wiki/Google_Glass
  5. See https://en.wikipedia.org/wiki/Segway
  6. See https://en.wikipedia.org/wiki/Fire_Phone
  7. See https://en.wikipedia.org/wiki/New_Coke

License


Project Management, 2nd Edition by Abdullah Oguz, Ph.D., PMP® is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.
