Many project managers and team members seem stumped about what exactly is required in Risk Management. This blog provides a clear, no-nonsense explanation and a practical approach you can actually use.

Why Risk Management?

Imagine we live in a perfect world where nothing ever goes wrong. In that world, you wouldn't need Risk Management. But in the real world, things break, delays happen, and plans fall apart.

That's why Risk Management matters — it helps you anticipate trouble before it happens.

Interestingly, Carnegie Mellon University's Capability Maturity Model (CMM) places Risk Management at Level 3 — higher than essentials like Project Planning or Quality Assurance. It builds on those foundations to take your process maturity up a level.

Risks vs. Issues

Let's clear this up: Risks are things that might happen that you want to avoid. Issues are those risks actually happening.

Simple enough, right? You manage both, but at different stages of the game.

A Practical Example: The Family Holiday

Picture this — a family planning a road trip holiday. The plan: leave Saturday and drive seven hours to a beach destination. A clear risk? A tire could burst along the way. So, they pack a fully pumped spare and all the right tools. Smart move.

During the trip, the car hits a pothole — boom. Flat tire. That risk just became an issue. But because they had a plan, it's no big drama.

Dad pulls over, sets up triangles, unpacks the boot, swaps the tire, and they're back on the road. That's effective Risk Management in action.

Types of Risk Responses

Here are your main options when dealing with risk:

a. Avoid – Don't do the risky activity.
b. Take – Accept the risk to chase an opportunity.
c. Remove the source – Eliminate what's causing it.
d. Change likelihood – Make it less likely to occur.
e. Change consequences – Reduce the damage if it does happen.
f. Share – Spread the risk (insurance, contracts, partners).
g. Retain – Accept it knowingly.
h. Modify – Put in controls.
i. Mitigate – Reduce its impact.
j. Contingency plan – Have a recovery plan ready.

Another Example: Swimming in the Sea

Let's apply those responses to a fun one — the risk of a shark attack:

Avoid: Don't swim in the sea.
Take: Go anyway, you love the thrill.
Remove source: Swim behind shark nets.
Change likelihood: Stick to the pool.
Modify: Wear a chainmail suit.
Change consequences: Limit how often you swim.
Share: Swim with a cage-diving company.
Retain: Swim freely, fully aware.
Mitigate: Use shark repellent.
Contingency plan: Have medical aid, lifeguards, and emergency contacts ready.

Implementing a Simple Risk Management Approach

Keep it simple — not every potential problem deserves a place in your log. Track only the meaningful risks your team identifies.

Here's what to include:

ID: Unique identifier
Risk Statement: What could go wrong?
Risk Description: Details of the risk
Owner: Who's responsible
Completion Date: When mitigation is due
Severity: High / Medium / Low
Likelihood: High / Medium / Low
Treatment: Which response strategy you're applying

A spreadsheet works beautifully. Three tabs are enough:

• Tab 1: Project Information
• Tab 2: Risks Log – Track ID, Statement, Description, Owner, Dates, Severity, Likelihood, Treatment, Status
• Tab 3: Issues Log – ID, Description, Type, Owner, Dates, Status

Managing the Risk Register

Risks evolve. Some fade, others escalate. Sometimes an issue today becomes a lesson learned — a new risk for tomorrow.

Keep the log alive. Update it, review it, and make sure each action taken is recorded and dated.

Conclusion

Risk Management doesn't need to be complex. It's simply about being ready when things go sideways. Understand your risks, track them smartly, and respond with purpose — so your projects don't derail when life happens.