“Continually evaluate exposure to risk, both opportunities and threats, to maximize positive impacts and minimize negative impacts to the project and its outcomes.” PMBOK pg. 53
“What happens if you see a bear and then it tries to eat you? What if you’re running in the dark and fall off a cliff and break both your legs, can’t move, and then a bear eats you!? So much could happen!!” This is the conversation I had with my wife when I got confirmation of entrance into my first 50 mile trail race. The race took place in northern Minnesota and is known to have black bears in the region.
“That’s a risk I’m willing to take” I responded. Having done trail runs in the past, I understand the risks involved (bears are actually very low in the risk category) and mitigate as many as possible. In this area, the bigger risks are bees/wasps, falling rocks on the steep climbs, rolling an ankle, and getting lost by taking the wrong trail. Though I, and my fellow runners, mitigate as much as possible, you can never run away from all risks in anything we do!

A risk is defined as an uncertain event or condition that, if it does occur, has a positive or negative impact on one or more objectives. I’ve known some PM’s who say all projects have all the same risks; resources (people/equipment), money, time, scope, and quality. I would agree with that. And though categorically this is true, these risks will be different from project to project, because every project is unique.
So what is the best type of risk identification and documentation approach? Here’s my answer; it’s the approach where you identify, document, and continually discuss mitigation strategies. Qualifying a risk is a must, quantifying is nice but not required. It doesn’t need to be complex or full of algorithms. Many projects don’t even document risks or have risk registers, so even the simplest approach puts you ahead of the game. There two risk identification approaches that I like to take.
The first are basic interviews with a variety of stakeholders. The project sponsor, as well as those in leadership roles, can help identify negative and positive risks. In an interview with someone from sales earlier this year, they asked how we would quickly scale up if the product being created exceeded sales expectations by 50%. “Wildly successful” was added as a project risk. I interview and discuss risks the project team regularly and update the risk register throughout the project. Other stakeholders are also interviewed and I ask my standard question with them; what would prevent this project from being successful. Their answers are added to the register.
Another method I’ve used is “What if shit happened?” I ask the project team “Imagine we released. Thinking back, what shit happened?” Sure, you’ll get a few smarty pants responses. But, you’ll also get a lot of valid responses, too. Talk about and document these risks. This type of exercise can even be a little fun!

Companies and PMO’s that are more mature have a structured approach to risk. The two aspects of risk the PMBOK calls out is Risk Appetite and Risk Threshold. Risk appetite is the degree of uncertainty a company is willing to accept. I’ve used this approach mostly when evaluating projects before approving and kicking them off. Risk threshold is a measure of acceptable variation. For example, if a project goes 10% over budget, it’s time to ring the alarm bells. Every company is different, so understand what yours has in place (if any).
Now, all this risk identification and structured approach is great, but risk response is where you and your team can keep your project on track when risks turn into issues. The response should be appropriate to the significance of the risk (don’t stop all work and pull your team into a 1/2 day meeting for a low impact issue). Determine if the risk response needs additional approvals before executing. Once it’s time to execute, ensure the response is owned by the right person(s).
Risks. Every project has them, and some have more risks than others. Don’t try to overcomplicate risk identification and categorization. Interview a variety of stakeholders. Qualify risks. Quantify if you can. Make it a regular habit to review them. And finally, properly respond to risks when they occur.
Project Management Institute. (2021). A Guide to the Project Management Body of Knowledge (PMBOK guide) (7th ed.). Project Management Institute.