Looking to free up space in your home but unsure about the best way to sell your old piano? Don't let a valuable item depreciate or sit around fo...
How to create a project risk management plan: 16 steps to minimize damage.
This article provides a 16-step guide to effective project risk management planning, from risk identification and probability and impact assessment to developing mitigation strategies and contingency plans. Risk management helps businesses proactively control situations, reduce losses, and maintain progress. The article emphasizes the role of continuous monitoring, effective analysis, and flexible adjustments to ensure the project achieves its goals safely and sustainably.
In any project – whether a small startup or a large investment plan – risk is always present. A clear and effective risk management plan is the "shield" that helps businesses avoid unnecessary losses and maintain steady progress.
When developing a project risk management plan , you need to identify:
-
The probability of a risk occurring and the extent of its impact on the project;
-
Identify potential risks at each stage;
-
Develop response strategies and damage mitigation plans in the event of a risk occurring.
A well-structured plan not only helps you proactively deal with problems when they arise , but also reduces risk from the outset , ensuring the project stays on track and achieves its set goals.
Whether you're a project manager, business owner, or financial professional, mastering risk management planning will help you build a solid foundation for all future decisions.
Step 1: Understand how risk management works.
In project management practice, "risk" doesn't only have a negative meaning. It can be an opportunity or a challenge depending on how we assess and handle it. Risk management helps businesses proactively control situations , rather than reacting passively when problems occur.
Here's the simplest and most practical way to understand risk management in a project:
-
What is risk? It is the impact (positive or negative) of an event or series of events that occur during the execution of a project.
→ To put it simply: Risk = Probability of occurrence × Level of impact. -
Factors to analyze for risk assessment:
-
Event: What could happen?
-
Probability: What is the likelihood of that event occurring?
-
Impact: If it occurs, what will be the severity of the consequences?
-
Mitigation: How can the risk be reduced? By what percentage?
-
Contingency Plan: If a risk occurs, what will you do to mitigate its impact?
-
-
The basic formula in risk management:
-
Risk Reduction = Mitigation Measures × Contingency Plans
-
Exposure level = Risk – Mitigation
This is an unavoidable risk, no matter how well you plan.
-
-
Consider the costs and benefits:
Once you've determined the level of exposure, compare the costs of risk management with the benefits of undertaking the project . If the costs outweigh the benefits, you may want to reconsider. -
Assumed Risk:
In many cases, businesses are forced to accept a certain degree of risk , especially when it is a mandatory requirement or the business opportunity is exceptionally promising. This risk is often converted into monetary value to calculate the ultimate effectiveness and profitability of the project.
In summary, project risk management is not about avoiding risk at all costs, but about understanding, quantifying, and proactively controlling it to protect the long-term goals of the business.

Step 2: Define your project
Imagine you're in charge of a computer system that provides critical information to a large number of users —not life-threatening, but significantly impacting overall operations. Currently, the main server is outdated and needs replacing .
Your task is to develop a Risk Management Plan for the migration and relocation of the system to the new server .
This is a simple model, suitable for non-experts, in which risk factors and impact levels are categorized into three common levels in project management:
-
High – a high risk that is likely to occur and cause serious consequences.
-
Medium – the risk is moderate and the impact is moderate.
-
Low – the risk is minimal or the impact is negligible.
Clearly defining the project scope and the characteristics of the system needing replacement is the first and most important step in effectively identifying, classifying, and planning a response to risks.

Step 3: Gather feedback from the project team and collectively identify risks.
Don't create a risk management plan alone. A realistic and effective plan always comes from multiple perspectives within the team.
Here's how to perform this step professionally and easily:
-
Assemble the relevant team: Invite people who understand the project well – this could be systems engineers, project managers, operations staff, or customer support. Each person will see the risks from a different perspective.
-
Organize a brainstorming session:
-
Formulate a central question:
-
What risks might arise during the system relocation process?
-
How can we prevent or reduce the likelihood of them occurring?
-
If the risk actually materializes, how should we respond?
-
-
Encourage everyone to share their ideas openly and without judgment .
-
Take notes on all opinions , including those that "sound strange." Sometimes, it's these different perspectives that help you identify potential risks that others overlook.
-
-
Keep the meeting on track:
-
Avoid letting the discussion stray or turn into a "complaint session."
-
The facilitator needs to control the pace, ensuring everyone stays focused on the main objective: identifying, preventing, and managing risks.
-
-
Leverage the results:
Notes from this meeting will be an extremely important source of input data for you to use in the next steps — from risk classification and impact assessment to the development of a specific action plan .

Step 4: Identify the specific consequences of each risk.
After completing the brainstorming session, the next step is to link each risk to a specific, potentially harmful consequence . This step helps you measure the impact more clearly , avoiding vague assessments that hinder action.
To do this step well, please note the following points:
-
Assign specific consequences to each risk:
-
Don't just write vaguely like "The project is delayed" → Be specific: "The project is delayed by 13 days due to a data migration error."
-
Instead of "Exceeded budget" → It should be clearly stated: "Additional cost of 150 million VND due to the need to rent a backup server."
This level of specificity makes it easier to calculate the damage and plan a proper response .
-
-
List the consequences according to the main groups:
-
Progress: How long has the project been delayed, and what impact has this had on implementation milestones?
-
Financial: Estimated costs or damages incurred in monetary terms.
-
Technical issues: System downtime, data errors, reduced performance.
-
Customers/Users: The level of service disruption, impacting experience or reputation.
-
Personnel: Increased pressure, overtime, decreased productivity, or team morale.
-
-
Specify with numbers if possible:
-
Use days, percentages, or monetary values to quantify the consequences .
-
For example: "System error rate increased by 5%" or "Revenue loss of 200 million VND in 2 weeks."
-
-
The goal of this step is:
Identifying specific consequences helps you classify risk levels (high – medium – low) more accurately, and provides a solid basis for proposing mitigation and prevention measures in subsequent steps.

Step 5: Eliminate irrelevant or uncontrollable risks.
An effective risk management plan is not just about listing as many risks as possible , but more importantly, about identifying the actual risks that are manageable .
Remember: not all risks need or should be included in the plan.
Here's a reasonable screening method:
-
Focus on risks that can be controlled or mitigated:
-
Examples include: software errors, server failures, staff shortages, delays, and budget overruns.
-
These are factors you can proactively plan for , as they fall within the project's management scope.
-
-
Eliminate factors beyond your control:
-
Risks such as nuclear war, global pandemics, or asteroid impacts could theoretically disrupt a project, but you cannot predict them or prepare specific mitigation measures .
-
They have no practical value in an operational risk plan.
-
-
Stay realistic:
-
You may be able to "identify" these factors as existing in the business environment, but don't include them in the official risk categories .
-
Focusing on the issues you can actually handle makes your plan more concise, focused, and effective.
-
-
Core principle:
→ Only include risks in the plan that can be identified, measured, and managed.

Step 6: List all identified risk factors.
After eliminating irrelevant risks, the next step is to aggregate all remaining risks —this will form the “baseline dataset” for the subsequent risk analysis and ranking process.
Here are some tips to help you complete this step effectively:
-
Record all the risks that have been identified:
-
Based on the results of the brainstorming session and the analysis in the previous steps.
-
There's no need to sort them by importance or current likelihood — just list them all .
-
-
Keep your language concise and clear:
Each risk should be summarized in a single, specific line of description , for example:-
Data loss occurred during the system migration process.
-
Delays may occur due to software errors or staffing shortages.
-
The new server is not fully compatible with the old application.
-
Users experienced access issues after the switch.
-
Implementation costs have increased more than anticipated.
-
The equipment supplier delivered the goods late.
-
There wasn't enough time to test all the functionality.
-
-
Focus on completeness:
The goal of this phase is not to assess risks, but to ensure that no factors that could affect the project are overlooked. -
Expected results:
You will have a comprehensive risk register (initial risk register) , which will serve as the basis for subsequent steps such as classification, probability and impact assessment, and response planning.

Step 7: Determine the probability of occurrence for each risk.
Once a list of potential risks has been compiled, the next step is to assess the probability – that is, the likelihood that the risk will actually occur during project implementation.
This step helps you differentiate between risks that require attention and those that only need monitoring , thereby prioritizing resources for appropriate action.
Here's how to do it:
-
Step 1: Assess the probability of occurrence
For each risk factor on the list, determine its likelihood level:-
High: High probability, almost certain to occur (e.g., delays due to high workload).
-
Medium: This is possible, but depends on specific conditions (e.g., network connection errors during data transfer).
-
Low: Rarely occurs, only possible in exceptional circumstances (e.g., prolonged power outage during system relocation).
-
-
Step 2: If necessary, convert to a numerical value.
In some professional projects, you can assign a numerical probability value to make it easier to calculate the overall risk:-
0.01 – 0.33 = Low
-
0.34 – 0.66 = Average
-
0.67 – 1.00 = High
For example, if you estimate the probability of data loss to be around 70%, you could write it as 0.7 (High) .
-
-
Step 3: Eliminate unlikely risks
Scenarios with zero probability —such as a "dinosaur attack on a data center"—should be removed from the list . There's no need to waste time analyzing completely unrealistic risks. -
Step 4: Record the results in the Risk Register.
In the "Probability" column, enter High / Medium / Low or the corresponding numerical value for each risk.
This makes it easier for you to compare and prioritize in the next step (assessing impact and overall ranking).

Step 8: Determine the impact level of each risk.
After assessing the probability of occurrence , the next step in a risk management plan is to determine the impact – that is, the actual consequences if the risk actually materializes. This is a crucial step in understanding which risks could cause significant losses and which risks would only have a minor impact.
Here's how to do it:
-
Step 1: Assign an impact level to each risk.
Based on previously agreed-upon guidelines (e.g., timeline, cost, quality, reputation, etc.), determine:-
High: If it occurs, the risk could disrupt the project, cause significant financial losses, or seriously affect users/businesses.
→ Example: Loss of all customer data during a system migration. -
Medium: Causes temporary disruption; damage is repairable.
→ Example: A system error caused downtime for several hours. -
Low: Mild impact, causing no significant damage or being easy to handle.
→ For example: Some auxiliary features may not work immediately after the conversion.
-
-
Step 2: If necessary, use a digital scale.
In projects requiring detailed quantitative analysis, the impact level can be converted into a numerical value for easier calculation:-
0.01 – 0.33 = Low
-
0.34 – 0.66 = Average
-
0.67 – 1.00 = High
For example, an impact rating of 0.8 (High) corresponds to an estimated loss of approximately 300 million VND.
-
-
Step 3: Eliminate risks with zero impact.
If an event has no impact on the project , it should not be included in the risk list , no matter how high the probability of it occurring.
→ For example: “Employee’s dog had dinner” is completely irrelevant to the project and should be removed. -
Step 4: Update the Risk Register.
In the risk summary table, add a “Impact” column and specify the level (High / Medium / Low) or the corresponding numerical value.
This information will be used to calculate the overall risk level (Risk Score = Probability × Impact) in the next step.

Step 9: Determine the overall risk level for each factor.
Once the probability and impact have been determined, the next step is to calculate or classify the overall risk level . This forms the basis for prioritizing risks —which risks require immediate action, and which can be monitored periodically.
Here's how to do it:
-
Step 1: Combine probability and impact
Based on the two parameters assessed in the previous steps, you can use a risk matrix to determine the overall risk level.For example, a simple combination table at the L – M – H level:
Impact Low Medium High Probability (Low) Short Short Medium Probability (Medium) Short Medium High Probability (High) Medium High Very high → Based on the intersection of probability and impact, you will rank the overall risk .
-
Step 2: If using numerical values (0.00 – 1.00)
You can calculate the risk score using this formula:
→ Risk Score = Probability × ImpactFor example:
-
Risk 1: Probability = 0.6, Impact = 0.8 → Risk Score = 0.48 (Medium Risk Level)
-
Risk 2: Probability = 0.8, Impact = 0.9 → Risk Score = 0.72 (High Risk Level)
Depending on your internal standards, you can define the following conventions:
-
0.01 – 0.33 = Low
-
0.34 – 0.66 = Average
-
0.67 – 1.00 = High
-
-
Step 3: Flexibility in analysis
There is no “standard international” formula for combining probability and impact.
Each organization or project can customize the calculation method , as long as it accurately reflects the actual level of risk .
In many cases, you can flexibly switch between the L–M–H system and the arithmetic coefficient system to suit your reporting or presentation purposes. -
Step 4: Record the results in the Risk Register.
Add a “Overall Risk Level” column to show the final result — this is the baseline data for moving on to the next step: prioritizing treatment and planning action.

Step 10: Rank the risk level from high to low.
After calculating the overall risk level (a combination of probability and impact), the next step is to rank the risks . This helps you prioritize resources and make strategic decisions – focusing on addressing the risks with the greatest impact first.
How to do it:
-
Step 1: Create a list of all assessed risks.
Use the Risk Register, which includes:-
Risk name
-
Probability of occurrence
-
Impact level
-
Overall Risk Score (L–M–H)
-
-
Step 2: Sort by overall risk level
-
High/Critical: Requires immediate action; serious consequences if it occurs.
-
Medium: Requires close monitoring; can be harmful if left unchecked.
-
Low: Only periodic monitoring is needed; no immediate action is required.
Here's an example of a risk ranking chart:
No. Risk Probability Impact Overall risk level Priority ranking 1 Data loss during system migration. High High Very high 1 2 Compatibility issues between the old and new software. Medium High High 2 3 Delays due to a shortage of technical personnel. High Medium Medium 3 4 Costs increased due to renting backup servers. Medium Medium Medium 4 5 Temporary access issues after the switch. Short Short Short 5 -
-
Step 3: Determine the Risk Threshold
-
With a high risk level , you need an immediate response plan (Immediate Mitigation Plan) .
-
With medium risk , it is possible to plan for regular monitoring and trigger measures when signs of escalation appear.
-
With low risk , only general monitoring and control are required.
-
-
Step 4: Update and maintain
Risk rating is not a one-time process , but should be reviewed periodically —especially when there are changes in project scope, budget, or schedule.

Step 11: Calculate the total risk level of the project.
After ranking each individual risk, the next step is to calculate the total risk to get an overall picture of the project's risk level. This indicator helps managers assess the overall safety of the project and make decisions about whether to continue, adjust, or add resources.
The process is very simple:
-
Step 1: Convert the risk levels (H–M–L) into numerical values.
Based on the previously used scale:-
High = 0.8
-
Average = 0.5
-
Low = 0.2
-
-
Step 2: List all risk points
For example, your risk assessment table has 7 factors that are evaluated:
→ H, H, M, M, M, L, L
→ Correspondingly: 0.8, 0.8, 0.5, 0.5, 0.5, 0.2, 0.2 -
Step 3: Calculate the Average Total Risk score.
Add them all up and divide by the amount of risk:→ Average total risk score = 0.5
-
Step 4: Interpreting the results
According to the agreed-upon scale:-
0.01 – 0.33 = Low
-
0.34 – 0.66 = Average
-
0.67 – 1.00 = High
Since the average score of 0.5 falls within the range of 0.34 – 0.66 , the overall risk level of the project is "Medium" .
-
-
Step 5: Explain the practical meaning
-
The project has an acceptable level of risk , requiring regular monitoring but not reaching an alarming level .
-
However, the management team should focus on high-level risks to ensure that the overall risk level does not increase during implementation.
-

Step 12: Develop risk mitigation strategies.
Once you've identified the factors most likely to occur or have a significant impact, the next step is to develop a risk mitigation strategy —that is, to reduce the probability of the risk occurring , rather than dealing with the consequences when it does occur. This is a crucial part of a risk management plan because it helps prevent problems at their source , saving time and costs in future remediation.
Here's a practical and easy-to-implement approach:
-
1. Prioritize handling high and medium-level risks.
-
High and Medium risks should be prioritized for mitigation.
-
Low risks can be considered later or simply monitored periodically.
-
-
2. Identify measures to reduce the probability of occurrence.
Consider what might reduce the likelihood of the risk becoming a reality , for example:-
If there is a risk of delayed delivery of critical components , place an order early or choose a backup supplier .
-
If there is a risk of data loss when migrating systems , plan for a full backup before moving .
-
If there is a risk of staff shortage during the testing phase , allocate backup resources or temporarily outsource .
-
If there is a risk of the new system being incompatible with the old software , conduct early testing on a simulated environment before real deployment.
-
-
3. Evaluate the effectiveness of each measure.
-
Estimate the probability of risk after implementing the measure (e.g., from 0.7 down to 0.3).
-
Record this change in the Risk Register for tracking purposes.
-
-
4. Assign specific responsibilities for each mitigation action.
-
Each measure requires a specific person or group to take primary responsibility , avoiding a situation where "everyone is in charge and no one does anything."
-
Clearly state the completion deadline and the resources required .
-
Risk mitigation is not about eliminating risk entirely, but about proactively controlling its potential occurrence. A good mitigation plan will help stabilize the project, make it more predictable, and limit damage before the risk becomes a major problem.

Step 13: Develop Contingency Plans
After developing a mitigation strategy to reduce the likelihood of a risk occurring, the next step is to prepare a contingency plan —aimed at minimizing damage should the risk actually materialize . This is an essential part of any professional risk management plan, as unforeseen events are always possible and cannot be completely controlled .
1. Objectives of the contingency plan
-
Impact mitigation once the risk has materialized.
-
Maintain project activity at an acceptable level, rather than allowing it to come to a complete standstill.
-
Increase the flexibility and resilience of the organization or project.
2. Prioritize developing plans for "High" and "Medium" risks.
-
Focus on factors that are likely to strongly impact progress, cost, quality, or reputation .
-
Low risks may only require monitoring and flexible response when they occur.
3. Practical examples of contingency plans
-
Risk: Critical components may be delivered late.
→ Contingency plan: Use old components temporarily to maintain operations, or purchase from another supplier while waiting for new parts. -
Risk: Key personnel leaving unexpectedly.
→ Contingency plan: Have a plan in place for job handover , train replacement personnel , or hire external consultants . -
Risk: System errors after data conversion.
→ Contingency plan: Keep backups of old data and prepare a plan to revert to the old system (rollback) if necessary. -
Risk: Power outage or data center infrastructure failure.
→ Contingency plan: Maintain a backup system or temporarily switch to a secondary server while the problem is being resolved.
4. Flexible thinking – “Think outside the box”
-
You can't always control the sources of risk, especially external factors (politics, natural disasters, economic fluctuations, etc.).
-
However, you can still minimize the damage by:
-
Diversify your supply sources.
-
Expand your product/service portfolio to avoid dependence on a single revenue source.
-
Develop strategic partnerships to share risks when necessary.
-
A contingency plan is a "lifeline" that helps a project withstand unexpected events. While risks are undesirable, preparation allows for a quick response, minimizes losses, and maintains stability in all situations.

Step 14: Analyze the effectiveness of risk management strategies.
After developing and implementing mitigation measures and contingency plans , the next step is to evaluate the actual effectiveness of these measures. The goal is to see whether they have significantly reduced the likelihood or impact of the risk .
Here are some practical and easy-to-implement approaches:
-
1. Re-evaluate the probability.
-
Compare the probability of risk before and after implementing mitigation measures .
-
For example, the risk of delays, which previously had a probability of 0.7, decreased to 0.3 after increasing staff and monitoring progress weekly.
-
If the reduction is significant, the mitigation strategy can be considered highly effective .
-
-
2. Reassess the impact level.
-
Analyze whether the contingency plan reduces losses when a risk occurs .
-
For example, thanks to regular data backups, data loss incidents only affect 10% of uptime, instead of 50% as before.
-
-
3. Reassign Effective Ratings
-
Update the Risk Register with the risk score after applying the strategy .
-
This helps to reflect the actual current risk situation , rather than relying solely on initial predictions.
-
-
4. Continuous monitoring and periodic improvement
-
Risk management is an iterative process, not a one-time action .
-
Performance should be reviewed periodically (monthly or per project phase), especially when there are significant changes in schedule, costs, or personnel .
-
-
5. Learn from experience and optimize future strategies.
-
Record lessons learned from the implementation process to improve risk management methods in future projects.
-
For example: If a strategy proves ineffective, analyze the cause—whether it's due to people, processes, or external factors.
-
Effective analysis helps businesses measure the real value of risk control measures. A strategy is considered successful when it significantly reduces the likelihood of risk occurrence or the extent of damage, while also ensuring project stability and long-term cost savings.

Step 15: Calculate the effective risk level after implementing the management measure.
After implementing mitigation strategies and contingency plans , the next step is to reassess the total remaining actual risk – also known as effective risk . This indicator represents the level of remaining risk that the project must accept after taking action.
The calculation method is as follows:
-
1. Recalculate the risk level after applying the measure.
Following the review process, the seven project risks were reassessed as follows:
→ M, M, M, L, L, L, L
→ Corresponding numerical values: 0.5, 0.5, 0.5, 0.2, 0.2, 0.2, 0.2 -
2. Calculate the Average Effective Risk score.
-
3. Reassess the overall risk level.
Based on a standard scale:-
0.01 – 0.33 = Low
-
0.34 – 0.66 = Average
-
0.67 – 1.00 = High
→ Result: Total effective risk = 0.329 , corresponding to the Low level .
-
-
4. Comparison with the initial risk level
-
Before implementing the measure: Average level 0.5 (Medium)
-
After applying: Remaining value: 0.329 (Low)
→ This means that the total risk of the project has been reduced by approximately 34.2%.
-
-
5. Practical significance
-
The project has been remarkably effective in risk management , enhancing safety and control.
-
The mitigation and prevention measures have proven effective , laying a solid foundation for the implementation of the next phase.
-
This also provides a quantitative basis for demonstrating the effectiveness of risk management activities in reports to management or investors.
-
When overall risk decreases from Medium to Low , it demonstrates the success of your risk management plan. A 34.2% reduction is a very positive result – it both stabilizes the project and proves the practical value of professional risk management.

Step 16: Monitor and supervise risks throughout the project.
After identifying, analyzing, and developing response plans for each risk, the next crucial step is risk monitoring . This stage helps you detect risks early , enabling timely activation of contingency plans and preventing situations where you are caught off guard.
1. Objectives of risk monitoring
-
Identify early warning signs (Risk Cues) before risks occur.
-
Assess the extent to which risk changes throughout the project lifecycle.
-
Activating the Contingency Plan at the right time prevents widespread damage.
2. How to identify risk cues (Warning Signs of Risk)
-
For each High or Medium risk level, identify specific signs that indicate it may be imminent.
-
Here's a real-world example:
-
Risk of delays: Repeatedly missing deadlines at minor milestones, increasing backlog of work.
-
System failure risk: An unusually high increase in error logs, and a noticeable decrease in processing speed.
-
Risks of staff shortage: Increased turnover rates, decreased productivity, and employee overload.
-
Risk of cost overruns: Unexpected order changes, technical requirement changes, or supplier adjustments.
-
3. Establish a monitoring and reporting mechanism.
-
Regular monitoring: Establish a risk assessment cycle (weekly, monthly, or periodic).
-
Automated alerts: For technology or financial projects, monitoring tools (dashboard, KPI alerts) should be used to detect unusual fluctuations.
-
Rapid reporting: Upon detecting any signs of risk, the responsible team must immediately report it to management for assessment and activation of contingency plans if necessary.
4. Continuous updates and adjustments
-
Risk is not fixed — it changes with the progress and the business environment .
-
Therefore, the Risk Register needs to be continuously updated with new data, including:
-
New risks have emerged.
-
The level of impact varies.
-
The actual effectiveness of the control measures.
-
Risk monitoring is not just about tracking—it's about proactive detection, response, and control. An effective risk management system goes beyond "planning," maintaining vigilance throughout the project, ensuring that any changes are addressed promptly and effectively.

Adjusting risk management to be flexible and practical in the project.
In reality, project managers (PMs) don't always have enough time and resources to oversee the entire risk management process. Therefore, flexibility in approach is crucial to ensure effectiveness while avoiding unnecessary attention to detail.
Here's a practical, easy-to-apply approach for project managers, especially in high-pressure, resource-constrained environments:
1. Focus on the critical path of the project.
-
When the project manager is overloaded, risk analysis can be limited to critical path items , i.e., tasks that directly impact the overall project schedule.
-
Multiple critical paths can be calculated , along with lag time, to predict early which tasks are likely to fall into high-risk areas .
-
This approach optimizes time while ensuring focus remains on the right areas, especially when a Project Manager has to manage multiple projects simultaneously.
2. Balancing risk management and overall project management
-
Risk management is an essential part of a project , but it shouldn't consume all resources and overshadow other planning, coordination, and control activities.
-
The goal is to integrate risk into the decision-making process , rather than turning it into a "project within a project".
3. Measuring the monetary value of risk reduction.
Let's assume your project has a total value of $1,000,000 :
-
Initial risk: 0.5 × 1,000,000 = 500,000 USD
-
Remaining risk (Exposure): 0.329 × 1,000,000 = 329,000 USD
→ Risk reduction value = $171,000
This means you've reduced potential risk by $171,000 through management measures.
This figure also represents the maximum reasonable cost you can allocate to risk management activities — similar to insurance premiums in the overall project budget.
4. Always be ready for change.
-
Risk is a variable, not a fixed factor . A risk that is high today may decrease or disappear tomorrow.
-
New risks may arise due to changes in the environment, technology, or regulations.
-
Therefore, continuously update the Risk Register and adjust your response strategy according to the actual situation.
5. Assessing Risk Tolerance
-
Based on the Exposure score, you can assess the risk tolerance of the project.
-
For example: With a $1,000,000 project, an Exposure of 0.329 means you could face $329,000 in potential risk .
-
If the budget is insufficient to cover this expense, reconsider the project scope or objectives .
-
6. Activate the Early Warning System.
-
Every contingency plan should include an early warning mechanism to identify when it needs to be activated.
-
If test results or indicators help detect risks, prioritize addressing and monitoring those signals early.
-
If you don't already have a warning system, proactively design one , for example: KPIs, a quick reporting system, or an automated monitoring tool.
7. Continuous recording and updating
-
Maintain a risk tracking file on a spreadsheet (Risk Tracking Spreadsheet) .
-
Risk changes over time — old risks may disappear, and new risks may emerge .
-
Regular updates help the management team always have an accurate picture of the current risk situation.
8. Keep asking yourself: “Is there anything I’m missing?”
-
This is the most difficult but also the most important step in risk management.
-
Regularly review and ask yourself:
-
Are there any factors that haven't been considered?
-
Are there any potential risks that have been underestimated?
-
Are there any new events that could impact the project?
-
9. Flexible for small projects or managers with little experience.
-
For small projects or new project managers , some formal steps (such as calculating probabilities – detailed impact) can be skipped .
-
Instead, focus on the severity and make a decision directly.
-
For example, if power maintenance disrupts the server, choose the least risky option —move the server before the power is cut, or wait until the maintenance is complete before restarting the system.
Risk management is not just a technical process, but a strategic decision-making skill. View risk as an inherent part of any project—knowing how to accept, control, and adapt flexibly will help you maintain a balance between efficiency, cost, and long-term project stability.
References
- Ksenia Derouin. Business Strategy Specialist, OBM, and Artist. Expert Interview
- National Institute of Standards and Technology
Translated by Leigh Kennedy Ly .


3 comments
Nhiều bạn trẻ mình gặp cứ nghĩ lập kế hoạch rủi ro là lo chuyện không đâu. Nhưng thật ra, chính nhờ có kế hoạch mà mình từng cứu một dự án khỏi “chết yểu” vì nhân sự nghỉ việc đột xuất. Nhờ có phương án dự phòng, mình xoay chuyển tình thế như phim hành động. Nói thiệt, quản lý rủi ro là kỹ năng sống còn – không chỉ trong công việc mà cả trong đời sống!
Có lần mình làm dự án chuyển dữ liệu, không backup vì nghĩ “chắc không sao đâu”. Kết quả: mất sạch file khách hàng, phải gọi điện xin lại từng cái một. Khách thì khó chịu, mình thì muốn độn thổ. Giờ cứ có dự án là mình backup như thể đang giữ bí kíp võ công – không dùng thì thôi, nhưng mất là mất cả sự nghiệp!
Hồi mới làm dự án, mình chủ quan không lập kế hoạch rủi ro vì nghĩ “có gì đâu mà lo”. Ai ngờ đúng lúc triển khai thì nhà cung cấp báo… nghỉ Tết sớm! Dự án trễ 2 tuần, sếp nhìn như muốn gửi mình đi thực tập ở hành tinh khác. Từ đó, mình rút ra chân lý: rủi ro không báo trước, nên mình phải luôn báo trước với chính mình bằng một kế hoạch tử tế!