What if a meteor destroys planet Earth? A straightforward, structured approach to managing risk on projects.

At the start of projects, around the time of getting the business case agreed, it can pay dividends to start taking a structured approach for managing risk. I thought I would outline a straightforward approach that can be applied on a variety of projects, in a variety of businesses. The approach falls into three sections. Firstly, the risk workshop, in which risks are identified. Secondly, risk analysis, in which the workshop output is examined. Thirdly, risk review, which embeds risk management into the regular review of the project's progress.

But before we go too far with risk management, we need to be clear what we mean by risk. A risk is an event that may or may not happen in the future, which if it does happen, will have a bearing on your project. What are dealing with is managing uncertainty.

At the risk workshop ask people to brainstorm risks. What could happen that will knock us off track? What are the problems we have with finance, the IT department, the supplier? When you feel you have captured the majority of risks, ask the team to score them in terms of likelihood of occurring and impact on the project. Many people score risks high, medium or low but I prefer scoring on a scale of 1 – 10. Likelihood and impact are the start of risk analysis and it is very productive to score risks in the workshop.

After the workshop, the risk analysis begins. It is not enough to add up crude scores for likelihood and impact to identify the 'biggest risk'. The analysis needs to verify the relative scoring and consider two more dimensions; mitigation and control. If the risk occurs, how can we mitigate it's effect on the project? Are there contingency arrangements that can be put in place, for example? Control is crucial – consider how effective your management controls are in giving you early warning that the risk is likely to occur? If you have identified a risk that your key supplier might fall victim of the recession, how close are you to them? Is your relationship good enough that they will give you fair warning? Perhaps that supplier should be attending the weekly project meeting.

Someone may chuck in a “what if a meteor destroys planet earth?” to which the only reasonable answer is “we all get destroyed too”. Focus on the risks that the project team can manage and control the impact of.

Embedding risk management into the ongoing management of the project means adding a risk review to the agenda of every project meeting. It can seem pedantic to trot out the risk log at each meeting, but it is an important part of staying on top of uncertainty. Consider each risk, is it still relevant? Has anything new emerged that needs to be captured? Check that scores for likelihood and impact are still reasonable. Review the effectiveness of management controls and mitigation options.

A structured approach to risk management provides organisations tackling project work a number of key benefits over and above effective management of the project in hand. Risk management provides a language for discussing difficulties – it can swiftly de-personalise challenges that need to be carefully thought through. Risks logs also provide an organisation with the means to learn from experience. It is our response to uncertainty that distinguishes our maturity.