Project Risk Management: What Could Go Wrong?

Something going wrong, like a delay, extra cost, or missed deadline. If a threat actually happens, it turns into an issue that you need to manage right away.

Example: "Our key supplier might be late with deliveries" becomes an issue when they actually are late.

Something going better than expected, like finding a faster way to deliver or saving money.

Example: "We might finish early if the weather holds" or "A new technology could halve our costs."

What this means: Finding and documenting potential risks before they become problems. You're actively looking for what could go wrong (threats) or what could go better than expected (opportunities).

Start simple. In your next team meeting, ask:

• "What could go wrong here?"
• "What assumptions are we making that might not be true?"
• "What would we regret not preparing for?"
• "What's the one thing that could catch us off guard?"
• "What happened on similar projects?"

Get different perspectives: Talk to your delivery teams, they know where things usually break. Chat with suppliers, they've seen this movie before. Check in with stakeholders, they understand the politics and constraints you might miss. Don't forget end users, they often spot practical risks that technical teams overlook.

Write everything down: Ideally in a risk log, think of it as your project's worry list. It doesn't need to be sophisticated. Even multi-million pound programmes can work with a simple spreadsheet. What matters is that it's visible, updated, and used.

What this means: Working out which risks to lose sleep over. This isn't about precise percentages or complex matrices.

Three simple questions:

• How likely is it to happen? Almost certain, quite possible, or unlikely but worth watching?
• How bad would it be if it did? Showstopper? Major delays? Or just a minor hassle?
• When might it hit? Next week or in three months? Near-term risks need immediate action.

Think about it like this: Would I need to call my boss immediately, mention it in the weekly report, or just handle it myself? That printer risk? Probably not worth your time. That specialist resource leaving? Yeah, let's talk about that one.

What this means: Every significant risk needs a response, not just documentation.

For threats (things that could go wrong):

• Avoid it: Change the plan so the risk disappears
• Reduce it: Make it less likely or less painful
• Transfer it: Share the risk with someone else
• Accept it: Sometimes you just have to live with it (but monitor it)

For opportunities (things that could go better):

• Exploit it: Make sure the opportunity happens
• Enhance it: Increase the probability or positive impact
• Share it: Partner with others to maximise the benefit
• Accept it: Be ready to take advantage if it happens

Key point: Take action, not just writing "monitor and review" next to every risk.

What this means: This is where most risk management falls apart. If no one owns it, no one manages it.

The principle: Every significant risk needs a name next to it. Not "the team", not "TBD", but an actual person who'll be accountable if it happens.

They don't have to fix it alone, but they need to track it, update it, and raise the flag if it's getting worse. People are happy to own risks when they understand why it matters and have the authority to do something about it.

Have a conversation: "This could really impact your area, would you be best placed to keep an eye on it?"

The truth: Most risk registers die after the first month. They get created with enthusiasm, then sit untouched while real risks evolve and new ones emerge.

Make it easy: Build risk reviews into your existing rhythm. Take 10 minutes in your weekly team catch-up:

• "Any new risks emerged this week?"
• "Any of our existing risks getting worse?"
• "Any we can close off?"

Keep it conversational. Informal risk chats over coffee often surface more real concerns than formal monthly risk reviews.

Risk management isn't just a process, it's a human challenge. We're better at spotting short-term risks than long-term ones.

Research in Neuroscience & Biobehavioral Reviews confirms that we place less weight on future risks, a concept known as temporal discounting (Peters & Büchel, 2011). If something feels far away in time, our brain treats it as less urgent or important.

That's why near-term risks get more attention than long-term threats. If you only focus on what's immediately in front of you, you miss the bigger risks building up.

The project manager's job is to help the team visualise the future, to make abstract risks feel real enough to act on.

Ask vivid, time-based questions:

• "Think about the week before go-live, what could throw us off track?"
• "What would we regret not preparing for?"
• "What's an assumption we're treating as fact?"

Use relatable timeframes: Instead of "Q4 risk", say "This might affect our Christmas shutdown and what would that mean for us?"

By painting the picture together, you help the team prepare with clarity, not fear.

Here's something we rarely do: celebrate when risk management actually works. When you avoid a major issue because someone spotted it early, that's a win. When an opportunity gets exploited and delivers extra value, that deserves recognition.

Calling out these successes helps teams see the value in the process. "Remember that supplier risk we flagged? Good thing we had that backup ready."

This isn't just feel-good stuff. It's how you build a culture where risk management is valued, not seen as admin.

Risk management can become challenging, especially when things get difficult. At key checkpoints in your project: after major milestones, at stage gates, or quarterly, take time to reflect:

• Is our risk process actually helping or just creating paperwork?
• What risks did we miss, and why?
• What did we worry about that never materialised?
• Are we learning from near-misses or just moving on?

This reflection stops you falling into the trap of just going through the motions. If your risk process isn't helping you make better decisions, change it. The goal is to manage uncertainty, not to have perfect documentation.

What it means: Change the plan so the risk disappears completely.

Example: Dependent on third-party deliverables you can't control? Bring that work in-house to eliminate the dependency if viable.

When to use: When you can remove the risk entirely without compromising the project.

What it means: Make it less likely to happen or less painful if it does.

Example: Worried about a supplier? Build in buffer time or line up a backup.

When to use: When you can't eliminate the risk but can decrease its probability or impact.

What it means: Share the risk with someone else (usually through contracts or insurance).

Example: Include warranty provisions in the contract to transfer defect risks to the vendor.

When to use: When another party is better placed to manage the risk or absorb its impact.

What it means: Sometimes you just have to live with it. But monitor it.

Example: Weather risks for outdoor work might just have to be accepted with contingency time built in.

When to use: When the cost of addressing the risk outweighs the potential impact, or when no other options exist.

What it means: Make sure the opportunity happens. Lock it in.

Example: Found a faster delivery method? Restructure the plan to guarantee you can use it.

When to use: When you can make the opportunity certain rather than just possible.

What it means: Increase the probability or positive impact of the opportunity.

Example: Early finish looking possible? Add resources to make it more likely.

When to use: When you can invest to increase the chances or benefits of the opportunity.

What it means: Partner with others to maximise the benefit.

Example: Potential to deliver a new capability early? Partner with another team who can help resource and benefit from it.

When to use: When collaboration can amplify the opportunity's value.

What it means: Be ready to take advantage if it happens, but don't force it.

Example: If conditions align perfectly, we could save budget. Monitor and be prepared to act if the opportunity arises.

When to use: When the opportunity is uncertain but you want to be ready to capitalise if it occurs.