The Four Pillars of an Effective Project Risk Management Plan

An effective Risk Management Plan ideally considers multiple controls and intertwining processes that produce a system that doesn’t stop learning.

Risk management planning is often a key project topic that comes to mind when strategizing towards a future state of a project, regardless of industry or company size. Risk management goes beyond a simple checklist of “to-do’s” and “not-to-do’s”; it is instead a dynamic and interconnected system of processes that continuously reinforces awareness of a project’s unknowns. Ideally, risk management is an iterative process that follows a framework establishing best practices at all seniority levels. Company leaders influence formal policies, for example, as well as the social culture in which a project team confronts risks or uncertainties.

Our views on effective risk management cover four pillars:

One: Risk Identification

Identifying the causes and sources from which risks may arise.

Two: Risk Evaluation

Evaluating the impact and probability that a risk may entail.

Three: Risk Handling

Deciding how a risk should be measured and engaged with to reduce its fallout.

Four: Risk Controlling

Ongoing controls that report on and monitor risks, including any further changes.

A system that holistically identifies, evaluates, mitigates and controls the impact of most project uncertainties as they occur is a proactively iterative one. The unexpected and unknown variables may lead to unwanted scenarios that are unpreventable. An effective risk management plan would minimize its probability of happening – and mitigate the fallout of any undesired results – while also keeping visibility and tracking the fallout that affected the project at hand.

Risks can be identified from various sources during a project, and these sources should be used in conjunction with one another rather than relying on a single source as the standard operating procedure. Risk repositories or risk logs provide one angle: a central list in which all uncertainties, together with their explanations or sources, are recorded. Checklist analyses and expert judgements (e.g. external consultants or subject matter experts (SMEs)) can come together to identify gaps, or to brainstorm and interview for potential weak points within an engagement. Additionally, as a big part of risk mitigation, regularly scheduled project status reports or project calls can provide insight into current issues faced, threshold violations or potential changes that need to be escalated to the attention of the greater team.

All risks can also be evaluated and handled within a few manageable categories, for example: whether a risk falls on the “technical” side of a company (technology, interfaces, performance), or whether it is “external” (marketplace, customers, vendors), “organizational” or “project management” related (i.e. budgeting). A matrix approach can be used to determine which risks carry higher or lower exposure for the team: the probability that a risk will happen (low, medium and high percentages ranging from 0% to 100%) is multiplied by the impact that the risk would have on the project (likewise low, medium and high percentages ranging from 0% to 100%). The results allow the team to prioritize risks by impact, category and source, providing awareness and allowing risk mitigation strategies to be formulated.

Lastly, in mitigating risks, a response should pay attention to both the “bigger-picture” strategic implications and the “tactical”, lower-altitude considerations. Risk responses may vary with the risk profile or social culture of a company or country. Still, the idea of confronting and mitigating risks always starts from similar management principles. Risk responses should uphold the delegation of responsibility, accountability and relevancy to those assigned; costs and time should be evaluated, and the selected response plan should be documented and justified against the other alternatives.

Ultimately, prioritization of risks often becomes a constant focal point of its own for many project teams, as resources are almost always finite. A resource or process should also be in place to track awareness of the risks at hand. If risk mitigation within a corporate structure does not have sufficient help or ability to encompass all risks, the angle of attack should at least aim to contain the threats with the most severe exposure or highest priority.
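The matrix approach described above (probability multiplied by impact, each expressed as a 0% to 100% value in low, medium or high bands, grouped by category and source) and the prioritization under finite resources can be made concrete as a small risk register. The following is an added illustration, not code from the article or from Withum; the band cut-offs (33 and 66), the field names and the sample risks are all our own assumptions, since the article gives the bands but not their boundaries.

```python
from dataclasses import dataclass

# Assumed cut-offs for turning a 0-100 percentage into the article's
# low / medium / high bands. The article names the bands but not the limits.
BANDS = ((33, "low"), (66, "medium"), (100, "high"))

# The four risk categories named in the article.
CATEGORIES = {"technical", "external", "organizational", "project management"}


def band(pct: float) -> str:
    """Map a 0-100 percentage (probability, impact or exposure) to a band."""
    if not 0 <= pct <= 100:
        raise ValueError(f"percentage out of range: {pct}")
    for upper, label in BANDS:
        if pct <= upper:
            return label
    raise AssertionError("unreachable: BANDS must end at 100")


@dataclass
class Risk:
    """One row of the risk register (a hypothetical schema)."""
    name: str
    category: str      # one of CATEGORIES
    source: str        # where it was identified: risk log, status call, SME ...
    probability: int   # 0-100, chance the risk materialises
    impact: int        # 0-100, damage to the project if it does

    def __post_init__(self) -> None:
        # Reject rows that would silently distort the matrix.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category!r}")
        for field_name in ("probability", "impact"):
            value = getattr(self, field_name)
            if not 0 <= value <= 100:
                raise ValueError(f"{field_name} out of range: {value}")

    @property
    def exposure(self) -> float:
        """Probability x impact, rescaled so the result stays on 0-100."""
        return self.probability * self.impact / 100


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest exposure first, so the team sees the worst items at the top."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)


def contain(risks: list[Risk], capacity: int) -> list[Risk]:
    """With finite resources, keep only the `capacity` most severe risks."""
    return prioritize(risks)[:capacity]


def summarize(risks: list[Risk]) -> list[tuple[str, str, float, str]]:
    """Rows of (name, category, exposure, exposure band), prioritized."""
    return [(r.name, r.category, r.exposure, band(r.exposure))
            for r in prioritize(risks)]


# Constructed sample register (not real project data).
SAMPLE_REGISTER = [
    Risk("Vendor API deprecation before go-live", "external",
         "status call", probability=60, impact=80),
    Risk("Integration environment instability", "technical",
         "risk log", probability=80, impact=40),
    Risk("Lead engineer leaving mid-project", "organizational",
         "SME interview", probability=30, impact=90),
    Risk("Cloud spend overrunning budget", "project management",
         "checklist analysis", probability=70, impact=50),
]

if __name__ == "__main__":
    for name, category, exposure, label in summarize(SAMPLE_REGISTER):
        print(f"{exposure:5.1f}  {label:<6}  {category:<18}  {name}")
    print("Containment set (capacity 2):",
          [r.name for r in contain(SAMPLE_REGISTER, 2)])
```

Note that a risk with a high probability but modest impact (the integration environment, 80% x 40%) lands below a less likely but more damaging one (the vendor deprecation, 60% x 80%); that is exactly the re-ordering the matrix is meant to surface, and the reason the team should not prioritize on probability alone.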

To summarize, a risk management plan that encompasses a start-to-end process of identifying, evaluating, handling and controlling risks will ultimately encourage an iterative process. This includes learning about new risks and uncertainties through a company’s formal policies or the social corporate culture of a team. Seen this way, risk management planning is far from a simple checklist of things “to do” (or “not to do”).

Author: Jones Yiu | [email protected]

Contact Us

Whether you’re looking for assistance identifying risks, developing action plans or linking your business objectives, risks and strategies, contact Withum’s Business and Management Consulting Team to learn how we can help.