Project Management in a Small Company: Part 4

Risk Identification and Analysis

Risk Planning

All risks with a high-priority score (red) must have a risk plan. Medium risks (yellow) may or may not have a plan, and low risks (green) do not need a plan. All risks should be monitored throughout the project to make sure they do not change priority.

Example Priority Score Table

There are four main components to a risk plan: who, what, when, and how.

The “who” defines the owner of the risk, the person who monitors the risk and executes the risk plan.

There are usually four “what” response types:

  • Avoidance – avoid the risk. For example, if a vendor is typically used for a particular product and that vendor is no longer financially sound, choose another vendor.
  • Transference – transfer the risk to someone else. This is typically done by purchasing an insurance policy.
  • Mitigation – take steps to mitigate (lessen the impact of) the risk. This requires a plan that can be put into action if the risk becomes reality.
  • Acceptance – accept the consequences of the risk. Sometimes you just have to accept the outcome of an event. For example, you suspect that a key vendor will be late but they are the only vendor that can supply the required product.

The “when” response can be a specific date, a range of dates, or a trigger. A trigger is an event that defines the realization of the risk. An example of a trigger is the late delivery of a key product or the customer changing requirements. For an opportunity, a trigger could be receiving the PO for a new product feature.

“How” is the plan to handle the risk if it does occur. This could be a list of steps to take, a process that is invoked, or a list of alternative products that can be used. This plan must be followed as soon as the risk occurs.

Risk Monitoring

The project manager should review the project risks on a regular basis. The purpose of risk monitoring is to:

  • Monitor the status of high-priority risks and identify when they have been realized. When a risk is realized, its plan must be put into action.
  • Monitor the status of all identified risks to see if their priority scores change.
  • Look for new risks or opportunities as the project unfolds.

The project manager should involve the other team members in this activity as appropriate.


Risk identification, planning, and monitoring are critical project tasks that must not be skipped. There will always be “unknown unknowns,” but hopefully those will be few and far between. Properly planning for risks should eliminate surprises that could derail your project. Executing a well-crafted risk response plan to contain risks that occur could mean the difference between a successful and an unsuccessful project.

This post concludes our 4-post series on Project Management in a Small Company. Please contact us if you would like to learn how our team’s project management skills can apply to your company’s needs, or have interest in seeing any specific topics addressed in our future series.