Risk management is frequently added as an afterthought in the Project planning process. It is also a process that Project Managers adopt with the best of intentions at the beginning of a project; however, this adoption frequently loses steam midway as the schedule, quality, scope and budget pressures on the Project Manager increase and stakeholder support for risk management drops. Only in mature organizations do we see Risk management being actively pursued with the same vigor & persistence throughout the Project lifecycle as other Project aspects such as schedule, cost, quality, etc.

One major reason why this happens is that many organizations do not fully realize the benefits to be accrued from implementing an effective risk management program, and the repercussions of not having one. Further, Project Managers may not be able to appropriately qualify & demonstrate this value and these implications to all stakeholders, especially at Executive levels.

This paper proposes a set of process steps & templates to systematically improve stakeholder engagement on risk management at different levels of the organization, and thus improve the effectiveness of Risk Identification, Prioritization, Communication and Mitigation within applicable projects.

It is to be noted that many of the steps in this paper are already defined and in use elsewhere; this paper merely brings these steps together. It also attempts to bridge certain gaps and address certain areas of improvement, specifically relating to the visual representation of risk categorization & prioritization.

Problem statement:

The Chaos Manifesto, 2013 [1] has named Executive support, User involvement, and Project Management expertise as 3 of the Top 10 drivers for Project success. The McKinsey & Oxford University study 2012 [2] concluded that the foremost approach to improve project performance is to “focus on managing stakeholders and strategy instead of concentrating on budgeting and scheduling”. Yet, other than Quality Management, Risk Management is likely the most misused and underutilized knowledge area of A Guide to the Project Management Body of Knowledge (PMBOK® Guide)—Fourth edition (Project Management Institute [PMI], 2008).

Risk management implementations are frequently less than effective, most typically due to:

  • Lack of engagement of impacted stakeholders during Risk identification
  • Lack of engagement and support from Executive stakeholders for “Help needed” activities during Risk Mitigation phase

The Root causes of both the above factors lie in ineffective Project Management, and are compounded by the lack of Organizational Project management maturity. The Politics & Culture of the Organization also play a major part, by influencing levels of Executive support to projects and initiatives.


This article proposes a series of steps and templates that can be adopted to drive improvements in Risk acceptance by impacted stakeholder teams, while also driving improvements in establishing visibility of major risks & help needed at the requisite Senior Management and/or Executive levels of the Organization.


1. Structured Risk identification:

It is proposed that we use VIRT (Visual Ishikawa Risk Technique [3], also called Cause and Effect diagram or Fishbone diagram) or other similar approaches, combined with group interactions (such as Brainstorming, Facilitated Workshops, Delphi technique, etc.) to identify risks as well as to engage the entire Project team on the identified risks.

2. Qualify & categorize risks:

Risk assessment can be performed using a traditional Risk matrix, but the quality of assessment and prioritization can be significantly improved by enhancing the risk attributes used for risk quantification and categorization.

It is proposed that for risk assessment, we adopt the COSO ERM Integrated Framework guidance for Risk assessments as documented in “Risk Management in Practice” [5].

3. Generate a Visual representation of risks:

It is proposed that we use the Risk Heat map to generate a visual representation of identified risks.

The Risk Heat map charts risks in the traditional manner, with Likelihood & Consequence on the X- and Y-axes of a matrix, and then enhances the visual depiction by including the Vulnerability and Speed of Onset of the risks in the chart.

4. Identify risk conflicts/ escalations:

It is proposed that we use a Risk Interaction matrix to identify and document Risk conflicts and escalations.

5. Generate a Visual representation of Risk Interaction:

It is proposed that we use the Risk Interaction map to generate a visual representation of prioritized risks.

6. Submit to Project Governance Forum:

It is proposed that we establish formal, periodic Project Governance channels to drive up visibility into the requisite Senior Management or Executive layers of the Organization. It is further proposed that we use the Risk Heat map & Risk Interaction map in conjunction to improve Executive/ Senior Management visibility and engagement on high-priority risks that need their attention & action.


Additional Information on Templates used:

For additional details on the Risk Matrix and Risk Map, and to access the Templates, please read the article “Enhanced Risk Matrix and Risk Heat Map” in the Assets area of the pmExcell website.

For additional details on the Risk Interaction Matrix and Risk Interaction Map, and to access the Templates, please read the article “Enhanced Risk Interaction Matrix and Risk Interaction Map” in the Assets area of the pmExcell website.



To be successful, Risk assessment requires adequate resources as well as Executive commitment. Risk Assessment cannot survive in isolation, without being supported by and being dynamically connected to an Organization-level Process Framework that includes processes such as Project Governance, Portfolio management, Financial planning, Contingency reserve management, etc. Risk acceptance & visibility are critical to project success, especially as the complexity of the project increases.


Additional Notes:

VIRT is a mechanism that can be used to progressively elaborate the causes of risks, given a specific effect.

An example implementation of a Fishbone diagram is provided in the white paper “Application of Fishbone diagram to determine the risk of an event with multiple causes” [4] (Link: http://mrp.ase.ro/no21/f1.pdf).

Information on approaches for Group interactions can be located here:



[1] Chaos Manifesto, Standish Group, 2013.

[2] McKinsey and Oxford University study – Delivering large scale IT projects on time, on budget, and on value, 2012.

[3] Visual Ishikawa Risk Technique – An Approach to Risk Management, Jen R, PMI Virtual Library.

[4] Application of Fishbone diagram to determine the risk of an event with multiple causes, Ilie G. and Ciocoiu C.N.

[5] Risk Management in Practice, Dr. Curtis, P. and Carey, M., Deloitte & Touche LLP, Research commissioned by COSO (Committee of Sponsoring Organizations of the Treadway Commission).