
Managing Risk

posted on Jun 26, 2018

by Maria Lahiffe

We all take risks every day, from taking a shower, to driving to work, to developing a new program for our stakeholders. Risk is unavoidable, but it can be managed.

What is a Risk?

A risk is a future event which may or may not happen, and which could have a positive or negative impact on our endeavour. [1] Let’s unpack that a bit:

  • Future event: By contrast, something which has happened already is an issue
  • Not a certainty: if something is guaranteed, then it is not a risk – it is a future issue
  • Impact: if the event happens, it will have an effect. Many people work only to manage negative risks, but it is equally important to consider potential events which could have a positive effect. Any impact which could change the course of your endeavour should be considered.

Three types of risk

It can be useful to define three types of risk: known, unknown, and unknowable. [1]

Known risks: these are things that can be identified and analyzed beforehand to either (a) reduce the likelihood they will occur, or (b) reduce their impact in the event they occur. [2]

Unknown risks: these are things which were not identified beforehand and therefore not analyzed and planned for. An unknown risk could have reasonably been foreseen, if the risk identification was done properly and if the right people were consulted. Here is a good list of potential project risks.

Unknowable risks: these are things which cannot reasonably be foreseen. Examples include a terrorist attack in a small town in Ontario, or the 1997 ice storm. [1]

Unknown and unknowable risks need to be managed in the moment as they occur using a workaround paid for through a management reserve. This reserve is not usually under the control of the project manager. [2]

Analyzing risk

Risk is a product of two things: probability and consequence.

Probability: This is the likelihood that something will happen. For example, something which is likely to happen one time in two has a high likelihood. Something with a likelihood of one in 100 has a low likelihood.

Consequence: this is the impact that the event would have if it occurs.

Use the following steps to analyze risk. This downloadable form can help.

  1. List the risks. Make sure you consult a broad cross-section of your stakeholders, to ensure that your list is as complete as possible. You don’t want to get caught by an unknown risk which you could have anticipated.
  2. For each risk, assess
    1. Probability (likelihood) as low, medium, or high
    2. Consequence (impact) as low, medium, or high
  3. Map each risk onto a risk analysis grid.


Risk Response

There are five potential responses to risk: [3]

  1. Avoidance
  2. Acceptance
  3. Monitoring and preparation
  4. Mitigation
  5. Transference


Avoidance

The easiest way to remove risk is to avoid it, by removing the risk-bearing tasks from the project. This makes sense if the tasks form a small part of the project, but they bear a high risk. Avoidance will require changes to the project scope, resources and/or time.


Acceptance

Remember that everything carries risk. It is impossible to completely remove all risks from anything you do. If the risk is low, then it may make the most sense simply to accept that the risk may happen. It can be wise to allow for a contingency – such as time, cost, and/or resources – which may become necessary if the risk comes to pass.

Monitoring and Preparation

This is along the same lines as acceptance. Monitor and prepare for risks which are medium to high but which cannot be managed any other way. An example could be an unrealistic deadline imposed by a stakeholder: the likelihood of missing the deadline is high.

  • Make a plan to monitor the triggers which will activate the risk.
    In the case of the example, you may decide to monitor the schedule variance weekly.
  • Build action plans which can be mobilized immediately if the risk happens.
    In the example case, you may plan to notify person X if the schedule variance is greater than Y. That way, if the risk occurs, you don’t have to think – you simply follow the plan.


Mitigation

This means changing the project plan to reduce the likelihood, impact, or both, of the risk you are analyzing. Here are some possible mitigation strategies:

  • Reduce the complexity of the project
  • Add more resources
  • Add time to the schedule
  • Supervise more closely
  • Train staff more thoroughly


Transference

The last possibility is to transfer the risk to someone else. In the non-profit sector, the main ways to transfer risk are (a) purchasing insurance, or (b) contracting out the difficult work to a more experienced company.

