The Real-life of Risk Management at Projects.

Bob looks nervous; he is watching his wristwatch every single minute thinking about what he needs to say when he gets into a meeting with his boss Rick. He has been called to discuss the delay of one of the major projects this year for the company.

He is not a single member of the project; he is Project Manager indeed, however with this new global illness named “COVID-19” everything has changed on the project development. He gets into the office of the sponsor:

  • Rick: Hi Bob, thanks for coming to the meeting, how you doing?
  • Bob: Hello Rick, I doing fine thanks, just a little bit worried about this illness and its impacts on the project.
  • Rick: Actually, that’s why I invite you to this meeting. The company Shareholders are worried about the recent project reports, which show some delay. We are forecasting ending 6 months later than expected and of course, this means a bunch of money for the company.
  • Bob: In matter fact, I believe that is worse than that Rick. We are not prepared to face all the consequences of this illness and keep the business continuity of the project. Every day is a big challenge. The project teams are a concern, the providers are late and so on.
  • Rick: Well Bob that is exactly what I do not want to hear out. Later this afternoon I got a meeting with shareholders and I will say to them that we will be executing the Risk response plan of our project, just tell me, do we have one for this project?
  • Bob: Not Rick, as you know, we are just starting to implement PM methodologies at the company, and risk management we are not there yet…
  • Rick: Bob, we have a major issue here, I need you to do….

Have you ever lived a situation like Bob or Rick in the past? This is a frequent situation at companies. Risk Management (RM) is still growing in most of them, in fact, several organizations besides of receive major negative impacts due to risk, they are blockers to change their minds about how serious they need to take RM on their projects.

When did this RM thing begin?

Let’s put some history here “The study of risk management began after World War II. Risk management has long been associated with the use of market insurance to protect individuals and companies from various losses associated with accidents. Other forms of risk management, alternatives to market insurance, surfaced during the 1950s when market insurance was perceived as very costly and incomplete for protection against pure risk. The use of derivatives as risk management instruments arose during the 1970s, and expanded rapidly during the 1980s, as companies intensified their financial risk management. International risk regulation began in the 1980s, and financial firms developed internal risk management models and capital calculation formulas to hedge against unanticipated risks and reduce regulatory capital. Concomitantly, governance of risk management became essential, integrated risk management was introduced and the chief risk officer positions were created. Nonetheless, these regulations, governance rules and risk management methods failed to prevent the financial crisis that began in 2007. (Dionne, 2013).

Well since 1945 it has been a while, however, RM has been evolving several changes in different areas, like at PM. Project Management Institute (PMI) is one of a few institutions that constantly are improving its vision of PM. Risk has been added since the first edition of PMBOK (project management body of knowledge) in September 1987 (camilamotato, s.f.) and also has been changing too. In the last edition (6th) now, there is a new process in the execution phase: implement the risk response plan. Why is that? It is simple, RM must be proactive during the entire project and especially when the deliverables are being created, and that fact does not look obvious in previous editions.

This also matches with the latest version of the framework of ISO 31000:2018 Risk Management Standard, which allows us to see an integral vision of RM from five bases focused on Leadership and commitment (ISO, 2018).

Illustration 1 ISO 31000 Framework (clause 5).

At this point, everything shows great, in papers looks amazing, but in real life not always does like that. Certainly looks more as Bob explains to his boss in our initial history. How do I know that? First, my experience with RM at projects and second because I made research with 50 project managers that now I will show you.

RM in real life told by professionals.

I made this survey with professionals of several countries asking them about how they live PM and how they add RM in their journeys? The truth is that we all manage risk consciously or unconsciously, but rarely systematically.

For this survey the participation was:

Table 1 Gender-age participation

Therefore, I ask these professionals with the following questions:

1. Do you apply project management plans in your organization?

Normally, we maybe think “of course all of them practice PM at their companies” but the reality shows that there is 16% who does not apply PM at their companies. From this 16 % universe, 83.33% belong to men between 36-45 years.

What does mean? People who are in their professional maturity still without developing PM formally and women are more focused to work organized. So we probably ask:

  • How they manage the risk?
  • How their company manages projects?
  • Are they following a different kind of business strategy?
  • How they measure the success of their projects?

We are just starting here, so we now know that not everyone involved in projects uses PM plans. Let’s see what about RM.

2. Do you include a risk management plan in your project plan?

40% of professionals do not include RM in their plans. It is remarkable the 28% of them just manage the risk as it appears, because the other 12% who voted that they do not include at all, probably manage risk as it appears too.

This takes us to improvise, what is the issue with improvising? We are throwing a coin looking for luck; we got a 50% chance of solving and 50% of making it worse.

Furthermore, we think at risk such as a bad thing, but it means also good things, yes! it is related to threats or opportunities. Consequently, when we create an RM plan we are not only making to manage threats, mitigate, avoid, transfer or accept risk; we are also doing to manage opportunities, to escalate, exploit, share, enhance or accept them.

What about that 60% of professional that use RM plans? This 60% is split by 66.67% of men, 30% by women and 3.33% by others. That is a very interesting fact because more than 70% of these universes use hybrid methodologies (qualitative + quantitative) for RM. Why is this so amazing? Use hybrid methodologies is not easy, is not even cheap, is difficult and expensive, requires top training, good tools, and real expertise, but provides the best outcomes. So, matter fact, we are in a good line.

Do you remember Bob and the consequences that he was talking about with his boss? We now going to talk regards the real consequences of a lack of RM at projects.

3. What has been the main consequence you have suffered for not managing risks in any of your projects?

36% of professionals surveyed had suffered scope, schedule, budget or business case consequences due to the lack of RM in their projects and 32% represents the major impacts on schedule and budget.

Do you know the definition of project failure? It is when at least one of the next conditions shows up:

  • You finish the schedule later than expected.
  • You spend more budget than you have planned.
  • Your scope is changed (this condition affects more to predictive methodologies than agile, where the scope is probably changing due to prioritization of the product owner or even final customer).
  • When your final customer is not satisfied with the results.

The last one conditions it is perhaps the most important and will be related to failure in the first three. Apply RM helps us to improve our odds to achieve better results on projects.

What do we need to get this better?

4. What do you think is the main cause that does not allow risk management to be carried out in a project?

In particular, the 58% that represents the lack of an RM culture in the organization that is not only the main cause for the companies to adopt suitable PM practices. It is also the route cause due to they cannot change their mind to the improvements as well.

A good culture comes from the top, without this way to visualize the growth of the company it will be harder. Months ago, I made a survey asking about what kind of management rules in companies in 2020. The outcomes were that 40% of employees work for Management 1.0 in their organizations, it is that bad news? Well, it means that they are working on companies that management still in the 1900s culture.

In real life, those trends must change if we want to see improvements in RM. Any change that we are living in our environment needs to be evaluated, the world moves so much quicker and constantly we need to adapt to him.

Do you think that now is hard to start to implement PM and RM? It will be harder later, technologies, diseases, nature do not stop; we need to move faster than they do.

If you get involved in Bob’s situation, now you have some facts to discuss with your boss and explain why the companies need major changes to achieve better results, not in the future, but right away.

I hope you like this research; it is always nice to share experience and knowledge with you.



  • camilamotato. (s.f.). Timetoast timelines. Obtenido de
  • Dionne, G. (2013). Risk Management : History, Definition and Critique. Cahiers de recherche 1302, CIRPEE.
  • ISO. (2018). ISO. Obtenido de
  • PMI. (2017). PMBOK GUIDE 6th Edition. Newton Square, Pennsylvania, USA: Project Management Institute, Publisher.