Project Management Newsletter

Risk Management


Volume 3 | Issue 7 | July 2009

Daniel Vitek, MBA, PMP

There is often confusion between what a risk is and what an issue is, and how the activities of managing each relate to and interact with each other. According to the Project Management Institute (PMI) Project Management Body of Knowledge (PMBOK):

  • A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on at least one project objective, such as time, cost, scope, or quality.
  • An issue is a point or matter in question or in dispute, or one that is not settled and is under discussion, or over which there are opposing views or disagreements. In practice, many project issues are risks that have occurred: if the risk was identified earlier, the risk management planning process may already have produced a planned approach for handling it as an issue.

Project risk can be anything that threatens or limits the goals or deliverables of a project. Risk is present in all projects and may have one or more causes and, if it occurs, one or more impacts. Risk must be identified, managed, and addressed throughout the project in order for the project to be successful.

Project risk management is an iterative process that begins in the early phases of a project and is conducted throughout the project life cycle. It is the practice of systematically thinking about all possible outcomes before they happen and defining procedures to accept, avoid, or minimize the impact of undesirable outcomes on the project. Risk identification is a practice that proactively identifies and addresses potential obstacles that may arise and hinder project success or block the project team from achieving its goals. Types of risk that should be considered during this process include:

  • Financial risk such as investments, funding, capital expenditure, etc.
  • Legal risk such as lawsuits, change in law, etc.
  • Government/Political risk such as regulatory change, legislative change, policy change, etc.
  • Physical risk such as natural disasters, fire, accidents, death, etc.
  • Intangible risk such as human resources, knowledge, skill sets, relationships, etc.
  • Technical risk such as IT security, infrastructure, software, etc.
  • Security risk such as facility, information, documentation, etc.

Project teams should hold meetings to identify risks and to define appropriate strategies for dealing with them. The outcomes of these activities are documented and used to develop a Risk Management Plan (RMP). The RMP describes the approach and processes for assessing and controlling risks in the project and how risk management activities will be performed. It documents the identified risks; how they were identified, analyzed, and prioritized; how the project team will react to risk symptoms and triggers; who is responsible for managing which risks; how risks will be tracked throughout the project life cycle; and how risks will be mitigated and/or what contingency plans may be executed.

Project risk management also includes the processes for conducting risk management planning, identification, analysis, responses, and monitoring and controlling. Risk management plays an important role in maintaining project stability and efficiency throughout the project life cycle. To manage risks effectively, risks must be recorded and managed in a central location. This is accomplished through the utilization of a risk log. The risk log maintains information regarding identified risks, their symptoms, triggers, mitigation strategies, and contingency plans. The log allows for a central source that the project team can reference for all risk related information.

The Project Manager is ultimately responsible for managing risks and should regularly review and update the status of each identified risk and ensure that risks are under control. The ultimate objectives of project risk management are to increase the probability and impact of positive events and decrease the probability and impact of events adverse to project objectives. Effective risk management accomplishes:

  • Identification of risk
  • Evaluation and prioritization of identified risks
  • Assignment of risk owners
  • Development of risk response plans
  • Tracking and reacting accordingly
  • Monitoring and controlling risks

The process of obtaining the necessary information to properly complete and execute the RMP is typically a four-part process that includes:

  • Risk identification
  • Risk analysis
  • Risk response planning
  • Risk monitoring, controlling, and reporting

Risk identification is an iterative process that is conducted throughout the entire project life cycle. Any person associated with the project should be encouraged to continually identify potential project risks. PMI PMBOK defines risk identification as the process of determining which risks might affect the project and then documenting characteristics of those risks.

Risk analysis is primarily concerned with prioritizing and classifying risks and then determining which risks require the development of mitigation strategies and/or contingency plans. Risk analysis reflects the project’s tolerance for risk and defines thresholds and tolerance levels in areas such as cost, schedule, staffing, resources, quality, etc. that, if triggered, may require implementation of defined contingency plans. Risk analysis is an iterative process that is performed continuously throughout the life of the project as new risks are identified and existing risks change. Risk analysis may include:

  • Qualitative Risk Analysis
  • Quantitative Risk Analysis

Risk response planning includes the identification and assignment of one or more persons to take responsibility for each identified risk and defines the actions to be taken against that risk through the development of measures and action plans to respond to risk should it occur. PMI PMBOK defines Risk Response Planning as the process of developing options and actions to enhance opportunities and to reduce threats to project objectives. Risk response actions may include:

  • Risk mitigation
  • Contingency plans
  • Risk Transfer
  • Risk Avoidance
  • Risk Acceptance

Risk monitoring, controlling, and reporting is the process of identifying, analyzing, and planning for newly arising risks; keeping track of identified risks and reanalyzing existing ones; monitoring risk symptoms and triggers; and reviewing the execution of risk response strategies while evaluating their effectiveness.

Risk reporting is the process of regularly reviewing and providing status on identified risks. Project work should be continuously monitored for updates and changes, and this practice should also include the review and update of risks. When reporting or reviewing project progress, risk management status should be included.
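The risk log, qualitative analysis, response planning, and status reporting steps described above can be exercised end to end with a small script. The following is an added example written for this page; it is not a CDC Unified Process tool or template. The probability and impact scales (1 to 5), the exposure cut-offs for high/medium/low, the metric names, and the sample risk entries are all assumptions constructed for illustration.

```python
"""Minimal risk log: qualitative scoring, trigger checks, and a status report."""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    """Risk response strategies named in the newsletter."""
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"
    ACCEPT = "accept"


@dataclass
class Risk:
    """One risk log entry. Scales and field names are assumptions for this example."""
    risk_id: str
    description: str
    owner: str                # person assigned during risk response planning
    probability: int          # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    response: Response
    trigger_metric: str       # project metric that signals the risk is materializing
    trigger_threshold: float  # tolerance level; reaching it invokes the contingency plan
    contingency: str
    status: str = "open"      # open | triggered | closed

    @property
    def exposure(self) -> int:
        """Simple qualitative exposure score: probability times impact."""
        return self.probability * self.impact


def rating(exposure: int) -> str:
    """Qualitative rating; the cut-offs are assumed project tolerances."""
    if exposure >= 10:
        return "high"
    if exposure >= 5:
        return "medium"
    return "low"


def prioritize(log):
    """Highest exposure first; ties broken by risk id so the order is stable."""
    return sorted(log, key=lambda r: (-r.exposure, r.risk_id))


def check_triggers(log, metrics):
    """Compare current project metrics against each open risk's trigger threshold.

    Returns (risk_id, contingency) for every risk whose trigger fired and marks it
    'triggered' in the log so the contingency plan can be executed and tracked.
    """
    fired = []
    for risk in log:
        value = metrics.get(risk.trigger_metric)
        if risk.status == "open" and value is not None and value >= risk.trigger_threshold:
            risk.status = "triggered"
            fired.append((risk.risk_id, risk.contingency))
    return fired


def status_report(log):
    """Risk status summary as it would be included in a project progress report."""
    by_status = {}
    for risk in log:
        by_status[risk.status] = by_status.get(risk.status, 0) + 1
    return {
        "by_status": by_status,
        "high": [r.risk_id for r in prioritize(log) if rating(r.exposure) == "high"],
    }


def build_sample_log():
    """Constructed sample entries for illustration (not real project data)."""
    return [
        Risk("R-01", "Lead developer leaves before release", "PM", 3, 4,
             Response.MITIGATE, "staff_turnover_pct", 10.0,
             "Bring in backup developer from the contract bench; cross-train now"),
        Risk("R-02", "Security C&A findings delay authorization to operate", "ISSO", 2, 5,
             Response.MITIGATE, "open_high_findings", 3,
             "Escalate findings to the system owner; re-plan go-live date"),
        Risk("R-03", "Hosting vendor outage during data load", "Tech lead", 2, 3,
             Response.TRANSFER, "vendor_downtime_hours", 8,
             "Invoke SLA credits; fail over to the secondary site"),
        Risk("R-04", "Scope creep from unapproved change requests", "PM", 4, 3,
             Response.AVOID, "unapproved_change_requests", 5,
             "Freeze scope; route all changes through the change control board"),
    ]


if __name__ == "__main__":
    log = build_sample_log()
    for r in prioritize(log):
        print(f"{r.risk_id} exposure={r.exposure:2d} ({rating(r.exposure)}) owner={r.owner}")
    # Constructed metrics from a hypothetical status review
    metrics = {"staff_turnover_pct": 12.5, "open_high_findings": 1,
               "vendor_downtime_hours": 0, "unapproved_change_requests": 5}
    for risk_id, plan in check_triggers(log, metrics):
        print(f"TRIGGERED {risk_id}: {plan}")
    print(status_report(log))
```

Running the script prioritizes the four sample risks by exposure, fires the triggers for the two whose metrics have reached their thresholds, and prints the counts a project manager would roll into the progress report. The point of keeping thresholds beside each risk is that "react to symptoms and triggers" becomes a mechanical check at every status review rather than a judgment call made from memory.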

For more information and tools related to the topic(s) covered in this newsletter, the CDC Unified Process, or the Project Management Community of Practice please visit the CDC Unified Process website at

Please also visit the CDC Unified Process Newsletter Archive located at for access to many additional newsletters, articles, and management related topics and information.


The CDC UP offers a short overview presentation to any CDC FTE or Non-FTE group. Presentations are often given at your location, on a day of the week convenient for your group, and typically take place over lunch, structured as a one-hour lunch-and-learn style meeting.

Contact the CDC Unified Process at or visit to arrange a short overview presentation for your group.


The CDC Unified Process Project Management Newsletter is authored by Daniel Vitek, MBA, PMP and published by the Office of Surveillance, Epidemiology, and Laboratory Services.

For questions about the CDC Unified Process, comments regarding this newsletter, suggestions for future newsletter topics, or to subscribe to the CDC Unified Process Project Management Newsletter please contact the CDC Unified Process or visit

