Risk is an uncertain event in the future that, if or when it occurs, impacts project objectives such as scope, cost, schedule or quality. A risk could have multiple causes and multiple impacts. A cause could be a requirement, assumption, constraint or condition that creates the possibility of positive or negative outcomes. Risk conditions could include aspects of an organization’s or a project’s environment that may contribute to project risk, such as immature project management practices, etc. PRINCE2 defines risk as: ‘Uncertainty of Outcome – whether positive opportunity or negative threat’.
Project risk represents the inherent uncertainty in any project. A project risk that has materialized has no uncertainty anymore! It should be treated as an issue and addressed as such.
Risk avoidance involves changing the project plan to eliminate the threat entirely. The most radical risk avoidance strategy would be to shut down the project entirely!
Risk transfer requires shifting some or all of the negative impact of a threat, along with partnership of response, to a third party. Transferring the risk simply gives another party the responsibility for its management – it does not eliminate it. Transferring liability for risk is most effective in dealing with financial risk exposure, and tools could include insurance, guarantees, performance bonds, warranties, etc. Contracts may be used to transfer liability for specified risks to another party. For example, when a buyer has capabilities that the seller doesn’t, it might be prudent to transfer some work and its concurrent risk contractually back to the buyer. In many cases, use of a cost-plus contract may transfer the cost risk to the buyer, while a fixed-price contract may transfer risk to the seller.
Risk mitigation implies a reduction in the probability or impact of an adverse risk event to be within acceptable threshold limits. Taking early action to reduce the probability or impact of a risk occurring in the project is often more effective than trying to repair the damage after the risk has happened. When it is not possible to reduce the probability, a mitigation response might address the risk impact by targeting linkages that determine the severity.
The strategy indicates that the project team has decided not to change the project plan to deal with a risk, or is unable to identify any other suitable response strategy. This strategy is adopted because it is seldom possible to eliminate all threats from a project. This strategy could be active or passive. Passive acceptance requires no action except to document the strategy, leaving the project team to deal with risks as and when they occur. The most common active acceptance strategy is to establish a contingency reserve, including amounts of time, money or resources to handle the risk.
This strategy might be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. This strategy seeks to eliminate the uncertainty associated with a particular upside risk by ensuring the opportunity definitely happens. For example, assigning an organization’s most talented resources to the project to reduce the time to completion or to provide lower cost than originally planned.
Sharing a positive risk involves allocating some or all of the ownership of the opportunity to a third party who is best able to capture the opportunity for the benefit of a project. Examples include risk-sharing partnerships, teams, special-purpose companies, etc., which can be established with the express purpose of taking advantage of the opportunity so that all parties gain from their actions.
This strategy is used to increase the probability and/or positive impacts of an opportunity. Identifying and maximizing key drivers of these positive-impact risks may increase the probability of their occurrence. Examples of enhancing opportunities include adding more resources to an activity to finish early.
Accepting the opportunity is being willing to take advantage of it if it comes along, but not actively pursuing it.
Some responses are designed for use only if certain events occur. For some risks, it is appropriate for the project team to make a response plan that will only be executed under certain predefined conditions, if it is believed that there will be sufficient warning to implement the plan. Events that trigger the contingency response, such as missing intermediate milestones or gaining higher priority with a supplier, should be defined and tracked.
A secondary risk can be defined as a risk created by the response to another risk. In other words, the secondary risk is a consequence of dealing with the original risk. A simple way to look at this is to think of project management as a chess game in which one has to think as many moves ahead as possible. One has to consider the reaction to the reaction, or in other words, the consequences that could arise from dealing with a problem or risk. Secondary risks are generally not as severe or significant as primary risks, but can become so if not anticipated and planned for appropriately.
Exposure to loss remaining after other known risks have been countered, factored in, or eliminated. Residual risk is primarily applied to any element of risk that remains once the risk assessment has been made and responses implemented.
Defense Secretary Donald Rumsfeld, Feb 12, 2002: “Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.”
The term was in use within the US military establishment long before Rumsfeld's quote. An early use of the term comes from a paper entitled Clausewitz and Modern War Gaming: losing can be better than winning by Raymond B. Furlong, Lt Gen, USAF (Ret.) in the Air University Review, July-August 1984: “To those things Clausewitz wrote about uncertainty and chance, I would add a few comments on unknown unknowns--those things that a commander doesn't even know he doesn't know. Participants in a war game would describe an unknown unknown as unfair, beyond the ground rules of the game. But real war does not follow ground rules, and I would urge that games be "unfair" by introducing unknown unknowns.” “NASA space exploration should largely address a problem class in reliability and risk management stemming primarily from human error, system risk and multi-objective trade-off analysis, by conducting research into system complexity, risk characterization and modeling, and system reasoning. In general, in every mission we can distinguish risk in three possible ways: a) known-known, b) known-unknown, and c) unknown-unknown. It is probable, almost certain, that space exploration will partially experience similar known or unknown risks embedded in the Apollo missions, Shuttle or Station unless something alters how NASA will perceive and manage safety and reliability.”
From the same time, conservative lawyer Richard Epstein wrote a well-known article in the University of Chicago Law Review about the American labour law doctrine of employment at will (the idea that workers can be fired without warning or reason, unless their contract states terms that are better). In giving some of his reasons in defense of the contract at will, he wrote this. “The contract at will is also a sensible private adaptation to the problem of imperfect information over time. In sharp contrast to the purchase of standard goods, an inspection of the job before acceptance is far less likely to guarantee its quality thereafter. The future is not clearly known. More important, employees, like employers, know what they do not know. They are not faced with a bolt from the blue, with an "unknown unknown." Rather they face a known unknown for which they can plan. The at-will contract is an essential part of that planning because it allows both sides to take a wait-and-see attitude to their relationship so that new and more accurate choices can be made on the strength of improved information.”
Known Unknown refers to circumstances or outcomes that are known to be possible, but it is unknown whether or not they will be realized. The term is used in project planning and decision analysis to explain that any model of the future can only be informed by information that is currently available to the observer and, as such, faces substantial limitations and unknown risk. Known risks are those that have been identified and analysed, making it possible to plan responses for those risks.
Unknown Unknowns refers to circumstances or outcomes that were not conceived of by an observer at a given point in time. Specific unknown risks can’t be managed proactively, which suggests that the project team should create a contingency plan.
Risks can be categorized under headings: Strategic/Commercial; Economic/Financial/Market; Legal & Regulatory; Organisational/Management/Human factors; Political; Environmental; Technical/Operational/Infrastructure
Operational Risk: Risk of loss due to improper process implementation, a failed system or some external events. Examples include failure to address priority conflicts, insufficient resources, or no proper subject training.
Schedule Risk: The project schedule slips when project tasks and schedule release risks are not addressed properly. Schedule risks mainly affect the project and ultimately the company's economy, and may lead to project failure.
Budget Risk: Wrong budget estimation or project scope expansion leads to budget / cost risk. This risk may lead to either a delay in the delivery of the project or sometimes even an incomplete closure of the project.
Business Risk: Non-availability of contracts or a purchase order at the start of the project, or delay in receiving proper inputs from the customer or business analyst, may lead to business risks.
Technical Environment Risk: These are the risks related to the environment under which both the client and the customer work. For example, a constantly changing development, production or testing environment can lead to this risk.
Information Security Risk: The risks related to the security of information, such as the confidentiality or integrity of the customer’s personal / business data. Failure of access rights / privileges will lead to leakage of confidential data.
Programmatic Risks: The external risks beyond the operational limits. These are outside the control of the program. These external events can be running out of funds, changing customer product strategy and priority, government rule changes, etc.
Infrastructure Risk: Improper planning of infrastructure / resources may lead to risks related to slow network connectivity or complete failure of connectivity at both the client and the customer sites. So, it is important to do proper planning of infrastructure for the efficient development of a project.
Quality and Process Risk: This risk occurs due to incorrect application of process tailoring and deviation guidelines. It also arises when new employees allocated to the project are not trained in the quality processes and procedures adopted by the organization.
Resource Risk: This risk depends on factors like schedule, staff, budget and facilities. Improper management of any of these factors leads to resource risk.
Supplier Risk: This type of risk may occur when a third-party supplier is involved in the development of the project. This risk occurs due to the uncertain or inadequate capability of the supplier.
Technology Risk: It is related to a complete change in technology or the introduction of a new technology.
Technical and Architectural Risk: These types of risks generally lead to failure of functionality and performance. They concern the hardware and software tools and supporting equipment used in the project. The risk in this category may be due to capacity, suitability, usability, familiarity, reliability, system support and deliverability.
Risks are contained within the project by carrying out a Risk Analysis (Identification; Evaluation; Response and Action selection) and addressed through Risk Management (Planning & Resourcing; Monitoring & Reporting). A Risk Analysis may identify one of the following five suitable responses: Prevention, Reduction, Transference, Contingency and Acceptance. Denial is NOT a valid risk response.
‘When’ the risk is likely to occur is known as the risk’s ‘Proximity’.