Risk Management

All projects, regardless of size or complexity, have a risk component. The complexity and visibility of a project coupled with the potential impacts of risks will determine the appropriate risk management strategy.

The benefits of Risk Management include:

  • Informs development of the preconstruction schedule and budget.
  • Applies methodology to calculating appropriate levels of schedule and budget contingency. This allows CDOT to deliver more dollars to programming.
  • Supports fact-based conversations with management when you need to address potential impacts of changes.

The Risk Management Plan (RMP) consists of the Risk Workbook.  Risk Management is a scalable process. Less complex projects typically have fewer risks and the impacts are less significant.  Examples of less complex projects include resurfacing, chip seals, and other projects that have a limited scope.  Projects that are more complex will generally have a longer list of risks that require more detailed planning to manage.  Special circumstances could elevate even the simplest of projects to a higher level of complexity.  The impacts and complexity specific to the project determine the risk management strategy rather than the type of project.

To complete an RMP, the PM and project team need to conduct risk identification, analysis, and planning using the framework below:

  1. Risk Identification is the process of determining risks that could affect the project.
  2. Risk Analysis is the qualitative assessment of the probability and impact associated with a risk.
  3. Risk Response Planning involves developing risk response strategies and assigning owners to monitor risks.
  4. Risk Monitoring and Controlling is the process of tracking risk status, implementing response strategies, and identifying new risks.


How do you create an RMP?  The Risk Workbook has sections to document information related to the following four steps of risk management.

1. Risk Identification:

The Project Manager will work with the Project Team during scoping to identify risks. Techniques to identify risks include brain-storming, interviewing more experienced staff, using a starter risk worksheet, conducting surveys, asking “what if questions”, reviewing best practices, etc.

  • The DSR Meeting is a good forum to conduct risk identification.
  • Form 1048 is a good checklist for making sure all aspects of the project have been considered.
  • The Risk Workbook template includes a library of potential risks.
  • Consider both “threats” (negative impacts) and “opportunities” (positive impacts).
  • Don’t try to limit risk identification by phase. Risks may pertain to preconstruction and/or construction.


2. Qualitative Risk Analysis:

Risk analysis is the process of assigning the likelihood (Low or High) that a risk will occur, and the impact (Low or High) that would result.  The PM, team, stakeholders, etc., will determine these values based on their experience and judgment.  

The Risk Register (a worksheet in the Risk Workbook) uses the likelihood and impact to rank each risk by calculating a heat map.  Red, yellow, and green indicate priority, with red indicating risks that warrant the most attention.  Column 1 of the Risk Register is for manually ranking risks, in order of concern.  For example, if the Risk Register ranks 5 risks as high, the PM and team could prioritize them.


3. Risk Response Planning:

The Project Manager and project team members will assign a strategy and develop specific response actions for each Risk.  The PM also will need to assign Risk owners to monitor (column 13, Risk Register) Risks and recommend when actions are needed (column 14, Risk Register) to keep Threats from derailing the Project and/or take advantage of Opportunities when they arise.

  Risk Strategies for Threats (Negative Impacts):

  • Avoid: Change the nature of the project such that it retires the risk.
  • Transfer: Assign Risk to a third party, often through a contract or MOU. Management of the risk is allocated to the party best able to manage them. Note that risks not retired by project award will be transferred to the construction phase.
  • Mitigate: Take proactive actions to reduce likelihood or impact of risk to below acceptable thresholds.
  • Accept: In the context of a threat, if a risk is unavoidable or you choose to take your chances; you may need to add appropriate amounts of cost and/or schedule contingency.


 Risk Responses for Opportunities (Positive Impacts):

  • Accept: In the context of an opportunity, be willing to take advantage of an opportunity if it arises, but not actively pursue it.
  • Exploit: Take steps to make opportunity happen and be prepared to make the most of it.
  • Share: Share the benefits (i.e., with Local Agency Partners).
  • Enhance: Use the opportunity to provide more value, longer life.


4. Risk Monitoring and Control:

Project Managers and Risk Owners periodically review and report the status of Risks (document in columns 15 and 16, Risk Register).  Remember to:

  • Take appropriate action if a risk occurs.
  • Update status (column 2, Risk Register) to “Retired” when a risk is no longer a threat or opportunity.
  • Continue to identify and document new risks throughout the project lifecycle