Risk Audit vs Risk Review

Project managers include the risk audit and the risk review in their overall risk management process work with complex or large projects. Within the Project Management Professional (PMP)® exam, there are frequently questions designed to assess one’s knowledge of the uses of the risk audit and the risk review to ensure the different purposes are understood. Above all, the project manager needs to know that both the risk audit and review ensure an effective risk management plan for the project’s duration. It is less a case of risk audit vs risk review PMP and how the audit and review complement each other within the overall project risk management plan.

PDU Course on Organization Readiness to Better Understand Risk for PMP
Free PDU Class on Organizational Readiness. Learn to Manage Change in a Project Setting.

Risk Audit PMP and Risk Review PMP

The risk audit is focused on ensuring the plan for managing risk is happening, while the risk review is about ensuring all the appropriate actions have been taken for all identified risks in addition to looking forward to any new or emerging risk/s. Both the risk audit and the risk review fit within the Risk Management Plan and are part of the tools, processes, and documentation recommended by the Project Management Institute (PMI).

RiskAn uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.
(Source: https://www.pmi.org/pmbok-guide-standards/lexicon)
Risk Management PlanA component of the project, program, or portfolio management plan that describes how risk management activities will be structured and performed.
(Source: https://www.pmi.org/pmbok-guide-standards/lexicon)

Risk Audit

Just as an audit for any financial system or software system is a line-by-line review of each process step and its outcome, so is a risk audit for a project. When preparing for the PMP certification exam, know that the risk audit reviews all risk management policies, guidelines, risk mitigation strategies, and outcomes of risk management activities.

Risk Audit Definition

Project managers should have defined risks, analysis results, responses, and mitigation results within the risk management work. That data is used to conduct a risk audit.

Risk AuditExamination and documentation of the effectiveness of risk responses in dealing with identified risk and their root causes and the effectiveness of the risk management process. (Source: https://www.projectmanagement.com/contentPages/wiki.cfm?ID=346698&thisPageURL=/wikis/346698/Risk-audit#_=_)

When to use a Risk Audit

The size of the project will determine the frequency of risk audits (small projects may only need one audit conducted vs a large or extended project needing a series of risk audits conducted). A thorough risk audit shows how each project process performs, especially risk management work. As shared on the PMI’s project management knowledge repository website, “The main idea behind doing a risk audit is for the organization to become more proactive in dealing with risks.”

Consider these critical points for a Risk Audit:

  • It is a task-by-task, risk-by-risk analysis part of the Monitor Risk process.
  • The purpose is to determine the overall effectiveness of the Risk Management Plan and the activated risk response strategies so that adjustments can be made for the remainder of the project.
  • Always document the audit and the conclusions from it.
  • The project’s scope determines the frequency and quantity of audits; medium and large projects may have Risk Audits performed at significant milestones throughout the project, but smaller projects may have a Risk Audit only at the end of all work.

How to use a Risk Audit

From the audit, the project manager and team gain insight into the effectiveness of risk management efforts already conducted to apply to the project work ahead. Having an objective risk audit performed at regular intervals throughout a project can help “ensure that your project stays on track and budget.” Documentation of the risk audit results should be kept with other project documentation as it should be part of the project’s final lesson learned or postmortem activities.

Risk Review

When preparing for the PMP certification exam, know that the project team conducts the risk review, often as part of scheduled project status meetings. It is a tool to ensure that as changes occur in the project environment, the risk management plan, including identified risks and proposed strategies, remains relevant and feasible.

If thinking from a risk audit vs risk view PMP certification exam lens, know that the audit looks back to determine what worked, whereas the risk review looks forward to preparing for future changes. It is not a case of either-or, but rather, using both the audit and the review to maximize the effectiveness of all risk management work.

Risk Review Definition

There is not a formal definition of “Risk Review” in the online PMI.org lexicon, yet it is a tool embedded within the PMI’s A Guide to the Project Management Body of Knowledge (PMBOK® Guide).

Risk ReviewConducted at regular intervals throughout the project to assess the current project environment to determine if any changes are needed to manage future risks

Changes are part of all projects. The Risk Review is a means to recognize shifts within a project environment and adjust risk management plans to benefit or protect the project from changes.

When to use a Risk Review

The risk review should be scheduled such that it occurs at regular intervals and includes input from the project team, specifically the risk owners. It should be aligned to when changes are planned for the project. Not every single change should require a risk review. Instead, only those that have an impact on the overall project environment.

How to use a Risk Review

Each risk review should follow a structure so that the risk owners know how to prepare and so that there are fewer opportunities to miss an impactful change. The risk owners, project team, and project manager can ask questions such as these in the risk review:

  • What are new risks in each category?
  • For each new risk, what is the probability of occurrence?
  • For each new risk, what is the impact?
  • Is the probability of occurrence the same as before for each existing risk?
  • For each existing risk, is the impact the same as before?
  • Are any individual risks occurring together, thus amplifying the impact?
  • Are there existing risks that are no longer possible and should be closed?
  • [if risk audit has occurred] Are there any lessons learned to apply moving forward?

All risk review work should be captured and included with other project documents.

Risk Audit vs Risk Review

When doing a risk audit vs risk review PMP comparison, note that they have similarities and differences. 

How they are similar

Both are project management tools used to ensure an appropriate risk management plan and processes for the project’s life cycle. The project manager leads both, should include project team input, and result in information stored with project documentation.

How they are different

The size of the project will determine the frequency and quantity of risk audits; large and complex projects require more risk audits. In contrast, the risk review can be embedded in recurring, standing project status meetings for any size project. At the most basic level, the audit looks back to see if actions taken had a positive outcome on the risk and project, where the review is looking forward to adjusting risk plans to reflect project shifts.

Studying for the PMP Exam?


Risk Audit and Risk Review for PMP Certification Exam

The PMP exam may contain questions to determine to understand the tools’ purpose and when to use the tools for a provided scenario. It is helpful to know for both Risk Audit and Risk Review:

  • Definition
  • Purpose
  • When to conduct
  • What it provides for the project
  • How it differs from other risk management tools

Risk audits are an audit technique within the Monitor Risk process. Risk reviews fall under “meetings” techniques within the Monitor Risk process of waterfall project management.

Conclusion

Project managers are always looking back to capture lessons learned and looking forward to preparing for what’s coming. Looking in the past (“what happened?”) and in the future (“what could happen?”) is really what the risk audit and risk review are doing.

Upcoming PMP Certification Training – Live & Online Classes

NameDatePlace
PMP Certification TrainingAug 13,14 & 20,21
8:30am-6:00pm
Boston, MAView Details
PMP Certification TrainingSep 12,13,14,15
8:30am-6:00pm
Boston, MAView Details
PMP Certification TrainingJul 11-14 & 18-21
12:00pm-4:30pm
Online - Greenwich Mean Time (GMT)View Details


Megan Bell
Megan Bell
Project Manager & Writer at Project Management Academy | + posts
Megan Bell