Risk Types in Project Management

What do all projects of all sizes across all industries have in common? The answer is risk. It is just one reason Project Management Institute’s (PMI) standards and certifications for the Project Management Professional (PMP)® certification include risk management. The universal fact of risk is every project will have a unique blend of risk types and categories that need managing.

---

---

Risk Types PMP® and Risk Categories®

What is certain is all projects have a degree of inherent uncertainty. There are even project or resource contracts that include risk clauses and associated fees. The PMP® certification exam will include questions based on PMI’s definition of risk:

Risk	An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.  (Source: https://www.pmi.org/pmbok-guide-standards/lexicon)

One component of risk management is the organization of the risks identified, which can be informally referred to as PMP® Risk Types, Risk Categorization PMP®, or Risk Categories PMP®.

Within the project management plan, identified risks are assigned a type (a label) by themselves. Then, types will be collected into a category (or group). The organization of risks by types and categories provides a consistent means to track what can become large amounts of information and to determine where and when mitigation is required.

For example, using new laptops for the project would be labeled as a “Technical” risk. As a Technical risk, the use of new laptops would then be included in the overall category of “Source-Based” risk. The greater the number of technical risks, the more there will be source-based risks. Increases or decreases of risk quantities in a type or category can influence resource and budgetary considerations.

The process of identifying risk, assigning a risk type, and organizing by risk category provides many benefits to the project manager and the team. The benefits include:

• knowing where to apply resources and risk strategy work to areas of higher risk
• assessing the risk level for a type or category
• preventing duplication of risk efforts by labeling and organizing all identified risks
• leveraging opportunities to mitigate negative risk or foster positive risk by seeing all risks in a related area

The PMP® certification exam may include scenarios that describe risk types and risk categories or require analysis to determine a risk level. For both preparing to take the PMP® exam and the improvement of your project management skills, it is important to know how to organize risks.

---

---

Risk Types PMP

Just as organizing project tasks can be approached systematically to break down what is needed and when, so can risk. Begin with the four types of project risk.

What are Risk Types?

A risk type, or informally the “PMP risk types,” are buckets for risks of a similar nature. Determining the Risk Types is part of the overall risk identification work within the risk management efforts.

4 Project Risk Types

For this article, four types of project risks are listed. However, industry and the specific project management methodology practiced by an organization can influence the types used and how they are defined.

Technical Risks

As implied by the label, technical risks are those connected to technology including, but not limited to software, hardware, digital network, digital assets, system security, and new and changing technology and changing regulatory requirements.

Technical risk examples:

• software update
• network security change
• data breach
• data corruption
• software license costs
• hardware breakdown
• audit requirement changes
• connectivity and access
• platform incompatibility
• data security

External Risks

There is no project that is 100% isolated from and insulated against changes happening outside.

External risks are those that exist outside of the project’s organization and, most likely, are beyond the control of the project manager or teams, such as political, governmental, climate, or economic changes. The COVID-19 pandemic is an example of an external risk (global health crisis) that impacted projects (personnel, supply chain, costs, etc.). Examples include:

• regulatory
• weather
• suppliers
• marketplace
• customer
• external stakeholder groups
• political
• environmental

Organizational Risks

Projects occur within an organization, be that a team, department, division, company, or a group of friends in a start-up. The organization behind the project, whether a sole proprietor or global interdepartmental collaboration, will include change as part of day-to-day business activities. Organizational risk examples are those derived from breakdowns in internal procedures, people, and systems.

Organizational Risk Examples:

• work culture
• processes within the organization
• resources
• prioritization
• project dependencies
• funding
• technology
• new technology
• requirements
• interfaces between systems
• performance and reliability
• quality

Project Management Risks

The fourth type of risk is “project management risk,” or, “project risk,” and includes the efforts to manage the project. It includes project management work and tasks within communication, estimating, planning, contract development, and scoping. Examples include:

• planning
• executing
• estimating
• communicating

Why are Risk Types important?

Remember, project risk is “an uncertain event or condition that, if it occurs, has an effect on at least one project objective.” All projects have risks, and risk is the highest at the onset of the project. It is important to understand, identify, organize, and manage risk to protect the project’s goals and objectives. When there is an organized list using risk types, the project manager is better positioned to act appropriately when there are disruptions to “…processes, resources, and technology in an ongoing project.”

How are Risk Types used in projects?

Accurately assigning risk types is part of risk management’s “…analyzing project risks to minimize the magnitude of external and internal risks.” In short, risk types are part of the overall work to classify risk and thus be proactive in determining risk response and risk mitigation strategies.

Risk Categories PMP®

When studying for the PMP, project managers should know risk types, categories, and the role they serve in risk management.

What are Risk Categories?

Risk categories are a means to group related risk types for more effective overall risk management. Project Management Academy, a PMI Authorized Training Partner, provides students preparing for the PMP certification exam with this graphic showing how risk types can be further classified for more effective risk management.

Risk types with an overall connection are further organized into categories. In this way, risk resources can be pooled, risk mitigation strategies can be more accurately applied, and the interconnectedness of specific risks can be managed.

Risk Category | Source-Based Risk

The types are grouped into the overall Source-Based risk category as the occurrence or lack of each risk is triggered at the source. In the Risk graphic, Source-Based Risks encompass the risk types of:

• internal
• external
• technical
• non-technical
• industry-specific
• generic

For example, a re-organization at a company (internal risk type) can impact project resources (source-based category). Or a governmental regulations (external risk type) change can impact the project documentation (source-based category) requirements.

Risk Category | Effect-Based Risk

Risk can also be categorized as effect-based for those that are about the impact on the project. As shown in the graphic, the risk types that call into the effect-based risk category include:

• schedule
• cost
• quality
• scope
• resources

Consider how a change in the cost of materials (cost risk category) affects the overall cost of the project (effect-based risk category). Or, if a stakeholder demands deliverables sooner (project management risk type) then the effect on the project can be how much can be accomplished (scope risk category).

Why are Risk Categories important?

Once risks have been identified by type, project teams should group them into categories to show common sources of risk for the industry, application area, or business. If risk types are not categorized, there can be unintentional overlapping or contradictory mitigation work performed thus triggering additional negative risks, which are also called “issues”.

How are Risk Categories used in projects?

Categories can help create more effective risk response strategies by allowing the project team to focus on the categories known to hold the highest risk, or the creation of a generic risk response for any risks assigned to the given category. The benefits of this approach are an increase in the efficient use of project team time and more accurate risk management work overall.

There are risk categories that are common and helpful to know in the context of PMP exam prep. But know a company or industry may have a standard set of categories which include the more common ones and others specific to the type of work performed.

How to Manage Risk

Managing risk is a big component in project management and is certainly addressed within the PMP® exam. Access other articles to continue to grow your knowledge and skills within risk management. At a high level, keep in mind these techniques for managing risk categories:

Consult a wide audience to identify risks

During risk identification work, tap into a wide audience to ensure as many risks as possible are included. Hopefully, you will have more known risks than the unknown. The audiences should include project managers with related experience, project team members, stakeholders, customers, and subject matter experts. Within the identification work and the gathering of input from different audiences, information about the risk should be gathered to help with adding risk type labels and later organizing related risks within a risk category.

Assign a lead to each risk

As is done with project tasks, each risk should have a clearly communicated lead. The lead is someone who understands the risk type and category with the insight to analyze related project information, and who can be trusted to assume risk responsibility. The assignment of leads to a risk includes communicating that role and the associated responsibilities to that person (in other words, listing someone as the lead in a document is not fully communicating the decision).

Track and prioritize your risks

With categories, it can be easier to “bulk” risks for tracking and prioritization. An external change can be a risk for many types, and if the tracking is done at a category level, then the mitigation response can be managed to maximize resources.

What do Risk Types and Categories drive in Risk Management?

Although referenced by multiple names including “risk types PMP,” “PMP risk types,” “Risk Categorization PMP®,” or “Risk Categories PMP®,” the core concept is the same: consistent organization of project risks results in better overall risk management.

The risk types and categories connect to multiple processes, documents, and tools such as:

• Risk register
• Risk audit
• Risk management plan
• Risk budgeting
• Risk mitigation triggers

There are variations in risk types and categories depending on the project work and environment. What should not vary is the use of types and categories as an input into the risk register and risk mitigation triggers, and their inclusion in the risk audit, risk budgeting, and risk management plan.

Conclusion

Do not be overwhelmed by the fact there is uncertainty in your project. In fact, risk can bring great success if managed properly. Use risk types and categories to better organize and track risks, and to more effectively mitigate risk when it occurs. Remember, risk management strategies, tools, and resources are all designed to protect the project’s objectives despite the challenges. Understanding risk is more than good project management or a road to correctly answering a PMP exam question, it is a responsibility for the profession and each project.