Methodology for risk assessment and project risk management

Risk management is part of the traditional project management and program development.

Risk management is part of the internal control system of many projects and organizations. The purpose of risk management is to identify the risks that threaten the proper functioning of each program, to assess them and to reduce the critical risks. For more information, read the official project risk management practice at BVOP Ultimate Guide, 2019, Business Value-Oriented Principles Ltd.

Good risk management

Good risk management is considered a prerequisite for achieving sustainable improvement of the organization.

At its core, risk management is a set of processes for identifying, assessing and controlling risks, which ensures that the objectives of the program are met and effective management is achieved. Reference: Risk Management in Project Management practices, October 8, 2019

According to a number of regulations defining general provisions for program development, quality control systems for programs and projects should be established, including the current methodology for risk management and assessment. Reference: Assessing the Risk in Project management and Quantitative approaches to risk, Matt Jordan, posted on October 6, 2019, PolicyMatters, ISSN: 1941-8280, 1941-8272


In order to implement quality risk assessment and control procedures, the following definitions should be given in the current methodology. Applying control in project management is important and may be achieved in various ways. There is no point in monitoring without control; control is exercised through the reporting cycle. Reference: Applying control in project management, 2019


Risk

Risk means a function of the probability of an adverse event disrupting the activities of the organization and the severity of its effect due to the presence of a hazard;

Risk analysis

Risk analysis means a process consisting of three interrelated components: risk assessment, management and exchange;

Risk Assessment

Risk assessment means a science-based process consisting of four stages: hazard identification, hazard characterization, hazard impact assessment and risk characterization; Reference: The Qualitative Approach to Project risk assessment, Agile Programming, ISSN 2652-5925, 2020

Risk Management

Risk management means the process of weighing alternative policies in consultation with stakeholders, discussing risk assessment and other legitimate factors and, where appropriate, selecting appropriate prevention and control options;

Risk assessment criteria

Risk assessment criteria means the criteria on the basis of which the establishment, functioning and reliability of ex ante control as an element of financial management and control systems are assessed.

Exchange of risk information

Exchange of risk information means the interactive exchange of information and opinions throughout the risk analysis process, concerning risks and risk factors and their perception, among those responsible for risk assessment and management, businesses and other stakeholders, including clarification of the conclusions of the risk assessment and the reasons for the management decisions taken, with a view to exchanging good practice;


Monitoring

Monitoring means the observation, management and control of a certain type of activity.

Risk mitigation plan

Risk mitigation plan – a document prepared at internal risk meetings and approved by the Head of the Managing Authority (program manager, project director, project sponsor, head of risk management, etc.), including procedures for detailed control of critical-risk prevention activities through specific measures, and a report on the implementation of activities that reduce risks to the lowest possible level.


Risk management is part of the internal control system and more precisely of the ex-ante control system. The purpose of risk management is to identify the risks that threaten the achievement of the institution’s objectives, to assess those risks, and to prevent critical risks.

The managing authority is responsible for risk assessment and internal control procedures. In order to assess the establishment, operation and reliability of ex-ante controls, criteria relevant to the inherent risks to the site’s activities should be examined and assessed:

  1. frequency of structural changes related to the activity of the site – numerous and significant changes are an indicator of a higher level of inherent risk;
  2. complexity and nature of the transactions performed by the site – more complex transactions are an indicator of a higher degree of risk;
  3. experience and competence of the management and the personnel engaged in the functioning of the preliminary control – limited experience and unproven competence are an indicator of a higher degree of risk;
  4. implementation of the recommendations and instructions given by the managing authority, the certifying body, the evaluation committee, the monitoring committee or the European Commission in relation to the preliminary control – many and / or significant deviations from the recommendations are an indicator of a higher level of inherent risk;
  5. other inherent risks specific to the site.

In view of this assessment, the functioning of the following types of controls is checked and assessed:

  1. Organizational control within the managing authority – the existence of an internal act defining and allocating responsibilities and specifying the reporting of all aspects of ex ante control. The delegation of powers and responsibilities should be clearly defined;
  2. Arithmetic control – checking the arithmetic accuracy of quantities and amounts in connection with the accounting of transactions;
  3. Administrative supervision – monitoring by responsible persons of routine / ordinary transactions and their recording;
  4. Management control – implementation of special control procedures exercised by the management of the site outside the daily activities;
  5. Control on authorization and approval – granting permission and approval by authorized persons for assuming obligations and / or making expenses;
  6. Personnel selection control – availability of procedures ensuring that the competencies of the staff match their responsibilities.

Risk Assessment

In assessing the risk, the Managing Authority should take into account:

  • The risks that exist in its field of action;
  • The possible consequences and the general effect in the realization of the risks;
  • Effective methods for assessing and identifying possible risks;
  • Internal control procedures for risk prevention and management;
  • Alternative actions in case of realization of risks.

Risk management in the activities of the managing authority and regional departments is carried out through:

  • Annual risk workshop;
  • Risk mitigation through an internal control system;
  • Risk control and continuous monitoring of the implementation of risk mitigation measures.

The annual risk workshop is held once a year, in the 4th quarter, and consists of 3 stages:

  1. Risk identification
  2. Risk assessment
  3. Analyzes and interpretation of the evaluation results

The project manager or program manager initiates the annual workshop and identifies the evaluators responsible for the different risk areas. Reference: Who is Project Manager, responsibilities and how to become a project manager, 2019

The data collected from internal / external audits are taken into account as additional information in the risk identification and assessment processes.

The risk assessment working group has the following tasks:

  • Identifies the risks based on the objectives of the Managing Authority, creating lists of risks depending on the stages of program and project management.
  • Reviews and discusses the results of the risk assessment performed by the risk assessors.
  • Determines the degree of risk tolerance based on critical risks.
  • Analyzes and interprets the results of the risk assessment.
  • Discusses the basic methods and measures for eliminating critical risks.
  • Appoints employees responsible for implementing risk-limiting measures by assigning them the preparation of a plan for eliminating critical risks.
  • Develops an annual risk management plan and proposes it for approval to the Head of the Managing Authority.
  • Where there is a suspicion that the manifestation of a risk constitutes an irregularity, notifies the employee responsible for irregularities.

The activity of the project team for risk assessment is managed by the “Chairman”

The activity of the project team for risk assessment is managed by the Chairman, who schedules the meetings and determines their agenda. The chairperson convenes the project team once a year by written invitation sent electronically at least 5 working days before the first meeting, including the agenda, the accompanying materials, and the day and place of the meeting.

Meetings of the project risk assessment team shall be considered regular if they are attended by all regular members or, where necessary, by their reserve members. Decisions of the project risk assessment team are taken by open vote and by absolute majority – more than half of the voting members of the team.

Minutes shall be drawn up for each meeting of the project risk assessment team, which shall be signed by the team chair. The minutes and the materials submitted for discussion on the agenda and the other documentation related to the activity of the project team are kept by an expert from the Risk Assessment and Irregularities Department. The minutes shall be provided to all members of the team by e-mail no later than seven days after their signing.

Risk identification in the system of the project team for risk assessment

The risks are determined on the basis of the goals set for the project risk assessment team. The project manager and the risk manager set the goals for the next calendar year before the start of the annual workshop.

The aim at this stage is not to identify every possible risk; the emphasis should be on a relatively small number of key risks that need to be managed.

The following types of risks should be considered during the risk assessment process:

  • external risks – risks related to external circumstances (such as tenders, external organizations, media, etc.);
  • internal risks – risks related to the managing authority / regional departments and the work process (e.g. risks related to the data exchange system, human resources problems, changes in work tasks, inefficient management, etc.).

Risk identification is performed jointly by the risk assessors. The result of this stage is a Risk List.

Risk assessment in the structure of the project team for risk assessment

Risk assessment is the second activity performed at the annual workshop and is carried out by the risk assessors. Based on the Risk List, each assessor performs an independent assessment. The assessment uses a two-factor model, where the assessed factors are:

  • Probability of the risk being realized;
  • Impact of the event, in case the risk is realized.

Each factor of each individual risk is assessed on a scale from 1 to 5. When assessing the risks, the following elements are examined:

  • Level of material and financial stability;
  • Complexity of legal norms and rules;
  • Past experience and mistakes made;
  • Effectiveness of control;
  • Data obtained as a result of previous audits, inspections and controls;
  • Changes in procedures, structures, etc.;
  • Geographical and political factors.

The chair of the annual workshop prepares a single consolidated document from the individual assessments submitted by the risk assessors. In it, the assessment of each risk is the arithmetic mean of the assessments of all assessors, presented separately for impact and for probability.

Analysis and interpretation of the results of the risk assessment

In the third stage of the annual risk management workshop, the risk assessors address the following:

  • Review and discussion of the results of risk identification and assessment;
  • Determination of a risk tolerance threshold based on risk priorities (e.g. limits below which risk mitigation will be unjustified for the Managing Authority);
  • Discussion of the main methods and measures for limiting the most critical risks;
  • Designation of responsible experts for the implementation of risk mitigation measures.

The list of risks is finalized on the basis of the results of the risk assessment and the explanations accompanying them. Further decisions of the Managing Authority will be based on this list.

Review and discuss the results of risk identification and assessment

Based on the results, the Chair of the Annual Workshop identifies “risks in question”: risks whose assessments have a standard deviation greater than 1 (a sign that the evaluators are applying different assessment criteria). The standard deviation is calculated separately for each risk, both for “impact” and for “probability”. Risks whose standard deviation exceeds 1 (for “impact” or for “probability”) are considered “risks in question” and are re-evaluated.

The risks in question are reassessed by the evaluators, following the described procedure, which continues until a consensus is reached.

After a consensus is reached on each risk (the standard deviations of impact and of probability are equal to or less than 1, and the “total impact” and “total probability” are established), the two figures are multiplied and the final assessment score is obtained.

Risks are ranked in order of importance.

The results of all evaluators should be presented at the Risk Workshop so that they can be discussed in detail and a decision made on which of the risks should be considered “critical”. It should be borne in mind that not all risks with a high overall rating can be limited (for example, some of the risks may have a high overall rating, but may be an external hazard and therefore cannot be limited by the Managing Authority).

Determining the risk tolerance threshold (i.e. limits below which risk mitigation will be unjustified for the project)

Defining a risk tolerance threshold means drawing a line between risks that require immediate action by the project team and risks that can be monitored.

Priority 1 Critical risks: risks for which both factors are rated 3 or above. This is usually a group of risks that require immediate attention and detailed consideration of risk management activities.

Priority 2 Unforeseen risks: these risks must be controlled before “systemic risks”, as their impact can be significant, even though they are less likely to occur than critical risks. Precautions are usually taken for such risks (e.g. outbreak of fire).

Priority 3 Systemic risks: these risks are very likely to occur, but their impact is relatively low. Precautions are usually taken for such risks; more importantly, the effect of accumulation must be taken into account (for example, a series of small problems whose accumulated impact is large, or a systemic disorder).

Priority 4 Irrelevant risks: risks for which both factors are rated below 3. Depending on the accepted level of risk tolerance, these risks may or may not receive attention; this depends on the resources available and the requirements of the stakeholders.
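As an added illustration, not part of the original methodology document, the following Python script carries the consolidation, “risks in question”, scoring and priority steps described above through a constructed set of assessor scores. It assumes the population standard deviation, and that Priority 2 means impact rated 3 or above with probability below 3 while Priority 3 is the converse, which is inferred from the descriptions above rather than stated explicitly.

```python
from statistics import mean, pstdev

# Constructed sample: three assessors score five risks as (probability, impact), each 1-5.
ASSESSMENTS = {
    "R1 data exchange outage": [(4, 5), (5, 4), (4, 5)],
    "R2 key staff turnover":   [(2, 4), (5, 5), (2, 3)],   # assessors disagree on probability
    "R3 late supplier tender": [(2, 2), (1, 3), (2, 2)],
    "R4 server room fire":     [(1, 5), (1, 4), (2, 5)],   # unlikely, high impact
    "R5 minor invoice errors": [(5, 2), (4, 2), (5, 1)],   # likely, low impact
}

SD_THRESHOLD = 1.0   # standard deviation above 1 on either factor marks a "risk in question"
CUTOFF = 3           # both factors >= 3 is critical, both < 3 is irrelevant


def consolidate(assessments):
    """Chair's single document: per-risk mean and standard deviation of each factor."""
    table = {}
    for risk, scores in assessments.items():
        probs = [p for p, _ in scores]
        impacts = [i for _, i in scores]
        table[risk] = {
            "probability": mean(probs), "impact": mean(impacts),
            "sd_probability": pstdev(probs), "sd_impact": pstdev(impacts),  # population SD (assumption)
        }
    return table


def risks_in_question(table):
    """Risks that must go back to the assessors until the SD on both factors is <= 1."""
    return sorted(r for r, v in table.items()
                  if v["sd_probability"] > SD_THRESHOLD or v["sd_impact"] > SD_THRESHOLD)


def priority(probability, impact):
    """Priority class from the consensus means (2 and 3 are inferred from the text)."""
    if probability >= CUTOFF and impact >= CUTOFF:
        return 1
    if impact >= CUTOFF:
        return 2
    if probability >= CUTOFF:
        return 3
    return 4


def ranked(table):
    """Final score is probability x impact; returns (risk, score, priority), highest score first."""
    rows = [(r, v["probability"] * v["impact"], priority(v["probability"], v["impact"]))
            for r, v in table.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

In practice `ranked` would be run only after `risks_in_question` returns an empty list, since the page ranks risks once consensus is reached.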

Discussion of basic methods and measures to limit the most critical risks

The annual risk workshop sets out the main methods and measures to limit the most critical risks.

Designation of responsible experts for implementation of risk mitigation measures

The heads of departments and the head of the Managing Authority appoint the persons responsible for implementing the risk mitigation measures.

The designated experts responsible for implementing the risk mitigation measures develop or update a risk mitigation plan, following the instructions of the management of the Managing Authority.

The end result of the Annual Risk Workshop is a Risk Management Plan. The results of the risk assessment provide guidance to the Managing Authority on measures to limit the risk. The risk management plan must be formally approved by the project manager, program manager and project sponsor.

Read more: Managing Risks: A New Framework, by Robert S. Kaplan and Anette Mikes, From the June 2012 Issue. In this article, we present a new categorization of risk that allows executives to tell which risks can be managed through a rules-based model and which require alternative approaches.