Project Risk Management and Agile context


In project management, risks and issues are two distinct concepts, although they are often related. Understanding the difference between them is crucial for effective project management. Here's a breakdown of each, along with examples:


  1. Definition: Risks are events or conditions that may occur in the future and have an impact on project objectives. They represent uncertain events that could have positive or negative consequences for the project.

  2. Nature: Risks are potential events that have not yet occurred but may happen in the future.

  3. Management Approach: Risk management involves identifying, assessing, and mitigating potential risks to minimize their impact on the project.

  4. Examples:

    • Market Risk: Changes in market conditions could affect the demand for a product being developed in the project.
    • Technology Risk: The use of new or unproven technologies may introduce uncertainties regarding their performance or compatibility.
    • Resource Risk: Key team members leaving the project unexpectedly could impact project timelines and deliverables.


  1. Definition: Issues are events or conditions that have already occurred and are currently affecting the project. They represent known problems or challenges that need to be addressed.

  2. Nature: Issues are current events that are impacting the project's progress or objectives.

  3. Management Approach: Issue management involves identifying, tracking, and resolving problems that arise during the project execution phase.

  4. Examples:

    • Budget Issue: Exceeding the allocated budget for a particular project task or activity.
    • Schedule Issue: Delays in project milestones or deadlines due to unforeseen circumstances or dependencies.
    • Quality Issue: Defects or errors discovered in deliverables that require rework or corrective action.

Relationship between Risks and Issues:

  • Risks can potentially lead to issues if they materialize. Effective risk management aims to identify and mitigate risks before they become issues.
  • Issues may arise from unforeseen risks, but they can also stem from other factors such as human error, resource constraints, or external events.
  • While risks are managed proactively to prevent their occurrence or minimize their impact, issues are addressed reactively as they arise during project execution.

In summary, risks are potential future events that may impact project objectives, while issues are current problems or challenges that are already affecting the project. Both risks and issues require attention and management to ensure successful project outcomes.

Risk Management Process

Project risk management is the process of identifying, assessing, prioritizing, and mitigating risks that could affect the success of a project. It involves systematically analyzing potential risks and developing strategies to minimize their impact or likelihood of occurrence. Here are the key steps involved in project risk management:

  1. Risk Management plan :  Create a Risk management plan, an overall process / framework for managing the risk
  2. Risk Identification: This involves identifying potential risks that could impact the project objectives. Risks can be identified through various methods such as brainstorming sessions, documentation reviews, historical data analysis, and expert judgment. It's essential to consider both internal and external factors that could affect the project. The risks are captured in a document called as risk register.
  3. Risk Assessment: Once risks are identified, they need to be assessed in terms of their probability of occurrence and potential impact on the project's objectives. Based on the qualitative assessment the risks can be categorized as major , medium and low. The major risks with high impact in terms of monetary or business value goes through further quantitative risk analysis.
  4. Risk Response Planning: After assessing the risks, the next step is to develop strategies and action plan to respond to positive and negative risks
  5. Implement Risk Response Plan Risk ; Detailed action items defined in the risk response planning are implemented in this step
  6. Monitor Risks : Monitoring risks is a crucial aspect of project risk management to ensure that identified risks are being effectively managed  

By following these steps, project teams can proactively identify and address potential threats to project success, ultimately increasing the likelihood of achieving project objectives within scope, schedule, and budget constraints.

Qualitative Risk Assessment

Qualitative risk assessment is a method used to evaluate risks based on subjective criteria rather than precise numerical data. It typically involves assessing risks based on their likelihood of occurrence and potential impact using qualitative descriptors such as high, medium, or low. Here's how qualitative risk assessment is typically conducted using a Probability and Impact matrix.

Using the above table  based on the value of Probability x Impact risks can be categorized as Catastrophic (Red), Major (Orange), Medium ( Yellow), Low (Green).

Quantitative Risk Assessment Technique

Expected Monetary Value (EMV) analysis 

Expected Monetary Value (EMV) analysis is a risk management technique used to quantify and compare the potential outcomes of different decisions or actions. It's particularly useful in project management, finance, and decision analysis, helping individuals and organizations make informed choices under uncertainty. EMV calculates the average or expected financial outcome of various scenarios by considering both the probability (likelihood) and the impact (monetary value) of each possible outcome.

How to Calculate Expected Monetary Value:

The formula for EMV is relatively simple:



Pi​ = Probability of outcome

Vi​ = Monetary value of outcome 

n = Number of possible outcome

Steps for Conducting EMV Analysis:

Identify Possible Outcomes

: List all the potential outcomes of the decision or project. These can be positive (opportunities) or negative (threats).

Assign Probabilities

: For each identified outcome, estimate the probability of its occurrence. Probabilities should be expressed as a number between 0 and 1, with the sum of probabilities for all outcomes equal to 1.

Assign Monetary Values

: Determine the monetary value (positive for gains, negative for losses) associated with each outcome.

Calculate EMV for Each Outcome

: Multiply the probability of each outcome by its monetary value.

Sum Up the EMVs

: Add all the calculated EMVs together to get the total expected monetary value. This gives you a single figure that represents the average expected financial outcome of the decision or action.

Example of EMV Calculation:

Imagine a project with two possible outcomes:

Outcome A

: 60% chance (0.6 probability) of gaining $100,000

Outcome B

: 40% chance (0.4 probability) of losing $50,000

The EMV would be calculated as follows: EMV=(0.6×$100,000)+(0.4×−$50,000)=$60,000−$20,000=$40,000EMV=(0.6×$100,000)+(0.4×−$50,000)=$60,000−$20,000=$40,000

This result means that, on average, the project is expected to net a gain of $40,000, considering the risks and opportunities involved.

Applications and Limitations:


: EMV is widely used in project management for risk quantification, in investment analysis, insurance rate calculations, and more.


: EMV analysis relies on accurate probability and monetary value estimates, which can be difficult to ascertain. It also simplifies complex decisions into averages, potentially overlooking the variability and distribution of outcomes.

In summary, Expected Monetary Value analysis is a powerful tool for making decisions under uncertainty, offering a clear, quantitative basis for comparison among different options. However, it's important to complement EMV analysis with other risk management techniques and qualitative considerations to make well-rounded decisions.

Let's consider a simplified example of Expected Monetary Value (EMV) analysis in the context of a business decision.

Scenario: A company is considering launching a new product. There are two possible outcomes: success and failure. The company estimates the financial impact (in terms of profit or loss) for each outcome and assesses the probability of each outcome occurring.

Outcome A (Success):

Probability: 70%

Financial Impact (Profit): $200,000

Outcome B (Failure):

Probability: 30%

Financial Impact (Loss): -$50,000

  • Calculating Expected Monetary Value (EMV):

  1. Identify Possible Outcomes: Success (A) and Failure (B).

  2. Assign Probabilities:

    • PA = 0.70 (Probability of Success)
    • PB​= 0.30 (Probability of Failure)
  3. Assign Monetary Values:

    • VA​=$200,000 (Profit if Successful)
    • VB​=−$50,000 (Loss if Failure)
  4. Calculate EMV for Each Outcome:

    • EMV for Success (A): =0.70×$200,000=$140,000EMVA​=PA​×VA​=0.70×$200,000=$140,000
    • EMV for Failure (B): =0.30×−$50,000=−$15,000EMVB​=PB​×VB​=0.30×−$50,000=−$15,000
  5. Sum Up the EMVs:

    • Total EMV: =$140,000+(−$15,000)=$125,000 (EMVA​+EMVB​)


The total Expected Monetary Value (EMV) for launching the new product is $125,000. This means that, on average, the company can expect to gain $125,000 from launching the product, considering both the probabilities of success and failure and their respective financial impacts.


Based on the EMV analysis, the company may decide to proceed with launching the new product since the expected monetary value is positive, indicating a net gain. However, the decision should also consider other factors such as strategic fit, market conditions, and potential risks beyond financial impacts.

Sensitivity Analysis 

Sensitivity analysis is a technique used to determine how different values of an independent variable affect a particular dependent variable under a given set of assumptions. This analysis is used in a wide range of fields, including finance, economics, engineering, and environmental studies, to test the sensitivity of the outcome to changes in the input variables. Sensitivity analysis is crucial for modelling and decision-making because it identifies how the variation in output can be attributed to different sources of variation in the input parameters, helping to assess the robustness of the results.

In a project risk management sensitivity analysis is used to assess the impact of a particular risk on the project objectives in isolation. It is done using a tornado diagram as shown below.

Risk Response Strategies

Here are several common negative risk response strategies:

  1. Avoidance: This strategy involves altering the project plan or business approach to avoid the risk entirely. For example, if there is a risk associated with a particular supplier, the project may choose to work with a different supplier or handle the task internally to mitigate the risk of supplier failure.

  2. Transference: Transference involves shifting the impact of the risk to a third party, such as through insurance, warranties, or outsourcing. By transferring the risk, the responsibility for managing it effectively shifts to another party better equipped to handle it.

  3. Mitigation: Mitigation aims to reduce the probability or impact of a risk. This might involve implementing additional controls, improving processes, or conducting more thorough testing. For instance, if a project faces a risk of delays due to resource shortages, hiring additional resources or cross-training team members could mitigate this risk.

  4. Contingency Planning: Contingency planning involves preparing alternative actions that can be taken if a risk event occurs. This allows for a rapid response to minimize the impact of the risk on the project or organization. Contingency plans often include predefined steps to address specific risk scenarios.

  5. Acceptance: Sometimes, it's not feasible or cost-effective to implement specific measures to address a risk. In such cases, the organization may choose to accept the risk and its potential consequences. While not actively mitigating the risk, this approach involves monitoring the risk closely and being prepared to respond if it materializes.

  6. Escalating a risk is a strategy used when the identified risk is beyond the control or authority of the project team or when it requires the attention of higher-level management or stakeholders. This strategy involves formally notifying relevant individuals or groups about the risk so that appropriate actions can be taken to address it.

These negative risk response strategies can be applied individually or in combination, depending on the nature and severity of the risks identified and the resources available to address them. Effective risk management involves a proactive approach to identifying, assessing, and responding to risks throughout the project or organizational lifecycle. 

Here are several common positive risk response strategies:

  1. Enhancement: Enhancement strategies aim to increase the probability or impact of positive risks. This might involve investing in research and development, innovation, or capacity-building initiatives to amplify the potential benefits of a particular opportunity.
  2. Exploitation: Exploitation involves actively seeking to maximize the benefits of identified opportunities. This might include allocating additional resources, adjusting project priorities, or pursuing strategic partnerships to capitalize on favourable market conditions or emerging trends.

  3. Sharing: Sharing opportunities involves collaborating with external stakeholders to jointly exploit the benefits of a risk. This could take the form of forming alliances, joint ventures, or partnerships to leverage complementary strengths and resources for mutual gain.

  4. Accepting : In the accept risk response strategy, you take no action to realize the opportunity. You leave it as is, and if it happens, you will benefit from it. You use this strategy when the response cost is high, there is a low chance of it occurring, or the benefit does not outweigh the effort.