I have been wanting to talk a bit more about risk for a long time. Risk Management is one of my preferred knowledge areas in the Project Management Body of Knowledge, but the sad thing is that it is often misused. It starts with the definition of a risk. In common language, risk always has a negative connotation: it refers to the possibility of misfortune or loss; to hazard; to something exposing to danger; perilous. To be honest, most people just keep looking at that single side of the coin. If you want to implement an integrated risk management process, you will have to consider that risk isn't always just a bad thing.
The PMI defines risk as an uncertain event or condition that, if it occurs, has a positive or negative effect on an objective. Dr. David Hillson has a much simpler definition of risk: an uncertainty that matters. I love this sentence. It clearly outlines the two dimensions of a risk: the uncertainty (or probability) and the effect on objectives (or impact). That makes things easier to understand: if something is 100% certain to happen, then it is not a risk. Nor is it a risk if it is uncertain but has no impact at all on the project or its deliverables.
That being clarified, the PMBOK defines Risk Management as the systematic process of identifying, analyzing and responding to risk. The framework contains a suitable set of processes to deal with risks, and it works for both threats and opportunities. These processes naturally follow the phases of a project, but they really need to be taken seriously. Underestimate them and chances are high that you will end up pulling the plug.
Coming next: The Risk Management Plan