Updating of Risk Log

Home Page  <<  >>

Review of the risks already identified & identification of new risks

As it has been stated above, the Project Manager must review all the risks identified during the Project Initiation Phase in order to identify if all of them remain applicable. Since Project Planning Phase has already started and Project Manager is participating in Activities scheduling, in Resource, Cost and Quality Planning, he/she should be considerably more knowledgeable about the project and therefore more able to predict possible risks.

Furthermore, as a result of planning the project and adding detail to the Project Brief, new risks may also come to light. The identification and scheduling of the activities needed in order to produce the project deliverables may reveal a new level of complexity and interdependencies to the project, possibly producing more risk. Similarly, defining resource requirements may call for resources with unique skills whose availability may be diminishing. Furthermore, assumptions made for planning purposes usually involve a degree of risk. For example if the date that a key person will be available is uncertain, the Project Manager may assume a specific start date for planning purposes but the uncertainty still exists and may affect the real start date of a specific activity.

The above mentioned are only a few examples of how risks in a project evolve over time. Therefore, the Project Manager has to update the existing list of risks (Risk Log) by adding new risks that were identified during the planning process. As in the Project Initiation Phase, the Project Manager should consider both internal (events the Project Manager can directly control) and external (events that are outside of the direct influence of the Project Manager) risks.

It should be mentioned that once again, data and experiences from previous projects may provide excellent insight into potential risk areas and ways to avoid or mitigate them. If the Implementing Agency/ Contracting Authority has previously implemented similar projects and has a list of risks that faced during them, the Project Manager should consider all potential risk elements included in this list. 

Evaluation of new risks

The Project Manager evaluates each new risk in terms of the likelihood of its occurrence and the magnitude of its impact (refer to Risk Assessment in Subchapter

Definition of preventive and contingency actions

Determining actions to reduce threats to the project’s objectives (also known as “Risk Response Planning”) is essential for the project’s success. These actions must be appropriate to the severity of the risk, cost effective, agreed by all parties involved and assigned to certain responsible persons.


The actions that could be taken break into the following types:

Prevention: Risk prevention refers:
to risk avoidance (doing things differently (changing the project plan) and thus removing the risk, where it is feasible to do so or
to the reduction of the likelihood of an identified risk .

Risks identified in the early stages can be avoided or reduced (in likelihood) by e.g. clarifying requirements, adding resources, extending the duration of the project, improving communication, adopting a familiar methodology for the implementation instead of a new one, avoiding unfamiliar contractors etc.

Transference: Risk transfer is seeking to transfer the responsibility of managing the risk to a third party; it does not eliminate it.

Risk transfer is typically used in the context of a government agency passing the risk to a contractor. PPP, PFI and concession contracts are typical examples of risk transfer from the public to the private sector.

In addition, use of a fixed – price contract may transfer risk to the contractor whereas a cost reimbursable contract leaves more of the risk to the Contracting Authority, especially in case that the project’s design is not stable and mid project changes occur.

Acceptance: Risk acceptance indicates that the Project Steering Committee decides to tolerate the risk perhaps because nothing can be done at a reasonable cost to mitigate it, or because is unable to identify any other suitable response strategy or because the likelihood and impact of the risk occurring are at an acceptable level.
Contingency: These are actions planned and organized to come into force as and when the risk occurs.

It should be noted that when you complete the Risk Log you should consider both risk acceptance and risk transferring as preventive actions and thus describe them in the relative column (refer to Annex 1-6).


© 2007 Republic of Cyprus, Treasury of the Republic, Public Procurement Directorate
Home Page | Government Web Portal | Disclaimer | Webmaster