Risk management is often treated as a one-off exercise: risks are identified at the beginning of a project, documented, and then quietly forgotten. In reality, risks evolve. Probabilities change, impacts shift, new risks emerge, and others disappear entirely.
Effective risk management is therefore not a static artifact but a continuous practice that needs to be integrated into everyday project work.
The risk table as a working tool
My primary tool for managing risks is deliberately simple: a table that is easy to maintain and easy to understand. The value lies not in methodological sophistication, but in regular review and honest assessment.
The table consists of four columns:
- Probability of occurrence
- Impact
- Mitigation measures
- Status
Probability of occurrence
Instead of pretending to calculate precise probabilities, I use clearly defined ranges:
- < 20%
- 20–40%
- 40–60%
- 60–80%
- > 80%
This avoids false precision and forces a conscious decision. The goal is not statistical accuracy, but a shared understanding of how likely a risk is perceived to be.
Impact
Impacts are assessed in terms of their concrete effect on the project and the team:
- no noticeable impact
- individual team members are affected
- a large part of the team is affected
- project execution is at risk
- the project is likely to fail
Framing impact this way makes discussions more grounded. It becomes immediately clear why a risk deserves attention—or why it can be tolerated.
Making risk severity visible
To make the overall severity of risks immediately visible, I color the cells in the probability and impact columns based on their respective values. Low probability and low impact remain visually unobtrusive, while higher values stand out clearly.
In addition, the table is sorted by a combination of probability and impact. This ensures that the most critical risks naturally rise to the top, while less severe ones move down the list. No additional explanation is required—anyone looking at the table can instantly see where attention is needed and where it is not.
This visual ordering turns the table into a practical decision aid rather than a static register.
Mitigation measures
Mitigation measures describe specific actions, not intentions.
Good measures are:
- clearly formulated
- realistically achievable
- assignable to a person or role
A risk without a mitigation measure is not managed; it is merely observed.
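The sorting and cell coloring described above, together with the rule that a risk without a mitigation measure is only observed, as an added example in Python (not the author's own tooling). The article does not say how probability and impact are combined or which colors are used; this sketch assumes the product of the two ordinal ranks, made-up color names, and an extra `name` column for labeling the sample rows.

```python
from dataclasses import dataclass

# Ordinal scales copied from the article, lowest to highest.
PROBABILITY = ["< 20%", "20–40%", "40–60%", "60–80%", "> 80%"]
IMPACT = ["no noticeable impact", "individual team members are affected",
          "a large part of the team is affected", "project execution is at risk",
          "the project is likely to fail"]
# Assumption: one cell color per rank; the article does not name its colors.
COLORS = ["none", "yellow", "amber", "orange", "red"]

@dataclass
class Risk:
    name: str            # assumption: a label column, not listed in the article
    probability: str
    impact: str
    mitigation: str = ""

    def ranks(self):
        # index() raises ValueError for a label outside the defined ranges,
        # so a free-text value cannot silently sort to the bottom.
        return PROBABILITY.index(self.probability) + 1, IMPACT.index(self.impact) + 1

    def severity(self):
        # Assumption: "combination" means the product of both ranks (1..25).
        p, i = self.ranks()
        return p * i

def sort_register(risks):
    # Highest severity first; ties go to the higher impact, then to the name.
    return sorted(risks, key=lambda r: (-r.severity(), -r.ranks()[1], r.name))

def render(risks):
    rows = []
    for r in sort_register(risks):
        p, i = r.ranks()
        # A risk with no mitigation measure is flagged as merely observed.
        flag = "" if r.mitigation.strip() else "  [observed only: no mitigation]"
        rows.append(f"{r.severity():>2} | {r.probability} ({COLORS[p - 1]}) | "
                    f"{r.impact} ({COLORS[i - 1]}) | {r.name}{flag}")
    return rows

# Constructed sample risks, not taken from the article.
SAMPLE = [
    Risk("Key engineer leaves", "20–40%", "project execution is at risk", "Pair on critical modules"),
    Risk("Vendor API deprecated", "60–80%", "a large part of the team is affected"),
    Risk("Office move", "> 80%", "no noticeable impact", "Announce dates early"),
    Risk("Budget cut", "< 20%", "the project is likely to fail", "Quarterly sponsor check-in"),
]

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
```

The two risks that tie on severity 5 show why the tie-break matters: the unlikely project-ending risk sorts above the near-certain harmless one.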
Status
The status reflects the current handling of the risk, for example:
- new
- under observation
- being addressed
- mitigated
- archived
I don’t just update a label, though: I also add a short status update text to make progress—or stagnation—visible.
Weekly Cleanup: reviewing risks regularly
Risk management only works if it has a fixed place in the weekly rhythm. For me, this happens during my Weekly Cleanup on Fridays.
The session is intentionally short, but consistent. I follow the same steps every week:
- Update the status
  Has anything changed? Has the probability increased or decreased? Has the impact shifted?
- Review mitigation measures
  Are the measures still relevant? Have they been implemented? Do they need adjustment?
- Archive obsolete risks
  Risks that no longer exist or are no longer relevant are archived. An overloaded risk list quickly loses its usefulness.
- Add newly identified risks
  Anything that surfaced during the week but is not yet documented gets added—imperfectly documented risks are better than undocumented ones.
This routine helps ensure that risks rarely come as a surprise. Most of them announce themselves gradually, if someone is paying attention.
Not every risk needs an audience
One deliberate decision is to restrict access to the risk lists. They are only available to a very small circle within project and program management.
This restriction serves a clear purpose. It allows risks to be described in direct and unfiltered language, even if that language might be unsettling to project members when taken out of context. Not every worst-case scenario needs a broad audience—especially when the situation is under control and mitigation is in place.
By keeping the risk list small and confidential, I do not hesitate to document everything that could realistically go wrong. This completeness is far more valuable for decision-making than a sanitized list designed for wide consumption.
Why the effort pays off
The real value of risk management is not the table itself, but the regular reflection on uncertainty. Over time, this creates a shared awareness among decision-makers of what truly matters and where risks are consciously accepted.
Risk management does not eliminate uncertainty, and it does not replace decision-making.
What it does is ensure that decisions are made with open eyes, rather than in hindsight.