What is a Risk Analysis?
A risk analysis in a project is a structured procedure through which the project team identifies potential risks, estimates their probability and potential damage, and then prioritizes them. It answers three central questions: What can go wrong? How likely is that? And how severe would the consequences be?
The basic formula is:
Risk Value = Probability of Occurrence × Extent of Damage
The higher the risk value, the more urgently the project team must act. The risk analysis thus provides the decision-making basis: Which risks require immediate action, which will be monitored, and which are consciously accepted?
The risk analysis is one step within the broader risk management process. While the analysis ends with identification and assessment, risk management covers the entire lifecycle — from analysis through action planning to ongoing monitoring.
Goals of a Risk Analysis in Projects
- Make risks visible early. Anyone who only recognizes risks when they materialize can only fight symptoms. Risk analysis makes threats visible before they become problems.
- Deploy resources in a targeted way. No project can guard against every conceivable risk. Prioritization directs limited resources toward the greatest threats.
- Create transparency for stakeholders. A documented risk analysis shows clients and senior management that the project team is acting proactively — and where it needs support.
- Lay the groundwork for countermeasures. Without analysis, there can be no effective countermeasures. The assessed and prioritized risks are the direct input for action planning.
What Types of Risks Exist in Projects?
Project risks can be divided into five categories. The boundaries are not always clear-cut — a risk can affect multiple categories — but the framework helps ensure no blind spots are overlooked.
- Technical risks: Faulty systems, incompatible interfaces, insufficient performance, data loss during migrations.
- Organizational risks: Resource shortages, scope creep, low user acceptance, unclear responsibilities, dependence on key personnel.
- Economic risks: Budget overruns, rising supplier prices, unexpected market changes. An early cost-benefit analysis helps quantify these risks before the project even starts.
- Legal and regulatory risks: New legislation, data protection requirements (GDPR), compliance violations.
- External risks: Political changes, supply failures, natural events, pandemics.
In public administration, the German Federal Administrative Office (Bundesverwaltungsamt) identifies additional typical categories: politics and strategy, subject-matter expertise, contract management with external contractors, and organizational risks related to project structure.
A detailed guide to systematically collecting risks can be found in our article on identifying project risks.
Conducting a Risk Analysis: 5 Steps
1. Define the Context
Before the team collects risks, it needs a shared understanding of the project: What are the project goals? What scope has been defined? What constraints apply — budget, deadlines, regulatory requirements? Who are the relevant stakeholders?
In this step, the team also defines the assessment criteria: What scale will we use for probability of occurrence and impact? At what risk value do we act? These agreements prevent everyone from later assessing based on their own judgment.
2. Identify Risks
Now the team collects all risks that could jeopardize the project. Proven methods include:
- Team brainstorming — different perspectives uncover different risks.
- Checklists from previous projects — lessons learned are one of the most fruitful sources.
- Expert interviews — consulting specialists individually to avoid groupthink.
- Change of perspective — instead of asking “What will go well?”, ask: “How could this project fail?” This shift in thinking often relieves pressure and creates space for honest assessments.
The result is a comprehensive risk list. The practical tip from the Bundesverwaltungsamt’s S-O-S handbook: only include project-relevant risks. Risk lists quickly become too large and unwieldy when general corporate risks are added in.
3. Assess Risks
Each identified risk is evaluated on two dimensions — separately from each other, to avoid conflating the values:
- Probability of occurrence: How likely is it that the risk will materialize?
- Impact: How severe would the consequences be for time, cost, or quality?
The two values together yield the Risk Priority Number (RPN = P × I). The higher the RPN, the more urgent the need for action. Our article on assessing risks describes detailed methods and scale definitions.
4. Prioritize Risks
The assessed risks are entered into a risk matrix. The position of each risk — determined by the intersection of probability and impact — yields the risk category:
- Red (Critical): Immediate action required, escalate to project management.
- Orange (High): Prioritize measures and implement promptly.
- Yellow (Medium): Plan measures, review regularly.
- Green (Low): Monitor, document in the risk register.
Prioritization forces focus: not every risk can be addressed simultaneously. The team concentrates on the red and orange areas — that is where the greatest leverage lies.
5. Document the Results
The central output document of a risk analysis is the risk register. It contains at minimum the following for each risk:
- Unique ID and description
- Assessment (probability of occurrence, impact, RPN)
- Risk category (from the risk matrix)
- Responsible person
- Status (open, in progress, closed)
The risk register is the bridge between analysis and action planning. It becomes a living document that is updated at every status meeting. The risk responses built on it — avoid, reduce, transfer, or accept — are the logical next step.
Risk Analysis Methods
Qualitative Methods
Qualitative methods work with assessments rather than numbers. They are particularly suitable in early project phases, when hard data is lacking.
| Method | Approach | Effort | Area of Use |
|---|---|---|---|
| Brainstorming / Risk Workshop | Free collection within the team, followed by clustering | Low | Any project, starting point |
| SWOT Analysis | Systematically contrasting strengths, weaknesses, opportunities, and risks | Medium | Strategic projects |
| Delphi Method | Anonymous expert consultation in multiple rounds until convergence | High | Complex projects, limited experience data |
| SWIFT Analysis | Structured What-If Technique: systematic what-if questions | Medium | Process changes, technical projects |
For strategic projects, the SWOT analysis offers a proven framework that makes risks visible in the context of strengths and opportunities.
Quantitative Methods
Quantitative methods assign numerical values to risks. They require more data but deliver more precise results.
- FMEA (Failure Mode and Effect Analysis): Evaluates each risk based on three factors — probability of occurrence, severity of impact, and probability of detection. The product yields a more differentiated Risk Priority Number than the simple P × I formula. FMEA is particularly common in product development and quality management.
- Monte Carlo Simulation: Runs thousands of scenarios with random variations of input values. The result is probability distributions — for example: “There is an 80% probability that the project will take between 14 and 18 weeks.” Particularly valuable for scheduling and cost planning.
- Decision Tree Analysis: Maps decision situations as a tree structure, with probabilities of occurrence and expected values at each branch. Helps in evaluating alternative strategies.
Standards-Based Approaches
- ISO 31000: The international standard defines a framework for risk management that can be applied to any industry and project size. The core process follows the PDCA cycle: Plan, Do, Check, Act.
- BSI IT-Grundschutz: Specifically for IT projects, the German Federal Office for Information Security (BSI) offers a structured approach to risk analysis. The associated online course is publicly accessible.
Risk Analysis in Projects — A Practical Example
A mid-sized company is planning a website relaunch. The project includes a new design, a migration to a new CMS, and a revision of 200 content pages. Budget: €60,000, timeline: 4 months. The project team conducts a risk analysis in a two-hour workshop.
Identified Risks
- R1 – Content delivery is delayed. The specialist departments must supply texts and images, but are absorbed by day-to-day operations.
- R2 – SEO rankings drop. Changed URLs and a new page structure may cause existing rankings to be lost.
- R3 – CMS migration partially fails. Not all content can be migrated automatically; manual rework ties up resources.
- R4 – Agency capacity is insufficient. The external agency is serving other clients simultaneously.
- R5 – Go-live date conflicts with trade fair appearance. The marketing team would not be available for the launch in an emergency.
Assessment and Prioritization
| Risk | P | I | RPN | Category |
|---|---|---|---|---|
| R1: Content delivery delayed | High (3) | High (3) | 9 | Critical |
| R2: SEO rankings drop | Medium (2) | High (3) | 6 | Medium |
| R3: CMS migration partially fails | Medium (2) | Medium (2) | 4 | Low |
| R4: Agency capacity | Low (1) | High (3) | 3 | Low |
| R5: Go-live conflicts with trade fair | High (3) | Medium (2) | 6 | Medium |
Assessment on a 3×3 scale: 1 = Low, 2 = Medium, 3 = High
Result
The risk analysis revealed R1 (content delivery) as the most critical risk. The consequence: the project team set fixed delivery deadlines per specialist department and started the content phase four weeks earlier than planned. For R2, a complete redirect map was created in Sprint 1, rather than being added — as is typical — shortly before go-live. Without the risk analysis, both issues would only have come to light when the time pressure was already critical.
A more detailed example with seven risks, a detailed risk matrix, and a complete risk register can be found in our article Risk Management Example.
Risk Analysis vs. Risk Assessment vs. Risk Management
The three terms are frequently used interchangeably — but they refer to different things:
| Term | Scope | Result |
|---|---|---|
| Risk Assessment | Single step: estimating probability of occurrence and impact | Risk value (RPN) per risk |
| Risk Analysis | Identification + assessment + prioritization | Prioritized risk list, risk matrix |
| Risk Management | Complete cycle: analysis + measures + monitoring | Risk register, implemented measures, status reports |
The risk analysis is thus the analytical core of risk management. It delivers the picture of the risk situation — risk management ensures that this picture translates into action. Detailed information on assessment can be found under Assessing Risks.
Practical Tips
-
Start early. Risk analysis belongs in project planning, not in a project crisis. The earlier risks are identified, the less costly countermeasures will be.
-
Work as a team. Individual assessments are error-prone. Different perspectives — specialists, project management, stakeholders — combine to form a more realistic overall picture.
-
Foster an open error culture. Risks are only honestly named when no one is punished for doing so. Project management must lead the way — including by naming its own competency gaps as a risk.
-
See risks as opportunities. When searching for countermeasures, faster, cheaper, or better solutions may emerge that would never have been found without the risk. Opportunity management uses the same logic with a positive sign.
-
Repeat regularly. A risk analysis at the start of a project is valuable — but only if it is updated as the project progresses. New risks emerge, existing ones change. Make the analysis a fixed part of your status meetings.
-
Start simple. A pragmatic risk analysis with five risks and a 3×3 matrix beats a perfect analysis that fails due to its complexity and is never completed.
Frequently Asked Questions
What is a risk analysis in project management?
A risk analysis in a project is the systematic process of identifying potential threats, assessing their probability of occurrence and impact, and prioritizing them by urgency. The result — a prioritized risk list, often represented as a risk matrix — forms the basis for targeted countermeasures.
How do you conduct a risk analysis?
In five steps: (1) Define the context — clarify project goals and assessment criteria. (2) Identify risks — through brainstorming, checklists, and expert interviews. (3) Assess risks — estimate probability of occurrence and impact separately. (4) Prioritize risks — categorize them in a risk matrix. (5) Document the results — record them in the risk register.
What risk analysis methods exist?
A distinction is made between qualitative and quantitative methods. Qualitative approaches such as brainstorming, SWOT analysis, or the Delphi method work with assessments. Quantitative methods such as FMEA, Monte Carlo simulation, or decision tree analysis assign numerical values to risks and are suitable when sufficient data is available.
What is the difference between risk analysis and risk management?
Risk analysis is one step within risk management. It encompasses the identification, assessment, and prioritization of risks. Risk management goes further: it includes the planning and implementation of measures, as well as ongoing monitoring and control throughout the entire project lifecycle.
How often should a risk analysis be updated?
At minimum at every milestone and in every project status meeting. Risks change as the project progresses: new ones arise, existing ones become more likely or lose relevance. A regular rhythm — for example every two weeks — ensures that the risk register stays current and no surprises emerge.
Senior Advisor
Jörg Friedrich is the original author of the project management software Allegra and continues to accompany its development to this day. He has many years of industry experience as a project and department manager. He also serves as a professor in the Faculty of Computer Science and Information Technology at Esslingen University of Applied Sciences.
