The essence of risk control and monitoring is different from the other control processes we have discussed so far. While the scope, costs, schedule, and quality dimensions are expected to closely follow the initial implementation plan without significant changes, the risk landscape is expected to change drastically during the execution of the project: new risks will emerge, initial risks will not be relevant anymore, the estimated impact of previously assessed risks will change.

This makes periodic risk control and monitoring an important part of ensuring the success of your project. Among other relevant goals, the risk control and monitoring processes target:

  1. Reassessing the project assumptions and checking their validity.
  2. Revisiting previously assessed risks to verify whether they are still relevant for the project and, if yes, whether they need to be updated.
  3. Ensuring that the project team (the project manager included) is following the correct procedures for responding to materialized risks.
  4. Recalculating project reserves based on the most updated version of the risk assessments and the project management plan.

Since the risk control and monitoring process is dynamic, it might require you to perform full risk assessments and analyses even after the initial estimations are completed and approved. This is why we will start this article by revisiting the most common and useful tools for qualitative and quantitative risk analysis.

1. Revisiting Qualitative and Quantitative Tools for Risk Analysis

In our article about creating a risk management strategy, we discussed in detail how to define risks, estimate their impacts on the project outcome, and implement several preventive measures to minimize the risks of a project.

Due to the unique nature of risk monitoring, many of the tools presented in that article are also very useful for properly implementing risk control processes. This is why we will dedicate this section to briefly revisiting the process for identifying, classifying, and quantifying the risks in a project. Before we move on to discuss risk control and monitoring in more detail, we will take the opportunity to review the recommended process phases, as well as the estimation techniques relevant to each phase.

1.1 Risk Identification and Categorization

Risk identification and categorization are the two initial steps in the process of assessing new project risks. They involve dropping all barriers and prejudgments and letting ideas flow freely regarding both threats against and opportunities in favor of your project.

An important distinction must be made at this stage. In this article, we will mostly use threats to the project as examples for our risk assessment and control tools. This doesn’t mean, however, that you cannot apply the same reasoning to identify project opportunities. The process is largely the same regarding the impact and probability estimations, as well as the expected impact and quantitative analyses; the only difference is that opportunities are expected to facilitate the execution of your project, while threats are expected to hinder it.

1.1.1 Risk Identification

Risk identification is the first phase in the risk analysis process and it provides essential inputs to all subsequent risk evaluation stages. Without properly identifying and categorizing risks, there are non-negligible chances that you might miss an important risk or spend a disproportionate amount of resources on assessing irrelevant threats.

The first step is to identify all the potential risks to the project. There are several techniques for that, the most common being Brainstorming Sessions. They bring together the project team and give everyone the opportunity to contribute by pointing out potential risks to the project. There should be no filter or pre-assessment here: the goal of brainstorming is precisely to list as many risks as possible.

The second source of potential risks is historical data. Past similar projects within your organization are an important source of past relevant risks and their impact on the project outcome. Since past data normally contains information about whether a risk actually materialized or not and its actual impact, it can be used during the impact and probability estimation stages. In addition to project-specific data, analyzing the risks that are widespread in your industry and the macroenvironment in which your business operates are two ways of identifying external risks that might have important repercussions for your project.

A third source for risk identification is the expert interview. This might not be as relevant as the two previous sources, but it still plays an important role. The historical data might not always reflect all potential risks; for example, if several risks were discarded as irrelevant at the very beginning of the risk analysis process, they might simply not appear in the historical registers. Therefore, it might be valuable to consult with higher management and with people who have managed or participated in previous projects to discuss potential project risks.

In addition to the three sources mentioned above, the Delphi Method and the Root Cause Analysis are two other common techniques that might be relevant to identifying the risks in your project.

1.1.2 Risk Categorization

Once you have identified the risks, it’s time to conduct a first screening process by categorizing the risks into relevant categories (which might include, but are not limited to, the sources of the risk, the project area that might be affected, whether the risk has cost, schedule, and/or quality impacts, among others).

There are two main advantages to risk categorization:

  1. You dedicate enough time and effort to analyze the sea of potential risks generated by an unconstrained risk identification process and discard risks that are very unlikely to materialize. By doing so, you become more familiar with the potential threats and opportunities to your project.
  2. By classifying the risks under different categories, the most vulnerable areas of the project become clearer, and you get a better understanding of how to manage them.

1.2 Qualitative Risk Analysis

Once the risks are roughly identified and categorized, it’s time to move to the second stage in the risk analysis journey and implement a qualitative risk analysis. Qualitative techniques are not number-intensive and are very useful for broadly assessing the priority of the risks identified during the first stage. Since it might be quite resource-consuming to perform a quantitative risk analysis on each and every risk, qualitative methods give you the data you need to choose which risks to focus on.

1.2.1 Analysis of Risk Probabilities and Impacts

The first qualitative technique we will revisit is the Analysis of Risk Probabilities and Impacts. Assessing the probability of a risk means estimating the likelihood of that specific risk materializing, while assessing the risk impact means detailing all the possible impacts (positive and negative) that the risk might have on your project.

At this stage, assessing the probability and impact of the risks is not a mathematical, quantitative endeavor. Now is not the time to dive deep into the different probability distributions and respective expected impacts of multiple risk outcomes. Instead, assessing the risk probability and impact at this stage focuses on generally defining how the risk can affect the project and how likely the risk is to materialize.

This is a second screening process, and it introduces some numbers to help you prioritize threats and opportunities according to their probability and their estimated consequences. The following probability vs impact matrix can be used to help you broadly categorize your risks and opportunities.

Figure 01: Impact vs. Probability Risk Matrix

In Figure 01, the x-axis depicts the impact of a certain risk on a specific dimension of the project (it can be cost, schedule, quality, or any other important metric that you have to keep track of). The y-axis depicts the probability of that specific risk materializing. The probability and impact matrix gives you an effective tool for assessing risks based on their probability and impact. It forces you to give a broad numeric estimation for the two dimensions and to place the risk on the matrix accordingly.

The next step is to define the threshold areas for low, medium, and high-priority risks. In our example, we have defined them based on the product of probability and impact:

  1. Low priority: the low priority area is composed of any square which has a product lower than or equal to 0.10.
  2. Medium priority: the medium priority area is composed of any square which has a product between 0.11 and 0.29.
  3. High priority: the high priority area is composed of any square which has a product greater than or equal to 0.30.

Plotting the risks according to their expected impact (the actual impact weighted by the probability of the risk) is more efficient than a unidimensional analysis. If a risk has a high probability (for example, 0.9) but a very low impact (for example, 0.1), the resources we might spend on further quantitative risk analysis and risk prevention might not be worth the value they add by securing the project against the risk. It might be more efficient to provision a general risk reserve and learn how to handle such low-impact risks during the execution of the project. Similarly, risks with a low probability but a high impact might never materialize, therefore neutralizing the benefits of a more detailed quantitative risk analysis.

The main point here is to focus on the combination of probability and impact: focus on the risks that have the highest product of the two dimensions. The specific thresholds that define low, medium, and high-priority risks might be changed and adjusted according to your specific project characteristics.

1.2.2 Expert Judgment

Expert judgment is a complementary source of inputs to help you correctly classify each risk in the probability vs. impact matrix above (Figure 01). If there are risks external to your project - for example, possible changes in your industry landscape or in the political scenario - it might be a good idea to consult with an expert in the field to get more accurate information about the nature and the possible impacts of the risk in your project.

1.3 Quantitative Risk Analysis

Once the risks are classified in the probability-impact matrix, quantitative risk analysis techniques can be applied to profile high-priority risks more accurately.

1.3.1 Three-Point Estimations

The first quantitative technique we will revisit is the three-point estimation. In the three-point estimation, a numerical value is defined for (1) the worst-case scenario, (2) the planned scenario (some resources also call it the most likely scenario), and (3) the best-case scenario. Based on these values and the probabilities of each outcome, you can calculate the expected impact of each risk.

Let’s work through an example. Consider Table 01 (below). The table presents three important areas of a web development project’s WBS, together with the cost estimations for the worst-case, planned, and best-case scenarios. Notice that, because we are talking about costs, the worst-case scenario presents a higher value than the other two.

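WBS Section | Worst-case scenario | Planned scenario | Best-case scenario
------------|---------------------|------------------|-------------------
Design      | $15,000             | $8,000           | $5,000
Implement   | $25,000             | $19,000          | $13,000
Test        | $20,000             | $14,000          | $10,000
Total       | $60,000             | $41,000          | $28,000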

Table 01: Three-Point Estimation for Sample Web Development WBS

The total cost for the web development project is estimated at $60,000 for the worst-case scenario (assuming that, in all stages, the worst-case scenario becomes reality), $41,000 for the planned scenario, and $28,000 for the best-case scenario. This, however, provides only limited information as we are not aware of how likely each scenario is to happen. It also assumes that each scenario will happen consistently throughout the project, an assumption that might not hold. It might be the case that, after a slow and bumpy design phase, the project evolves to the best-case scenario in both the implementation and test phases, leading to a total cost of $38,000.

To generate a more precise figure for our numbers and avoid such assumptions, we should go one step further and gather information about the likelihood of each outcome. Does the planned scenario have the same probability as the other two? Is it twice as probable? We already talked about estimating probabilities in our risk management guide, but the bottom line is that you and the project team will have to somehow come up with realistic probabilities for each outcome. They need not be extremely precise (after all, they are estimations), but they should reflect reality as closely as possible considering the information you have at hand.

Suppose that, after analyzing historical data about similar projects and talking to specialists in your company, you have concluded that the planned scenario is two and a half times as likely as the worst-case scenario, and that the worst-case scenario is twice as likely as the best-case scenario. Let x denote the probability of the best-case scenario becoming true. Following the above specification, 2x accounts for the worst-case scenario probability and 5x for the planned scenario probability. Since we assume that there is no other possible outcome (that’s the idea behind the three-point estimation), the sum of all probabilities should equal one and we can compute the probabilities of each scenario as follows:

x + 2x + 5x = 1 ⇒ x = 0.125, or 12.5%


  • Probability of best-case scenario: x = 12.50%
  • Probability of worst-case scenario: 2x = 25%
  • Probability of planned scenario: 5x = 62.50%

With that in mind, we can update our numbers to reflect the expected value of each WBS area:

E_Design = 15,000 × 0.25 + 8,000 × 0.625 + 5,000 × 0.125 = $9,375

E_Implement = 25,000 × 0.25 + 19,000 × 0.625 + 13,000 × 0.125 = $19,750

E_Test = 20,000 × 0.25 + 14,000 × 0.625 + 10,000 × 0.125 = $15,000

Table 02 (below) has the updated numbers. Notice that now it doesn’t make sense to assume that only the worst-case scenario or only the best-case scenario will materialize. Since we are dealing with probabilities and expected amounts, we can present the total sum of $44,125 as being the expected total cost of our web development project when considering the aforementioned probabilities for each outcome.

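WBS Section | Expected worst-case scenario | Expected planned scenario | Expected best-case scenario | Expected total for WBS stage
------------|------------------------------|---------------------------|-----------------------------|-----------------------------
Design      | $15,000                      | $8,000                    | $5,000                      | $9,375
Implement   | $25,000                      | $19,000                   | $13,000                     | $19,750
Test        | $20,000                      | $14,000                   | $10,000                     | $15,000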

Table 02: Updated Three-Point Estimate including expected outcomes based on probabilities.

An additional improvement that might be relevant for your project is to extend this model to include different probabilities for each scenario at different stages of the WBS. If, for example, the probability of the worst-case scenario for the implementation phase is impacted by the outcome of the design phase, it makes sense to have different probabilities for each step of the WBS.

Another variation of the three-point estimation technique involves, as already mentioned, substituting the planned column by a most likely column. Nonetheless, the process remains the same: impact and probability estimates must be provided for each column, enabling you to calculate the total expected cost of the project.

The three-point estimation technique relies on both accurate impact and accurate probability estimations. It’s not enough to simply assume that each scenario will be equally likely, or to throw some random numbers for worst and best-case scenarios. The whole idea is to look at how your data and processes behave (or should behave) and come up with meaningful figures to help you identify which areas of your project need more attention, and which ones are less likely to be impacted by project risks.
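The three-point calculation above, written out as an added example (not part of the original article). It reproduces the $44,125 expected total, accepts a separate probability table per WBS stage as suggested above, and goes one step further by enumerating every mix of per-stage scenarios to get the probability of each possible total. Treating the stages as independent is an assumption of this example, and the override values in the demo are hypothetical.

```python
from itertools import product

# Cost estimates from Table 01, per WBS section and scenario.
ESTIMATES = {
    "Design":    {"worst": 15_000, "planned": 8_000,  "best": 5_000},
    "Implement": {"worst": 25_000, "planned": 19_000, "best": 13_000},
    "Test":      {"worst": 20_000, "planned": 14_000, "best": 10_000},
}

# Relative likelihoods from the text: best = x, worst = 2x, planned = 5x.
WEIGHTS = {"best": 1, "worst": 2, "planned": 5}


def normalize(weights):
    """Turn relative likelihoods into probabilities that sum to one."""
    total = sum(weights.values())
    if total <= 0 or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative and not all zero")
    return {scenario: w / total for scenario, w in weights.items()}


def stage_probabilities(estimates, default, overrides=None):
    """One probability table per WBS stage; overrides replace the default."""
    overrides = overrides or {}
    return {stage: overrides.get(stage, default) for stage in estimates}


def expected_costs(estimates, probs):
    """Probability-weighted cost of each stage."""
    return {
        stage: sum(probs[stage][s] * cost for s, cost in costs.items())
        for stage, costs in estimates.items()
    }


def total_cost_distribution(estimates, probs):
    """Map each possible project total to its probability.

    Enumerates every mix of per-stage scenarios and assumes the stages
    are independent of each other (an assumption of this example).
    """
    stages = list(estimates)
    dist = {}
    for combo in product(*(estimates[s] for s in stages)):
        total, p = 0, 1.0
        for stage, scenario in zip(stages, combo):
            total += estimates[stage][scenario]
            p *= probs[stage][scenario]
        dist[total] = dist.get(total, 0.0) + p
    return dist


def prob_exceeding(dist, budget):
    """Probability that the project total ends up above `budget`."""
    return sum(p for total, p in dist.items() if total > budget)


if __name__ == "__main__":
    probs = stage_probabilities(ESTIMATES, normalize(WEIGHTS))
    per_stage = expected_costs(ESTIMATES, probs)
    dist = total_cost_distribution(ESTIMATES, probs)
    print(per_stage, "total:", sum(per_stage.values()))
    print("P(total = $38,000):", dist[38_000])
    print("P(total > $41,000):", prob_exceeding(dist, 41_000))

    # Hypothetical per-stage override: a riskier implementation phase.
    risky = stage_probabilities(
        ESTIMATES, normalize(WEIGHTS),
        {"Implement": normalize({"best": 1, "worst": 4, "planned": 3})},
    )
    print("total with override:", sum(expected_costs(ESTIMATES, risky).values()))
```

Under these probabilities the project ends above the $41,000 planned total more often than not, which the three scenario totals in Table 01 do not show on their own.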

1.3.2 Continuous Probability Distributions

Using continuous probability distributions is a more advanced technique than the three-point estimation, and it requires more advanced statistical techniques to be implemented. Discussing them is out of the scope of this article, but if you are interested in reading more about them, the four most common continuous distributions used in project management are the Beta Distribution, the Triangular Distribution, the Uniform Distribution, and the Normal Distribution.

1.3.3 Expected Monetary Value Analysis

The Expected Monetary Value Analysis extends the idea of expected impact to decisions that involve uncertain future outcomes. In simple terms, it looks at the expected outcome of each alternative in the decision-making process and chooses the alternative that has the highest positive (or the lowest negative) expected outcome.

Let’s consider another simple example: your Web Development company is really successful. The demand for your services is booming, so your team is considering whether to build a new office in another city or to expand the current office. Building a new office requires a higher investment than the expansion, and its success depends on future demand (which can be either high or low). We have set up some numbers to make the example clearer:

  • Probability of high demand: 60%
  • Probability of low demand: 40%
  • Building a new office:
    • Upfront investment (cannot be recovered, not even partially): $240,000
    • Revenue under high demand: $400,000
    • Revenue under low demand: $180,000
  • Expand current office:
    • Upfront investment (cannot be recovered, not even partially): $100,000
    • Revenue under high demand: $240,000
    • Revenue under low demand: $120,000

With these numbers, we can build a decision tree, include the monetary values to calculate the expected payoff of each alternative, and then choose the one with the highest payoff. Figure 02 (below) shows what the decision tree would look like, together with the expected payoffs of each choice (build or expand).

Figure 02: Decision tree involving Expected Monetary Value calculations

The calculation of the expected payoffs is fairly straightforward:

Build a new office: p_HD × (Rev_HD - Inv) + p_LD × (Rev_LD - Inv) = $72,000

Expand current office: p_HD × (Rev_HD - Inv) + p_LD × (Rev_LD - Inv) = $92,000

Notice that each branch includes its actual outcome (the outcome in case it becomes true). There is no probability adjustment when calculating the monetary value of each possible outcome. The probability adjustment happens only at the EMV calculation. Calculating the EMV is the process of taking each actual outcome and adjusting it according to its probability. As can be seen, expanding the current office has a higher EMV, so this should be our preferred choice.

1.3.4 Sensitivity Analysis

Last but not least, let’s briefly discuss sensitivity analysis. The goal of sensitivity analysis is to identify the isolated potential impact of a risk on the project, therefore allowing you to prioritize risks. This is done by calculating the extent to which an uncertainty affects the project outcome when all the other risks are kept at their baseline. In other words, what would be the impact of a specific risk if only that risk materialized?

The Tornado Diagram is one of the most common tools for visualizing the isolated impact of each risk and for classifying the risks from most relevant to least relevant. If you want to dig deeper into sensitivity analysis, here is a very detailed guide that presents not only a great explanation about the concept but also other interesting techniques such as univariate, bivariate and probabilistic sensitivity analysis.
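The EMV comparison from section 1.3.3 and the one-at-a-time sensitivity idea from section 1.3.4, combined in an added example (not part of the original article). It recomputes the two payoffs, finds the probability of high demand at which building would overtake expanding, and produces the rows of a tornado diagram for the chosen alternative. The ±20% swing applied to each input is an assumption of this example.

```python
# Figures from the article's office example.
P_HIGH = 0.60
ALTERNATIVES = {
    "build":  {"investment": 240_000, "rev_high": 400_000, "rev_low": 180_000},
    "expand": {"investment": 100_000, "rev_high": 240_000, "rev_low": 120_000},
}


def emv(p_high, investment, rev_high, rev_low):
    """Probability-weighted payoff; the investment is sunk in both branches."""
    if not 0.0 <= p_high <= 1.0:
        raise ValueError("p_high must be a probability")
    return p_high * (rev_high - investment) + (1 - p_high) * (rev_low - investment)


def rank_alternatives(p_high, alternatives):
    """(name, EMV) pairs, best first."""
    scored = [(name, emv(p_high, **a)) for name, a in alternatives.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def break_even_p_high(a, b):
    """p_high at which alternatives a and b have the same EMV, or None.

    EMV is linear in p_high, so the crossing point follows from the
    values at p_high = 0 and p_high = 1.
    """
    a0, a1 = emv(0.0, **a), emv(1.0, **a)
    b0, b1 = emv(0.0, **b), emv(1.0, **b)
    slope_gap = (a1 - a0) - (b1 - b0)
    if slope_gap == 0:
        return None  # parallel lines: one alternative always wins
    p = (b0 - a0) / slope_gap
    return p if 0.0 <= p <= 1.0 else None


def tornado(p_high, alternative, swing=0.20):
    """One-at-a-time sensitivity of an alternative's EMV.

    Each input moves by +/- `swing` (relative) while the others stay at
    baseline. Returns rows (input, emv_low, emv_high, spread), widest first.
    """
    base = {"p_high": p_high, **alternative}
    rows = []
    for name, value in base.items():
        results = []
        for factor in (1 - swing, 1 + swing):
            varied = {**base, name: value * factor}
            varied["p_high"] = min(varied["p_high"], 1.0)  # stay a probability
            results.append(emv(**varied))
        lo, hi = min(results), max(results)
        rows.append((name, lo, hi, hi - lo))
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for name, value in rank_alternatives(P_HIGH, ALTERNATIVES):
        print(f"{name:7s} EMV = ${value:,.0f}")
    p_star = break_even_p_high(ALTERNATIVES["build"], ALTERNATIVES["expand"])
    print(f"build overtakes expand once P(high demand) exceeds {p_star:.0%}")
    for name, lo, hi, spread in tornado(P_HIGH, ALTERNATIVES["expand"]):
        print(f"{name:10s} ${lo:>9,.0f} .. ${hi:>9,.0f}  (spread ${spread:,.0f})")
```

With the article's figures the break-even point is an 80% probability of high demand, so the choice to expand holds as long as the 60% estimate is not off by more than twenty points.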

2. Techniques for Risk Control and Monitoring

Now that we have reviewed an extensive array of risk identification and estimation techniques, we can move to the ones specifically used for risk control and monitoring.

As the project evolves, some risks become irrelevant, while other unforeseen uncertainties come into play and might become important for the future of your endeavors. Risk control is the process of updating your risk estimations based on the new data that is continuously collected during the project execution and identifying new risks that deserve your attention.

2.1 Gathering the necessary inputs for the risk control process

To start with, you will need to gather a few specifications and data tables to conduct several risk monitoring analyses.

The first important document is the risk register, and it is composed of all the identified risks that are being monitored, as well as previously defined risk responses, action plans, warning signs of risks, and risk reserves. This document is essential for you to know exactly how to handle each risk, reassess it, and properly respond to it if necessary.

In addition to the risk register, you will need to gather work performance data and performance reports. Work performance data refer to the raw numbers collected during the project execution. They are normally related to employee output and productivity, costs incurred, the current status of the project, unplanned events that had to be handled, the schedule progress, among other relevant indicators.

Performance reports, on the other hand, contain a detailed analysis of the work performance data and include information such as variance, earned value, and forecasts. Both the raw data and the processed reports are relevant because they provide unique insight into different dimensions of your project execution. Forecasting reports, for example, are key to reassessing risks that involve different future and uncertain scenarios.

2.2 Data Quality Assessment

Risk control and monitoring processes are as good as the data you collect. Therefore, the first stop when monitoring your project risks is to ensure that the data is being gathered and manipulated properly.

There are four major components of high-quality data:

  1. The first, accuracy, means that both the risk essence and how it should be measured are truly understood by your project team and that the most appropriate type of data is being collected.
  2. The second, unbiasedness, means that the instruments and techniques used for the measurement are providing consistent measurements and that there is no inherent bias in them.
  3. The third, reliability, means that there is almost no random variability in the data and that there are no unrelated external or internal influences to the data being collected.
  4. Finally, integrity refers to the consistency and extensiveness of the data. In other words, it means that there are very few missing measurements, that the measurements follow a reliable and consistent pattern, among other integrity concerns.

These four major qualities of the data must be ensured both for the collected work performance data and for the raw indicators that will be measured during risk control and monitoring processes. If your work performance information is flawed in even one of the four dimensions mentioned above, make sure to update the process for data collection, cleaning, and analysis to fix the issues as soon as possible, as these data are also used for cost, schedule, and quality control.

2.3 Risk Reassessment

The risk reassessment technique involves three main activities:

  1. Identification and assessment of new risks
  2. Reassessment of current risks
  3. Closing of irrelevant risks

All these processes require an extensive knowledge of the tools and techniques reviewed above. When reassessing risks, your task is to incorporate the new data collected during the planning and execution of the project to update each risk’s expected impact and reconsider its priority.

Here is a list of changes that might occur to the risk landscape and that call for risk reassessment:

  • Changes in the set of possible outcomes of a risky event: as the project progresses, the possible outcomes of a risk might change. Multi-step approval processes are an intuitive example of this situation: after each approval, the set of possible outcomes is reduced and the respective probabilities must be updated.
  • Changes to estimated probabilities of outcomes: probabilities are one of the fundamental pillars of risk analysis and management. Each and every event that significantly alters the probability of an outcome must lead to the reassessment of that risk.
  • Changes to estimated impacts of outcomes: similarly to probabilities, outcomes play a crucial role in defining the priority and impact of a risk. Risk assessment processes should be implemented whenever there is a significant change to the risk’s possible outcomes.
  • Changes in the priority of the risk: as already mentioned, risk priority is likely to change during the project execution. If a risk becomes more relevant and enters the high-priority spectrum, you should spend some effort to conduct a detailed quantitative analysis of the expected impact of that risk. Similarly, if a risk leaves the high-priority spectrum, you might consider restricting the resources dedicated to assessing that specific risk.

2.4 Risk Audits

While risk reassessment focuses on updating the general risk landscape of your project, risk audits focus on ensuring the effectiveness of risk responses, contingency plans, and the overall risk management process. Risk audits should be performed regularly in order to ensure that the risk management plan includes the most updated information regarding risk impacts. There are several steps involved in performing risk audits:

  1. Electing the risk auditor: the risk auditor is the team member or external stakeholder responsible for performing risk audits and providing changes and recommendations to the risk management strategy. This is normally delegated to the project manager, but in some situations it might be recommended to choose another party (for example, in highly complex projects with multiple areas, a team expert from each area may be chosen to audit the risks related to his or her respective field).
  2. Reviewing the Critical Success Factors: Critical Success Factors are essential for the success of the project. If they are met, your project has a very high probability of succeeding; if, however, one of them falls behind, your project is likely to fail in meeting important stakeholder expectations. Some widely used CSFs include effectiveness of project control and monitoring processes, project budget, project schedule, among others. Identifying the Critical Success Factors at this stage is important because they will define the most relevant types of risk you should audit.
  3. Gathering the evidence: the third step in the risk audit process is to gather actual evidence about how well the team managed past risks and whether the planned risk responses were actually put into place. The evidence is normally collected through interviews (team members, higher management, and stakeholders external to the business) and by accessing past project data.
  4. Auditing the data and creating the audit report: this is where the actual risk audit process takes place. Auditing risks and project performance involves comparing the actual and planned KPIs, as well as identifying the actual impact of past risks in the project indicators. Based on this comparison, the risk auditor should come up with a thorough report containing his or her findings and future recommendations to improve underachieving processes.

Once these four steps are performed and the risk audit report is generated, it’s time for the project manager to review the recommendations and incorporate those considered relevant to the project. Future risk audits will review the effectiveness of these newly implemented changes, giving continuity to a solid and effective continuous improvement process.

2.5 Reserve Analysis

Reserve analysis covers the last of the three critical dimensions of project risks: risk reserves. This task focuses on revisiting your reserves to check whether they have enough resources to handle the current high-priority risks.

As the project evolves, some risks will materialize, others will become irrelevant, and positive externalities might even allow you to save money and time in certain execution stages. All these factors impact both the actual and the required balance of your risk reserves. Hence, periodic reserve analysis is necessary to ensure that risks have a smaller chance of putting your project at risk.

There is no consensus regarding the frequency of reserve analysis: it should be planned according to your project needs. Perhaps you decide that revisiting the reserves is necessary only when a new risk is identified, or perhaps you choose to do that on a regular, periodic basis. It’s up to the project manager to define the frequency based on a cost-benefit analysis of the reserve monitoring process.
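One way to run a reassessment cycle (section 2.3) followed by a reserve check, as an added example that is not part of the original article. It classifies risks with the priority thresholds from section 1.2.1, applies updated estimates, closes irrelevant risks, registers new ones, and reports which risks changed priority. The register entries are constructed, and two things are assumptions of this example: products that fall between the stated bands (for instance 0.105) count as medium, and the required reserve is the sum of probability times monetary exposure over all open risks.

```python
from dataclasses import dataclass, replace

# Priority thresholds from the article's probability vs. impact matrix.
LOW_MAX, HIGH_MIN = 0.10, 0.30


def classify(probability, impact):
    """Priority from the product of probability and impact (both 0..1)."""
    score = round(probability * impact, 4)  # strip float noise at the edges
    if score >= HIGH_MIN:
        return "high"
    if score <= LOW_MAX:
        return "low"
    return "medium"  # assumption: everything strictly between the two edges


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float
    impact: float            # position on the matrix scale, 0..1
    cost_if_occurs: float    # assumed monetary exposure
    status: str = "open"

    @property
    def priority(self):
        return classify(self.probability, self.impact)


def reassess(register, updates=None, closed=(), new=()):
    """Return (updated register, follow-up actions) for one review cycle.

    updates maps a risk name to the fields whose estimates changed.
    """
    updates = updates or {}
    result, actions = [], []
    for risk in register:
        if risk.name in closed:
            result.append(replace(risk, status="closed"))
            actions.append((risk.name, "closed: no longer relevant"))
            continue
        updated = replace(risk, **updates.get(risk.name, {}))
        if updated.priority != risk.priority:
            if updated.priority == "high":
                note = "entered high priority: run quantitative analysis"
            elif risk.priority == "high":
                note = "left high priority: scale back analysis effort"
            else:
                note = f"priority {risk.priority} -> {updated.priority}"
            actions.append((risk.name, note))
        result.append(updated)
    for risk in new:
        result.append(risk)
        actions.append((risk.name, f"new risk, {risk.priority} priority"))
    return result, actions


def reserve_gap(register, reserve_balance):
    """Expected exposure of open risks minus the reserve (positive = shortfall)."""
    required = sum(r.probability * r.cost_if_occurs
                   for r in register if r.status == "open")
    return round(required - reserve_balance, 2)


# Constructed sample register for a web development project.
REGISTER = [
    Risk("Key developer leaves", 0.3, 0.7, 12_000),
    Risk("Hosting outage during launch", 0.1, 0.9, 20_000),
    Risk("Client delays design approval", 0.6, 0.5, 8_000),
]

if __name__ == "__main__":
    updated, actions = reassess(
        REGISTER,
        updates={"Key developer leaves": {"probability": 0.5}},
        closed={"Client delays design approval"},
        new=[Risk("Payment API deprecation", 0.4, 0.5, 10_000)],
    )
    for name, note in actions:
        print(f"{name}: {note}")
    print("reserve shortfall:", reserve_gap(updated, reserve_balance=10_000))
```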

3. Closing the Risk Control and Monitoring Process

Risk control and monitoring activities generate a series of outputs that must be incorporated into your project documentation and revisited in future controlling activities.

The updates to the risk register will record any changes to the existing risk assessments, planned responses, and contingency plans, as well as new risks and respective action plans. In addition to that, changes to project processes might also be necessary depending on the new risk profile of your project. Finally, corrective and preventive measures might be required to, respectively, deal with materialized risks and prevent future risks from becoming true.

4. Final Words

In this article, we have not only reviewed the most common and accessible risk estimation techniques but also presented the most important risk control and monitoring methods for successful risk assessment processes. We have discussed how both qualitative and quantitative techniques are suitable for different types of risks, and how they can be combined to focus on high-priority risks without losing sight of low and medium-priority ones.

Risk control and monitoring is the last of our series about Project Control Processes. In the previous articles, we have discussed the many aspects related to scope, cost, schedule, and quality control. By covering and understanding the underlying principles of each article, you are on the right track for ensuring the sustainability and the long-term success of your project!