Managing Projects: Risks and Issues (part 5 of 5)

Third sector projects present their own unique set of challenges and risks – make sure you’re ahead of the curve when it comes to identifying and managing them.

Managing Projects: Risks and Issues is a 5-part series providing practical advice and a brand new ‘CARE’ model to third sector project managers.

Part 5: Guidelines for creating a risk management strategy

Risks are inherent in all projects and risk management is central to the role of a Project Manager. In parts 1 – 4 of this blog, we have outlined our ‘CARE’ model for managing risks. This final blog of the series focuses on creating a risk management strategy.

The purpose of the risk management strategy is to define the processes, tools and procedures that will be used to manage and control risks for the project.  Your strategy documents how the project will take a planned and systematic approach to the identification, evaluation and control of risk throughout the life of the project and should be updated as needs change.  Specifically, it should outline your risk management approach, constraints, requirements and roles for this project.  It should also detail how risks are identified, recorded, rated, managed and communicated.

Due to the high-risk environment in which we operate as charities / community organisations, we typically have many specialised risk management policies which cover the risks associated with the organisation, your client group and your operations (for example safeguarding policies). Your project’s risk management strategy is a subset of these and relates specifically to the project. It does not repeat information incorporated into the charity’s higher-level risk management strategies, which should always be adhered to (for example, health and safety policies).

As a Project Manager, it is your role to be proactive in ensuring effective risk management on projects. You should ensure that processes have been put in place to review whether risks still exist, whether new risks have arisen and whether the likelihood and impact of risks have changed, to report significant changes which adjust risk priorities, and to deliver assurance of the effectiveness of control.

The overall risk management strategy should be subjected to regular review to deliver assurance that it remains appropriate and effective.  Review of risks and review of the risk management strategy are distinct from each other and neither is a substitute for the other.

When creating your strategy, you should include sections for:

1. Strategy purpose and overview

You should define the purpose of your risk management strategy and where it sits within the overall organisational policies. Within this you should outline the Project Manager’s role in relation to delivery of this strategy, and include how and when the strategy will be reviewed and updated.

2. Your risk management objectives and how you will achieve these in a clear and summarised format.

For example:

Our risk management objectives are to:

  • ensure that risk management is clearly and consistently integrated into the project management activities and evidenced through the project documentation;
  • comply with the organisation’s risk management processes and any governance requirements as specified by the Charity Commission; and
  • anticipate and respond to changing project requirements.

These objectives will be achieved by:

  • defining the roles, responsibilities and reporting lines within the team for risk management
  • including risk management issues when writing reports and considering decisions
  • maintaining a risk register
  • communicating risks and ensuring suitable training and supervision is provided
  • preparing mitigation action plans
  • preparing contingency plans
  • regular monitoring and updating of risks and the risk management strategy

3. How you ‘CARE’ about risks

You should include a section / subsection which explains how you will capture and assess risks, respond to risks and evolve because of risks. Be clear on where, when and how risks might be identified and have mechanisms in place to ensure that identifying and managing risks is thoroughly embedded within the project’s management and communication tools (see part 1 – Identifying project risks).

If you have a RAID Log or a Risk Register define how these will be used. Provide guidelines which explain the purpose, definitions, formatting and formulas included within the logs.  This might be done as an appendix but be clear you have these!  Also include definitions of risk ratings and the calculations applied to risk ratings (see part 2 – Assessing project risks).

Specify how risk review dates are set, and how often the risk register will be reviewed and updated. Include information here about how you will respond to risks.  Who is responsible for creating mitigation action plans and what format will these take / how will they be documented?  When are these done?  Are they done for all risks, or only for risks above a specific rating?  Similarly, outline your response process for issues (see part 3 – Responding to project risks and issues).

Previous experience shows that many organisations and Project Managers agree on the importance and value of learning and sharing best practice in their continuous improvement, but only a small percentage are using tools and processes for capturing and sharing lessons learned and applying recommendations. Outline within your strategy how you will use your learning from risks and issues to help your project and your organisation evolve (see part 4 – Evolving as a result of project risks and issues).

4. Communicating risks

Include a section that summarises how risks will be communicated, to whom and for what reason.  This will also be a part of your overall communications plan, so you may also refer to this document.

5. Risk tolerances

Set out the project risk tolerances and risk or issue escalation procedures, being clear on when and how these will be reported upwards.


We hope you have enjoyed reading our risk management blog.  Whilst it’s impossible to include everything in a blog series, we hope you find it useful and welcome your feedback.  If you have enjoyed the blog, and found it of use, please share it, and send us examples of where it has been helpful, so we can share this with others.  For more of our blogs and articles please visit

Nikki-Dee Haddleton is Director of PM3 – Project Management for the Third Sector.  Incorporating feedback from Third Sector organisations and Project Management professionals they have designed a framework specifically for Project Managers in the Third Sector.   PM3 – Project Management for the Third Sector delivers high quality, affordable Project Management consultancy and freelance services, training, support and more. 
