How to involve the team and the customer in project risk management

The Author:
Oleksiy Shebanov,
Trainer & Managing Partner @E5
Director. Head of PMO @ Intellias
Certified PMP, ICP-APM, TKP

Project management plays an important role in IT development at every scale, from a small application where a user can track calories to a full-fledged cross-platform cloud system.

As of 2023, there are approximately 168,000 companies involved in developing professionals in this field and integrating them into outsourcing projects (or even allowing businesses to hire experts to expand their staff).

This statistic demonstrates to us that the role of a Project Manager is currently critically important and also quite popular among those who are either learning this profession or simply wishing to requalify.

For their work, such specialists use specialized software, the market capitalization of which is projected to reach $9.81 billion by 2028. Once again, using this statistic as an example, we see that the niche is significant, and the role is valued by those who avail themselves of PM services, namely IT professionals.

If you want to learn more about the role of PM in projects, its areas of responsibility, and spheres of influence, we recommend you visit our portal where thematic materials on these issues are gathered.

Today, let’s talk about the importance of project risk management and delve into the following aspects:

  • What are the ceremonies of risk management?
  • How are these risks visualized?
  • What roles and responsibilities exist in the process?
  • How to sell this service to the client.
  • Why a project only benefits from risk management.

The article is crafted by leading experts who, from their own experience, understand the nuances of everything related to Business Analysis (BA) and Project Management (PM). We assure you that you won’t be bored while reading this material.

And let’s begin with a concise definition of the term “risk culture.”

Briefly about the main points: what is risk culture and why it is essential for a project manager. Where to seek support?

“Risk culture” refers to the attitude towards risks and their acceptance at all levels, from top management to project developers.

Typically, “risk culture” is supported by four pillars:

  1. Proper attitude from the top: It is important for top management to set an example of how to adhere to the company’s values and respond to risks.
  2. Accountability: All project participants should understand the values of the same risks and be able to adequately respond to them or even mitigate them as needed during the work process.
  3. Effective response to changes: Absence of constraints that would limit adjustments to processes, goals, or project values, reactions to risks, etc.
  4. Incentives: Financial or non-financial stimulation of employees, rewards for activity and initiative, integration of KPI metrics into processes.

Another important nuance: understanding risks, their value, and impact on the project should be present in everyone involved in development: in teams, stakeholders, investors, clients.


There should be an integrated concept of a “risk sponsor”: the client or investor must understand (usually through financial examples and figures) how a particular risk will impact the project.

For instance, if a key performer (such as an architect or lead developer) leaves the project, it will have certain consequences (missed deadlines, low quality, shift in priorities, etc.). This, in turn, will cost a certain amount of money (N), which will be spent on finding a new specialist and addressing the consequences of the previous person’s departure.

This allows the interested party to make a proactive decision and focus on addressing the issue before it arises.

Business needs

It is essential to have support among those directly involved in the development process. This can include both functional managers and stakeholders, investors, and department heads.

First and foremost, you need to formulate the key points explaining why risk management is crucial for the company. For example, to:

  • Increase the number of successful projects.
  • Identify and eliminate potential risks.
  • Effectively manage resources and processes based on risk assessments.
  • Protect the company’s resources, investors, etc., from the negative impact of problem consequences.
  • Add value to the business.
  • Implement metrics.
  • Make informed decisions.

This is by no means an exhaustive list of arguments that can be used to promote and popularize the idea of risk management within the company, with a priority focus on top management.

GAP Analysis

To convey the value of risk management, it is first necessary to identify and explore the risks. Only with concrete figures in hand should a constructive dialogue about integrating this algorithm begin.

Alternatively, a GAP analysis can be conducted during which:

  • The amount stakeholders are willing to spend to mitigate potential problems will be determined.
  • The cost of implementing preventive risk identification and neutralization will be assessed.
  • The methodologies to be used, the overall process, and the existence of potential risks that could negatively impact project owners will be examined.
  • Metrics that can describe and visualize the potential impact of theoretical problems on the business as a whole will be identified.

This will allow demonstrating to stakeholders the importance of risk management not only for the current project but also for the business as a whole.

The roadmap for risk management integration

Don’t expect the process of implementing risk management to kick off and progress on its own. The role of the Project Manager (PM) is crucial in this regard. As the saying goes, “if you cooked the porridge, you should also be the one to cook and consume it.”

Therefore, following the genre’s conventions, as a PM, you need to execute the roadmap for implementation. Here’s how to do it:

  • Break down the process into several stages (monthly, for example).
  • Sequentially introduce specific aspects of management, such as risk levels, then procedural templates, followed by priorities, and so on.
  • Identify individuals responsible for risks, the “owners”, who, alongside you, will track and respond to potential problems, such as development team leads.
  • Establish criteria for assessing risks.
  • Develop algorithms for proactive problem mitigation.

In the end, you will be able to effectively, and most importantly, systematically implement risk management in the company (or at least in a specific project).


Another significant factor in forming risk management is the roles. Roles, in a very conditional sense, are distributed among all stakeholders.
For example:

  • Steering Committee: This can be seen as a commission overseeing the identification of risks and ensuring that processes for their mitigation are proactively executed. Typically includes stakeholders, investors, product owners, etc. They are vested with the authority to make key decisions regarding what to do with the risks.
  • Risk Owners: Responsible individuals (often team leads, department managers, etc., down to individual developers) who control risks at each level, either mitigating them or minimizing their impact on the project.
  • Project Manager: The linchpin of the entire risk management process. Ensures that rules and processes are followed by everyone involved in the project. Also communicates with upper and lower levels to synchronize the understanding of what these risks are, what consequences they might have, and how to address or prevent them.
  • Business Analyst: The person who documents and analyzes risks, their potential impact on the project. Accordingly, communicates with the Project Manager, stakeholders, top management to develop an effective risk management strategy.

Without these specified roles, the entire risk management system will collapse before its full implementation begins. Therefore, consider this and allocate roles at the early stages of methodology implementation.

Risk Management: Integration and Emphasis at Different Stages

Depending on the phase at which you, as a Project Manager (PM), want to implement the risk management system, the complexity and feasibility of this process are determined. The further from the project launch, the more you and all development participants will focus on issues rather than their prevention. Therefore, it is crucial to implement the system in the early stages.

Initiation stage or pre-project release

First and foremost, it is important to think about risks together with the team to identify them more effectively, considering both positive and negative aspects.

The positive aspect involves opportunities that arise from risks. It may sound like a paradox, but it is not. For instance, if there is a risk that the project may fail in a specific region, it makes sense to reconsider the market where the product will be launched.

Imagine the prospects that open up if you change the region of publication from the Commonwealth of Independent States (CIS), for example, to Europe, the USA, or Asia. This includes a broader target audience, better monetization conditions, and more democratic regulators. Isn’t it a potential profit?

The negative aspect is primarily associated with potential problems. They may or may not occur, but it is better to anticipate them and implement preventive measures to mitigate these risks.

During the initiation stage, it is also crucial to discuss risks from three perspectives:

  1. Client perspective: segmentation, promotion channels, monetization models, value, demand, etc.
  2. Product perspective: problem/solution, value of the solution and proposals, measurement metrics, etc.
  3. Market perspective: alternatives, revenue channels, implementation cost, potential ROI, prospects.

Identifying risks at this stage allows engaging the client in the risk management process. It is also an opportunity to discuss with the client (or investor) the difference between the costs of preventive risk mitigation and addressing problems. Typically, the latter is more expensive and extensive since it requires quick and massive resource involvement in the project.

Next, pay attention to contracts, or more precisely, their types. Each type of contract carries certain risks for all parties involved. Therefore, it is important to find a golden compromise, and typically, this is the Time and Materials (T&M) model. Risks, especially those identified at early stages, should be explicitly outlined in the contract.

Another aspect to consider is the Cost of Quality (COQ). Mistakes always cost more, so it is worth focusing on the project’s quality from the beginning. Even the ISO 9001 standard stipulates that the quality of the product depends entirely on risk management. Therefore, using the language of quality will make it easier to convince the client of the necessity to implement such a system.

Risk Project Management

Risks help achieve the qualitative goals of the project. They show where and how we deviated from the course of development and what needs to be done to get back on track.

To prevent potential problems, project risk management is implemented. Typically, it consists of 7 key stages:

  1. Planning: Selecting tools and methodologies, setting priorities, role allocation, etc.
  2. Identification: Defining risks, localization and description, preparing a plan for their mitigation. Also, categorizing risks, such as:
    – Project risks.
    – Technical risks.
    – Organizational risks.
    – Business risks.
    – External risks.
    – Financial risks.
    – Reputational risks.
  3. Analysis: Constructing a matrix of possibilities, including various risks with an index indicating the likelihood of occurrence and the difficulty of mitigation.
  4. Another Analysis: Translating risks into the language of finance and time. Usually used for working with investors, stakeholders, or clients. Visually demonstrates how much and why the client may lose.
  5. Risk Response Planning: Focusing on designing appropriate actions that will be taken depending on the situation. Typically, these have the following options:
    – Escalation: Taking the issue beyond the project scope.
    – Avoidance or exploit: Changing the plan to exclude the risk.
    – Transfer or share: Delegating the risk to another party.
    – Reduction or enhance: Minimizing the impact of the risk on the project.
    – Acceptance: Accepting the risk.
  6. Implementation of Risk Responses: Describing how risks are controlled and what scenarios are available for responding to them.
  7. Risk Monitoring: Conditionally, the ROAM strategy from SAFe:
    – Resolved: The risk is resolved, the opportunity is utilized.
    – Owned: The risk exists, it is under control.
    – Accepted: The risk is accepted, and we manage it.
    – Migrated: Transferred to another party.

For all risks, a reporting system must be implemented. It is necessary to effectively monitor active, resolved, delegated, or ignored risks. Additionally, it facilitates reporting on the execution of the risk management plan to stakeholders, investors, the team, etc.

What to pay attention to before starting to implement risk management.

Everything you have read in this material can be applied only if all standards are adhered to and preparatory work has been carried out. And the latter probably plays a key role and directly affects whether you can build a risk management system and whether it will be effective.

Therefore, before starting the implementation, evaluate:

  • The level of risk management maturity in the company and the client organization. It may be that you have established a system, but the client does not need it. Conversely, when the client has already implemented this management at the micro level, and your level is much simpler. In the latter case, you will need to adapt fairly quickly.
  • The scale of the project and the overall scope of potential risks. Are you sure you can cover absolutely all risks and manage them effectively? How many risks can there be in general? Is your client willing to incur additional costs, etc.?
  • The amount of resources. Risk management is primarily about the availability of personnel, about the number of experts that can be involved in control. This includes not only from the executor’s side but also from the client’s side. The larger the project, the more people you will need. Take this into account.

If you are confident that you can handle the quest, that is, provide the resources and experience for effective risk management, then go ahead, set up the system, and reap the benefits!

Let’s summarize

The quality of the product, as well as its ultimate value, and the reputation of the development studio and IT solution provider, depend heavily on the effectiveness of risk management. Although the role of a Project Manager (PM) focuses on other aspects of development, implementing a risk management system is an additional option that can impact a professional’s career growth. However, these are more of the beneficial aspects.

From a practical perspective, risk management is a complex but effective process that makes it possible not only to enhance the product’s quality but also to optimize the costs of its development and maintenance. In numerical terms, it translates into savings on what could have occurred if the problem had not been proactively addressed.

For a development company, investors, or clients, risk control enables making informed decisions that are guaranteed to improve both the project and its viability in the market. Therefore, the implementation of these processes is critically important for everyone involved in working on a product or project.

If you would like to learn more about project or risk management, nuances of business analysis, or anything else from this industry, register on our portal and get exclusive access to the best educational materials and the expertise of professionals. Learn, grow, and join the ranks of experts who bring exceptional value to IT companies and the world.
E5 – your knowledge partner in the field of project management, business analysis, and other niches in the management industry.