The PMBOK defines risk as an uncertain event that, if it occurs, has an effect on project objectives — and note that the effect can be negative (a threat) or positive (an opportunity). 'A module might finish ahead of schedule' is just as much a risk as 'the vendor might deliver late.'
Internationally, the ISO 31000 standard raises risk-management thinking to the organizational level. The core mindset: uncertainty cannot be eliminated, but it can be identified, assessed, responded to, and monitored — turning 'something might go wrong' into 'we have a plan.'
Risk management is not a one-time exercise at kickoff; it is a continuous loop that runs through the whole project. The PMBOK breaks it into seven steps:
1. Plan risk management — set the approach and roles;
2. Identify risks — list everything that 'might go wrong / might turn out well' as completely as possible;
3. Qualitative analysis — quick ranking by probability × impact;
4. Quantitative analysis (optional) — put numbers on the risks that matter;
5. Plan risk responses — pick a strategy for each risk;
6. Implement responses — turn strategies into action;
7. Monitor continuously — new risks emerge and old ones change, so loop back and update.
