❤️ 15/15

Risk isn't only bad news: the two-sided definition and the seven-step loop

The PMBOK defines risk as an uncertain event that, if it occurs, has an effect on project objectives — and note that the effect can be negative (a threat) or positive (an opportunity). 'A module might finish ahead of schedule' is just as much a risk as 'the vendor might deliver late.'

Internationally, the ISO 31000 standard raises risk-management thinking to the organizational level. The core mindset: uncertainty cannot be eliminated, but it can be identified, assessed, responded to, and monitored — turning 'something might go wrong' into 'we have a plan.'

Risk management is not a one-time exercise at kickoff; it is a continuous loop that runs through the whole project. The PMBOK breaks it into seven steps:

1. Plan risk management — set the approach and roles;
2. Identify risks — list everything that 'might go wrong / might turn out well' as completely as possible;
3. Qualitative analysis — quick ranking by probability × impact;
4. Quantitative analysis (optional) — put numbers on the risks that matter;
5. Plan risk responses — pick a strategy for each risk;
6. Implement responses — turn strategies into action;
7. Monitor continuously — new risks emerge and old ones change, so loop back and update.

💡A good project manager manages both 'don't let things go wrong' and 'seize the unexpected upside.' Watching only threats while ignoring opportunities is doing half the job of risk management — which is exactly why the PMBOK gives threats and opportunities each their own set of response strategies (covered in step 3).
Risk's two-sided definition — threats and opportunities — and the seven-step loop from planning all the way to continuous monitoring and back