Share on Facebook Tweet about this on Twitter Share on LinkedIn
What is Project Risk Management Software?

Project risk management software helps to implement process of identifying, managing, analyzing, and controlling risks affecting projects or portfolio of projects in your organization. In most cases project risk management software is network-based or cloud based and allows multiple users collaborate and share their data. Identified risks are stored in Risk Register, which is a depository of project risks with their properties. Project risk management software helps to determine what happens with risks during a course of project. Important feature of project risk management software is ability to define and manage risk mitigation and response plans and track their execution.  Formalized integrated project risk management and risk analysis process helps to improve overall project management in organization.

If you are just implementing a project risk management in your organization or looking to improve processes, you may be considering purchasing a project risk management software package (if you have not done so already). As there are many software packages to choose from, we thought it would be useful to provide a quick guide to most important capabilities and features that a project risk management software solution should provide. For the purposes of the article, we will look consider those capabilities that support a basic risk management workflow that has the following steps: identify, asses, plan, monitor, and control.

Risk Register

At the center of the risk management process is the risk register. The risk register or risk log is a master document that includes all required information about each risk and is the basis for how each risk is managed during the course of the project. To support this function, risk registers should have 3 components that provide data structure to support risk management.

Risk registers should support multiple risk categories. Risk categories are those project objectives or parameters that a risk could impact. Common risk categories are Cost, Schedule, Safety, and Performance. However, a risk register should be able to accommodate any number of categories required by your organization, though we recommend that the number be minimized as much as possible to avoid overly complicating risk assessments. It is possible to combine related categories into a single category; for example, a single category often represents Quality, Safety, Health, and Environment.

Risk registers are often organized into spreadsheets or similar views where each row represents a risk and each column represents a property of the risk. These properties provide all of the information required to identify, assess, monitor and control you risk over the life of the project and can be people, dates, risk IDs, locations etc. In your risk register, you should be able to add or modify risk properties as required.

Risk Matrix

Risk Matrix is a common tool to assess and prioritize project risks based on their probabilities and impacts. Risk matrix assesses the risk by locating the probability or likelihood of the risk occurring against the severity or consequence of the impact if the risk occurs. Risk matrixes are commonly set up as cubes where rows represent categories for probability and columns represent categories for impact. Each category can represent a range of probabilities and impacts, such as a probability of Very Likely or impact of Critical. The exact meaning of each category should be defined such as Very Likely is greater than 50% probability. All aspects of the Risk Matrix should be customizable including the number of rows and columns, color schemes, and labels.


Risk Matrix for Project Risk Management

Risk Scoring

Risk assessment requires a scoring methodology. Risk scoring can be very simple or quite complex depending upon the type of analysis: qualitative or quantitative. There are many common scoring methods ranging from simple indexes of probability and impact multiplied. For example on a 5X5 risk matrix, a risk with a probability of 4 and impact of 3 would have a score of 12 (of a possible 25). Risk scores can also be calculated based on based on various quantitative methodologies including sensitivity coefficients based on correlations between risk impacts and project objectives such as cost and schedule. It is important that a project risk management software support a variety of common scoring methods.

Risk Planning

Project risk management software should also support risk planning. Risk planning involves setting a risk strategy based on the assessed risk score. Risk management strategies can include Avoid, Transfer, Mitigate, or Accept (under PMI guidelines). The capability to manage risks that will be avoided, transferred, or accepted is fairly straight forward and generally only requires simple flagging the risk so that it can be monitored, in case the strategy changes. Risk mitigation does require additional capabilities including the ability to create risk mitigation activities or plans, cost of risk calculation, and pre and post mitigation scoring.

Risk mitigation plans can consist of one or more risk burn down activities or steps. Each mitigation activity should include the owner, planned reductions in probability and impact, date that the activity will be completed, % completed, cost, and description. Each mitigation plan should be able to be linked to one or more risks.

As part of supporting mitigation plans, the software should support the plotting of mitigation plans on a Waterfall Diagram which shows mitigation activities as a series of planned steps that will seek to reduce the risk impact to it planned or post mitigation state. The Waterfall diagram should include the total cost of the risk mitigation activities as well as visualization of pre- and post mitigation risk scores. This can be shown as Pre and Post Mitigation cubes that are based on the Risk Matrix configuration. The cost of the risk mitigation can be used to calculate the expected costs associated with the residual risk and cost of mitigation activities.

Monitor and Control

Project risk management software should include the ability to monitor risks. Typically, this includes periodic status updates as well as a record of any changes made to the risk over the course of a project. Specifically, this can be accomplished using Risk Reviews. Risk reviews can document the status of risks, with any changes that have occurred since the last review. You should be able to set reviews to occur on a regular basis and include some sort of notification that alerts team members when reviews are due. Reviews can be added as documents or descriptions into provided text boxes and include the name of the submitter and date the review took place. There should some mechanism to view or update previous reviews. In addition to risk reviews, part of the monitoring process should include a Risk History that is a record of all changes to the risk. These records should be auditable and include both a description, owner, and date.

As part of the Control process, the Risk Mitigation diagram should plot actuals against planned, such that any differences between planned and actual changes to risks scores are visualized on the diagram. Therefore, in addition pre and post mitigated risk scores (original vs planned), but also interim or current risk scores that provide a measure of how well the risk is being controlled.


Reports are often very specific to organizations, but project risk management software should have basic reporting functions that include both standard and ad-hoc reports. Standard reports should include the ability to report at both the risk register level and individual risk reports. For example, the ability to generate a risk register report based on specific attributes such as division, owner, impacts etc. These reports can be based on risk register views or risk matrix views. There should also be reports that support reporting on individual risks that includes all details including assessments, properties, mitigation activities and any other essential data. It goes without saying that the software should support generating reports in multiple formats as well as integrating with common office tools such as Excel, Word or similar software.

In conclusion, while every organization can have individual application of the project risk management, there are standard steps that can be found across this process that should be supported by any software packages that you evaluate. These steps include identification, assessment, planning, monitoring and controlling, each of which has components that are required to support each process. Project risk management is not just risk identification or assessment, but also requires additional capabilities outlined above to fully support you consistently managing your project risks