Core-Strategy Blog

Menu

Blogs

Risk Management in Projects: Applying PMBOK® 7 Principles

Posted on

Written by Ivan Klepikovski

Ivan Klepikovski is a Project and Program Management professional with over 16 years of experience leading digital transformation initiatives across IT, construction, engineering, and e-commerce industries. He is a PMP® and PMI-PBA® certified Business Analyst with expertise in Agile delivery, requirements management, ERP/CRM systems, and process automation.

The Role of Risk Management in Project Success

Risk management is a vital part of every project. It helps teams anticipate, evaluate, and respond to potential events that could affect project outcomes. The Project Management Institute (PMI)—a leading global organization in this field—developed the body of knowledge for project management known as the PMBOK® Guide

In its latest edition, PMBOK® 7, the focus shifts from rigid processes to flexible principles that encourage adaptability. In this version, risks are viewed not only as negative threats but also as uncertainties that can lead to new opportunities.

From a theoretical standpoint, risk management follows several key phases. These include risk identification (finding which risks may affect the project), analysis and assessment (measuring their likelihood and impact), response strategy development (deciding how to act if a risk occurs), and monitoring and control (tracking and updating plans as the project evolves).

In this article, we’ll start with an overview of these PMBOK® 7 foundations. Then, we’ll explore practical, real-world examples and see how modern cloud-based tools can enhance Strategic Portfolio Management.

Before diving into each phase, it’s helpful to visualize the overall process. The diagram below shows the four main stages of managing project risks based on PMBOK® 7 principles.

 

Diagram showing the four main stages of managing project risks: identification, analysis, mitigation, and monitoring

The four main stages of managing project risks as outlined in PMBOK® 7

Phase 1 – Risk Identification: Theoretical Basis from PMBOK® 7

Risk identification in the context of PMBOK 7 is the first and one of the key phases of risk management. It is aimed at systematically identifying all possible events that may affect a project. In PMBOK 7, this phase emphasizes the importance of recognizing not only threats but also potential opportunities associated with uncertainty.

Key Aspects of Risk Identification in PMBOK 7

Methods and tools:
PMBOK 7 suggests using a variety of methods for identifying risks, including brainstorming, document analysis, expert interviews, lessons learned from past projects, and the use of checklists. All of these help capture the broadest possible range of potential risks.

Risk Register:
All identified risks are documented in a risk register. This document records risk descriptions, their potential causes, categories, and initial classification. PMBOK 7 also stresses the importance of including not only threats but also opportunities at this stage.

Explore Core Strategy Templates for Risk Management

Iterative Process:
In PMBOK 7, risk identification is not treated as a one-time event. It is an iterative process carried out throughout the entire project life cycle, as new risks may emerge as the project evolves.

Practical Example – Risk Identification in a Large Construction Project

“As part of the risk identification phase, I worked as a project manager on a large project to implement a new flotation technology in a plant under construction. This was a significant project worth tens of millions of dollars. When we had already developed the project documentation and moved into detailed planning, we realized it was necessary to formally organize the risk management process.

We engaged several departments: capital construction, logistics, contractor management, and the technical department. Practically every specialist involved in the project was invited to take part in this process. We asked each department to think in advance about potential risks related to their processes and provide them to us.

Once we collected this information, we consolidated all risks into a single risk register using a simple Excel file, since at that time we did not have specialized tools. We placed this file on the server so each department could make updates. We held a kickoff meeting where we discussed all identified risks, documented them, and assigned responsible persons. We also defined which specialists would be responsible for further analysis and assessment of these risks.

It was important not only to document the risks but also to assign ownership and set deadlines for preparing a detailed analysis. We understood that after identification, the next step would be prioritization and evaluation, so assigning responsibility was a critical step.

We held regular monthly meetings to review the risk register, since risk management is an iterative process. Over time, some risks became irrelevant while others turned into opportunities. Our risk register became a single source of truth and an important tool for managing uncertainties.”

It is important to emphasize that the risks could be quite diverse and touch on different aspects of the processes. For example, one of the significant risks was related to equipment delivery timelines, especially since 80% of the equipment was shipped from overseas. Delays in payment or logistics could have led to missed delivery deadlines and deviations from the project plan.

Another key risk involved working with contractors and tendering procedures, which often took twice as long as expected. These were documented in the risk register and regularly reviewed to ensure alignment with project objectives.

At that time, Excel was the primary tool for maintaining the register. Today, with the development of cloud-based solutions, such registers can be maintained online with 24/7 access and integrated tracking.

Example of a project risk register created in Core-Strategy cloud solution

A cloud-based risk register showing categorized project risks and assigned owners.

To make risk identification easier, download our Risk Register Template. It follows PMBOK® 7 standards and helps organize potential threats and opportunities in one place.

Phase 2 – Risk Analysis and Assessment

In PMBOK 7, risk analysis isn’t just about spotting problems—it’s about understanding uncertainty in all its forms. Every uncertain event can have either a negative or a positive effect on project objectives. Risks and opportunities are viewed as two sides of the same coin.

A threat is a negative risk that can cause loss, delay, or added cost. An opportunity is a positive risk that can create gains, save time, or improve results.

Real-World Example – Strategic Supply Chain Risk

“Between 2012 and 2015, I worked in the Department of Strategic Management and Development. One of my main tasks was analyzing how our company was supplied with raw materials — mainly coal — for our metallurgical plants in eastern Ukraine.

At that time, our company owned several coal mines near Luhansk, in the Donbas region. Owning those mines felt like a huge opportunity: we had stable, high-quality coal, full control over supply, and a strong competitive advantage through vertical integration.

But there was another story running in parallel. A few years earlier, our management had decided to buy a coal company in the U.S. It seemed like a smart diversification move — expanding our reach and reputation internationally.
By 2012, though, the U.S. energy-coal market was in decline, and the American company, which produced both energy and coking coal, was becoming a burden. Maintaining it was expensive and risky.

So, on one side, we had the Ukrainian mines — our opportunity.
On the other, the American acquisition — our threat.
For a while, we carefully balanced between them, constantly reassessing where the greater risk lay.

Then 2014 changed everything. When part of Donbas was occupied by Russian forces, our reliable Ukrainian mines suddenly turned into a critical threat. Supplies stopped almost overnight.
Meanwhile, the American company — the one we once saw as a mistake — became our lifeline, the only stable source of high-quality coking coal that kept our plants operating.

By 2022, during the full-scale invasion, that same U.S. company had become the only dependable source of coal left for us. Everything we once owned in Donbas was either destroyed or occupied.

Looking back, it taught me a lasting lesson: risks and opportunities are never static. Something that looks like a threat today can become your greatest advantage tomorrow — and what once felt safe can suddenly become the biggest risk of all.”

Methods and Techniques for Risk Analysis

Qualitative Analysis:

  • Probability–impact matrices to compare severity

  • Categorizing risks (technical, schedule, supplier, financial)

  • Evaluating urgency and velocity

  • Scoring models, SWOT, or Bow-Tie diagrams

Quantitative Analysis:

  • Monte Carlo simulations

  • Sensitivity (tornado) charts

  • Decision trees or Expected Monetary Value (EMV) models

  • Scenario analysis for best, worst, and likely outcomes

The result is a prioritized risk register that highlights where to focus attention in the next phase — planning responses.

Risk identification process aligned with PMBOK 7 principles

Identifying risks across departments using brainstorming and checklist methods.

Phase 3 – Risk Response Planning

Once risks and opportunities have been analyzed and prioritized, the next step is to decide what to do about them. In PMBOK 7, this phase connects directly to the principle “Optimize Risk Responses” — the goal is not only to reduce threats but also to maximize opportunities.

Responding to Threats

  • Avoid — Change the plan so the threat no longer exists.

  • Mitigate — Reduce probability or impact through proactive actions.

  • Transfer — Shift responsibility via insurance, outsourcing, or contracts.

  • Accept — Acknowledge the risk and prepare a contingency plan.

Responding to Opportunities

  • Exploit — Take direct advantage to realize benefits.

  • Enhance — Increase the likelihood or impact of positive outcomes.

  • Share — Partner with others to maximize gain.

  • Accept — Be ready to act if favorable conditions arise.

Each strategy should have an assigned risk owner, action plan, and trigger conditions for activation.

Practical View of Risk Response

In real projects, this phase often translates into a mix of preventive and corrective measures. For example, during construction or manufacturing projects, teams often mitigate supply chain threats by creating local vendor options while exploiting opportunities like discounted early shipments or technology upgrades.

The key is to stay flexible — every plan is a living document that evolves with project conditions.

Risk analysis dashboard displaying probability and impact scoring

Quantitative and qualitative risk analysis showing probability–impact ratings.

For more insight on developing response strategies, explore our Project Management Best Practices guide.

Phase 4 – Risk Monitoring and Control

Once responses are planned and in motion, risk management becomes part of daily project life. This phase focuses on tracking, measuring, and adapting — keeping risks visible and ensuring actions remain effective.

Keeping the Risk Picture Current

Common practices include:

  • Regular risk reviews (monthly or per sprint)

  • Risk audits for process effectiveness

  • Early-warning indicators (KRIs)

  • Issue tracking for realized risks

  • Risk trend charts to visualize exposure

Adapting to Change

Monitoring isn’t just about control—it’s about learning. New risks appear, old ones fade, and lessons learned inform future planning. This continuous feedback loop strengthens organizational learning and improves future project performance.

Example from Experience

Regular monthly reviews made a huge difference in project outcomes. A structured process and clear dashboard helped reveal which risks were growing, improving, or evolving into new opportunities.

Integrating Risk Management with Cloud Solutions

The CORE-STRATEGY Strategic Portfolio Management Solution integrates risk management directly into project governance. This enables real-time collaboration, automated risk tracking, and centralized reporting across portfolios.

Key components include:

  • Cloud-based risk registers accessible by all departments

  • Automated alerts for risk changes

  • Interactive dashboards for decision-makers

Risk response planning workflow with mitigation and opportunity strategies

Planning proactive responses for threats and opportunities identified in the project.

Core-Strategy risk management dashboard with visual analytics and KPIs

An integrated risk dashboard providing real-time visibility into risk trends and project performance.

Conclusion

Effective risk management in projects, guided by PMBOK® 7 principles and supported by cloud-based tools, ensures organizations can anticipate uncertainty, capture opportunities, and achieve strategic success.

The combination of structured methodology and technology — like the Core-Strategy platform — provides a clear path to continuous improvement and resilience in complex project environments.

Explore more project management templates and tools aligned with PMBOK® 7 in our Template Library.
To discuss how Core-Strategy can support your organization’s approach to portfolio risk management, contact our team.