As we manage individual project risks, they pass through a life cycle that can be described using a set of status values.

These can help us to understand where each risk is in its life cycle, so that we can determine what we should do next. The following set of standard status values might be useful:

Unknown: A risk that has not yet been identified.

Draft: A proposed risk that has not yet been validated.

Rejected: A draft risk that is not valid.

Escalated: A draft risk that is outside the scope of the project and that should be managed at program level or elsewhere in the organization.

Active: A valid risk with a probability of occurrence greater than zero and that will impact one or more project objective if it occurs. An active threat can affect the project negatively, while an active opportunity has a potential positive effect.

Deleted: A risk that is no longer valid, perhaps resulting from a change in the project’s strategy, environment, objectives, or scope.

Expired: The time window in which the risk could have occurred has passed, so the risk no longer needs to be considered.

Closed: A risk (threat) for which the response has been fully effective and the risk can no longer affect the project.

Occurred: The risk has happened and the impact is being experienced.

Using these status values, we can describe the life cycle of a typical individual project risk:

All risks start as Unknown. When they are identified, they become Draft risks that need to be reviewed and validated. A draft risk can be Rejected if it is not considered valid, or it can be Escalated if it is outside the scope of the project.

If the project manager decides to escalate a risk, he or she determines who should be notified about the risk, and then communicates the details to that person or party. Draft risks that are considered valid and in scope for the project become Active.

Active risks need to be assessed, and appropriate responses should be developed and implemented. The status of Active risks should be monitored regularly, and they may Remain Active for some time.

Alternatively, active risks might be marked as Deleted or Expired if they can no longer affect the project due to changes in the project context (deleted) or if the time of their potential impact has passed (expired). We might be pleased that a threat has expired since it can no longer have a negative effect, but we might regret an expired opportunity where the positive impact is no longer possible.

When an active threat is successfully managed so that it can no longer affect the project, it is marked as Closed. Opportunities cannot be closed, as they remain active until they have either occurred, expired, or been deleted.

If and when a risk actually happens, it is marked as Occurred. It is good for an opportunity to occur, and bad for a threat to occur. A risk might occur if the response to a threat proved ineffective or the response to an opportunity was successful (or perhaps it was due to chance or luck!).

When a threat has occurred, it is converted to an issue or problem and managed accordingly. When an opportunity has occurred, the additional benefits must be recognized and managed.

Status values should be recorded in the risk register and used to monitor the effectiveness of the risk process. For example, as the project progresses, we can measure how many draft risks become active (indicating how well we identify real risks), and how many active risks actually occur or are closed (showing how good our risk responses are).

This should help us improve performance in future projects, and allow us to take the right risks safely in our projects.

The life cycle of a project risk.