Is risk management being practiced in a company?

For a given risky project, this list helps determine if Risk Management is being performed [1]:

  • Is there a published census of risks that contains major causal risks? Is it accessible to those on the project? Is it fulsome?
  • Is there a risk discovery process and can people safely raise risks?
  • Are any of the risks potentially fatal?
  • Is each risk quantified as to probability and cost and schedule impact?
  • Does each risk have a transition indicator allocated to it to spot materialization (warning signal)?
  • Is there a single person responsible for risk management? (If everyone is responsible, no one is.)
  • Are there tasks on the work breakdown structure that might not have to be done at all?
  • Does the overall effort have both a schedule and a goal, where the schedule and goal are markedly different?
  • Is there a significant probability of finishing well before the estimated date?


[1] DeMarco, T. Slack: Getting Past Burnout, Busywork, and the Myth of Total Efficiency. (Currency, 2002).