Risk Management

What is risk management?

Risk management is the systematic approach and practice of managing uncertainty to minimize potential harm and loss and maximize potential opportunities and gains. The goal of risk management is “to set the best course of action under uncertainty by identifying, assessing, understanding, making decisions, and communicating risk issues.” Risk management is inherently an enabling process: rather than provoking decisions to stop programming, effective risk management processes create the conditions necessary for the program to proceed, and, indeed, succeed. See resource below. 

What is a risk in the context of a project?

The International Organization for Standardization (ISO) defines risk as “the effect of uncertainty on objectives.” The effect can be positive (provide benefit/opportunity) or negative (serve as a threat, provoke damage). Accordingly, a risk involves a deviation from the expected. 

Why is risk management important for P/CVE projects?

There are risks in implementing any P/CVE activity. Therefore, consider a proactive approach to identifying and responding to risks throughout project implementation. 


Two Features of the P/CVE Field that Make Risk Management Essential

The potential for negative or positive impact is especially high.

If risks are not identified and planned for in a P/CVE project, the potential for harm to individuals, communities, and the organization can be significantly increased. On the other hand, if we identify and manage risks to help the project improve activity prioritization, effectiveness, and efficiency, individuals and communities involved in a P/CVE project can become more resilient to VE in their communities.

There is an increased likelihood of risk when working on P/CVE.

When operating in conflict-affected locations or in at-risk areas for VE, you are working on issues that are often misunderstood, controversial, and polarizing. This raises risks related to organizational reputation and staff security. Also, since P/CVE is a relatively new field, there are ongoing debates and ambiguity around key definitions, the factors that drive VE, and what works or doesn’t work when it comes to P/CVE programming.

By identifying and managing risk in a P/CVE project, you are mitigating possible negative impacts and enhancing the potential for effective implementation and positive impact of your project, while protecting your community, project beneficiaries, team, and organization.

While risk management approaches differ from one project or organization to another, such approaches typically include the steps outlined in the table below.


Identify the risk

Usually you identify "categories of risk" to make sure you are considering different parts or phases of the project. These categories could include: operational risks; contextual risks; security risks; institutional risks; and programmatic risks.


Assess the risk

For each risk identified, answer two key questions:

  • What is the probability/likelihood that this risk will happen?
  • What impact will this risk have on your project?

Using this assessment, your team can numerically score or rank (low, medium, high) the probability/likelihood and expected impact of a risk. The results of this assessment are often presented in the form of a risk matrix, with probability and impact on different axes, to show which risks are the most important to consider.


Plan a response

Develop a plan for how to respond to these risks. Most of the time, risks cannot be eliminated and the response should identify how to manage these risks. Possible responses usually involve one of the following methods:

  1. Mitigating risks by taking steps to decrease the probability/likelihood of a risk or its impact on your project
  2. Transferring the risk to another individual or organization, such as to an insurance provider
  3. Tolerating the risk by deciding that the risk is so unlikely or has such a low impact that it makes sense to do nothing about it
  4. Avoiding the risk by not conducting the risky activity in the first place

This table draws on the overview of risk management provided in the Operational Guidelines on the preparation and implementation of EU financed actions specific to countering terrorism and violent extremism in third countries.
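As an added worked example (not part of this page, nor of the EU or UNDP guidance it cites), the Python below turns the three steps into a small risk register: each entry is identified under a category, assessed on a low/medium/high likelihood and impact scale, scored and placed in a risk matrix, and tagged with one of the four response methods. Entries that were not assessed on the agreed scale or that name an unknown response are rejected at entry time. The sample entries, the 1..3 scoring scale, the score bands and the field names are constructed assumptions for illustration.

```python
"""Added example: a minimal risk register covering identify, assess and plan-a-response.
All entries, scales and thresholds below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed ordinal scale behind the low/medium/high ranking.
LEVELS = {"low": 1, "medium": 2, "high": 3}
# The four response methods named in the guidance.
RESPONSES = {"mitigate", "transfer", "tolerate", "avoid"}


@dataclass
class Risk:
    name: str
    category: str     # e.g. operational, contextual, security, institutional, programmatic
    likelihood: str   # low / medium / high
    impact: str       # low / medium / high
    response: str     # the team's chosen method, one of RESPONSES
    plan: str = ""    # what the response consists of

    def __post_init__(self):
        # Reject entries not assessed on the agreed scale or given an unknown response.
        for attr in ("likelihood", "impact"):
            if getattr(self, attr) not in LEVELS:
                raise ValueError(f"{self.name}: {attr} must be one of {sorted(LEVELS)}")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.name}: response must be one of {sorted(RESPONSES)}")

    def score(self) -> int:
        """Numeric score = likelihood x impact on the 1..3 scale (possible values 1,2,3,4,6,9)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        """Collapse the score to a band; the thresholds (>=6 high, >=3 medium) are assumed."""
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def build_matrix(risks):
    """Group risk names by (likelihood, impact) cell: the cells of a risk matrix."""
    matrix = defaultdict(list)
    for r in risks:
        matrix[(r.likelihood, r.impact)].append(r.name)
    return dict(matrix)


def render_matrix(risks) -> str:
    """Text view of the matrix: rows are likelihood (high at top), columns are impact."""
    matrix = build_matrix(risks)
    header = "likelihood \\ impact | " + " | ".join(f"{imp:<6}" for imp in ("low", "medium", "high"))
    rows = [header]
    for lk in ("high", "medium", "low"):
        cells = [f"{len(matrix.get((lk, imp), [])):<6}" for imp in ("low", "medium", "high")]
        rows.append(f"{lk:<19} | " + " | ".join(cells))
    return "\n".join(rows)


def prioritise(risks):
    """Highest score first; ties broken by impact, then name, so the order is deterministic."""
    return sorted(risks, key=lambda r: (-r.score(), -LEVELS[r.impact], r.name))


# Constructed sample register (hypothetical entries, not from any real project).
SAMPLE_REGISTER = [
    Risk("Staff safety incident during field visits", "security", "medium", "high",
         "mitigate", "travel protocol, check-in schedule, local security briefings"),
    Risk("Activity portrayed as partisan by local media", "reputational", "medium", "medium",
         "mitigate", "communications plan and consistent public messaging"),
    Risk("Delayed grant disbursement", "financial", "high", "low",
         "tolerate", "short delays absorbed by a small cash reserve"),
    Risk("Damage to rented training venue", "operational", "low", "medium",
         "transfer", "covered by event insurance"),
    Risk("Workshop scheduled in a contested area", "contextual", "high", "high",
         "avoid", "relocate the activity to a neutral venue"),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_REGISTER))
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.rating():<6} {r.score()}  {r.name} -> {r.response}: {r.plan}")
```

Running the file prints the matrix cell counts and the register sorted from highest to lowest score, with each entry's chosen response and plan. The response is recorded as the team's decision rather than derived from the score, because the guidance leaves that choice to the project (a high-scoring risk may still be mitigated rather than avoided).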

There are several risk management frameworks and tools that you can draw on for your project. UNDP’s Risk Management for Preventing Violent Extremism (PVE) Programmes: Guidance Note for Practitioners describes five key steps (see graph below) for applying a risk management process to your P/CVE project. Click on this quick reference document summarizing the five steps of UNDP’s risk management process.

Risk Management Process

Check out this example of a Risk Register adapted from the UNDP’s guide. This risk register will help you to develop your plan for responding to identified risks. 

Additional Resources

Security Risk Management: A Basic Guide for Smaller NGOs
Do you want to learn more about security risk management? This guide outlines a basic security risk management framework that can help smaller NGOs develop key processes and actions that will enhance their staff security and improve their organization’s reputation and credibility. The manual includes guidance, additional resources, and templates that can be adapted by your organization. 


Considerations for Using Data Responsibly at USAID
Do you want to learn about risks associated with data and how to manage the data your project collects and generates? This resource introduces a framework for identifying and understanding risks associated with development data. The resource highlights important concerns and provides actionable advice to help those who use data to maximize utility while also managing risk.  

Risk Management or Conflict Sensitivity: Which One Should I Be Doing?

The short answer is: both! Risk management and conflict sensitivity often work together, and some frameworks might combine the two. For example, the UNDP Risk Management framework noted above includes conflict sensitivity as one core principle. Conflict sensitivity is needed for effective risk management because doing harm, while usually unintended, can amplify risks to the organization, the program, or staff members themselves.

CDA has developed a set of questions that can help you integrate Do No Harm into your risk analysis and risk mitigation planning.

What do P/CVE risks look like?

Risks will differ for each project based on the context and the organization implementing the project. Organizations can identify categories and/or types of risk to guide their risk management process. The UNDP Risk Management Framework identifies three categories of risks and opportunities: contextual, institutional, and programmatic.

Interaction Between Contextual, Programmatic, and Institutional Risks  

The European Commission identified the following risk categories or types: Financial, Operational, Security, Legal, Political, Reputational, and Administrative.

This illustrative list reflects risks that other P/CVE projects or implementers have identified. The list is not comprehensive, but it can help your organization consider the categories and types of risks that could be relevant for your project.