However, despite the long history of risk management in broader business areas, the practice of risk management in business and IT projects has a less than remarkable history. It is still too common for our group to find multimillion-dollar projects with no systematic and formal risk assessment and management process. As we outlined in the Project Pathology paper (see our Web site, www.Thomsett.com.au), one of the most interesting aspects of the major project failures we have reviewed is that most team members understood the risks of these projects before they started but the organization either had no mechanism or, worse, no willingness to address the risks. We come back to this issue later in this chapter.
In general, the management of risk involves four related processes, as shown in Figure 12.2. On analysis, it turns out that these processes are part of our normal lives, and risk management is simply a formalization of a day-to-day activity.
Figure 12.2. Risk management cycle
The first is generally termed risk assessment or risk analysis. This process involves the identification of risk factors that are intrinsic in the activity being undertaken. For example, in the activity of commuting from home to work, we face a number of risks:
Clearly, the more risk factors involved in the activity, the higher the risk of the activity and the lower the probability of success (i.e., getting to work on time and unstressed). If you lived in an apartment next to the building in which you work, the risk involved in getting to work on time is much lower than that facing a person with a 20-mile commute that involves driving to the station, getting kids to school, taking a prework study course, and using public transportation.
The second process in risk management is the process of risk control, risk reduction, or risk containment. This process involves planning and taking action to reduce the risks and, if that is not possible, to introduce strategies to minimize the impact of failure.
To manage the risks in our commute, we could reduce them by moving closer to work, obtaining flexible working hours, or undertaking community and political action to improve public transportation. 
Risk management also involves the evaluation and management of the impact of failure of the activity. This is typically called risk transfer or risk impact. For example, what is the impact of failing to get to work on time?
Clearly, the greater the impact of failure, the greater the need for positive risk management processes. At the same time as we are attempting to reduce the risks, we could limit the impact by establishing a good reputation at work, negotiating performance agreements not linked to being at work on time, and so on.
The third activity in risk management is the constant activity of monitoring and tracking risks. This involves keeping a watch on the risk factors you identified in analyzing the risk and, as we show later in this chapter, tracking the indicators that show a risk is impacting your project.
The fourth component of risk management is the risk monitoring and reporting of the status of risks (particularly high risk factors), the identification of new risk factors that have emerged during the project, and reports on the effectiveness of containment strategies. This is very important, as many organizations undertake risk assessment at the beginning of projects but do not continue to monitor existing and new risks as they emerge. In the turbulent environment of today's projects, it is normal for projects to change (scope, objectives, etc.) and, as a result, for the risk of the project to also continue to change. Therefore, risk management must be an ongoing, integrated component of the management of your project.
Many Classes of Risk
Many of the books and standards on risk do not distinguish among a set of different classes of risk. For example, there is insurance risk, lending or credit risk, audit risk, gambling risk, foreign exchange risk, trading risk, and so on. In our approach to risk management we focus on two classes or types of risk:
In projects, there are two different but completely related risk considerations. The first is the inherent risk of the project that is being planned, or project risk. The second is the exposure or impact that the company undertaking the project faces on project failure, or business risk.
For example, a bank may be undertaking a project to implement new credit controls demanded by government legislation. During the RAP, the project risk is assessed by the project manager as being high because the new legislation involves complex changes to sophisticated existing information systems. The business risk is also assessed as high because if the bank does not implement the new credit controls by the deadline, it will face possible fines, loss of its trading license, and substantial public scrutiny through the media.
Simply put, the higher the project risk, the higher the probability that the project will fail and that the organization will be exposed to business risks. In addition, the higher either the business or project risks associated with the project are, the higher the level of governance should be.
The assessment of project risk and business risk requires consideration of different risk factors, but the control and management of both areas of risk is similar.