The risk management process is not difficult, because it is just a structured way of dealing with significant uncertainty. All you need to do is determine which objectives are at risk, then identify uncertainties that might affect their achievement. The next step is to prioritise identified risks and decide how to respond, and then take action. But although this process is simple to describe, it seems hard to make it work in practice. And the hardest part of all is the last step - implementation.

For some reason, we seem well able to identify and assess risks, and to devise appropriate responses. The problem arises with putting our plans into action, and actually doing the agreed responses. Why does this happen?

A common problem is lack of time or effort for response implementation. Many of us are so busy doing our normal tasks that we have no time to do the extra work involved with risk responses. But if we are "too busy to manage risks", then we are "too busy". Since risks by definition are uncertainties which if they occurred would affect accomplishment of our objectives, then addressing them is essential. Risk responses are not "optional extras", but are vital to the successful achievement of our goals. Removing threats and capturing opportunities should be part of our normal job as we seek to maximise our chances of success. Instead we seem to believe that risk responses are additional tasks, to be performed if and when we get time, and only after we have done all our "proper work" first. Many project teams identify and assess risks, develop response plans and write a risk report, then "file and forget". Actions are not implemented and the risk exposure remains the same. How can we overcome this barrier?
One answer is to treat agreed risk responses as normal work, with the same priority as pre-planned tasks. The following steps might help:

• Ensure that every risk response is fully defined, with a duration, cost, resource requirement, owner, completion criteria etc.

• Add an extra task to the project plan for every agreed response (accepting that this might also require changes to the project budget or timeline).

• Monitor progress on these risk response tasks in exactly the same way as for all other tasks, including requiring progress reports from owners, and reviewing at project meetings.

Giving risk responses equal importance with other project tasks will encourage people to implement them. When response owners realise that these actions are important to project success, and that risk responses will be treated as legitimate project tasks, then they will give them the same degree of attention and effort as their other tasks. Viewing risk responses as "extra work, optional, different" gives them second-class status behind "real work". Accepting that they are valid and essential tasks which make a significant contribution to achieving objectives makes sure that they will be treated seriously and actually implemented. After all, identifying risk responses but not doing them is a complete waste of time. Only when we put agreed responses into action can we change the risk exposure and improve our chances of meeting our goals.

風險管理的程序並不困難，因為它只是一個處理不確定性的方式，你只需決定哪些目標是有風險的，然後辨識出那些可能影響目標達成的不確定事件，下一步是決定已辨識出風險的優先等級及如何回應，然後採取行動。雖然這個程序說來容易，但在實務上似乎很難生效，而最困難的部分便是最後那個步驟—執行。

不知道為什麼，我們似乎很能夠辨識及評估風險，並策劃適當的回應行動；然而問題總是出現在將計畫付諸實現上，以及切實執行已決議的回應行動，為什麼會這樣呢？

通常的問題在於缺乏時間與精力去執行因應行動，我們許多人都忙於進行我們必須做的常態工作，以致於沒有時間去做與風險回應有關的額外工作，但是若我們「太忙以致於無法管理風險」，那麼我們是真的「太忙啦！」。既然風險的定義是那些如果發生了會影響目標達成的不確定性，那麼處置他們便是重要的事情。風險回應不是一個「額外的選項」，而是我們要成功達成目標的重要項目。移除威脅並掌握機會，對尋求使我們有最高的成功公算而言，應該是常態工作的一部份。然而我們卻似乎相信風險回應是一種額外的作業，當我們有時間時才去執行，而且要在我們做完了所有「該做的事」以後。許多專案團隊辨識並評估風險、發展風險回應計畫、並且寫了一個風險報告，然後「歸檔並拋諸腦後」，行動並未被執行因而維持著原來的風險暴露程度，要如何才能跨越這個障礙呢？

答案之一是要將已決議的風險回應行動視為常態工作，並有著和計畫性作業一樣的優先等級。以下的步驟可以有些幫助：

• 確定每個風險回應皆已被完整的定義，包括期程、成本、資源需求、負責人、完成的判準等。

• 將每個已決議的風險回應加入到專案計畫中（並同意這樣可能也需要變更專案的預算或時間排程）。

• 以和（專案中）所有其他作業完全相同的方式監督這些風險回應作業的進度；包括要求負責人提出進度報告，以及在專案會議中進行審查。

以和專案其他作業相同的重要性對待風險回應，將可鼓勵人們去執行風險回應，當回應的負責人認知到這些行動對專案成功的重要性，且這些回應行動將被視為法定的專案作業項目後，他們便會給予和他們的其他作業相同的注意及努力。將風險回應視為「額外工作、可選擇的、不同的」會使其成為「真正工作」之下的次級項目，接受其為對達成目標有明顯貢獻之有效且重要的作業項目，才可以確保風險回應將被嚴肅地對待且確實執行。畢竟，辨識出了風險回應卻不執行完全是浪費時間而已，唯有將決議的風險因應付諸行動才能改善暴露於風險的程度並提高達成目標的公算。