Risk Management
2026-02-23
Risks your project probably has
(and the three that will actually kill it)
A practitioner's risk taxonomy for project and IT delivery, cross-linked to the articles that explain each risk in detail.
Why this article exists
Most project risk registers start empty and stay that way until something goes wrong. The risks that kill projects are predictable. They show up on every engagement in slightly different clothes.
This is a starter list. Not exhaustive, not theoretical. These are the risks I keep seeing, organised by domain, with links to the articles that explain each one in detail.
The list grows as the article series grows.
How to use this list
Pick your project type. Scan the relevant domains. If you recognise three or more risks from a single domain, that domain needs a dedicated mitigation strategy, not just a line in the risk register.
The risk IDs (V1, G1, etc.) are stable references. Use them in your own registers if they're useful.
Quick reference card
All 48 risks on a single A4 landscape page, with pattern links. Print it, pin it to the wall, or keep it open during steering committees.
Vendor / Procurement risks
| ID | Risk | Source | Pattern |
|---|---|---|---|
| V1 | PM absorbs commercial authority by default. Nobody else steps into vendor relationship management, so the PM fills the gap. Creates irreconcilable tension between quality enforcement and relationship maintenance. | The vendor management trap | Authority Vacuum |
| V2 | Vendor runs the personality narrative. When one person holds all three authorities, the vendor reframes legitimate quality enforcement as a personality problem. "The PM is difficult" is cheaper than fixing defects. | The vendor management trap | Narrative Capture |
| V3 | Executive disengagement from vendor delivery. Executives find vendor meetings tedious and the technical detail opaque. They disengage during delivery and inherit unresolved disputes in BAU without the governance structure to manage them. | The vendor management trap | Entropy Ratchet |
| V4 | Replacing the PM is cheaper than fixing delivery. When the vendor has successfully reframed quality enforcement as interpersonal conflict, swapping the PM becomes the path of least resistance. The systemic issues persist. | The vendor management trap | Narrative Capture |
| V5 | No contract manager on the engagement. Most organisations skip the contract manager role. The PM absorbs commercial mechanics (milestone payments, variations, performance notices) without the delegation or expertise. | The contract management gap | Authority Vacuum |
| V6 | Contract manager role conflated with PM, procurement, or relationship owner. Organisations that do have a contract manager often merge it with the PM role, leave it in procurement, or combine it with business relationship ownership. Each conflation recreates the structural impossibility of enforcing consequences while maintaining rapport, just at a different level. | The contract management gap | Incompatible Mandate |
| V7 | Post-project vendor disputes with no governance structure. Project governance dissolves at closure. Unresolved vendor issues transfer to BAU teams who lack the context, the authority, and the contract knowledge to manage them. | The contract management gap | Transition Cliff |
| V8 | Multiple vendors independently discover the personality play. When a programme has no contract manager, multiple vendor streams independently learn that complaining about the PM is easier than fixing deliverables. The pattern is structural, not coincidental. | The contract management gap | Narrative Capture |
Governance / Authority risks
| ID | Risk | Source | Pattern |
|---|---|---|---|
| G1 | Three hats on one head. Delivery authority, technical authority, and commercial authority converge on the PM. Not because the PM seized them, but because nobody else stepped in. | The vendor management trap | Authority Vacuum, Incompatible Mandate |
| G2 | Escalation treated as failure. PMs absorb commercial decisions because escalating feels like admitting weakness. Escalation is a governance mechanism, not a confession. | The vendor management trap | Compliance Theatre |
| G3 | No explicit escalation path. Without a defined split between PM decisions and executive decisions, commercial authority defaults to whoever is in the room. Usually the PM. | The vendor management trap | Authority Vacuum |
| G4 | Governance gap becomes permanent. The longer the PM compensates for missing governance roles, the harder it becomes to fix. Executives learn they don't need to engage. | The vendor management trap | Entropy Ratchet |
| G5 | Contract management invisible until crisis. The role only becomes visible when something goes wrong. By then, the relationship damage, the commercial exposure, and the knowledge gaps are already established. | The contract management gap | Entropy Ratchet |
| G6 | Milestone payments approved without commercial review. PM signs off on payments that should involve someone with commercial delegation. Financial decisions made without financial authority. | The contract management gap | Authority Vacuum, Compliance Theatre |
| G7 | Variation management without contract literacy. Scope changes with cost impact negotiated by people who haven't read the contract. Variation clauses exist for a reason. | The contract management gap | Leverage Erosion |
| G8 | Quality enforcement indistinguishable from interpersonal conflict. When the governance structure makes the quality enforcer and the relationship holder the same person, every hard conversation looks like a personality clash. | The vendor management trap | Narrative Capture |
| G9 | Steering committee hearing a different story. Vendor influences the narrative through channels that bypass project governance. By the time it reaches the committee, the conversation is about the PM's approach, not the vendor's performance. | The vendor management trap | Narrative Capture |
| G10 | Implicit role-to-position mapping. Roles collapsed by assumption, not by explicit agreement at project setup. The PM absorbs authority nobody formally delegated. Nobody notices until the vendor exploits the gap. | The vendor management trap, The contract management gap | Authority Vacuum, Incompatible Mandate |
| G11 | Programme commitment embodied in individuals, not governance. Decision rationale, escalation context, and enforcement posture live in the executive's head, not in governance artefacts. When they leave, the programme loses its institutional memory at the executive level. The org chart shows continuity; the reality is a reset. | Coming soon | Mandate Decay |
Stakeholder / Political risks
| ID | Risk | Source | Pattern |
|---|---|---|---|
| S1 | Vendor has relationships the PM doesn't control. The customer executive, the business owner, the directors on the steering committee. The vendor can influence the narrative through channels that bypass governance entirely. | The vendor management trap | Narrative Capture |
| S2 | Executive sponsor with existing vendor relationship. Limited visibility into delivery detail plus an existing relationship with the vendor means the vendor's narrative travels upward unchallenged. | The vendor management trap | Narrative Capture |
| S3 | Zero-sum recognition culture. When credit is finite, people hoard information, avoid collaboration, and optimise for individual visibility over team outcomes. | Confelicity | Incentive Inversion |
| S4 | Punishment asymmetry. Failure is punished more visibly than success is rewarded. Teams learn to avoid risk, hide mistakes, and never volunteer for difficult work. | Confelicity | Incentive Inversion |
| S5 | Learned helplessness from repeated reorganisation. After enough restructures, teams stop investing in improvement because they expect the next change to invalidate their work. | Confelicity | Change Sclerosis |
| S6 | "Maintain the relationship" as a directive. Telling the PM to be nicer doesn't fix a delivery gap. The relationship problem is structural, not interpersonal. | The vendor management trap | Narrative Capture |
| S7 | Key decision-maker leaves or changes role mid-programme. Executive context, commitment, and political capital don't transfer to the successor. Decisions queue while the new person ramps up. In large organisations — especially government — this is a near-certainty over any 12+ month programme. | Coming soon | Mandate Decay |
| S8 | Successor deprioritises inherited initiatives. New executive rationally invests political capital in their own agenda, not their predecessor's commitments. Inherited programmes get "auto-pilot" treatment — same meetings, no engagement. | Coming soon | Mandate Decay |
| S9 | Prior relationship capital non-transferable. Trust, rapport, and implicit commitments built with the departing stakeholder have no currency with their replacement. Previous emails are someone else's correspondence. You're back to cold positioning. | Coming soon | Mandate Decay |
Culture / Team Health risks
| ID | Risk | Source | Pattern |
|---|---|---|---|
| C1 | Confelicity deficit. The absence of shared joy in others' success. Teams where people don't celebrate each other's wins develop zero-sum dynamics that corrode collaboration. | Confelicity | Change Sclerosis |
| C2 | Performance management as threat rather than development. When the performance system is punitive, people manage their risk profile rather than doing their best work. | Confelicity | Incentive Inversion |
| C3 | Information hoarding as rational behaviour. In zero-sum cultures, withholding information is a logical response to incentives. The behaviour is a symptom, not the cause. | Confelicity | Incentive Inversion |
| C4 | Emotional labour absorbed by the PM. Writing emails at 10pm trying to manage the vendor relationship is a symptom. The PM is carrying weight that should be distributed across the governance structure. | The vendor management trap | Change Sclerosis |
| C5 | Trust erosion from CC culture. Mass CC'ing signals distrust. People start writing defensively rather than communicating clearly. The email thread becomes a liability record, not a communication tool. | Email triage | Incentive Inversion, Information Fog |
Knowledge Management risks
| ID | Risk | Source | Pattern |
|---|---|---|---|
| K1 | Context-switching cost from unmanaged email volume. Every email interruption costs 23 minutes of refocusing time (UC Irvine research). Unmanaged inboxes create a permanent tax on deep work. | Email triage | Information Fog |
| K2 | Thread drift. Email threads that change topic mid-conversation. The original subject line becomes misleading. Key decisions get buried in threads nobody can find later. | Email triage | Information Fog |
| K3 | CC culture as governance substitute. Mass CC'ing replaces actual decision-making governance. Everyone is "informed" but nobody is accountable. The inbox becomes a compliance theatre. | Email triage | Compliance Theatre |
| K4 | No documentation discipline for vendor meetings. A solo PM in a vendor meeting is a PM whose version of events can be disputed. Without written follow-ups, commitments evaporate. | The vendor management trap | Compliance Theatre, Information Fog |
| K5 | Contract knowledge concentrated in one person. When the PM is the only person who has read the contract, every commercial decision depends on their availability and memory. Single point of failure for commercial intelligence. | The contract management gap | Transition Cliff, Leverage Erosion |
Commercial / Contractual risks
| ID | Risk | Source | Pattern |
|---|---|---|---|
| CO1 | Milestone payments as the only vendor leverage. If the contract's remediation clauses are weak or unused, withholding payment is the only enforcement mechanism. That puts the PM in an impossible position. | The contract management gap | Leverage Erosion |
| CO2 | Variation mechanisms not understood by the project team. Scope changes get negotiated informally because nobody on the project team knows how the contract's variation clause works. | The contract management gap | Leverage Erosion |
| CO3 | BAU inherits commercial liability without commercial authority. Unresolved vendor issues transfer to operational teams who have no contract management capability, no relationship leverage, and no budget for remediation. | The contract management gap | Transition Cliff |
| CO4 | Legal counsel not briefed until crisis. On non-trivial contracts, the PM needs legal already read in. Starting from scratch when the vendor play is already running costs two or more weeks of lead time you don't have. | The vendor management trap | Transition Cliff |
Procurement / Pre-Contract risks
| ID | Risk | Source | Pattern |
|---|---|---|---|
| P1 | Requirements cover functional but omit non-functional, integration, migration, and transition domains. The vendor fills the gaps with assumptions that favour their commercial position. Variations emerge post-contract from scope that should have been specified pre-market. | Coming soon | Specification Gap |
| P2 | Integration falls between organisational boundaries during procurement. The business unit owns requirements; enterprise architecture owns the integration landscape. Neither owns the gap. Integration is deferred to "implementation detail" because nobody at the procurement table has authority or expertise to specify it. | Coming soon | Integration Blind Spot |
| P3 | Milestone payments decouple from formal acceptance testing. The vendor creates urgency around payment; the customer pays "in good faith", losing contractual leverage. Payment becomes the de facto acceptance event. | Coming soon | Acceptance Drift |
| P4 | Evaluation criteria designed to look rigorous but structured so any compliant vendor scores similarly. The decision is made on price or relationship, but the process creates the appearance of merit-based selection. | Coming soon | Evaluation Theatre |
| P5 | Procurement thresholds shape the scope rather than the scope determining the threshold. Requirements are artificially narrowed or phased to stay under a governance tier, excluding the non-functional and integration requirements that would have pushed the total over. | Coming soon | Threshold Blindness |
| P6 | No dedicated procurement capability persists across the lifecycle. Procurement knowledge fragments across business analysts, PMs, and central procurement. Nobody owns the full lifecycle from specification through contract management. | Coming soon | Contract-as-Filing |
The three that will actually kill it
If I had to pick three risks from this list that kill more projects than any others, they would be:
G1: Three hats on one head. The structural root cause behind most vendor delivery failures. Everything else in the vendor/governance domain flows from this.
S3: Zero-sum recognition culture. You can have the best governance structure in the world and it won't matter if the team culture makes collaboration irrational. Confelicity deficits are invisible in project reports but devastating in practice.
G5: Contract management invisible until crisis. The missing role that nobody notices until the first disputed milestone payment. By then, you're already behind.
These three share a common trait: they are structural, not situational. You can't fix them with better project management. You fix them with better governance design.
How this list grows
Each new article on reportinglines.com adds risks to this taxonomy. The cross-links work both ways: the risk list drives traffic to the articles, and the articles provide the evidence base for each risk. If you want to follow the series, the best way is to check back here periodically or connect on LinkedIn.
All examples in this article are composites drawn from multiple engagements. The patterns are real. The specifics are abstracted.