Are We Measuring the Right Things in Risk Management?
- Bill Holmes
- Aug 3

“Risk comes from not knowing what you’re doing.”—Warren Buffett
“Plans are worthless, but planning is everything.”—Dwight D. Eisenhower
Risk management is a well-established discipline. We identify, assess, prioritize, and respond to risks—often with detailed registers, probability-impact matrices, and regular reviews. But once the project closes, how do we evaluate whether that process was effective?
One question that’s rarely asked, but potentially very revealing, is this: How many of the project’s issues were risks we had already identified? And just as important: How many issues weren't identified by our risk processes? These aren’t standard performance metrics in most risk frameworks, but they should be part of the conversation.
It’s easy to focus on the number of risks identified or how thoroughly they’re documented. But risk management isn’t about documentation—it’s about foresight and response. When a project runs into trouble, take a moment to reflect: Was this risk identified ahead of time? If so, did our response strategy work? If not, what caused the blind spot? That’s not finger-pointing—it’s feedback. And it can be one of the most useful inputs for improving risk practices across future projects.
Here are three metrics that go beyond standard tracking and provide real insight into the strength of your risk process:
- Number of issues that were never listed as risks
  A high number here might indicate a need to strengthen your identification techniques—or broaden who’s involved in the process.
- Number of risks that turned into issues
  This highlights whether your response strategies are working as intended or need adjustment.
- Number of risks that were effectively resolved
  These are the proactive wins—risks that were mitigated, avoided, transferred, or accepted with clear awareness and minimal impact.
Over time, tracking these numbers can help you move beyond compliance and toward genuine risk maturity.
PMI and other frameworks provide solid guidance on building risk processes—but they often stop short of evaluating outcomes. That’s understandable: measuring foresight isn’t easy. But it’s also why adding this layer of analysis can set your projects apart. You’re not just managing risks—you’re learning from them.
Risk management isn’t only about anticipating what might go wrong. It’s also about reviewing what actually did, and asking how well we saw it coming. If you’re not already tracking the connection between risks and resulting issues, it may be worth starting. The insights could reshape how your team defines success—not just in theory, but in practice.
Do you track how many issues originated from your risk register? I’d love to hear how others are approaching this.
Coda
Many of my colleagues have just retired or are thinking of doing so, so I've had a lot of discussions with them about what is going into that decision. This isn't universal, but their opinions seem split into two camps - they are running away from something (dislike the job, stress, etc.) or they are running toward something. If you don't have something you are looking forward to in your retirement, I suggest you reconsider. The worst thing would be to take a successful career and replace it with nothing.







