
how to deal with legacy risk?

Risk Management
Luis Javier Caño Applications manager| Davy Stockbrokers Dublin, Ireland
Hi there, 
I'm working on a project to migrate an existing process to a digital solution. There is a known risk in the old process, but it was never tracked in any log, and no mitigation strategy was ever agreed. Now the new project team has raised the risk for the project, and it is causing noise and having a negative impact on the plan. How do you usually deal with these legacy/inherited risks?
Thanks,
Luis
Kiron Bondale Retired | Mentor| Retired Welland, Ontario, Canada
Luis -

Regardless of whether a risk is inherited from before or is net new to the project, if it could impact the successful delivery of the project it should be managed efficiently & effectively.

It might be useful to capture the fact that it was not introduced by the project and its origin might have some bearing on who the risk owner is or the range of possible responses, but aside from those considerations, it should be treated like all other identified risks.

Kiron
Sergio Luis Conte Helping to create solutions for everyone| Worldwide based Organizations Buenos Aires, Argentina
You have to manage the risk using your defined risk management process as in other type of project. Nothing new. Something obvious. But it is what it is.
Brock Hamill United States
Use the Impact vs. Likelihood matrix. Update it to the new numerical system (which can increase geometry vibes or reduce risk). This will ensure that risk is assessed objectively and not based on personal feelings or experience.
Teck Huat Ang Singapore, Singapore, Singapore
Hi. Was the risk provided for in the Exclusions section of the Project Charter?
Luis Branco CEO| Business Insight, Consultores de Gestão, Ldª Carcavelos, Lisboa, Portugal

Luis Javier Caño
Great question.
And a challenge more common than many teams would like to admit.

When transitioning from informal or undocumented legacy processes to structured digital solutions, it's not unusual for latent risks to surface.
These are often long-known, quietly tolerated, and never formally tracked.
Once exposed under a more rigorous governance approach, they can create noise and threaten delivery - not because they are new, but because they were previously unmanaged.

Here’s how I typically approach legacy or inherited risks, based on best practices from frameworks like the PMBOK® Guide, ISO 31000, and real-world experience in organizational change:

1. Reframe It as a Transitional Risk, Not a Failure
The fact that the current team surfaced this risk is a positive indicator of risk maturity.
Avoid framing it as “something missed” - instead, treat it as part of the natural learning curve during transformation.
This builds psychological safety and trust within the team.

2. Classify and Document Transparently
Even if undocumented, the risk must now be formalized:
- Add it to the current risk register, tagged as "legacy/inherited"
- Identify origin, potential impact, and explain why it wasn't mitigated before
- Include it under the appropriate risk category (e.g., process, compliance, operational)

This aligns with PMBOK® risk categorization and ISO 31000’s emphasis on traceability and context.

3. Engage Stakeholders with Neutral Framing
Legacy risks often involve political or emotional undercurrents.
Position your communication carefully:
- Emphasize that this is about ensuring continuity, not assigning blame
- Create a shared ownership model for assessing and addressing it
- Use “humble inquiry” (Schein) when discussing causes with previous process owners

4. Evaluate and Decide Collectively
Facilitate a quick impact/probability analysis:
- Is this a high-impact risk?
- Can it be accepted, transferred, mitigated, or avoided?
- Does it require escalation or executive attention?

In a recent ERP migration I led, a legacy tax configuration caused similar noise.
By classifying it as a technical debt risk, engaging finance leaders, and mapping scenarios, we absorbed and mitigated it collaboratively.

5. Integrate It into the Transition and Change Plan
Legacy risks should be explicitly tracked as part of the transition roadmap.
This shows stakeholders that you're managing not just the digital system, but also the organizational learning debt - a subtle but critical factor in successful transformation.

Final Thought
Legacy risks are not signs of poor planning - they’re signs of evolving awareness.
How we handle them reflects the maturity of our risk culture.

Would love to hear how others integrate legacy risks into their risk registers, especially when there's no formal documentation behind them.
