We have wondered why project risk management often doesn’t work in practice. The theory is understood and the process of project risk management is well documented in books, guides and procedures. Our observations are that the first four stages of the risk management process: 1) initiate or plan risk management; 2) identify risks; 3) assess risks; and 4) plan responses are generally performed well. Unfortunately, these stages are essentially just risk analysis with a bit of planning of what you intend to do. Risk management really only starts when you implement planned risk responses such that overall risk exposure is reduced in a cost efficient and risk effective way. This is where we see the enthusiasm that was evident in risk analysis falling away. Consequently, risk responses are rarely implemented and therefore risks are never managed.