We have wondered why project risk management often does not work in practice. The theory is understood and the process of project risk management is well documented in numerous books, guides and procedures. Our observations are that the first four stages of the risk management process: 1) initiate or plan risk management; 2) identify risks; 3) assess risks; and 4) plan responses are generally performed well. Unfortunately, these stages are essentially just risk analysis with a bit of planning of what you intend to do. Risk management really only starts when you implement planned risk responses such that overall risk exposure is reduced in a cost efficient and risk effective way. This is where we see the enthusiasm that was evident in risk analysis falling away. So, why is the implementation of risk responses all too often poor?