It is also necessary to define the context within which the risks must be managed so as to set the scope for the risk management process. The context includes the external environment in which the organisation operates and key areas of internal context such as organisational culture and structure, internal stakeholders. The external environment of a project may include the business, social, regulatory, financial, and political environment. The perceptions and values of the external stakeholders should be taken into consideration while development the risk management plan. Defining the internal context will help in understanding the capabilities of the organisation in terms of resources (such as people, systems, processes, and capital), goals and objectives, and strategies that are in place to achieve them.

After putting in place the risk management process, the process should be monitored and reviewed on an ongoing basis. This is necessary as the factors that may affect the likelihood and consequences of a risk event may change. Similarly, the factors that may affect the suitability or cost of the risk mitigation options may also change. Monitoring and reviewing on an ongoing basis will provide the necessary inputs to introduce the necessary changes in the risk management process in a systematic manner.

Risk management should not be considered as a process established at the beginning of the project conceptualisation but it is a continuous process which has to be carried in all the phases of project lifecycle. The key milestone points in the project lifecycle when risk management should be done are while carrying out feasibility analysis, preparing business case before launching the tendering process, interacting with bidders during the procurement process, and at the time of contract award. The objectives of the risk management process though changes as the project evolves over the lifecycle. During feasibility analysis, the objective of risk management is on preliminary identification and assessment of project risks, primarily using qualitative risk analysis technique. During business case, the objective of risk management is to thoroughly identify, analyse, and quantify the risks to determine the appropriate risk treatment strategies. Risks identified during this phase are included in project's financial models prepared by conceding authority so as to make it comparable with private sector's model. The objective of risk management during procurement process is to further refine the risk management analysis and strategy in the light of the feedback and input from private sector on project risk profile and risk transfer issues. Undertaking risk management during procurement process also provide an opportunity to analyse and negotiate the risks between the conceding authority and private sector. Finally, the risk management objective at the time of contract award is refinement of the risk analysis undertaken, taking into account the negotiated positions of the public sector and private sector on risk allocation and treatment.