Successful project managers have a common trait – they identify and manage risks. Project managers cannot manage a risk until it has been identified.
Often project managers start with a splash. They get the team together, identify lots of risks, and enter them into an Excel spreadsheet. Risks are never discussed again.
What happens when project managers and their team fail to identify risks in an iterative fashion? They do not invest the appropriate time and energy on the risks that matter most. They may focus on the trivial items or the team may not be aware of emerging killer risks.
“They that are on their guard and appear ready to receive their adversaries are in much less danger of being attacked than the supine, secure and negligent.” -BENJAMIN FRANKLIN, SCIENTIST, PUBLISHER, AND DIPLOMAT
When to Identify Risks
The risk exposure is greatest at the beginning of projects. The uncertainty is high because there is less information in the beginning of projects. Wise project managers start identifying risks early in their projects.
Here are some key principles concerning the timing and frequency of identifying risks:
- Identify risks early in the project
- Identify risks in an iterative manner
- Identify risks with a consistent frequency such as weekly
- Identify risks when change control is performed
- Identify risks when major milestones are hit
7 Ways to Identify Risks
There are numerous ways to identify risks. Project managers may want to use a combination of these techniques. For example, the project team may review a checklist in one of their weekly meetings and review assumptions in a subsequent meeting. Here are seven of my favorite risk identification techniques:
- Interviews. Select key stakeholders. Plan the interviews. Define specific questions. Document the results of the interview.
- Brainstorming. I will not go through the rules of brainstorming here. However, I would offer this suggestion. Plan your brainstorming questions in advance. Here are questions I like to use:
  - Project objectives. What are the most significant risks related to [project objective where the objective may be schedule, budget, or quality]?
  - Project tasks. What are the most significant risks related to [tasks such as requirements, coding, testing, training, implementation]?
- Checklists. See if your company has a list of the most common risks. If not, you may want to create such a list. After each project, conduct a post-review where you capture the most significant risks. This list may be used for subsequent projects. Warning – checklists are great, but no checklist contains all the risks.
- Assumption Analysis. The Project Management Body of Knowledge (PMBOK) defines an assumption as “factors that are considered to be true, real, or certain without proof or demonstration.” Assumptions are sources of risks. Project managers should ask stakeholders, “What assumptions do you have concerning this project?” Document these assumptions and associated risks.
- Cause and Effect Diagrams. Cause and Effect diagrams are powerful. Project managers can use this simple method to help identify causes of risks. If we address the cause, we will reduce the risk.
- Nominal Group Technique (NGT). Many project managers are not familiar with this powerful technique. It is brainstorming on steroids. Input is collected and prioritized. The output of NGT is a prioritized list of risks.
- Affinity Diagram. This technique is a fun, creative, and beneficial exercise. Participants are asked to brainstorm risks. I ask participants to write each risk on a sticky note. Then participants sort the risks into groups or categories. Each group is given a title.
Variety is the spice of life. One sure way to bore your project team to death is to use the same risk identification technique repeatedly. Mixing it up occasionally will help your team think in new ways and improve the identification process.
7 Deadly Sins of Risk Identification
Ninety percent of all risks can be eliminated or greatly reduced through basic risk management. Be sure you do not miss the target through negligence. Take note of the seven sins of risk identification:
- Risks are not identified early when they are less expensive to address.
- Risks are not identified in an iterative fashion.
- Risks are not identified with appropriate stakeholders.
- Risks are not identified using a combination of risk identification techniques.
- Risks are not captured in one location.
- Risks are not visible and easily accessible.
- Risks are not captured in a consistent format (e.g., Cause -> Risk -> Impact).
Consider reviewing this article and refining the risk identification strategy for your current or upcoming projects. Capture the approach in your Risk Management Plan.
Question: What other risk identification techniques do you use?