Insurance agents work with individuals to help them identify their loss exposures, any condition or situation that presents the possibility of loss, whether or not an actual loss occurs.
Many policyholders have property and liability loss exposures for their homes and automobiles, some known and some unknown. Individuals with small businesses have a more complex set of risk exposures that may include personnel and net income loss exposures. Whether the loss exposure picture is simple or complex, one thing is certain — the risks will not be covered until the exposure is first identified.
The same is true for anything from simple projects to complex programs. Until the project manager or program mananger has identified the threats and opportunities, the risks cannot be managed properly. Projects rise and fall with the project manager’s ability to properly identify and manage their most significant risks.
Project managers don’t want to spend an inordinate amount of time identifying risks — rightly so. Neither can project managers afford to miss the critical risks. Let’s look at strategies to identify risks, save time, and ensure a holistic view of the project risks. Choose and scale theses strategies as needed.
1. Use a risk list. A risk list is a list of potential risks for an industry, organization, or company. Ideally, the risks are listed by categories such as schedule, budget, quality, and scope. For example, you could identify schedule risks using a schedule risk list such as:
- Schedule is missing key activities
- Schedule was baselined without review by key stakeholders
- Schedule is optimistic, not realistic
- The product or service cannot be developed to the size specified in the time allocated
- Excessive schedule pressure
- Scope has increased with no change to the schedule
- A delay in a critical path activity is causing cascading delays in the subsequent activities
- A key resource has been reallocated half-time to another project, adversely impacting the work on this project
- Estimates were created by the project manager, not the individuals doing the work
- One activity may not provide the required information that a subsequent activity needs
- Coordination issues are arising from the crashing of several critical path activities
2. Use risk categories. What can we do if we don’t have a risk list? Try a prompt list, a generic list of categories used to “prompt” the identification of risks. Typical project risk categories include:
- Schedule risk – schedule events or conditions, that if they occur, will cause a positive or negative impact to the project goals
- Budget risk – budget events or conditions, that if they occur, will cause a positive or negative impact to the project goals
- Quality risk – quality events or conditions, that if they occur, will cause a positive or negative impact to the project goals
- Scope risk – scope events or conditions, that if they occur, will cause a positive or negative impact to the project goals
3. Identify internal and external risks. It’s obvious that we need to identify internal risks. However, project managers may fail to identify external risks. Out of sight, out of mind. For example, an organization may contract with a third party to provide products, services, and supplies. There is the temptation to forget about it.
Just because a contract exists does not mean that the project manager has washed her hands of these risks. The project manager is still responsible for overseeing the activities, making sure the contracted products and services fulfill the project’s needs and integrate properly into the project deliverables.
4. Perform top-down and bottom-up risk identification. With a top-down approach to risk management, the project sponsor (and sometimes senior management) declares which threats and opportunities matter. The benefit is that it provides a high-level perspective. The project sponsor defines the project goals and determines the business strategies to make it happen.
However, the project sponsor will not likely understand the project planning and execution risks. A bottom-up approach provides the advantage of getting the views of the team members and key stakeholders. An excellent tool for the bottom-up risk identification is the work breakdown structure (WBS). The project manager can work with team members to discuss the lowest level WBS activities in order to identify risks.
5. Perform risk reviews periodically. Remember — risk changes over time. Imagine never having your vehicles checked or never having a physical exam by a doctor. Project risk reviews should be performed regularly. In addition, reviews should be performed for the following events:
- Significant change of project goals, deliverables, assumptions, of constraints
- Change in team members
- Significant change in requirements
- New or changing external requirements such as regulatory requirements or contract requirements
- High number of issues are occurring
Keep in mind, we are NOT trying to identify every possible risk. We are scanning the project environment to find the most significant risks. If done properly, these strategies can help us identify the critical risks quickly. Then we can take the next step — treat the risks.
Some project managers take a different approach – it’s called wait and see. It works like this: Don’t invest time (i.e., waste time) identifying and treating risks. When the uncertain event or condition occurs, the project manager would fix it — translate, the project manager and affected stakeholders would put out the fires!
Responding to issues almost always require more time and cost more money than identifying and treating risks ahead of time. Being disciplined and applying an appropriate amount of time and focus on risks can reduce project expenses, promote the project schedule, reduce stress, and help a project team achieve its mission.
PMI-RMP Exam Guide
Grab your copy of How to Prepare for the PMI-RMP Exam! And receive weekly project management tips.