Every project manager deals with risks. We all face significant uncertainty. Allow me to share seven things you ought to know about identifying risks.
Project managers must address unrealistic time frames where failure seems unavoidable, scope creep, ambiguous requirements, delays from third parties, and the lack of required skills, to name a few.
How do we manage risks and the causal factors?
Risk management begins with the practice of identifying risks. In this process, we consider future events or conditions that may impact our ability to achieve our goals. Risk identification includes figuring out where, when, how, and why such events may occur.
Not sure how to get the most value from risk identification? Well, here are answers to common questions. If you understand these basic principles, you have the foundation for an effective and efficient risk identification process.
Risks cannot be managed if they are not first identified. —Harry Hall
21 Days to Better Risk Management
Feeling uncertain about your projects? Struggling to identify your project risks? Join the 21-day challenge where you will receive risk management tips for 21 days to help you turn uncertainty in success.
What You Need to Know About Identifying Risks
1. Why identify risks? Risks cannot be managed if they are not first identified. The project manager should help to identify risks that may affect the achievement of program and project goals. What threats may hinder the stakeholder’s ability to achieve their goals? What opportunities may stakeholders exploit or enhance to reach the goals?
Some well-meaning individuals question why we should take the time to identify risks at all. Isn’t this common sense? These individuals think they can manage the risks without going through a formal process of identifying and assessing the risks. However, engaging other stakeholders in the process helps to leverage their insights and mitigate the possibility of overlooking significant risks.
2. Who should be involved in identifying risks? Not only should the project manager and the project team be involved, engage other relevant stakeholders. For example, if you are identifying threats associated with the development of a data center, you should include representatives of third-party vendors. If you are managing a project to move a leasing company from Canada to a U.S. location, include human resource representatives from both locations.
3. When should risk identification occur? Risk identification should begin early in the project when uncertainty and risk exposure is greatest. Identifying risks early allows risk owners to take action when the risks are easier to address. Risk owners who execute early responses often reduce cost as compared to addressing risks and issues later in the project.
Project managers should continue to work with the project team throughout the course of the project to identify risks. It is impossible to identify all the risks at the beginning of a project. Things change over time that may lead to new risk exposures.
4. How do you identify risks? There are numerous ways to identify risks such as brainstorming, the Delphi Technique, Pre-mortem, and the Cause and Effect Diagram. Depending on the nature of your project, project managers may use two or more of these methods during the course of a project.
5. How should the risks be written? Many risk registers are difficult to read and understand. Why? Each risk is written in a different format and style. Consider writing your risks in a consistent (at least similar) form using this syntax: Cause -> Risk -> Effect. For example: Because of [cause], the [risk] may or may not occur, which results in [effect].
Another useful syntax is the simple but powerful If/Then formula. For example: If you add an additional developer to task ABC, then the task will be completed one week earlier.
6. What is the main deliverable from risk identification? All risks should be captured in a risk register. The risk register is simply a list of risk-related information including items such as risk description, risk owner, category, probability risk rating, impact risk rating, risk score, and risk response plans. The risk register may be created in a tool such as a spreadsheet, SharePoint, or a project management information system.
7. How should risks relate to project goals? All risks should relate to at least one of the project goals (schedule, cost, scope, and quality). A good practice is to walk through each goal and ask: What may hinder the accomplishment of the goal? What opportunities should be exploited?