Vague risk statements lead to poor risk response planning. When project teams fail to respond to significant risks, these groups fail to achieve their goals and reach their potential. Risk management starts with identifying risks and writing clear risk statements.
Why do people write poor risk statements? I am convinced that most people simply don't know how. Allow me to share some simple tips.
Let's Break Down Risk Statements
When I ask someone to identify a risk, individuals often respond with something like "there is a conflict between two executive sponsors" or "the estimates are incorrect" or "we are experiencing system outages." But these are facts or conditions that are true, not statements of uncertainty. In other words, these are causes that give rise to uncertain events or conditions.
As you write your risk statements, try this syntax:
I start by writing the risk, the uncertain event or condition.
When defining risks, think about what may or may not happen. Risks by definition are uncertain events or conditions, not things that have already happened. Threats that have occurred are called issues; opportunities that have occurred are benefits.
Let's Improve Your Risk Statements
Want to improve results with better risk statements for your project risks? Ask yourself the following questions:
- Does the risk statement focus on uncertain events or conditions?
- Are the causal factors clear?
- Does the statement specify the impact(s)?
- Does the risk statement drive clear response plans?
Progressively Improve Your Risk Statements
Imagine that we are having a discussion about a project risk of underestimating the testing effort of the project. So let's write a risk statement:
Initial Risk Statement
Risk statement: Because the project team does not fully understand the requirements, the testers may underestimate the testing effort.
Let's review this statement.
- Does the risk statement focus on uncertain events or conditions? Somewhat but it could be better
- Are the causal factors clear? No
- Does the statement specify the impact(s)? No
- Does the risk statement drive clear response plans? No
Revised Risk Statement
Risk statement: The project team has not completed the requirements for the interface to the loss notice system (a fact that gives rise to uncertainty). Therefore, the testers do not fully understand the interface requirements and may underestimate the testing effort (uncertain condition), resulting in adverse impacts to the schedule and budget (impact to the project goals).
Better Risk Statements Lead to Better Response Planning
Imagine trying to develop response plans for the initial risk statement which lacks specificity. We are not sure of how to respond to achieve our project goals.
Now imagine defining response plans for the revised risk statement. The risk statement is clear and specific. Consequently, we know where to attack. The response plans may be defined in ways that produce better results. Here are some examples of risk response plans:
- Identify the loss notice interface experts/stakeholders.
- Facilitate additional requirement sessions for the loss notice interface.
- Model the loss notice interface.
- Develop exception processing rules.
- Develop test plans for the interface.
How About You?
Now it's your turn to improve your own risk statements. Review your risks in your risk register. Look for ways to make your risk statements clear and specific. Then define risk response plans that will drive significantly better results.
Related article: The Power of If-Then Risk Statements