Project managers who identify project risks very well do the following things:
First, project managers clarify what they mean by project risk.
Second, they use a variety of risk identification tools and techniques, not just one.
Third, they write the risks in a consistent format.
Fourth, project managers engage the right stakeholders.
Fifth, they look beyond the obvious risks. Look around the corners.
Lastly, project managers capture their project risks in a central repository.
But you’re probably wondering:
“How do I actually do this? How can I identify and capture project risks in a manner that creates value for my projects?”
If we are going to identify project risks, it’s critical that we first define what we mean. What are risks and non-risks?
When people hear the term “risk,” they often think of negative events. Why? Well, the dictionary defines risk as “the possibility that something bad may happen.”
Notice the words “possibility” and the phrase “may happen.” Uncertainty is implied.
We’re on the right track, but something is missing here. The definition has a singular focus on bad things that may happen.
A more modern definition of risk covers not only the bad things but also the good things that may happen. (Some project managers push back on the concept of positive risks.)
The Project Management Body of Knowledge defines risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.”
That works for me. It contains two sides of the coin of uncertainty—threats AND opportunities.
What’s the bottom line?
Whether you support the concept of positive risks or not, wise project managers employ a method for identifying and seizing opportunities (positive events and conditions). Project managers who neglect opportunities lose one of the most powerful ways of achieving their objectives.
The important thing in your projects is that your stakeholders have a common understanding of the term risk. This is the beginning point of identifying risks.
While we are on the topic, allow me to share my simplified view of risk management. Risk management is simply gathering appropriate information and making better choices, with the primary aim of meeting your objectives. Those choices involve managing not only negative events and conditions but also positive ones.
There may be some things in your project that are non-risks, perhaps risks that have already occurred. That’s another topic called issues.
So, you’ve thought of some risks. How should you write them?
Try using a simple syntax such as:
You may be thinking:
That sounds robotic. Well, I’m not asking you to turn your brain off. Rather, I’m suggesting that you think about your risks in a consistent fashion.
Neither am I suggesting that you write every risk in the exact same way.
Here are some examples of risk statements:
Because of the lack of user involvement in the requirements process, the developers may not have the right requirements, resulting in rework later in the project.
There have been five instances of the test regions going down in the last two weeks. No changes have been made to stabilize the test environments, which may mean that the testing team may rush the testing when the test region is working, resulting in deliverables that do not meet the requirements.
Notice that the causes and the effects are NOT risks. Think of your risks as future events or conditions that may or may not occur.
Tip: If the Cause is uncertain, you have another risk. Ask the subject matter experts what is causing the uncertainty. In effect, you should continue to drill down until you understand the root cause (e.g., a fact or condition that gives rise to the risk).
Next, it’s tool time.
If I looked in your risk management toolbox, what tools would I see? Do you have one or two tools to identify project risks?
Some project managers do the same thing on every project. They have one meeting with a few subject matter experts, brainstorm the risks, and call it done.
That’s a good start, but consider adding more tools, and perform periodic risk reviews to evaluate current risks and identify new ones.
What other tools, you say?
How about a root-cause analysis to discover the underlying causes of your threats and opportunities?
Next, the SWOT analysis can help you and your stakeholders to identify strengths, weaknesses, opportunities, and threats. This technique may be applied to a business process, a system, or your project, to name a few.
How many times have you been bitten by wrong assumptions or poorly understood constraints? Project managers can perform assumption analysis to test assumptions. The constraint analysis can help you identify limitations that you can work to reduce or remove.
Lastly, consider using a predetermined list of risk categories called a prompt list. For example, you could facilitate a meeting where you ask stakeholders to identify risks for the project schedule, cost, quality, and scope.
One mistake that some project managers make is trying to identify risks by themselves. You’re smarter than that!
You may have the best facilitation skills in the world, but if you don’t have the right people in the room, you’ll likely miss some of the most significant risks.
I know your stakeholders are busy. And I know how hard it can be to get these people to your meetings. But put your sales hat on. Do whatever is necessary to get the subject matter experts to help you identify project risks.
How do you know WHO to engage?
It starts with your stakeholder analysis while you are initiating your projects. Identify the individuals, groups, and organizations who may impact your project.
Identify anyone who may be impacted by your project. What about people outside your organization? Yes, those people too.
As you plan for your risk identification meetings, review your stakeholder register and select the appropriate stakeholders.
Many project managers make the mistake of only looking for the obvious risks.
I’m suggesting that you look around the corners. What are the other potential risks?
Have you ever had a home inspection?
The home inspector crawls on your roof and under your house. He checks the electrical system and the heating and air units. He performs a comprehensive inspection of every room and every system.
Like the home inspector, you can take a holistic approach to risk management.
You may be thinking:
That would take too much time.
But the more you do this, the easier it gets. You know what to look for and where. The scan of your environment can actually save you time and money.
Another way to look around the corners is to perform quantitative risk analysis—analyze the risks at a deeper level.
Perhaps you think the impact of a risk is high, but you really don’t know how much. You could use a technique such as the Expected Monetary Value technique to quantify the impact.
What do you do with all this risk information? I’ll explain.
As you identify project risks, you should capture the risks in a risk register. Make your job easy. Use one place to store all your risk-related information.
What kind of information should we store in the risk register? Common things include:
Keep in mind, risk identification is NOT a one-time event.
Start early in your projects. And perform periodic risk reviews to review and update your current risks as well as add new risks.
How will things be different with this information?
Reduced uncertainty. Fewer missteps. More positive things happening.
You cannot manage risks until you first identify them. As you read this article, perhaps you thought, “That’s something I need to work on.”
Select one or two of these tips and incorporate them into one of your projects. Over time, incrementally take additional steps to help you better identify your project risks. Best wishes!