Project managers who identify project risks have some healthy habits:
- First, project managers clarify what they mean by project risk.
- Second, they use various risk identification tools and techniques, not just one.
- Third, they write the risks in a consistent format.
- Fourth, project managers engage the right stakeholders.
- Fifth, they look beyond the obvious risks. Look around the corners.
- Lastly, project managers capture their project risks in a central repository.
But you’re probably wondering: How do I actually do this? How can I identify and capture project risks in a manner that creates value for my projects?
1. Define Project Risk
If we are going to identify project risks, it’s critical that we first define what we mean. What are risks and non-risks?
When people hear the term “risk,” they often think of adverse events. Why? The dictionary defines risk as “the possibility that something bad may happen.”
Notice the words “possibility” and the phrase “may happen.” Uncertainty is implied.
We’re on the right track, but something is missing here. The definition has a singular focus on bad things that may happen.
A more modern definition of risk includes not only the bad things but recognizes the possibility of good things that may happen. (Some project managers push back on the concept of positive risks.)
The Project Management Body of Knowledge defines risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.”
That works for me. It contains two sides of the coin of uncertainty—threats AND opportunities.
Read more: the ISO 31000 definition of risk
What’s the bottom line?
Whether you support the concept of positive risks or not, wise project managers employ a method for identifying and seizing opportunities (positive events and conditions). Project managers who neglect opportunities lose one of the most powerful ways of achieving their objectives.
The important thing in your projects is that your stakeholders have a common understanding of the term risk. This is the beginning point of identifying risks.
While we are on the topic, allow me to share my simplified view of risk management. Risk management is simply gathering appropriate information and making better choices, aiming to meet your objectives. Those choices not only involve managing adverse events and conditions but positive ones.
There may be some things in your project that are non-risks, perhaps risks that have already occurred. That’s another topic called issues.
Read more: Project Risks and Issues — What’s the Difference?
So, you’ve thought of some risks. How should you write them?
2. Write the Risks in a Consistent Format
Try using a simple syntax such as:
If [EVENT], then [CONSEQUENCES].
You may be thinking:
That sounds robotic. Well, I’m not asking you to turn your brain off. Rather, I’m suggesting that you think about your risks in a consistent fashion.
Neither am I suggesting that you write every risk in the same way.
Here are some examples of risk statements:
Because of the lack of user involvement in the requirements process,
the developers may not have the right requirements,
resulting in rework later in the project.
There have been five instances of the test regions going down in the last two weeks. No changes have been made to stabilize the test environments,
which may mean that the testing team may rush the testing when the test region is working,
resulting in deliverables that do not meet the requirements.
Notice that the causes and impacts are NOT risks. Think of your risks as future events or conditions that may or may not occur.
Tip: If the cause is uncertain, you have another risk. Ask the subject matter experts what is causing the uncertainty. In effect, you should continue to drill down until you understand the root cause (e.g., a fact or condition that gives rise to the risk).
Next, it’s tool time.
3. Use a Variety of Risk Identification Tools & Techniques
What tools would I see if I looked in your risk management toolbox? Do you have one or two tools to identify project risks?
Some project managers do the same thing on every project. They have one meeting with a few subject matter experts, brainstorm the risks, and call it done.
That’s a good start, but consider adding and using more tools and periodic risk reviews to evaluate current risks and identify new ones.
What other tools, you say?
How about a root-cause analysis to discover the underlying causes of your threats and opportunities?
Next, the SWOT analysis can help you and your stakeholders to identify strengths, weaknesses, opportunities, and threats. This technique may be applied to a business process, a system, or your project, to name a few.
How often have you been bitten by wrong assumptions or poorly understood constraints? Project managers can perform assumption analysis to test assumptions. The constraint analysis can help you identify limitations that you can work to reduce or remove.
Lastly, consider using a predetermined list of risk categories called a prompt list. For example, you could facilitate a meeting where you ask stakeholders to identify risks for the project schedule, cost, quality, and scope.
- Schedule risk - schedule events or conditions that, if they occur, will cause a positive or negative impact on the objectives.
- Cost risk - cost events or conditions that, if they occur, will cause a positive or negative impact on the objectives.
- Quality risk - quality events or conditions that, if they occur, will cause a positive or negative impact toon the objectives.
- Scope risk - scope events or conditions that, if they occur, will cause a positive or negative impact on the objectives.
Read more: How to Identify Scope Risks.
One mistake that some project managers make is trying to identify risks by themselves. You’re smarter than that! Engage your stakeholders.
4. Engage the Right Stakeholders to Identify Project Risks
You may have the best facilitation skills in the world, but if you don’t have the right people in the room, you’ll likely miss some of the most significant risks.
I know your stakeholders are busy. And I know how hard it can be to get these people to your meetings. But put your sales hat on. Do whatever is necessary to get the subject matter experts to help you identify project risks.
How do you know WHO to engage?
It starts with your stakeholder analysis while you are initiating your projects. Identify the individuals, groups, and organizations that may impact your project.
Identify anyone who your project may impact. What about people outside your organization? Yes, those people too.
Review your stakeholder register and select the appropriate stakeholders as you plan for your risk identification meetings.
5. Look Beyond the Obvious Risks
Many project managers make the mistake of only looking for the apparent risks.
I’m suggesting that you look around the corners. What are the other potential risks?
Have you ever had a home inspection?
The home inspector crawls on your roof and under your house. He checks the electrical system and the heating and air units. He performs a comprehensive inspection of every room and every system.
Like the home inspector, you can take a holistic approach to risk management.
You may be thinking:
That would take too much time.
But the more you do this, the easier it gets. You know what to look for and where. The scan of your environment can save you time and money.
Another way to look around the corners is to perform quantitative risk analysis—analyze the risks deeper.
Perhaps you think the impact of a risk is high, but you don’t know how much. You could use a technique such as the Expected Monetary Value technique to quantify the impact.
What do you do with all this risk information? I’ll explain.
6. Capture Your Project Risks
As you identify project risks, you should capture the risks in a risk register. Make your job easy. Use one place to store all your risk-related information.
What kind of information should we store in the risk register? Common things include:
- Risk ID
- Risk Statements
- Risk Owners
- Risk Triggers
- Risk Categories
- Probability Risk Ratings
- Impact Risk Ratings
- Risk Scores
- Risk Response Strategies (e.g., mitigate)
- Risk Response Plans
- Residual Risks
- Risk Trends
Read more: How to Build and Use a Risk Register.
Keep in mind that risk identification is NOT a one-time event.
Start early in your projects. And perform periodic risk reviews to review and update your current risks and add new risks.
How will things be different with this information?
Reduced uncertainty. Fewer missteps. More positive things are happening.
It’s Your Turn To Identify Project Risks
You cannot manage risks until you first identify them. As you read this article, perhaps you thought, “That’s something I need to work on.”
- Define Project Risks
- Write the Risks in a Consistent Format
- Use a Variety of Risk Identification Tools & Techniques
- Engage the Right Stakeholders to Identify Project Risks
- Look Beyond the Obvious
- Capture Your Project Risks
Please select one or two of these tips and incorporate them into one of your projects. Over time, incrementally take additional steps to help you better identify your project risks. Best wishes!