It's easy to miss project risks. And, until a project manager has identified the threats and opportunities, the risks cannot be managed properly. Projects rise and fall with the project manager's ability to properly identify and manage their most significant risks.
Project managers don't want to spend an inordinate amount of time identifying risks—rightly so.
Neither can project managers afford to miss the critical risks. Let's look at strategies to identify risks and save time when identifying project risks. You can choose and scale these strategies as needed.
Risk Identification Techniques
1. Use a risk list. A risk list is a list of potential risks for an industry, organization, or company. Ideally, the risks are listed by categories such as schedule, budget, quality, and scope. For example, you could identify schedule risks using a schedule risk list such as:
- Schedule is missing key activities
- Excessive schedule pressure
- Schedule is optimistic, not realistic
- The product or service cannot be developed to the size specified in the time allocated
- Schedule was baselined without review by key stakeholders
- Scope has increased with no change to the schedule
- A delay in a critical path activity is causing cascading delays in the subsequent activities
- A key resource has been reallocated half-time to another project, adversely impacting the work on this project
- Estimates were created by the project manager, not the individuals doing the work
- One activity may not provide the required information that a subsequent activity needs
- Coordination issues are arising from the crashing of several critical path activities
2. Use risk categories. What can we do if we don't have a risk list? Try a prompt list, a generic list of categories used to "prompt" the identification of risks. Typical project risk categories include:
- Schedule risk - schedule events or conditions, that if they occur, will cause a positive or negative impact to the project goals
- Budget risk – budget events or conditions, that if they occur, will cause a positive or negative impact to the project goals
- Quality risk – quality events or conditions, that if they occur, will cause a positive or negative impact to the project goals
- Scope risk – scope events or conditions, that if they occur, will cause a positive or negative impact to the project goals
3. Identify internal and external risks. It’s obvious that we need to identify internal risks. However, project managers may fail to identify external risks. Out of sight, out of mind. For example, an organization may contract with a third party to provide products, services, and supplies. There is the temptation to forget about it.
Just because a contract exists does not mean that the project manager has washed her hands of these risks. The project manager is still responsible for overseeing the activities, making sure the contracted products and services fulfill the project’s needs and integrate properly into the project deliverables.
“The secret of getting ahead is getting started. The secret of getting started is breaking your complex overwhelming tasks into small manageable tasks, and then starting on the first one.” —Mark Twain
4. Perform top-down and bottom-up risk identification. With a top-down approach to risk management, the project sponsor (and sometimes senior management) declares which threats and opportunities matter. The benefit is that it provides a high-level perspective. The project sponsor defines the project goals and determines the business strategies to make it happen.
However, the project sponsor will not likely understand the project planning and execution risks. A bottom-up approach provides the advantage of getting the views of the team members and key stakeholders. An excellent tool for the bottom-up risk identification is the work breakdown structure (WBS). The project manager can work with team members to discuss the lowest level WBS activities in order to identify risks.
5. Perform risk reviews periodically. Remember—risks change over time. Imagine never having your vehicles checked or never having a physical exam by a doctor. Project risk reviews should be performed regularly. In addition, reviews should be performed for the following events:
- Significant change of project goals, deliverables, assumptions, of constraints
- Change in team members
- Significant change in requirements
- New or changing external requirements such as regulatory requirements or contract requirements
- High number of issues are occurring
Risk Identification Tips
Keep in mind, we are NOT trying to identify every possible risk. We are scanning the project environment to find the most significant risks. If done properly, these strategies can help us identify the critical risks quickly. Then we can take the next step—treat the risks.
Some project managers take a different approach - it's called wait and see. It works like this: Don't invest time (i.e., waste time) identifying and treating risks. When the uncertain event or condition occurs, the project manager would fix it—translate, the project manager and affected stakeholders would put out the fires!
Responding to issues almost always require more time and cost more money than identifying and treating risks ahead of time. Being disciplined and applying an appropriate amount of time and focus on risks can reduce project expenses, promote the project schedule, reduce stress, and help a project team achieve its mission.
Join the 21 Day Challenge
Risks derail projects. We make risk management easy to understand and practical to apply, putting you back in the driver's seat.
Spend five minutes per day for 21 days--discover practical risk management techniques that can help you turn uncertainty into success!
Plus, you'll get weekly project management tips.