Risk identification is an integral part of project risk management. It is essential for any project manager to know what risks might affect a project and navigate them. This article will examine five techniques for risk identification in projects.
Techniques for Risk Identification
1. Use a Risk List
A risk list is a list of potential risks for an industry, organization, or company. Ideally, the risks are listed in categories such as schedule, budget, quality, and scope. For example, you could identify schedule risks using a schedule risk list such as:
- Schedule is missing key activities
- Excessive schedule pressure
- Schedule is optimistic, not realistic
- The product or service cannot be developed to the size specified in the time allocated
- Schedule was baselined without review by key stakeholders
- Scope has increased with no change to the schedule
- A delay in a critical path activity is causing cascading delays in the subsequent activities
- A essential resource has been reallocated half-time to another project, adversely impacting the work on this project
- Estimates were created by the project manager, not the individuals doing the work
- One activity may not provide the required information that a subsequent activity needs
- Coordination issues are arising from the crashing of several critical path activities
2. Use Risk Categories
What can we do if we don't have a risk list? Try a prompt list, a generic list of categories used to "prompt" the identification of risks. Typical project risk categories include:
- Schedule risk - schedule events or conditions that, if they occur, will cause a positive or negative impact on the project goals
- Budget risk - budget events or conditions that, if they occur, will cause a positive or negative impact on the project goals
- Quality risk - quality events or conditions that, if they occur, will cause a positive or negative impact on the project goals
- Scope risk - scope events or conditions that, if they occur, will cause a positive or negative impact on the project goals
3. Identify Internal and External Risks
It's evident that we need to identify internal risks. However, project managers need to identify external risks too. Out of sight, out of mind. For example, an organization may contract with a third party to provide products, services, and supplies. There is the temptation to forget about the associated risks.
Just because a contract exists does not mean the project manager has washed her hands of these risks. The project manager is still responsible for overseeing the activities, ensuring the contracted products and services fulfill the project's needs and integrate appropriately into the project deliverables.
“The secret of getting ahead is getting started. The secret of getting started is breaking your complex overwhelming tasks into small manageable tasks, and then starting on the first one.” —Mark Twain
4. Perform Top-down and Bottom-up Risk Identification
With a top-down approach to risk management, the project sponsor (and sometimes senior management) declares which threats and opportunities matter. The benefit is that it provides a high-level perspective. The project sponsor defines the project goals and determines the business strategies to make it happen.
However, the project sponsor will not likely understand the project planning and execution risks. A bottom-up approach provides the advantage of getting the views of the team members and key stakeholders. An excellent tool for bottom-up risk identification is the work breakdown structure (WBS). The project manager can work with team members to discuss the lowest-level WBS activities to identify risks.
5. Perform Risk Reviews Periodically
Remember—risks change over time. Imagine never having your car engine checked or never having a physical exam by a doctor. Project risk reviews should be performed regularly. In addition, reviews should be performed for the following events:
- Significant change in project goals, deliverables, assumptions, or constraints
- Change in team members
- Significant change in requirements
- New or changing external requirements such as regulatory requirements or contract requirements
- High number of issues are occurring
Risk Identification Tips
Keep in mind we are NOT trying to identify every possible risk. We are scanning the project environment to find the most significant risks. If done correctly, these strategies can help us identify critical risks quickly. Then we can take the next step—treat the risks.
Some project managers take a different approach – wait and see. It works like this: Don't invest time (i.e., waste time) identifying and treating risks. When an uncertain event or condition occurs, the project manager will fix it—translate, the project manager and affected stakeholders will put out the fires!
Responding to issues almost always requires more time and money than identifying and treating risks ahead of time. Being disciplined and applying an appropriate amount of time and focus on risks can reduce project expenses, promote the project schedule, reduce stress, and help a project team achieve its mission.