The first step in a good risk management plan is the identification of risks. The other phases of project risk management are built on this foundation. It involves developing a list of the potential risks to a project. This list is called a Risk Register.
A good risk register might have the following six columns:
- Name/Description of risk
- Probability
- Impact
- Priority
- Triggers
- Response plan
Obviously it is not feasible to attempt to identify all risks to a project – Maybe a plane will crash into your office. But it is important to be open minded at first, then revisit the list and narrow it down to the most important. Since risk has two components – probability and impact – you can proceed to eliminate risks that are too low in one or the other category.
In fact, an airplane crashing into your office might be a high impact event, but contain a probability so low that it isn’t a significant overall risk to the success of the project.
You might wonder about the value of risk registers on small projects, and I don’t disagree. But I believe good project management would require that risks are considered on some level, and hence the level of effort should simply scale down to the size of the project. Particularly for small projects they are likely to be similar to other projects and can have some sort of broader risk analysis applied.
Terminology
Any good description of the risk event will suffice, but the Project Management Institute provides a guideline for the risk description which is comprehensive and ensures you will have the basics covered.
- Event may occur, causing Impact.
- If Cause exists, Event may occur, leading to Effect.
Simply replace the bold words with your project specific details.
How to Identify Risks
There are many different techniques that can be used to identify project risks, including the following:
- Checklists
- Lessons Learned
- Subject Matter Experts
- Documentation Review
- SWOT Analysis
- Brainstorming
- Delphi Technique
- Assumptions Analysis
- Influence Diagrams
Checklists
This should be the starting point. You should have a checklist of common risks to your organization or type of project. If not, maybe it’s time to develop one, even if just for your own future use. The checklist will allow you to quickly realize which risks are the most important and in which circumstances they apply.
We have a checklist which can be a good starting point, but it is better to have a more specific one.
Lessons Learned
Only once have I encountered an organization that maintains a lessons learned database, but it is an amazing tool for them. It’s a highly visible record of problems encountered, mistakes made, and what the project manager should do differently in future projects. When you’re starting a new project and you spend a few minutes reading that, how can you go wrong?
Subject Matter Experts
There is essentially no substitute to having experts who know the subject matter advising you of the risks involved with the work. Often they are in other departments but their advice is second-to-none. If you have access to a subject matter expert you must use them. If you have subject matter experts available but far removed from you, it is imperative that you get their input if you can.
Documentation Review
Many project risks can be identified by reviewing the project’s technical details, backgrounds on the project team, and other data. This can involve researching previous, similar projects or even projects carried out by other organizations. For example, if you were attempting to land a rocket on a landing pad it might be advantageous to look into the results of others who have attempted this maneuver.
Particularly when there are unusual and/or unique aspects to the project, this can bring out some major risks that weren’t considered before. I mena, maybe your project doesn’t involve something as unique as landing a rocket on a landing pad, but you probably do have some unusual aspects that could or should be investigated for potential to go wrong.
SWOT Analysis
A Strengths-Weaknesses-Opportunities-Threats (SWOT) analysis will assist in drawing out the risks inherent in the project. The SWOT analysis is a 4-quadrant box that allows you to see the project from the perspective of the competitive environment with other industry players. In particular, the “Weaknesses” and “Threats” quadrants can help you to focus on the weak links where potential project derailments lie dormantly in wait of their moment.
Brainstorming
Brainstorming involves focusing on quantity over quality. You write everything on paper, and then come back later to narrow down the list. There should be no wrong answers.
This technique separates the generation of ideas from the analysis. You would be surprised how many are missed when you attempt to combine these two steps.
Delphi Technique
The Delphi Technique is a way to develop a concensus among knowledgeable participants. It involves querying the group anonymously, then sharing all of the answers anonymously with the whole group. Upon seeing the opinions of the others, they are allowed to revise their original opinions. After several rounds a consensus should emerge.
Assumptions Analysis
Every project contains certain underlying assumptions upon which its business case is built. Identifying these assumptions, and analyzing their reliability, can result in the identification of new risks.
Influence Diagrams
Drawing out a simple decision network for the major turning points within a project can yield the important risks.