Project Risk Identification
Identifying and assessing risk are essential components of project management. Risk identification needs to begin as early in the project as is possible and should include, at the very minimum, the project manager, project team members and key stakeholders. Ideally, if the project is part of a larger portfolio of, for example, technology projects, then the technology project portfolio manager would also be present during the initial phases of the project risk identification process. The portfolio manager can provide insight into the overall relationship between the organization’s various projects, and identify risks or impacts associated with other projects within the portfolio. This level of participation also ensures consistency of approach to risk identification, management and mitigation across the organization.
Project risk identification and management is an iterative process, to be undertaken regularly. Risks need to be clearly defined and documented. Otherwise, the precise nature of the risk cannot be understood, making mitigation and control difficult. The following are examples of a clearly defined risk:
- Market Risk – insufficient demand for product. If market penetration is 40% less than anticipated, then funding for phase 2 will not be available.
- Legal Risk – land title not properly researched.
- Acquisition Risk – failure of equipment to be delivered to site on time.
- Security Risk – IT infrastructure vulnerable to attack due to aging software infrastructure
- Budget Risk – likely cost overages due to significant fluctuations in materials cost.
There are many methods for identifying risk in a project. This list is not intended to be exhaustive, but simply to provide an overview of the most popular approaches to risk. All risks identified should be documented on the project risk register.
- Lessons Learned – using lessons learns from previous projects as input into the current project risk identification and assessment process is an excellent starting point. Often projects are similar enough in circumstance that many of the risks pertinent to one project will apply to another.
The accuracy of lessons learned documentation is normally quite high, and is often quite detailed.
- Brainstorming –brainstorming is neither the most thorough nor efficient technique for risk identification. However, most project managers and team members are familiar with the process, as it is generic enough to be utilized in most problem solving situations. Brainstorming involves team members freely sharing ideas relating to one particular topic. In a risk identification session, this might entail the project manager or brainstorming facilitator to ask, for example “what are the risks associated with deploying this product?” Results are usually documented for later prioritization and review by the project manager.
- Crawford Slip – the Crawford slip is a technique for collecting risk identification data. The advantage of this method is the large amount of data that can be collected from various sources in a relatively short amount of time. The process is also anonymous, freeing participants to provide genuine answers without fear or prejudice.
The process involves team members documenting responses on to a particular question or premise. All participants respond to the same question or premise 10 times (many project managers will shorten this to 5) in order to extract the greatest amount of information. Results are then collated, either by the team as a whole (as part of an impact assessment strategy) or separately by the project manager.
- Delphi Technique – the Delphi technique of risk identification relies on experts to provide information on projects risks. The technique essentially involves a question, answer and follow-up process, enabling the project manager to refine the expert responses and minimize disagreement between the different project experts. Key to this process is both the identification of the experts and the definition of the questions to be posed to the experts. Once the questions have been formulated, they are sent to each individual expert for response. The role of the project manager is to identify the commonalities and specific concerns of each expert. The expert responses are reformulated and sent again to each of the experts for comment.
There are dozens of other techniques and tools for use in project risk identification, each with its own strengths and weaknesses. It is important to investigate the different risk identification tools and techniques, as many are best suited to use in particular situations or for identifying a particular type of risk.
Once project risks have been identified, the next step is risk impact and probability assessment, which defines how cost, time, quality and scope are affected by the risk, should it be realized.