The first step in a good risk management plan is the identification of risks. The other phases of project risk management are built on this foundation. It involves developing a list of the potential risks to a project, which is called a Risk Register.
A good risk register might have the following six columns:
- Name/Description of risk
- Response plan
Obviously it is not feasible to attempt to identify all risks to a project – Maybe a plane will crash into your office. But it is important to be open minded at first, then revisit the list and narrow it down to the most important.
Risk has two components, probability and impact. The risk level of an event is defined as the product on the two.
- Risk = Probability x Impact
In fact, an airplane crashing into your office might be a high impact event, but contain a probability so low that it isn’t a significant overall risk to the success of the project. However, if you were in charge of building a navigation tower near the runway, the probability increases significantly, maybe even enough to prompt you to take mitigative actions.
Any good description of the risk event will suffice, but the Project Management Institute provides a guideline for the risk description which is comprehensive and ensures you will have the basics covered.
- Event may occur, causing Impact.
- If Cause exists, Event may occur, leading to Effect.
Simply replace the bold words with your project specific details.
How to Identify Risks
There are many different techniques that can be used to identify project risks, including the following:
- Lessons Learned
- Subject Matter Experts
- Documentation Review
- SWOT Analysis
- Delphi Technique
- Assumptions Analysis
- Influence Diagrams
This should be the starting point. You should have a checklist of common risks to your organization or type of project. If not, maybe it’s time to develop one, even if just for your own future use. The checklist will allow you to quickly realize which risks are the most important and in which circumstances they apply.
We have a checklist which can be a good starting point, but it is better to have a more specific one.
Only once have I encountered an organization that maintains a lessons learned database, but it is an amazing tool for them. It’s a highly visible record of problems encountered, mistakes made, and what the project manager should do differently in future projects. When you’re starting a new project and you spend a few minutes reading that, how can your project go wrong?
Subject Matter Experts
There is essentially no substitute to having experts who know the subject matter advising you of the risks involved with the work. Often they are in other departments but their advice is second-to-none. If you have access to a subject matter expert you must use them. If you have subject matter experts available but far removed from you, it is imperative that you get their input if you can.
Many project risks can be identified by reviewing the project’s technical details, backgrounds on the project team, and other data. This can involve researching previous, similar projects or even projects carried out by other organizations. For example, if you were attempting to land a rocket on a landing pad it might be advantageous to look into the results of others who have attempted this maneuver.
Particularly when there are unusual and/or unique aspects to the project, this can bring out some major risks that weren’t considered before. I mean, maybe your project doesn’t involve something as unique as landing a rocket on a landing pad, but you probably do have some unusual aspects that could or should be investigated for its potential to go wrong.
A Strengths-Weaknesses-Opportunities-Threats (SWOT) analysis will assist in drawing out the risks inherent in the project. The SWOT analysis is a 4-quadrant box that allows you to see the project from the perspective of the competitive environment with other industry players. In particular, the “Weaknesses” and “Threats” quadrants can help you to focus on the weak links where potential project derailments lie dormantly in wait of their moment.
Brainstorming focuses on quantity over quality. You write everything down, and then come back later to narrow down the list. There are no wrong answers, only low priority items that get crossed off later.
This technique separates the generation of ideas from the analysis. You would be surprised how many are missed when you attempt to combine these two steps.
The Delphi Technique is a way to develop a consensus among knowledgeable participants. It involves querying the group anonymously, then sharing all of the answers anonymously with the whole group. Upon seeing the opinions of the others, they are allowed to revise their original opinions. After several rounds a consensus should emerge.
Every project contains certain underlying assumptions upon which its business case is built. Identifying these assumptions, and analyzing their reliability, can result in the identification of new risks.
Drawing out a simple decision network for the major turning points within a project can yield the important risks.
Risk Management on Small Projects
You might wonder about the value of risk registers on small projects, and I don’t disagree. They require a minimum project size. But I believe that risk management always presents roughly the same value relative to the project value. If project managers on large megaprojects spend time on risk management, then the same value must be present if a proportionately smaller time is spent on smaller projects.
Megaprojects actually have entire teams dedicated to risk management. The Project Management Institute certifies Risk Management Professionals (PMI-RMP) for these jobs.
One could also produce a risk register for a certain type of project (rather than an individual one) since most companies have a significant amount of overlap in their projects.