So, lets get started!!!
Risks are identified by using the risk identification process. An unidentified risk is a danger lurking out of your sight and waiting to attack the project. The significance of the risk identification process cannot be explained enough. Organizations have whole departments whose sole purpose is to identify and mitigate risks. I guess, this is enough to quantify how important risk management is to large organizations. Similarly, from the perspective of running a project as a project manager too, risk management is extremely important and to do that effectively, first you need to identify those risks.
You use the risk identification process to accomplish the following tasks:
• Identify which risks might affect the project at hand
• Document the characteristics of the identified risks in a document called the risk register
As with all process, the risk identification process too has a set of inputs, uses some tools & techniques and produces an output. It is explained in the picture below:
Input to Risk Identification
The risk management plan and the project scope baseline are obvious inputs to identifying risks. As in many other processes, the enterprise environmental factors and organizational process assets relevant to the project at hand must also be considered. The following are all the inputs that need to be considered in the risk identification process.
Project scope baseline - Assumptions in the project scope statement, an element of the scope baseline, are potential sources of uncertainty, hence the risk. Constraints pose a risk by presenting predetermined factors, such as hard deadlines and fixed costs, thereby posing questions such as, “What is the probability that we can meet this constraint with the available resources?”
The WBS, another component of the scope baseline, can be used to recognize risks at different levels of the WBS hierarchy.
Management plans - In the process of identifying risks, you need to look at the cost management plan, schedule management plan, risk management plan, and quality management plan. The approach that any of these plans takes may pose some risks of its own or may enhance some other risks. The key items from the risk management plan useful for risk identification are risk categories, roles and responsibilities, and the budget and timing available for the risk management activities.
Cost and duration estimates - Estimates such as activity cost estimates and activity duration estimates by definition have a degree of uncertainty built into them. They should be looked at carefully to identify the potential risks hiding behind this uncertainty.
Stakeholder register - If you look at the stakeholder register, you might find some stakeholders who can give useful input to identifying risks.
Enterprise environmental factors - The environmental factors internal or external to the performing organization that can influence the project must be considered in the risk identification process. This might include academic and industry studies, published information, benchmarking, and commercial databases.
Organizational process assets - This might include information from previous projects including lessons learned, process controls, and risk-related templates.
Tools and Techniques for Risk Identification
Risk identification is crucial to risk management. If you fail to identify a risk, you will not be able to manage it. Having all these inputs is fine, but the key to the whole process is to identify the risks properly. The tools and techniques we use in this process are:
Assumptions analysis - Assumptions in the project scope statement represent uncertainty. You analyze these assumptions to identify the risks. Assumptions analysis is the technique used to examine the validity of the assumptions and thereby to identify the risks resulting from the inaccuracies, inconsistencies, or incompleteness of each assumption. For example, suppose there is only one person in the organization who has a rare skill needed for the project. An obvious assumption would be that the person will not quit the organization before completing the Project. Ignoring this fact constitutes a potential risk.
Checklist analysis - The carefully prepared checklists in any process are great no-brainer timesavers. Projects in the same organization will more often than not have similarities. As a result, you can develop a risk identification checklist based on the information gathered from a similar set of projects previously performed. Also, if you developed the risk breakdown structure (RBS) in risk planning, the lowest level of the RBS can be used as a checklist.
Diagramming techniques - These techniques use diagrams to identify risks by exposing and exploring the risks’ causes. Here are a few examples:
• Cause-and-effect diagram - A cause-and-effect diagram illustrates how various factors (causes) can be linked to potential problems (effects).
• Flowchart diagram - A flowchart depicts how the elements of a system are related to each other and shows the logical flow of a process. By examining the flowchart of a process, the risk management team can identify points of potential problems in the flowchart diagram.
• Influence diagram - An influence diagram is a graphical representation of situations that shows relationships among various variables and outcomes, such as causal influences and time-ordering of events. By examining these diagrams, the risk management team can recognize potential problem areas and thereby identify risks.
Documentation reviews - A structured review of the relevant parts of input documents, such as the project scope statement and the project management plan, will definitely help in identifying risks. Furthermore, the knowledge base related to risk management from previous projects can also be used/reviewed.
Information-gathering techniques - To identify risks, you need to gather risk related information. Following are some of the information gathering techniques used in risk identification:
• Brainstorming - The goal here is to get a comprehensive list of potential risks so that no risk goes unidentified. The project team, along with relevant experts from different disciplines, can participate in the brainstorming session. Brainstorming is better performed under the guidance of a facilitator or a moderator. You can use the categories of risks or the RBS as a framework to keep the session focused on the issue.
• Delphi technique - The goal here is for experts to reach a consensus without biases toward each other. I’m sure you will have no problem recalling a time when a decision was made because somebody (usually higher in the management hierarchy) said so. Contrary to this, the Delphi technique is used to ensure that it is the quality of the information and the argument that are important, not who is saying them. It is more or less like a democracy wherein a person putting forth an argument has to convince everyone rather than expect them to nod their heads because he/she is the boss. A facilitator circulates a questionnaire among the experts to solicit ideas about the risks of the given project. The experts respond anonymously. The responses are compiled and circulated among the participating experts for further evaluation without attaching a name to a response. It might take a few iterations before a general consensus is reached.
• Interviewing - This is one of the common methods used for information gathering for risk identification. You interview the appropriate stakeholders and subject-matter experts to gather information that will help identify risks for the project at hand.
• Root cause identification - A powerful way to identify risk is to look for anything in the project that might generate a risk. In other words, if you can spot a potential cause for risks, it’s simple to identify the risks resulting from that cause. Furthermore, if you know the cause of a risk, it helps to plan an effective response. You can also look for risks at the opposite side of causes that is, impacts.
• SWOT analysis - While root cause identification techniques look into the causes of risks to identify risks, a SWOT analysis looks at the potential impacts of risks to identify risks. If you examine the strengths, weaknesses, opportunities, and threats (SWOT) of a given project, you will be exposing the risks involved. Remember that a strength is an opportunity, a weakness is a threat, and opportunities and threats are posed by risks. This helps broaden the spectrum of risks considered. For example, a strength of your project might be that most of its parts are well understood from previously executed similar projects. Therefore, the risks involved in those parts will be easy to identify. A weakness of your project might be that one of the parts involves new technology that is not well-tested. So, this is a source of unknown risks. An opportunity might be that your organization will be the first one to take this product to market. An example of a threat might be that the government is considering a bill that, if it becomes a law, will have profound implications for your project.
Of course, you can always use the judgment of experts on the topic. You will generally be using more than one of these tools and techniques to identify risks. During risk identification, you might discover the causes of the risks, and you might even think of some potential risk responses. All this is part of the output of the risk identification process.
The Output of Risk Identification - The Risk Register
The risk register is a document that contains the output of the risk identification process. The risk register will be constantly updated with a lot of information from other risk management processes. To begin, you store the following information from the risk identification process in the risk register:
• List of identified risks - These are the risks that you identified in the risk identification process. These risks should be described in reasonable detail, which may include the following:
o The risks - The definition and nature of each risk and the causes that will give rise to the risk.• List of potential responses - Risk response planning is a separate process that is performed after risk analysis. However, during risk identification, you might identify potential risk responses that you must document in the risk register. These responses can be further examined and planned in the risk response planning process.
o List of the root causes of the risks - This is a list of events or conditions that might give rise to the identified risks.
o Updates to risk categories - Risks categories were originally identified in the risk management planning process. However, in the process of identifying risks, you might discover new categories or modify existing categories. The updated risk categories must be included in the risk register.
The results of the risk identification process usually lead to qualitative risk analysis. However, depending upon the project and the experience of the risk management team, risk identification might lead directly to quantitative risk analysis and even to risk response planning.
Prev: Planning Risk Management
Next: Analyzing Risks