There are two types of project risk: known risks and unknown risks.
As you might imagine, the purpose of formal risk identification is to hypothesize as many known risks as possible.
This is because there are significant consequences for how we treat them.
Known risks can be either treated directly or have contingent responses created for them.
All we can do for unknown risks is allocate a general reserve of time and money and hope for the best!
Back in the initiation phase, we started considering project risks, although these were largely at the organizational level.
For example, we looked at the risks of market acceptance, technical capacity, legal and economic risks, as well as the risks of proceeding with different alternatives.
At the project level, the risks we are likely to encounter include:
And that doesn’t even begin to consider the innumerable technical risks of our unique project endeavor!
Risks can be identified by performing a historical review of past projects, engaging stakeholders with relevant expertise in the project under consideration, and applying a wide range of creativity techniques to encourage team members to hypothesize likely risk scenarios.
The knowledge and skills for doing this were covered in the last Module, so I would encourage you to review the relevant presentations.
Regardless of the process followed, though, it is essential that project risks are unambiguously described.
This ensures that team members and stakeholders can easily see the relevance of the risk to the project.
For that reason, we often detail each risk using a three-part statement: cause – risk – effect.
In other words, ‘If X occurs, then Y will happen, which will have Z impact on the project.’
Therefore, the risk identification process can be reduced to three simple questions:
From this starting point, we can further brainstorm some variations using the mind-mapping method.
For example, what else could damage the equipment? It could get dropped.
What else could delay the project by one day? A key team member could fall ill.
And so on…
Ultimately, successful risk identification depends on the following key factors.
Early identification
As we saw in the last Module, even though uncertainty is greatest at the start of the project, the cost of making changes is relatively low, so the earlier you begin the risk identification and management process, the better.
Iterative identification
Since not all risks can be identified at the start of the project, risk identification must continue throughout the project lifecycle.
This should be programmed periodically at key milestones or when significant change occurs.
Emergent identification
Risk identification should not be limited to formal events or scheduled reviews – the risk management process should allow for risk identification and escalation at any time in the life of a project.
Comprehensive identification
A broad range of sources of risk should be considered to ensure that as many uncertainties as possible are identified.
Explicit identification of opportunities
Don’t waste all your time and effort chasing negative risks – use the investigative, analytical, and creative processes to identify opportunities too!
For example, limited access to resources may encourage innovative ways to achieve project objectives.
Multiple perspectives
Engage as many stakeholders as possible in the risk identification process, including risk and subject matter experts.
Limiting risk identification to the project team is unlikely to expose all foreseeable risks.
Risk ownership
Each risk should be assigned, as soon as possible, to an owner with clear accountability and responsibility for its management.
Objectivity
All human activities are susceptible to bias, especially when dealing with uncertainty, even if the bias is unintentional.
Therefore, the assumptions that underlie the risks identified should be challenged, allowing for an open and honest identification of each potential issue.