In the Risks Identification Process, we’ll develop the risk register, which is a comprehensive list of all threats and opportunities that might be encountered on the project.
The risk management plan is a key input to this process because it establishes the time and budget allocated to identification activities, and it also describes what activities will be used to uncover risks.
Risks identification should be done early in project planning because later risk processes rely on the risk register and risk decisions may impact the budget, schedule, and scope of the project.
Some identified risks may require immediate action.
The Risks Identification Process will recur throughout the entire project because:
- New risks may become evident only after project execution is underway.
- Approved project changes may introduce risks.
- Changes outside the project boundaries may introduce risk factors.
- Actions taken in response to occurring risks may themselves generate risks.
- Symptoms, risk causes, probability, and impact may not be as originally planned.
Proper risks identification requires a thorough understanding of the work being undertaken, and uncovering risks is a collaborative effort involving the project team, stakeholders, subject matter experts, and possibly consultants, vendors, and risk professionals.
The project manager should foster a project culture where everyone on the project is aware of risks and is on the lookout for them.
No one should feel hesitant about openly raising risk issues for fear that it'll be perceived as "bad news."
Risks Identification Process Decomposition
Risks Identification Process: Inputs
- Risk management plan:
The risk management plan defines the risk management activities for the project, and it establishes the risk methodology, risk roles and responsibilities, risk categories, probability and impact scales, risk tolerances, frequencies of risk management activities and reporting, and the budget and schedule for risk management activities.
- Activity cost estimates:
Activity cost estimates are a complete accounting of all component costs of a scheduled activity, such as labor, resources, services, fees, and licenses. The reliability of these estimates can be a source of project risks.
- Activity duration estimates:
Activity duration estimates are the work periods required to complete a scheduled activity.
Since there are many factors that influence duration, including resource availability, duration estimates can be a source of project risks.
- Scope baseline:
The scope baseline is the approved project scope statement, WBS, and WBS dictionary.
The scope includes explicit and implicit assumptions (which are risks) and constraints, which are also risks. The scope can also highlight risk elements due to project complexity.
- Stakeholder register:
The stakeholder register identifies all project stakeholders and contains attributes such as the person's name, title, position, project interest, expectations, and influence. Stakeholders should participate in the risks identification process, and their interests and expectations may also be risk factors.
- Cost management plan:
The cost management plan is a part of the project management plan, and it establishes how project costs will be planned for, estimated, organized, reported on, forecasted, and managed. The plan’s approach to cost management may increase or decrease project risk factors.
- Schedule management plan:
Part of the project management plan, the schedule management plan details how the project schedule will be managed and controlled. The plan’s approach may increase or decrease project risk factors.
- Quality management plan:
The quality management plan is a component of the project management plan.
The quality management plan details the quality policy of the project, including how the project management team will address quality assurance, quality control, and continuous improvement for the project. The plan’s approach may increase or decrease project risk factors.
- Project documents:
Project documents outside of the project management plan can be used to uncover risk elements.
- Enterprise environmental factors:
Commercial databases, checklists, benchmarking, and industry-specific articles may help uncover risk elements.
- Organizational process assets:
Lessons learned, risks identification templates, and historical project information may help the risks identification process.
Risks Identification Process: Tools and Techniques
- Documentation reviews:
A review of project documentation can expose constraints, assumptions or incomplete documentation that can be sources of risks.
- Information gathering techniques:
Risks can be identified through any combination of information gathering techniques, such as brainstorming, interviewing, SWOT analysis, root cause identification, and the Delphi technique.
- Checklist analysis:
Risk checklists from previous projects can be used to assist in the risks identification process, or risk checklists can be established. Checklists used should be reviewed and improved upon so that they're useful for later projects.
- Assumptions analysis:
Assumptions analysis reviews the validity and soundness of assumptions since assumptions are always a source of risk.
- Diagramming techniques:
Diagrams can help the risks identification process by exposing relationships or by delving into the root causes of risks. Risk diagramming techniques include cause-and-effect diagrams, flowcharts, and influence diagrams.
- SWOT analysis:
SWOT analysis involves the review and analysis of group discussions on strengths, weaknesses, opportunities, and threats for project objectives.
- Expert judgment:
Expert judgment is based on the experience and knowledge of subject matter experts.
Risks Identification Process: Outputs
- Risk register:
The risk register, a component of the project management plan, is a comprehensive list of all threats and opportunities the project faces. It also contains supplementary data about each risk, including its impact, probability, risk response, budget, risk owner, and contingency and fallback plans.
Risks Identification Sources
The Risks Identification Process is best started by looking at a few key project documents and factors.
Project Scope Baseline
The project scope statement, work breakdown structure, and WBS dictionary are the best places to begin looking for risks since these documents thoroughly explain the project work and identify constraints and assumptions.
Anywhere we find a constraint, we should consider it a risk factor since it limits the project's options, usually time, cost, or technology.
For instance, a constraint that requires a specific technology to be used could introduce risks.
Constraints are risk factors only as long as the constraint is in effect, so once the project successfully fulfills the objective within the constraint (or the constraint is removed) then the risk factor no longer exists.
Though every project is unique, some are more so than others, and the scope statement can also illuminate risks due to unconventional approaches, complexity, or technical elements.
Projects using unproven methods, techniques, personnel, or technology have added risks that need to be subjected to further analysis.
The activity list, activity attributes, activity resource estimates, and activity duration estimates are useful for the risks identification process.
Risks can be embedded in the technical components of activities, the relationships between activities, their resource needs, or in the duration allotted to the activities.
Project Management Plan
Risks can also be found in the project management plan and its components.
Risk factors can be embedded in any of the management plans (scope, schedule, cost, quality, human resources, communications, or procurement), as well as the risk management plan itself.
The integrative aspects of the component plans and the interplay between time, cost, quality, and scope can generate elements of risk.
In particular, the following subcomponents should be well understood and scrutinized for risk elements:
- Scope baseline.
- Cost management plan.
- Schedule management plan.
- Quality management plan.
- Procurement management plan.
Risk factors can be found in other sets of project documents:
- Earned value measurements can expose early signs of risks related to cost or schedule performance.
- Network diagrams can show risks related to activity dependencies and resource contention.
- Project baselines, like scope, schedule, cost, and quality, can be a risk source when the baseline is too restrictive or aggressive.
- Work performance information should be regularly monitored for signs of risks related to schedule, budget, and quality.
- The issue log should be monitored since it may contain problems that are early signs of risks.
- The change log can also give clues to risks when it is reviewed for the types of changes being requested.
Enterprise Environmental Factors
Benchmarking, white papers, commercial databases, or academic studies relating to the project subject matter can expose risk factors.
Factors within the organization can also be risk elements, including its culture, portfolio management practices, organizational hierarchy, and reporting structures.
Even the personalities of the stakeholders and the project team members or their interrelationships can lead to threats or opportunities.
Organizational Process Assets
Lessons learned from similar projects can be valuable sources for the risks identification process, and there may be risk checklists available that can serve as reminders so that risk factors are not overlooked.
Risks Identification Methods
Risks can be uncovered using a variety of tools and methods:
- Information gathering techniques
- Documentation reviews
- Assumptions analysis
- Checklist analysis
- SWOT analysis
- Diagramming techniques
Information Gathering Techniques:
Brainstorming sessions with a mix of diverse and experienced people are critical to finding risks.
Risk discussions are best when they include a mix of participants with different backgrounds, experiences, and skills.
For the risks identification process, the facilitator will want to encourage participants to think broadly about risks and not focus too narrowly only on what is commonly perceived as "risk."
A short introduction to project risk management may be necessary for the project team.
The facilitator can also use specific project objectives and well-worded, leading questions as starting points like "what events might keep us from reaching this goal?" Prompt-driven questions are good for not only uncovering risks but identifying causes and impacts.
Some of the best ways to identify risks are listening and asking good questions of people with knowledge in the project's subject areas.
Interviewing can be as simple as talking with someone via e-mail, over lunch, or through a structured, sit-down meeting in his or her office.
In whatever manner it takes place, the interviewer should be well prepared about the subjects involved and ask open-ended and focused questions.
Yes or no answers are generally not helpful, and conversely if the questions are too broad, the interviewee may not be able to provide specific enough answers regarding risks.
Surveys, such as the Delphi technique, can be used to gather risk information from subject matter experts.
The Delphi technique does this anonymously so that the results can be analyzed by a third party without any bias as to the source of the opinion.
The tabulated results can then be used to reach a consensus on project risks.
Root cause analysis:
Root cause analysis uses techniques that work to identify and solve the underlying causes of an issue.
Documentation reviews:
A review of project documents can expose additional risks.
A documentation review looks for incomplete, missing, or out-of-date documents, which implies a lack of integrative project management.
Document reviews might also uncover assumptions and constraints that were not explicitly identified in the project scope statement.
Assumptions analysis:
Assumptions anywhere in the project are risk elements because they are unproven.
Assumptions can be explicit, such as those identified in the scope statement, or they may only be indirectly indicated in other project documents.
To make it easier to track and update assumptions, they can be documented in an assumptions log.
Assumptions are always used with the best of intentions; however, until the assumption is proven otherwise, it's still an uncertainty and all uncertainties are risk factors.
The reliability of assumptions should be tested through assumptions analysis, which reviews the reliability of each assumption, what consequences will occur if the assumption turns out to be inaccurate, and what risk factors are generated by the assumption.
Assumptions that are not likely to hold up or are clearly erroneous should be diverted back to the appropriate project management process for replanning rather than trying to manage the assumption as a risk.
Checklist analysis:
Checklists can be developed based on the risk categories (used in the risk breakdown structure) or from similar projects.
As these checklists are reviewed throughout the project, they should be improved upon so that they’re beneficial to subsequent projects.
The PMBOK refers to this as checklist analysis.
SWOT analysis:
SWOT is credited to Albert Humphrey, who led a research study to find out the reasons why corporate planning failed.
SWOT is a strategic planning tool based on brainstorming that identifies strengths, weaknesses, opportunities, and threats related to an objective.
SWOT results are subjected to additional reviews and converted into action items through SWOT analysis.
SWOT is best performed in a diverse team setting with one clearly stated project objective being discussed at a time.
Participants then identify factors affecting the objective and write them in the corresponding quadrant on the grid.
- Strengths: Positive attributes or elements within the performing organization that will help the project reach the objective.
- Weaknesses: Negative attributes or elements within the performing organization that can inhibit the project from reaching the objective.
- Opportunities: Positive attributes or elements outside the performing organization that will help the project reach the objective.
- Threats: Negative attributes or elements outside the performing organization that can inhibit the project from reaching the objective.
During the SWOT brainstorming session, the participants shouldn't overanalyze their responses, especially as they might find that a strength for one objective may turn up again later as a weakness for another goal.
After SWOT items have been gathered, each one needs to be subjected to further questioning and converted into identified risks: how strengths and opportunities can be exploited and how weaknesses and threats can be avoided or mitigated.
Diagramming techniques:
Diagramming techniques can include flowcharts, cause-and-effect diagrams, and influence diagrams.
Diagramming techniques can aid in the risks identification process for the same reasons that they're used as part of quality control (process 8.3): they can highlight relationships and dependencies between project factors that might generate risks, and diagrams can help to identify the root causes of risks.
A flowchart graphically illustrates the steps, sequences, and decision points in a process. It can identify contention points or relationships in the process that could generate risks.
A cause and effect diagram shows what root causes can be contributing to an issue or problem. It's also known as a fishbone diagram or an Ishikawa diagram.
An influence diagram is a visual representation of a decision.
Influence diagrams offer a way to identify and display the essential elements, including decisions, uncertainties, and objectives, and how they influence each other.
Unlike flowcharts, influence diagrams do not show paths in any sequential order.
The risk register is an important component of the project management plan.
The risk register is a complete and running list of project risks, and it's an input to all risk processes.
The information about each risk will also be expanded upon in later processes.
The full contents of the risk register are described below along with the risk processes where each element is most likely to be collected:
Risk register – alternate views: As the risk register gets completed, it can provide several alternative views by being reorganized, resorted, or summarized.
Watchlist: Low priority risks should be regularly monitored to make sure they are not occurring and that their probability, impact, or priority hasn't changed.
Prioritized risks: Qualitative analysis identifies which risks are the highest priority and should receive detailed risk management efforts.
Urgent risks: Risk processes may uncover risks that are already underway or which are imminent.
Urgent risks need immediate planning and action.
Trends and common factors: Risk categories, root causes, and impacts may expose trends that can make for more efficient risk response planning or risk monitoring.
Probabilities: Risk scores can be aggregated and analyzed at the objective, deliverable, or project level to predict how likely it is that the project will reach its objectives. An overall risk level for the project can also be tabulated.