The risk identification process deals with the prediction of future events whose probability of realization is not 100%.
None of us is a prophet and so the whole process relies on estimates – more or less accurate.
A significant factor in the process of identifying risks is the project’s uncertainty level, which affects the ability to identify and evaluate potential risks. There are known events, for which the odds and impact on the project are predictable since they have happened before. These are the known risks—the “known-knowns”, if you will. Then there are known events, for which the impact on the project cannot be predicted. These are the semi-known risks—or the “known-unknowns”. Finally, there are events that cannot be predicted at all, although this does not mean these events are not lurking just below the surface, waiting to appear suddenly. These are the unknown risks: the “unknown-unknowns” which represent the greatest threat to the project.
The process of risk identification must be thorough and all encompassing. Experts from a variety of disciplines should be asked to weigh in on the subject in order to ensure maximum possible coverage of all events that might pose a risk to the project. Identifying the risks is done using the project’s data, including the contracts and agreements under which it operates and the project plan’s documentation, which includes the project work plan, project scope, quality and control documents and any other project documents that already exist. It is highly advisable to employ risk lists from previous similar projects, too.
In order to ensure that maximum risks are identified – certainly those that threaten our goals, it is important to maintain a routine for identifying and updating risks in the project under our responsibility. It is equally important to involve relevant parties – from different disciplines in the process, to ensure “optimal coverage” of our areas of knowledge and forecasting.
Common methods for identifying risks include:
- Analyzing past scenarios and identifying indicators that may be valid in the present
- Learning from others inside and outside the organization
- Analyzing customer sensitivity and understanding customer value
- Active / proactive scanning of the organizational / business environment
- Scenario analysis in group discussions
And another interesting technique is called a “Pre-Mortem” (analysis before the death of the project).
A group of experts from different disciplines are asked to imagine that the project ended in failure, and that they are now performing a post-mortem on it in order to determine what caused its failure. As part of this process, participants are asked to come up with “what-if” scenarios involving significant project disasters and failures and then devise methods to avoid them.
This brainstorming process of envisioning the future then returning back in time stimulates changes in participants’ thought processes brought on by this “time travel” and contributes significantly to the identification of real risks facing the project.
Identified risks must be classified into categories so they can be tracked and reported. It is best if the category list is concise and shareable across many projects—a practice that will enable latitudinal comparison and study. A person should be assigned to track each risk category, so that every part of the risk list is always the focus of an appropriate managerial or professional entity, ensuring early detection of new risks and changes to existing risks as they occur.