David Hillson on Risk Identification

The following is a guest post by David Hillson, Ph.D., PMP, FAPM, FIRM of Risk Doctor & Partners, who contributed the essay “Risk Management in Practice” to The AMA Handbook of Project Management, Third Edition, edited by Paul Dinsmore, PMP and Jeannette Cabanis-Brewin.

Identifying Risk

Because it is not possible to manage a risk that has not first been identified, some view this initial step as the most important in the risk process. Many good techniques are available for risk identification, the most common of which include:
- Use of brainstorming in a workshop setting, perhaps structured into a SWOT Analysis to identify organizational strengths/weaknesses and project opportunities/threats
- Checklists or prompt lists to capture learning from previous risk assessments
- Detailed analysis of project assumptions and constraints to expose those that are most risky
- Interviews with key project stakeholders to gain their perspective on possible risks facing the project
- Review of completed similar projects to identify common risks and effective responses.

For each of these techniques, it is important to involve the right people with the necessary perspective and experience to identify risks facing the project. In addition, use a combination of risk identification techniques rather than relying on just one approach – for example, perhaps using a creative group technique, such as brainstorming, together with a checklist based on past similar projects. The project manager should select appropriate techniques based on the risk challenge faced by the project, as defined in the Risk Management Plan.

Another good idea is to consider immediate “candidate” responses during the risk identification phase. Sometimes an appropriate response becomes clear as soon as the risk is identified, and in such cases it might be advisable to tackle the risk immediately if possible, as long as the proposed response is cost effective and feasible.

Whichever technique is used, it is important to remember that the aim of risk identification is to identify risks. While this may sound self-evident, in fact this step in the risk management process often exposes things that are not risks, including problems, issues, or complaints. The most common mistake is to identify causes of risks or the effects of risks, and to confuse these with risks.

Causes are definite events or sets of circumstances which exist in the project or its environment, and which give rise to uncertainty. Examples include the requirement to implement the project in a developing country, the need to use an unproven new technology, the lack of skilled personnel, or the fact that the organization has never done a similar project before. Causes themselves are not uncertain because they are facts or requirements, so they are not the main focus of the risk management process. However, tackling a cause can avoid or mitigate a threat or allow an opportunity to be exploited.

Risks are uncertainties that, if they occur, would affect the project objectives either negatively (threats) or positively (opportunities). Examples include the possibility that planned productivity targets might not be met, that interest or exchange rates might fluctuate significantly, that client expectations may be misunderstood, or that a contractor might deliver earlier than planned. These uncertainties should be managed proactively through the risk management process.

Effects are unplanned variations from project objectives, either positive or negative, which would arise as a result of risks occurring. Examples include being early for a milestone, exceeding the authorized budget, or failing to meet contractually agreed performance targets. Effects are contingent events, unplanned potential future variations that will not occur unless risks happen. As effects do not yet exist, and indeed they may never exist, they cannot be managed directly through the risk management process.

Including causes or effects in the list of identified risks can obscure genuine risks, which may then not receive the attention they deserve. One way to clearly separate risks from their causes and effects is to use risk metalanguage (a formal description with required elements) to provide a three-part structured “risk statement” as follows: “As a result of (definite cause), (uncertain event) may occur, which would lead to (effect on objective(s)).” Examples include the following:

“As a result of using novel hardware (a definite requirement), unexpected system integration errors may occur (an uncertain risk) that would lead to overspend on the project (an effect on the budget objective).”

“Because our organization has never done a project like this before (fact = cause), we might misunderstand the customer’s requirement (uncertainty = risk), and our solution would not meet the performance criteria (contingent possibility = effect on objective).”

“We have to outsource production (cause); we may be able to learn new practices from our selected partner (risk), leading to increased productivity and profitability (effect).”

The use of risk metalanguage should ensure that risk identification actually identifies risks, distinct from causes or effects. Without this discipline, risk identification can produce a mixed list containing risks and nonrisks, leading to confusion and distraction later in the risk process.

Finally, the risk identification step of the risk process is where the Risk Register is launched, to document identified risks and their characteristics. Where software tools are used to support the risk process, those usually offer a Risk Register format, though some organizations develop their own. The Risk Register is updated following each of the subsequent steps in the risk process, to capture and communicate risk information and allow appropriate analysis and action to be undertaken.

David Hillson, Ph.D., PMP, FAPM, FIRM of Risk Doctor & Partners contributed the essay “Risk Management in Practice” to The AMA Handbook of Project Management, Third Edition, edited by Paul Dinsmore, PMP and Jeannette Cabanis-Brewin. He is an international consultant and trainer, frequent author on risk management, and regular conference speaker on risk management.

Paul C. Dinsmore, PMP is an international authority on project management and organizational change. He has been honored with PMI’s Distinguished Contributions Award, and is a Fellow of the Institute.

Jeannette Cabanis-Brewin, editor-in-chief for Project Management Solutions, Inc., and principal of WordSource, LLC, has written about project management for over fifteen years. In 2007, PMI honored her with a Distinguished Contributions Award.

Tomorrow’s guest post on Budget Problems is by Tom Kendrick, author of 101 Project Management Problems and How to Solve Them.


One response to “David Hillson on Risk Identification”

  1. ernest patino

    good article, to the point with examples.
