Risk identification is an integral part of the risk management process in project management. According to the Project Management Body of Knowledge (PMBOK):
“Identifying risks is the process of determining which risks may affect the project and documenting their characteristics. The key benefit of this process is the documentation of existing risk, knowledge and the ability it provides to the project team to anticipate the events” (2004).
Risk identification allows the organization to address risks as they occur. This makes the organization more streamlined and efficient, as early risk identification leads to mitigation. Acceptable and well-timed risk identification is the responsibility of the owner of a project, because they are usually the first to take part in the project.
Some key questions regarding risks are:
- How are risks identified?
- When should risk identification occur?
- How often should the risk identification process occur?
- Who should be involved in the risk identification process?
- What is the main deliverable from risk identification?
Acceptable and timely risk identification is the responsibility of the owner of an organization because they are usually the first to take part in the project.
How are Risks Identified?
In order to identify risks the following methods and techniques can be used:
- Brainstorming: This method is best achieved when the approach is not structured (the random inputs are provided by the person conducting the session). Group members discuss and identify risks that will give them the chance to supplement each other's’ ideas. A team member should be identified to document the ideas that are discussed. It is best if the brainstorming sessions are structured in such a way that all group members will be able to participate.
- Interviews: These are a productive way to identify risk areas. Interviews can be conducted in a group setting and this can help to identify the risk on a project. During the interview questions are asked. Questions can also be restrictive due to the competency of the interviewer. Interviews can be done after a brainstorming session.
- Surveys: Lists of questions are developed to seek out risk in a particular area. One way that this method is limited is most people innately do not like to complete surveys and may not supply correct information.
- Checklist analyses: These analyses are usually lists of risks that have been found in similar areas and/or similar situations. However, this information should be compatible and pertinent to the current circumstances.
- Documentation review: This is the collection of information or data that has been recorded about a particular area. This information is a good basis for data that imparts knowledge to the organization regarding risks that are in an area that is relevant and applicable to the current position.
- Questionnaires: A risk questionnaire that includes a series of questions on both internal and external events can also be used effectively to identify risks. Questionnaires are valuable because they can help an organization to evaluate their own risks by providing a list of questions around certain risks.
- Strengths-Weaknesses-Opportunities-Threats (SWOT) analyses: Often used in the formulation of strategy; in order for SWOT analysis to be helpful in the risk identification process, a lot of time and effort has to be spent on evaluating the organization’s weaknesses and threats.
When Should Risk Identification Occur?
Risk identification should begin early in the project when uncertainty and risk exposure is greatest. Identifying risks early will allow the organization to take action when the risks are easier to address. Organizations who execute early responses often reduce cost as compared to addressing risks and issues later in the project. Project managers should continue to work with the project team throughout the course of the project to identify risks. It is impossible to identify all the risks in the beginning of a project.
How Often Should the Risk Identification Process Occur?
Risk identification should be conducted at the start of the project and should continue throughout the project life cycle. The reasoning for this is because new risks may develop or may arise while the project is continuing. The identification of risks should be documented and disclosed.
Who Should be Involved in the Risk Identification Process?
The participants in the risk identification process should include the following: the owner, the project team, risk management team, subject matter experts in other departments of the company, stakeholders as appropriate, clients, other project managers and external experts. For example, if identifying risks in connection with the opening of a new data center, the representatives of third party vendors should also be included in the risk identification process.
What is the main deliverable from risk identification?
According to PMBOK, “all risks should be captured in a risk register. The risk register is a list of risk related information including items such as; description of the risk, risk owner, category, probability risk rating, impact risk rating, risk score, and risk response plans” (2004). The risk register can be created in a tool such as an Excel spreadsheet, SharePoint, or a project management information system.
Risk identification is a critical part of project management because it will help the organization to address risks and develop strategies that will reduce them. Methods such as brainstorming, interviews and surveys provide a way for the organization to identify possible risks that may occur on a project. Risk identification is not an area of project planning that should be missed as it is one of the pivotal processes in risk management.