How many times have you forgotten a whole category of risks on your project? I have long advocated the use of a standard list of risk categories (high-level areas of risk such as technology changes or cultural issues) to make sure areas of risk are not forgotten.
Risk categories are lists of common areas or sources of risk experienced by the company, or on similar projects. The categories help analyze and identify risks on each project.
Companies and project management offices should have standard lists of risk categories that all projects can use to help identify risks. Those leading risk identification should make sure that each category is considered when looking for risks.
There are many ways to classify or categorize risk such as:
A better way is based on specific categories of risk that may occur on your company’s projects. My risk research shows over 300 potential categories of risk.
Another way is to categorize risks by source; “Where do risks come from?” as shown below:
Expect the phrases “sources of risk” and “risk categories” to be used interchangeably on the exam. They can be organized in an organizational chart or WBS-like format called a risk breakdown structure.
This is where risks are identified. Any risks missed here may be harder to deal with later in the project. This effort should involve all stakeholders and might even involve literature reviews, research and talking to non-stakeholders.
Sometimes the core team will begin the process and then the other members will become involved, making risk identification an iterative process.
When you get a question about who should be involved in risk identification, the best answer is everyone! Everyone has a different perspective of the project. Take off your blinders and look beyond what you are used to.
Smart project managers begin looking for risks as soon as a project is first discussed. However, the major risk identification effort occurs during planning. Risk identification cannot be completed until a project scope statement and WBS have been created and the project team knows “what is the project.” The sponsor may supply a list of risks in the preliminary project scope statement.
Because risk identification can occur during the initiating and planning process groups, the exam has often said that risk identification happens at the onset of the project. Risks may also be identified during any part of the project.
The exam will specifically look for you to include risk identification during such activities as project changes, when working with resources, and dealing with project issues.
The PMBOK® Guide does not go into detail here and neither will the exam. The exam is likely to weight the questions toward project executing and project monitoring and controlling-related questions on risk. Therefore, details of risk identification are not explained in this section. It does include:
What is and what is not included in the preliminary project scope statement, the project charter and later documents can help identify risks. Lessons learned, articles and other documents can also help uncover risks. This used to be a trick for risk management and now has become standard practice. Think about how valuable this would be in your real world.
Information Gathering Techniques
You should know there are many ways to identify risks and that risk identification can be an art form. Luckily, you need not be a risk identification expert to pass the exam.
Keep it simple and just know the following!
These can be classified under two main types:
Pure (Insurable) Risk Only a risk of loss (e.g., fire, theft, personal injury)
The checklist of risk categories was previously described in risk management planning. One does not just go down the checklist asking “Do we have this type of risk?” Actual risks should be more specific and detailed than those in the checklist.
Risks are identified using one of the techniques previously described. The checklist is then used to make sure the risk identification process has addressed all the categories of risk.
Analyzing what assumptions have been made on the project and if they are valid, for the purpose of identifying more risks.
There are many tools described in the Quality lesson that help one analyze the root causes of issues. These include cause and effect diagrams and flowcharts. When used as part of risk identification, they help identify additional risks.
Outputs of PMP Risk Identification
The risk register is the place where most of the risk information is kept. Think of it as one document for the whole risk management process that will be constantly updated with information as risk identification and later risk management processes are completed.
The risk register becomes part of the project management plan and is also included in historical records which will be used for future projects.
You will notice that the risk register is the only output of many of the risk management processes. Read exam questions carefully as the risk register contains different information depending on when in the risk management process the question is referencing.
At this point the risk register would include:
If I was writing a tricky question for the exam I might write, “When in the risk management process are responses documented?” You will know the answer is risk identification and risk response planning.