PMP Risk Categories
How many times have you forgotten a whole category of risks on your project? I have long advocated the use of a standard list of risk categories (high-level areas of risk such as technology changes or cultural issues) to make sure areas of risk are not forgotten.
Risk categories are lists of common areas or sources of risk experienced by the company, or on similar projects. The categories help analyze and identify risks on each project.
Companies and project management offices should have standard lists of risk categories that all projects can use to help identify risks. Those leading risk identification should make sure that each category is considered when looking for risks.
PMP Risk Category Examples
There are many ways to classify or categorize risk such as:
- External: Regulatory, environmental, government, market shifts
- Internal: Time, cost, scope changes, inexperience, poor planning, people, staffing, materials, equipment
- Technical: Changes in technology
- Unforeseeable: Only a small portion of risks (some say about 10 percent) are actually unforeseeable
A better way is based on specific categories of risk that may occur on your company’s projects. My risk research shows over 300 potential categories of risk.
- Project management (yes, your lack of project management effort can add risk)
- The customer’s customers
- The suppliers
- Resistance to change
- Lack of knowledge of project management by the project manager and stakeholders
- Stakeholder-caused risks
- Sponsor-caused risks
- Cultural risks
PMP Risk Categories by Source
Another way is to categorize risks by source (“Where do risks come from?”), as shown below:
- Schedule risk: “The hardware may arrive earlier than planned, allowing work package XYZ to start three days earlier.”
- Cost risk: “Because the hardware may arrive later than planned, we may need to extend our lease on the staging area at a cost of $20,000.”
- Quality risk: “The concrete may dry before winter weather sets in, allowing us to start successor work packages earlier than planned.”
- Performance or scope risk: “We might not have correctly defined the scope for the computer installation. If that proves true, we will have to add work packages at a cost of $20,000.”
- Resources risk: “Riki is such an excellent designer that he may be called away to work on the new project everyone is so excited about. If that occurs, we will have to use someone else and our schedule will slip between 100 and 275 hours.”
- Customer satisfaction (stakeholder satisfaction) risk: “There is a chance that the customer will not be happy with the XYZ deliverable and not tell us, causing at least a 20 percent increase in communication problems.”
Expect the phrases “sources of risk” and “risk categories” to be used interchangeably on the exam. They can be organized in an organizational chart or WBS-like format called a risk breakdown structure.
PMP Risk Identification
This is where risks are identified. Any risks missed here may be harder to deal with later in the project. This effort should involve all stakeholders and might even involve literature reviews, research and talking to non-stakeholders.
Sometimes the core team will begin the process and then the other members will become involved, making risk identification an iterative process.
When you get a question about who should be involved in risk identification, the best answer is everyone! Everyone has a different perspective of the project. Take off your blinders and look beyond what you are used to.
Smart project managers begin looking for risks as soon as a project is first discussed. However, the major risk identification effort occurs during planning. Risk identification cannot be completed until a project scope statement and WBS have been created and the project team knows “what is the project.” The sponsor may supply a list of risks in the preliminary project scope statement.
Because risk identification can occur during the initiating and planning process groups, the exam has often said that risk identification happens at the onset of the project. Risks may also be identified during any part of the project.
The exam will specifically look for you to include risk identification during such activities as project changes, when working with resources, and dealing with project issues.
How do you identify risks?
The PMBOK® Guide does not go into detail here and neither will the exam. The exam is likely to weight its risk questions toward project executing and project monitoring and controlling. Therefore, details of risk identification are not explained in this section. It does include:
What is and what is not included in the preliminary project scope statement, the project charter and later documents can help identify risks. Lessons learned, articles and other documents can also help uncover risks. This used to be a trick for risk management and now has become standard practice. Think about how valuable this would be in your real world.
Information Gathering Techniques
You should know there are many ways to identify risks and that risk identification can be an art form. Luckily, you need not be a risk identification expert to pass the exam.
Keep it simple and just know the following!
- Brainstorming: Brainstorming is usually done in a meeting where one idea helps generate another.
- Delphi Technique: A technique used to build consensus of experts who participate anonymously. A request for information is sent to the experts, their responses are compiled, and the results are sent back to them for further review until consensus is reached.
- Interviewing: Also called expert interviewing on the exam, this consists of the team or project manager interviewing project participants, stakeholders or experts to identify risks on the project or a specific element of work.
- Root cause analysis: What if you could reorganize the risks you have uncovered by their causes? Might you see more risks? Of course, maybe many more!
- Strengths, weaknesses, opportunities and threats analysis (SWOT): This analysis looks at the project to identify its strengths, etc. and thereby identify risks.
Types of PMP Risks
These can be classified under two main types:
- Business: Risk of a gain or loss
- Pure (Insurable) Risk: Only a risk of loss (e.g., fire, theft, personal injury)
The checklist of risk categories was previously described in risk management planning. One does not just go down the checklist asking “Do we have this type of risk?” Actual risks should be more specific and detailed than those in the checklist.
Risks are identified using one of the techniques previously described. The checklist is then used to make sure the risk identification process has addressed all the categories of risk.
Analyzing what assumptions have been made on the project and if they are valid, for the purpose of identifying more risks.
There are many tools described in the Quality lesson that help one analyze the root causes of issues. These include cause and effect diagrams and flowcharts. When used as part of risk identification, they help identify additional risks.
Outputs of PMP Risk Identification
The risk register is the place where most of the risk information is kept. Think of it as one document for the whole risk management process that will be constantly updated with information as risk identification and later risk management processes are completed.
The risk register becomes part of the project management plan and is also included in historical records which will be used for future projects.
You will notice that the risk register is the only output of many of the risk management processes. Read exam questions carefully as the risk register contains different information depending on when in the risk management process the question is referencing.
At this point the risk register would include:
- List of risks
- List of potential responses: Though risk response planning occurs later, one of the things experienced risk managers know is that it is not always logical to separate work on each part of risk management. There will be times when a response is identified at the same time as a risk. These responses should be added to the risk register as they are identified, and analyzed later as part of risk response planning.
- Root causes of risks: Previously explained, these are now documented.
- Updated risk categories: You will notice lots of places where historical records and company records are updated throughout the project management process. Make sure you are aware that lessons learned and communicating information to other projects do not just happen at the end of the project. Here, the project is providing feedback to the rest of the company regarding new categories of risk to add to the checklist previously described.
If I were writing a tricky question for the exam, I might write, “When in the risk management process are responses documented?” You will know the answer is risk identification and risk response planning.