Risk Identification in Project Management

The Project Management Institute (PMI) defines risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.” Potential risks include external, internal, technical, or unforeseeable threats and opportunities to your project and deliverables. Learn more about how to identify risk in project management and what you should know about risk identification for the PMP® Exam.

Introducing and Defining Identify Risk PMP®

The Identify Risk PMP® process is used to pinpoint any potential opportunities and threats that could affect elements of a project or its deliverables.

When & How Often Identify Risk PMP® is used in Projects

Risk identification is especially important during the planning process, but it should continue throughout the life of a project.

New risks or information about existing risks can come up as you progress through your project. A solid process for identifying risks during project execution helps the project team avoid schedule overruns, budget overruns, and a volatile stakeholder relationship.

Ten Common Barriers to Risk Identification

You may face some barriers that could prevent you from identifying risks. Here are ten common barriers outlined by PMI:

  1. Identification quality: how precise, accurate, applicable, or relevant is the risk you identified?
  2. Imagination: what limits your project team’s ability to think of all plausible risks?
  3. Inadequate planning approach: if your planning approach is not well or fully developed, you may not be able to identify the proper risk areas.
  4. Lack of knowledge: if you and your project team lack or can’t access sufficient project, technical, or subject matter expertise, such as applying risk identification tools and techniques, you are likely to struggle with identifying risks.
  5. Lack of management support: is your risk identification activity supported from the top down? Any resistance or lack of support can impede identifying risks.
  6. Level of detail: it can be challenging to determine how detailed your risk exploration and documentation should be. Too little detail may cause you to overlook some critical risks.
  7. One observation: limiting yourself to a single risk identification activity severely limits the potential risks you can identify for your project.
  8. Risk attitude: your project team being too reckless or too risk-averse can affect the quality of your risk identification activities.
  9. Time and cost constraints: if you are limited on time or budget, you may not be able to conduct sufficient risk identification activities.
  10. Too many assumptions: you may find yourself making project decisions based on assumptions. Making too many assumptions complicates your risk analysis and identification activities.

Risk Identification Lifecycle

The risk identification lifecycle ensures you collect consistent and comprehensive information about every project risk.

Template Specification

Start by defining a standard template for your risk statement. Your risk statement should include specific information such as the potential event or condition, its consequences, and more.

PMI gives the following example of a thorough risk statement: “Because of [cause], [event] could occur during [time window], which could lead to [impact] with an [effect on project objective].”

Basic Identification

In this stage of the risk identification lifecycle, you will need to ask two questions:

  • Why might this risk happen to this project or not?
  • What similar lessons from the past could apply here?

Analyzing your project or organization’s strengths, weaknesses, opportunities, and threats can help you identify “obvious” internal or external factors related to the risk.

Detailed Identification

After basic identification, expand your understanding of each risk and identify additional risks with detailed identification. This step will give you a richer list of “less obvious” risks to consider.

External Cross-check

Once your internal project team has come up with as many potential project risks as possible, expand your understanding of project risks beyond the internal team’s knowledge and ideas by leveraging the experience of others.

Internal Cross-check

At this point, you should have produced a thorough list of risks. Next, it is necessary to check the list against your scope using your Work Breakdown Structure (WBS). Take some time to validate that each risk corresponds to an element of your WBS and that you have considered each WBS element from a risk identification standpoint.

Statement Finalization

Check your final list of risks to fill in any missing information in your risk statements to ensure they are as informative and thorough as possible. Various tools and techniques can assist you during each step of the risk identification lifecycle and add value. Learn how each tool fits into the risk identification lifecycle and read more about the tools and techniques below.

The Process to Identify Risk PMP®

How to Identify Risk PMP®: Tools and Techniques

The tools and techniques listed below will assist you through the risk identification lifecycle.

Documentation Review and Analysis

Missing, inaccurate, or incomplete information will make it more challenging for you to identify and track risks. Perform documentation reviews to evaluate all the information you have gathered so far within your project. Documents you should review can include:

  • Checklist analysis using risk lists and categories from current or past risk breakdown structures
  • Lessons or analogies from past projects
  • Articles, checklists, category lists, or other resources created by industry experts
  • Organizational process assets
  • And more!

Review each document for completeness and consistency to ensure you have identified all risks.

Diagramming Techniques and Root Cause Analysis

Influence diagrams, flow charts, and fishbone diagrams can all help you understand how internal and external project factors can contribute or lead to risk events. Diagramming techniques and root cause analysis are valuable tools because they can break complex information down to be more easily understood.

Learn more in our guide to root cause analysis steps for the PMP® Exam.

Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis

All projects and organizations have elements in the following categories:

  • Strengths: advantages or things your project or organization does well
  • Weaknesses: vulnerabilities or things your project or organization could improve
  • Opportunities: favorable external factors that you could take advantage of
  • Threats: potentially harmful factors that pose a hazard to your project or organization

SWOT analysis is a powerful visual tool that allows you to analyze these elements together. Start with a square split into four quadrants. Assign one element to each quadrant, then plot each risk in your list in the relevant quadrant. Using SWOT analysis equips you to stay aware of threats and weaknesses while leveraging strengths and opportunities as appropriate.

Information Gathering Techniques

You can gather project risk information in many ways. Here are a few techniques you can use:

  • Brainstorming sessions: encourage your project team to think together in a verbal, partly written, or nominal group brainstorm to inspire surprising synergy and ideas.
  • Delphi technique: consult a group of experts anonymously by sending them a list of relevant information, compiling their responses, and sending results back for further review.
  • Expert or stakeholder interviews: allocate time and resources to developing relevant questions and holding more formal conversations between the appropriate people.

These example information-gathering techniques can help you compile sufficient information to identify, define, and track risks throughout your project.

Assumptions Analysis

One obstacle to assumptions analysis is trying to identify and analyze unconscious assumptions. However, whether your assumptions are conscious or unconscious, every assumption has the potential to be wrong or inaccurate.

Investing some effort in assumptions analysis is a useful way to determine if your assumptions are valid and avoid some potentially significant project risks as a result. Challenge your assumptions and analyze any potential risks they could cause.

What sort of inputs are required to identify risks?

Risk identification requires an extensive list of project elements, documents, and other inputs. Here is a checklist to help you keep track of all the inputs you need to understand your project risks fully.

Project Management Plan Inputs

Project management plans can reveal new risk information as you work to identify risks.

  • The risk management plan. Identify potential risks and organize project risk information. Learn more in our Introduction to Risk Management Plans.
  • Scope and schedule baseline. Keep your timeline, activities, and deliverables in mind as you think about potential risks to the project.
  • The cost, schedule, and quality management plans. These management plans can reveal additional sources of project risks.
  • Human resource management plan. People tend to be unpredictable, so your use of human resources can be a significant source of risks.

Project Document Inputs

Project documentation gives you concrete sources of information to draw from and ensures there are no gaps in project risk knowledge.

  • Activity cost estimates (project budget)
  • Activity duration estimates (project schedule)
  • Procurement documents (requests for information, proposals, and quotations)
  • Stakeholder register
  • Project charter
  • Network diagram
  • Assumption log
  • Issue log
  • Performance reports
  • Earned value reports
  • Resource requirements

Enterprise Environment Factors (EEFs)

It can be challenging to keep track of external risk factors. Here are some enterprise environmental factors you should consider:

  • Relevant laws, regulations, and policies
  • Operational environment information
  • Industry or market research
  • Performance benchmarks
  • Studies, white papers, and other research
  • Risk attitudes

Organizational Process Assets (OPAs)

Leveraging previous experiences, news stories, or case studies can help you avoid mistakes from the past and identify risks for your current project.

  • Established guidelines, policies, or procedures for risk management
  • Past polls of relevant audiences
  • Historical information or databases published by other professionals
  • Lessons learned from previous similar projects
  • Risk registers from past projects

What sort of outputs does identifying risks drive?

The primary output of risk identification is the risk register, a document compiling all known project risks and other relevant information about them.

Project managers create risk registers to list and organize risks, causes, response plans, and more. This document can be used to drive the remaining risk processes: Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, Plan Responses, and Monitor & Control Risks.

Qualitative Risk Analysis

Qualitative risk analysis aims to determine the severity and likelihood of each risk event. This type of analysis helps project managers prioritize risks, understand the project’s risk exposure and the potential impact on the project, and determine the appropriate responses to a risk event.

Risk identification provides information for a probability and impact matrix, a qualitative risk analysis tool also known as a risk assessment matrix. You can use this matrix to identify the most urgent risks that require immediate action. Standardized matrix templates are available that you can leverage for multiple projects or customize to your project’s specific needs.

After identifying risks, you should also perform a risk data quality assessment. This qualitative risk analysis activity helps project managers collate data to determine how much data is available, the quality, reliability, and integrity of the data, and how well they understand the risk.

Quantitative Risk Analysis

While qualitative risk analysis is more subjective, quantitative risk analysis relies on data to analyze the probability and impact of risk events. Quantitative risk analysis is helpful for calculating, simulating, or estimating risk-related information through activities such as expected monetary value analysis, Monte Carlo analysis, cost and schedule impact assessments, and more.

You may require formulas or computer-based programs to perform a quantitative risk analysis, but the results are valuable for risk reporting and informing crucial project decisions.

Plan Response

Once you know what risks your project faces, you can plan your responses to the hypothetical risk events. Document these responses in your risk management plan to have a structured, established, written strategy for performing risk management.

A decision tree can help you determine the best response to a risk event by modeling the future situation as though it were happening today. When facing complex situations, a decision tree is useful for analyzing many alternatives at a single point in time.

Monitoring and Controlling Risks

Risk identification also informs Monitor and Control Risk, the process of tracking and monitoring risks, identifying new risks, and executing your planned responses. After all, you can’t monitor and control risks if you haven’t identified any!

Ongoing monitoring and control are crucial to ensure that identified, residual, and new risks don’t threaten your project and deliverables. Potential outputs of this process include document and plan updates, performance reports, change requests, and more.


Risk identification is essential to project management, but it is no easy task. For the PMP® Exam, you should understand when identifying risk takes place in a project, why it is vital to project management, and the consequences of not performing risk identification.

Learn more about risk management in the Project Management Academy blog or reach out to us to discuss PMP® and PMI-RMP® certification training courses, and other ways to become a more efficient and confident project manager.


Author profile
Erin Aldridge, PMP, PMI-ACP, & CSPO
Director of Product Development at