Risk Identification in Project Management

Project Management Institute defines risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.” Potential risks include external, internal, technical, or unforeseeable threats and opportunities to your project and deliverables. Learn more about how to identify risk in project management and what you should know about risk identification for the PMP® Exam.

On this page:

• Introducing and Defining Identify Risk PMP®
• Risk Identification Lifecycle
• How to Identify Risk PMP®: Tools and Techniques
• What sort of inputs are required to identify risks?
• What sort of outputs does identifying risks drive?
• Summary

How to Identify Risk PMP®: Tools and Techniques

The tools and techniques listed below will assist you through the risk identification lifecycle.

Documentation Review and Analysis

Missing, inaccurate, or incomplete information will make it more challenging for you to identify and track risks. Perform documentation reviews to evaluate all the information you have gathered so far within your project. Documents you should review can include:

• Checklist analysis using risk lists and categories from current or past risk breakdown structures
• Lessons or analogies from past projects
• Articles, checklists, category lists, or other resources created by industry experts
• Organizational process assets
• And more!

Review each document for completeness and consistency to ensure you have identified all risks.

Diagramming Techniques and Root Cause Analysis

Influence diagrams, flow charts, and fishbone diagrams can all help you understand how internal and external project factors can contribute or lead to risk events. Diagramming techniques and root cause analysis are valuable tools because they can break complex information down to be more easily understood.

Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis

All projects and organizations have elements in the following categories:

• Strengths: advantages or things your project or organization does well
• Weaknesses: vulnerabilities or things your project or organization could improve
• Opportunities: favorable external factors that you could take advantage of
• Threats: potentially harmful factors that pose a hazard to your project or organization

SWOT analysis is a powerful visual tool that allows you to analyze these elements together. Start with a square split into four quadrants. Assign one element to each quadrant, then plot each risk in your list in the relevant quadrant. Using SWOT analysis equips you to stay aware of threats and weaknesses while leveraging strengths and opportunities as appropriate.

Information Gathering Techniques

You can gather project risk information in many ways. Here are a few techniques you can use:

• Brainstorming sessions: encourage your project team to think together in a verbal, partly written, or nominal group brainstorm to inspire surprising synergy and ideas.
• Delphi technique: consult a group of experts anonymously by sending them a list of relevant information, compiling their responses, and sending results back for further review.
• Expert or stakeholder interviews: allocate time and resources to developing relevant questions and holding more formal conversations between the appropriate people.

These example information-gathering techniques can help you compile sufficient information to identify, define, and track risks throughout your project.

Assumptions Analysis

One obstacle to assumptions analysis is trying to identify and analyze unconscious assumptions. However, whether your assumptions are conscious or unconscious, every assumption has the potential to be wrong or inaccurate.

Investing some effort in assumptions analysis is a useful way to determine if your assumptions are valid and avoid some potentially significant project risks as a result. Challenge your assumptions and analyze any potential risks they could cause.

What sort of inputs are required to identify risks?

Risk identification requires an extensive list of project elements, documents, and other inputs. Here is a checklist to help you keep track of all the inputs you need to understand your project risks fully.

Project Management Plan Inputs

Project management plans can reveal new risk information as you work to identify risks.

• The risk management plan. Identify potential risks and organize project risk information. Learn more in our Introduction to Risk Management Plans.
• Scope and schedule baseline. Keep your timeline, activities, and deliverables in mind as you think about potential risks to the project.
• The cost, schedule, and quality management plans. These management plans can reveal additional sources of project risks.
• Human resource management plan. People tend to be unpredictable, so your use of human resources can be a significant source of risks.

Project Document Inputs

Project documentation gives you concrete sources of information to draw from and ensures there are no gaps in project risk knowledge.

• Activity cost estimates (project budget)
• Activity duration estimates (project schedule)
• Procurement documents (requests for information, proposals, and quotations)
• Stakeholder register
• Project charter
• Network diagram
• Assumption log
• Issue log
• Performance reports
• Earned value reports
• Resource requirements

Enterprise Environment Factors (EEFs)

It can be challenging to keep track of external risk factors. Here are some enterprise environmental factors you should consider:

• Relevant laws, regulations, and policies
• Operational environment information
• Industry or market research
• Performance benchmarks
• Studies, white papers, and other research
• Risk attitudes

Organizational Process Assets (OPAs)

Leveraging previous experiences, news stories, or case studies can help you avoid mistakes from the past and identify risks for your current project.

• Established guidelines, policies, or procedures for risk management
• Past polls of relevant audiences
• Historical information or databases published by other professionals
• Lessons learned from previous similar projects
• Risk registers from past projects

What sort of outputs does identifying risks drive?

The primary output of risk identification is the risk register, a document compiling all known project risks and other relevant information about them.

Project managers create risk registers to list and organize risks, causes, response plans, and more. This document can be used to drive the remaining risk processes: Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, Plan Responses, and Monitor & Control Risks.

Qualitative Risk Analysis

Qualitative risk analysis aims to determine the severity and likelihood of each risk event. This type of analysis helps project managers prioritize risks, understand the project’s risk exposure, the potential impact on the project, and determine the appropriate responses to a risk event.

Risk identification provides information for a probability and impact matrix, a qualitative risk analysis tool also known as a risk assessment matrix. You can use this matrix to identify the most urgent risks that require immediate action. There are standardized matrix templates available you can leverage for multiple projects or customize to your project’s specific needs.

After identifying risks, you should also perform a risk data quality assessment. This qualitative risk analysis activity helps project managers collate data to determine how much data is available, the quality, reliability, and integrity of the data, and how well they understand the risk.

Quantitative Risk Analysis

While qualitative risk analysis is more subjective, quantitative risk analysis relies on data to analyze the probability and impact of risk events. Quantitative risk analysis is helpful for calculating, simulating, or estimating risk-related information through activities such as expected monetary value analysis, Monte Carlo analysis, cost and schedule impact assessments, and more.

You may require formulas or computer-based programs to perform a quantitative risk analysis, but the results are valuable for risk reporting and informing crucial project decisions.

Plan Response

Once you know what risks your project faces, you can plan your responses to the hypothetical risk events. Document these responses in your risk management plan to have a structured, established, written strategy for performing risk management.

A decision tree can help you determine the best response to a risk event by modeling the future situation as though it were happening today. When facing complex situations, a decision tree is useful for analyzing many alternatives at a single point in time.

Monitoring and Controlling Risks

Risk identification also informs Monitor and Control Risk, the process of tracking and monitoring risks, identifying new risks, and executing your planned responses. After all, you can’t monitor and control risks if you haven’t identified any!

Ongoing monitoring and control are crucial to ensure that identified, residual, and new risks don’t threaten your project and deliverables. Potential outputs of this process include document and plan updates, performance reports, change requests, and more.

Summary

Risk identification is essential to project management, but it is no easy task. For the PMP® Exam, you should understand when identifying risk takes place in a project, why it is vital to project management, and the consequences of not performing risk identification.

Learn more about risk management in the Project Management Academy blog or reach out to us to discuss PMP® and PMI-RMP® certification training courses, and other ways to become a more efficient and confident project manager.

Upcoming PMP Certification Training – Live & Online Classes