What Is Project Risk Identification?
Project risk identification is the first step in the risk management process. During this step, managers identify events that might influence a project. Identifying risks helps teams prepare for any outcome. Risks can be either positive or negative.
Mary Beth Imbarrato, Owner of MBI Consulting, shares how risk arises in projects: “Projects introduce change. Change can introduce risks, surprises and unknown issues or challenges. Risk identification is not a static activity.”.
Identifying project risks early and often is the key to minimizing their impact. In order to identify as many risks as possible, project managers need to learn about the various types of risk and where to look for them.
Why Is Risk Identification Important in Projects?
Risk identification is important because it increases the chances of project success. Many projects fail because managers do not identify important risks. Early risk identification helps the project team respond to risks quickly and effectively.
“By definition, risk management is the process of identifying, tracking, and managing potential risks that can impact your scope,” shares Amy Black, Director of Security, Privacy, and Risk at RSM US LLP. “Risk identification is no different. Without proper tracking, the risk can delay or be a significant failure point for the success of your end deliverables. This will impact cost, schedule, and performance.”
The benefits of early project risk identification include the following:
- Fewer Delays: Stay on schedule by identifying risks that could cause delays.
- Better Adaptability: Minimize the impact of negative risks, and maximize the impact of the negative risks by identifying them early on.
- Fewer Surprise Expenses: By helping you avoid delays and resource shortages, project risk identification decreases the number of surprise expenses or penalties.
- Increased Chance of Success: Decrease the chances of project failure caused by unforeseen risks.
“It is not an ‘if’ but ‘when’ something goes wrong in your project,” says Alexis Nicole White, a Project Management Professional (PMP)®, Scrum master, and project delivery consultant with North Highland. “It is important to identify all those things that can go wrong within your project or program as early as possible and associate an impact to each item. Failure to identify risks will result in costly delays. Subsequently, it can impact other project areas such as your budget, resources, and key success metrics.”
When Should Risks Be Identified in a Project?
Risk identification is an iterative process. Teams should first identify risks during project planning. Then, it is best practice to continue identification throughout the entire project. The project manager, project team, and all relevant stakeholders should participate.
Project managers will prepare a process and cadence for identifying and evaluating risks. The earlier a project manager identifies a risk, the better the team can mitigate its effects and proceed without losing time. “Risks should be captured during all facets of the project. Proactively identifying potential risks during the planning and initiation of a project will save you time and money down the road,” states Black.
Alan Zucker, Founding Principal at Project Management Essentials, confirms the need to identify risks throughout the lifecycle of a project. “The business case and project charter should identify the project’s opportunities — why are we undertaking this effort — and the threats that could derail it. We should continue identifying risks until the project is formally closed. New risks will materialize from internal projects or external sources,” he says.
Although risk identification is a continuous process, it should begin before project risk assessment and project risk analysis, and before you finalize your project risk management plan.
How to Identify Project Risks
In order to identify project risks, project managers first need a clear definition of risk. Next, they should use techniques such as brainstorming sessions to determine all possible risk events. Finally, they should document these risks for later reference.
Risk identification is not static. Risks can and will change throughout a project’s lifecycle. “Some risks may be applicable at the start of a project (e.g., resource allocation) and can be closed later in the project lifecycle,” says Imbarrato. “Risks can arise at any stage of a project effort: initiation, planning, execution, or closing. The risk response plan will need to be part of all regularly scheduled meetings with the project team. The timing of those meetings will depend on the complexity, the criticality, and the length of the project.”
Six Phases of the Project Risk Identification Lifecycle
Six phases comprise the project risk identification lifecycle. These include creating a statement template, conducting a SWOT analysis, researching risks, reviewing internal and external risks, cross-checking risks, and creating a final risk statement.
In the Guide to the Project Management Book of Knowledge (PMBOK® Guide), the risk identification lifecycle indicates that the risk management plan should provide a statement for “a fully specified risk statement.” This includes the cause, event, time window, impact, and effect on the project’s objective for each risk.
These are the six phases of the project risk identification lifecycle:
- Create a Statement Template: A statement template allows you to capture the same key pieces of information for each risk. A risk statement template might look like this: Because of <cause>, <event> could occur during <time window>, which could lead to <impact> with an <effect on a project objective>.
- Conduct a SWOT Analysis: Basic identification begins with analyzing the strengths, weaknesses, opportunities, and threats (SWOT) associated with the project. For example, a threat may be that market competitors have more brand recognition than you do.
- Research Risks: Project managers can identify risks while conducting interviews, reviewing assumptions, brainstorming with their teams, and researching similar projects.
- Review External Risks: Many risks will come from within the project team or company. However, everyone should be on the lookout for external risks that can impact the outcome of a project. It’s essential to gather knowledge from as many outside sources as possible. For example, you might interview a market specialist familiar with competitors to evaluate the actual market share of your company or project and that of your competitors.
- Cross-Check Risks: It’s important that all risks are relevant to the project scope and work breakdown structure (WBS). The project manager will ensure each risk corresponds to an element in the WBS.
- Create a Final Risk Statement: The project manager will create a risk statement for each risk in the list. A final risk statement might look like this: Because competitors have more brand recognition, the customer may choose another product before evaluating our product, which could lead to fewer opportunities and have a profound effect on expected product sales and revenue.
Once you complete these steps, you can begin your project risk mitigation efforts.
Project Risk Identification Steps
The steps of identifying project risks align with the phases of the risk lifecycle. The first step is to build the risk statement template. After the internal team and stakeholders identify relevant risks, finalize each risk statement using the template.
Risk Identification Inputs
Project risks can come from anywhere. Review all inputs to better understand potential risks. Common inputs include your project management plan, project documents, enterprise environmental factors (EEFs), and organizational process assets (OPAs).
For each input, review every element to ensure that you identify every major risk to your project.
Here are the main risk identification inputs:
- Project Management Plan: A project management plan includes cost management, scheduling, quality control, human resources, scope, schedule, and budget. For example, it is not uncommon to identify risk within the budget, especially if it is too low to cover all project expenses.
- Project Documents: Project documents include the project charter, stakeholder register, costs, duration, performance reports, resource requirements, and procurement documents. For example, insufficient resources to complete the project pose an enormous risk.
- Enterprise Environmental Factors (EEFs): EEFs include industry information, important benchmarks, research and studies, and attitudes toward risk. For example, industry competitors can pose a risk to a project.
- Organizational Process Assets (OPAs): OPAs include risk registers from previous projects and lessons from the project manager, experts, and the project team. For example, if a subject matter expert reviews your project, they will likely find additional risks.
Risk Identification Tools and Techniques
Each project manager will have their preferred tools and techniques for identifying risks. Gathering data through brainstorming sessions, consulting experts, and conducting a SWOT analysis are all common methods for identifying risks.
These are some helpful risk identification tools and techniques to try:
- Expert Judgment: Experience and subject matter expertise might be enough to identify some project risks. Consult experts to ensure that you haven’t missed key risks.
- Data Gathering: Project managers might host brainstorming sessions with the project team and external stakeholders to dive into potential risks. Checklists, questionnaires, and interviews can help you discover important risks.
- Root Cause Analysis: Root cause analysis means identifying the actual risk as opposed to the symptoms of the risk. Conducting a SWOT analysis and critically reviewing project requirements and assumptions will likely bring hidden risks to the forefront.
- Collaboration: Group or individual meetings, workshops, and brainstorming sessions are all great ways to unearth new risks and eliminate risks that are outside the project's scope.
- Hybrid Approach: Most project managers combine two or more techniques to uncover risks throughout the project.
Project Risk Identification Framework
The project risk identification framework is a tool that standardizes risk identification. Knowing the current and potential risks helps improve the likelihood of project success. Keep everyone on the same page about risks by establishing a common framework.
Each business will create or adopt its own unique framework. In the The Journal of International Technology and Information Management, Jack T. Marchewka puts forth this framework for identifying project risks. Marchewka’s framework is a helpful example of how to standardize risk identification.
In Marchewka’s model, project value is at the core of the risk identification framework. Just outside the center are project elements, such as quality and budget, that significantly impact project success. The next tier includes internal and external risks, which may be outside a project manager’s control. The next layer contains known, unknown-known, and unknown-unknown risks.
Known risks are entirely certain. Unknown-known risks are certain, but some details might be unclear. For example, you might know that you have to hire an engineer for your project, but you don’t know the exact negotiated salary. Unknown-unknown risks are those that the project manager cannot predict. For example, a recession or sudden bankruptcy are unknown-unknowns. The outermost layer of Marchewka’s framework contains the project lifecycle phases because risk identification may occur at any point during the project.
Project Risk Identification Example
Follow along with the risk identification steps to start risk management in any project. After you create your statement template, move through each phase of risk identification to ensure that you identify as many risks as possible.
Here is how to apply these risk identification steps to a CRM software project:
- Conduct a SWOT Analysis: The SWOT analysis for the CRM software project will help the team analyze the projects’ strengths and weaknesses, as well as identify opportunities and threats. Threats may include the lack of end-user involvement in requirements, CRM competitors, or no brand recognition in the CRM market.
- Research Risks: While performing research, you might come across a previous software project that is similar to your current project. If the earlier project team encountered unexpected problems with conflicting priorities or late-stage requirement changes from leaders, add these to your risk register. These are important risks to note as they reflect historical behaviors of the company.
- Review External Risks: As you meet with external resources, you might find that the CRM market is saturated with competitors. The risk is that there will be less demand for your product. You might have to consider how to differentiate your product or brand to avoid the immense competitive pressures of an already saturated market.
- Cross-Check Risks: Ensure each risk is within the project scope and corresponds to the work deliverables. It is possible that a risk you have identified is out of scope for the project and doesn’t need to be addressed in your risk mitigation plan.
- Create Final Risk Statements: Some risk statements for this CRM software project might read as follows:
- Because competitors have more brand recognition, the customer might choose another product before evaluating our product, which could lead to fewer opportunities and have a profound effect on expected product sales and revenue.
- Because end-users are not involved in requirement development, the software might not meet their needs once the software is available, which could lead to additional development costs and have an impact on product suitability, product sales, and revenue.
Project Risk Identification Workshop Toolkit
This project risk identification workshop toolkit will help you conduct a successful risk identification workshop. The toolkit includes all the information you will need to run your own workshop, from brainstorming questions to communication guidelines.
The guide includes questions that will help the team think about, discuss, and prioritize potential risks. Following the risk identification workshop, you will document and track all risks in the risk register.
Download a Project Risk Identification Workshop Toolkit for
Microsoft Word | Google Docs
For more useful templates and resources, see our comprehensive list of project risk management templates.
Project Risk Identification Best Practices
Planning for project threats and opportunities is essential to project success. Following project risk identification best practices will help prevent surprises that could derail your project. For example, identify risks early and often throughout the project lifecycle.
Successful project risk identification shares many of the benefits of general project risk management. These are some best practices to help you optimize your project risk identification:
- Detect Risks Early: Project risk identification should happen in the earliest stages of project planning. “Early detection is key. If we can identify risks early enough, we can avoid delays in our overall project timeline and schedule,” shares Black.
- Collect Stakeholder Input: Stakeholders will have important insights into potential risks, so you should always consult them when identifying risks. “Communication is key to capturing as many risks as possible. While you may not perceive something as a risk, another stakeholder or project contributor may experience a significant impact,” says Black. “Bringing risks up during project status meetings or status read-outs is imperative.”
- Review Risks Often: Risks change over the lifecycle of a project. “New risks can arise as the project unfolds. It is critical for project managers to understand that risks are not something they can document and then store. Risk identification and response will never be in a final state until the project ends,” states Imbarrato.
- Analyze Risk Impact: Part of identifying risks is understanding how impactful each risk event will be. White suggests conducting a risk analysis: “Analyze how risk can impact your project and evaluate the outcome of the risks.”
- Learn Lessons from Past Projects: Always review similar past projects as part of your risk identification process. “Many risks from prior projects will manifest in future ones, so old risk registers can be a good starting point for review,” suggests Zucker. “Also, use checklists from other projects in your organization,” says Zucker. “Many people execute similar projects and encounter the same risks. A checklist reduces the effort and ensures we do not forget a common risk.”
- Review Industry Data: Project managers don’t need to start from scratch when identifying risks. “Many industries have standard prompt lists, benchmarks, and common risks that can be a starting point and help us look beyond our current horizon,” says Zucker.
- Interview All Relevant Personnel: The more people you consult about risk identification, the less likely you are to run into surprises during project execution. “Brainstorm possible risks with the project team and key stakeholders,” says Zucker. “Also, interview subject matter experts who can provide insight into potential risks.”
Take Control of Project Risks with Real-Time Work Management in Smartsheet
Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.