Effective risk management enables project teams to fix problems before they eventuate. Although technical challenges are a primary concern, risk management must consider all internal and external sources of expense, scheduling and technical risk. Early risk identification is critical because it is usually quicker, less expensive and less disruptive to adjust and correct work efforts during the earlier phases of the project rather than later.
By the end of this topic, you will understand:
- risks and risk objectives
- how to identify project risks in the context of the risk management process
- how to identify project risks by using valid and reliable methods.
What is a risk?
Risk can be defined as:
- the possibility that events will occur and affect the achievement of strategy and business objectives
- a combination of the occurrence of harm and the severity of that harm
- effect of uncertainty on objectives
- effect of uncertainty
Risk objectives
Risk management aims to detect potential risks and issues before they arise. Once risks have been identified, you can:
- make informed decisions to reduce the uncertainty to an acceptable level
- control the likelihood of events occurring that affect the certainty of achieving objectives
- reduce the likelihood of negative impacts on the project throughout its life.
Risk management should fix problems that may jeopardise the achievement of project goals. A continuous risk management approach is used to efficiently predict and mitigate the risks that substantially impact a project.
How to identify project risks
Two main stakeholder groups are consulted to identify project risk:
- Internal stakeholders (top management, the project team, resource managers and internal customers) and
- External stakeholders (external customers, government, contractors, subcontractors and suppliers etc.).
Ways to identify risks
Project risk can be identified using different techniques. These include interviews, brainstorming, checklists, analysis and diagramming (projectrisk.com):
- Interviews: Interviews are undertaken with the main stakeholders. Each interview must be planned out with specific questions, and the results of the discussion should be recorded.
- Brainstorming: Brainstorming is used to identify risks in advance. Questions are posed to a group or team, and the results are documented. Questions may relate to project purpose, timeline, budget, quality or scope.
- Checklists: Checklists are used to identify the most common risks. They are often updated at the end of a project to include lessons learnt. Checklists are a quick and effective way to address standard risks but do not record specific risks that may not have been addressed in the past or are unique to a particular project.
- Assumption Analysis: Assumptions are necessities within the project that are often not outlined in project objectives. A lack of documentation around assumptions is often a source of risk within a project. These include the availability of project members, the skills that project members hold, vendor delivery times or the realisation that project schedule dates may change.
- Cause and Effect Diagrams: Cause and Effect diagrams are a visual tool used to identify the causes of risk and the facts that can give rise to risks. One form of a Cause and Effect diagram is a fishbone diagram, as shown here.
Risk management standards
Risk management standards provide guidance and best practice strategies to help organisations:
- identify risks
- assess risks
- identify ways to manage risks
- implement risk control strategies
Standards Australia develops Australian/New Zealand Standards that are voluntary for organisations to follow. There are also international standards that Standards Australia uses. Relevant standards for risk management include:
- AS ISO 31000:2018 – Risk management – Guidelines. This Australian Standard provides guidelines for managing risks faced by organisations, which can be customised to suit the organisation.
- AS/NZS IEC 31010:2020 – Risk management – Risk assessment techniques
- ISO Guide 31073:2009 – Risk Management – Vocabulary. This document defines generic terms related to the management of risks faced by organisations.
- IEC 62198:2013 Managing risk in projects – Application guidelines. This international standard.
ISO 31000:2018 Standard
Purpose and key elements of risk management standards
ISO 31000:2018 (standards) provides guidelines on managing risk faced by organisations. The standards can be used throughout the life of the organisation and can be applied to any activity, including decision-making at all levels.
The purpose of the standards is to:
- assist in managing the risks effectively through the application of the risk management process
- ensure that the information about risks resulting from the risk management process is accurately reported
- ensure that the information is used as a basis for decision making and accountability at all levels of the business.
The key elements of the standards include the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.
The purpose of the risk management framework is to assist organisations in integrating risk management into significant activities and functions.
The framework includes:
Activity: Read the Risk management – Guidelines, including the framework for risk management
https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en
Regardless of the task, a risk factor must be evaluated and calculated to determine threats to a project and ways to mitigate the risk.
Project risk management deals with the processes involved in identifying, evaluating and reviewing possible risks and, ultimately, tracking them over the life of a project. Each project has different risks based on the work being conducted.
- Requirements, assumptions, constraints
- Risk (includes threats and opportunities)
- Creates potential positive or negative outcomes
You may not see all potential risks, but planning for as many as possible gives you the greatest chance of success.
Key processes in risk management are the identification of risks, the assessment of risks and then the treatment of the identified risks.
The process aims to determine the following:
- What could happen, where and when?
- Why and how could it happen?
- What might be the results if it happened?
- What controls are in place to reinforce gains and stop or minimise adverse impacts?
- How effective are these controls?
- What is the level of risk?
- How can we best treat the danger further?
There is not one process or method that must be used for risk assessment and treatment. The type of risk assessment process adopted will depend on the severity of potential risks and their likelihood so that:
- where there are high levels of risk, a very rigorous risk assessment is required
- where risk outcomes are less serious or the extent of risk is low, simpler techniques can be used.
Risk management process
The risk management process based on ISO 31000:2009 is documented in the graphic below.
Communication and consultation within the project team and with stakeholders are key to supporting all parts of the risk management process (broadleaf.com.au).
Monitoring and review
The monitoring and review processes detect whether a project risk has changed and determine the validity of the identified risks. Both monitoring and review are necessary to ensure that an organisation or project operates within its risk criteria.
The context of project risk looks at the external and internal environment that may affect the organisation’s or project’s objectives.
To manage project risks, review the organisation's:
- external context, including its external stakeholders—its local, national and international environment—and any external factors influencing its objectives.
- internal context, including its internal stakeholders, approach to governance, contractual relationships, capabilities, culture and standards.
All project activities carry some risk factor, and ambiguity about this could have either a positive or negative effect on the project. A project manager has to consider what danger is likely to arise and what it will affect if it does, such as impacts on the project schedule. Risks may impact project scope, timetable, expense or quality.
Understanding the distinction between business or company risks and project risks is crucial. Company risks are more common and apply to the organisation, while project risks directly relate to the project's aims.
Business risk means uncertainty about income or risk of loss and incidents that may pose a risk in the future due to any unexpected events, causing the business to fail.
For example, if undertaking a project to construct a stadium, the difference between project and business risk would be:
- Project risk—The construction cost could be higher than expected due to a rise in the price of materials or labour.
- Business risk—Even if the stadium is completed on schedule and within budget, it won't make money for the company.
Continuing the example above: during the construction process, a change in health and safety regulations must be addressed and may disrupt the project. The effect of this change to the project in terms of expense, schedule and efficiency must be assessed and may include:
- Shortage of trained staff due to demand for other construction projects
- Unexpected inspection and license costs
- The affected part of the stadium may need to be expedited to finish the project on time.
Organisations and stakeholders must be prepared to consider various levels of risk. This is called the ‘tolerance for threats’. Threats within a project have potentially harmful effects that the project management team should mitigate. If they are balanced, risks that endanger the project will be acknowledged.
Each business will have a defined 'risk tolerance' informed by its legal status and culture.
To successfully manage projects, an organisation must proactively and systematically manage risks and make deliberate decisions about the risk treatment plan.
PESTLE analysis
A PESTLE analysis is a helpful tool used to examine external factors out of a business's control that might impact an organisation in achieving its project objectives.
Political | Economic | Social | Technology | Legal | Environment |
---|---|---|---|---|---|
Common risk categories
Common categories of risks include:
- Natural disasters including storms, floods, drought and bushfires
- Pandemics such as flu or COVID-19
- Legal risks relate to legal issues that could arise during or after the project, including non-compliance with the law, insurance issues, breach of contracts, being sued
- Global events, including political issues and restrictions on overseas travel
- Technology includes cyber security issues, computer failures, hardware or software failures, changes in technology
- Regulatory and government policy changes such as quarantine restrictions, tax, power or water restrictions
- Environmental risks include pollution, climate change and chemical spills
- Work health and safety risks, including injury or illness caused by accidents or an event at work
- Property and equipment failure or damage caused by power failure, natural disaster, vandalism or robbery
- Security risks such as theft, fraud, terrorism and cyber security fraud
- Economic and financial risks caused by changes in global financial events, interest rates, cash flow charges, unexpected costs increasing, customers not paying, unexpected expenses
- Human resources such as staff strikes, inability to retain existing staff, failure to attract new staff, conflict or performance issues
- Market changes in preference or new competition
- Utilities and services include power failure, internet failure, computer or server issues, and telephone interruptions.
Project risks
- Scope creep occurs when the project scope expands beyond the project's original scope. This can happen when new stakeholders are involved or if the original project goals change.
- Quality risks are related to the quality of the product or services delivered by the project. The outcome may not meet the specifications, may not be fit for purpose or may not meet the quality goals.
- High costs are caused when expenditure costs exceed budgeted costs.
- Schedule risks occur when tasks take longer than planned. This means that estimated durations, dependencies and assumptions are not accurate.
- Resource risks occur when the resources required to achieve the goal, such as time, finances or skilled workers, are insufficient.
- Operational changes occur when changes in the business or team result in changes in organisational priorities, structure, team roles and responsibilities.
- Misunderstanding is caused by miscommunication, unclear scope, responsibilities, and deadlines.
Risk management context
The process of defining the risk management context includes:
- establishing key information associated with the risk and
- setting the criteria on how the risk is going to be assessed.
This includes defining the following:
- goals and objectives of the risk assessment activity
- scope and parameters of the risk assessment
- risk assessment approach to be implemented
- reporting and recording requirements
- relationship between the risk assessment and other business activities and plans
- criteria against which risks are to be evaluated, including:
  - how likelihood will be defined
  - the consequences that will be considered
  - what level of risk will require further risk reduction treatment.
A written risk assessment is best broken down into parts or key topics so that risks can be identified one by one, producing a comprehensive list of risks.
Any probable risks must be defined, and a plan for managing those risks established, before a project even begins. One of the best ways to do this is to learn from previous experience, either your own or the organisation's experiences as a whole.
The inputs, tools and techniques, and outputs in identifying project risks are shown in the diagram from the Project Management Institute.
Inputs:
- Risk management plan
- Cost management plan
- Schedule management plan
- Quality management plan
- Human resource management plan
- Scope baseline
- Activity cost estimates
- Activity duration estimates
- Stakeholder register
- Project documents
- Procurement documents
Tools and techniques:
- Documentation reviews
- Information gathering techniques
- Checklist analysis
- Assumptions analysis
- Diagramming techniques
- SWOT analysis
- Expert judgement
Outputs:
- Risk register
Identify risks: Inputs
A Schedule Management Plan template designed by Ucop.edu outlines the inputs for identifying risks as follows:
Risk management plan
A risk management plan is made up of the following components:
- Identification of risks
- Assessment of risks
- Risk mitigation actions
- Assignments of roles and responsibilities
- Categories of risk or risk breakdown structure.
Cost management plan
Cost management provides the process of estimating, allocating and controlling the costs in a project. It allows a business to predict future expenses to reduce the chances of going over the planned budget.
Schedule management plan
The Schedule Management Plan defines how the project schedule is managed throughout the project lifecycle.
Quality management plan
The Quality Management Plan provides guidance on how the project will ensure quality through design reviews, documentation and other protocols.
Human resources management plan
The Human Resources Management Plan ensures the best fit between employees and jobs while avoiding manpower shortages or surpluses throughout the project's lifecycle.
Scope baseline
The Scope Baseline is the collection of scoping documentation, which includes a scope declaration, work breakdown structure (WBS) and its associated WBS dictionary.
Activity cost estimates
Activity cost estimates provide a quantitative assessment of the likely cost of completing scheduled activities.
Activity duration estimates
Activity time estimate reviews are used in identifying risks related to the time allowed for each activity with the range of risks attached to this activity.
Stakeholder register
A stakeholder register identifies the people, groups and organisations that have any interest in the project work and the project outcome.
Project documents
Project documents provide the project team with detail about decisions to better identify project risk. Examples of project documents are the project charter, project schedule, schedule network diagrams, issue log, quality checklist and other information proven valuable in identifying risks.
Procurement documents
If the project requires external procurement of resources, procurement documents become a key input to the risk identification process.
Identify risks: tools and techniques
Documentation reviews
Project documents, including project plans, assumptions, previous project files, agreements, contracts and other information, may be placed under review to minimise risks within a project. A project risk indicator occurs if the project plan is of poor quality or no longer aligns with the project requirements and assumptions.
Information gathering techniques
Examples of information gathering techniques utilised in identifying risks can include:
- Brainstorming—The goal of brainstorming is to assemble a list of project risks. The project team usually performs brainstorming, where ideas about project risk are generated under the leadership of a facilitator.
- Interviewing—The goal of interviewing is to gather information from experienced project participants, stakeholders and subject matter experts that may help to spot risks.
- Root cause analysis—Root cause analysis is a specific technique used to identify a problem, discover the underlying causes that lead to it and develop preventive action.
Checklist analysis
Risk identification checklists are developed based on historical information and knowledge that has been accumulated from previous similar projects and other sources.
Assumptions analysis
In project management, an assumption is something that is taken to be true without any proof or evidence. When assumptions go wrong, projects can quickly become derailed.
Project managers must thoroughly analyse risks and assumptions early on in the planning process. By identifying and addressing risks associated with assumptions, project managers can help ensure their projects stay on track.
Diagramming techniques
Risk diagramming techniques may include:
- Cause and effect diagrams—These are also called Ishikawa or fishbone diagrams and help identify causes of risks.
- System or process flow charts—These show how various elements of a system or process interrelate.
- Influence diagrams—These are graphical representations of situations showing causal influences, time ordering of events and other relationships among variables and outcomes.
SWOT Analysis
Project Managers may use the SWOT analysis tool to assess a project’s strengths, weaknesses, opportunities and threats. This information is then used to create a plan of action to help the project succeed.
Strengths and weaknesses are internal factors that the project manager can control. Opportunities and threats are external factors that the project manager cannot control.
A SWOT analysis can be used at any stage of a project. It can help the project manager identify problems early on and make necessary changes, and it can also help assess whether a project is likely to be successful.
A SWOT is best undertaken in a group with input from management, staff, and other stakeholders.
Usually, a template with four quadrants and specific questions is used to encourage critical reflection.
An excellent way to approach a SWOT analysis is to follow these simple steps:
- Firstly, look at your organisation's strengths, i.e. the things you do well in managing risk.
- Next, look at the weaknesses; these are the areas of the process that might not be working so well, contain gaps, or are ambiguous. Often strengths can link to weaknesses. For example, a strength in managing past risk may mean that you have a weakness in not looking at new or emerging risks which may be imminent. If strengths and weaknesses appear to be linked, put them opposite each other.
- Lastly, identify potential opportunities to improve and oppose them with the major threats which will stop you from managing risks. Do you have a "fragile" business that is likely to be hit hard by risk events or a "robust" one that is relatively shockproof?
Strengths and weaknesses should relate to current organisational capabilities. They may include but are not limited to the following:
- resources and technologies, e.g. availability and access to software, recordkeeping tools and templates, previous records, information etc.
- communication and collaboration, e.g. feedback loops, engagement of all stakeholders, clear lines of authority, consultation etc.
- stakeholder relationships/support, e.g. are all personnel invested in the process or is there some work to do in terms of engaging stakeholders and promoting the importance of the risk management process?
- effectiveness, e.g. audit results, risk management evaluation reports, data to show successful/poor control of organisational risk using the current framework etc.
It is a good idea to review strengths and weaknesses collaboratively so that relevant stakeholders can support the process by offering insight, advice, and suggestions. Any key outcomes of the review should be recorded. This could be in the form of a SWOT analysis, report, or as part of other appropriate risk management documentation such as a scope document or risk management plan.
For example:
Internal context | Strengths | Weaknesses | Opportunities | Threats |
---|---|---|---|---|
Organisational structure | Dedicated project team was established with minimal staff turnover for three years | Inability to meet client demand due to insufficient staff numbers | Ability to accept more projects if more staff are recruited. | Increase or decrease in client demand |
Services provided | Dedicated project team providing acquisition services | Administrative errors being made due to services being rushed | Take on more staff and restructure responsibilities | Inability to attract new staff |
Personnel competencies/skill levels | Management team are highly competent in their role for over two years | No skilled staff to backfill manager roles when they are on leave | Provide training to Project Officers to backfill managers when they are on leave or as needed | Insufficient time |
Office premises | Easy to access and safe location | | | |
Office equipment/technology | Sufficient budget | Office technology is out of date | Improve efficiency by upgrading technology | Internet outages |

External context | Strengths | Weaknesses | Opportunities | Threats |
---|---|---|---|---|
Legislative/regulatory framework | Legislation was changed last year, so no further changes are expected | | | |
Employment market | Inability to attract new staff | | | |
Environmental factors | Health pandemic | | | |
Activity: SWOT Analysis
Review the SWOT analysis template and case study example developed by Euromonitor International. This activity aims to show you a step-by-step example of how to create a SWOT analysis.
Expert Judgment
Risks could also be identified directly by experts with relevant experience in similar projects or business areas.
Identify risks: output
Risk register
A risk register is a record of the risk management processes and outcomes as they are conducted.
Activity: Risk register
Read the article “What is a risk register in project management” by Jessica Everitt, Wrike, to learn more about risk registers and to look at an example of a risk register.
List of identified risks
The identified risks are described in as much detail as is reasonable. Suggested responses or risk mitigation responses are also documented.
“If you don’t invest in risk management, it doesn’t matter what business you’re in, it’s a risk business”.
Gary Cohn