
Chapter 6

Identifying Risk

Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
Overview
The main goal of the risk identification process is to identify risk
events as early as possible. This is a continuous process, as internal and
external factors are always at play and can potentially impact your
project in a negative way, compromising the project’s ability to achieve
performance or capability outcome goals.
Risk assessment, however, is difficult! Assessing the risk of a project
is one of the most difficult phases to carry out in the entire project. The
task of ensuring that adequate and timely risk identification is performed
is the responsibility of the project manager, but also of stakeholders. The
sooner risks are identified, the sooner plans can be made to mitigate or
manage them. Assigning the risk identification process to a contractor or
an individual member of the project staff is rarely successful and should be
considered as a way to achieve the appearance of risk identification without
actually doing it.
It is important, therefore, that the entire project management team receive
specific training in risk management methodology. This training should
cover not only risk analysis techniques but also the managerial skills
needed to interpret risk assessments, since often project managers—except
for those who are PMP certified—may lack the specific expertise and
experience to identify all the risks of a project without assistance.
In the process of identifying risks, right off the bat, we¹ often advise our
clients to start the process with the internal politics of the project, which
are not least among the areas of uncertainty in any project. It is not atypical
to find some people who want to look good to their bosses, or conversely,
want to keep a low profile, a quiet life, or for some other reason may wish to
conceal the weaknesses in their project plans. The project manager,
contractors, and any internal and external consultants or advisors should
therefore carry out the actual identification of risks as a team effort. The
risk identification function should not be left to chance. It should be
explicitly covered in a number of project documents including but not
limited to:

• Statement of work (SOW),
• Work breakdown structure (WBS),
• Budget,
• Schedule,
• Acquisition plan, and
• Execution plan

As depicted in Figure 6.1, risk management encompasses a proactive
attempt to recognize and manage internal events and external threats
that affect the likelihood of a project’s success.
For example, a constraint in the project of dropping the ball at
Manhattan’s Times Square exactly at midnight of New Year’s Eve is easy
to understand. Human resources constraints are often more complicated
to grasp, such as the availability of skilled staff at the critical phase of the
project. You may object here by saying we are defining a constraint as an
uncertainty, which just goes to prove how clear the thinking has to be if risk
assessment is to succeed.
While that is a topic for chapter seven, it is important to understand
how important risk identification is to the assessment process, and how
each stage relies on the others. So let’s try to be absolutely clear about
what we mean by uncertainty and constraint. If we look at the Webster
dictionary, certainty is defined as “undoubted fact, indubitable prospect,
and a thing in absolute possession, beyond possibility of doubt.” Since the
essence of project management is estimation, this tells us that just about
everything in the project is uncertain. Webster also defines constraint as
“compulsion, confinement.” So in the process of risk identification what we
are trying to do is to identify those areas of the project with the most
severe constraints and the highest uncertainty.

Figure 6.1 - An Overview of the risk management process

¹ At MGCG (www.mgcgusa.com).

When we look at Figure 6.2, which depicts the elements of project
success, the three circles indicate the most important quality
measurements of a project. Among these, the most important measurement is
meeting the customer’s requirements, and risk assessment and mitigation
is a key process to attain that goal. How many projects do we know
where the team has not bothered with ensuring that customers understand
what is proposed, but has got on with the interesting part of the
project – actually implementing it?

Figure 6.2 - Elements of Project Success

A key task of risk management, therefore, requires you to identify
potential risks, anything that can possibly harm or have a negative impact
on the project. Effective and proactive risk managers generally approach
this quest for potential risk identification from two distinct angles:

• Source analysis – where they seek to look at the potential sources
of risk
• Problem analysis – where they look at specific individual problems
that could arise.

Identifying Risks
There are a number of methods in use today for risk identification.
Comprehensive databases of the events on past projects are very helpful,
but this information frequently lies buried in people’s heads, and access
to it involves brainstorming sessions by the project team or a significant
subset of it. In addition to technical expertise and experience, personal
contacts and group dynamics are keys to successful risk identification.
There are many techniques to conduct risk identification. Two often-
used approaches are:

• To identify the root causes of risks—that is, identify the
undesirable events or things that can go wrong and then identify the
potential impacts on the project of each such event
• To identify all the essential functions that the project must
perform or goals that it must reach to be considered successful and
then identify all the possible modes by which these functions
might fail to perform.

Both approaches can work, but the project team may find it easier to
identify all the factors that are critical to success, and then work backward
to identify the things that can go wrong with each one. Project team
participation and face-to-face interaction are needed in this process to
encourage open communication and trust. Without them, team members will be
reluctant to raise their risk concerns in an open forum. While typically
smaller in size, specialized teams are often capable of performing risk
assessment and analysis. Do not forget, however, that ongoing risk
identification will also require input from the entire project team and
from stakeholders.
It is best then, as the first step in identifying risks, to consider the
project’s strategies and activities and then ask these very important
questions: What can go wrong? What types of failures or events could
negatively affect this strategy, initiative, activity, or product? Can you
think of some of the potential answers to these questions? Answers may
include some of these:

• Government or regulatory actions, which would include but
not be limited to changes to laws or to tax, trade, or economic
policy;
• Hostile human action, such as theft, embezzlement, or other
crimes;
• Human errors or failures, for instance, inattention or confusion;
• Market and cultural forces, for example, bad publicity or changing
styles;
• Natural or manmade disasters, including earthquakes, storms,
fires, terrorism, wars, and the like;
• Process or product failure, or failure of materials or systems,
and so on.

To identify risks, you must consequently look for the possibility of
these events within each strategy, initiative, process, and activity. The more
familiar you are with the types of risk your project or industry is exposed
to, the more precisely you can identify them. For instance, if your
organization plans to launch a new product or service on the market, it may
be wise to assess how a specific failure, such as a poor scope definition,
could generate various risks.
The risk identification process does not happen in isolation.
On the contrary, it is a very interactive process. As the project execution
advances, more information will be gained about the project, which will
impact early risk identification and assessment, and risk statements
may be adjusted to reflect the current situation. For instance, you may have
identified a risk for a task scheduled to be completed during the winter
months, due to snowstorms, low temperatures and other weather-related
conditions. But if for whatever reason the project is delayed, causing the
task to be executed during the fall season, the risk event associated with
this task may change, forcing you to adapt. New risks will be
identified as the project progresses through the life cycle.
The risk assessment process, on the other hand, can vary. You may
develop one to assess program management risks, or to support an
investment decision, analysis of alternatives, and assessments of
operational or strategic costs, or even the cost of uncertainty. Hence, when
planning the risk identification process, you must match the type of
assessment required to support risk-informed decision-making. For example,
if you are conducting a plant maintenance program, the first step to take is
to identify the goals and objectives for the maintenance program in an
effort to foster a common understanding across the maintenance team of what
is needed for the program to succeed. This not only gives context to the
entire process, but also bounds the scope of your program, by which risks
are identified and assessed.
A poorly defined scope might, for instance, lead to risk of financial
losses, because of money already invested in the project. It can also cause
regulatory risks, because of laws regarding project claims, or even legal
risks, due to project-liability suits. Your project, and organization, can
even be exposed to reputational risk, as your company’s brands may
be at risk as well.
Risk identification is, therefore, as depicted in Figure 6.3, the most
critical first step of the risk management process. The subsequent chapters
will cover the other three main steps—risk assessment, response and
monitoring—in more detail, but for now, let’s focus on the identification
process.
As discussed earlier in this chapter, there are multiple sources of risk.
When attempting to identify risk events, you should make sure to review the
project scope, cost estimates, schedule—the so-called triple constraint of any
project. Also, make sure to include an evaluation of the critical path,
technical requirements and maturity, key performance indicators, performance
challenges, stakeholder expectations versus current plan, external and
internal dependencies, implementation challenges, integration,
interoperability, supportability, supply-chain vulnerabilities, ability to
handle threats, cost deviations, test event expectations, safety, security,
and more. In addition, historical data from similar projects, stakeholder
interviews, and risk lists provide valuable insight into areas for
consideration of risk.

Figure 6.3 - Risk Management Process

Risk Identification Process


Risk identification is a key component of a robust project management
framework. It should be performed early in the project, during the
project initiation phase, even before the preliminary concept is approved,
and should continue until the project is completed. In the absence of a risk
identification process, project managers are unable to effectively manage
all key risks and demonstrate whether they are in control of the project
execution.
Risk identification is not an exact science and therefore should be
an ongoing process throughout the project, especially as it enters a new
phase and as new personnel and contractors bring different experiences
and viewpoints to risk identification. For this reason, project managers
should ensure that the project risk management plan undergoes periodic
updates.
Every project manager should expect projects to be in control of
significant risks. This means understanding the risk profile and identifying
and assessing the significant risks contained within it. Where there is a
consensus that risks are under control, there should also be control
processes that are documented, appropriate, and work consistently and
effectively. Where risks have been assessed as not being under control, the
factors contributing to this are known and plans to manage them are in place.
An effective risk identification process should:

• Be systematic, disciplined and documented. It should be
methodical and well organized, and in a format that is capable
of being communicated and understood by all project stakeholders
and sponsors.
• Ensure that the project organization is aware of its major risks
at any point in time, and include elements to update the project
organization’s understanding of risk on an ongoing basis,
such as key indicators, as discussed later in this chapter.
• Identify all types of risks associated with major components
and controls currently in place, from all sources, across the
entire scope of the project’s activities, as shown in Figure 6.4.
• Identify risks around opportunities as well as threats, to increase
the organization’s chance of augmenting the benefit of those
opportunities when they arise.
• Identify the significant risks to the achievement of its business
objectives.

Figure 6.4 - Risk identification should happen at all levels

During the risk identification process, it is also worth considering:

• Focusing on the root causes and influencing factors of risk
events, both internal and external, as well as their effects and
outcomes, such as financial, operational, reputational, etc.
• Looking forward, as well as drawing on past experience, by
including elements such as horizon scanning.

The risk identification process typically relies heavily on
brainstorming, where rules such as those listed below usually apply:

• All potential risks identified by brainstorming should be
documented
• Any potential risk identified by anyone should be recorded,
regardless of whether other members of the group consider it
to be significant
• No criticism of any suggestion is permitted
• Potential risks should be identified by all members of the project
team
• The full project team should be actively involved
• Very importantly, the objective of risk identification is to identify
all possible risks, not to eliminate risks from consideration or to
develop solutions for mitigating risks—those functions are carried
out during the risk assessment and risk mitigation stages.
• The risk identification process needs to be repeated as these
sources of information change and new information becomes
available.

Some of the documentation and materials that should be used in
risk identification as they become available include these:

• Sponsor mission, objectives, and strategy; and project goals to
achieve this strategy
• Scope of Work (SOW)
• Project justification and cost-effectiveness (project benefits,
present worth, rate of return, etc.)
• Work Breakdown Structure (WBS)
• Project performance specifications and technical specifications
• Project schedule and milestones
• Project financing plan
• Project procurement plan
• Project execution plan
• Project benefits projection
• Project cost estimate
• Project environmental impact statement
• Regulations and congressional reports that may affect the project
• News articles about how the project is viewed by regulators,
politicians, and the public, and
• Historical safety performance.

It is very important that you carefully consider the risk categorization
that you adopt. The right risk categories will aid effective, systematic
and comprehensive risk identification. Hence, when categorizing
risk, you should understand how its categories map to those of the
respective industry. A power generation project will have risk categories
very different from those of aviation or pharmaceutical ones. Make sure to
align your risk categories with those of the industry you are in, as each of
these categories will then form the basis for a more detailed identification
process to ascertain individual risks and their components. Consider
employing a combination of ‘bottom up’ (typically starting with data
analysis, building up into an aggregate view) and ‘top down’ (e.g. starting
with the consideration of influencing factors or risk groups) tools
according to the size and complexity of the project.

Best Practices for Risk Identification


The use of capability evolution to manage risk is a very effective
strategy. For instance, if particular requirements are driving
implementation of capabilities that are high risk due to unique development,
you may decide to discuss the criticality of the requirements with the
stakeholders. It may be that the need could be postponed... Helping
stakeholders and sponsors gauge how much risk—and schedule and cost impact—a
particular capability should assume against the requirements to receive
less risky capabilities sooner is also an important strategy. The following is
a list of the main risk-prone areas in any project:

• Technical feasibility and knowledge – During the risk
identification stage, consider technical feasibility and knowledge of
related implementation successes and failures to assess the risk
of implementing now instead of in the future. If you contemplate
deferring capabilities, take care not to fall into the trap of
postponing ultimate failure by trading near-term easy successes for
a future of multiple high-risk requirements that may be essential
to overall success.
• Key Performance Indicators – An important strategy in the risk
identification process is to work closely with the stakeholders
and sponsors to establish key performance indicators (KPIs).
Overall risk of project cancelation, for example, can be centered
on failure to meet KPIs. Work with the stakeholders and sponsors
to ensure the parameters are responsive to project needs
and technically feasible.
The parameters should not be so lenient that they can easily
be met, but not meet the mission need; nor should they be so
stringent that they cannot be met without an extensive effort or
pushing technology—either of which can put a project at risk.
Seek results of past operations, experiments, performance
assessments, and industry implementations to help determine
performance feasibility. Watch out for external and internal
dependencies. Having an overall project perspective can help
project managers, stakeholders, contractors, and partners better
understand risk from dependencies of a project execution
effort.
• Integration and interoperability – Almost always the integration
and operability of the various tasks to be completed will be
a major risk factor. These are forms of dependencies in which
the value of integrating or interoperating has been judged to
override their inherent risks. Techniques such as performance
evaluation and review technique (PERT), critical path method
(CPM), or Monte Carlo, to name a few, can help in planning and
executing a viable path to navigate integration and interoperability
risks.
• Skill level of project team – Another risk event is associated with
the skill level of the project team. The skill or experience level of
the project team, contractors, partners, suppliers, and even
stakeholders can lead to risk events. Be on the lookout for insufficient
skills and reach across the project organization to fill any gaps. In
doing so, help educate team members at the same time you are
bringing project execution skills and experience to bear.
• Cost risks – Project planning should always include contingency
funds that account for the main risks identified in the project.
As the team identifies and refines the project’s technical and
other risks, the associated cost estimates should evolve as well.
In other words, a risk event that has not been triggered can have
its costs increased or decreased depending on internal or external
events. Risk cost estimation is not a one-time activity.
• Condition-If-Then construct – A great protocol for developing
risk statements, as depicted in Figure 6.5, is the Condition-If-Then
construct. This protocol applies to risk management processes
designed for almost any environment. It is a recognition that a
risk, by its nature, is probabilistic or deterministic, and one that,
if it occurs, has unwanted consequences.
The Condition-If-Then construct reflects what is known
today. It is the root cause of the identified risk event. Hence, the
Condition is an event that has occurred, is presently occurring,
or will occur with certainty. Risk events are future events that
may occur because of the Condition present.
For example, If is the risk event associated with the Condition
present. It is critically important to recognize the If and
the Condition as a dual. When examined jointly, there may be
ways to directly intervene or remedy the risk event’s underlying
root (Condition) such that the consequences from this event, if
it occurs, no longer threaten the project. The If is the probabilistic
portion of the risk statement.
The Then is the consequence, or set of consequences, that
will impact the execution of the project if the risk event occurs.

Figure 6.5 - An example of a Condition-If-Then construct

• Historical data – Historical information about the project or
similar past projects can act as a guide to risk identification.
Historical information from similar projects can provide valuable
insight into future risks. Seek out information about operational
challenges and risks in various operation lessons learned,
after action reports, exercise summaries, and experimentation
results. Sponsors and stakeholders often have repositories of
these to access.
