Professional Documents
Culture Documents
Identifying Risk
Identifying Risk
Identifying Risk
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
Overview
The main goal of the risk identification process is to identify risk
events as early as possible. This is a continuous process as internal and
external factors are always at the play and can potentially impacting your
project in a negative way, compromising the project’s ability to achieve per-
formance or capability outcome goals.
Risk assessment, however, is difficult! Assessing the risk of a project
is one of the most difficult phases to carry out in the entire project. Such
task of ensuring that adequate and timely risk identification is performed
is the responsibility of the project manager, but also of stakeholders. The
sooner risks are identified, the sooner plans can be made to mitigate or
manage them. Assigning the risk identification process to a contractor or
an individual member of the project staff is rarely successful and should be
considered as a way to achieve the appearance of risk identification without
actually doing it.
It is important, therefore, that all project management team receive
specific training in risk management methodology. This training should
cover not only risk analysis techniques but also the managerial skills
35
needed to interpret risk assessments since often project managers—except
for those whom are PMP certified—may lack the specific expertise and
experience to identify all the risks of a project without assistance.
In the process of identifying risks, right off bet, we often advise our
clients to start the process with the internal politics of the project, which
1
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
are not least among the areas of uncertainty in any project. It is not atypical
to find some people who want to look good to their bosses, or conversely,
want to keep a low profile, a quiet life, or for some other reason may wish to
conceal the weaknesses in their project plans. The project manager, contrac-
tors, and any internal and external consultants or advisors should therefore,
carry out the actual identification of risks as a team effort. The risk identifi-
cation function should not be left to chance. It should be explicitly covered
in a number of project documents including but not limited to:
1
At MGCG (www.mgcgusa.com).
36
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
Figure 6.1 - An Overview of the risk management process
each stage relies on each other. So let’s try to be absolutely clear of what we
mean by uncertainty and constraint. If we look at the Webster dictionary,
certainty is defined as “undoubted fact, indubitable prospect, and a thing
in absolute possession, beyond possibility of doubt.” Since the essence of
project management is estimation, this tells us that just about everything
in the project are uncertain. The Webster also defines constraint as “com-
pulsion, confinement.” So in the process of risk identification what we are
trying to do is to attempt to identify those areas of the project with the most
severe constraints and the highest uncertainty.
When we look at Figure 6.2, which depicts the elements of project
success, the three circles indicate the most important quality measure-
ments of a project. Among these, the most important measurement is
meeting the customer’s requirements, and risk assessment and mitigation
37
is a key process to attain that goal. How many projects do we know
where the team has not bothered with ensuring that customers under-
stand what is proposed, but has got on with the interesting part of the
project – actually implementing it?
A key task of risk management, therefore, requires you to identify
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
potential risks, anything that can possibly harm or have a negative impact
on the project. Effective and pro-active risk managers generally approach
this quest for potential risk identification from two distinct angles:
Identifying Risks
There are a number of methods in use today for risk identification.
Comprehensive databases of the events on past projects are very helpful,
but this information frequently lies buried in people’s heads, and access
to it involves brainstorming sessions by the project team or a significant
subset of it. In addition to technical expertise and experience, personal con-
tacts and group dynamics are keys to successful risk identification.
There are many techniques to conduct risk identification. Two often-
used approaches are:
Both approaches can work, but the project team may find it easier to
identify all the factors that are critical to success, and then work backward
38
to identify the things that can go wrong with each one. Project team partici-
pation and face-to-face interaction is needed in this process to encourage
open communication and trust. Without it, team members will be reluctant
to raise their risk concerns in an open forum. While typically smaller in
size, specialized teams are often capable of performing risk assessment and
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
analysis. Do not forget, however, that ongoing risk identification will also
require input from the entire project team and from stakeholders.
It is best then, as the first step in identifying risks, to consider the
project’s strategies and activities and then ask these very important ques-
tions: What can go wrong? What types of failures or events could nega-
tively affect this strategy, initiative, activity, or product? Can you think of
some of the potential answers to these questions? Answers may include
some of these:
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
conditions. But if for whatever reason the project is delayed, causing the
task to be executed during the fall season, the risk event associated with
this task may change, and therefore, forces you to adapt. New risks will be
identified as the project progresses through the life cycle.
Risk assessment process on the other hand can be varied. You may
develop one to assess program management risks, or to support an invest-
ment decision, analysis of alternatives, and assessments of operational or
strategic costs, or even the cost of uncertainty. Hence, when planning the risk
identification process, you must match the type of assessment required to
support risk-informed decision-making. For example, if you are conducting
a plant maintenance program, the first step to take is to identify the goals and
objectives for the maintenance program in an effort to foster a common under-
standing across the maintenance team of what is needed for the program to
success. This not only gives context to the entire process, but also bounds the
scope of your program, by which risks are identified and assessed.
A poorly defined scope might, for instance, lead to risk of financial
losses, because of money already invested in the project. It can also cause
regulatory risks, because of laws regarding project claims, or even legal
risks, due to project-liability suits. Your project, and organization, can actu-
ally be exposed to even reputational risk, as your company’s brands may
be at risk as well.
Risk identification is, therefore, as depicted in Figure 6.3, the most
critical first step of the risk management process. The subsequent chapters
will cover the other three main steps—risk assessment, response and moni-
toring—in more details, but for now, let’s focus on the identification process.
As discussed earlier in this chapter, there are multiple sources of risk.
When attempting to identify risk events, you should make sure to review the
project scope, cost estimates, schedule—the so-called triple constraint of any
project. Also, makes sure to include an evaluation of the critical path, tech-
nical requirements and maturity, key performance indicators, performance
challenges, stakeholder expectations versus current plan, external and internal
40
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
Figure 6.3 - Risk Management Process
41
and should continue until the project is completed. In the absence of a risk
identification process, project managers are unable to effectively manage
all key risks and demonstrate whether they are in control of the project
execution.
Risk identification is not an exact science and therefore should be
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
an ongoing process throughout the project, especially as it enters a new
phase and as new personnel, and contractors bring different experiences
and viewpoints to risk identification. For this reason, project managers
should ensure that the project risk management plan undergoes periodic
updates.
Every project manager should expect projects to be in control of sig-
nificant risks. This means understanding the risk profile and identifying
and assessing the significant risks contained within it. Where there is a con-
sensus that risks are under control, there should also be control processes
that are documented, appropriate, and work consistently and effectively.
Where risks have been assessed as not being under control, the factors con-
tributing to this are known and plans to manage them are in place.
An effective risk identification process should:
42
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
Figure 6.4 - Risk identification should happen at all levels
43
• Very important, the objective of risk identification is to identify
all possible risks, not to eliminate risks from consideration or to
develop solutions for mitigating risks—those functions are car-
ried out during the risk assessment and risk mitigation stage.
• The risk identification process needs to be repeated as these
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
sources of information change and new information becomes
available.
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
ation of influencing factors or risk groups) tools according to the size and
complexity of the project.
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
sessments, and industry implementations to help determine
performance feasibility. Watch out for external and internal
dependencies. Having an overall project perspective can help
project managers, stakeholders, contractors, and partners, bet-
ter understand risk from dependencies of a project execution
effort.
• Integration and interoperability – Almost always the integra-
tion and operability of the various tasks to be completed will be
a major risk factor. These are forms of dependencies in which
the value of integrating or interoperating has been judged to
override their inherent risks. Techniques such as performance
evaluation and review technique (PERT), critical path method
(CPM), or Monte Carlo, to name a few, can help in planning and
executing a viable path to navigate integration and interoper-
ability risks.
• Skill level of project team – Another risk event is associated with
the skill level of the project team. The skill or experience level of
the project team, contractors, partners, suppliers, and even stake-
holders can lead to risk events. Be on the lookout for insufficient
skills and reach across the project organization to fill any gaps. In
doing so, help educate team members at the same time you are
bringing project execution skills and experience to bear.
• Cost risks – Project planning should always include co tangen-
cy funds that account for the main risks identified in the proj-
ect. As the team identifies and refine the project’s technical and
other risks, the associated costs estimated should evolve as well.
In other words, a risk event that has not been triggered can have
its costs increased or decreased depending on internal or exter-
nal events. Risk cost estimation is not a one-time activity.
• Condition-If-Then construct – A great protocol for developing
risk statements, as depicted in Figure 6.5, is the Condition-If-Then
46
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
Figure 6.5 - An example of a Condition-If-Then construct
47
• Historical data – Historical information about the project or
similar past projects can act as a guide to risk identification.
Historical information from similar projects can provide valu-
able insight into future risks. Seek out information about opera-
tional challenges and risks in various operation lessons learned,
Downloaded from https://asmedigitalcollection.asme.org/ebooks/chapter-pdf/2807211/860236_ch6.pdf by University Of Hong Kong Libraries user on 25 October 2019
after action reports, exercise summaries, and experimentation
results. Sponsors and stakeholders often have repositories of
these to access.
48