For many project teams out there in various organizations, risk identification is just another process that we accomplish in order to keep risk from undermining our project management efforts. It becomes, for certain people, a component of a methodology that we deal with, not unlike a repetitive aspect of a routine. That is when risk identification loses its value. Why do we often underestimate the importance of the time that we spend doing a good and thorough job at risk identification? More importantly, why do most of us not recognize the importance of setting the proper tone for risk management via a well-attended and well-performed risk identification session?
One of the putting in perspective questions that I always ask when performing a risk audit for an organization is if we plan for risk on the projects with a structured risk identification process supported by the right number of tools, techniques, and time. I am quite surprised to hear over and over that the extent of our risk identification is often limited to talking to some of the stakeholders, cursively reviewing our documentation, and having some sessions with the team. I even have some organizations that tell me that in order not to “panic” stakeholders, they go out of their way to leave the risk planning to the team which performs this in isolation. Wow…
In order to set the tone for risk management on any project, most teams will depend on how well they’ve accomplished and how thorough their risk identification process was. Part of planning any project should involve a good amount of time, reflecting on the project within the context of risk. That is what risk identification does. It makes us focus on the project through the lenses of risk. When we look at our project this way, it is certain that different things will come to the surface.
So how should we perform risk identification?
I personally love risk identification as a process. It is and always will be my favorite process in risk management. Not only does it allow me a chance to talk to a lot of folks, but it also allows me a chance to learn more about the project from everyone’s point of view. Once we have a risk management plan in place to guide our efforts overall and to communicate to our stakeholders how we’re going to go about dealing with risks in the project; the next step is to actually start the discussion and the work around the risks themselves.
Risk identification involves, in my opinion, three levels of review of the risks. Let’s see each of these and what is involved with performing this key process.
1. Examining our risks via the review of project documentation.
The team will, in the first stage, go through our established set of documentation for the project as well as any historical information gathered from previous similar projects. Pulling up a past project risk register or issue log goes a long way towards the understanding of what we might be facing for our current project. The purpose is to give us the first cut at our risk register, which we will then need to corroborate and add to with the help of our stakeholders.
2. With a segment, representative of our stakeholder makeup on the project, review what the organization thinks of this project from a risk perspective.
This is, to me, the fun part and the crucial step, through focus groups, brainstorming, brainwriting sessions, or even one on one interviews, we ask our stakeholders to provide us with their perspective of risk. We don’t leave the team alone in isolation to come up with a view of risks for the project; we go directly to our source: the stakeholders. I am always amazed at what comes out of these sessions and how little I know about the project. The wider the net that you cast here, the more varied the view you will get and the more chances you will have to tackle some of the most hidden risks.
3. Finally compile our information into a risk register with our initial findings, ready for further assessment and analysis.
If you have done your job right, by this last stage you have a pretty solid and sturdy risk register which can support your project going forward.
Where do we miss the mark?
From my experience, many people skip or skim on the second step of this process. To get a good sense of risk, you do have to ask more than just your Sponsor or your team; you have to involve a wider group of stakeholders who will each see the project from a different angle or perspective. We need to be able to see through their eyes to clearly identify the risks and potentially help us plan on how to handle them better if they are to materialize. In some dark corner is where risks can lie undetected until it is too late. In planning this way, you give yourself a chance to be proactive about risks.
Another key factor in doing risk identification this way is that it will promote discussion and support a more open risk culture within the organization. From project to project, you will open your stakeholders to the idea that risks are as any other part of a project, they can be planned, monitored, and controlled as part of our project delivery. This will lead to better plans and ultimately to success.
So, the next time you discuss your risk identification efforts, make sure you give that important process the time that it truly needs to be effective.