Identifying risks is everyone’s job and, thus, is covered on the PMP Certification Exam. Even though the risk management plan defines roles and responsibilities for risk management, everyone should be on the lookout for events that could negatively affect the project as well as opportunities to improve project performance. Think about it as a sailor in a crow’s nest with a telescope, constantly sweeping the horizon for perils.
Identify Risks. Determining which risks may affect the project and documenting their characteristics.
Risk identification and the subsequent analysis and response take place throughout the project.
Identify Risks: Inputs
To do a thorough job in identifying risks, you need to look at all the elements in the project management plan and all the other project documents as well as environmental factors associated with the project.
Planning takes place throughout the project, as does risk management. Not all project management plan components or project documents are available at the beginning of the project. As they become available, though, they should be referenced for sources of risk.
The four categories of documents you can look at are
Project management plan elements
Project documents
Enterprise environmental factors (EEFs)
Organizational process assets (OPAs)
Here is a list of the relevant information from each category.
Project management plan elements
Risk management plan
Cost management plan
Schedule management plan
Quality management plan
Human resource management plan
Scope baseline
Schedule baseline
Budget
Project documents
Project charter
Stakeholder register
Cost estimates
Duration estimates
Network diagram
Assumption log
Issue log
Performance reports
Earned value reports
Resource requirements
Procurement documents
Enterprise environmental factors (EEFs)
Benchmarks
Industry information
Studies, white papers, and research
Risk attitudes
Organizational process assets (OPAs)
Risk registers from past projects
Lessons learned
This probably seems like quite the laundry list. However, risk can come from any aspect of the project. That’s why it is important to review all project management plan elements, project documents, and the project environment to get a full understanding of the risks on your project.
Identify Risks: Outputs
The risk register is started as an output of this process. However, you will add to it as you analyze your risks and develop responses to them. Initially, you’re documenting your risks.
Documenting a risk statement like, “The budget is at risk” is not acceptable. That gives very little information to work with when addressing the risk. The following risk statements are much better:
Because the cost to install security cameras in a childcare center is greater than anticipated, there is a risk you will overrun the budget.
The city might not approve the plans, thus causing a schedule delay.
A team member might be reassigned to a higher priority project, thus causing a schedule delay.
All risk statements start with the cause and then define the effect. The approach to describing the risk event is different, but both approaches provide something to work with when deciding how to analyze and respond to the risk. At this point in time, you might already know how you’re going to respond to the risk event.
In that case, you can enter a potential response in the risk register. However, it’s a good practice to get a robust list of risks, analyze them, and then develop responses because a group of risks can often be addressed by one response. Your risk register will follow you throughout the rest of the risk management processes.
Risk register. A document in which the results of risk analysis and risk response planning are recorded.
The risk register details all identified risks, including description, category, cause, probability of occurring, impact(s) on objectives, proposed responses, owners, and current status.
The risk management plan describes how risk management will be structured and performed on the project. It is a management document. The risk register keeps track of identified risks, their ranking, responses, and all other information about individual risks. It is a tracking document.
Because you are progressively elaborating your project plan elements and your project documents, you will also progressively elaborate your risk register. As more is known about the project, existing risks can be further elaborated, and new risks will be identified.