If you Google ‘why projects fail’ you’ll get several pages of articles and resources, including 5 Reasons Why Project Work Plans Fail and How to Avoid Them here on Wrike. Many of the reasons are procedural, relating to scope definition, methodology, and communication, for example, but there is a common theme: an inadequate risk identification process.
Poor risk management isn’t just an issue that impacts big businesses. Smaller businesses are prone to the same types of mistakes and their consequences, which can be just as (if not more) catastrophic for them. Project risk identification is not just for enterprises but a practice that should sit at the core of any business’ modus operandi.
What is risk management?
Risk management is the process of identifying, tracking, and managing potential risks that can impact the overall health and reputation of a business. The Association for Project Management (APM) in the UK describes it well: “Risk analysis and risk management is a process that allows individual risk events and overall risk to be understood and managed proactively, optimizing success by minimizing threats and maximizing opportunities and outcomes.”
Without buy-in from the top, proper stakeholder engagement, and a disciplined approach to risk identification and management, a project will carry a higher risk of failure.
The lesson here is to tackle risk at the very start of a project and let your learnings inform decisions relative to scope, process, and resourcing. Consider issues that come up time and again across projects, such as fixed price contract risk, or risk related to certain times of year for customers. Our How to Make a Risk Management Plan article covers this and includes examples you can refer to.
Remember this too — risk management is not just a process but about culture as well. As Tom Wilson, Allianz Chief Risk Officer, reminds us: “Risk management is a culture, not a cult. It only works if everyone lives it, not if it's practiced by a few high priests.”
On a higher note, there are also risks that can benefit a project, for example, a potential change in an organization’s policy that would remove red tape and save you time. These are typically referred to as opportunities, while negative risks are referred to as threats. You can learn more about this by reading our What Are Positive Risks in Project Management? post.
What is the risk identification life cycle and process?
Diving deeper, we find risk identification, which is the first step of the risk management process. We’ve described step one in our Project Risk Assessment guide: "Create a list of every possible risk and opportunity you can think of. If you only focus on the threats, you could miss out on the chance to deliver unexpected value to the customer or client."
Notice how the latter part of the definition makes a strong case for including positive risks in your planning — take every opportunity to delight stakeholders.
So, how do you go about identifying risks? There are different frameworks for this, and you should choose one that best fits your organization's working practices and resourcing. The Project Management Institute (PMI), for example, published a comprehensive guide that explains its model in detail. This may be overkill if you’re working on a simple project or within a small organization, but it is worth understanding nevertheless.
Let’s consider context first. Much like a project within a project, the risk identification life cycle is a process that delivers key elements of an overall risk management plan. The Risk Identification process itself follows a defined structure and is elaborated progressively through six stages:
- Template specification
- Basic identification
- Detailed identification
- External cross-check
- Internal cross-check
- Statement finalization
How to identify risks in project management
For brevity, we’ll focus on the initial three steps as they cover risk identification specifically (while the remaining steps are about validating and formalizing findings against the overall project’s scope).
Template specification: This is a risk statement based on feedback about causes, effects, impacts, areas of risk, and events. A structured template helps you capture this in a consistent way.
Basic identification: This step answers two questions about potential risks: why or why not us, and whether they have been experienced before. The former can be captured via a SWOT analysis exercise, while the latter is a statement, ideally referenced from a project post-mortem or lessons-learned library.
Detailed identification: This step is more time-consuming than the previous ones but also delivers the detail you need to properly assess risk. PMI identifies five tools to use:
- Assumptions analysis
- Document reviews
- Delphi technique
Once you’ve completed these steps you’ll need to categorize risk in the next one — the External cross-check step. We’ve covered this in our Understanding Risk Breakdown Structure article.
Step five is the Internal Cross-check which maps risks to corresponding elements in the scope of work. At this point you will start forming a view of what project elements are riskier than others, and what mitigation strategies to adopt.
The final step, Statement Finalization, packages findings in a series of diagrams covering risky areas, causes, and impacts.
Tip: Use a tool like Wrike to maintain a risk register spanning all of your projects which you can refer to whenever you start a new one.
Risk identification example
Here are a couple of examples, the first one based on PMI’s methodology outlined above and the second one captured in an online risk register.
Risk identification example 1
Risk identification example 2
The two examples are not necessarily alternative approaches. Rather, the first one is a sample risk identification template, and the second one is a risk register holding the same information.
By using an online project management tool it becomes much easier to manage both processes and give visibility to stakeholders.
How to make a risk management plan
Think of the risks you have identified as the foundation blocks of your risk management plan, which typically includes the following elements:
- Risk identification
- Risk evaluation
- Assignment of risk ownership to project team members
- Risk responses
- Plan to constantly monitor for new risks and address them appropriately
By the time you have completed the risk identification step, you will be able to refer back to detailed information for each risk to evaluate it, assign ownership, and determine responses.
Work doesn’t stop once you’ve done that. As the project progresses, you’ll need to monitor for and identify new risks. Risk ownership plays an important role here too, so make sure you’ve defined processes for communication and escalation. This brings us to the next question: who should oversee risk?
Who should oversee risk?
Large organizations appoint risk managers at the C-suite level and often form risk committees with representatives from different departments, who report back to the CEO and the Board. Large organizations will have their risk governance regularly audited by external parties too.
The model becomes increasingly ‘risk governance lite’ for smaller businesses but project risk identification and management should always be a priority.
It’s good practice to assign responsibilities at the very start of a project, mapping roles with responsibilities. Here’s what this could look like for larger organizations.
- Project sponsor
Has overall responsibility for a project, has a view of the risk management plan, and signs off on it.
- Project manager
Has overall responsibility for risk management, including communication and escalation.
- Risk owner
This could be a member of the project team, or a stakeholder who isn’t part of it but is nevertheless the owner of individual risks.
- Risk Committee
Has a view of risk across every project of an organization.
In smaller organizations, you’ll see business owners wearing the project sponsor hat, and these organizations are less likely to have risk committees too. The more diligent ones will cover risk just as effectively by streamlining the process.
Risk identification template
A template to list and analyze risks is an easy way to ensure you and your stakeholders are on the same page. With Wrike's Project Risk Analysis Template, your team can quickly and easily identify potential risks and their scope, mitigate risks by prioritizing certain tasks, and implement RAID (risks, assumptions, issues, and dependencies) logs into your workflow.
Wrike's template comes with pre-built request forms to help you create detailed RAID entries when they arise. As you can see from the table above, each risk, along with its impact, probability, and proximity scores, is listed in one place, so your team can capture and mitigate risks at a glance.
Using Wrike to manage (and mitigate) risks
Risk management is a critical and substantial component of project management. It can be an expensive exercise too if you consider that it can eat up to 20% of the total project’s time.
It’s therefore surprising to learn that many larger organizations rely on outdated tools like documents, spreadsheets, and emails to manage risk. This presents all kinds of risks if you think about it. How many times has a file gone missing or an older version been updated and circulated?
By using a modern, versatile, and powerful project management tool like Wrike you gain efficiency and reduce risk at the same time. Here’s how:
- Your risk identification and management process is centralized and easily accessible
- You can design workflows to facilitate steps in your risk management plans
- You can add multiple levels of categorization and tagging to risks to search them across multiple projects
- You get alerted of the more critical and high priority risks
- You’re always up to date and can run reports at the touch of a button
- You communicate and collaborate in real-time
If this looks like a more streamlined approach than what you’ve currently got, then you really need to consider Wrike for your next project. Get started today with a free two-week trial and learn how Wrike can help manage project risks of all sizes.