Whether or not your organization has established the risk thresholds and tolerances necessary to succeed in risk management, you always have the option of establishing them for your own project.  As discussed in the earlier blog in this series, the key is knowing what you can and cannot tolerate as a project organization.  One client I used to work with had a brilliant approach to this.  In the project charter, they would clearly delineate the “kill criteria” for every project.  They would lay out specific criteria under which the project would be sent to management for review for termination.  In my mind, that was, perhaps, the single most brilliant inclusion in every project they ever did.  There was no ambiguity.  Every project had a time to be born…and a time to die.  Ideally, that would be upon completion, but if not, everyone understood.

In establishing risk practices for our projects, a critical consideration is creating risk practices that may or may not echo what’s being done at an organizational level.  Then, we can get down to the brass tacks of establishing the day-to-day protocols that will ensure we’re covering risk well.  Specifically, in this component of the series, we’re going to look at the first process of risk identification.

What Risk Identification is NOT

Risk identification is not the whole practice of risk management.  It’s a small, significant first step.  I weep for organizations that do risk identification and then color themselves as “done” with risk management.  They are FAR from done.  They have only tackled the critical second step.  (Second only to establishing the risk tolerances and thresholds).  Still, risk identification needs to happen as vital to project success.

Risk identification is also not purely the identification of the one-off or exotic risks.  While terrorism, tsunamis, and tornados are real concerns, they are not what bring most projects down.  Most projects die in very small increments. They die from what most people would consider mundane or lesser risks.  Risks like “the project requirements may be unclear, leading to mis-delivery” are far more likely to bury a project than risks like “the project may be swallowed into a giant chasm after an earthquake.”  Risk identification is at its best when no risks are discounted or disallowed.  And risk identification is best when there are a wide range of participants with a wide range of experience.  The veterans know what to look for.  The fresh faces bring fresh ideas.

Risk is also not one-word answers.  There are frequently individuals who cite categories of risk as risk events.  Weather is not a risk.  Time is not a risk.  Those are categories of risk.

When attempting to manage risk, risk events are best described as full sentences.  Citing both cause and effect, risk events need to include both the bad thing(s) that may happen and the impact they may cause.

What Risk Identification IS

Risk identification is a team sport.  It requires the input of a variety of people from a variety of backgrounds.  Because I grew up in Ohio, I think of tornados.  Someone who grew up in California might think earthquakes.  Someone who has been tormented by a difficult customer might think of customer abuse.  By drawing in a broad array of players, we build a broad array of potential risks identified.

Because we have a variety of personalities involved, risk identification needs to draw on different approaches in order to be successful.  Processes like brainstorming that draw out only the extroverted players are not nearly as effective as processes that engage a broader audience.

Best bets?  Consider paper-driven processes like Nominal Group Technique (silent brainstorming on paper) or the Crawford Slip (a brainstorm where each person writes down one idea per minute for a specific period of time).  Why those?  They promote contributions from everyone.  They create a paper trail.  They discourage whining.  They allow people to share risks openly without fear of reprisal. Those are incredibly powerful tools, and relatively easy to implement.

They also allow for the rapid generation of ideas.  Risk identification doesn’t have to take days or even hours.  Executed properly and with a wide range of players, risk identification can happen with an investment of under 30 minutes and still have meaning.  With the right rules and the right players, this crucial second step brings a project much, much closer to effective risk management.

Carl Pritchard, PMP, PMI-RMP

Studying for the PMP?  Have a Windows8 device?  Consider the “PMP4U” app from the Windows app store.