• Project Manager: acts as the chairperson and facilitates the risk assessment meeting
• Project Team: the project manager must assign members of the project team the roles of recorder and timekeeper
• Key Stakeholders: those identified that may bring value in the identification of project risks and/or mitigation and avoidance strategies
• Subject Matter Experts: those identified that may specialize in a certain project activity but are not formally assigned to the project but may add value
• Project Sponsor: may participate depending on the size and scope of the project
Common Phases of Risk Assessment
In many projects, risks are identified and analyzed in a random, brainstorming, fashion. This is often fatal to the success of the project, as unexpected risks arise, which have not been assessed or planned for and have to be dealt with on an emergency basis, rather than be prepared for and defended against in a planned, measured, manner. It is essential that potential risks are identified, categorized, evaluated & documented. Rather than look at each risk independently and randomly, it is much more effective to identify risks and then group them into categories, or, to draw up a list of categories and then to identify potential risks within each category. In general, the following are the usually followed phases in Risk Assessment.
Before plunging into risk assessment, the project manager will have compiled a list of risks from previous project experiences. These will be reviewed at the beginning of the project as a way to identify some common risks. This will also give an insight to the members to predict possible risks. While there are many methods for identifying risks, the Crawford Slip method is very common and effective. Each risk identified and discussed should be stated in a complete sentence which states the cause of the risk, the risk, and the affect that the risk has on the project.
Categorize and Group Duplicates
Categorizing risks is a way to systematically identify the risks and provide a foundation for awareness, understanding and action. Each project will have its own structure and differences. Categorization makes it easy to identify duplicate risks and acts as to trigger for determining additional risks. The most common, easy and the most effective method for this is to post the sticky notes on a large board where the manager has posted categories. The participants then put their risks on the board beneath the appropriate category. As they identify duplicate risks they stick the duplicates on top of the other. The project manager then discusses the risks identified under each category with the participants. All the risks identified, categorized should be documented for the approval of all stakeholders.
Qualify Risks (Assign Probability and Impact to Each Risk)
The key questions to assess any risk in projects are: • What is the risk – how will I recognize it if it becomes a reality?
• What is the probability of it happening – high, medium or low?
• How serious a threat does it pose to the project – high, medium or low?
• What are the signals or triggers that we should be looking out for? A risk assessed as highly likely to happen and as having a high impact on the project will obviously need closer attention than a risk that is low in terms of both probability and impact.
Determine Risk Response
For the risks which have been identified with a high risk score, the participants will determine the triggers or causes and identify responses. Responses may include:
• Adding the risk to the project plan and scheduling for it.
• Adding funding to the project to mitigate any potential increase in costs,
• Adding resources to the project to mitigate any potential shortage in assigned resources;
• Developing a course of action for avoiding the risk.
Documentation of Risks
The Project Manager will enter all the risks, probability-impact scores, and responses and maintain a document to explain all risks. The high scoring risks will be added to the Project Management Plan. This document will also be included as an appendix to the Project Management Plan. Additionally, the risks with a high score will be added to the project schedule as a method to track the risk at the correct time. Although these risks are added to the schedule, the schedule itself is not necessarily changed. This step is to provide awareness and visibility to the participants of all high scoring risks throughout the project’s lifecycle.
The last thing that any project will want to face is risks. Projects are designed to take advantage of resources and opportunities and with these, come uncertainty, challenges and risk.