Identify project risks

Submitted by coleen.yan@edd… on Wed, 07/27/2022 - 13:30

Effective risk management enables project teams to fix problems before they eventuate. Although technical challenges are a primary concern, risk management must consider all internal and external sources of expense, scheduling and technical risk. Early risk identification is critical because it is usually quicker, less expensive and less disruptive to adjust and correct work efforts during the earlier phases of the project rather than later.

By the end of this topic, you will understand:

  • risks and risk objectives
  • how to identify project risks in the context of the risk management process
  • how to identify project risks by using valid and reliable methods.  

What is a risk?

Risk can be defined as:

  • the possibility that events will occur and affect the achievement of strategy and business objectives
  • a combination of the occurrence of harm and the severity of that harm
  • effect of uncertainty on objectives
  • effect of uncertainty

Risk objectives

Risk management aims to detect potential risks and issues before they arise. Once risks have been identified, you can:

  • make informed decisions to reduce the uncertainty to an acceptable level
  • control the likelihood of events occurring that affect the certainty of achieving objectives
  • reduce the likelihood of negative impacts on the project throughout its life.

Risk management should fix problems that may jeopardise the achievement of project goals. A continuous risk management approach is used to efficiently predict and mitigate the risks that substantially impact a project.

How to identify project risks

Two main stakeholder groups are consulted to identify project risk:

  • Internal stakeholders (top management, the project team, resource managers and internal customers) and
  • External stakeholders (external customers, government, contractors, subcontractors and suppliers etc.).

Ways to identify risks

Project risk can be identified using different techniques. These include interviews, brainstorming, checklists, analysis and diagramming (projectrisk.com):

  • Interviews: Interviews are undertaken with the main stakeholders. Each interview must be planned out with specific questions, and the results of the discussion should be recorded.
  • Brainstorming: Brainstorming is used to identify risks in advance. Questions are posed to a group or team, and the results are documented. Questions may relate to project purpose, timeline, budget, quality or scope.
  • Checklists: Checklists are used to identify the most common risks. They are often updated at the end of a project to include lessons learnt. Checklists are a quick and effective way to address standard risks but do not record specific risks that may not have been addressed in the past or are unique to a particular project.
  • Assumption Analysis: Assumptions are necessities within the project that are often not outlined in project objectives. A lack of documentation around assumptions is often a source of risk within a project. These include the availability of project members, the skills that project members hold, vendor delivery times or the realisation that project schedule dates may change.
  • Cause and Effect Diagrams: Cause and Effect diagrams are a visual tool used to identify the causes of risk and the facts that can give rise to risks. One form of a Cause and Effect diagram is a fishbone diagram, as shown here.

A diagram depicting a fishbone diagram

Risk management standards

Risk management standards provide guidance and best practice strategies to help organisations:

  • identify risks
  • assess risks
  • identify ways to manage risks
  • implement risk control strategies

Standards Australia develop Australian/New Zealand Standards that are voluntary for organisations to follow. There are also international standards that Standards Australia use. Relevant standards for risk management include:

  • AS ISO 31000:2018 – Risk management – guidelines. This Australian Standard provides guidelines for managing the risks faced by organisations, which can be customised to suit the organisation.
  • AS/NZS IEC 3100:2020 – Risk Management – Risk assessment techniques
  • ISO Guide 31073:2009 – Risk Management – Vocabulary. This document defines generic terms related to the management of risks faced by organisations.
  • IEC 62198:2013 Managing risk in projects – Application guidelines. This international standard.

ISO 31000:2018 Standard

Purpose and key elements of risk management standards

ISO 31000:2018 (standards) provides guidelines on managing risk faced by organisations. The standards can be used throughout the life of the organisation and can be applied to any activity, including decision-making at all levels.

The purpose of the standards is to:

  • assist in managing the risks effectively through the application of the risk management process
  • ensure that the information about risks resulting from the risk management process is accurately reported
  • ensure that the information is used as a basis for decision making and accountability at all levels of the business.

The key elements of the standards include the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.

The purpose of the risk management framework is to assist organisations in integrating risk management into significant activities and functions.

The framework includes:

A diagram depicting leadership and commitment framework

Activity: Read the Risk management – Guidelines, including the framework for risk management

https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en

Regardless of the task, a risk factor must be evaluated and calculated to determine threats to a project and ways to mitigate the risk.

A diagram depicting risk management

Project risk management deals with the processes involved in identifying, evaluating and reviewing possible risks and, ultimately, tracking them over the life of a project. Each project has different risks based on the work being conducted.

  1. Requirements, assumptions, constraints
  2. Risk (includes threats and opportunities)
  3. Creates potential positive or negative outcomes

You may not see all potential risks, but planning for as many as possible gives you the greatest chance of success.

Key processes in risk management are the identification of risks, the assessment of risks and then the treatment of the identified risks.

The process aims to determine the following:

  • What could happen, where and when?
  • Why and how could it happen?
  • What might be the results if it happened?
  • What controls are in place to reinforce gains and stop or minimise adverse impacts?
  • How effective are these controls?
  • What is the level of risk?
  • How can we best treat the risk further?

There is not one process or method that must be used for risk assessment and treatment. The type of risk assessment process adopted will depend on the severity of potential risks and their likelihood so that:

  • where there are high levels of risk, a very rigorous risk assessment is required
  • if risk outcomes are less serious or the extent of risk is low, simpler techniques can be used.

Risk management process

The risk management process based on ISO 31000:2009 is documented in the graphic below.

A diagram depicting the risk management process

Communication and consultation within the project team and with stakeholders are key to supporting all parts of the risk management process (broadleaf.com.au).

Monitoring and review

The monitoring and review processes detect whether a project risk has changed and determine the validity of the identified risks. Both monitoring and review are necessary to ensure that an organisation or project operates within its risk criteria.

The context of project risk looks at the external and internal environment that may affect the organisation’s or project’s objectives.

To manage project risks, review the organisation's:

  • external context, including its external stakeholders—its local, national and international environment—and any external factors influencing its objectives.
  • internal context, including its internal stakeholders, approach to governance, contractual relationships, capabilities, culture and standards.

All project activities carry some risk factor, and ambiguity about this could have either a positive or negative effect on the project. A project manager has to consider what danger is likely to arise and what it will affect if it does, such as impacts on the project schedule. Risks may impact project scope, timetable, expense or quality.

Understanding the distinction between business or company risks and project risks is crucial. Company risks are more common and apply to the organisation, while project risks directly relate to the project's aims.

Business risk means uncertainty about income or the risk of loss, as well as incidents arising from unexpected events that may pose a risk in the future and cause the business to fail.

For example, if undertaking a project to construct a stadium, the difference between project and business risk would be:

  • Project risk—The construction cost could be higher than expected due to a rise in the price of materials or labour.
  • Business risk—Even if the stadium is completed on schedule and within budget, it won't make money for the company.

Continuing the example above: during the construction process, a change in health and safety regulations must be addressed and may disrupt the project. The effect of this change to the project in terms of expense, schedule and efficiency must be assessed and may include:

  • Shortage of trained staff due to demand for other construction projects
  • Unexpected inspection and license costs
  • The affected part of the stadium may need to be expedited to finish the project on time.

Organisations and stakeholders must be prepared to consider various levels of risk. This is called the ‘tolerance for threats’. Threats within a project have potentially harmful effects that the project management team should mitigate. If they are balanced, risks that endanger the project will be acknowledged.

Each business will have a defined 'risk tolerance' informed by its legal status and culture.

risk tolerance factors

To successfully manage projects, an organisation must proactively and systematically manage risks and make deliberate decisions about the risk treatment plan.

PESTLE analysis

A PESTLE analysis is a helpful tool used to examine external factors out of a business's control that might impact an organisation in achieving its project objectives.

A diagram depicting PESTLE

  • Political: stability of government, potential changes to legislation, global influence
  • Economic: economic growth, employment rates, monetary policy, consumer confidence
  • Social: income distribution, demographic influence, lifestyle factors
  • Technology: international influences, changes in information, take up rates
  • Legal: taxation policies, employment laws, industry regulations, health and safety
  • Environment: regulations and restrictions, attitudes of customers

Common risk categories

Common categories of risks include:

  • Natural disasters including storms, floods, drought and bushfires
  • Pandemics such as flu or COVID-19
  • Legal risks relate to legal issues that could arise during or after the project, including non-compliance with the law, insurance issues, breach of contracts, being sued
  • Global events, including political issues and restrictions on overseas travel
  • Technology includes cyber security issues, computer failures, hardware or software failures, changes in technology
  • Regulatory and government policy changes such as quarantine restrictions, tax, power or water restrictions
  • Environmental risks include pollution, climate change and chemical spills
  • Work health and safety risks, including injury or illness caused by accidents or an event at work
  • Property and equipment failure or damage caused by power failure, natural disaster, vandalism or robbery
  • Security risks such as theft, fraud, terrorism and cyber security fraud
  • Economic and financial risks caused by changes in global financial events, interest rates, cash flow charges, unexpected costs increasing, customers not paying, unexpected expenses
  • Human resources such as staff strikes, inability to retain existing staff, failure to attract new staff, conflict or performance issues
  • Market changes in preference or new competition
  • Utilities and services include power failure, internet failure, computer or server issues, and telephone interruptions.

Project risks

  • Scope creep occurs when the project scope expands beyond the project's original scope. This can happen when new stakeholders are involved or if the original project goals change.
  • Quality risks are related to the quality of the product or services delivered by the project. The outcome may not meet the specifications, may not be fit for purpose or may not meet the quality goals.
  • High costs are caused when expenditure costs exceed budgeted costs.
  • Schedule risks occur when tasks take longer than planned. This means that estimated durations, dependencies and assumptions are not accurate.
  • Resource risks occur when the resources required to achieve the goal, such as time, finances or skilled workers, are insufficient.
  • Operational changes occur when changes in the business or team result in changes in organisational priorities, structure, team roles and responsibilities.
  • Misunderstanding is caused by miscommunication, unclear scope, responsibilities, and deadlines.

Risk management context

The process of defining the risk management context includes:

  • establishing key information associated with the risk and
  • setting the criteria on how the risk is going to be assessed.

This includes defining the following:

  • goals and objectives of the risk assessment activity
  • scope and parameters of the risk assessment
  • risk assessment approach to be implemented
  • reporting and recording requirements
  • relationship between the risk assessment and other business activities and plans
  • criteria against which risks are to be evaluated, including:
      • how likelihood will be defined
      • the consequences that will be considered
      • what level of risk will require further risk reduction treatment.

A written risk assessment is best broken down into parts or key topics so that risks can be identified one by one, producing a comprehensive list of risks.

Any probable risks must be defined, and a plan for managing those risks established, before a project even begins. One of the best ways to do this is to learn from previous experience, either your own or the organisation's experiences as a whole.

The inputs, tools and techniques, and outputs in identifying project risks are shown in the diagram from the Project Management Institute.

Inputs:

  • Risk management plan
  • Cost management plan
  • Schedule management plan
  • Quality management plan
  • Human resource management plan
  • Scope baseline
  • Activity cost estimates
  • Activity duration estimates
  • Stakeholder register
  • Project documents
  • Procurement documents

Tools and techniques:

  • Documentation reviews
  • Information gathering techniques
  • Checklist analysis
  • Assumptions analysis
  • Diagramming techniques
  • SWOT analysis
  • Expert judgement

Outputs:

  • Risk register

Identify risks: Inputs

A Schedule Management Plan template designed by Ucop.edu outlines the inputs for identifying risks as follows:

Risk management plan

A risk management plan is made up of the following components:

  • Identification of risks
  • Assessment of risks
  • Risk mitigation actions
  • Assignments of roles and responsibilities
  • Categories of risk or risk breakdown structure.

Cost management plan

Cost management provides the process of estimating, allocating and controlling the costs in a project. It allows a business to predict future expenses to reduce the chances of going over the planned budget.

Schedule management plan

The Schedule Management Plan defines how the project schedule is managed throughout the project lifecycle.

Quality management plan

The Quality Management Plan provides guidance on how the project will ensure quality through design reviews, documentation and other protocols.

Human resources management plan

The Human Resources Management Plan ensures the best fit between employees and jobs while avoiding manpower shortages or surpluses throughout the project's lifecycle.

Scope baseline

The Scope Baseline is the collection of scoping documentation, which includes a scope declaration, work breakdown structure (WBS) and its associated WBS dictionary.

Activity cost estimates

Activity cost estimates provide a quantitative assessment of the likely cost of completing scheduled activities.

Activity duration estimates

Activity time estimate reviews are used in identifying risks related to the time allowed for each activity with the range of risks attached to this activity.

Stakeholder register

A stakeholder register identifies the people, groups and organisations that have any interest in the project work and the project outcome.

Project documents

Project documents provide the project team with detail about decisions to better identify project risk. Examples of project documents are the project charter, project schedule, schedule network diagrams, issue log, quality checklist and other information proven valuable in identifying risks.

Procurement documents

If the project requires external procurement of resources, procurement documents become a key input to the risk identification process.

Identify risks: tools and techniques

Documentation reviews

Project documents, including project plans, assumptions, previous project files, agreements, contracts and other information, may be placed under review to minimise risks within a project. A project risk indicator occurs if the project plan is of poor quality or no longer aligns with the project requirements and assumptions.

Information gathering techniques

Examples of information gathering techniques utilised in identifying risks can include:

  • Brainstorming—The goal of brainstorming is to assemble a list of project risks. The project team usually performs brainstorming, where ideas about project risk are generated under the leadership of a facilitator.
  • Interviewing—The goal of interviewing is to gather information from experienced project participants, stakeholders and subject matter experts that may help to spot risks.
  • Root cause analysis—Root cause analysis is a specific technique used to identify a problem, discover the underlying causes that lead to it and develop preventive action.

Checklist analysis

Risk identification checklists are developed based on historical information and knowledge that has been accumulated from previous similar projects and other sources.

Assumptions analysis

In project management, an assumption is something that is taken to be true without any proof or evidence. When assumptions go wrong, projects can quickly become derailed.

Project managers must thoroughly analyse risks and assumptions early on in the planning process. By identifying and addressing risks associated with assumptions, project managers can help ensure their projects stay on track.

Diagramming techniques

Risk diagramming techniques may include:

  • Cause and effect diagrams—These are also called Ishikawa or fishbone diagrams and help identify causes of risks.
  • System or process flow charts—These show how various elements of a system or process interrelate.
  • Influence diagrams—These are graphical representations of situations showing causal influences, time ordering of events and other relationships among variables and outcomes.

A diagram depicting influence diagram

SWOT Analysis

A diagram depicting an example of SWOT Analysis

Project Managers may use the SWOT analysis tool to assess a project’s strengths, weaknesses, opportunities and threats. This information is then used to create a plan of action to help the project succeed.

Strengths and weaknesses are internal factors that the project manager can control. Opportunities and threats are external factors that the project manager cannot control.

A SWOT analysis can be used at any stage of a project. It can help the project manager identify problems early on and make necessary changes, and it can also help assess whether a project is likely to be successful.

A SWOT is best undertaken in a group with input from management, staff, and other stakeholders.

Usually, a template with four quadrants and specific questions is used to encourage critical reflection.

An excellent way to approach a SWOT analysis is to follow these simple steps:

  1. Firstly, look at your organisation's strengths, i.e. the things you do well in managing risk.
  2. Next, look at the weaknesses; these are the areas of the process that might not be working so well, contain gaps, or are ambiguous. Often strengths can link to weaknesses. For example, a strength in managing past risk may mean that you have a weakness in not looking at new or emerging risks which may be imminent. If strengths and weaknesses appear to be linked, put them opposite each other.
  3. Lastly, identify potential opportunities to improve and oppose them with the major threats which will stop you from managing risks. Do you have a "fragile" business that is likely to be hit hard by risk events or a "robust" one that is relatively shockproof?

Strengths and weaknesses should relate to current organisational capabilities. They may include but are not limited to the following:

  • resources and technologies, e.g. availability and access to software, recordkeeping tools and templates, previous records, information etc.
  • communication and collaboration, e.g. feedback loops, engagement of all stakeholders, clear lines of authority, consultation etc.
  • stakeholder relationships/support, e.g. are all personnel invested in the process or is there some work to do in terms of engaging stakeholders and promoting the importance of the risk management process?
  • effectiveness, e.g. audit results, risk management evaluation reports, data to show successful/poor control of organisational risk using the current framework etc.

It is a good idea to review strengths and weaknesses collaboratively so that relevant stakeholders can support the process by offering insight, advice, and suggestions. Any key outcomes of the review should be recorded. This could be in the form of a SWOT analysis, report, or as part of other appropriate risk management documentation such as a scope document or risk management plan.

For example:

| Internal context | Strengths | Weaknesses | Opportunities | Threats |
| Organisational structure | Dedicated project team was established with minimal staff turnover for three years | Inability to meet client demand due to insufficient staff numbers | Ability to accept more projects if more staff are recruited. | Increase or decrease in client demand |
| Services provided | Dedicated project team providing acquisition services | Administrative errors being made due to services being rushed | Take on more staff and restructure responsibilities | Inability to attract new staff |
| Personnel competencies/skill levels | Management team are highly competent in their role for over two years | No skilled staff to backfill manager roles when they are on leave | Provide training to Project Officers to backfill managers when they are on leave or as needed | Insufficient time |
| Office premises | Easy to access and safe location | | | |
| Office equipment/technology | Sufficient budget | Office technology is out of date | Improve efficiency by upgrading technology | Internet outages |

| External context | Strengths | Weaknesses | Opportunities | Threats |
| Legislative/regulatory framework | Legislation was changed last year, so no further changes are expected | | | |
| Employment market | | | | Inability to attract new staff |
| Environmental factors | | | | Health pandemic |

Activity: SWOT Analysis

Review the SWOT analysis template and case study example developed by Euromonitor International. This activity aims to show you a step-by-step example of how to create a SWOT analysis.

Expert Judgment

Risks could also be identified directly by experts with relevant experience in similar projects or business areas.

Identify risks: output

Risk register

A risk register is a record of the risk management processes and outcomes as they are conducted.

Activity: Risk register

Read the article "What is a risk register in project management" by Jessica Everitt (Wrike) to learn more about risk registers and to look at an example of a risk register.

List of identified risks

The identified risks are described in as much detail as is reasonable. Suggested responses or risk mitigation responses are also documented.

“If you don’t invest in risk management, it doesn’t matter what business you’re in, it’s a risk business”.

Gary Cohn
