Identifying risk

From apppm
Jump to: navigation, search

The process of identifying risk in project management can be summarised as both identifying individual risk for the project and sources of overall risk to the project. Thereafter documenting their characteristics. When a risk has been identified, this allows the project team to tackle the challenges arising with these risks. Identifying risks is a process that is performed throughout the project’s lifetime. When identifying risk, the step that you go through is create input, applying tools and techniques, and finally getting output. Creating input is essential for management to identifying the risks. Examples of what the input consist of: project management plan, project documents, and more. After creating input, certain tools can be used to identify the risks. An in-depth look into a selection of these tools can be found on this site, like: Expert judgement, data gathering, and data analysis. The last part is the output. The output is 3 folded; 1. Risk register. 2. Risk report. 3. Project documents updates.

The 3 parts of identifying risks (input, tools & output) will be descried in greater details. [1][2][3]


Big idea

Identifying risk is a never-ending job for a project and should be treated as such. By not only identifying the risks at the beginning of the project, but throughout the project’s life cycle. Some risk will inevitably be overseen when first preforming the risk identification and new risk will arise. Therefore, this process needs to be repeated. [1][2] [3]

When identifying risks, we seek to identify both individual projects risks and sources of overall project risk. When concluding this process, we should end up with some documentation of the risks. To be more specific, the output we achieve is a risk register and a risk report, as well as an opportunity to update existing document to reflect new knowledge found. [1]

To produce this output there must first be some input to work with. This is input like a project management plan, project document, and so on. The input is the first thing that must be in place. When it is, it enables us to use some given tools and techniques to identify the risks. These tools are not limited to the ones described on this page, but the ones highlighted are some good tools to use. [1]

All stakeholders should be encouraged to bring any risk they see to light. However, for the specific process of identifying risks the persons or groups that usually participate in this process are: [3] [1]

- Project manager

- Project team

- Risk specialist

- Customers and end users

- External subject experts

- Relevant stakeholders

- Internal risk management expert


When talking input for risk identification we are talking about all documents and knowledge developed beforehand, that enables us to identify any risks. These are output from task/processes which were carried out prior to the risk identification. Hence, laying the groundwork to the actual risk identification. [1]

Some examples of input needed are:

• Project management plan

• Project Documents

• Agreements

• Procurement documentation

• Enterprise environmental factors

• Organisational process assets

Project management plan

The project management plan include knowledge from underlining components. These components include:

• Requirements management plan

• Schedule management plan

• Cost management plan

• Quality Management plan

• Resource management plan

• Risk management plan

• Scope baseline

• Schedule baseline

• Cost baseline

Other relevant Management plans, Baselines, or relevant documents can be included in the project management plan. [1]

Project Documents

Some project documents can be included as input in the risk identification. Examples of these are: [1]

• Assumption log

• Cost estimates

• Duration estimates

• Issue log

• Lessons learned register

• Requirements documentation.

• Resource requirements

• Stakeholder register


There might be some agreement/contract with some external partner/stakeholders. The information in such an agreement may present both risks and opportunities for the project. Information in the agreement may include, but are not limited to, milestones dates, acceptance criteria, awards and penalties. [1]

Procurement documentation

Procuring goods and services from external sources may increase or decrease the risks for the project, as well as introduce new risks. The most up to date procurement documentation should therefore be reviewed for potential risks. [1]


From the generated and gathered input, the management team have a variety of tools in the toolbox, that will help them identify the risks. [1]

Examples of such tools are: • Expert judgment

• Data gathering (Brainstorming, Checklists, Interviews)

• Root cause analysis

• Assumption and constraint analysis

• SWOT analysis

• Risk breakdown structure

• Document analysis

• Interpersonal and team skills

• Prompt lists

• Meetings

Expert judgement

The project manager should identify individuals or groups that could act as experts when identifying projects risks and the source of these risks. The expert should both consider specific risk and overall project risks.

The experts can be people with experience in a specific area relevant to the project. Or they could be people with some form of specialized knowledge that relate to the project. [1]

Data gathering

There are multiple techniques to gather data related to risk. Here there are highlighted some, which are widely used


In a brainstorm the goal is to generate an overview of potential risk for the project. The brainstorm is carried out by the project team. However, have experts been gathered they should also participate in the brainstorm.

In a brainstorm there is a risk that the ideas generated are not described in full. This is something that the facilitator should have in mind, so that all risk is fully described and usable. [1]


Information and knowledge gather from similar projects, experience and other sources can be compiled into a checklist of risk. The checklist is a list of potential risk which have been seen before. This list can then be updated throughout the project. [2]

The checklist is a good way for a company to transfer knowledge and learnings from project to project. However, this should not be seen as a reason not to carrier out a risk identification throughout the project life cycle. The checklist may not identify all risks, and other risks must also be explored. [1]


Interview is another method of identifying project risks. The interviews can be carried out with any person or group that have relevant for the project (project participants, stakeholders, experts, ect.). The danger with interviews is that the participant withholds information out fear, shame, or what have you. Therefore, it is essential for the interviews that they are carried out in a trusting and open environment to ensure the right information is extracted. [1]

Root cause analysis

The root cause analysis is a method used to identify the “why” of a risk, i.e. the underlying reason for the risk. When solving the root cause of a risk, all underlining risk will also be solved. By stating a problem/benefit statement a root cause analysis can be used to detect threats or opportunities. [1]

Assumption and constraint analysis

This is an analysis of the projects and project management plans underlining assumption and constraint. The assumptions, which the project has made, represent some unidentified risks. Analysing these assumptions will bring risk to light and assess their threat. The constraint that the project works under could potentially bring some opportunities to light. Analysing the constraint to see if any could be removed, or relaxed. [1]

SWOT analysis

SWOT is an analysis of the project and organizations strengths, weaknesses, opportunities and threats. It can be used to look at internally created risks for the project. It starts with an analysis of the company’s weaknesses and strengths. From this any threats or opportunities should be analyzed, as well as how the company’s weaknesses and strengths affects the given threats and opportunities. [1] [2]

Risk breakdown structure

A risk breakdown structure is a hierarchical representation of risks. Meaning that it starts it that highest level and then moves down into more detailed levels. The RBS is not unlike the Work Breakdown Structure, and it will help the manager create an overview of the risk categories. [3][4]


The output from identifying risk is three folded: the risk register, the risk report, and updates of project documents.

Risk register

The risk register is, as the name may suggest, where all individual risks are registered. This includes a list of all risk found in the identification process. All risks are registered with unique names and/or numbers, as well as a description of the risk so that the information doesn’t get lost. [3]

If there have been identified an owner of the risk, this person should also be registered. The same goes for potential risk responses. Have any responses been identified during the process of identifying the risk they should also be registered. [2]

Any additional information that is relevant for the risk, and the handling of set risk, should also be registered. This could include information such as risk triggers, deadline for action, current risk status, and so on.

As risk identification and risk management is an ongoing process throughout the project, the register should be kept up to date. Any results from other risk processes should also be recorded in the register. [1]

Risk report

The risk report includes the sources of overall project risk, as well as a summary of individual project risks. [1]

Project documents updates

It is important that in the end of the process of identifying risk, all relevant existing documents are updated. This could include documents such as: Assumption log, Issue log, and lessons learned register. [1]


All risk to a project will not be identified at ones. Even if all risk could be identified, changes are some will be missed/undetected. This only enhances the importance of conducting a risk identification process throughout the project’s life cycle. [2]

One should also be aware of expert bias. It is quite common and can be a threat to the quality of the risk identification, as well as the response. [1]

Annotated bibliography

• Project Management: A guide to the Project Management Body of Knowledge (PMBOK guide), 6th Edition (2017).

For risk identification, chapter 11 is a very good walkthrough of how to conduct a risk identification process.

• Standard for Risk Management in Portfolios, Programs, and Projects

A very good reference for all things risks in projects, portfolios, and programs.

• Managing Successful Projects with PRINCE2 2017 Edition

Chapter 10 looks into risk, and PRINCE2 standards for handling risk, as well as what risk are.


  1. 1.00 1.01 1.02 1.03 1.04 1.05 1.06 1.07 1.08 1.09 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 Guide to the Project Management Body of Knowledge (PMBOK® Guide) (6th Edition), Project Management Institute (PMI), Inc.(2017)
  2. 2.0 2.1 2.2 2.3 2.4 2.5 Standard for Risk Management in Portfolios, Programs, and Projects, Project Management Institute, Inc. (PMI) (2019)
  3. 3.0 3.1 3.2 3.3 3.4 Managing Successful Projects with PRINCE2 2017 Edition, AXELOS (2017)
  4. Understanding the Risk Breakdown Structure (RBS), Internet article, 12/10/2018,(,
Personal tools