Risk identification is the first of three steps in the ISO 31000 Risk Management Process that comes under the heading of Risk Assessment.
What is Risk Identification?
Risk identification refers to the “process of finding, recognizing, and describing risks” (ISO 31000). For safety risks, this may refer to formal processes like hazard reports or scheduled inspections. However, for schedule and cost risks and uncertainties, processes such as workshops, interviews, or historical data sets are more commonly used. The relative benefits of these different approaches are discussed in the section that follows.
Risk Identification Methods
There are many ways to gather risk data, and some are more suited to some situations than others. Ultimately, there is no “right answer” as to which is best, but risk managers / analysts should be aware of the alternatives available and choose the best combination for the project and the risk management context identified.
- Historical Data – Where available, historical data is almost always the best resource to use as the input to an analysis, as it bypasses the potential influence of individual risk attitudes. If performing a quantitative analysis in a sophisticated analytical tool, actual historical data can be incorporated into models (along with trend information for future projections) using custom probability density distributions. This provides the most unbiased basis for identification of uncertainty trends, but is complicated and time consuming to prepare. An example of where use of historical data may be appropriate is in the modelling of a project where the price of fuel will be a determinant of project economic success.
- Interviews – Conducting interviews to gather risk information involves identifying key personnel within a project team and spending time with them individually to assess their attitudes towards different sources of uncertainty in the project. After all participants have been interviewed, the results for each source of uncertainty are collated and averaged to arrive at a final position for inclusion in the risk database or model. Interviews that are conducted so that the results are anonymous are especially effective in reducing the effect of senior management pressures to “toe the company line” which can sometimes cause people to provide overly optimistic responses to risk questions. However, interview processes usually take an extended time, and interviewees may have different frames of reference and biases when providing opinions on sources of project uncertainty that necessitate further time to reconcile conflicting opinions.
- Workshops – Workshops are useful in that they provide a quick and straightforward means of arriving at consensus views on sources of uncertainty within a project. They have the added benefit of ensuring a common frame of reference for all persons involved when expressing attitudes towards the uncertainties discussed. However, workshops require careful and experienced facilitation to ensure that some voices and opinions do not become dominant and others are forced to “fall into line” or are not heard. Further, organizing all the necessary (usually quite senior) stakeholders to be available at the same time can prove difficult.
For information on the what data should be gathered as part of best practice processes for risk identification, please refer to the section on Risk Properties
Interview / Workshop Techniques
The following are some general techniques for the identification of risks. Each has their own benefits and limitations:
- Brainstorming – A simple technique whereby stakeholders are asked to identify risks to the project based on their own perceptions or experience. This type of exercise is unstructured and particularly useful for identifying risks that might fall outside of traditional risk breakdown structures. If combined with use of “Post-its” on a board, groups can build up clusters of similar risks to indicate perceived importance and risks on which to focus (see also Risk Breakdown Structures and Checklists below).
- SWOT Analysis – SWOT, as it applies to risk analysis is a structured risk identification process whereby stakeholders are asked to identify the strengths & weaknesses (internal factors) and opportunities & threats (external factors) of a particular project or process. SWOT analysis tends to follow the same general processes as brainstorming, but overlays the structure of the 4 quadrant approach to assist in the identification process. Unlike other techniques, SWOT analysis is particularly useful for helping in the process of identifying positive risks (opportunities).
- Assumptions Analysis – The principal behind assumptions analysis is that every assumption actually represents a potential risk to the project. By challenging every assumption we’ve made to ask “what if it’s wrong?” we can identify new sources of risk.
- Risk Breakdown Structures and Checklists – An RBS is another example of a structured approach to brainstorming that can help in the risk identification process. By first identifying classes of uncertainty on a project (eg. Procurement uncertainty, weather uncertainty, etc.) we are provided with a prompting for the different potential sources of risk. Organisations typically develop an RBS for recurring types of projects against which risks are identified in order to ensure that the risk identification process always covers all the known potential sources of risk.
- Specific Opportunity Identification Sessions – Experience has shown, notwithstanding the benefit of SWOT analysis, that opportunities are difficult for groups to identify when also identifying threats. The tendency is for threat identification to dominate. It can be especially beneficial, rather like value engineering, to run special Opportunity identification sessions, whether guided by an RBS or alternative systematic approach, to identify Opportunities and how to enhance them through treatments.