Risk Identification and Capture
The first step in risk management is identifying risks and capturing them in a risk management spreadsheet. In risk identification and capture, teams work together to capture the following four attributes for each risk.
Assign a title
The title is a short 1-5 word name for the risk.
Describe the risk
Provide a short description of the risk: enough to get the team thinking about the right things when they get to the Analysis step. During analysis, the team completes the list of risk drivers, the key questions we'll need to answer to mitigate the risk. Often the description includes risk drivers. In fact, many teams we work with don't capture a separate description at all; they start by populating the drivers. This is fine, as it serves the same purpose.
Assign an owner
We must assign each risk an owner. The risk owner is the person responsible for making sure the risk is analyzed and mitigated. This may or may not be the person doing most of the mitigations. Note: Avoid the temptation to assign multiple owners. Capturing who needs to be involved in the discussions is a good idea when it isn’t obvious, but have a single owner who can be the main point of contact about the risk and who has primary responsibility for getting it through the risk management process.
Estimate risk severity/risk exposure
Rating the risk is optional at this stage but it helps establish priorities for risk analysis and planning. Rank each risk high, medium or low. The severity rating can be changed during analysis.
Make risks easy to capture
Risks that don’t make it into the risk management process will become future issues and ultimately reduce profits -- so it's important to make them easy to capture.
For example, when the team is reading through the project’s requirements, there are always questions that come to mind. Also when we are developing conceptual designs, mockups, and early-learning tests, even more new ideas and questions come to mind. Risks can also come up when we are driving home, just dozing off for the night, or in the morning shower.
As such, making it easy to capture these ideas any place, any time is a key requirement of an effective risk management process.
Effective project risk identification meetings
A risk identification meeting is generally characterized by a team meeting, which includes most or all of the core team members and often some more peripheral team members. It's also helpful to pull in a few people not on the team but with experience and knowledge of risks the team members may not yet have.
During project risk meetings it's important to be open about new ideas and concerns. It is essentially brainstorming about what could go wrong on a project. Astute teams will also include some time to identify opportunities to go above and beyond the current objectives.
4 Tips for effective risk identification meetings
Establish meeting rules
No judging, avoid interrupting others and jumping around to too many different topics too fast, etc.
Give everyone access to the risk register
Give everyone a stack of Post-it notes or access to the electronic tool you use to capture risks. Ideas often pop up during discussion about a different risk but are 'off-topic' enough to defer. Have a quick way to keep them from being forgotten.
Include every type of risk you can imagine
Cover technical, supply chain, marketability and other more project-specific risks, as well as resource and process risks (such as resources being pulled off the project to do other work). Outline the main categories, focus on one category at a time, and cover all of them.
Use a Risk Checklist
This is a list of common risks we’ve identified on previous similar projects. If this checklist isn’t available, review risk registers from past projects with the team and use those to jog the team’s memories.
The risk checklist can also include other important info, such as mitigations that have worked well previously, answers to questions, as well as recommendations on which people (roles) to involve in risk analysis and mitigation planning.
Capture just the name and description initially. Then go back toward the end of the meeting to assign owners and initial exposure ratings. Keep people focused on what could go wrong until the popcorn stops popping, that is, until the rate at which people are identifying new risks drops to a trickle.
Other opportunities to capture risks
During other team meetings focused on a specific topic, new ideas and risks often arise. This is common in meetings about design concepts, project/product requirements, product architecture, and design reviews, but any meeting has potential for new risks to be identified.
Most teams have a weekly team meeting to review the project status and resolve schedule issues. This meeting, like the other examples above, often has new risks brought to light during the conversation. However, this meeting also presents a good opportunity to solicit risks that may not have yet made it into the conversation.
Allocate 5 minutes in the agenda for a little risk identification meeting, where the team is asked to think about what else could go wrong and/or what new ideas are there to improve on the current plan. Sometimes there won’t be any new ideas, but when there are, this is a good way to keep them from falling through the cracks.
Similarly, teams having frequent stand-up meetings can dedicate 1 minute to risk identification. This provides a good platform to collect the ideas that came up outside of work, during the drive into work or morning shower, and those that come from ad-hoc discussions at the proverbial water cooler (or coffee machine).
Tips for getting new risks into the risk register
In every case, an easy way to capture risks in the risk management system is critical. Some recommended ways to easily get newly identified risks into the system include:
Invest in an electronic risk capture system
The system should be shared across the team and easily accessible to everyone, rather than a spreadsheet that can only be edited by one person at a time.
White Board Risks
Have a white-board or some designated wall-space in the room where the team meeting and/or standup meetings are held. Have people put new risks onto a post-it note and stick it to the wall as soon as something comes up. The project manager can collect those and get them entered into the risk management tool.
Once a risk has been officially identified, it is up to the owner to get it into and through analysis and planning quickly. The higher the risk, the faster it should go through the rest of the process.
In the next post, we’ll start reviewing the details of the analysis step of the process. Analysis has more sub-steps than identification, so it will take a couple/few posts to get through it all. However, good analysis is one of the keys to good risk mitigation, so we want to make sure the analysis steps are clear.
Stay tuned for our next post where we explore risk drivers and the 5 Whys Method!