ISO 21502:2020 Clause 7.8.2 Identifying risk

Project Management 10 Minutes

Risks can be identified throughout the project life cycle and previously identified risks can change or reoccur. Risks should be recorded when identified. Risks can originate from various sources, either internal or external to the project. Each risk should have an assigned owner.
NOTE The record of risks can be referred to as a “risk register”, “risk log” or any other term used within an organization.

Identifying risks is a crucial step in risk management, and there are several techniques and approaches that the project organization can use to identify risks effectively. Here are some common methods:

  1. Brainstorming Sessions: Conducting brainstorming sessions with project stakeholders, team members, subject matter experts, and relevant stakeholders can help generate a wide range of potential risks. Participants are encouraged to freely express their ideas and concerns about potential threats and opportunities that may impact the project.
  2. Risk Workshops: Risk workshops bring together key stakeholders and experts to systematically identify and assess project risks. These workshops typically involve structured exercises, facilitated discussions, and interactive techniques to explore different risk scenarios, evaluate their likelihood and impact, and prioritize them based on their significance.
  3. Documentation Review: Reviewing project documentation, including project plans, scope statements, requirements documents, contracts, and historical data, can help identify potential risks. Analyzing past projects, lessons learned, and industry best practices can provide valuable insights into common risks and challenges that may arise during project execution.
  4. Checklists: Using risk checklists or risk registers can help project teams systematically identify potential risks based on predefined categories, project phases, or industry-specific standards. Risk checklists provide a structured framework for reviewing project activities, deliverables, and dependencies to uncover potential threats and opportunities.
  5. SWOT Analysis: Conducting a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis can help identify both internal and external factors that may impact the project’s success. By assessing the project’s strengths and weaknesses, as well as external opportunities and threats, project teams can identify potential risks and develop appropriate risk response strategies.
  6. Expert Judgment: Seeking input from subject matter experts, experienced project managers, and industry professionals can provide valuable insights into potential risks and their implications. Expert judgment can help validate risk assessments, identify blind spots, and uncover hidden risks that may not be apparent to the project team.
  7. Simulation and Scenario Analysis: Using simulation tools or scenario analysis techniques can help project teams explore different risk scenarios and their potential outcomes. By simulating various risk events and their impacts on project objectives, project teams can better understand the range of potential risks and develop proactive risk response strategies.
  8. Stakeholder Consultation: Engaging project stakeholders, including customers, end-users, suppliers, and regulators, can help identify risks from different perspectives. Stakeholder consultation allows project teams to capture stakeholders’ concerns, expectations, and requirements related to project risks and incorporate them into the risk management process.

By using a combination of these techniques and approaches, the project organization can systematically identify potential risks and uncertainties that may impact project objectives. It’s important to involve a diverse group of stakeholders, leverage relevant expertise, and apply structured methods to ensure comprehensive risk identification and effective risk management throughout the project lifecycle.

Risks can be identified throughout the project life cycle and previously identified risks can change or reoccur.

Risks are dynamic and can evolve throughout the project lifecycle. Here’s a breakdown of how risks can be identified at different stages of the project and why they can change or reoccur:

  1. Initiation Phase: During project initiation, risks are often identified at a high level, focusing on strategic, organizational, and environmental factors that may impact the project’s feasibility or success. These risks may include uncertainties related to market conditions, funding availability, stakeholder support, or regulatory requirements.
  2. Planning Phase: As the project moves into the planning phase, risks are identified in greater detail, focusing on specific project activities, deliverables, and dependencies. Risk identification techniques such as brainstorming, documentation review, and expert judgment are used to uncover potential threats and opportunities that may arise during project execution.
  3. Execution Phase: Risks continue to be identified and assessed during the execution phase as the project progresses. New risks may emerge as project activities are executed, and existing risks may evolve or materialize into issues that require immediate attention. Project teams must remain vigilant and proactive in monitoring and managing risks throughout the execution phase.
  4. Monitoring and Control Phase: In the monitoring and control phase, project teams focus on tracking and managing identified risks, as well as identifying new risks that may arise. Changes in project scope, schedule, resources, or external factors can introduce new risks or alter the likelihood and impact of existing risks. Continuous monitoring and control are essential to identify emerging risks and take timely corrective actions.

Reasons why risks can change or reoccur:

  1. Project Dynamics: Project dynamics, such as changes in scope, schedule, resources, or stakeholder requirements, can introduce new risks or alter the likelihood and impact of existing risks. For example, a change in project scope may introduce new technical challenges or dependencies that were not previously identified.
  2. External Factors: External factors, such as market conditions, regulatory changes, economic trends, or geopolitical events, can influence project risks. These external factors are often beyond the project team’s control but can have a significant impact on project outcomes. Risks associated with external factors may change over time as the external environment evolves.
  3. Dependencies and Interactions: Risks are often interrelated and dependent on other factors within the project or external environment. Changes in one risk factor may affect the likelihood or impact of other risks, leading to cascading effects or new risk scenarios. Understanding the dependencies and interactions between risks is essential for effective risk management.
  4. Lessons Learned: Lessons learned from past projects or project phases can inform risk identification and management practices. By reflecting on past experiences and identifying recurring or previously overlooked risks, project teams can improve their risk management processes and enhance their ability to anticipate and address potential challenges.

Overall, risk management is an iterative and ongoing process that requires continuous attention and adaptation throughout the project lifecycle. By identifying risks at various stages of the project and recognizing the factors that can cause risks to change or reoccur, project teams can better anticipate uncertainties and proactively mitigate potential threats to project success.

Risks should be recorded when identified.

Recording risks when they are identified is a fundamental aspect of effective risk management. Here’s why it’s important:

  1. Documentation: Recording risks ensures that they are documented and captured in a centralized repository, such as a risk register or database. This documentation provides a comprehensive record of all identified risks, including their descriptions, potential impacts, likelihood of occurrence, and proposed risk responses.
  2. Transparency and Visibility: Recording risks promotes transparency and visibility within the project team and among stakeholders. By documenting risks, project managers can communicate important information about potential threats and opportunities, ensuring that all relevant parties are aware of the risks and can contribute to risk management efforts.
  3. Risk Analysis and Prioritization: Recording risks enables project teams to analyze and prioritize them based on their significance and potential impact on project objectives. By documenting key attributes of each risk, such as severity, urgency, and proximity, project managers can prioritize risk response efforts and allocate resources effectively to address the most critical risks first.
  4. Risk Monitoring and Control: Recording risks facilitates ongoing monitoring and control throughout the project lifecycle. By maintaining a centralized repository of identified risks, project teams can track changes in risk exposure, assess the effectiveness of risk responses, and evaluate the overall status of risk management efforts over time.
  5. Historical Reference: Recording risks provides a historical reference for future projects and decision-making. Lessons learned from past projects can inform risk identification and management practices, helping project teams anticipate common risks and develop proactive risk mitigation strategies based on past experiences.
  6. Accountability and Ownership: Recording risks promotes accountability and ownership within the project team. By documenting risks and assigning ownership to specific individuals or teams responsible for managing them, project managers ensure that risks are actively monitored, addressed, and escalated as needed throughout the project lifecycle.
  7. Auditing and Reporting: Recording risks facilitates auditing and reporting requirements, allowing project managers to provide stakeholders with timely updates on risk management activities. By maintaining accurate and up-to-date records of identified risks, project teams can demonstrate compliance with risk management processes and regulatory requirements.

Overall, recording risks when they are identified is essential for effective risk management. It ensures that risks are documented, communicated, analyzed, prioritized, monitored, and controlled throughout the project lifecycle, ultimately enhancing project resilience and increasing the likelihood of project success.

Risks can originate from various sources, either internal or external to the project.

Risks can stem from a variety of sources, both internal and external to the project. Understanding the different sources of risks is essential for comprehensive risk identification and management. Here are some common sources of risks:

  1. Internal Sources of Risks:
    • Project Scope: Changes in project scope, requirements, or objectives can introduce risks such as scope creep, resource constraints, or schedule delays.
    • Project Schedule: Risks related to project scheduling, including dependencies, critical paths, and resource availability, can impact project timelines and delivery dates.
    • Resource Constraints: Risks associated with resource availability, competence, and allocation, including human resources, finances, equipment, or facilities, can affect project execution and performance.
    • Stakeholder Expectations: Risks arising from divergent stakeholder expectations, communication breakdowns, or conflicts of interest can lead to project delays, scope changes, or stakeholder dissatisfaction.
    • Technical Complexity: Risks related to technical complexity, innovation, or dependencies on new technologies can affect the feasibility and success of project deliverables.
    • Organizational Factors: Risks stemming from organizational culture, structure, policies, or governance, including changes in leadership, budget constraints, or strategic shifts, can influence project outcomes.
  2. External Sources of Risks:
    • Market Conditions: Risks associated with market volatility, competition, demand fluctuations, or economic trends can impact project viability, funding availability, or market acceptance of project deliverables.
    • Regulatory and Legal Requirements: Risks arising from changes in regulatory requirements, compliance obligations, or legal issues can pose challenges to project execution and delivery.
    • Environmental Factors: Risks related to environmental factors, natural disasters, climate change, or geopolitical events can disrupt project operations, supply chains, or infrastructure.
    • Supplier and Vendor Risks: Risks associated with suppliers, vendors, subcontractors, or outsourcing partners, including delivery delays, quality issues, or contract disputes, can affect project performance.
    • Technology and Industry Trends: Risks arising from advancements in technology, industry trends, or disruptive innovations can impact project assumptions, methodologies, or deliverables.
    • Geopolitical Factors: Risks stemming from geopolitical instability, trade disputes, international conflicts, or global events can influence project planning, execution, and stakeholder relationships.

By considering risks from various sources, project teams can develop a more comprehensive risk management strategy and proactively address potential threats and opportunities that may arise during project execution. Effective risk management involves identifying, assessing, treating, and monitoring risks from both internal and external sources throughout the project lifecycle to minimize uncertainties and increase the likelihood of project success.

Each risk should have an assigned owner.

Assigning ownership to each identified risk is a fundamental aspect of effective risk management. Here are some reasons why assigning risk owners is important:

  1. Accountability: Assigning a specific individual or team as the owner of a risk ensures accountability for managing and mitigating that risk throughout the project lifecycle. The risk owner is responsible for monitoring the risk, implementing appropriate risk response strategies, and communicating updates to stakeholders.
  2. Ownership and Proactivity: Designating a risk owner fosters a sense of ownership and proactive risk management within the project team. When someone is assigned as the owner of a risk, they are more likely to take ownership of the risk response efforts, actively monitor changes in risk conditions, and take timely actions to address emerging threats or opportunities.
  3. Clear Communication: Having a designated risk owner facilitates clear communication and coordination of risk management activities. Stakeholders know whom to contact for information about specific risks, updates on risk response efforts, or escalations of unresolved issues. This clarity helps streamline communication and ensures that risk management efforts are effectively coordinated.
  4. Expertise and Authority: Assigning a risk owner allows for the selection of individuals or teams with the necessary expertise, experience, and authority to manage the risk effectively. The risk owner may possess specialized knowledge or skills related to the risk, enabling them to develop targeted risk response strategies and implement appropriate mitigation measures.
  5. Resource Allocation: Designating a risk owner enables project managers to allocate resources effectively to manage the risk. The risk owner can coordinate with other team members, stakeholders, or external parties to obtain the necessary resources, support, or expertise needed to address the risk and minimize its impact on project objectives.
  6. Monitoring and Control: The risk owner is responsible for monitoring changes in risk conditions, assessing the effectiveness of risk response actions, and updating the risk register accordingly. By regularly reviewing the status of assigned risks and tracking progress on risk mitigation efforts, the risk owner ensures that risks are managed proactively and that appropriate actions are taken to address evolving risk conditions.
  7. Escalation and Resolution: If a risk escalates beyond the risk owner’s ability to manage or requires additional support or intervention, the risk owner can escalate the issue to higher levels of management or relevant stakeholders for resolution. Assigning ownership ensures that risks are promptly escalated when necessary and that appropriate actions are taken to address critical or unresolved risks.

Overall, assigning ownership to each identified risk enhances accountability, fosters proactive risk management, facilitates clear communication and coordination, leverages expertise and authority, enables effective resource allocation, supports monitoring and control efforts, and ensures timely escalation and resolution of critical risks. By designating risk owners, project teams can strengthen their risk management practices and increase the likelihood of project success.

The record of risks can be referred to as a “risk register”, “risk log” or any other term used within an organization.

The record of identified risks, along with relevant details such as descriptions, assessments, ownership, and mitigation strategies, is commonly referred to as a “risk register,” “risk log,” or by any other term used within an organization’s specific terminology or project management framework.

Here’s a brief overview of these terms:

  1. Risk Register: A risk register is a structured document or database that contains a comprehensive record of all identified risks associated with a project. It typically includes information such as risk descriptions, likelihood and impact assessments, risk owners, risk response strategies, status updates, and any additional relevant details. The risk register serves as a central repository for managing and monitoring project risks throughout the project lifecycle.
  2. Risk Log: A risk log is another term commonly used to refer to the document or database where risks are recorded and managed. Like a risk register, a risk log contains detailed information about identified risks, including their descriptions, assessments, ownership, and mitigation actions. The term “risk log” may be preferred in some organizations or project management methodologies to describe the record of project risks.
  3. Other Terms: In addition to the “risk register” and “risk log,” organizations may use alternative terms to refer to the document or database where risks are recorded and managed. These terms may vary depending on the organization’s industry, culture, or specific project management practices. Some examples of alternative terms include “risk database,” “risk repository,” “risk tracker,” or any other term that accurately describes the purpose and function of the document.

Regardless of the terminology used, the primary purpose of the risk register, risk log, or equivalent document is to provide a structured framework for identifying, assessing, documenting, and managing project risks. By maintaining a centralized record of identified risks, project teams can effectively track risk exposure, prioritize risk response efforts, and communicate key risk-related information to stakeholders, ultimately enhancing the project’s ability to anticipate and address potential uncertainties.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a ReplyCancel reply