All projects possess risk that needs to be managed. The most important step in any project risk management process is to identify these risks. Project risk identification is done in two parts:
- Look for risks that are inherent to our project based on its general characteristics.
- After we identify inherent risks, we look for risks that are specific to our project.
Most project managers would agree that large projects are generally riskier than small ones, having an inexperienced project manager and team is riskier than having an experienced project manager and team, and using new technology introduces additional risk than does a project that uses proven technology.
The table below shows examples of “inherent” risks. They are risks that could be inherent in the nature of our project. In other words, these types of risks could be applicable to any project to a greater or lesser extent. INCIS was a very expensive and overly risky project to establish a NZ Integrated National Crime Information System in the 1990s, which was abandoned in 1999. INCIS was big and was going to lead the world; a couple of prerequisites for a disaster. However, the initials help us indentify inherently risky projects:
I – Imprecise (unclear project goal and parameters).
N – Novel (unique endeavour).
C – Complex (many diverse components to coordinate).
I – Inexperience (lack of relevant knowledge and skills).
S – Sizeable scope (huge job).
These five characteristics are not the only inherent risk factors, but they are key considerations. In fact, size alone does not create more risks, just bigger ones. Novelty is most certainly a very influential factor and perhaps the biggest, since risk is lowest when we revisit familiar ground. Also, complex projects usually involve significant levels of uncertainty. Complexity is the degree to which a system or component has a design or implementation that is difficult to understand and verify. More practically, if your average person can’t understand the project after a detailed description it is likely to be complex. Project duration is a key factor insomuch as the longer our project’s lifespan, the greater is our project’s exposure to changes, particularly those arising from outside our project and also from outside our organisation. Such changes include inflation, market conditions, competitors’ activities, cost increases, resource shortages, political uncertainty, changing weather patterns, earthquakes and so on – any of which could occur concurrently to compound the risk inherent in our project.
When we are identifying project risks, we might use this table to help us identify inherent risks. These risks are not in any particular order, but with experience, this checklist could be customised and prioritised for our organisation. Medium-level risks would fall somewhere in the middle of these high and low risk categories.
If our project has three of these inherent risks rated “high”, and given that such risk factors are more likely to have a compounding effect than a compensating effect, we might best consider the entire project as high-risk. If our project falls into the high-risk category, it doesn’t mean our project will be unsuccessful, rather it means we should fully apply the risk management process.
Checking for inherent risks is a useful starting point for risk identification – but it is not the end. After we check for inherent risks, we still need to identify risks that are specific to our project. The combination of inherent risks and project specific risks make up the totality of risks that we record, analyse and then respond to as appropriate. Although all projects have risk, the seriousness in which each organisation manages risk varies greatly. Nonetheless, risk plays a significant role in the final outcome of most projects.
Mountain climbing can have massive inherent risk. Given the recent death of 16 Sherpas on Mount Everest, Peter Hillary suggests that rather than stop or restrict the number of climbers, which would deprive Sherpas of their livelihood, the solution lies in better risk management systems (Dom 24 April 14). Maybe. Meanwhile, Sherpas strike and grumpy climbers depart with their bucket lists unfulfilled.
Sherpas risk life and limb lugging staggering loads to enable climbers with day packs to “conquer” the mountain, while jettisoning human excrement, equipment and occasionally team members in their wake, creating the world’s highest dump and obstacle course – all less tolerable with global warming. “Climbing” Everest today with its handrails, steps, bridges and Sherpa support hardly confers bragging rights.
A possible answer is to avoid these inherent risks and prohibit treks up the top half. And while this maxed-out mountain recovers, entrepreneurs might develop a Las Vegas-like base camp, exclusively staffed by Sherpas. And for those visitors who seek the risky vain glory of the summit, a pressurised helicopter service should suffice, with optional ultra-risky wing-suit return flights. “Make the project investment and the tourists will come” might be the mantra.
A more detailed checklist of inherent risks is here and for a very detailed and comprehensive description of project risk management and its application, hit here for a free copy of my “Managing Murphy.”