Risk Identification & Assessment

Home Page  <<  >>

Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. A risk has a cause and if it occurs a consequence. In order to maximize the probability and consequences of positive events and minimize the probability and consequences of adverse events to project objectives, risk management processes must be established.

During the Project Initiation Phase, the risks that might affect the project must be identified and their characteristics must be documented in the Risk Log. The Risk Log is a document that needs to be created during the preparation of Project Fiche and be refined at the next phases of the Project Management Cycle. The Risk Log is a control tool for the Project Manager providing a quick reference to the key risks facing the project, what monitoring activities should be taking place and by whom.

A template of Risk Log is presented in Annex 1-6. In this template except of the suggested structure, guidance is also provided. Furthermore, in the same Annex a completed Risk Log14 [ This example refers to existing Cypriot Project that has been funded by EU Transition Funds. ] is presented in order to facilitate the understanding on how each section should be completed.

When Project Owner studies the Project Fiche, also examines the Risk Log and must decide whether project initiation can be justified or whether there are serious threats for the projects success. Pragmatically, the Project design team (or the Project Manager if he/she has been appointed) should have discussed informally with the representatives of the Project Owner any known risks that seem to threaten the projects viability.

Risk identification is an iterative process. The risks identified and registered in the Risk Log during the preparation of Project Fiche, are evident, normally concerning availability of resources, impending or mooted legislation, dependencies with other projects and their results. These risks should be refined during the Planning Phase when the Project Plan is being created. Generally, there should be a check for any new risks every time the Risk Log is reviewed, at least at the end of each stage. The Project Steering Committee has the responsibility to continually check external events for external risks.

Risks Identification

Techniques to be used for the identification of possible risks during the Project Initiation Phase are being presented below:

Performing structured review of the Business Case Document as well as the projects approach recorded in the Project Fiche
Performing brainstorming. The project design team usually performs brainstorming, although a multidisciplinary set of experts can also perform this technique. Under the leadership of a person who plays the role of the facilitator, these people generate ideas about possible project risks.
Risks can be identified by interviews of experienced project managers or subject matter experts. The appropriate individuals have to be identified, the design team briefs them on the project and the interviewees based on their experience identify risks
The design team uses as a guide an almost standard checklist of possible risks, which is usually developed based on historical information and knowledge that has been accumulated from the implementation of different scale and type projects. Since it is impossible to build an exhaustive list of risks, care should be taken to explore items that do not appear at a standard checklist if they seem relevant to the specific project.

The Checklist presented below has been developed for PRINCE2 Methodology and could be used as a starting point for identifying the main areas of risks for projects implemented using in sourcing or outsourcing.

Checklist 1-4: Risk identification

Strategic/ Commercial risks

Under performance to specification


Management will under-perform against expectations


Collapse of contractors


Insolvency of Funding Source (applicable only in case of Private contribution in the funding)


Failure of suppliers to meet contractual commitments, this could be in terms of quality, quantity, timescales or their own exposure to risk


Insufficient capital revenues


Market fluctuations


Fraud/ theft


Partnerships failing to deliver the desired outcome


The situation being non insurable (or cost of insurance outweighs the benefit)


Lack of availability of capital investment


Economic/ financial/ market

Exchange rate fluctuation


Interest rate instability




Shortage of working capital


Market developments will adversely affect plans


Legal and regulatory

New or changed legislation may invalidate assumptions upon which the activity is based


Failure to obtain appropriate approval, e.g. planning consent


Unforeseen inclusion of contingent liabilities


Failure to achieve satisfactory contractual arrangements


Unexpected regulatory controls or licensing requirements


Changes in tax structure


Organisation/ Management/ Human factors

Management incompetence


Inadequate corporate policies


Inadequate adoption of management practices


Poor leadership


Key personnel have inadequate authority to fulfil their roles


Key personnel have inadequate time to deal with the project due to heavy workload


Poor staff selection procedures


Lack of clarity over roles and responsibilities


Vested interests creating conflict and compromising the overall aims


Group interests given unwarranted priority


Indecision or inappropriate decision making


Lack of  operational support


Inadequate or inaccurate information


Health and safety constraints



Change of governmental policy (national or international)


Change of government


War or disorder


Adverse public opinion/ media intervention



Natural disasters


Storms, flooding, tempests


Pollution incidents


Transport problems, including aircraft/vehicle collisions


Ecosystem (flora, fauna) disturbance


Technical/ Operational/ Infrastructure

Inadequate design


Professional negligence


Human error/ incompetence


Infrastructure failure


Operation lifetime lower than expected


Residual value of assets lower than expected


Increased dismantling/ decommissioning costs


Safety being compromised


Performance failure


Residual maintenance problems


Scope “creep”


Unclear expectations


Breaches in security/ information security


Lack of inadequacy of business continuity


Risk Assessment

Risk assessment is the process of assessing the impact and probability of identified risks.

Risk Probability is the likelihood that a risk will occur. Risk impact is the effect on project elements if the risk event occurs. For example, major damage to a building is relatively unlikely to happen (low probability), but would have enormous impact on business continuity. Conversely, occasional personal computer system failure is fairly likely to happen (high probability), but would not usually have a major impact on the business.

Impact should be considered under the elements of:

Quality of deliverables
People/ resources

When considering a risks probability, another aspect is when the risk might occur. Some risks will be predicted to occur further away in time than others, so attention has to be paid on the more immediate ones.

In order to increase the visibility of risks and assist management decision making, the probability/ impact risk rating matrix (or Risk Profile as it is called in PRINCE2 Methodology) can be used. It is a graphical representation of information normally found in Risk Logs. An example of a completed Risk Rating Matrix is presented in the figure below (Tool 1-7).

The horizontal axe represents the risks impact and its scale reflects the severity of its effect on the project. Impacts can be ordinal or cardinal, depending on the culture of the organization conducting the analysis. Ordinal scales are simply rank ordered values, such as very low, low, medium, high and very high. Cardinal scales assign values to these impacts. These values could be linear or nonlinear (e.g. 0,1 0,3 0,5 0,7 0,9). Both approaches intend to assign a relative value to the impact if the risk in question occurs. However, the ordinal scales are the ones most in use.

The vertical axe represents the risks probability. Assessing risk probability may be difficult and expertise of individuals, who have managed similar projects in the past, may be needed. An ordinal scale, representing relative probability values such as: very low (= very unlikely), low, medium, high, very high (= almost certain), could be used. Alternatively, specific probabilities could be assigned by using a general scale like  0,1 0,3 0,5 0, 7 0,9.

The thick black line represents the “risk tolerance line”. This line is defined for a specific project by agreement between the Executive and Project Manager and indicates how much risk the Project Steering Committee is prepared to take. It may be prepared to take comparatively large risks in some areas and none at all in others, depending on the characteristics of the project, as well as the general policy of the organisation regarding the risk tolerance. For example in case of an EU funded project, the Project Steering Committee may have very little financial risk tolerance, but allow for more risk tolerance in terms of political changes. When setting the risk tolerance line, it is important to find the optimum balance of accepting a risks occurrence against the cost of limiting that risk. In any case, the risk tolerance line should reflect not only the acceptance or not of individual (specific) risks, but also the organisations overall tolerance of exposure to risk.  

Risks with high probability and high impact are positioned above and right of the “risk tolerance line” and usually need more thorough examination and aggressive formal risk management.

Tool 1-7: Risk Rating Matrix








Very High
























Very Low







Very Low




Very High


* The numbers in the cells represent the ID numbers of the identified risks of a certain project.


© 2007 Republic of Cyprus, Treasury of the Republic, Public Procurement Directorate
Home Page | Government Web Portal | Disclaimer | Webmaster