1.5.3.5 Risk Identification & Assessment

Home Page  <<  >>

Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. A risk has a cause and if it occurs a consequence. In order to maximize the probability and consequences of positive events and minimize the probability and consequences of adverse events to project objectives, risk management processes must be established.

During the Project Initiation Phase, the risks that might affect the project must be identified and their characteristics must be documented in the Risk Log. The Risk Log is a document that needs to be created during the preparation of Project Fiche and be refined at the next phases of the Project Management Cycle. The Risk Log is a control tool for the Project Manager providing a quick reference to the key risks facing the project, what monitoring activities should be taking place and by whom.

A template of Risk Log is presented in Annex 1-6. In this template except of the suggested structure, guidance is also provided. Furthermore, in the same Annex a completed Risk Log14 [ This example refers to existing Cypriot Project that has been funded by EU Transition Funds. ] is presented in order to facilitate the understanding on how each section should be completed.

When Project Owner studies the Project Fiche, also examines the Risk Log and must decide whether project initiation can be justified or whether there are serious threats for the projects success. Pragmatically, the Project design team (or the Project Manager if he/she has been appointed) should have discussed informally with the representatives of the Project Owner any known risks that seem to threaten the projects viability.

Risk identification is an iterative process. The risks identified and registered in the Risk Log during the preparation of Project Fiche, are evident, normally concerning availability of resources, impending or mooted legislation, dependencies with other projects and their results. These risks should be refined during the Planning Phase when the Project Plan is being created. Generally, there should be a check for any new risks every time the Risk Log is reviewed, at least at the end of each stage. The Project Steering Committee has the responsibility to continually check external events for external risks.

Risks Identification

Techniques to be used for the identification of possible risks during the Project Initiation Phase are being presented below:

Performing structured review of the Business Case Document as well as the projects approach recorded in the Project Fiche
Performing brainstorming. The project design team usually performs brainstorming, although a multidisciplinary set of experts can also perform this technique. Under the leadership of a person who plays the role of the facilitator, these people generate ideas about possible project risks.
Risks can be identified by interviews of experienced project managers or subject matter experts. The appropriate individuals have to be identified, the design team briefs them on the project and the interviewees based on their experience identify risks
The design team uses as a guide an almost standard checklist of possible risks, which is usually developed based on historical information and knowledge that has been accumulated from the implementation of different scale and type projects. Since it is impossible to build an exhaustive list of risks, care should be taken to explore items that do not appear at a standard checklist if they seem relevant to the specific project.

The Checklist presented below has been developed for PRINCE2 Methodology and could be used as a starting point for identifying the main areas of risks for projects implemented using in sourcing or outsourcing.

Checklist 1-4: Risk identification

Strategic/ Commercial risks

Under performance to specification

 

Management will under-perform against expectations

 

Collapse of contractors

 

Insolvency of Funding Source (applicable only in case of Private contribution in the funding)

 

Failure of suppliers to meet contractual commitments, this could be in terms of quality, quantity, timescales or their own exposure to risk

 

Insufficient capital revenues

 

Market fluctuations

 

Fraud/ theft

 

Partnerships failing to deliver the desired outcome

 

The situation being non insurable (or cost of insurance outweighs the benefit)

 

Lack of availability of capital investment

 

Economic/ financial/ market

Exchange rate fluctuation

 

Interest rate instability

 

Inflation

 

Shortage of working capital

 

Market developments will adversely affect plans

 

Legal and regulatory

New or changed legislation may invalidate assumptions upon which the activity is based

 

Failure to obtain appropriate approval, e.g. planning consent

 

Unforeseen inclusion of contingent liabilities

 

Failure to achieve satisfactory contractual arrangements

 

Unexpected regulatory controls or licensing requirements

 

Changes in tax structure

 

Organisation/ Management/ Human factors

Management incompetence

 

Inadequate corporate policies

 

Inadequate adoption of management practices

 

Poor leadership

 

Key personnel have inadequate authority to fulfil their roles

 

Key personnel have inadequate time to deal with the project due to heavy workload

 

Poor staff selection procedures

 

Lack of clarity over roles and responsibilities

 

Vested interests creating conflict and compromising the overall aims

 

Group interests given unwarranted priority

 

Indecision or inappropriate decision making

 

Lack of  operational support

 

Inadequate or inaccurate information

 

Health and safety constraints

 

Political

Change of governmental policy (national or international)

 

Change of government

 

War or disorder

 

Adverse public opinion/ media intervention

 

Environmental

Natural disasters

 

Storms, flooding, tempests

 

Pollution incidents

 

Transport problems, including aircraft/vehicle collisions

 

Ecosystem (flora, fauna) disturbance

 

Technical/ Operational/ Infrastructure

Inadequate design

 

Professional negligence

 

Human error/ incompetence

 

Infrastructure failure

 

Operation lifetime lower than expected

 

Residual value of assets lower than expected

 

Increased dismantling/ decommissioning costs

 

Safety being compromised

 

Performance failure

 

Residual maintenance problems

 

Scope “creep”

 

Unclear expectations

 

Breaches in security/ information security

 

Lack of inadequacy of business continuity

 

Risk Assessment

Risk assessment is the process of assessing the impact and probability of identified risks.

Risk Probability is the likelihood that a risk will occur. Risk impact is the effect on project elements if the risk event occurs. For example, major damage to a building is relatively unlikely to happen (low probability), but would have enormous impact on business continuity. Conversely, occasional personal computer system failure is fairly likely to happen (high probability), but would not usually have a major impact on the business.

Impact should be considered under the elements of:

Scope
Timescale
Quality of deliverables
Benefit
People/ resources

When considering a risks probability, another aspect is when the risk might occur. Some risks will be predicted to occur further away in time than others, so attention has to be paid on the more immediate ones.

In order to increase the visibility of risks and assist management decision making, the probability/ impact risk rating matrix (or Risk Profile as it is called in PRINCE2 Methodology) can be used. It is a graphical representation of information normally found in Risk Logs. An example of a completed Risk Rating Matrix is presented in the figure below (Tool 1-7).

The horizontal axe represents the risks impact and its scale reflects the severity of its effect on the project. Impacts can be ordinal or cardinal, depending on the culture of the organization conducting the analysis. Ordinal scales are simply rank ordered values, such as very low, low, medium, high and very high. Cardinal scales assign values to these impacts. These values could be linear or nonlinear (e.g. 0,1 0,3 0,5 0,7 0,9). Both approaches intend to assign a relative value to the impact if the risk in question occurs. However, the ordinal scales are the ones most in use.

The vertical axe represents the risks probability. Assessing risk probability may be difficult and expertise of individuals, who have managed similar projects in the past, may be needed. An ordinal scale, representing relative probability values such as: very low (= very unlikely), low, medium, high, very high (= almost certain), could be used. Alternatively, specific probabilities could be assigned by using a general scale like  0,1 0,3 0,5 0, 7 0,9.

The thick black line represents the “risk tolerance line”. This line is defined for a specific project by agreement between the Executive and Project Manager and indicates how much risk the Project Steering Committee is prepared to take. It may be prepared to take comparatively large risks in some areas and none at all in others, depending on the characteristics of the project, as well as the general policy of the organisation regarding the risk tolerance. For example in case of an EU funded project, the Project Steering Committee may have very little financial risk tolerance, but allow for more risk tolerance in terms of political changes. When setting the risk tolerance line, it is important to find the optimum balance of accepting a risks occurrence against the cost of limiting that risk. In any case, the risk tolerance line should reflect not only the acceptance or not of individual (specific) risks, but also the organisations overall tolerance of exposure to risk.  

Risks with high probability and high impact are positioned above and right of the “risk tolerance line” and usually need more thorough examination and aggressive formal risk management.

Tool 1-7: Risk Rating Matrix

 

Probability

 

 

 

 

 

Very High

 

 

 

 

 

High

 

2*

4*

 

 

Medium

1*

 

3*

5*

 

Low

 

 

 

 

 

Very Low

 

 

 

 

 

Impact

Very Low

Low

Medium

High

Very High

                                                                       

* The numbers in the cells represent the ID numbers of the identified risks of a certain project.

 


© 2007 Republic of Cyprus, Treasury of the Republic, Public Procurement Directorate
Home Page | Government Web Portal | Disclaimer | Webmaster