There are an almost unlimited sources of input into the risk identification process. Assumptions analysis, expert knowledge, constraint, dependencies, a work breakdown structure, and of course the fears, uncertainty and doubt of your team members. With so many inputs, it can be challenging to ensure that a focused, meaningful set of risks is identified and managed.
If you come up with an exhaustive list of risks, the effort spent in managing them will likely exceed the benefits realized, and worse, by drowning your sponsor and other stakeholders in minutiae you will be reducing perceived credibility in your team and in project risk management in general.
So how can we apply an appropriate level of filtering to which risks are managed and communicated?
A good place to start is with stakeholder analysis. By performing a preliminary stakeholder analysis, you can determine the following:
What specific concerns do they have about your project? For example, are they more worried about its change impacts, or are they looking at it through the lens of a “bean counter”? That will help you understand which risks are likely to be meaningful to them as well as which they would be likely to actively respond to as risk owners.
What is their risk bias? If they are highly risk tolerant, you may not get as much support from them in responding to risks as you’d like.
How actively do they wish to be involved in your project? Highly engaged stakeholders will likely add a lot of value by participating in risk identification & assessment sessions and may actively volunteer to own certain risks whereas those who don’t see your project as being of high importance to them may not add much value by being invited to these sessions.
How optimistic are they regarding the project’s chances for success? If you have a stakeholder who is a Sally Sunshine, she might be a great input into opportunity identification, but might be a lot less helpful in identifying threats.
Of course, one of the biggest benefits which stakeholder analysis can deliver is in helping to identify those stakeholders who are clearly not supportive of the project. Their actions pose clear and present danger to your project’s outcomes, and while you may not reflect these risks in a publicly shared risk register, they need to be managed as effectively as the more politically correct risks.
If we accept Dr. David Hillson’s description of risk as being “uncertainty that matters“, the question should arise – matters to whom? The answer is your key stakeholders.