One of the most important points in risk management is that you find the “right” risks and describe them clearly. Finding and describing risks is not that easy. But if you pay attention to some important points, your efforts will soon bear fruit. This article will help you to find the right risks and describe them in a certain format so that you can define the right measures afterwards.
Finding the “Right” Risks
The first step is to identify potential risks. There are various methods for this, such as brainstorming, expert interviews, checklists, etc. I have described the methods in great detail in this book. Once you have discovered risks, you need to formulate them correctly. This seems banal. In practice, however, you see many inaccurately formulated risks, where nobody understands exactly what they mean.
The more precisely and concretely you formulate your risks, the more concretely you can define the measures for them and the more effective your risk management will be. Only if you formulate the risks systematically and carefully can you ensure that:
- everyone understands exactly what kind of risk it is.
- the identified risk is accepted as relevant
- the right measures are taken
A description at too high level, such as “something unexpected could happen during the project”, is of course not useful, as no meaningful measures are possible at this high level. However, too much attention to detail does not make sense either.
The “Cause – Risk – Effect” Format
Risks are also very often mixed up with facts or current problems, but also often with causes from which risks arise. To understand a risk fully it is helpful to identify its causes as well as its effects. Then describe the risk in your risk log clearly and Unambiguously in the “Cause – Risk – Effect” format. With this format you have to make a little more effort in defining risks. However, it helps you to deal more intensively with the risks and to clearly separate risks from causes and impacts.
„As a result of [Definitve Cause], [Uncertain Event ] may occur, which would/could/may lead to [Effect].”
Note that a risk can have more than one cause or effect.
This sentence construction helps you to focus on the actual risks. However, it can also be used to “generate” risks if you start from one end or the other (i.e. cause or effect). Here is a simple example:
Cause: Change to a new Windows version
Risk: Our planned hardware may not be powerful enough
Effect: Additional costs for hardware upgrade and time delay
It is important that you know the right root cause for the uncertainty. Most of the time the root cause is much deeper than you first assume. With the 5 W-Questions you get much closer to the root cause. How you do this is explained in this article.
Describing risks in the “Cause – Risk – Effect” format will certainly give a little more work—but you will find the “right” risks more likely this way. So you can fill in the columns [Cause], [Risk] and [Effect] in your risk log and see how you discovered the risks. I promise you that if you do it this way, your risk management will be much more effective!
What is your experience with identifying and describing risks? Do you agree with my statements or do you have another opinion? Share your experience with a commentary so that we all get to know another view. Thank you!
Would you like to learn more about risk management in projects? My books on Project Risk Management take you an important step further!
Do you know anyone who might be interested in this article? Then simply forward it or share it. Thank you!