Risk Identification is an ongoing and continuous activity that takes place during the Risk Management Process and throughout the life-cycle of a project. Each step in the Risk Management Process should include some level of risk identification. Project activities such as programmatic and technical meetings, risk analysis, risk planning, telecons, reviews bring to light new and old project risks. Lessons learned databases also are a good source for identifying potential risks. When this occurs, they should be recorded in a database and analyzed.

Risk Identification Procedures

The procedures outlined below help the Risk Integrated Product Team (IPT), Program Manager (PM) and Systems Engineer identify project risks throughout the life of a project. Procedures include:

1. Risk Integrated Product Team (IPT) identifies a list of potential risk items.  There are various methods of identifying risks. Risk can be identified from:
   • Lessons Learned
   • Subject Matter Experts (SME)
   • Prior Experiences
   • Technology Readiness Level (TRL) determination
   • Programmatic Constraints
   • Brain Storming
   • Work Breakdown Structure (WBS)
2. Risks are determined to be acceptable or not. Not all risk items identified in step 1 are accepted.
3. Accepted risks should be recorded and put into a Risk Register
4. Identify root causes for each identified risk
5. Risk analysis should examine each identified risk to refine the description of the risk, isolate the cause, determine the effects, and aid in setting risk mitigation priorities. (Risk Reporting Matrix)
6. Risk Mitigation Planning should address each risk with action items and due dates.
7. Risk Integrated Product Team (IPT) meets regularly (every 2 weeks) to assess risks and add new risk items, if necessary.
8. Risks are closed when all the actions to close the risk have been taken. Some risk items are closed quickly; others are open for a long time. Some are considered watch items and the action plan doesn’t kick in until certain negative events happen.
9. Closed risks remain in the database for future learning.

Common Risk Identification Methods

• Objectives-based risk identification: Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk.
• Scenario-based risk identification: In scenario analysis, different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk.
• Taxonomy-based risk identification: The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.
• Common-risk checking: In several industries lists with known risks are available. Each risk in the list can be checked for application to a particular situation.

AcqLinks and References:

• DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisitions- Jan 2017
• (old) DoD Risk Management Guidebook – Aug 06
• Risk Assessment Checklist
• Risk Assessment Worksheet and Management Plan
• Continuous Risk Management Guidebook by Carnegie Melon
• Template: Risk Management Plan
• Template: Project Rick Management Template

Updated: 7/20/2021

Rank: G1