Premium Resources

Risk Identification and Analysis

Risk Categories

Risk categories can be broad including the sources of risks that the organization has experienced. Some of the categories could be:

  • External: Government related, Regulatory, environmental, market-related.

  • Internal: Service related, Customer Satisfaction related, Cost-related, Quality related.

  • Technical: Any change in technology related.

  • Unforeseeable: Some risks about 9-10% can be unforeseeable risks.

Types of Risks

In addition to risk categories, there is more classification of risk types:

Threats - these are negative risks.

Opportunities - these are positive risks.

Risk Identification: Tools And Techniques

Documentation Reviews

The standard practice to identify risks is reviewing project related documents such as lessons learned, articles, organizational process assets, etc

Information Gathering Techniques

The given techniques are similar to the techniques used to collect requirements. Let's look at a few of them:


Brainstorming is done with a group of people who focus on the identification of risk for the project.

Delphi Technique

A team of experts has consulted anonymously. A list of required information is sent to experts, responses are compiled, and results are sent back to them for further review until a consensus is reached.


An interview is conducted with project participants, stakeholders, experts, etc to identify risks.

Root Cause Analysis

Root causes are determined for the identified risks. These root causes are further used to identify additional risks.

Swot Analysis (Strength, Weakness, Opportunities, and Threats)

Strengths and weaknesses are identified for the project and thus, risks are determined.

Checklist Analysis

The checklist of risk categories is used to come up with additional risks for the project.

Assumption Analysis

Identification of different assumptions of the project and determining their validity further helps in identifying risks for the project.

Outputs to Identify Risks

This process of Risk Identification results in the creation of Risk Register.

Risk Register

A Risk Register is a living document that is updated regularly throughout the life cycle of the project. It becomes a part of project documents and is included in the historical records that are used for future projects. The risk register includes:

  • List of Risks

  • List of Potential Responses

  • Root Causes of Risks

  • Updated Risk Categories

Tools and Techniques:

Some of the tools that can be used for qualitative risk analysis include:

Probability And Impact Matrix

The matrix helps in identifying those risks which require an immediate response. The matrix may be customized according to the needs of the project. Most companies do have a standardized template for this matrix and project managers could leverage those templates as well. Use of a standardized matrix makes the matrix list more repeatable between projects.

Perform Qualitative Risk Analysis

The next step of Qualitative risk analysis is to analyze the probability and impact of risks in Perform Quantitative Risk. The purpose of Quantitative Risk Analysis is:

  • Identification of risk response that requires urgent attention

  • Identify the exposure of risk on the project

  • Identify the impact of risk on the objective of the project

  • Determine cost and schedule reserves that could be required if the risk occurs

  • Identify risks requiring more attention

Risk Data Quality Assessment

Data is collated for the identified risks. The project manager will try to find the precision of the data that must be analyzed for completing the qualitative analysis of risks.

For each risk, in Risk Data Quality Assessment, the project manager needs to determine:

  • The extent of the understanding of the risk

  • Data available

  • Quality and reliability of the data

  • The integrity of the data

Perform Quantitative Risk Analysis

The numerical analysis of the combined effect of individual risks is done in this process, helping in the creation of risk response plans later. This process may be skipped in projects where risk quantifying competency is not available or the project is of a short duration. Risk workshop, sensitivity analysis, representations of uncertainty, sensitivity analysis with Tornado diagrams, influence diagrams are some of the techniques in addition to EMV, simulation and decision tree explained further.

Expected Monetary Value Analysis

Expected Monetary Value is a good measure to determine the overall ranking of risks. The formula is:

EMV = P * I

Where EMV = Expected Monetary Value

P = Probability

I = Impact

Monte Carlo Analysis (Simulation Technique)

The Monte Carlo analysis simulates the cost or schedule results of the project. The primary inputs for this analysis are the network diagram and estimate to perform the project

A Monte Carlo analysis:

  • Requires a computer-based program

  • Evaluates the overall risk in the project

  • Determines the probability of completing the project on any specific day, or for any specific cost

  • Determines the probability of any activity actually being on the critical path

  • Path convergence is taken into account

  • Cost and schedule impacts can be assessed

  • Results in a probability distribution

Decision Tree

A decision tree helps to analyze many alternatives at one single point of time. They are models of the real situation. A decision tree takes into account future events in making the decision today. It helps calculate Expected Monetary Value in more complex situations. It also involves Mutual Exclusivity.


  • Prioritized list of quantified risks

  • Amount of contingency time and cost reserves needed

  • Possible realistic and achievable completion dates and project costs, with confidence levels, versus the time and cost objectives for the project

  • The quantified probability of meeting the project objectives

  • Trends in quantitative risk analysis

Related Topics