Many people ask me how I proceed when doing a project risk assessment workshop on a project. Well… I ask questions. Actually 12 of them repeatedly. Not only for the assessment portion, but to cover the whole project risk management process cycle: identification, reality check (not in PMBoK per se), analysis, response, and monitoring and control. Firstly, I never use the word “risk” in those workshops, but rather “concern” or “worry”. Most people just hate to talk about risks....a primitive type of magic thinking to the effect that if we talk about a risk, it will happen (a curious belief since it is the contrary that will happen!!).

Secondly, I do risk management on the project at stake, not using so-called risk checklists and taxonomies. I start with having everybody on the workshop agreeing on a project charter and a workable WBS (which most of the time do not exist the first time I am called in, six to 12 months after the start of the project). Thus, addressing each of the major elements of the charter, and after of the WBS, I start asking my questions.

I separated these questions by risk management process step, with commentaries, to help you see clearly how this goes.

Risk identification

1- Do you have any worries or concerns with respect to...?

I ask this question systematically to everyone present, for each of the major elements of the charter (constraints, project strategy, key success factors, assumptions, etc..) and then for each of the major element of the WBS (looking in this case at inputs, outputs and the transformation process used to deliver the outputs of the element)

Reality check

This is not in the PMBoK, as a separate step per se. This is a little Ishikawa process I added to find root causes and treat them instead of acting on risk symptoms. (It’s my little contribution to improving on the currently used and often unsuccessful risk assessment methodologies)

2- Why are you concerned or worried? Because of a past experience, a current state of affairs or an intuition about possible future events?

On a 100 M $ project I looked at, after a year since its start, this question helped the risk assessment team (12 people) reduce the original 300 concerns or so, found with the first question above, to 67 root causes that everyone could see “in the present” or concerns based on past experiences (I threw away nothing since many original concerns had a the same root cause)

Risk analysis

I then ask three questions on each root cause identified “in the present”, thus one that everybody can see, a “known-known,” if we use the cryptic terminology of the seasoned PMP. Here, I want everybody on the team to agree on the foreseen impact…and it is a lot easier to agree on this if everybody can see the same present situation.

3- What happens if we do nothing with respect to this concern?

4- Would it put the project objectives or part of them in danger?

5- If we do nothing, how fast can we be endangered?

....measures urgency to act if we have to act

6- What is the probability this thing could happen if we do nothing?

...measures probability of occurrence. I purposely delay talking about probabilities at the latest moment possible, since this is highly fuzzy business and nobody sees the same future. But usually, if I got people to agree on root causes everyone can see in the present, they very rapidly agree about the impact of doing nothing about it. So the probability question is settled very fast, as everybody desires to act on the group-perceived danger of doing nothing.

Risk response

7- So, if we need to act, what do we do?

8- Who is responsible to do it and report on it?

9- When will that be done?

Acting on perceived dangers or current problems is the real reason we do risk assessment workshops on projects. I say that because most organizations, which have documented project risk management processes (not many), do not use them consistently. Most, of the very few that do use them, feel happy with stopping the process after producing those colourful red-yellow-green risk probability-impact matrices (that cannot be understood, by the way, by 15 % of the male population, the men who are color-blind). These nice looking matrices are useless if we do not act on them. So, do something (which is only possible if all stakeholders agree to act on a risk element. They can only agree if they see the same present root causes and are all worried together when they see them).

I got a complete risk response plan with 67 elements (dates, everything) on the 100 M $ project mentioned above, after a discussion of only 90 minutes or so, because everybody (12 people in the workshop) knew that they had to act fast, all convinced of the dangers they ALL saw clearly in the same “present situation” they at last shared on this project.

Risk monitoring and control (so...continuous risk assessment)

10- Does our risk response plan works?

11- If not, what do we do now?

12- ...And today, do you have any new worries or concerns with respect to...?

Here we start the cycle all over again.

Since project risk management is a continuous process, who should ask these questions?
Me or another facilitator? No, we are not there all the time.
A “special” risk management manager assigned to the project? No, we already have a manager on this project.

A project manager fully aware that risk management is his/her responsibility, because s/he has been hired to do just that; manage uncertainty? I strongly believe so.