Identify, Assess, and Address Risk

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain the three dimensions of a risk.
  • Describe the four ways to address risks.

Let’s look at three main tasks in the risk management process: identify, assess, and address.

Identify Risk

The first step in risk management is risk identification—detecting, documenting, and communicating the causes and anticipated effects of project risks.

When you identify risk, it’s best to look at all project areas. Look internally and externally. Look to the past and the future. Here’s a handy summary to help you be as comprehensive as possible.

Area Considerations
Stakeholders
  • Identify all the key players.
  • Determine how well they know the products in the solution.
  • Assess their availability. Account for planned time off, holidays, and unrelated business commitments.
Cost, quality, and time
  • Clearly define each key area.
  • Ensure all stakeholders agree on these.
Technical complexity
  • What is the complexity level? Is this an out-of-the-box or highly customized solution? What processes are involved?
  • More complex projects typically involve more risk.
Project management and governance
  • Identify how closely your development methodology aligns with the project at hand, and whether any adaptations need to be made.
  • List the available tools and any dependencies or alternatives.
  • Is there a need for third-party solutions?
Your team
  • Identify team roles and responsibilities.
  • Choose team members who fit these roles best.
  • Account for all their time commitments.
External events
  • Identify risk-inherent events, such as mergers, and mishaps, such as natural disasters.
Historical project data
  • Review historical data for similar projects: risk lists, scope, estimates, schedules, and what actually happened versus what was planned.

As you sleuth out risk, it’s easy to look for apparent problems such as loss of people or functionality that may break. But risks can masquerade as benefits. For example, your customer’s revenue skyrockets. That’s a good thing, but now they can afford more features. Sure enough, they ask to increase scope. That’s a risk. 

Try to follow a sequence of events to help you identify risk in all its forms and from all angles. In this case, more revenue leads to a hunger for more features in your app. That leads to scope creep, and if you’re not careful, an overcommitment to work you’re not equipped to handle.

One more thing to keep in mind: Risk identification isn’t a one-time task. New risks can pop up at any point in the project lifecycle. Keep an eye out for new risks at every stage.

Assess Risk

Now that you know how to identify risks, let’s look at ways to assess each risk.

Risks have three dimensions. 

  • Probability: The likelihood that the risk happens.
  • Impact: How the risk affects the scope, schedule, and cost of a project.
  • Proximity: How soon the risk will happen, given the length of the project.

Consider all three dimensions. Then, quantify your assessment by assigning a score. Use whatever scale you prefer, such as high-medium-low, or 1–100. Scores make it easier to prioritize risks and determine which to address first. 

Back to those SuperTasty cheese sandwiches. Suppose the cafe uses this approach to assess its risk of running out of cheese. It might come up with something like this.

  • Probability: The cafe manager was vacationing in Bora Bora and hasn’t taken an inventory in 2 weeks. The probability of running out of cheese is high.
  • Impact: If the cafe runs out of ingredients, it can’t sell as many sandwiches. The impact is lost revenue.
  • Proximity: Every day is a new sales cycle. The proximity is imminent.

| Risk | Probability | Impact | Proximity | Overall Score |
|---|---|---|---|---|
| The cafe runs out of SuperTasty cheese. | High | High | High | High |

The overall score for this risk is high. It’s best to address it as a top priority.

Address Risk

Evaluating the dimensions of each risk not only helps you prioritize them, it also helps you determine the best way to address them. There are four ways to address a risk: transfer, eliminate, accept, or mitigate (TEAM).

Transfer: Transfer risks to another team or another project. For example, instead of coding a customization, use an existing third-party plug-in. This may bring up other risks, but ones that are more acceptable to your team.

Eliminate: If it’s possible and sensible to completely eliminate a risk, then all the better! That can be as simple as modifying or removing a requirement, or using only well-known, well-tested features and customizations. 

Accept: Sometimes the likelihood that a risk occurs is negligible, and its potential impact is minimal. If the risk actually materializes, your team feels confident that they can absorb the impact into the project without negative repercussions. No further action is needed, unless the risk actually happens. Throughout the project, revisit accepted risks. Make sure that acceptance is still the best choice. 

Mitigate: Develop options and actions that reduce the likelihood that the risk turns into an issue, reduce the impact if it does, or both. Mitigate all risks that can’t be transferred, eliminated, or accepted. 

It’s important to have everyone agree on mitigation plans so that everyone understands the path forward. If mitigation plans affect scope, schedule, or cost, document that in change orders that you share with your customer.

Set Expectations

Even the best-laid risk management plans can go awry if no one knows about them. To ensure that everyone handles risks efficiently, set clear expectations with all your stakeholders.

Here are a few essential expectations to set internally with your project team and any third parties you hire. 

Throughout the project lifecycle, team members regularly:

  • Identify and communicate new risks in a timely manner.
  • Report accurate project task progress.
  • Review and reevaluate risks.

It’s also critical to set expectations externally with customers. Here are some examples.

  • Customers are responsible for communicating with and managing any third parties they hire.
  • Customers are responsible for communicating dependencies, risks, and issues within their team.
  • All change requests are evaluated and documented even if there’s no impact to scope, schedule, or cost.

Now you know the three steps in the risk management process—identify, assess, address. In the next unit, we discuss practical tools and methods that you can use to document, monitor, and communicate project risks.