The facilitated risk assessment

When the team meet for the first risk assessment, and the risk management plan has been discussed and understood, they begin identifying risks. A structured workshop usually captures a set of risks from the project team, and other assumptions about the project that may cause uncertainty. Facilitation techniques are used to collect input from as wide a team as possible, and to focus the session on identifying, rather than further qualifying the issues raised.

Subsequent workshops and team and individual interviews further refine the risk assessment by focusing attention on causes, likelihoods and consequences of the risks identified. At this stage similar risks can be combined if appropriate, or agreed to be excluded or outside the scope of the assessment.

The risk assessment is intended to be a realistic, honest expression of risk as the project team sees it. Some risks the project may be able to address and mitigate; others it may need to accept. For all risks within the scope of the assessment, the risk assessment asks the team to quantify (to a certain degree) them: likelihoods are given as probabilities, or bands of probability, and consequences are given as numbers of days, or sums of money, or at least broad bands of magnitude. Assumptions are given degrees of uncertainty, by establishing the reasonable ranges of expectation.

As the risk assessment progresses, the risk model (the framework in which the risks are being assessed) begins to show the logical effect of the assessments the team are making, so that they can see the connection with their individual assessments and the overall project risk assessment. The risk model, by eliciting reasonable ranges of expectation from the project team around individual assumptions, and by showing them the corresponding expectation for the project as a whole, gives the team confidence that their assessment does reasonably reflect the project as it is likely to pan out. The model helps the team understand how risks behave by showing how specific areas of the project are exposed to risk, and how the risk "rolls up" through the project structure; by seeing how the overall risk breaks down through the individual components, the team can explore and validate the risk assessment as they have described it.

As the team discusses the assumptions they are making, and the risks they are taking, they will also discuss actions that could be taken to mitigate risk, or to strengthen the assumptions. The risk assessment needs to capture and document such mitigation actions, and to elicit the team’s beliefs on how effective they will be, and the resources they will require, as well as how much approval they have and how they will be planned and carried out.

Click here for more information on risk assessments.

Between five and ten days of focussed risk assessment could be expected to establish a defendable risk register and risk model, for a typical medium-sized project. The full project team would be required for the initial 2-3 days; the remainder of the assessment is carried out by smaller groups.

Note: These estimates of effort depend on many factors including project complexity, scope of assessment, team availability, and extent of changes to assumptions during the assessment process.

This step repeats as part of the ongoing risk reviews throughout the project.