HKSM

Systematically discover and record uncertain events or conditions—both threats and opportunities—that could affect project, program, or product objectives.

Purpose & When to Use

Identify Risks finds uncertainties that might help or harm objectives, so the team can analyze and plan responses early. It is not a one-time step; repeat it throughout the life cycle and at key change points.

• Start early during chartering and planning to shape realistic scope, schedule, and budget.
• Repeat at iteration boundaries, major milestones, phase gates, and when significant changes or new information appear.
• Use it in any delivery approach (predictive, hybrid, or agile) to capture both threats and opportunities.

Mini Flow (How It’s Done)

• Set context and categories. Define objectives, boundaries, and a simple Risk Breakdown Structure or prompt list (for example, technical, external, organizational, project management) to guide thinking.
• Gather inputs. Review the charter, business case, roadmap or WBS, schedule, cost estimates, assumptions and constraints, stakeholder information, contracts, and prior lessons learned.
• Select techniques. Use a mix such as brainstorming, checklists, interviews, Delphi, document and interface analysis, assumption and constraint analysis, root cause analysis, SWOT, and prompt lists.
• Run sessions. Facilitate inclusive workshops and focused interviews; encourage psychological safety so people share potential problems and benefits.
• Write clear risk statements. Use a cause–risk–impact format and note category, potential triggers, potential owners, and early response ideas.
• Screen and consolidate. Merge duplicates, clarify scope, distinguish threats vs. opportunities, and remove non-risks or current issues.
• Create or update the risk register. Record descriptions, categories, sources, root causes, potential owners, and links to objectives or deliverables.
• Update related logs. Refresh the assumptions and constraints log, stakeholder register, and lessons learned as needed.
• Plan next steps. Schedule qualitative risk analysis, capture any urgent immediate responses, and define cadences for ongoing identification.
• Communicate. Share outcomes with stakeholders and integrate into backlog refinement, planning meetings, or status reviews.

Quality & Acceptance Checklist

• Each risk uses a clear cause–event–impact statement that ties to objectives or deliverables.
• Both threats and opportunities are captured and labeled.
• Each risk has a preliminary owner or point of contact.
• Categories are applied consistently using an agreed taxonomy or RBS.
• Sources, root causes, and potential triggers or early indicators are documented.
• Key assumptions and constraints were reviewed and updated.
• Stakeholder input was sought from diverse roles, including vendors or end users when relevant.
• Non-risks were filtered out and moved to the issue log if already occurring.
• Entries are traceable to scope items, backlog elements, or work packages.
• Data quality and notable uncertainties or information gaps are noted.
• Results are shared and stored in the agreed repository for easy access.

Common Mistakes & Exam Traps

• Treating risks as only negative and ignoring opportunities.
• Confusing current issues with future uncertainties.
• Using a single technique and missing risks outside that lens.
• Not involving the right stakeholders or subject matter experts.
• Jumping to detailed response planning before basic identification and prioritization.
• Failing to update the assumptions and constraints log.
• Missing external or systemic risks such as regulatory, supply chain, or market shifts.
• Writing vague risk statements without cause or impact.
• Treating risk identification as a one-time workshop instead of a continuous activity.
• On adaptive projects, skipping risk conversations during backlog refinement and reviews.

PMP Example Question

During a risk workshop, the team lists many uncertainties. What should the project manager do next to ensure the results are usable?

1. Start calculating overall project contingency based on the list.
2. Assign detailed mitigation actions and schedule them immediately.
3. Consolidate and clarify each risk using a cause–event–impact format and update the risk register.
4. Escalate all high-impact items to the sponsor for approval.

Correct Answer: C — Consolidate and clarify each risk using a cause–event–impact format and update the risk register.

Explanation: After identification, ensure entries are clear, categorized, and recorded in the risk register before prioritizing or planning detailed responses.