Risk Identification

Have you ever heard the phrase, “We don’t know what we don’t know?”  The idea of risk management – with risk identification in particular – is the process of reducing the unknown to the least amount possible. The problem with that is how do you know when you are done?  The unknown is still the unknown.  The real trick is to eliminate or mitigate as many possible risks as you can reasonably foresee, along with taking the time to actually run through several scenarios in which not everything goes as planned.

http://international.fhwa.dot.gov/riskassess/risk_hcm06_02.cfm

As a “technical” type of person, I used to expect things to work as designed or for projects to be as easy as I envisioned.  From working on my car to installing server systems, experience has taught me that anything can happen, so I always try to add extra time to whatever I figure the project should take.  Most issues can be solved with enough time (and sometimes money), which is the paradox in project management; You try to add in buffer time to account for unforeseen issues, yet still present a short timeline for the customer.  As part of the risk mitigation process, I have always favored extra time in a schedule since no one is ever upset when and if you finish early.

http://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-identification

In risk management, the first thing we have to ask ourselves is, “What is a risk?”  A risk is the “effect of uncertainty on objectives,” and an effect is a positive or negative deviation from what is expected. Most organizations focus on the negative effects from risk, which is what we are truly attempting to mitigate. However, risk by definition can have a positive effect.  I have tried several times to enter a positive risk into our risk databases for projects I was working; Usually they are discarded as they are viewed as a positive outcome.  Now I will admit that some of the “positive risks” I have envisioned involved unknown magical fairies breaking in at night and completing my work ahead of schedule, but some of them were actually possible and could have been leveraged to our advantage.

http://www.praxiom.com/iso-31000-terms.htm

Murphy’s Law is real and applies more often than not in risk management.  There have been more times than I like to admit when I thought of a risk that seemed inconsequential or improbable that later turned out to be a real issue, costing more time to correct than I would have ever imagined.  I believe that you get better at identifying risks with experience – You only have to touch a hot stove so many times before you know to watch out for it.  I have found it helpful to have “Risk Storming” sessions where several engineers will talk a project through and look for the “gotchas;” It is truly surprising what a fresh set of eyes and different perspectives can see.

http://www.murphys-laws.com/murphy/murphy-laws.html