Security

Look for inherent risks before starting your project

If your project has many inherent risks that fall into a high-risk category, it doesn't mean you won't be successful. It only means that you should put plans into place to manage the risks.

When you are defining a project, you want to perform a complete assessment of project risk. The risk assessment is done in two parts. First, look at the risks that are inherent to your project based on its general characteristics. Second, after you identify inherent risks, spend time looking at risks that are specific to your project.

Inherent risks are the place to start. The logic behind inherent risks is as follows:

  • A project that is estimated to take 10,000 effort hours is inherently more risky than one that is estimated at 100 effort hours.
  • A project that has 20 people is inherently more risky than one with three people.
  • A project that is using new technology is inherently more risky than one that is using technology your team is comfortable with.

Notice that in each of these examples, you don't know the specifics of the project. Inherent risks are based on the characteristics of the project--regardless of the specific deliverables being produced.

None of the inherent risks mean that the project is definitely in trouble. Even if you identify some inherent risks as high, other project factors will come into play as well that may mitigate the risk. If your project has many inherent risks that fall into a high-risk category, it doesn't mean you won't be successful. It only means that you should put plans into place to manage the risks.

The table below identifies characteristics that may imply risk, as well as criteria for knowing if it is high-risk and low-risk. Depending on where your project characteristics fall, you can evaluate your project to determine whether each risk is high, medium, or low. (Medium risks fall in between the extremes.) The inherent risks need to be customized for each company or organization. For instance, one company might consider a project over 2,000 hours to be high-risk (for that category). However, if your organization normally deals with large projects, you may change the criteria to state that all projects over 20,000 hours would be high risk.  

In addition to the examples given above (effort hours, size of team, and new technology) inherent risks can include:

Characteristic

High Risk

Low Risk

Duration

Longer than 12 months

Less than 3 months

Number of clients or client organizations

More than three

One

Project scope / deliverables

Poorly defined

Well defined

Project team and client business knowledge

Neither the project team nor the client have solid business knowledge

Both the project team and the client have solid business knowledge

Dependency on other projects or outside teams

Dependent on three or more outside projects or teams

No more than one dependency on an outside project or team

Client commitment

Unknown, passive

Passionate

Changes required to existing procedures, processes and policies

Large amount of change

Little change

Project manager experience

Little experience on similar projects

Similar experience on multiple projects

Use of formal methodology

No formal methods or processes

Standard methods in use

If your project has many inherent risks rated highly, you might consider the entire project as high-risk. A "high-risk" project might trigger extra scrutiny on the part of management to make sure that the project receives the attention it needs to be successful.   

0 comments