When you are defining a project, you want to perform a complete assessment of project risk. The risk assessment is done in two parts. First, look at the risks that are inherent to your project based on its general characteristics. Second, after you identify inherent risks, spend time looking at risks that are specific to your project.
Inherent risks are the place to start. The logic behind inherent risks is as follows:
- A project that is estimated to take 10,000 effort hours is inherently more risky than one that is estimated at 100 effort hours.
- A project that has 20 people is inherently more risky than one with three people.
- A project that is using new technology is inherently more risky than one that is using technology your team is comfortable with.
Notice that in each of these examples, you don't know the specifics of the project. Inherent risks are based on the characteristics of the project--regardless of the specific deliverables being produced.
None of the inherent risks mean that the project is definitely in trouble. Even if you identify some inherent risks as high, other project factors will come into play as well that may mitigate the risk. If your project has many inherent risks that fall into a high-risk category, it doesn't mean you won't be successful. It only means that you should put plans into place to manage the risks.
The table below identifies characteristics that may imply risk, as well as criteria for knowing if it is high-risk and low-risk. Depending on where your project characteristics fall, you can evaluate your project to determine whether each risk is high, medium, or low. (Medium risks fall in between the extremes.) The inherent risks need to be customized for each company or organization. For instance, one company might consider a project over 2,000 hours to be high-risk (for that category). However, if your organization normally deals with large projects, you may change the criteria to state that all projects over 20,000 hours would be high risk.
In addition to the examples given above (effort hours, size of team, and new technology) inherent risks can include:
| Characteristic | High Risk | Low Risk |
| Duration | Longer than 12 months | Less than 3 months |
| Number of clients or client organizations | More than three | One |
| Project scope / deliverables | Poorly defined | Well defined |
| Project team and client business knowledge | Neither the project team nor the client have solid business knowledge | Both the project team and the client have solid business knowledge |
| Dependency on other projects or outside teams | Dependent on three or more outside projects or teams | No more than one dependency on an outside project or team |
| Client commitment | Unknown, passive | Passionate |
| Changes required to existing procedures, processes and policies | Large amount of change | Little change |
| Project manager experience | Little experience on similar projects | Similar experience on multiple projects |
| Use of formal methodology | No formal methods or processes | Standard methods in use |
If your project has many inherent risks rated highly, you might consider the entire project as high-risk. A "high-risk" project might trigger extra scrutiny on the part of management to make sure that the project receives the attention it needs to be successful.
