When should risk assessment begin? The short answer is: at the beginning. When I teach my standard PMP® Exam Prep course, risk assessment is taught on Day 4 of a 5 day class. From a PMBOK® perspective, there are ten (10) knowledge areas in which risk management is the eighth. This leads many people to believe that risk assessment should be conducted at the end of planning but the reality is that risk assessment should be started during project initiation and shouldn’t stop until the project is completed.
Risk assessment should be included during project initiation when the executives are considering a new project. Although done very informally, both opportunities and threats should be discussed when evaluating the feasibility of doing any project. The feasibility study, typically conducted before a large project is funded, is done to address the probability of success and failure of a potential project.
Formal structured risk planning is conducted during the planning phase. Risk Identification is a brainstorming activity to simply list the threats and opportunities that may arise during a project. This should be done the same day planning starts, when requirements are being collected. Because the project is still being progressively elaborated, prioritization of these risk events should not be conducted until later in the planning process at a point where the project management team is confident they understand the risks and can accurately assign probability and impact scores.
Once the Project Scope Statement is written, Qualitative Risk Assessment can begin. This should be the point where team members are getting a solid grasp of the scope of the project and can begin assessing the probability and the impact of failure. Quantitative Risk Assessment should follow to perform a deeper dive into the high probability and high impact events. Expected monetary values can be calculated to monetarily quantify the risks and summarize contingency reserve. The contingency reserve is a good indicator of the financial risk the project is facing. The higher the reserve, the greater the project risk.
Risk Responses should be written throughout planning, specifically no earlier than after the qualitative analysis has ended for any given risk event. Before responses can be written, the project management team must understand the “value” or degree of importance of the risk event. This understanding will drive the level of detail needed in the response. Writing a response to the threat of a team member leaving the project should be less cumbersome then writing a response to the threat of a cyber attack. Regardless of when the response is written, the project management team must work these responses back into the scope of the project. This will undoubtedly create additional activities and time to the project schedule as well as additional costs.