(image source: P. Smith and G. Merritt. Proactive Risk Management: Controlling Uncertainty in Product Development. Boca Raton, FL: CRC Press, 2002.)
One of the first tasks in risk management is to determine the risks. However, one must be careful to not identify something as a risk when it is not. A handy algorithm was developed to aid in this assessment and it is shown above. The process starts with the candidate risk. But wait, you may we be thinking that this assumes candidate risks have already been identified. If you are thinking along these lines, then you are correct. Prior to determining if a candidate is a risk, the risks must be identified. Let’s review risk identification first.
Risk Identification Meeting
Risks are identified during the risk identification meeting. For more information on preparing for this meeting, read my post about the 5 W’s since you need to know about them. There are a few important things to keep in mind during the risk identification meeting. First, it is critical that the meeting include a broad spectrum of individuals which includes management. Second, the attitude in the meeting must be non-judgment and open. Each member must feel confident to speak their mind about the risks. At this stage in the game there are no right or wrong candidate risks. The idea is to capture as many possible risks which can be analyzed later. Third, the risk must be recorded accurately so that they can be assessed. After the risk identification meeting, the task of risk analysis can begin.
The algorithm starts with the list of candidate risks. The first decision point in the analysis is to determine if the candidate is certain to happen. If the candidate risk is certain to occur (i.e., 100% probability of occurring), then it is not a risk and instead it is an issue. Issues must be handled differently than risks by program management. The second decision in the analysis is to determine if there is a possible loss associated with the risk. If there is no possible loss, then the risk will have no impact even if it does occur. Since there is no impact, such a risk is of no concern. The third step is to determine if there is a time component to the risk. In other words, is it possible to resolve the risk in the time available? If not then the risk candidate is not tracked. Once a candidate risk passes these three tests, then it can be it can be further analyzed and prioritized to determine how and if it will be actively managed.
 P.G. Smith, G.M. Merritt, Proactive Risk Management (Boca Raton, FL: CRC Press: 2002)