How often should we perform risk assessment on a project?

This is the third article of our series on Project Risk Management. Click here for the first or second article. We are publishing these articles based on our observations in the marketplace regarding the practices of project risk management and the gaps that exist.

Point of Confusion

In this specific article, we address a gap that is related to a major point of confusion. This point of confusion is not specific to risk management; it concerns general aspects of project management. However, it has a significant impact on how we manage risks on projects.

The confusion is about the project life cycle vs. the PMBOK Guide process groups.

The question is: how often should we perform risk assessment (meaning identification, analysis, and response/treatment) on a project?

Think about it before reading further. On your projects, how many times do you perform risk assessment? Please do not confuse assessment with Risk Monitoring & Control (to use PMBOK terminology).

Here are possible answers:

  • Throughout the project: if this is your answer, read the previous sentence. Do you mean risk monitoring and control throughout the project, or do you perform assessment throughout the project? If the latter, how do you do it?
  • Some will say: once, during project planning, per the PMBOK planning process group. If this is your answer, then you are likely falling into the trap of believing that planning processes (including risk assessment) are done once during the project. In this case, you are likely mistaking the PMBOK process group called planning for an actual phase of the project life cycle (span).
  • Others will say: throughout the project … but will continue to say: we identify, analyze, and respond to risks during planning, but we monitor and control throughout the project.

None of the above answers is correct, except maybe for “tiny” projects.

Why the Confusion

Those answers reflect someone who thinks that the project life cycle = process groups … and therefore (in their view), since planning occurs only once during the project, the same applies to the risk management planning processes. Forgive us for repeating ourselves, but we cannot say this enough, and many professionals still miss this point.

This is why it is important to note that we cannot address this question (how often should we perform risk assessment on a project) without reflecting back on a common pitfall in project management, especially among PMPs and those who studied the PMBOK Guide.

The Origin of the Confusion

The pitfall is not due to errors or gaps in the PMBOK Guide but to how the guide is understood.

The guide outlines for us five process groups, namely initiating, planning, executing, monitoring and controlling, and closing. The PMP (professionals) and PMBOK Guide “students” confuse these process groups and think of them as project phases. It is even quite common for some organizations to use these names for their project phases as well, without recognizing a crucial factor: these are process groups that repeat in every phase. Yes, repeat, except maybe in tiny projects. So even though the names could be used as project phases, we cannot forget that the processes repeat.


Mapping the PMBOK Process Groups Against a Sample Project Life Cycle

How does this relate to risk management?

The PMBOK says risk assessment has to be done as part of the planning processes for the project … OR … a phase. Therefore, risk assessment has to be performed, from scratch or as an update, with every phase.

So how many times do we perform risk assessments on a project? It depends on the number of phases: once per phase.

Your opinion?

Do you agree or disagree?