If your project has many inherent risks that fall into a high-risk category, it doesn't mean you won't be successful. It only means that you should put plans into place to manage the risks.

When you are defining a project, you want to perform a complete assessment of project risk. The risk assessment is done in two parts. First, look at the risks that are inherent to your project based on its general characteristics. Second, after you identify inherent risks, spend time looking at risks that are specific to your project.

Inherent risks are the place to start. The logic behind inherent risks is as follows:

• A project that is estimated to take 10,000 effort hours is inherently more risky than one that is estimated at 100 effort hours.
• A project that has 20 people is inherently more risky than one with three people.
• A project that is using new technology is inherently more risky than one that is using technology your team is comfortable with.

Notice that in each of these examples, you don't know the specifics of the project. Inherent risks are based on the characteristics of the project -- regardless of the specific deliverables being produced.

None of the inherent risks mean that the project is definitely in trouble. Even if you identify some inherent risks as high, other project factors will come into play as well that may mitigate the risk. If your project has many inherent risks that fall into a high-risk category, it doesn't mean you won't be successful. It only means that you should put plans into place to manage the risks.

The table below identifies characteristics that may imply risk, as well as criteria for knowing if it is high-risk and low-risk. Depending on where your project characteristics fall, you can evaluate your project to determine whether each risk is high, medium, or low. (Medium risks fall in between the extremes.) The inherent risks need to be customised for each company or organisation. For instance, one company might consider a project over 2,000 hours to be high-risk (for that category). However, if your organisation normally deals with large projects, you may change the criteria to state that all projects over 20,000 hours would be high risk.

In addition to the examples given above (effort hours, size of team, and new technology) inherent risks can include:

Characteristic	High Risk	Low Risk
Duration	Longer than 12 months	Less than 3 months
Number of clients or client organizations	More than three	One
Project scope / deliverables	Poorly defined	Well defined
Project team and client business knowledge	Neither the project team nor the client have solid business knowledge	Both the project team and the client have solid business knowledge
Dependency on other projects or outside teams	Dependent on three or more outside projects or teams	No more than one dependency on an outside project or team
Client commitment	Unknown, passive	Passionate
Changes required to existing procedures, processes and policies	Large amount of change	Little change
Project manager experience	Little experience on similar projects	Similar experience on multiple projects
Use of formal methodology	No formal methods or processes	Standard methods in use

If your project has many inherent risks rated highly, you might consider the entire project as high-risk. A "high-risk" project might trigger extra scrutiny on the part of management to make sure that the project receives the attention it needs to be successful.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

Ã,©2006 TechRepublic, Inc.