Risk assessment probably started in your head when you were first assigned the project: you began thinking about what it would take to be successful. Risk assessment is a natural human behavior. We look at situations and assess the probability of achieving our desired outcome—is it safe to cross the street, change lanes, or eat the food off the buffet? Mitigation and management follow: once the risk has been assessed, we take the necessary actions to
reduce the risk (wait for the light to change, allow an opening to occur before changing lanes ... ) and we monitor our progress for changes in the level or presence of risk as we take action.
Risk assessment occurs formally in the planning process of a project, as the project's scope and requirements are defined and plans created. Risks to achieving the functionality, level of performance or quality of the deliverable, as well as achieving project schedule or cost targets, need to be assessed and discussed across the team before a plan is agreed to. With everyone's involvement in risk identification, the team benefits from different perspectives and a greater pool of experience as to what might go wrong!
With the risks identified, at least those known at the start of the project, mitigation actions—steps to reduce or eliminate or manage the risks—can be planned. This also occurs during the planning phase, and those mitigation actions become part of the project plan and schedule—they require work and incur costs as well.
The goal is for the project plan and schedule to include all the known activities and tasks associated with producing the deliverables, including those to address risks which could block progress. Your plan should contain tasks for the risks you already know how to address, and the known risks for which the solution is presently unknown and must be worked out.
Be aware that there might be unknown risks as well, which of course will take time to deal with if they occur during execution. Risk management then becomes part of ongoing project execution. The project manager monitors the team's progress at handling known risks, and also looks out for previously unknown risks that need to be mitigated. Although the timing of the first pass at risk assessment by the project manager occurs at the start of the project in the planning phase, risk assessment, mitigation, and management are a constant process throughout the course of the project.
Our Product and Project Risk Assessment and Mitigation Tables includes tools for assessing risks, identifying mitigation steps, and using that information to monitor risks. Our planning guideline Planning and Scheduling: Make Trade-offs and Optimize, which includes a discussion of how to build risk mitigation work into a project's schedule.
NOTE: Although the project manager is not typically assigned yet, risk assessment also should occur at a high level before a project is even initiated, to help test a new project idea's feasibility and likelihood of success. Risks posed to a potential project by culture issues, resource availability, regulatory impacts, technical or other complexity, and so on, can be looked at early as a decision factor on starting a project. See our Project Risk/Opportunity Assessment Models for detailed assessment worksheets. These worksheets can also be used during the team's planning stage risk assessment.