
Internal Risks Checklist


This document describes the required process to define the internal risk checklist


Internal Risk Checklist

When an organization undertakes a major initiative, there is potential for many different factors to influence the project. This checklist identifies categories of risk that exist internal to the organization that may impact the ability of the organization to successfully deliver the project. During the business casing and project review and selection work, the sponsor and senior team members should review this checklist and confirm that they have considered the implications of risks occurring within each of these categories. This document can then become a feeder to the more detailed risk management documentation that will be developed if and when the project is approved.

This document should be used in conjunction with the External Risk Checklist, and it should be noted that the risks identified here should remain strategic in nature. The purpose of this document is to help identify the risk exposure that the organization will face if it proceeds with this initiative; while the temptation with internal risks is to identify all of the risks that exist, this is not an exercise in risk identification, simply a support tool to the project review and selection process.

Guidelines

The risk category and description columns are intended to help identify potential internal sources of risk. An individual project may not have risks in every category, and the descriptions are not intended to be exhaustive; rather, they are prompts for discussion as to possible risks that your project may face.

By far the most important column in this template is risk exposure. This field is intended to be an estimate of the potential financial impact of the risks in each category should they trigger. At this pre-approval stage they are only high-level planning estimates, and the figure in each category is calculated by adding the potential exposure (risk amount multiplied by % chance to trigger) for each of the risks identified in the risk references column. Effort impact is converted to financial cost for the purposes of planning. Management costs are not considered here as response strategies have not been determined.

The risk references column is intended to identify the risk ID for any risks that you have identified within that category and may well include a hyperlink to the risk document where more details are available. The last review date and last reviewed by fields are simply audit fields to ensure that the analysis is current and complete.

Because these risks are internal to the organization, they will ultimately generate most of the risks that are actively managed by the project. But care should be taken to avoid excessive depth and management strategies at this point; that analysis will be completed during project planning.

| Risk Category | Description | Risk Exposure ($000s) | Risk References | Last Review Date | Last Reviewed By |
|---|---|---|---|---|---|
| Compliance | Compliance risk is the risk to the organization from the need to comply with laws, regulatory frameworks, etc. Examples of the negative implications of a failure to comply are obvious: censure, exclusion from a professional body, perhaps even legal action. The positive elements are less obvious, but they are still there: being one of a few organizations able to claim that they have been given the highest level of industry recognition by the governing body, for example. | | | | |
| Financial | Financial risks are the risks associated with investment decisions that the organization makes. Every proposed project involves a degree of financial risk whether it is approved or rejected. Financial risks are often assumed as a result of some of the other risk categories, but managing these risks should be key to the decisions made around projects: does the expected return justify the investment that is being made? | | | | |
| Operational | Operational risks are those that stem from the day-to-day execution of what the organization does. This is a very broad category and may show itself through quality, customer service, productivity, employee satisfaction or any number of other factors. For most organizations, operational risks need to be broken down to a lower level to be properly understood and managed; the operations category is simply too broad. | | | | |
| Strategic | Strategic risks result from the directional decisions that the organization makes: the goals and objectives that it sets and the strategies and plans that it puts in place to achieve those goals and objectives. This is the most fundamental type of risk for the organization and will drive all of the others. | | | | |
| Technological | We looked at technological risks as an external environmental factor, but there is also significant internal risk from technology. Decisions about which technologies to use can drive significant risks into the organization. If we choose to embrace new technology, then we may face steeper learning curves, more teething problems, etc. If we instead decide to use older platforms, then we may be faced with an earlier forced upgrade, lower performance and reduced feature sets. | | | | |