
Internal Risk Checklist

When an organization undertakes a major initiative, there is potential for many different factors to influence the project. This checklist identifies categories of risk that exist internal to the organization that may impact the ability of the organization to successfully deliver the project. During the business casing and project review and selection work, the sponsor and senior team members should review this checklist and confirm that they have considered the implications of risks occurring within each of these categories. This document can then become a feeder to the more detailed risk management documentation that will be developed if and when the project is approved.

This document should be used in conjunction with the External Risk Checklist, and it should be noted that the risks identified here should remain strategic in nature. The purpose of this document is to help identify the risk exposure that the organization will face if it proceeds with this initiative; while the temptation with internal risks is to identify all of the risks that exist, this is not an exercise in risk identification, simply a support tool to the project review and selection process.

Guidelines

The risk category and description columns are intended to help identify potential internal sources of risk. An individual project may not have risks in every category, and the descriptions are not intended to be exhaustive; rather, they are prompts for discussion as to possible risks that your project may face.

By far the most important column in this template is risk exposure. This field is intended to be an estimate of the potential financial impact of the risks in each category should they trigger. At this pre-approval stage they are only high-level planning estimates, and the figure in each category is calculated by adding the potential exposure (risk amount multiplied by % chance to trigger) for each of the risks identified in the risk references column. Effort impact is converted to financial cost for the purposes of planning. Management costs are not considered here as response strategies have not been determined.

The risk references column is intended to identify the risk ID for any risks that you have identified within that category and may well include a hyperlink to the risk document where more details are available. The last review date and last reviewed by fields are simply audit fields to ensure that the analysis is current and complete.

Because these risks are internal to the organization, they will ultimately generate most of the risks that are actively managed by the project. But care should be taken to avoid excessive depth and management strategies at this point; that analysis will be completed during project planning.

| Risk Category | Description | Risk Exposure ($000s) | Risk References | Last Review Date | Last Reviewed By |
|---|---|---|---|---|---|
| Compliance | Compliance risk is the risk to the organization from the need to comply with laws, regulatory frameworks, etc. Examples of the negative implications of a failure to comply are obvious: censure, exclusion from a professional body, perhaps even legal action. The positive elements are less obvious, but they are still there: being one of a few organizations able to claim that they have been given the highest level of industry recognition by the governing body, for example. | | | | |
| Financial | Financial risks are the risks associated with investment decisions that the organization makes. Every proposed project involves a degree of financial risk whether it is approved or rejected. Financial risks are often assumed as a result of some of the other risk categories, but managing these risks should be key to the decisions made around projects: does the expected return justify the investment that is being made? | | | | |
| Operational | Operational risks are those that stem from the day-to-day execution of what the organization does. This is a very broad category and may show itself through quality, customer service, productivity, employee satisfaction or any number of other factors. For most organizations, operational risks need to be broken down to a lower level to be properly understood and managed; the operations category is simply too broad. | | | | |
| Strategic | Strategic risks result from the directional decisions that the organization makes: the goals and objectives that it sets and the strategies and plans that it puts in place to achieve those goals and objectives. This is the most fundamental type of risk for the organization and will drive all of the others. | | | | |
| Technological | We looked at technological risks as an external environmental factor, but there is also significant internal risk from technology. Decisions about which technologies to use can drive significant risks into the organization. If we choose to embrace new technology, then we may face steeper learning curves, more teething problems, etc. If we instead decide to use older platforms, then we may be faced with an earlier forced upgrade, lower performance and reduced feature sets. | | | | |