Why do we need to categorize risks?

Let me start with the definition of the word ‘category’

cat·e·go·ry(noun): any general or comprehensive division; a class.

group, grouping, type

The main goal of risk management is to avoid unpleasant surprises. This requires comprehensive list of identified risks. Risk categories are specific way to group risks under a common area which provides a structured & systematic approach in identifying risks to a consistent level of detail.

Some of the advantages using risk categories are:

* A good set of risk categories enable a greater management focus, thought provoking, and increasing the opportunity of identifying a wider range of risks

* As I told earlier, risk categories give structured approach to risk identification through which all risk areas are explored without fail

* Categorizing risks improve the effectiveness & quality of the risk identification & analysis processes

* Grouping risks by common root causes can lead to developing effective risk responses

* Risk categories also helps in risk assessment by interviewing or meetings with participants selected for their familiarity with a specific risk category

* Risk categories give greater ability monitor and control risks identified classified under the same area or root

It isn’t possible to develop one-size-fits-all risk categories for all projects/organizations. There could be common list of risk categories available which can be adapted with specific changes required for our projects. There are many ways to categorize risks. Generally, risks to the project can be categorized by

* sources of risk,

* the area of the project affected i.e. using Work Breakdown Structure(WBS), or

* other useful category like a project phase, to determine areas of the project most exposed to the effects of uncertainty.

Example for risk categories:

* Financial
* Security
* Legal & regulatory compliance
* Safety
* Stakeholder management
* Strategic
* Technology

As per PMBOK® Guide, risk categories are part of organizational process assets. Every organization should have standard lists of risk categories and it can be retrieved from achieves of already executed project.

To identify risks, project managers start with risk categories. But the process of identifying risks can also lead to identification of new risk categories. The newly identified category added to risk category list.

Risk categories can also represented in a structured way into a Risk Breakdown Structure (RBS). The RBS is a hierarchically organized depiction of the identified project risks arranged by risk category and subcategory that identifies the various areas and causes of potential risks.