According to the PMBOKĀ® Guide, specifically the Project Risk Management knowledge area, formal risk identification occurs within the Planning Process Group.
The process is titled Identify Risks, which is the process of identifying individual project risks as well as sources of overall project risk, and documenting their characteristics. While high-level risks may be noted in the Project Charter during the Initiating phase, the systematic process of identifying, categorizing, and documenting risks into the Risk Register is a core planning activity.
Planning (Identify Risks): This is where the team uses tools such as brainstorming, checklists, interviews, and SWOT analysis to create the initial Risk Register.
Initiating: This process group produces the Project Charter, which may contain high-level " key risks " or assumptions, but the " project team " as a whole typically begins the detailed identification process once the project is authorized and planning begins.
Executing: During this phase, the team implements risk responses. While new risks can be identified at any time (as risk management is iterative), the initial identification is a planning function.
Monitoring and Controlling: This involves Monitor Risks, where the team tracks existing risks and identifies new risks that emerge during the project.
Per PMI standards, the Identify Risks process should be performed as early as possible in the planning phase and continue throughout the project life cycle because new risks may evolve or become known as the project progresses through its life cycle.
