In an effective project risk management system, the project managers must focus their attention on the highest priority risks. Thus, upon determination of the primary risks to a project, this step seeks to sort the list into priorities and to develop categories for further action.
During the initial Risk Identification step, a risk register was completed, which was simply a list of the most important risks to the project. In this step the risks will be prioritized by their underlying factors, probability and impact. From those, an overall priority will be given to each risk, and the highest priority risks will be identified for risk response planning.
It is okay, even recommended, that the original list have some risks that are determined insignificant and will be struck off. The focus was on ensuring nothing was missed. Now, the focus is on putting the risks in their rightful place.
Although there is no accepted ‘correct’ format for specifying the results of risk analysis, the general procedure is to turn the list of risks into a table with the following columns added:
Qualitative Risk Analysis
Since risk has two components, probability and impact, both need to be considered.
In the qualitative risk analysis phase, a probability and an impact score are given to each risk.
Assessing the probability of an uncertain event is a difficult task. In the insurance industry, actuaries use similar events with known statistical outcomes to determine a standard “distribution” for an unknown event. Here are some ideas to determine the probability of an event happening:
- Determine how often the event actually occurred on previous projects. Many projects have tasks that have been performed on other projects. For example, if an event occurred twice in ten previous projects, the probability of the event might be approximately 20%.
- Compare to a known probability. The odds of throwing a die and landing on a six are obviously 6:1. The odds of giving birth to twins are 70:1. Maybe you have a known probability of an event within your company or project. Compare your uncertain outcome to something certain.
- Decompose the risk into constituent parts. Are there any sub-events that contain a known probability, which can then result in a better estimation of the whole?
- Ask experts to rank the risks as “high/medium/low.” Then average the answers into a score out of 10. Using broad categories to assign probabilities makes it clear which one the event belongs in, then averaging the result into a greater distribution utilizes the wisdom of crowds.
Probability can be stated in percent or return period (e.g. 6:1). For smaller projects, however, I suggest using a simple 1-10 scale.
The impact of the event is often easier to define but can be a range of possibilities rather than an exact number. There are many different aspects of the project which can be impacted, but the most common are:
- Quality (technical performance)
Impact can be stated in monetary terms (i.e. dollar, euro, etc.). However, for small projects I would recommend simply using a scale of 1-10.
The purpose of risk analysis is to determine the overall priority of a risk so that further action can be taken on the most important ones. There are two primary ways to amalgamate the probability and impact into an overall priority:
- If you’ve stated the probability in percent (or return period) and the impact in monetary terms (dollars, etc.), you can simply multiply them to obtain the risk level. This value essentially functions as a contingency. If you performed the exact same project many times, this amount would be the ideal contingency.
- If you’ve simply ranked or prioritized each risk on a scale of 1-10 (or similar), you can multiply the values to obtain a priority level. This number will not have any meaning outside of individually ranking the risks.
Based on the priority of the list, the bottom risks can be removed altogether or added to a “watch list.” The watch list could be looked at throughout the project to ensure they do not increase in probability and/or impact to the point of requiring response plans or other action.
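The scoring steps above, as an added example that is not from the original article: expert high/medium/low votes are averaged into a probability score out of 10, multiplied by a 1-10 impact, and sorted into response-plan, watch-list and removed groups. The vote-to-score mapping, the cut-off values and the sample risks are assumptions constructed for illustration.

```python
from statistics import mean

# Assumed mapping of expert votes onto a 1-10 scale (not from the article).
VOTE_SCORE = {"low": 2, "medium": 5, "high": 9}
# Assumed cut-offs on the 1-100 priority scale (probability x impact).
RESPONSE_PLAN_MIN = 40
WATCH_LIST_MIN = 15

# Constructed sample register: expert probability votes, impact on a 1-10 scale.
REGISTER = [
    {"risk": "Key supplier delivers late", "votes": ["high", "high", "medium"], "impact": 7},
    {"risk": "Permit approval delayed", "votes": ["medium", "low", "medium"], "impact": 8},
    {"risk": "Minor rework on drawings", "votes": ["medium", "medium", "high"], "impact": 2},
    {"risk": "Site flooding", "votes": ["low", "low", "low"], "impact": 9},
]

def probability_from_history(occurrences, projects):
    """Frequency estimate: 2 occurrences in 10 previous projects gives 0.2."""
    if projects <= 0:
        raise ValueError("need at least one previous project")
    return occurrences / projects

def probability_score(votes):
    """Average high/medium/low votes into a score out of 10."""
    return round(mean(VOTE_SCORE[v] for v in votes), 1)

def prioritize(register):
    """Return (response_plan, watch_list, removed), each sorted by priority."""
    scored = []
    for entry in register:
        prob = probability_score(entry["votes"])
        scored.append({**entry, "probability": prob, "priority": round(prob * entry["impact"], 1)})
    scored.sort(key=lambda r: r["priority"], reverse=True)
    plan = [r for r in scored if r["priority"] >= RESPONSE_PLAN_MIN]
    watch = [r for r in scored if WATCH_LIST_MIN <= r["priority"] < RESPONSE_PLAN_MIN]
    removed = [r for r in scored if r["priority"] < WATCH_LIST_MIN]
    return plan, watch, removed

def contingency(risks):
    """Sum of probability (0-1) x monetary impact: the first method in the list above."""
    return sum(p * cost for p, cost in risks)

if __name__ == "__main__":
    for name, group in zip(("response plan", "watch list", "removed"), prioritize(REGISTER)):
        for r in group:
            print(f"{name:13} {r['priority']:5} {r['risk']}")
```

Note that "Site flooding" lands on the watch list despite unanimous "low" votes, because its impact score is high; a multiplied priority keeps rare but severe risks visible.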
In high risk projects such as nuclear power plants, the highest risks require documented action plans in advance. Even in the absence of one major risk, I would argue that all projects should have action plans for the highest risks. They can be as simple as several sentences describing how the event would be handled, how people will be removed from the area, etc. Developing risk response plans is what we deal with in the next section.