Are You Acting on the Highest Priority Risks?

Project Risk Management

Welcome to the third in the series on project risk management. The first article, Risk Management is Project Management, was an overview of risk management and the risk management plan. The second article, Identifying Risk Leads to Successful Projects, identified those risks. So, before we get started, here is a quick review:

When risk is applied to project management, six processes are used in project risk management, according to A Guide to the Project Management of Knowledge, PMBOK.

These processes are utilized to take advantage of the positive events and try to minimize the negative events.

The processes are:

1. Plan risk management

2. Identify risks

3. Perform qualitative risk analysis

4. Perform quantitative risk analysis

5. Plan risk responses

6. Monitor and control risks

Qualitative vs. Quantitative?

Qualitative comes from the root word quality, and quantitative derives from the root word quantity. Qualitative risk analysis involves analysis of data, such as characteristics. When you are talking about numerical data, then quantitative risk analysis comes into play. In this paper, I am concentrating on the third process, qualitative risk analysis, which prioritizes risks for further investigation or action, determines the probability of risk occurring, and its impact.

The risk ranking is the combination of these two variables, impact on the project and the probability of occurrence. The main objective of performing the qualitative risk analysis is to improve the performance of the project by identifying the most urgent or high-priority risks and acting on them to protect your project assets.

Risk management should be part of the daily assessment of your project. Employees from the production floor to C-suite sometimes tend to take shortcuts, but there are no shortcuts with risk management.

I utilize a matrix such as the one below to help with qualitative risk analysis. Some companies make their matrix for their qualitative risk analysis a numeric probability, but I find it simpler and just as reliable utilizing a ranking system.

Risk Priority/Ranking

H = High Risk

M = Medium Risk

L = Low Risk

Who determines risk impact and risk probability? Well, that depends. Each company is different with various titles, but you will most likely have to rely on managers, senior managers and expert judgment to determine the risk impact and probability. Some companies will have design reviews or meetings where issues will be discussed and analyzed. Technical questions would probably be assessed by the technical managers, and business policy questions would be addressed by senior managers.

Risk management, analysis, prioritization, analysis, cost planning, strategy

How to Measure Risk?

If you are new to a company or industry, remember that each company and industry has its own risk tolerance. One company may determine that an issue is high risk, but another would label it a medium risk. It may be due to risk tolerance, expert judgment or other resources that is not available to all companies. Looking at the matrix, if you have determined that an issue is highly likely to occur, and if it does occur with a medium impact on the business or project, then the risk ranking would be high.

The areas with a high risk ranking, of course, have the highest priority and need immediate action. Conversely, the items with a low risk ranking may only have to be watched, and the items with a medium risk should be monitored.

Is All Risk Bad?

No, issues that could affect the project do not have to be threats to the project but could be opportunities. You can still utilize the matrix in the same manner as you do for threats. If the opportunity/risk ranking is high, it may offer the largest benefit to the project and should be addressed prior to lower ranked opportunities.

Do You Have an Example of How to Use the Matrix?

Let us say that you are working on a complex project involving software upgrades. Because the production facility is run 24/7, you have a limited availability of production downtime, causing a high probability of risk. The impact would be high because if the upgrade does not run smoothly, this could mean long production downtimes. So, what would be the risk ranking? It would be high because of the high probability of risk and high impact. Generally speaking, complex projects have a higher uncertainty, hence, a higher risk. Also, any new developments in the product or service, even advancements, could mean a higher level of risk.

Risk Identification Analysis

If you read my second article, I identified the risks or events that could have an impact on the project, which corresponds to the second column in the matrix below. In this article, we will be filling in the third and fourth columns, Risk Ranking and Project Impact. The project impact would be high, medium or low, and the risk ranking would be an output of the project impact and probability.

I've identified the risks, determined the impact, the probability and the risk ranking ... Am I done? No, the risk identification needs to be reevaluated on a regular basis, identifying, ranking, monitoring and controlling the risks in your project. Take note of any trends or re-occurrences of risks, which may signal a systemic weakness that should be analyzed.

What else should a project manager look for while performing a qualitative risk analysis that could further improve the project? Once you have listed all of your risks, try identifying a common denominator in your risks, such as the source of risks, causes, or the area affected by the risk. This exercise could lead you to determine the root causes and concentration of risks, leading you to deal with them more effectively.

After you have completed your qualitative risk analysis, generate a list of risks that might need additional, or numeric, analysis. These are the items that will need quantitative risk analysis performed on them, the subject of our next paper.