Back2Basics - Project Risk Management: Risk Evaluation

Back to Basics - Project Risk Management: Risk Assessment (Part iii)

In the second part of the 'Back to Basics' series on risk management, we looked at what project risk management is, the risk lifecycle in the risk management process, and what risk analysis is. In this part, we explore project risk assessment (also called project risk evaluation): what risk assessment is, how to evaluate a risk, and its impact.

Project Risk Assessment

Also read Why You Should Manage Project Risks | Risk Analysis | Risk Assessment | Challenges in Risk Evaluation and Risk Response.

What is Project Risk Evaluation | Risk Assessment?

There are primarily two aspects of risk evaluation / risk assessment:

  • Probability of a risk: How likely is it that the risk will happen?
  • Consequence of a risk: How severely will it affect us?

These two factors determine what is called risk exposure.

Risk assessment is subjective to a great extent, but with properly established policies, guidelines and practices it can be standardized to a large degree. Based on the above two aspects, the rating for a given risk can be determined.

Determine likelihood of occurrence of a risk

Heat Map helps prioritisation of risks

This element of the risk assessment process gives the probability of occurrence of a given risk. The project planner/manager, along with team members, can determine the probability (Rare, Unlikely, Possible, Likely or Almost Certain).



Likelihood of Occurrence

  • Rare: Risk occurrence is highly unlikely. Exceptionally it may occur, but most likely it will never occur.
  • Unlikely: The risk occurrence is not expected, but there is a slight probability that it may occur.
  • Possible: This risk may occur sometimes, as the organization has observed historical traces of such risks.
  • Likely: This risk has a strong possibility of occurrence, as the organization has frequently observed traces of such risks.
  • Almost Certain: This risk is most likely to occur. The instance/incidence is expected to occur in the speculated timeframe, as the organization has observed traces of regular occurrence of such risks.

Table 1: Probability of Risk

Determine Consequence of occurrence of a risk

The severity of the potential loss if the risk occurs is the second parameter of risk assessment. Again, this parameter is highly contextual. When a team member registers a risk, he/she may not have a complete picture of the situation. Hence the project planner or manager is expected to take the context into consideration and determine the consequence of the risk if it occurs in future. Based on the learning from previous risks/history, the organization may create a reference or guideline to determine the severity of a risk. The project planner/manager refers to such a guideline and uses his/her judgment to determine the consequence of the risk under consideration as part of the risk assessment process.



Example to illustrate

  • Minimal project delay | loss; less than a week | < few hundred $
  • Minor project delay | loss; more than 3 weeks | $100k< x <$10k
  • Moderate project delay | loss; more than 12 weeks | $1M<x<$100k
  • Major project delay | loss; more than 2 month | $1M<x<$100k
  • Intolerable project delay | loss; more than 6 month | $x >$5M

Table 2: Consequence of risk

Determine the rating of risk

Based on the probability of occurrence of a risk and the potential severity it may cause, project managers can derive the rating of the risk. Organizations with good project risk management practices have escalation guidelines based on the project risk rating, which specify what escalation matrix should be used depending on the rating of the risk.

The table below gives an indicative ‘Required Action’ based on the rating of a risk. Your organization will have a different required action or escalation matrix based on your industry's/organization’s practices.

Required Action

  • Acceptable: Not mandated to deploy additional resources; such a risk is expected to be managed through normal routine.
    Action: Track and review.
  • Acceptable: Such a risk is not expected to cause much damage or jeopardize the overall objective or effectiveness of the project.
    Action: Project Manager to create a response plan. Track and respond.
  • Not acceptable to a larger extent: Such a risk is highly likely to cause considerable damage or jeopardize the overall project objective or effectiveness.
    Action: Project Manager to bring it to the notice of senior management, mentioning expected support. Response plan to be created and reported to Director/CxO.
  • Not acceptable at all: Such a risk is extremely likely to pose a threat to the continuation/functioning of a project/organization.
    Action: Project Manager to bring it to the notice of senior management for immediate action. Response plan to be created and managed by Director/CxO.

Table 3: Risk Rating

As mentioned earlier, the organization as a whole needs to assess these parameters, the significance of each parameter and the required action, i.e. provide a meaningful guideline for performing risk assessment, so that a given risk can be stated as having, say, ‘Major’ severity with a probability of ‘Likely’. Though ‘Likely’, ‘Extreme’, ‘Moderate’ and ‘Catastrophic’ are generic terms, the people who work with these terms need to understand clearly what they are expected to do with them.

Let me know how you find this post. I would love to hear your feedback.
