Back to Basics - Project Risk Management: Risk Assessment (Part iii)

In the second part of the series 'Back To Basics' of Risk Management, we looked at what is project risk management, risk lifecycle in risk management process and what is risk analysis. In this part, we will explore - details of Project Risk Assessment or Project Risk Evaluation - what is risk assessment, how to evaluate risk, its impact.

Also read Why You Should Manage Project Risks | Risk Analysis | Risk Assessment | Challenges in Risk Evaluation and Risk Response.

What is Project Risk Evaluation | Risk Assessment?

There are primarily two aspects of risk evaluation / risk assessment:

• Probability of a risk: How much likely that the risk will happen?
• Consequence of a risk: How severely will it affect us?

These two factors determine what is called as : Risk Exposure

Risk assessment is subjective to greater extent but with properly established policies, guidelines and practices it can be standardized to greater degree. Based on above two aspects, the rating for a given risk can be determined.

Determine likelihood of occurrence of a risk

This element from risk assessment process gives the probability of occurrence of a given risk. Project planner/manager along with team members can determine probability (Rare, unlikely, Possible, Likely and Almost Certain)

Rating	Description	Likelihood of Occurrence
1	Rare	Risk occurrence is highly unlikely.Exceptionally it may occur, but most likely it will never occur
2	Unlikely	The risk occurrence is not expected. But in slight probability, it may occur
3	Possible	This risk may occur some times as organization has observed historical trace of such risks
4	Likely	This risk has strong possibility of occurrence as organization has frequently observed trace of such risks
5	Almost Certain	This risk is most likely to occur. The instance/incidence is expected to occur in speculated timeframe as organization has observed trace of regular occurrence of such type of risks

Table 1: Probability of Risk

Determine Consequence of occurrence or a risk

The severity of the potential loss, if risk occurs is the second parameter of risk assessment. Again, this parameter is highly contextual. When team members register a risk, he/she may not have the complete idea of the situation. Hence project planner or manager is expected to take the context into consideration and determine the consequence of the risk if occur in future. Based on the learning from previous risks/history, organization may create a reference or guideline to determine severity of the risk. Project planner/manager refers such guideline and uses his/her judgment to determine the consequence of the risk in consideration as a part of risk assessment process.

Rating	Description	Example to illustrate
1	Insignificant	Minimal project delay| loss; Less than a week| < few hundred $
2	Minor	Minor project delay | loss; more than 3 weeks| $100k< x <$10k
3	Moderate	Moderate project delay| loss; more than 12 weeks | $1M<x<$100k
4	Major	Major project delay| loss; More than 2 month | $1M<x<$100k
5	Catastrophic	Intolerable project delay| loss; More than 6 month | $x >$5M

Table 2: Consequence of risk

Determine the rating of risk

Based on probability of occurrence of risk and potential severity that it may cause, project managers can derive the rating the risk. Organizations with good project risk management practice have escalation guidelines based on the project risk rating. Which specifies what escalation matrix should be used depending on the rating of the risk.

The table below gives indicating ‘Required Action’ based on the rating of a risk. Your organization will have different required action or escalation matrix based on your industry/organization’s practices.

Action: Project Manager to bring-to-notice of Senior management, mentioning expected support.Response plan to be created & reported to Director/ CxO

Action: Project Manager to bring-to-notice of Senior management for immediate action.Response plan to be created, managed by Director/ CxO.

Rating	Required Action
Low	Acceptable: Not mandated to deploy additional resources; Such risk is expected to be managed through normal routine. Action:Track and review
Moderate	Acceptable:Such risk is not expected to cause much damage or jeopardize the overall objective or effectiveness of project Action: Project Manager to create a response plan.Track and Respond.
High	Not Acceptable to larger extent: Such a risk is highly likely to cause considerable damage or jeopardies overall project objective or effectiveness.
Extreme	Not Acceptable at all :Such a risk is extremely likely to pose as a threat to the continuation/functioning of a project/ organization.

Table 3: Risk Rating

As mentioned earlier, the organization as a whole need to assess these parameters, significance of each parameter and required action i.e. a meaningful guideline to perform risk assessment to state a given risk having ‘Major’ severity with what probability as ‘Likely’. Though ‘Likely’, ‘Extreme’, ‘Moderate’, ‘Catastrophic’ are generic terms, the resource who will work with reference to these terms need to understand clearly, what they need to do with it.

Let me know how you find this post. I would love to hear your feedback.

Also read Why You Should Manage Project Risks | Risk Analysis | Risk Assessment | Challenges in Risk Evaluation and Risk Response.

_____________________________________________________________________________

Use project management software for project planning & scheduling - Try ZilicusPM a powerful tool that enable online project planning WBS, online scheduling, resource assignment, Gantt chart, project tracking, issue management, online calendar, risk register and much more.