After we have found the Risks in our Project, next step is to estimate the Risk Exposure for every risk. We must have “Probability and Impact Matrix”. Here is an example:
- 1 = (5 – 10%)
- 2 = (10 – 20%)
- 3 = (20 – 40%)
- 4 = (40 – 80%)
- 5 = (>80%)
- 1 very low (insignificant time and cost overrun)
- 2 low (up to 10% time and cost overrun)
- 3 medium (10% – 20% time and cost overrun)
- 4 high (over 20% time and cost overrun)
- 5 the highest (PROJECT FAILURE)
Risk exposure or risk score = Probability x Impact
Very often different team members estimate different Probability and Impact for the same Risk. In such a case you should find out WHY someone thinks that probability is, for example 3, and some other person thinks that probability is, for example 1. Maybe one person is too optimistic, and the other is too pessimistic, or one person has more information then the other. However, after that procedure you should have only one estimation of probability and impact for each risk.
Another important thing is, that if you have risk with very high probability (for instance, more than 90%), you should consider that issue as a FACT, NOT AS A RISK. I will give you example. Suppose that you are working on a project which is: “BUILDING A HIGHWAY”. 15 kilometers (or miles, whichever you like) of that Highway will be built in the mountain which is at 3500 meters height above sea level. In the winter time there is a huge snow at that mountain. But, once in a century there is a winter without the snow. You have the risk that you will not be able to build this section of your highway in a winter, and a probability is 99%. What will you do? Will you start with your work in the mountain in October, and then, IF THE RISK OCCUR, you will stop with the work and start with saving your equipment, and spend a lot of money for that? NO, OF COURSE YOU WILL NOT. You will consider that risk as a fact, and you will make your project plan in a way that you will build this “Mountain section” only during Spring and Summer.
OK, we have probability, Impact, and Risk Exposure for every Risk in our Project. No, we have to found the PROJECT RISK EXPOSURE. Here is an example:
- RISK 1 Probability = 3, Impact = 2, Risk Exposure = 3X2 = 6
- RISK 2 Probability = 4, Impact = 3, Risk Exposure = 4X3 = 12
- RISK 1 Probability = 5, Impact = 4, Risk Exposure = 5X4 = 20
- RISK 1 Probability = 1, Impact = 5, Risk Exposure = 1X5 = 5
- RISK 1 Probability = 3, Impact = 4, Risk Exposure = 3X4 = 12
The Sum of risk exposures is: 6 + 12 + 20 + 5 + 12 = 55. We have 5 Risks. So, THE PROJECT RISK EXPOSURE IS 55 / 5 = 11.
In your company you should know THE TRESHOLD of the Project Risk Exposure. If it is, for example 15, than all Projects with Project Risk Exposure larger than 15 are not acceptable, and you will not work on them. When you find PROJECT RISK EXPOSURE you are in the so called “GO / NO GO DECISION”
If you will continue to work on your Project you should put all the risks with a lower Risk exposure, to the “watch list”. For example, if Risk has a Risk exposure below 12 it will be on the watch list. DO NOT EVER DELETE RISK FROM RISK REGISTER OR WATCHLIST!!! Why? Because, during the Project lifecycle probability and/or impact can change! So, if you delete the risk, because it has got very small Risk Exposure (for example 1), and after one month the probability raises from 1 to 5, you will probably FORGET the deleted risk, and you will be very surprised if it happens!
Now, we have our Risk Register with Probabilities, Impacts, and Risk exposures, and they are sorted form biggest Risk Exposure to the smallest. We, also have a Watch list. The best tool for the Risk register is the Microsoft Excel. (I hope that someone from Microsoft will read this post, and give me some money for this advertisement! I AM KIDDING, of course).
Next step in the Risk Management is RIKS RESPONSE PLANNING. What is that? That is something about you will read in my next Blog Post.
I cannot recommend strongly enough that anyone who has to produce a Probability Impact Matrix, whether qualitative or quantitative, should read:-
1. Louis Anthony (Tony) Cox, Jr., What’s Wrong with Risk Matrices? Risk Analysis, Vol. 28, No. 2, 2008.
(This is a bit heavy going check out this review for a simplified summary:- http://eight2late.wordpress.com/2009/07/01/cox%e2%80%99s-risk-matrix-theorem-and-its-implications-for-project-risk-management/ )
2. Douglas Hubbard, The Failure of Risk Management. Chp 7. Worse than Useless The most popular risk assessment method and Why it doesn’t work.Wiley & Sons. 2009
3. Stephen Cresswell. ‘Qualitative Risk & Probability Impact Graphs: Time for a rethink? http://www.intorisk.co.uk/insights.htm
4. Chris Chapman & Stephen Ward. How to manage Project Opportunity and Risk. Chp 2. The Probability-impact grid – a tool that needs scrapping. Pp 49-51. 3rd Ed. Wiley. 2011