Estimating risk

Your project team has identified a bunch of risks. Now you’ve come together to assess the threats and opportunities that these present to the project, with the aim of working out the probability of occurrence and the impact they will have if they do occur. When I started out as a project manager this exercise was basically just guessing. “Oh, that sounds pretty serious, let’s mark it as a 5,” we’d say. The problem with the guessing approach is that it relies too much on your own interpretation of the facts and doesn’t really involve any serious analysis. The benefit of the guessing approach is that it is quick.
Let’s assume that quick isn’t what we want from risk assessment. We want to have confidence that we have identified the issues that are likely to arise from risks and that our estimates of impact and likelihood are grounded in some kind of reality. There are estimating techniques that you can use to get better at assessing risk, and they take some of the guesswork out of your risk management process.

Expected value
Expected value helps you work out the financial cost of a risk in order to rank it. You combine the cost of the risk impact with the probability to give you a financial amount. For example, if a risk will cost £100k to address if it happens and it is 50% likely to happen, then your expected value will be £50k.
It isn’t foolproof – if your £100k risk occurs it will still cost you £100k – but it does give you data rather than guesses and can help you prioritise.

Pareto
You might know Pareto as the 80/20 rule. The aim is to identify the 20% of risks that will have 80% of the impact, as illustrated by the graphic at the top of the page. You rank the risks in order and you’ll get an idea of where you should be spending your management effort and risk management budget. Put your efforts towards those top 20% risks. Of course, there is still some guesswork involved in coming up with those impact statements, but at least you’ll be managing your risks effectively by concentrating on the most important ones.

Probability tree
A probability tree is useful when you have lots of historical data about similar risks and when there are several different paths that a problem could take. You can predict an outcome in a qualitative way but you do need the data to help. For example, a risk related to operating in a different currency market could involve customer problems, economic issues, banking problems and so on. Each of these ‘branches’ is plotted on the probability tree along with the likelihood of it happening (preferably based on your historical data). You’ll end up with risks at the very end of the branches with a statement of likelihood based on the events that happened before.
The downside is that this is quite complicated to do well, and if you don’t do it well, all you end up with is a pretty graphic built on data that is still basically guesses.
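
The three techniques above can be combined in a few lines of Python. This is an added example, not part of the original post: it walks a probability tree for the currency-market risk, multiplies the likelihoods along each path, turns each end-of-branch risk into an expected value, and then ranks the results Pareto-style by picking the top risks that carry 80% of the total expected value. All probabilities, costs and leaf names are constructed for illustration, and the `Node`, `leaves` and `pareto` names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    prob: float                 # likelihood of this branch, given its parent happened
    cost: float = 0.0           # impact in GBP if this end-of-branch outcome occurs
    children: list = field(default_factory=list)

def leaves(node, parent_prob=1.0, path=()):
    """Yield (path, likelihood, expected value) for every leaf of the tree."""
    prob = parent_prob * node.prob
    path = path + (node.name,)
    if not node.children:
        yield " > ".join(path), prob, prob * node.cost
        return
    # Branches under one node must cover every outcome, including "no problem".
    if abs(sum(c.prob for c in node.children) - 1.0) > 1e-9:
        raise ValueError(f"branches under {node.name!r} must sum to 1")
    for child in node.children:
        yield from leaves(child, prob, path)

def pareto(rows, share=0.8):
    """Top-ranked leaves that together carry `share` of total expected value."""
    ranked = sorted(rows, key=lambda r: r[2], reverse=True)
    target = share * sum(r[2] for r in ranked)
    picked, running = [], 0.0
    for row in ranked:
        if running >= target:
            break
        picked.append(row)
        running += row[2]
    return picked

# Constructed figures for the currency-market risk; not historical data.
TREE = Node("new currency market", 1.0, children=[
    Node("customer problems", 0.2, children=[
        Node("refund disputes", 0.5, 40_000),
        Node("lost accounts", 0.5, 100_000)]),
    Node("economic issues", 0.3, children=[
        Node("exchange-rate swing", 0.7, 100_000),
        Node("price inflation", 0.3, 20_000)]),
    Node("banking problems", 0.1, 50_000),
    Node("no problem", 0.4, 0),
])

if __name__ == "__main__":
    for path, prob, ev in pareto(list(leaves(TREE))):
        print(f"{path}: likelihood {prob:.0%}, expected value £{ev:,.0f}")
```
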
Remember, estimating risk is not a static business. As Rahul Sonje shows in this white paper, it should be a fluid affair. Just because you’ve done risk assessments on your risks in the first few weeks of your project doesn’t mean that they will necessarily stay that way. That’s why continuous risk assessment is important – risks come and go and change in priority. That £100k risk might cost you double that to put right if it occurs in six months, so stay on top of the changing situations through regular risk reviews.
Regular risk reviews tend to focus, in my experience, on individual risks at a time. That’s good, but it isn’t enough. Oracle says that a risk assessment workshop is an important part of risk management and it gives the team the opportunity to come together to see all the risks on the project together. This gives you the chance to put all those estimates in a big bucket and assess the overall impact on the project. Individually, you may see that the risks do not pose a great threat, but together the picture is likely to be very different. A risk assessment workshop will help you understand where the greatest problems are going to be.
In summary, there is always going to be an element of guesswork when it comes to risk – after all, the thing hasn’t happened so you are trying to predict the future. What you do need to do, though, is to take as much of the guesswork out as possible by using effective estimating techniques, viewing the risk impact overall on your project and updating your risk assessments regularly. Are you doing that already on your project?
