Analyse project risks

Performing a risk analysis

A risk analysis is performed by analysing each risk from the risk register in terms of;

• its probability and
• the impact on the project if it were to happen.

Risk analysis should be undertaken as soon as a threat has been identified. Use the probability and effect matrix (PIM) to define and prioritise risks. This information is then used to document the risk in the risk register.

Like all risk management processes and procedures, the risk analysis process should be carried out on a regular basis. As the project progresses, new risks are discovered, and the characteristics of existing risks will change. The risk management strategy (as part of the overall project plan) will clarify the overall approach to risk management that needs to be taken for the specific project. It will clarify how much risk is reasonable and who should be involved in carrying out the qualitative analysis of the known risk.

Risk probability and impact assessment

A risk likelihood assessment is used to analyse the probability that any particular risk will arise. In contrast, a risk impact assessment examines the possible impact on the target of a project, such as timing, expenditure, quality or results.

• Risk Probability
  • Likelihood each risk will occur
• Risk impact
  • Potential effect on schedule cost, quality or performance

Risks with a high score will be given high priority, and those with a low score for potential monitoring will be placed on a watch list.

Probability and impact matrix

A probability and impact matrix is displayed as a grid. This grid maps the probability of every risk occurrence and its impact on project objectives if that risk occurs. Risks are then prioritised according to their potential implications.

A typical approach to prioritising risks is to use a look-up table or a probability and impact matrix. The specific combinations of probability and impact that cause a risk to be rated as “high”, “moderate”, or “low” importance is usually set by the project manager or organisation. The probability and impact matrix determines combinations of likelihood and effect that contribute to a low, moderate or high priority rating of the risks.

The action that must be taken to address low, moderate or high priority ratings are:

• High-risk—Prioritise and address urgently
• Moderate-risk—Put contingency plan into place
• Low-risk – Provide a contingency plan and track

Likelihood

'Likelihood' refers to the probability of a given risk occurring.

Likelihood can be classified in different ways, such as:

• almost certain
• likely
• moderate
• unlikely
• rare.

When assessing the likelihood of risks, you should refer to the data you have collected during research - How often has a particular risk occurred in the past? Are there any circumstances or events that increase the probability of a risk occurring – if so, what are the chances of this happening? Are there any other variable factors that could influence how often a risk occurs?

Impact or consequences

'Impact' or 'consequence' refers to the severity of the outcome if the risk was to occur, for example:

• catastrophic
• major
• moderate
• minor
• insignificant.

An alternative scale for impact/consequence could be:

• disastrous
• severe
• moderate impact
• minimal impact.

When assessing the potential impact of risks, you should consider:

• organisational historical data, e.g. consequences concerning the financial loss, operation etc.
• industry knowledge, e.g. fines for non-compliance, closure etc.
• knock-on effects – some risks may have the potential to significantly impact other areas of the organisation, even if initially unrelated.
• competitor analysis/performance

Risk prioritisation

Evaluation of risks includes:

• considering the likelihood of the risk occurring
• considering the impact of the risk
• determining risk significance/severity
• determining risk tolerability (priority)

We are now at the stage where we can determine what risks are most significant and tolerable. This, in turn, will allow us to put risks in priority order. Note: Although linked, tolerability differs from severity: Tolerability looks at the severity of risks and ranks them in priority order for treatment.

We can work out risk significance and tolerability using a Risk Assessment Matrix (RAM).

• A RAM includes a risk rating based on tolerability (level of acceptance) and pre-determined criteria for required actions related to each rating.

Each risk is assigned a position on the matrix based on the risk criteria established for likelihood and impact. This will then determine the priority for treatment.

Consider the following example:

Risk Matrix

	Consequence
Likelihood	Insignificant (Minor problem easily handled by normal day-to-day processes. No effect on budget)	Minor (Some disruption possible. Over budget 0-5%). Injury that does not require trained first aider (e.g. cut that requires a band-aid)	Moderate (Significant time/recourses required. Significant delay. E.g. unable to operate cafe or warehouse for 1-2 days. Over budget 5-20%, injury requiring first aid, small loss of customers)	Major (E.g., Significant financial loss, unable to operate division or cafe for more than two days or meet customer orders, significant damage to reputation of business. Over budget 20-50%)	Catastrophic (E.g., Business unable to operate for more than two weeks or indefinitely. Significant financial losses. Major reputation damage. Business survival at risk. Over budget 50% or more)
Almost certain (90% chance)	High	High	Extreme	Extreme	Extreme
Likely (50-90% chance)	Moderate	High	High	Extreme	Extreme
Moderate (10-50% chance)	Low	Moderate	High	Extreme	Extreme
Unlikely (3-10% chance)	Low	Low	Moderate	High	Extreme
Rare (less than 3% chance)	Low	Low	Moderate	High	High

Risk ratings and priorities for action are determined as follows:

Risk Action Table

Risk Rating		Required Actions
Low	Acceptable	Unlikely to require specific application of resources. Manage by routine procedures. Monitor and review.
Moderate	Acceptable	Unlikely to cause much damage and/or threaten the efficiency and effectiveness of the program/activity. Treatment plans are to be developed and implemented by Project Managers/Leaders. Manage by specific monitoring or response procedures.
High	Generally not acceptable	Likely to cause some damage, disruption or breach of controls. Project Managers or senior management attention is needed and responsibilities identified. Risk management treatment plans must be developed and communicated.
Extreme	Not acceptable	Likely to threaten the survival or continued effective functioning of the organisation, either financially or reputation-wise. Immediate action is required. Must be managed by senior management or senior project manager with a detailed treatment plan reported to senior management.

In simple terms, an organisation might decide that risks above a certain severity level are unacceptable (e.g. low or moderate), and risks below this are acceptable or tolerable. Alternative approaches might include assigning risk acceptance delegations to organisation staff of different levels of seniority.

Decisions on tolerability should also be made only after considering the broader context of the risk, including the impact of the risk upon other entities inside and outside the organisation, such as other teams, networking associates, partner organisations etc.

Treatment decisions should consider financial, legal, regulatory and other requirements. The next topic will look into the different options for treating risks.

Watch this YouTube video by Ahmed WA Hammad to learn more about the Probability and Impact Matrix.

A risk breakdown structure (RBS) is implemented to structure and organise all defined risks into suitable categories, which will help to identify the highest degree of uncertainty aspects of the project.

The likelihood and effect matrix may be used to identify risks according to their individual importance, relative rating or priority list of project risks.

Formal interviews with subject matter experts may be used to assess the likelihood and effect of risks.

This information can then be used in the following modelling techniques:

• Sensitivity analysis: This includes assessing the project by analysing the effect and magnitude of each danger to determine how susceptible it is to unique hazards.
• Expected monetary value (EMV): This analysis determines the expected monetary value by multiplying the probability of achieving an expected value for each risk by the cost, which is then added to obtain the project's expected monetary value. The use of decision trees is a common way of measuring EMV.
• Decision tree analysis: These take the form of a flow diagram where a summary of the risk aspect and its cost is embedded in each node, represented by a rectangle. Each arrow leading to another box representing the percentage likelihood is connected together by these rectangles through arrows.

• Tornado diagram: These are named because of the shape of their funnel. They graphically reflect the vulnerability of the project to costs or other variables. Each tornado diagram will reflect the effect of risks in terms of specific aspects. These aspects may be the phases of all project phases, ranked vertically and illustrated by a horizontal bar indicating plus or minus cost impacts.

Risk analysis involves examining how project outcomes and objectives might change because of the impact of the risk event. Once the risks are identified, they are analysed to spot the qualitative and quantitative impact of the risk on the project so that appropriate steps can be taken to mitigate them. There are two main processes of risk analysis.

Qualitative

Identified project risks are prioritised using a pre-defined rating scale. Risks are rated on their probability or likelihood of occurring and their impact on project objectives if they do. Probability/likelihood is generally ranked on a zero to one scale (e.g., three equating to a 30% probability of the risk occurring). The impact scale is organisationally defined (e.g., one to five, with five being the highest impact on objectives, such as budget, schedule, or quality). Categorisation of the risks is also included, i.e., whether source-based or effect-based.

Quantitative

Highest priority risks are further analysed and assigned a numerical or quantitative rating to develop an analysis based on probability and likelihood. A quantitative analysis: Possible outcomes for the project are quantified and assessed on the probability of achieving specific project objectives. A quantitative approach to making decisions is provided when there is uncertainty. Realistic and achievable cost, schedule or scope targets are created. Quantitative risk analysis requires high-quality data, a well-developed project model and prioritised lists of project risks (usually from a qualitative risk analysis)

Qualitative risk analysis uses a descriptive scale to measure the probability and quantitative risk analysis uses a numerical scale.

Qualitative risk analysis: inputs

• Risk management plans help minimise the impacts of risk and include information gathered from other project management documents such as budgets, schedule activities, risk categories, the probability and impact matrix, and stakeholders’ risk tolerances.

Activity: Learn more about risk management plans from Business Victoria

• Risk register contains the information which will be used to assess and prioritise risks.

Perform qualitative risk analysis: tools and techniques

Risk probability and impact assessment

Qualitative risk analysis is the process of prioritising risks based on their probability and impact. It is an important tool for project managers to use when deciding which risks must be addressed first. When conducting a qualitative risk analysis, you will need to consider the likelihood of each risk occurring, as well as the potential impact if it does occur. This will help you to prioritise the risk and decide which ones are the most important to address.

Project teams use their experience and data from past projects to estimate the impact and probability value for each risk on a scale or matrix.

Commonly, the scale used in risk analysis is shown from zero to one. Thus, if the chance of the risk occurring in your project is .5, there is a fifty per cent chance of it happening. There is also an effect-based scale that measures it from zero to five, with five being the most threatening if you have the relevant risk.

Probability and impact assessment should be undertaken for every identified risk. Read the following article about risk impact/probability charts from MindTools to learn how to calculate risk ratings.

Assumptions log

The declaration of the project scope will contain project assumptions that may be updated as a result of the qualitative risk analysis carried out in this process. This is the method of assessing the effects of certain hazards listed as having the potential to have a major impact on the project. It may be used to individually assign a numerical rating to those hazards or to determine their aggregate impact.

Delegated authority

Delegated authority is the power or permission given to an individual or group to make decisions on behalf of another person or organisation. Corporate governance provides a framework for decision making including policies and procedures. Analysing risks and making decisions about managing project risks must be performed within your role responsibilities and delegated authority.

Risk analysis is about developing an understanding of every risk. It involves consideration of the positive and negative consequences and the likelihood that those consequences may occur. Risk is analysed by combining consequences and likelihood, considering the existing controls.

Communicating with stakeholders

Before you look into the business and project risks, you will need to inform relevant stakeholders about the risk management process you have established up to now, including any key findings to date. Relevant stakeholders at this stage may include:

• all staff
• key external stakeholders
• senior management
• specific teams or business units
• technical experts.

One of the most important aspects of any risk management framework is to ensure continual communication and consultation with all stakeholders. An organisation's risk management process should include ongoing consultation with team members, management, people impacted by any risk management activities, and external stakeholders like customers, government agencies or consultants.

Communication and consultation at this stage of the process are vital for managing risk to ensure that:

• "buy-in" from teams, management, and other stakeholders is secured
• all stakeholders understand, are engaged, and are committed to the risk management process
• feedback, insight, and suggestions can be taken on board

Stakeholder analysis

Stakeholders are people or organisations who have an interest in what you are doing. It could be a financial interest or some other factor that would motivate people to support what you are trying to achieve.

For risk management, the most important stakeholders include people or organisations that may expose the organisation to risk, are exposed to an organisation's risks, or be able to help an organisation manage risk.

Stakeholder analysis considers the relationships, perceptions, values, needs and expectations that could impact the risk management process.

Some of the stakeholders that may be involved in the risk management process include:

• employees
• senior management
• specific teams or business units
• shareholders (owners)
• technical experts
• banks, financiers and/or business operators
• suppliers
• customers and clients
• general public
• different levels of government and government agencies
• police/lawyers.

Project managers need to understand which people or groups are interested in what they are doing and why so they can best manage their interests and involvement. This includes ensuring information is timely, clear, and available as needed.

Appropriate involvement of stakeholders throughout the process also enables their knowledge, views, and perceptions to be considered. This results in improved awareness and informed risk management.

Assigning priorities

In risk control management, risk prioritisation involves identifying all risks in a project and deciding which risks are the most significant, and addressing those risks first. Risks are determined by analysing the likelihood of a risk and the potential harm of the risk.  

Identifying Risk and the Risk Treatment Plan

Here is an example of a Risk Treatment Plan:

Technique	Description
Acceptance	This technique recognise the risk and its uncontrollablity
Avoidance	This technique uses an approach that avoids the possibility of risk occurence
Control	This technique is made up of actions that are to be taken that reduce the likelihood or impact
Investigation	This technique defers all actions until more work is done and/or facts are known
Reduction	Reduction is the active lowering of risk by a planned series of activities
Transference	Transference is the process of moving something from one place to another or from one part to another. In this, the risk can be transferred to the customer or to the contractor

Too much intervention to align your risks will produce chaos. To begin, take on a judging mindset and get a head start on your project by using effective prioritising skills.

To prioritise risk, take the following steps:

• Project or Product Risk
  • This needs to be the first. If the project or product will be affected by a defined risk, that is significant.
  • Process
    • What is your project process? How is it going to flow? The risks that you identify here are crucial to remaining on track.
• Resources
  • For selecting the project team, use the six sigmas.
• Stakeholders
  • Who are the stakeholders, and to what extent will risk affect them? Consult and gain agreement with the project client and stakeholders about the risk priorities.
• Risk Tools
  • What tools will you use to cope with risk? Your risk treatment plan can assist you in defining these tools.
• Acceptable Risk
  • These should be a low priority and are not hazards that impact the results of a project.

Controlling and mitigation of risk

Many projects begin in an organised manner with a robust Risk Matrix, but as the day-to-day management of the project carries on, it becomes harder to remain on top of this document.

The failure to update the Risk Matrix is the most common reason some risks appear out of nowhere at the last minute.

Mitigating the highest calculated risks doesn't completely prevent them from occurring but instead makes it easier to establish workarounds and contingencies to reduce the overall impact on the project.

Every project comes with risks, and risk events will occur regardless of the initial plan. A solid risk management program is the best way to keep these risk factors low, maintaining priorities for the good of the project. Stakeholders should contribute to the Risk Matrix early and regularly, and this can be accomplished by following the three simple steps of recognising, prioritising and controlling risks.

A risk plan outlines how the project management team will implement risk management. Establishing this procedure early in the project ensures that all project management team members use the same risk assessment methods and that the relevant tasks are budgeted for in the project schedule.

Risk categories

This provides a framework that ensures that threats are regularly identified to a consistent standard of detail in a systematic process. As seen in the diagram, an individual can use a previously prepared categorisation framework, which could take the form of a simple list of categories or a risk breakdown structure (RBS).

This is a hierarchically-organised summary of the project risks defined, structured by category and subcategory of risk, which identifies the various locations and causes of potential risks.

Definitions of risk probability and impact

Defining the probability and impact of risks will ensure all stakeholders have a shared understanding of project risks. If a risk likelihood is defined as low, medium or high, you must ensure the stakeholders understand what this means.