Risk Analysis Explained

Published: 2009-02-28
Last updated: 2022-03-20

Risk analysis is one of the most powerful project management tools we have. In sub-section Risk Management, we introduced the risk management process.

Risk Management ProcessRisk Management Process

Here, we focus on what we can do in order to analyze risks and their impacts.

In sub-section Risk Management, we introduce the definition of the term risk:

Risk = probability (event with negative impact may happen).

For a given work package, identifying risks is about asking the question: what can happen that makes the achievement of that work package's results impossible or more difficult than usual? This leads to a list of risk events.

In the next step, we evaluate each risk event: what is the probability that it happens and what is its impact? This evaluation we call risk analysis.

Risk Analysis: Just Guess Work?

In case data from earlier projects with similar work packages, and thus, similar risk events, are not available, we end up with simply doing guess work. Like in effort estimation, we can ask experienced experts who give us their best guess on probability (= risk) and impact of such an event. In order to make our guess work a little bit more reliable, we ask the experts for their best guess, normal guess, and worst guess in terms of both, probability and impact.


Work package: Delivery of 200 photovoltaic panels, 224 Watt and USD 1,800.-- each. One event could be: delay of that delivery by 4 weeks. Our experts give us their estimates of probabilities

p_best = 5%
p_normal = 10%
p_worst = 20%

and impact:

i_best = 3,000.-- (lost interest, because the payment of that delivery 360,000.-- is delayed by 4 weeks)

i_normal = USD 30,000.-- (lost interest, because other work packages are also delayed, we miss a major payment milestone of USD 1'200,000.--, payment comes with the next milestone, 3 months later, assumed yearly interest rate of 10%)

i_worst = USD 90,000.-- (because the whole project gets delayed by 3 months, liquidated damages based on the contract are USD 1,000.-- per day, assumed yearly interest rate of 10%)

How can we use these estimates for risk analysis without making it too complicated (by combining 3 probability figures with 3 impact figures we would end up with 9 different values to follow up)?

As in the Delphi Method of effort estimation, we could calculate for probability

p = (p_best + 4 • p_normal + p_worst) / 6 =
= (5 + 40 + 20) / 6 =
= 11%

and similarly for impact

i = (i_best + 4 • i_normal + i_worst) / 6 =
= (3,000 + 120,000 + 90,000) / 6 =
= 35,500.-- USD

After this "risk analysis", which is actually guess work, we continue with the next step of the risk management process which we describe more detailed in sub-section Risk Management.

Risk Analysis: the Next Level

Now let us assume that our organization supports a knowledge management process with a project management information system in which we collect data about risks of earlier projects.

For certain work packages that are similar from project to project, we have data available. With a little bit of mathematical statistics we can use those data to replace, or at least back up, our guess work in a new project by some simple calculations.

Underlying assumption of the approach we describe below is: we have done a certain work package 50 times already, in 50 earlier projects; this is not unusual for most of our organizations. Now, we apply some mathematical statistics to those data.

Of course, it might be the case that those 50 work packages were not exactly the same. In our example above, delivery of a number of photovoltaic panels, it makes a difference if we had to deliver within our own country or across borders, if the panels had to be state of the art or off-the-shelf units, if the delivery went into a remote area or nearby a town, etc. So, we refer to those work packages that had to be carried out under similar or comparable conditions. Then, we will identify similar or comparable risk events.

For these risk events, we continue with risk analysis as follows. In our risk data base, we find actual data about how often a certain risk event happened and what impact it really had. Then, we can calculate:

mean value of probability, p_mean
standard deviation of probability, p_SD

mean value of impact, i_mean
standard deviation of impact, i_SD

In our further risk analysis, we now can take values for probability and impact out of the intervals

from p_mean – p_SD to p_mean + p_SD
from i_mean – i_SD to i_mean + i_SD

or maybe, with 2 • p_SD or even 3 • p_SD, and 2 • i_SD or even 3 • i_SD, respectively, depending on how far we want to be on the safe side.


In our example above, we find 20 similar work packages from earlier projects in our data base. The values for probability and impact are:

p_mean = 9%
p_SD = 1%

i_mean = USD 28,000.--
i_SD = USD 3,000.-

For the new work package under risk analysis, we can choose values for

p, from 8% to 10%
i, from USD 25,000.-- to USD 31,000.--

under the condition that + or – 1 single standard deviation gives us enough safety.


(1) Quantity of data: It is clear that this method of risk analysis only works where we have a certain minimum of data from earlier projects. A number of 10 is minimum requirement, the more the better. Therefore, project managers and team members must be motivated to contribute all the actual results of their projects.

(2) Quality of data: It is absolutely essential that we refer only to work packages that were carried out under the same or comparable conditions. This accounts again for a high level of motivation of project managers and team members to fill the risk data base with all available details, including work package requirements and specifications, assumptions, interpretation of contract wordings, etc.

35+ templates, tools, and checklists in one set

To save you time in your daily work as a project manager, I packaged more than 35 project management templates, tools, and checklists into one zip file.

  • You un-zip it, and you get all items in formats you can edit to your requirements.
  • They strictly contain only standard functionality and no macros or other code.
  • You are allowed to use your logo.
Templates & Checklists for Implementation and Closure Phase
for only
or click here for more info.

Traditional PM
Learning Path Navigation

Related topics

  • Project Risk Management

    In this sub-section, we explore some risk management and risk assessment details.

  • Planning the Project Budget

    In this sub-section we describe how we are going to plan the project budget.

  • Assigning Resources

    In this sub-section we describe the transition from planning the project schedule to planning the project budget, i.e. assigning resources.

  • Critical Path

    In this sub-section, we describe how we can analyze the critical path of a project.

  • Planning the Project Schedule

    In this sub-section we describe how we are going to plan the project schedule.

  • Effort Estimation

    In this sub-section we describe the transition from planning the project scope to planning the project schedule, i.e. effort estimation.

  • Planning the Project Scope

    In this sub-section we explain how to plan the project scope.

  • Project Planning

    In this section, we describe the project planning process that prepares implementation and closure.

Return to Planning Phase

Return to Implementation Phase

Return to Closure Phase

Return from Risk Analysis to Home Page

Your Comments

Have your say about what you just read! Leave me a comment in the box below.
Enjoy this page? Please pay it forward. Here's how...

Would you prefer to share this page with others by linking to it?

  1. Click on the HTML link code below.
  2. Copy and paste it, adding a note of your own, into your blog, a Web page, forums, a blog comment, your Facebook account, or anywhere that someone would find this page valuable.