The following diagram gives an overview of the process, which essentially follows a series of risk analysis workshops, each consisting of 4 generic steps.
Let us take a closer look at the basic ideas of risk assessment and start with a definition of terms.
In everyday language, risks are usually events that could have a negative impact. A closer look into a dictionary, e.g. Longman, 1998, reveals: a risk is the possibility that something harmful or undesirable may happen. For our purposes, we adopt the definition also used in the insurance business: a risk is the probability that an event might occur which could have a negative impact. We call such an event a risk event.
Risk = probability (event with negative impact may happen).
(In a similar way, we can define the term opportunity as the probability that an event might occur which could have a positive impact. In fact, entrepreneurs of the gambling industry count on that.)
Risk management focusses on the question: What can we do about those events that might impact our project in a negative way?
We can prevent some of these events by taking actions that make the event impossible. For most of them, we can take actions that decrease their probability. Finally, for those we cannot prevent, we can prepare actions that make it easier for us to deal with their impact.
The following form (there is a template in sub-section Free Project Management Tools) reflects this in a more detailed way.
Following the process, we start with step 1, identifying risks, i.e. identifying as many risk events as possible, usually in a brainstorming session. The result is a list of such events. In step 2, evaluation of risks or risk analysis, we estimate the probability (in %) and impact (in $) of each event. By multiplying these figures we obtain the expected value of risk, or just risk value. Risks with a high risk value will be high on our priority list. Another way of showing the different priorities of risks is to arrange them in the probability-impact diagram. Mathematically speaking, the risk value is the statistically expected value of the impact or damage that the risk event could cause.
It is common practice to include those risks with either very high probability or very high impact among the top priority risks, even if their risk values are low.
Step 3 focuses on identifying preventive or corrective actions, again in brainstorming sessions, and by referring to lessons learned from earlier projects. In step 4, evaluation of actions and residual risks, we estimate the cost of each action. For most events, we cannot reduce the probability of occurrence down to 0 %. After taking preventive action, we usually end up with a residual probability which, of course, is lower than the original one. If we now multiply the residual probability by the impact, we obtain the residual risk value. By adding the cost of the action we get the expected value of action.
By comparing risk value with expected value of action we are able to decide if we want to take the action, i.e. integrate it into the WBS or not.
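The following added example (not part of the original page) carries steps 2 and 4 through a small risk register: risk value, residual risk value, expected value of action, the take-or-skip decision, and the rule that very high probability or very high impact forces top priority. The risk names, all figures and the two "very high" thresholds are constructed assumptions; the page does not define them.

```python
from dataclasses import dataclass

# Assumed thresholds for "very high"; the page gives no numbers.
VERY_HIGH_PROBABILITY = 0.70
VERY_HIGH_IMPACT = 400_000  # $

@dataclass
class Risk:
    name: str
    probability: float           # step 2: estimated probability (0..1)
    impact: float                # step 2: estimated impact in $
    action_cost: float           # step 4: cost of the preventive action in $
    residual_probability: float  # step 4: probability left after the action

    @property
    def risk_value(self):
        return self.probability * self.impact

    @property
    def expected_value_of_action(self):
        # residual risk value plus the cost of the action
        return self.residual_probability * self.impact + self.action_cost

    @property
    def take_action(self):
        # The action pays off only if it leaves us better off than the raw risk.
        return self.expected_value_of_action < self.risk_value

    @property
    def forced_top_priority(self):
        return (self.probability >= VERY_HIGH_PROBABILITY
                or self.impact >= VERY_HIGH_IMPACT)

def prioritise(risks):
    # Forced top-priority risks first, then descending risk value.
    return sorted(risks, key=lambda r: (not r.forced_top_priority, -r.risk_value))

def report(risks):
    return [(r.name, round(r.risk_value), round(r.expected_value_of_action),
             r.take_action) for r in prioritise(risks)]

# Constructed sample register.
REGISTER = [
    Risk("Key supplier delivers late", 0.30, 100_000, 5_000, 0.10),
    Risk("Data centre outage during cut-over", 0.02, 500_000, 20_000, 0.01),
    Risk("Minor rework after customer review", 0.80, 2_000, 3_000, 0.40),
    Risk("Lead developer leaves", 0.15, 60_000, 4_000, 0.10),
]

if __name__ == "__main__":
    for row in report(REGISTER):
        print(row)
```

In this register the outage ranks first because of its impact, yet its preventive action costs more than it saves, so it is a candidate for prepared corrective actions rather than a WBS entry.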
The decision to prepare for corrective actions depends on the company’s or organization’s accounting principles: it is good practice to include them in the project contingency.
As we proceed through the planning phase, and later through the implementation and closure phases, we repeat these risk management workshops periodically, since new risk events can come into view which we should not miss.