Risk analysis is both easy and hard at the same time. If that sounds confusing, read on, because we’ll make everything clear. But one thing is for sure. No project manager can get by without knowing how to analyze risk on your project.
Risk is important, because it is baked into the nature of projects. They are time pressured, and need to deliver something new or even unfamiliar. And, to make matters worse, you have the twin problems of limited resources on the one hand, and competing stakeholder expectations, wishes, and demands on the other.
Is it any wonder that one of the most quoted aphorisms in project manager is this, from Tim Lister:
Risk Management is Project Management for Grown-Ups’
Where Does Risk Analysis Fit in?
Risk analysis is one part of the wider Risk Management process. This consist of four basic steps.
You can do nothing until you know what your risks are, so the first step is to identify the threats and opportunities your project faces. Take a look at our ‘Guide to Sources of Project Risk’.
Once you have identified your risks, you need to understand them.
This article will give you the tools you need to assess you risks, considering them both qualitatively and quantitatively.
Once you understand your risks, you need to put together a plan.
Planning is all very well, but unless you take action, nothing will change.
Monitor and Control
These four steps will only work if you persevere. You must constantly review what is happening on your project and analyse what you are learning. Did you get the result you expected from your action? If you did; that’s great. If you did not, then you need to analyse why not, make a new plan, and take more action.
This is the ‘Monitor and Control Loop’ for risk management and it is the secret of success.
Thomas Edison said:
Genius is one per cent inspiration: ninety-nine per cent perspiration’
And the same is true of project success. It is your commitment to persevere that will give you real control over risks
Simple is not the same as easy
This is a simple process, but remaining committed to it, and doing it well, is far from easy.
Before reading on, if this process is not familiar to you, do have a read of our earlier article, ‘How Project Risk Management will Make You a Better Project Manager‘.
What is Risk Analysis?
Risk analysis is the process of understanding your project risks, for the purpose of better managing them.
And that purpose is important. It dictates hw much analysis you will need to do, and what kinds of analysis. If you don’t think about the ‘why’, then you will run into the classic problem: analysis paralysis. This getting stuck doing to much analysis, and doing too little doing.
Risks are a threat to your project, or an opportunity for it. So, you must build your analysis process around the two objectives of:
- reducing the threats
- harnessing the opportunities
If you don’t do so, then you are mismanaging your project.
How to Conduct a Risk Analysis
Let’s start by defining what a risk is…
Risk is uncertainty that can affect outcome’
So the two primary characteristics of a risk are:
- The level of uncertainty
…which we call the likelihood (or probability) of the risk occurring
- The affect on the outcome
…which we call the impact (or severity)
Together, these are often sufficient to give us the third thing we need, which is the relative priorities of each risk. I like to think of Primary Risk Analysis as being about these three things:
So, we’ll examine these three things first, before briefly considering other factors you could bring into your risk analysis.
Simple Risk Analysis at its Toughest: Likelihood
The problem with estimating likelihoods is – to be blunt – people are rubbish at it. Unless you are an actuary (who calculates insurance risk) with vast amounts of data and advanced training is statistical theory, forget it. Your estimates are likely to fall prey to bias and inaccuracy. So there is one rule only, here:
Keep it simple’
My preferred scale for most small to medium sized projects is: Low – Medium – High. And for many projects, this more sophisticated scale is entirely appropriate:
Very Low – Low – Medium- High – Very High
It has the merit of not trying to introduce spurious precision into your estimates. It is beyond the scope of this simple guide to take us into quantitative risk likelihood estimates. If you really need these, try the book, ‘Effective Risk Management’ by Edmund Conrow (US|UK).
How Bad will it be? Impact
It’s far easier to estimate the impact, should a risk occur. The first step is to ask yourself what you care about. Impact on what?
- Schedule (time)
- Budget (cost)
- Deliverables (quality)
- Functionality (scope)
- Health and Safety
But what if you don’t have a particular focus for your concern? Then you will need a generic scale for the risk impacts, and the five point scale I recommend is this:
- Very Low: Corrective Action needed
- Low: Adjustments to Plan needed
- Medium: Revised Strategy needed
- High: One or more Objectives threatened
- Very High: Project Goal would not be met
The Goal of Simple Risk Analysis: Prioritization
The most important reason to analyze project risks is to prioritize which ones need most attention. And, not surprisingly, the two most salient factors in deciding this are likelihood and impact. We usually combine these in a chart that looks like this…
From this there are two primary ways to create a simple prioritization score.
Red – Amber – Green RAG Rating
The simplest approach is to define levels of high, medium, and low threat. We often label these as Red, Amber, and Green. There is no definitive mapping of these zones onto the chart, but here is a fairly typical approach:
Some people prefer the apparent precision of a numerical score. That’s easy to do if you allocate a score to each level along the likelihood and impact scales. You can then combine those scores in some way. Whilst the easiest approach is to add the scores, we more often use multiplication. This gives a ‘times table’ format to our grid.
The next question is how to allocate numerical scores to the impact and likelihood scales. Here, the commonest approach is the simplest: 1, 2, 3, 4, 5…
However, I favour a logarithmic scale that uses exponentially increasing scores. To me, this better represents the relative impacts and likelihoods at the ends of the scale. Is the worst impact merely five times the least. I prefer to represent the relative impacts by a far bigger ratio. Here are two simple versions of a linear and logarithmic approach:
Secondary Risk Analysis
There are other factors that you may want to bring into your risk analysis. But take care: only do so if you have a real reason. Ask yourself:
If we do this extra analysis, how will it affect our actions?’
If the answer is: ‘it won’t’ or ‘it won’t very much’, then don’t bother. It may be interesting, but you have other, more pressing priorities.
Understanding the Risk: Root Cause and Triggers
These two things are linked by the chain of causality. This is not the article to describe this in full, but every risk has a root cause. If you can address this, then the risk cannot manifest. So this can be a particularly valuable part of your analysis.
But it will often have a proximal cause, or triggering event. Knowing what could trigger the risk allows you to monitor for the trigger, and therefore act quickly. You may be able to act before the impacts of the risk materialize.
Psychological Severity: Risk Proximity
We have a psychological sensitivity to risks that depends on how near or how far aay we perceive them to be. And by near and far we can think in terms of:
- Geographical distance
Risks haf way around the world bother us little
- Emotional distance
A risk to our friend is more salient than the same threat to a stranger
- Temporal distance
A risk tomorrow is more worrying than a risk next year
Of these, proximity in time terms is the one that project managers may need to consider. We often include a ‘Time to Impact’ in our analysis, and this may impact your prioritization.
An Orderly Structure: Risk Categorization
Project managers do this more often than they need to… Because it’s easy.
But if you have a good reason, then by all mean, do classify your risks into a small number of relevant categories. Typical examples include:
- Health and Safety risks
- Technical risks
- Financial risks
- Operational risks
- Personnel risks
- Schedule risks
- Quality risks
Documenting your Risk Analysis
The one form of documentation I’d always expect to see in a project that is spending someone else’s money, and risking their reputation, is a record of risk management. We use a risk register.
During the Identification, you’ll have started your risk register, with your list of risks. Now add your analysis to each. Any fields in your template that represent factors you have not chosen to analyze are superfluous. Either delete of hide them.
One of the biggest reasons for preferring a spreadsheet as the basis for my risk registers is how easy it s to use it to:
- calculate a priority score based on other factors
- sort or group my risks by priority
This will allow me to focus my ext steps appropriately.
No Change without Action
The next steps, of course, are Plan and Act.
These are outside the scope of this article, but you can be sure we’ll return to them soon.
What is Your Experience of Project Risk Analysis?
Anyone who has had exposure to a well run project should be familiar with the ideas here. If you are, what are your thoughts about effective project risk analysis?
If you haven’t been exposed to these ideas before, it would help me enormously to know what questions you have. that way, i can expand and improve this article.
Please use the comments below, and I’ll respond to every contribution.
For More Information…
Managing Risk and Avoiding Failure in Business Projects
This book will take you far beyond what you’d learn in a basic project management book or course, but keeps things simple and easy to understand.
What they say…
‘I am am a PM of 10+ years and I have never found such a concise read on risk management that provided so much valuable information.’[/two_third_last]
Filled with useful diagrams, handy tips, and easy-to-understand tables, this book shows how you can take a practical, systematic approach to risk management.
For other books on Project Risk Management, check out our Project Management Bookshop. These include more advanced texts, of which, the most detailed is Edmund Conrow’s ‘Effective Risk Management’ (US|UK).
Project failure is all too common.
What are the reasons for it, and how can you stop them?
This short course will give you:
- 10 Points of Project Failure
The key ‘Points of Project Failure’ which will alert you to where you need to focus your attention. So you can be seen as a strategically-minded Project Manager.
- 61 Primary Reasons for Project Failure
The ‘Primary Reasons for Project Failure’ that will alert you to specific actions you can set up and take. So you can take preventative actions to stay in control of your project.
- Over 100 Sources of Project Risk
With over ‘100 Sources of Project Risk’, you can jump start your risk identification process and reduce workload. So you can start your project efficiently and effectively with a solid risk register.