Risk analysis is both easy and hard at the same time. If that sounds confusing, read on, because we’ll make everything clear. But one thing is for sure. No project manager can get by without knowing how to analyze risk on your project.
Risk is important, because it is baked into the nature of projects. They are time pressured, and need to deliver something new or even unfamiliar. And, to make matters worse, you have the twin problems of limited resources on the one hand, and competing stakeholder expectations, wishes, and demands on the other.
Is it any wonder that one of the most quoted aphorisms in project manager is this, from Tim Lister:
Risk Management is Project Management for Grown-Ups’
Risk analysis is one part of the wider Risk Management process. This consist of four basic steps.
You can do nothing until you know what your risks are, so the first step is to identify the threats and opportunities your project faces. Take a look at our ‘Guide to Sources of Project Risk’.
Once you have identified your risks, you need to understand them.
This article will give you the tools you need to assess you risks, considering them both qualitatively and quantitatively.
Once you understand your risks, you need to put together a plan.
Planning is all very well, but unless you take action, nothing will change.
These four steps will only work if you persevere. You must constantly review what is happening on your project and analyse what you are learning. Did you get the result you expected from your action? If you did; that’s great. If you did not, then you need to analyse why not, make a new plan, and take more action.
This is the ‘Monitor and Control Loop’ for risk management and it is the secret of success.
Thomas Edison said:
Genius is one per cent inspiration: ninety-nine per cent perspiration’
And the same is true of project success. It is your commitment to persevere that will give you real control over risks
This is a simple process, but remaining committed to it, and doing it well, is far from easy.
Before reading on, if this process is not familiar to you, do have a read of our earlier article, ‘How Project Risk Management will Make You a Better Project Manager‘.
Risk analysis is the process of understanding your project risks, for the purpose of better managing them.
And that purpose is important. It dictates hw much analysis you will need to do, and what kinds of analysis. If you don’t think about the ‘why’, then you will run into the classic problem: analysis paralysis. This getting stuck doing to much analysis, and doing too little doing.
Risks are a threat to your project, or an opportunity for it. So, you must build your analysis process around the two objectives of:
If you don’t do so, then you are mismanaging your project.
Let’s start by defining what a risk is…
Risk is uncertainty that can affect outcome’
So the two primary characteristics of a risk are:
Together, these are often sufficient to give us the third thing we need, which is the relative priorities of each risk. I like to think of Primary Risk Analysis as being about these three things:
So, we’ll examine these three things first, before briefly considering other factors you could bring into your risk analysis.
The problem with estimating likelihoods is – to be blunt – people are rubbish at it. Unless you are an actuary (who calculates insurance risk) with vast amounts of data and advanced training is statistical theory, forget it. Your estimates are likely to fall prey to bias and inaccuracy. So there is one rule only, here:
Keep it simple’
My preferred scale for most small to medium sized projects is: Low – Medium – High. And for many projects, this more sophisticated scale is entirely appropriate:
Very Low – Low – Medium- High – Very High
It has the merit of not trying to introduce spurious precision into your estimates. It is beyond the scope of this simple guide to take us into quantitative risk likelihood estimates. If you really need these, try the book, ‘Effective Risk Management’ by Edmund Conrow (US|UK).
It’s far easier to estimate the impact, should a risk occur. The first step is to ask yourself what you care about. Impact on what?
But what if you don’t have a particular focus for your concern? Then you will need a generic scale for the risk impacts, and the five point scale I recommend is this:
The most important reason to analyze project risks is to prioritize which ones need most attention. And, not surprisingly, the two most salient factors in deciding this are likelihood and impact. We usually combine these in a chart that looks like this…
From this there are two primary ways to create a simple prioritization score.
The simplest approach is to define levels of high, medium, and low threat. We often label these as Red, Amber, and Green. There is no definitive mapping of these zones onto the chart, but here is a fairly typical approach:
Some people prefer the apparent precision of a numerical score. That’s easy to do if you allocate a score to each level along the likelihood and impact scales. You can then combine those scores in some way. Whilst the easiest approach is to add the scores, we more often use multiplication. This gives a ‘times table’ format to our grid.
The next question is how to allocate numerical scores to the impact and likelihood scales. Here, the commonest approach is the simplest: 1, 2, 3, 4, 5…
However, I favour a logarithmic scale that uses exponentially increasing scores. To me, this better represents the relative impacts and likelihoods at the ends of the scale. Is the worst impact merely five times the least. I prefer to represent the relative impacts by a far bigger ratio. Here are two simple versions of a linear and logarithmic approach:
There are other factors that you may want to bring into your risk analysis. But take care: only do so if you have a real reason. Ask yourself:
If we do this extra analysis, how will it affect our actions?’
If the answer is: ‘it won’t’ or ‘it won’t very much’, then don’t bother. It may be interesting, but you have other, more pressing priorities.
These two things are linked by the chain of causality. This is not the article to describe this in full, but every risk has a root cause. If you can address this, then the risk cannot manifest. So this can be a particularly valuable part of your analysis.
But it will often have a proximal cause, or triggering event. Knowing what could trigger the risk allows you to monitor for the trigger, and therefore act quickly. You may be able to act before the impacts of the risk materialize.
We have a psychological sensitivity to risks that depends on how near or how far aay we perceive them to be. And by near and far we can think in terms of:
Of these, proximity in time terms is the one that project managers may need to consider. We often include a ‘Time to Impact’ in our analysis, and this may impact your prioritization.
Project managers do this more often than they need to… Because it’s easy.
But if you have a good reason, then by all mean, do classify your risks into a small number of relevant categories. Typical examples include:
The one form of documentation I’d always expect to see in a project that is spending someone else’s money, and risking their reputation, is a record of risk management. We use a risk register.
During the Identification, you’ll have started your risk register, with your list of risks. Now add your analysis to each. Any fields in your template that represent factors you have not chosen to analyze are superfluous. Either delete of hide them.
One of the biggest reasons for preferring a spreadsheet as the basis for my risk registers is how easy it s to use it to:
This will allow me to focus my ext steps appropriately.
The next steps, of course, are Plan and Act.
These are outside the scope of this article, but you can be sure we’ll return to them soon.
Anyone who has had exposure to a well run project should be familiar with the ideas here. If you are, what are your thoughts about effective project risk analysis?
If you haven’t been exposed to these ideas before, it would help me enormously to know what questions you have. that way, i can expand and improve this article.
Please use the comments below, and I’ll respond to every contribution.
Managing Risk and Avoiding Failure in Business Projects
This book will take you far beyond what you’d learn in a basic project management book or course, but keeps things simple and easy to understand.
What they say…
‘I am am a PM of 10+ years and I have never found such a concise read on risk management that provided so much valuable information.’
Filled with useful diagrams, handy tips, and easy-to-understand tables, this book shows how you can take a practical, systematic approach to risk management.
For other books on Project Risk Management, check out our Project Management Bookshop. These include more advanced texts, of which, the most detailed is Edmund Conrow’s ‘Effective Risk Management’ (US|UK).
What are the reasons for it, and how can you stop them?
This short course will give you:
Dr Mike Clayton is one of the most successful and in-demand project management trainers in the UK. He is author of 13 best-selling books, including four about project management. He is also a prolific blogger and contributor to ProjectManager.com and Project, the journal of the Association for Project Management. Between 1990 and 2002, Mike was a successful project manager, leading large project teams and delivering complex projects. In 2016, Mike launched OnlinePMCourses.
Please log in again. The login page will open in a new window. After logging in you can close it and return to this page.