17 March, 2025

Risk Analysis 101: How to Understand Threats to Your Project


Risk analysis is both easy and hard at the same time. If that sounds confusing, read on, because I’ll make everything clear. But one thing is for sure: no project manager can get by without knowing how to analyze risk on their project.

Risk is important because it is baked into the nature of projects. They are time-pressured and need to deliver something new or even unfamiliar. And, to make matters worse, you have the twin problems of limited resources on the one hand, and competing stakeholder expectations, wishes, and demands on the other.

Is it any wonder that one of the most quoted aphorisms in project management is this, from Tim Lister:

‘Risk Management is Project Management for Grown-Ups’

The Project Manager’s Guide to Simple Risk Analysis

Our Agenda

I have divided this exploration of Project Risk Analysis into five parts:

  1. How Does Risk Analysis Fit into the Wider Risk Management Process?
    I’ll use this section to signpost related articles that cover the other aspects of the wider risk management process.
  2. What is Risk Analysis?
    A short, sharp answer to the basic question.
  3. How to Conduct a Risk Analysis
    This is the meat of this article, with my guide to how to do risk analysis.
  4. Documenting your Risk Analysis
    If a risk materializes, it can have a profound impact on your sponsoring organization (and your employer). So, for good governance, good communication, and to protect yourself, you need to document your work, to demonstrate that you have acted with all due professionalism.
  5. No Change without Action
    Analyzing your project risks is no use, unless you use that analysis to inform choices and actions.

I’ll start by setting risk analysis into a wider project risk management context…

How Does Risk Analysis Fit into the Wider Risk Management Process?

Four-step Project Risk Management Process

Risk analysis is one part of the wider Risk Management process. This consists of four basic steps.

[Figure: Risk Management Process]

Identify

You can do nothing until you know what your risks are, so the first step is to identify the threats and opportunities your project faces. To learn about spotting project threats and how to find the sources of Project Risk, take a look at our ‘Guide to Sources of Project Risk’.

Analyze

Once you have identified your risks, you need to understand them. This is risk analysis.

This article will give you the tools you need to assess your risks, considering them both qualitatively and quantitatively.

Plan

Once you understand your risks, you need to put together a plan for how you will handle them. You will base your plans on the fundamental risk response strategies. So, I recommend you get more detail from our article, Every Project Management Risk Response Strategy: Are there 6, 7 or more?

We also have a video, How to Create a Risk Management Plan.

Action

Planning is all very well, but unless you take action, nothing will change. Carry out the steps in your risk management plan.

Monitor and Control

These four steps will only work if you persevere. You must constantly review what is happening on your project and analyze what you are learning. Did you get the result you expected from your action? If you did, that’s great. If you did not, then you need to analyze why not, make a new plan, and take more action.

This is the ‘Monitor and Control Loop’ for risk management and it is the secret of success.

Thomas Edison said:

‘Genius is one per cent inspiration: ninety-nine per cent perspiration’

And the same is true of project success. It is your commitment to persevere that will give you real control over risks.

Simple is not the same as easy

This is a simple process. But, remaining committed to it, and to doing it well, is far from easy.

Before reading on, if this process is not familiar to you, do have a read of our earlier article, ‘How Project Risk Management will Make You a Better Project Manager’.

What is Risk Analysis?

Risk analysis is the process of understanding your project risks, so you will be better able to manage them effectively.

And that purpose is important. It dictates how much analysis you will need to do, and what kinds of analysis. If you don’t think about the ‘why’, then you will run into the classic problem: analysis paralysis. This is getting stuck carrying out too much analysis, and focusing too little on the actual doing of risk management.

Risks are a threat to your project, or an opportunity for it. So, you must build your analysis process around the two objectives of:

  1. reducing the threats
  2. harnessing the opportunities

If you don’t do so, then you are mismanaging your project.

How to Conduct a Risk Analysis

Let’s start by defining what a risk is…

‘Risk is uncertainty that can affect outcome’

So the two primary characteristics of a risk are:

  1. The level of uncertainty
    …which we call the likelihood (or probability) of the risk occurring
  2. The effect on the outcome
    …which we call the impact (or severity)

Together, these are often sufficient to give us the third thing we need, which is the relative priorities of each risk. I like to think of Primary Risk Analysis as being about these three things:

  1. Likelihood
  2. Impact
  3. Priority

So, we’ll examine these three things first, before briefly considering other factors you could bring into your risk analysis.

Simple Risk Analysis at its Toughest: Likelihood

The problem with estimating likelihoods is that – to be blunt – people are rubbish at it. Unless you are an actuary (who calculates insurance risk) with vast amounts of data and advanced training in statistical theory, forget it. Your estimates are likely to fall prey to bias and inaccuracy. So there is one rule only, here:

‘Keep it simple’

My preferred scale for most small to medium-sized projects is: Low – Medium – High. And for many projects, this more sophisticated scale is entirely appropriate:

Very Low – Low – Medium – High – Very High

It has the merit of not trying to introduce spurious precision into your estimates. It is beyond the scope of this simple guide to take us into quantitative risk likelihood estimates. If you really need these, try the book, Effective Risk Management by Edmund Conrow.

For more on this topic, please do read our article, Risky Analysis: Pitfalls and Good Practices in Estimating Likelihood.

Note that, as our use of data improves, along with our understanding of data analytics (probably mediated by AI tools), we will start to see more access to reliable statistical evaluations of risk. This will arrive sooner in some sectors (like construction) and more slowly in others.

How Bad will it be? Impact

It’s far easier to estimate the impact, should a risk occur. The first step is to ask yourself what you care about. Impact on what?

  • Schedule (time)
  • Budget (cost)
  • Deliverables (quality)
  • Functionality (scope)
  • Reputation
  • Health and Safety
  • Environment
  • Security

If one of these is your predominant concern, you can develop a scale for impacts on that factor, and there are seven such tables (with 2-5 examples in each) in my book, Risk Happens!

But what if you don’t have a particular focus for your concern? Then you will need a generic scale for the risk impacts, and the five-point scale I recommend is this:

  1. Very Low: Corrective Action needed
  2. Low: Adjustments to Plan needed
  3. Medium: Revised Strategy needed
  4. High: One or more Objectives threatened
  5. Very High: Project Goal would not be met

The Goal of Simple Risk Analysis: Prioritization

The most important reason to analyze project risks is to prioritize which ones need the most attention. And, not surprisingly, the two most salient factors in deciding this are likelihood and impact. We usually combine these in a chart that looks like this…

[Figure: Risk Prioritization Process]

From this, there are two primary ways to create a simple prioritization score.

Red – Amber – Green (RAG) Rating

The simplest approach is to define levels of high, medium, and low threat. We often label these as Red, Amber, and Green. There is no definitive mapping of these zones onto the chart, but here is a fairly typical approach:

[Figure: Risk Analysis – Risk Prioritization RAG Scoring Process]

Numerical Scoring

Some people prefer the apparent precision of a numerical score. That’s easy to do if you allocate a score to each level along the likelihood and impact scales. You can then combine those scores in some way. Whilst the easiest approach is to add the scores, we more often use multiplication. This gives a ‘times table’ format to our grid.

The next question is how to allocate numerical scores to the impact and likelihood scales. Here, the commonest approach is the simplest: 1, 2, 3, 4, 5…

However, I strongly favor a logarithmic scale that uses exponentially increasing scores. To me, this better represents the relative impacts and likelihoods at the ends of the scale. Is the worst impact merely five times the least? I prefer to represent the relative impacts by a far bigger ratio. Here are two simple versions of a linear and logarithmic approach:

[Figure: Risk Analysis – Risk Prioritization Process – Linear vs Logarithmic Scoring]

Please note, however, that this kind of approach is not representative of true likelihoods. It is a simple approach to prioritization and nothing more.

Secondary Risk Analysis

There are other factors that you may want to bring into your risk analysis. But take care: only do so if you have a real reason. Ask yourself:

‘If we do this extra analysis, how will it affect our actions?’

If the answer is: ‘it won’t’ or ‘it won’t very much’, then don’t bother. It may be interesting, but you have other, more pressing priorities.

However, if you do decide to, here are some of the other factors to consider in your risk analysis.

Understanding the Risk: Root Cause and Triggers

These two things are linked by the chain of causality. This is not the article to describe this in full, but every risk has a root cause. If you can address this, then the risk cannot manifest. So this can be a particularly valuable part of your analysis.

But it will often have a proximal cause, or triggering event. Knowing what could trigger the risk allows you to monitor for the trigger, and therefore act quickly. You may be able to act before the impacts of the risk materialize.

Psychological Severity: Risk Proximity

We have a psychological sensitivity to risks that depends on how near or how far away we perceive them to be. And by near and far we can think in terms of:

  • Geographical distance
    Risks that can occur halfway around the world probably won’t bother us much (psychologically). Certainly not as much as incidents in our neighborhood.
  • Emotional distance
    A risk to our friend is more salient than the same threat to a stranger.
  • Temporal distance (time)
    A risk that would occur tomorrow is more worrying than a risk that could happen next year.

Of these, proximity in time terms is the one that project managers may most often need to consider. We often include a ‘Time to Impact’ in our analysis, and this may impact your prioritization.

An Orderly Structure: Risk Categorization

Project managers do this more often than they need to… Because it’s easy and gives the impression of progress. It’s a ‘displacement activity’ in that it displaces other, harder, but more meaningful work.

But if you have a good reason to, then by all means do classify your risks into a small number of relevant categories. Typical examples include:

  • Health and Safety risks
  • Technical risks
  • Financial risks
  • Operational risks
  • Personnel risks
  • Schedule risks
  • Quality risks

Documenting your Risk Analysis

The one form of documentation I’d always expect to see in a project that is spending someone else’s money, and risking their reputation, is a record of risk management. We use a risk register.

During the Identification step, you’ll have started your risk register, with your list of risks. Now add your analysis to each. Any fields in your template that represent factors you have not chosen to analyze are superfluous. Either delete or hide them.

One of the biggest reasons for preferring a spreadsheet as the basis for my risk registers is how easy it is to use it to:

  1. calculate a priority score based on other factors
  2. sort or group my risks by priority

This will allow me to focus my next steps appropriately.
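
The priority calculation and sort described here, combined with the linear and logarithmic scoring from the Numerical Scoring section, as an added example that is not part of the original article. The doubling scale (1, 2, 4, 8, 16), the sample risks, and the function names are assumptions made for illustration.

```python
"""Added example: score and sort a small risk register on two scales."""

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
LINEAR = dict(zip(LEVELS, [1, 2, 3, 4, 5]))
# Assumed doubling scale; the article's own logarithmic values are not reproduced.
DOUBLING = dict(zip(LEVELS, [1, 2, 4, 8, 16]))

# Constructed sample register: (risk, likelihood, impact).
REGISTER = [
    ("Key supplier misses delivery date", "High", "Medium"),
    ("Unpatched server exposes customer data", "Very Low", "Very High"),
    ("Minor rework after user testing", "Very High", "Very Low"),
    ("Sponsor reassigns budget", "Medium", "Medium"),
    ("Lead developer leaves mid-project", "Low", "High"),
]


def prioritize(register, scale):
    """Return (score, risk) pairs, highest score first.

    Score is likelihood x impact on the given scale. The sort is stable,
    so tied risks keep their register order.
    """
    scored = [(scale[lik] * scale[imp], risk) for risk, lik, imp in register]
    return sorted(scored, key=lambda row: row[0], reverse=True)


def rank_of(risk, ranking):
    """1-based rank of a risk; risks with equal scores share a rank."""
    score = next(s for s, name in ranking if name == risk)
    return 1 + sum(1 for s, _ in ranking if s > score)


if __name__ == "__main__":
    for label, scale in (("Linear", LINEAR), ("Doubling", DOUBLING)):
        ranking = prioritize(REGISTER, scale)
        print(f"{label} scale")
        for score, risk in ranking:
            print(f"  {score:>3}  rank {rank_of(risk, ranking)}  {risk}")
```

On the linear scale the Very Low likelihood, Very High impact risk ranks fourth, below the Medium/Medium risk; on the doubling scale the two tie for second. A Very High likelihood, Very Low impact risk gets the same product, so the score alone cannot separate those two corners of the grid.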

No Change without Action

The next steps, of course, are:

  • Plan how you can manage each risk (starting with the highest priority risks), and
  • Act to manage those risks

These are outside the scope of this article.

What is Your Experience with Project Risk Analysis?

Anyone who has had exposure to a well-run project should be familiar with the ideas here. If you are, what are your thoughts about effective project risk analysis?

If you haven’t been exposed to these ideas before, it would help me enormously to know what questions you have. That way, I can expand and improve this article.

Please use the comments below, and I’ll respond to every contribution.

Learn More

Risk Happens! Managing Risk and Avoiding Failure in Business Projects

Risk Happens! 2nd Edition

This book will take you far beyond what you’d learn in a basic project management book or training course, but keeps things simple and easy to understand.

What they say…

‘I am a PM of 10+ years and I have never found such a concise read on risk management that provided so much valuable information.’

Filled with useful diagrams, handy tips, and easy-to-understand tables, this book shows how you can take a practical, systematic approach to risk management.

Buy Risk Happens! from Amazon.

For other books on Project Risk Management, check out our article: Project Risk Management: What are the Best Books to Advance You?

 

Project failure is all too common.

What are the reasons for it, and how can you stop them?

This short course will give you:

  • 10 Points of Project Failure
    The key ‘Points of Project Failure’ that will alert you to where you need to focus your attention. So you can be seen as a strategically-minded Project Manager.
  • 61 Primary Reasons for Project Failure
    The ‘Primary Reasons for Project Failure’ that will alert you to specific actions you can set up and take. So you can take preventative actions to stay in control of your project.
  • Over 100 Sources of Project Risk
    With over ‘100 Sources of Project Risk’, you can jump-start your risk identification process and reduce workload. So you can start your project efficiently and effectively with a solid risk register.

Full Details of our short course ‘How to Avoid Project Failure’ here

Other Articles About Risk Management

We currently have around 50 free articles and videos on this website about aspects of project risk management. You can check them all out on our risk management topic page.

However, I have curated a few of the best, which are particularly suitable to follow-on from this article, and which are not already linked above:

Never miss an article or video!

Get notified of every new article or video we publish, when we publish it.

Mike Clayton

About the Author...

Dr Mike Clayton is one of the most successful and in-demand project management trainers in the UK. He is author of 14 best-selling books, including four about project management. He is also a prolific blogger and contributor to ProjectManager.com and Project, the journal of the Association for Project Management. Between 1990 and 2002, Mike was a successful project manager, leading large project teams and delivering complex projects. In 2016, Mike launched OnlinePMCourses.