Guideline: Assessing Risks
This guideline explains how the team can collaborate to analyze and prioritize project risks.
Main Description

When no more risks are being found, look at the risk list as a group to see if there are any natural groupings (occurrences of the same risk), and combine risks where possible in order to eliminate duplicates. Sometimes, the risks identified will be symptoms of some more fundamental risk; in this case, group the related risks together under the more fundamental risk.

Quantitative risk management techniques recommend that risks be prioritized according to the overall risk exposure each risk represents to the project. To determine the exposure for each risk, the group should estimate the following information:

  • Impact of risk: The deviations of schedule, effort, or costs from plan if the risk occurs 
  • Likelihood of occurrence: The probability that the risk will actually occur (usually expressed as a percentage) 
  • Risk exposure: Calculated by multiplying the impact by the likelihood of occurrence 

The group should derive the exposure of each risk by consensus. Significant differences of opinion should be discussed further to see if everyone is interpreting the risk the same way. Typically this information is included as columns in a tabular Risk List.

It is human nature to worry about the highest impact risks, but if these are very unlikely to occur they are really less important than more moderate risks that are often overlooked. By considering both the magnitude of the risk and its likelihood of occurrence, this approach helps project managers focus their risk management efforts in areas that will have the most significant effect on project delivery.

Once the exposure for each risk has been determined, you can sort the risks in order of decreasing exposure to create your "top 10" Risks List.

Because estimation of likelihood and cost is expensive and risky in itself, it is generally only useful to gauge the impact of the top 10 to 20 risks. Smaller projects may consider fewer risks, whereas larger projects present a larger 'risk target' and as a result have a larger number of relevant risks.

In addition to ranking the risks in descending order of exposure, you may also find it useful to group or cluster the risks into categories, based on the magnitude of their impact on the project (risk magnitude). In most cases, having five categories is sufficient:

  1. High
  2. Significant
  3. Moderate
  4. Minor
  5. Low

Document the risks and circulate them among the project team members.