When no more risks are being found, look at the risk list as a group to see if there are any natural groupings
(occurrences of the same risk), and combine risks where possible in order to eliminate duplicates. Sometimes, the risks
identified will be symptoms of some more fundamental risk; in this case, group the related risks together under the
more fundamental risk.
Quantitative risk management techniques recommend that risks be prioritized according to the overall risk exposure the
risk represents to the project. To determine the exposure for each risk the group should estimate the following
information:
-
Impact of risk: The deviations of schedule, effort, or costs from plan if the risk occurs
-
Likelihood of occurrence: The probability that the risk will actually occur (usually expressed as
a percentage)
-
Risk exposure: Calculated by multiplying the impact by the likelihood of occurrence
As a group, the exposure of each risk should be derived by consensus. Significant differences of opinion should be
further discussed to see if everyone is interpreting the risk the same way. Typically this information is included as
columns in a tabular Risk List.
It is human nature to worry about the highest impact risks, but if these are very unlikely to occur they are really
less important than more moderate risks that are often overlooked. By considering both the magnitude of the risk and
its likelihood of occurrence, this approach helps project managers focus their risk management efforts in areas that
will have the most significant affect on project delivery.
Once the exposure for each risk has been determined, you can sort the risks in order of decreasing exposure to create
your "top 10" Risks List.
Because estimation of likelihood and cost is expensive and risky in itself, it is generally only useful to gauge the
impact of the top 10 to 20 risks. Smaller projects may consider fewer risks, whereas larger projects present a larger
'risk target' and as a result have a larger number of relevant risks.
In addition to ranking the risks in descending order of exposure, you may also find it useful to group or cluster the
risks into categories, based on the magnitude of their impact on the project (risk magnitude). In most cases,
having five categories is sufficient:
-
High
-
Significant
-
Moderate
-
Minor
-
Low
Document the risks and circulate them among the project team members.
|