Project risk assessment
|Project risk assessment|
|Methods and techniques|
Project risk assessment is part of project risk management process, which includes: risk identification, risk analysis and risk evaluation. This definition is similar in ISO 31000:2009 standard and PRINCE2 methodology. The PMBoK treats risk assessment as only one of the tools of project risk management. Instead it distinguishes quantitative and qualitative risk analysis.
Project risk assessment should be performed not only at the beginning of the project, but also in each phase. This is necessary because it is often impossible to identify all the risks before the phase initiation.
Identification of risks includes finding:
- sources of risk,
- areas of impact,
- events (incidents) and their causes,
- potential consequences.
The result of risk identification should be a list of risks with description (risk register). If this step is performed at planning stage of the project, it should include: risk management plan and other plans (if available), activity duration and cost estimates and other project documents.
The simplified identification is performed during the project implementation. Usually employees report possible risks or events to project manager. The project manager decides whether to add them to risk register.
The techniques used in risk identification are:
- documentation reviews,
- collecting information from internal and external sources,
- SWOT analysis or TOWS analysis
- expert judgement
Risk analysis should lead to better understanding of the risk. It includes consideration of:
- positive and negative consequences,
- factors that affect consequences,
- factors that affect likelihood,
- affected project objectives.
Each risk can affect multiple objectives, and have multiple consequences.
Consequences and likelihood analysis
The consequences usually impact on costs or time. As the time can be presented as money value, the consequences are described using currency. The impact value describes how severe will be occurrence of the risk.
The likelihood can be described in percent (100% - the occurrence is certain). The likelihood can be assessed based on data from other project, experts judgement or other sources. Product of likelihood and consequences gives expected value. That is expected impact on the project defined in monetary value (risk level).
The extended analysis should be performed during planning phase. During the project implementation often there is no need for such analysis. Many project managers limit analysis to 3 or 5 points scale of likelihood and consequences. It's faster, easier and gives the same effect.
The risks can be presented in risk assessment matrix.
The risk evaluation is to help making decisions based on risk analysis. The evaluation returns information about which risks need treatment and what are the priorities. The decisions should take into account wide context of the risk, as well as tolerance of the risk in the project.
The risk evaluation in planning phase of the project can lead to determining overall impact of risks and opportunities on the project. It can help plan time and budget reserves.
- ISO 31000:2009 Risk Management - Principles and Guidelines, Geneva:ISO
- PMI Standards Committee, & PMI Standards Committee. (1996). A guide to the project management body of knowledge. Project Management Institute.
- Siegelaub, J. M. (2004, January). How PRINCE2 can complement PMBOK and your PMP. In PMI global congress proceedings.
Author: Slawomir Wawak