After the risks have been identified, their potential impact on the project must be estimated. This is done by estimating the probability that these risks will be realized and the damage to the project should such a scenario become reality.
Multiplying the ’realization probability’ by the ’degree of damage’ generates a ‘risk exposure’ measurement, according to which the risks will be ranked.
Calculating the probability that a risk will materialize depends on the type of risk. Scientific risks, ones that can be statistically estimated, will be calculated using existing statistical data. When this is not possible, the probability will have to be estimated subjectively, based on a likelihood probability scale as follows:
- Very Low (1%-5%)
- Low (6%-19%)
- Medium (20%-39%)
- High (40%-69%)
- Very High (70%-99%)
N Times every T times
- 40% – 69%
Estimating the potential damage is often done subjectively by the person doing the risk assessment. However, since the purpose of a risk management plan is to supply reliable information so that decisions can be made, a subjective risk assessment is not useful. Therefore, risk assessments should be solicited from a variety of sources. The meaning of the various impact levels should be clearly defined to help risk assessors with this job. For exmaple:
- Very Low
- Very High
Description of the damage in quantitative terms of time, budget, content, etc.
Description of the damage in broad terms relating to the outcome of the project
Example of a detailed damage explanation menu:
Degree of Damage
Project falls a few days behind; Costs are 5% higher; Project boundaries are insignificantly impacted; Project quality is insignificantly impacted.
Project falls a week behind; Costs are 10% higher; Project boundaries are lightly impacted; Project quality is lightly impacted without the client noticing.
Project falls two weeks behind; Costs are 20% higher; Project boundaries are significantly impacted; Project quality is significantly impacted.
Project falls several weeks behind; Costs are 30% higher; Project boundaries are critically impacted; Project quality is critically impacted.
Project falls a month behind; Costs are 40% higher; Project boundaries are useless to the client; Project quality is unacceptable to the client.
As stated above, the ‘risk level’ or ‘risk exposure’ is calculated by multiplying the realization probability of a given risk by the degree of damage should the risk materialize. The result of this calculation can then be used to rank the various risks that the project faces by comparing the threats they pose to the project. This threat level comparison forms the heart of risk control and communication systems.
Furthermore, it is possible to estimate the effect of risks on a given project qualitatively, using a risk matrix that measures the impact on the project (from low to high), as well as the interval in which the risk may occur (listed as a distance: “near”, “mid”, “far”).
Beware of misconceptions of risks that threaten to harm us “only” in the long run. It is very possible that you should start avoiding them right now!