30 Quick Risk Evaluation Tips

Occasionally, I teach a virtual Project Risk Management Short Course where we review PMI’s Practice Standard for Project Risk Management. When I teach the course, I like to share these 30 risk evaluation tips. I hope you find them helpful.

Photo courtesy of DollarPhotoClub.com (edited in Canva)

Photo courtesy of DollarPhotoClub.com (edited in Canva)

  1. One of the top reasons for evaluating risks is to determine which risks are most significant.
  2. Always perform the qualitative risk assessment. The assessment is quick, but keep in mind – it’s also subjective.
  3. Determine if your organization has organizational assets such as a risk register template and probability/impact rating scale to jump-start your evaluation.
  4. Be sure to update the risk register each time you evaluate your risks.
  5. When evaluating each risk, consider the causal factors, the risk itself, and the impacts.
  6. Probability is the likelihood that a risk may occur.
  7. Impact is the effect or consequence on the project if the risk occurs.
  8. Multiply probability and impact to calculate a risk score (e.g., 8 x 5 = 40).
  9. Be sure to define your rating scales for probability and impact.
  10. Concerned with the velocity (e.g., time-to-impact) of your risks? Consider rating velocity along with probability and impact. Here is an example of how you can calcuate a risk score using velocity: Risk Score = (Probability + Velocity) X Impact.
  11. Improve the quality of your risk information through interviews and workshops before evaluating your risks.
  12. There may be multiple causal factors for a single risk.
  13. There may be multiple impacts for a single risk.
  14. Some root causes result in multiple risks. Responding to these root causes often provide high leverage.
  15. Look out for the high power/high influence stakeholders who wish to bias risk ratings for their own benefit.
  16. Beware – some individuals may be biased in their assessments because they lack an understanding of the risks. Educate stakeholders on the risks.
  17. Perform an assumption analysis before evaluating your risks.
  18. In some cases, you want to bias the risk ratings. If the sponsor says that the budget is the most important priority, consider this factor in your ratings.
  19. Things change. Conduct periodic risk reviews.
  20. Consider evaluating your risks again when there are significant changes in the project or when you hit project milestones.
  21. Lots of small risks can create a large cumulative risk exposure.
  22. When multiple activities converge into a successor activity, the risk for the successor activity is greatly increased.
  23. Sum the individual risk scores to calculate the total project risk score. You may divide the project risk score by the number of risks to calculate the average risk score. Compare the total project risk score for each project risk review. Look for trends.
  24. Risks that may occur later in a project should be considered as a higher risk than the risks that may occur early in the project. Why? There is less response time, greater uncertainty, and greater impact.
  25. The same risk may occur multiple times in the same project. Should you use the same risk response? Yes, if the response plan is working. Look for ways to tweak the response for a one-two punch.
  26. Want a way to analyze risks at a higher level than the individual risks? Group risks by category (e.g., time, cost, scope, and quality). Sum and compare risk scores by category. How have the risk exposures in the categories changed from one risk review to the next risk review? Why did the exposures change?
  27. Determine high-priority risks (e.g., The risks with a risk score of 80 or greater on a scale up to 100 will be considered urgent risks.).
  28. Be sure to involve appropriate stakeholders in the evaluation of your risks.
  29. Right size your risk evaluation process.
  30. Perform quantitative risk assessments when more detailed information is required for project decisions. Quantitative risk analysis is not always mandatory.

Don’t try all of these tips as once. Pick a few and implement. Incrementally try others. I would love to hear your results.

Question: How often do you review risks (e.g., daily, weekly, monthly) in the majority of your projects?

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 thoughts on “30 Quick Risk Evaluation Tips

  1. I’ve been thinking about how to include velocity (which I called urgency). Thank you for bringing it up.

    (To be anal about it, Velocity is the inverse of time-to-impact.)

    The value of considering Velocity lies in having enough time to respond to the risk. For example, you have two risks:

    Risk A
    P = 0.5
    I = 0.5
    V = 0.1 (it happens near the end of the time limit)
    RS = (P + V) x I = 0.3

    Risk B
    P = 0.01
    I = 0.5
    V = 0.9 (it will happen very soon)
    RS = (P + V) * I = 0.455

    In this case, you will deal first with the risk that has very low EMV (estimated monetary value, P x I). It’s a case of doing what’s urgent instead of doing what’s important.

    I believe we should use Velocity when we cannot deal with risks all at once. We would use it for prioritizing the risks for Quantitative Analyses.

    If (P x I) describes an area, then to be consistent, I would add Velocity as a third dimension. That is, PS (Priority Score) = P x I x V. Thus. (EMV x V) gives the EMV a weight equal to the weight of Velocity.

    The reason we would not consider the Velocity by itself goes back to the principle about the cost of rework. The later you deal with a problem, the more it costs because you have to re-do the work that came before. Similarly, the longer you wait to deal with a risk, the more rework you have to do. Therefore, we need to factor both EMV and Velocity into prioritizing work.

    In summary, my recommendation is to perform Qualitative Analysis, then Priority Analysis, then Quantitative Analysis (if needed).

  2. In #24, did you say “later” when you meant “sooner?”

    How do you define the scale in the presence of outlier risks that have extremely high impact? For example, one in 100,000 ignition switches might fail, but if one does, it could kill one or more people. If you define an impact of 100 as one whose value is the value of the project, a death would be off the chart. If you define the value of the highest impact as being 100, mundane risks drop to the noise level. Or, do you simply send outliers directly to Quantitative Analysis?

    #26 (summing and comparing categories) — If identifying risks in a category depends on competency in that category, then would cross-category comparisons be misleading?

    • Hi Richard. I actually meant to say “later”. If a risk occurs later in the project, we have less time to respond.

      Yes, you could deal with the ignition switch risk through quantitative analysis.

      Good point on #26 – this is one reason it’s good to have a team reviewing the risks.