How to Categorize, Assess, & Prioritize Project Risks

"Regardless of your job or industry, there aren't always enough hours in the day to get everything done. As a result, you constantly feel like you're always behind. And that's just not good for your productivity or your health."  —Inc.

Many project managers attempt to solve this problem by working late every day. But the ultimate solution is not in working 70 hours a week. It's in doing more of the work that matters most.

"Do More of the Work That Matters Most." —Harry Hall

What is the CAP Method?

Want to reduce your workload? Want to save time? How about reducing some of the anxiety you feel about whether you're doing the right things at the right time?

The CAP Method is a simple set of risk management tools that can aid you in determining the priorities of your project risks and the associated responses. CAP stands for:

  • Categorize Risks
  • Assess Risks
  • Prioritize Risks

Each of these tools can help you determine what matters most. Using these tools together will yield even greater advantages. 

What is Risk?

Since we are talking about risk management, let's review the definition of risk. The PMBOK® Guide, Seventh Edition defines risk as, "an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives." Think of risk as things that may happen, some good and some bad.

1. Categorize Risks

Why Categorize?

When you want to find bananas in the grocery store, where do you go? The Produce Section, right? Whether we are in a grocery store, a bookstore, or shopping on Amazon, categories help us organize and find things.

So, let's assume that we have a list of project risks such as a risk register. Now, we need a way to turn this list into information that facilitates better analysis, decision-making, communication, and management of risks. Categories help us organize our projects for these purposes.

Examples of Project Risk Categories

Check with your organization to see if there is a standard set of project risk categories. Your risk categories will vary, depending on your industry and type of project. If you don't find a standard set of categories, you can start with the following:

  • Scope
  • Schedule
  • Budget
  • Quality

Project managers may use these categories to identify and manage risks related to their project objectives.

In some projects, you may wish to use a Risk Breakdown Structure (RBS) to provide a more granular approach. For more information, read Use a Risk Breakdown Structure to Understand Your Risks by Dr. David Hillson.

Read: How to Actually Define Risk Categories.

Read: How to Create a Project Affinity Map.

1. Taking Action

Define risk categories for one of your projects. Select the categories that will allow you to focus on the areas of uncertainty. Add the categories to your risk register. Don't have a risk register? Click here to discover how to develop and use a risk register. Once you've determined your risk categories, assign a risk category to each of your project risks.

2. Assess Risks

Why Assess?

So, project managers assess risks in order to distinguish one risk from another in terms of significance. There are several tools and techniques that we can use for assessing risks. They generally fall into qualitative and quantitative methods.

Qualitative Risk Analysis

Qualitative risk analysis should always be performed. These methods are quick, but they are also subjective.

One simple method is the KISS—Keep It Super Simple—Method. Project managers work with subject matter experts to rate risks with a scale such as:

  • Very High
  • High
  • Medium
  • Low
  • Very Low

A common method is the Probability/Impact Matrix. Using a scale such as 1 to 5, project managers rank each risk for probability and impact.

Quantitative Risk Analysis

Quantitative risk analysis is optional. These methods take more time than the qualitative methods, but they also provide much more detailed information for go/no go decisions and the development of contingency reserves. Examples of quantitative risk analysis include:

  • Three-Point Estimates
  • Decision-Tree Analysis
  • Expected Monetary Value
  • Monte Carlo Analysis
  • Sensitivity Analysis

Read: Evaluating Risks Using Quantitative Risk Analysis.

Read: Evaluating Project Schedules Utilizing Quantitative Risk Analysis.

2. Taking Action

Select one of your projects for which you've not been assessing risks. Determine a qualitative method that you wish to use, such as the KISS Method or the Probability/Impact Matrix. Engage appropriate subject matter experts and rate each of your project risks.

3. Prioritize Risks

Risk assessment is the process of assessing the probabilities and consequences of risk events if they are realized. The results of this assessment are then used to prioritize risks to establish a most-to-least-critical importance ranking.

Why Prioritize?

According to the power law theory, certain efforts actually produce exponentially more results than others. Or perhaps you are familiar with the Pareto Principle—80% of your project issues come from 20% of your risks. So, we prioritize to obtain the most value for our efforts.

Another reason we prioritize is to rightly assign risks to risk owners. Project managers should assign risk owners for urgent risks, those above the risk threshold. Furthermore, the risk owners should develop risk response plans, including contingency plans and fallback plans.

Lastly, prioritization helps reduce our risk management cost. Never forget that there is a cost for our risk management activities such as meetings to identify, assess, respond to, and monitor risks. Prioritization helps us respond to the risks that matter most and reduce our cost.

How to Prioritize Risks

Establishing the most-to-least critical importance ranking is fairly simple. We can sort the risk register on the risk score or risk exposure in descending order.

Next, we should define our risk threshold. The risks above the defined threshold are Urgent Risks. The project manager should assign a risk owner to each of these risks. The risk owner should define and execute a risk response plan.

The risks below the risk threshold fall onto the Watch List. Project managers are not required to take action on these risks but they watch these risks since the probability and impact ratings may change over time.
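The ranking and threshold steps above, as an added Python example that is not part of the original article. It assumes the risk score is probability times impact on the 1-to-5 scale, a threshold of 10, and that a risk scoring exactly at the threshold goes to the Watch List; the register entries and names are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    category: str        # e.g. Scope, Schedule, Budget, Quality
    probability: int     # 1 (very low) to 5 (very high)
    impact: int          # 1 (very low) to 5 (very high)
    owner: str = ""      # empty until a risk owner is assigned

    def __post_init__(self):
        for field in ("probability", "impact"):
            if not 1 <= getattr(self, field) <= 5:
                raise ValueError(f"{self.name}: {field} must be 1-5")

    @property
    def score(self) -> int:
        # Assumption: score = probability x impact (range 1-25).
        return self.probability * self.impact

def prioritize(register, threshold):
    """Sort most-to-least critical, then split at the threshold."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    urgent = [r for r in ranked if r.score > threshold]
    watch = [r for r in ranked if r.score <= threshold]  # assumption: ties are watched
    return urgent, watch

def unowned(urgent):
    """Urgent Risks that still need a risk owner."""
    return [r.name for r in urgent if not r.owner]

def exposure_by_category(register):
    """Total score per category, to show where uncertainty concentrates."""
    totals = defaultdict(int)
    for r in register:
        totals[r.category] += r.score
    return dict(totals)

# Constructed sample register, for illustration only.
REGISTER = [
    Risk("Sponsor reassigned mid-project", "Schedule", 1, 4),
    Risk("Requirements grow after sign-off", "Scope", 3, 4),
    Risk("Key vendor delivers late", "Schedule", 4, 5, owner="A. Rivera"),
    Risk("Test environment unavailable", "Quality", 2, 3),
    Risk("Exchange rate raises hardware cost", "Budget", 2, 5),
]

if __name__ == "__main__":
    urgent, watch = prioritize(REGISTER, threshold=10)
    for label, group in (("URGENT", urgent), ("WATCH", watch)):
        for r in group:
            print(f"{label:6} {r.score:>2}  {r.category:8}  {r.name}")
    print("Needs an owner:", unowned(urgent))
```

Re-run the split whenever ratings are revised, since a Watch List risk can cross the threshold as its probability or impact changes.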

3. Taking Action

Use the output of your qualitative analysis to establish a most-to-least-critical importance ranking. Sort your risk register by the risk score in descending order. Next, work with your project sponsor to determine the risk threshold. Then assign risk owners to the Urgent Risks. The risk owners should develop and execute the risk response plans.
