Risk Identification & Assessment
Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. A risk has a cause and, if it occurs, a consequence. In order to maximize the probability and consequences of positive events and minimize the probability and consequences of adverse events to project objectives, risk management processes must be established.
During the Project Initiation Phase, the risks that might affect the project must be identified and their characteristics must be documented in the Risk Log. The Risk Log is a document that needs to be created during the preparation of the Project Fiche and be refined in the next phases of the Project Management Cycle. The Risk Log is a control tool for the Project Manager, providing a quick reference to the key risks facing the project, what monitoring activities should be taking place and by whom.
A template of the Risk Log is presented in Annex 1-6. Besides the suggested structure, the template also provides guidance. Furthermore, in the same Annex a completed Risk Log (this example refers to an existing Cypriot project that has been funded by EU Transition Funds) is presented in order to facilitate the understanding of how each section should be completed.
When the Project Owner studies the Project Fiche, he/she also examines the Risk Log and must decide whether project initiation can be justified or whether there are serious threats to the project’s success. Pragmatically, the Project design team (or the Project Manager if he/she has been appointed) should have discussed informally with the representatives of the Project Owner any known risks that seem to threaten the project’s viability.
Risk identification is an iterative process. The risks identified and registered in the Risk Log during the preparation of the Project Fiche are the evident ones, normally concerning availability of resources, impending or mooted legislation, and dependencies on other projects and their results. These risks should be refined during the Planning Phase when the Project Plan is being created. Generally, there should be a check for any new risks every time the Risk Log is reviewed, at least at the end of each stage. The Project Steering Committee has the responsibility to continually check external events for external risks.
Techniques to be used for the identification of possible risks during the Project Initiation Phase are presented below:
The Checklist presented below has been developed for PRINCE2 Methodology and could be used as a starting point for identifying the main areas of risks for projects implemented using insourcing or outsourcing.
Risk assessment is the process of assessing the impact and probability of identified risks.
Risk Probability is the likelihood that a risk will occur. Risk impact is the effect on project elements if the risk event occurs. For example, major damage to a building is relatively unlikely to happen (low probability), but would have enormous impact on business continuity. Conversely, occasional personal computer system failure is fairly likely to happen (high probability), but would not usually have a major impact on the business.
Impact should be considered under the elements of:
When considering a risk’s probability, another aspect is when the risk might occur. Some risks will be predicted to occur further away in time than others, so attention has to be paid to the more immediate ones.
In order to increase the visibility of risks and assist management decision making, the probability/impact risk rating matrix (or Risk Profile – as it is called in PRINCE2 Methodology) can be used. It is a graphical representation of information normally found in Risk Logs. An example of a completed Risk Rating Matrix is presented in the figure below (Tool 1-7).
The horizontal axis represents the risk’s impact and its scale reflects the severity of its effect on the project. Impacts can be ordinal or cardinal, depending on the culture of the organization conducting the analysis. Ordinal scales are simply rank ordered values, such as very low, low, medium, high and very high. Cardinal scales assign values to these impacts. These values could be linear or nonlinear (e.g. 0,1 – 0,3 – 0,5 – 0,7 – 0,9). Both approaches intend to assign a relative value to the impact if the risk in question occurs. However, the ordinal scales are the ones most in use.
The vertical axis represents the risk’s probability. Assessing risk probability may be difficult and the expertise of individuals who have managed similar projects in the past may be needed. An ordinal scale, representing relative probability values such as very low (= very unlikely), low, medium, high, very high (= almost certain), could be used. Alternatively, specific probabilities could be assigned by using a general scale like 0,1 – 0,3 – 0,5 – 0,7 – 0,9.
The thick black line represents the “risk tolerance line”. This line is defined for a specific project by agreement between the Executive and Project Manager and indicates how much risk the Project Steering Committee is prepared to take. It may be prepared to take comparatively large risks in some areas and none at all in others, depending on the characteristics of the project, as well as the general policy of the organisation regarding risk tolerance. For example, in the case of an EU-funded project, the Project Steering Committee may have very little financial risk tolerance, but allow for more risk tolerance in terms of political changes. When setting the risk tolerance line, it is important to find the optimum balance of accepting a risk’s occurrence against the cost of limiting that risk. In any case, the risk tolerance line should reflect not only the acceptance or not of individual (specific) risks, but also the organisation’s overall tolerance of exposure to risk.
Risks with high probability and high impact are positioned above and to the right of the “risk tolerance line” and usually need more thorough examination and aggressive formal risk management.
* The numbers in the cells represent the ID numbers of the identified risks of a certain project.
© 2007 Republic of Cyprus, Treasury of the Republic, Public Procurement Directorate