How to Evaluate Project Risk

Updated on December 15, 2016

The Concept of Risk Management

Risk can be a good thing. Without risk there is no reward, and risk breeds innovation. Risk is therefore to be encouraged within an organization, but it is also dangerous and so has to be managed. A risk management system aims to identify the primary risks that an organization is exposed to, so that an informed assessment can be made and proper decisions taken to safeguard the organization.

There are numerous types of risk management system in use. It is very important that they are seen to be cost-effective as far as is possible.

Most risk management systems contain five distinct areas:

1 risk identification

2 risk classification

3 risk analysis

4 risk attitude

5 risk response, control, policy and reporting

Risk Identification

The idea of risk identification is to find out all the risks that are likely to impact on a given project and to explore the linkages and interdependencies between them. This builds up a picture of the risk ‘profile’ that applies to a particular project and enables the decision maker to make an informed response with due consideration for the relevant risks, including both current risk and risks that are likely to occur during the course of the project life cycle.

Risk identification involves the identification and assessment of all the potential project risk areas. Risk identification is the starting point for the entire risk management process. The effectiveness and validity of the risk management system will therefore depend on the accuracy of the identification process.

There are several established risk identification typologies. An obvious classification system for purely project risk would include the following.

Internal risks: These can generally be identified by breaking the project up into separate work packages using a work breakdown structure (WBS).

External risks: These originate from outside the project and relate to factors such as interest rates and levels of economic activity. They are obviously more difficult to identify and evaluate.

Project risks: These overlap internal and external risks. They are a feature of the specific project and of the administration and control techniques that are applied both within the company and by other organizations that impact on the project team.

Risk sources can often be divided into objective and subjective sources.

Objective sources are the sum total of past experience of past projects in relation to the current project. This source is sometimes referred to as ‘experience’.

Subjective sources are the sum total of current knowledge based on current experience. Estimates of current performance are made based on optimistic, likely and pessimistic estimates, relevant to current estimates.

It is important that the identification process is concerned with the source of the risk rather than the event itself or the effect.

The most obvious and widely used method for risk identification is brainstorming.

The idea is that as many people as possible look at the project scenario and try to identify as many risks as possible. These include internal and external, controllable and uncontrollable, and all other forms of risk that could theoretically affect the project.


In brainstorming methodology, a coordinator or facilitator is generally appointed. This person chairs the brainstorming session. He or she steers the discussion and tries to keep the group focused on the problem (to identify risks). A lot of good practice started with ideas and concepts that might have looked doubtful or even absurd initially.

Phase 1: Creative phase.

The idea of phase 1 is to invite as many ideas as possible from the brainstorming team. The team itself should include as many project team members as possible and also other individuals who have an impact on the project or who act as stakeholders.

Apparently crazy ideas should be positively encouraged. The ideas are generally written down as they are extracted from the session. No criticism or discussion is allowed at this stage.

Phase 2: Evaluation phase.

Once the list of ideas is complete (at least for this particular session), each one is evaluated by all members of the team. Technical expertise and experience can now be applied by individual members in order to identify those ideas that have potential and those that do not. It is important that ideas are not linked to individuals, so that free and open criticism and evaluation can take place. Each idea is considered in detail and a final list is formulated of those ideas to do with project risk that are regarded as having real potential and that are worth further development. It is essential to be aware that the final list is the product of collective group effort rather than a list of individual contributions.

Risk Classification and Evaluation

Risk Classification

Once the various risks have been identified, they then have to be classified in some way.

Most work on classifying risk is linked (at least in part) to so-called portfolio theory. This considers risk classification from a financial point of view. A reasonably detailed methodology from portfolio analysis has developed, based around the portfolio theory’s beta coefficient.

Risk can be primarily classified in terms of whether it is market risk or static risk. It can also be classified in terms of its area of impact or the extent to which it will affect the organization. Some risks could only affect the company at an individual project level.

The three-level classification system for risk:

1 risk type;

2 risk extent;

3 risk impact.

Risk Analysis

Once the risks have been identified and classified, they then have to be analyzed.

Risk analysis is based on the identification of all feasible options and data relating to the various risks, and on the analysis of the various outcomes of any decision.

Most risk analysis methodologies comprise six basic steps.

Step 1. Evaluate all the options.

All the various options should be considered. It is important that all the factors that affect the risk are considered. The brainstorming or other form of risk identification should be exhaustive and all factors that could possibly affect the impact or likelihood of the risk should be identified.

Step 2. Consider the risk attitude.

The risk attitude of the decision maker is an important consideration. Different people will evaluate risks differently and will make different decisions using the same data.

Step 3. Consider the characteristics of the risks.

Consider the risks that have been identified and are controllable and what their impact is likely to be. It is important to ensure that all possible characteristics of the risk are identified.

Step 4. Establish a measurement system.

The risk has to be measured and evaluated in some way, using a qualitative or quantitative (or combined) approach. Some approaches use established modeling techniques where the characteristics of the risk and the situation can be input and a prediction can then be made based on past experience.

Step 5. Interpret the results.

The data produced by the measurement require interpretation. This can again be quantitative or qualitative. The results of the measurement process provide an indication of a prediction or possible outcome, but these are still open to interpretation.

Step 6. Make the decision.

The final stage in the process consists of deciding which risks to retain and which to transfer to other parties. The risk profile that is acceptable for retention will depend on the nature of the organization and the attitude of the decision maker.

Other methodologies adopt a slightly different approach.

Step 1: Identify and source the risk and extract all relevant information.

Step 2: Identify all possible threats and opportunities (SWOT analysis) and map the risk drivers. Identify and brief risk holders where appropriate.

Step 3: Assess the probability and impact of each risk and develop the actual risk map.

Step 4: Consider all available options and develop a target risk map.

Step 5: Assess the value added to the company by taking the recommended risk response action.

Step 6: Set up monitoring and reporting systems to ensure effective evolution of the risk map.

Risk Map

A risk map simply shows individual isolated risks plotted on axes of probability of occurrence against impact. The process of risk mapping is sometimes referred to as risk profiling or even risk footprinting. It is basically a process of showing the relationship between risk probability and impact for a range of given risks as a function of time.

Quadrant 1: Red zone (high impact and high probability).

These are the dangerous risks. No business can survive accepting these risks at this critical level over the long term. They have to be addressed at once and immediate action has to be taken. They are strategically important, and appropriate action is immediately required. Generally, a risk manager should be established and a specific strategy formed. If the firm cannot manage these risks effectively over the long term, then avoidance strategies should be considered.

Quadrant 2: Upper Yellow zone (high impact and low probability).

These risks are not as crucial as those in the red zone. However, they require close attention as they include the severe effects of extraordinary events. These risks are often driven by external or environmental factors beyond management control. Contingency planning is particularly appropriate for these risks.

Quadrant 3: Lower Yellow zone (low impact and high probability).

These risks often relate to day-to-day operations and compliance issues.

Cost control procedures fall into this category. These are based on monitoring and detection, and they identify a defect downstream from the risk. Cost overruns are virtually certain to occur.

Quadrant 4: Green zone (low impact/low probability).

These risks are low severity and low likelihood. They are not of sufficient stature to warrant allocating specific resources. They are generally insignificant and are acceptable at their present level. They represent areas that may be outsourced.

Risk maps can be used as planning tools. Some risk management systems use an actual risk map and a target risk map in terms of establishing a baseline and current status methodology. The target risk map shows the risks as we want them. The difference between the actual risk map and the target risk map identifies areas where actions are needed to meet the requirements of the risk management system.

In order to get from the current risk map to the target risk map, a strategy would be developed and risk holders put in charge of each major risk area.
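The comparison of an actual risk map against a target risk map can be sketched in code. This is an added example, not part of the original article: the 0 to 1 scoring scale, the 0.5 cut-off between "low" and "high", the ranking of the two yellow zones, the names `Risk`, `zone`, `risk_map` and `gaps`, and the sample risks are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: probability and impact are scored from 0 to 1 and 0.5 separates
# "low" from "high"; the article does not fix a scale or a cut-off.
THRESHOLD = 0.5
# Assumed ranking used only to list the most serious gaps first.
SEVERITY = {"green": 0, "lower yellow": 1, "upper yellow": 2, "red": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float
    impact: float


def zone(risk):
    """Place a risk in one of the four quadrants of the risk map."""
    if not (0 <= risk.probability <= 1 and 0 <= risk.impact <= 1):
        raise ValueError(f"scores for {risk.name!r} must lie between 0 and 1")
    high_i, high_p = risk.impact >= THRESHOLD, risk.probability >= THRESHOLD
    if high_i:
        return "red" if high_p else "upper yellow"
    return "lower yellow" if high_p else "green"


def risk_map(risks):
    """Build a risk map as a dictionary of risk name -> zone."""
    return {r.name: zone(r) for r in risks}


def gaps(actual, target):
    """Return (name, actual zone, target zone) where action is needed."""
    actual_map, target_map = risk_map(actual), risk_map(target)
    missing = sorted(set(actual_map) - set(target_map))
    if missing:
        raise ValueError(f"no target position set for: {missing}")
    moves = [(n, z, target_map[n]) for n, z in actual_map.items() if z != target_map[n]]
    return sorted(moves, key=lambda m: SEVERITY[m[1]], reverse=True)


# Constructed sample data (name, probability, impact), not from the article.
ACTUAL = [Risk("supplier insolvency", 0.7, 0.9), Risk("interest rate rise", 0.2, 0.8),
          Risk("work package cost overrun", 0.9, 0.3)]
TARGET = [Risk("supplier insolvency", 0.3, 0.9), Risk("interest rate rise", 0.2, 0.8),
          Risk("work package cost overrun", 0.4, 0.3)]

for name, now, wanted in gaps(ACTUAL, TARGET):
    print(f"{name}: {now} -> {wanted}")
```

Each tuple returned by `gaps` is a risk that needs a strategy and a risk holder to move it from its actual zone to its target zone.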

Risk mapping is a fundamental tool. Its usefulness lies in its flexibility. It is by far the most widely used tool for risk classification, and to some extent, risk identification. It can be closely linked to the organizational breakdown structure (OBS) for the company and to the work breakdown structure (WBS) for the project. It effectively links to the task responsibility matrix (TRM) that acts as the link between the OBS and WBS at the operational and strategic levels. Like a TRM, a risk map can be developed upwards or downwards to virtually whatever level of detail is required.

Variability limits for individual or groups of risks can be set by various techniques. It is usually possible to model boundaries using established statistical techniques. Boundaries and limits can be set within specified confidence limits or sub probabilities of occurrence. These can sometimes be useful in analyzing different levels of variability.

Risk Grid

A risk grid is an alternative to a risk map. It would be prepared where a company is looking at a range of activities and deciding on the specific risk cover that is required. This depends directly on the probability of a risk occurring and the impact of the risk if it occurs. The format of the risk grid will also depend directly on the attitude of the risk taker.

Risk Attitude

The attitude of the risk taker is clearly an important element. Much risk evaluation is subjective, and therefore the perceived level of risk involved with a course of action depends on the attitude of the risk taker.

In general terms, risk takers can be neutral, risk averse or risk seeking.

Once the attitude has been considered in some way, the risk has to be plotted or put in relation to other risks and to the various determining factors that can affect the outcome.

Risk attitude in relation to a project varies in relation to the characteristics of the project team. Individuals tend to take less risky decisions than teams. In addition, multidisciplinary teams tend to make more risky decisions than uni-disciplinary teams. All teams tend to make more risky decisions the longer they are together as a team.


