Risk assessments--developing the right assessment for your organization

Abstract

How can project managers assess todayʼs risks so that they wonʼt become
tomorrowʼs problems? Project managers are always on the lookout for risks
and donʼt sit back and wait for risk events to happen. We must take a
proactive approach to managing uncertainty, but it is always helpful if we
have a tool that helps us quickly identify, qualify, and quantify risk. Donʼt
reinvent the wheel! Create a reusable risk assessment that can be used
repeatedly and reliably.

In this presentation, participants will learn how to develop their own
customized risk assessment tool. Risk assessments take on many forms
from very simple matrices to very complex databases with customized
algorithms. There are many ways to go about creating a good risk
assessment that takes into account those criteria important to your
organization. This presentation will provide a step-by-step process for
creating risk assessments that project managers or program officers can
develop and use later in the risk management process.

During this process your team shouldnʼt be spending time deciding what
methods youʼll be using to identify, qualify, and quantify risks, since that
should have been defined previously in the risk management plan. Also, itʼs
important to remember that as you gather your risks, it is necessary to
document as many risks as possible within your risk register and quickly
determine their likelihood and impact on a common set of categories
included in your risk assessment. Once these risks are identified,
categorized, qualified and quantified, they will provide essential input into
the rest of the risk management process. It all begins with a robust and
flexible risk assessment tool!

Introduction – Is a Risk Assessment Necessary?

Risk assessments are not performed in some organizations because they
are perceived as a waste of valuable project time. This perception may be
linked to the fact that assessing risk is conducted as a unique and discrete
process for each project. Risk assessments can be conducted utilizing a
reusable but customizable assessment tool in order to save time. I have
spoken with many project managers in corporate America, and I have asked
them why they approach risk assessments in this manner. Most project
managers state that their projects are too unique and that creating a risk
assessment template would be a waste of time or that they just donʼt have
the time to use such an assessment tool. According to them, assessing and
managing risk appears to be the project equivalent of going to the gym to
work out – you know itʼs a healthy habit, but sometimes you just canʼt bring
yourself to do it. If we extend this analogy, we know that those who work
out regularly are healthier because of it. The same principle applies with
project managers; those who are disciplined at risk management have
healthier projects because they are probably managing other aspects of
their projects with the same discipline.

Risks are commonly discussed in project team meetings when risks arise.
However, this process tends to be reactive, and in some cases it may prove
catastrophic if risks are addressed too late. Taking the time to proactively
identify, qualify, and quantify risks is a discipline that every project manager
should pull out from their skills toolbox in order to stave off negative
impacts to project scope, cost, time or quality. Having a scalable risk
assessment template and risk management plan template in your back
pocket will help you ease the pain associated with managing risks.

Organizing Your Risk Assessment Effort


You will first need to determine how a risk assessment will fit within your
risk management processes and eventual risk management plan. The best
approach is one that is scaled to fit your project, your organization, and
your team. As Mark Mullaly puts it, “The risk [assessment] matrix is the
start of the risk assessment process, not the finish. The degree to which
risks influence our process will determine the strategy we take to deal with
the risk, and the response that we plan.” (Mullaly, 2007) A good risk
assessment process includes a two-fold identification process. The risk
identification matrix below (Exhibit 1) identifies the risk dynamics faced on
every project. The first process addresses the common risks you and those
in the performing organization and/or industry normally face. Some project
managers refer to these as the known risks. The other process is to address
the unknown or unusual risks that will require you and your team to think
outside of the box in order to properly identify them. These are referred to
as the unknown unknowns. A good risk assessment will address these.

Exhibit 1: Risk Identification Capability Matrix

This process requires a group perspective in order to maximize the known
risks and to minimize the unknown risks. The more people involved in this
process the better, but there is a point of diminishing return – so be
judicious in the number of people involved. It is preferable that a sampling
of senior project managers from throughout the organization be invited to
participate for development of the initial risk assessment template –
preferably fewer than 20. Once they are gathered, you will use the following
steps to create and update your risk assessment template.

Creating Your Risk Assessment

Identify Applicable Risk Types and Organize Them

It is highly recommended that you use facilitated workshop sessions for this
process. Once a subject matter expert group is gathered, it is best to
explain to them that this process will require everyone to put on their
thinking caps and be prepared to think outside of the box during this and
any future sessions. Use the topics included in this section as the agenda
for your sessions. Once you are ready, ask all participants to do the
following:

- Take 20-30 minutes to think of types of risk events commonly faced on
  projects
- Write down each risk event on a separate sticky note
- Take an additional 15 minutes to brainstorm additional risk events that
  are uncommon but could still occur
- Write down each additional risk event on a separate sticky note
- Ask participants to bring these forward and place them on the board

Then ask participants to form into teams of two or three and compare
notes, and ask them to do the following:

- Take an additional 20 minutes to brainstorm specific risk events
- Write down each additional risk event on sticky notes and place them
  on the board

Now, canvass the group and ask them if these risk events can be
categorized.

- Ask participants to identify if specific risk events can be classified and
  grouped under specific categories
- As categories are identified, ask someone to serve as a scribe and
  write down each new risk category on a larger sticky note and place
  this as a heading on the board
- Then ask participants where each identified risk event should be
  placed according to category
- Adjust until everyone is reasonably satisfied with the placement of all
  identified risks under specific classifications and groups
- If new risks are identified, ask someone to serve as a scribe and write
  down each new risk event on a new sticky note and place it under the
  prescribed risk category

After this is done, you can then conduct a session to build consensus as to
whether or not risk categories could be combined or split into more
convenient groupings. Continue the review and revision until a general
consensus has been reached.

When you have completed this process, you should have a risk
categorization matrix (Exhibit 2) that will look something like this:

Exhibit 2: Risk Categorization Matrix

Determine How These Risks Will Be Qualified and Quantified


The hardest part of developing a custom risk assessment template is
identifying the potential for a risk event to occur and its effect on the
project should it occur. The probability of a risk occurring and its impact
on a project are used in tandem as decision aids.

Each risk event identified above will require that thorough analysis be
conducted in order to identify the criteria and thresholds for the probability
and impact, as well as be well documented. Use the team process again to
do this. Ask team members to pair up and to take several risk event items.
Their job will be to establish the criteria for each and to document what they
think the thresholds should be. This process can happen in a group setting
or as an assignment outside of group meetings. You can then bring the
team together in order to refine the work to be done by the smaller groups.

First and foremost, a qualitative ranking system should be established for
these thresholds. Most organizations employ a simple low, medium, high
ranking to start with. Specific qualitative criteria then need to be identified
for each risk event in order to properly identify what is considered low,
medium or high risk. For instance, a particular risk event might include a
team member leaving the team. In assessing its likelihood, you may
consider the turnover rate of employees in the organization in order to
determine the likelihood of this happening with the corresponding ranking
of low, medium and high. In assessing the impact you may need to qualify
what constitutes low, medium and high risk as well. In a large team, losing
one team member may be considered low risk. However, if the team
member who is leaving has a unique skill, the risk to the team may be
considered a medium risk. If three team members were to leave all at
once, this would be considered a high risk to the team.

Quantitative analysis uses numerical values for both probability and impact,
drawing on data from a variety of sources. Quantitative analysis may
consist of simply applying a score to each ranking:

Low = 1
Medium = 2
High = 3

The overall risk level should take into account the probability of the risk
arising and the impact to the project. These two scores may be multiplied to
give you the overall risk rating for each risk event. This may be referred to
as the Probability-to-Impact (PI) ratio. In general, if the two scores are low,
the overall risk would be low. Though it is great to have a single PI score to
identify the overall risk posed by each risk event, it is important to consider
the strength of both indicators and the overall plan you develop to manage
each risk. When you have completed this process, you should have a risk
assessment matrix (Exhibit 3) that will look something like this:

Exhibit 3: Risk Assessment Matrix

Determine Your Organizationʼs Risk Tolerance

When developing your custom risk assessment matrix, donʼt forget to
consider the risk tolerance levels within your organization. Some industries
and related organizations are naturally averse to risk, while other
industries and related organizations require a certain degree of risk. In
addition, though your organization has a specific risk tolerance, your
leadership or management may prefer a different risk tolerance.
Your probability and impact criteria and eventual scoring should reflect your
organizationʼs risk tolerance including leadership preferences.

Determine Final Output Format of the Risk Assessment

The final format of the risk assessment may be produced in Microsoft Word,
Excel, Access Database or an application within a Project Management
Information System (PMIS). The lowest common denominator will likely
dictate the format of the risk assessment in organizations that lack a PMIS.
If a PMIS does exist, it should be made available – either as a downloadable
template or a customized application. Excel worksheets prove to be the
easiest to work with for most organizations because of their ability to use
formulas in order to develop scores. Also, there are several “dashboard”
tools that take advantage of Excel data or databases and convert them into
professional-looking dashboards and project displays.

Create a Plan to Maximize the Risk Assessmentʼs Applicability to Every Project

Once the risk assessment has been completed, it is important that it be
adopted by all project management personnel within the organization. It has
been my experience that many such initiatives have failed because they
lack an implementation plan. Create an appropriate implementation plan
that takes into account the following success factors:

- Presentation, review and approval by executive management
- Centralized storage and placement for easy access via a PMIS
  repository
- Communication regarding the upcoming availability of the new risk
  assessment
- Presentation, review and buy-in by all project personnel through
  targeted training events
- Ultimate ownership and continued quality updates via User Groups
  sponsored by the Project Management Office (PMO) or Quality Group

Create a Final Risk Assessment That Is Flexible and Scalable

Not all projects are created equal. Since a key aspect of every project is its
uniqueness, the risk assessment should be made to accommodate
differences amongst projects. Some organizations have risk assessments
that are tailored to the types of projects being managed including
Information Technology, Marketing, Legal, and so forth.

Also, not every pre-identified risk event applies to every project within these
types of assessments. Risk assessment template users should be allowed
to bypass specific risk events that do not apply to their project.

Finally, there should be a free-form section at the bottom of the risk
assessment to capture additional risks that are unique to each project.
Project teams should be encouraged to use this section and apply the same
qualification and quantification measures to assure that risks are properly
identified and rated.

Determine Process to Update the Risk Assessment

As part of the implementation strategy, it is highly recommended that
regularly scheduled User Group meetings be set up to review and update
the risk assessment tool. This process will ensure continued use of this tool
and will help improve the overall quality of each project.

Quickly Assess Risk on New Projects

Conduct Risk Identification and Rating Using the Risk Assessment

If a risk cannot be identified, then it cannot be evaluated and managed. The
risk assessment should help project staff quickly manage the most common
project risks because they are already identified in the template. Project
personnel should also be able to quickly qualify and quantify the risks
because these details are included in the risk assessment template. Using
the risk assessment template, enter the rating for the probability of the risk
occurring and record the rating of the impact of the risk should it occur.
Then calculate the PI index.

It is important to note that there is a tendency in every project manager and
team member to let the assessment tool do the work and avoid extending
risk analysis beyond the borders of the template. There are three important
factors required to diagnose the real risks faced on projects using any risk
assessment template:

- Bypass those pre-identified risk events that do not apply to your
  project
- Flush out additional risks through extensive “what if” analysis and
  document those risk events that have not yet been identified
- Adjust probability and impact criteria where necessary to pre-existing
  and new risk events

Once the risk assessment has been completed by the project team it should
be reviewed regularly. For projects that face critical, time-constrained
deliverables and where quality is critical, weekly risk assessment reviews
may be considered standard operating procedure. On the other hand, other
“less-critical” projects may require only monthly or quarterly risk
assessment reviews.

The results of the risk assessment should be directly tied to the risk
management plan. Within this plan, each qualified risk will require that an
appropriate risk response be developed and assigned to appropriate team
members who are responsible for identifying these risk events should they
occur.

Communicating Risk

5 Steps to Better Manage Risks

So, how do we manage risk once your risk assessment matrix is complete?
As stated earlier, the process of simply identifying, qualifying and
quantifying risks is the starting point, not the end. The degree to which risks
influence our project will determine our strategies for responding to risk
events when they occur. A solid risk management plan should be developed
that proactively addresses how we will avoid, mitigate, or transfer risk. Here
are some best business practices when developing and executing against
your risk management plan:

- Involve senior management – required senior management involvement
  should not be overlooked. Involve them in the process of risk planning
  and the selection of risk response strategies. Again, their risk tolerance
  may be different from what you assume. It is best to incorporate their
  risk tolerance into the plan.
- Consider the overall costs associated with each risk event response
  strategy where possible. Using a risk leverage calculation will help.
  Shari Lawrence Pfleeger states that risk leverage is “the difference in
  risk exposure divided by the cost of reducing the risk. In other words,
  risk reduction leverage is (risk exposure before reduction - risk exposure
  after reduction) / (cost of reduction).” (Pfleeger, 2007) Knowing if a
  particular risk response is financially practical should be considered
  when choosing an appropriate risk response strategy.
- Assign specific risk events and corresponding risk responses to
  specific owners. These risk owners will serve as scouts or “lookouts”
  that are responsible for identifying these risk events before they are
  about to occur or as soon as they occur. Train them or gain agreement
  on early warning signs for particular risk events.
- Update your risk assessment regularly. Donʼt wait until it is too late.
  Risk management is not like a Ronco™ Rotisserie where you can “set it
  and forget it.” You must be willing to reassess possible risk events. Add
  regularly scheduled risk reviews to your project schedule and maintain
  a disciplined approach to revising risk probability and impact ratings.
  As projects move through time, risk ratings may increase or decrease
  for particular risk events. Some risks will drop off your risk assessment
  entirely, while new risk events will need to be added to your risk
  register.
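
An added example, not part of the original paper: the Low/Medium/High PI scoring described under quantification and the risk leverage calculation quoted above, combined into a small Python risk register. The risk names, dollar figures, the impact-first tie-break, and the definition of exposure as probability times monetary loss are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SCORES = {"low": 1, "medium": 2, "high": 3}  # scoring given in the paper

@dataclass
class Risk:
    name: str
    probability: Optional[str]  # None = bypassed (does not apply to this project)
    impact: Optional[str]

def pi_score(risk):
    """Probability score x impact score, or None for a bypassed risk event."""
    if risk.probability is None or risk.impact is None:
        return None
    return SCORES[risk.probability] * SCORES[risk.impact]

def ranked(register):
    """Applicable risks, highest PI first; equal PI ordered by impact (assumed tie-break)."""
    live = [r for r in register if pi_score(r) is not None]
    return sorted(live, key=lambda r: (pi_score(r), SCORES[r.impact]), reverse=True)

def exposure(probability, loss):
    """Risk exposure as probability (0..1) x monetary loss (assumed definition)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * loss

def risk_leverage(exposure_before, exposure_after, cost):
    """(exposure before reduction - exposure after reduction) / cost of reduction."""
    if cost <= 0:
        raise ValueError("cost of reduction must be positive")
    return (exposure_before - exposure_after) / cost

def best_response(p_before, loss, options):
    """Return (name, leverage) of the highest-leverage response option.
    options: list of (name, probability_after, loss_after, cost)."""
    before = exposure(p_before, loss)
    scored = [(name, risk_leverage(before, exposure(p, l), cost))
              for name, p, l, cost in options]
    return max(scored, key=lambda item: item[1])

# Constructed sample register (not from the paper).
REGISTER = [
    Risk("Key team member leaves", "medium", "high"),
    Risk("Vendor delivers late", "high", "low"),
    Risk("Data center outage", "low", "high"),
    Risk("Regulatory change", None, None),  # bypassed for this project
]

# Constructed response options for "Key team member leaves".
OPTIONS = [
    ("Cross-train a backup", 0.30, 20_000, 8_000),
    ("Retention bonus", 0.10, 80_000, 30_000),
]

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{pi_score(r)}  P={r.probability:<6} I={r.impact:<6} {r.name}")
    print(best_response(0.30, 80_000, OPTIONS))
```

Two risks in the sample share a PI of 3 for opposite reasons (likely but minor, unlikely but severe), which is why the ranking looks at impact as well as the single score. A leverage below 1 means the response costs more than the exposure it removes.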

4 Steps on How to Communicate Risk

- Make sure risks (no matter how large or small) are identified and
  documented in your weekly project status reports. It is better to
  provide appropriate advanced notice early on rather than waiting for a
  risk event to occur.
- Update your risk management plan and specific risk responses in
  conjunction with your risk assessment. Be prepared to deal with new
  risks in a proactive manner.
- Develop project dashboards that are web enabled and available to all
  project stakeholders. I have had a lot of success in developing
  dashboards that are used primarily by executive management and
  project management personnel. Providing up-to-date risk assessment
  information via such mechanisms quickly provides a snapshot of the
  health of a project with regard to risks. Though there are many PMIS
  applications that provide this function, I have found it very beneficial to
  create interactive dashboards from data contained in my standard risk
  assessment template and publish these dashboards to the web. The
  following dashboard component example (Exhibit 4) is a simple
  mechanism that can be accessed by all project stakeholders.
  (Interactive version of this file can be found at:
  http://pmi07.pcg-global.com )

Exhibit 4: Risk Dashboard Component

- Develop an escalation process to deal with high-priority risk events.
  When a high-priority risk occurs it is best to know who to contact right
  away and who else will be informed once a risk event occurs. Using the
  regular chain of command may prove ineffective where speed and/or
  executive approval is required.

Responding to Risk

A new risk management response approach used by project managers is
the creation of a pre-identified risk response SWAT team that will quickly
respond to risks once they occur. This team may be composed of project
team members and executive managers that have agreed to participate in
advance. Their responsibilities will include:

- Assess the severity of a risk once it occurs
- Determine if the previously defined risk response is appropriate to the
  risk event
- Update the risk response strategy if necessary
- Assist in implementing the appropriate response
- Document the results of the applied risk response strategy and
  communicate lessons learned

Again, this approach can be tailored appropriately to any project. The SWAT
team may consist of a few people including the project manager, an analyst
and an executive manager to provide approval, or it may include a large
team which includes very specific technical and business specialists who
are skilled at dealing with and responding to risks.

Conclusion

In the end, using a disciplined approach to risk management similar to the
discipline used to manage scope, cost and time will be made easier by using
a standard risk assessment tool that is tailored to your organization as well
as to your project. The best project organizations are those who realize that
a risk assessment template is a valuable asset in managing the
organizationʼs bottom line. Sure, it may seem that it requires a bit of time to
organize and develop, but in reality it will save time and money in the long
run.
