Chapter 10. Project Risks

10.4 Risk Assessment

After the potential risks have been identified, the project team evaluates the risks based on the probability of occurrence and the impact if they occur. This is a qualitative risk analysis method. In this textbook, we will not discuss the quantitative risk analysis process. Readers can check “11.4 Perform Quantitative Risk Analysis” in PMBOK Guide Sixth Edition for an overview of quantitative risk analysis methods.

Not all risks are equal. Some risk events are more likely to happen than others, and the impact of a risk event can vary greatly. Therefore, project teams perform qualitative risk analysis in order to prioritize individual project risks by assessing their probability of occurrence and impact[1]. This assessment technique is conducted by the project team. Team members indicate their opinions regarding each risk. Therefore, this kind of process introduces bias into the assessment. However, the project manager assumes the role of a facilitator or a moderator to minimize the bias by implementing techniques such as Delphi. Besides, in order to minimize the bias and reach a consensus, the project manager should clarify how each team member and expert justifies their perceptions regarding the probability and impact.

For the qualitative risk analysis, let’s use a five-level scale: very low, low, medium, high, and very high (Table 10.3). It is always possible to use more or fewer levels. Each level may correspond to different percentage values depending on the project, project manager, and organizational policies. Table 10.3 displays two different sets of probability percentages. Organizations may have an overarching policy that sets the levels, percentages, and risk categories. In this case, the project manager must comply with this policy.

Table 10.3: Risk Probability Levels

| Level Names | Level Values (%) | Alternative Level Values (%) |
|---|---|---|
| Very low | 5% | 10% |
| Low | 10% | 30% |
| Medium | 30% | 50% |
| High | 50% | 70% |
| Very High | 70% | 90% |

The probability, alone, wouldn’t make sense if we disregard the impact of the risk. Just think that our project is in an area where a large earthquake hits every thirty years. Since the frequency doesn’t look high, we can give a very low probability level (5%). However, we should consider the impact of an earthquake if it occurs. Although the probability may be 5%, the impact of an earthquake to disrupt project activities would be high. Even in our m-commerce project, an earthquake would have a number of negative effects such as power outages, water supply problems, transportation issues, supply chain problems, and in a worse scenario, destroyed buildings and infrastructure, and fatalities. This is also the case for an epidemic or pandemic. Therefore, we can decide on a very high impact value (0.9) while the probability is 0.05.

Table 10.4 displays the impact levels and values for the impact of risks on schedule. Project managers can use criteria for different areas such as schedule, cost, safety, environment and quality to determine the level of impact. For each area, every impact level should be described to eliminate ambiguities. According to Table 10.4, if an activity takes 10 days to finish, and we find that a risk may add 1 more day, we have a delay of 10%. Therefore, the impact is low, and its value is 0.3.

Table 10.4: Description of Impact Levels Regarding Schedule

| Impact | Description | Value |
|---|---|---|
| Very low | Delay by 5% | 0.1 |
| Low | Delay by 10% | 0.3 |
| Medium | Delay by 20% | 0.5 |
| High | Delay by 40% | 0.7 |
| Very High | Delay by 50% | 0.9 |

When we use several areas besides schedule, we should formulate how to generate an overall impact level. We can use a non-weighted or a weighted model to combine all areas’ values. Table 10.5 shows the impact levels regarding cost.

Table 10.5: Description of Impact Levels Regarding Cost

| Impact | Description | Value |
|---|---|---|
| Very low | Budget overrun by 5% | 0.1 |
| Low | Budget overrun by 10% | 0.3 |
| Medium | Budget overrun by 20% | 0.5 |
| High | Budget overrun by 40% | 0.7 |
| Very High | Budget overrun by 50% | 0.9 |

Table 10.6 displays the risk severity score which is found by multiplying probability by impact percentages. In Table 10.6, there are three severity levels: (1) Green indicates low-level severity, which is between 0% and 15%, inclusive, (2) Orange indicates medium-level severity, which is between 16% and 40%, inclusive, and (3) Red indicates high-level severity, which is at 41% and above.

Table 10.6: Probability – Impact (Severity) Score

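| Impact \ Probability | Very low (0.05) | Low (0.10) | Medium (0.30) | High (0.50) | Very High (0.70) |
|---|---|---|---|---|---|
| Very Low (0.10) | 0.01 | 0.01 | 0.03 | 0.05 | 0.07 |
| Low (0.30) | 0.02 | 0.03 | 0.09 | 0.15 | 0.21 |
| Medium (0.50) | 0.03 | 0.05 | 0.15 | 0.25 | 0.35 |
| High (0.70) | 0.04 | 0.07 | 0.21 | 0.35 | 0.49 |
| Very High (0.90) | 0.05 | 0.09 | 0.27 | 0.45 | 0.63 |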
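
The scoring described above can be reproduced in a few lines. The following is an added example, not part of the original textbook: it rebuilds Table 10.6 from the level values in Tables 10.3 to 10.5, applies the green/orange/red thresholds, and shows a weighted model for combining schedule and cost impact. The function names, the sample risk and the weights are assumptions chosen for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Level values from Table 10.3 (first value column) and Tables 10.4/10.5.
PROBABILITY = {"very low": "0.05", "low": "0.10", "medium": "0.30",
               "high": "0.50", "very high": "0.70"}
IMPACT = {"very low": "0.10", "low": "0.30", "medium": "0.50",
          "high": "0.70", "very high": "0.90"}


def severity(probability, impact):
    """Probability x impact, rounded half up to two decimals as in Table 10.6."""
    score = Decimal(str(probability)) * Decimal(str(impact))
    return score.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def band(score):
    """Colour band for a two-decimal score: green <= 15%, orange 16-40%, red >= 41%."""
    percent = int(score * 100)
    if percent <= 15:
        return "green"
    return "orange" if percent <= 40 else "red"


def combined_impact(impacts, weights):
    """Weighted average of per-area impact values; equal weights give the non-weighted model."""
    total = sum(Decimal(str(w)) for w in weights.values())
    return sum(Decimal(str(impacts[a])) * Decimal(str(weights[a])) for a in impacts) / total


def matrix():
    """Rebuild Table 10.6 as {(impact level, probability level): (score, band)}."""
    return {(i, p): (severity(pv, iv), band(severity(pv, iv)))
            for i, iv in IMPACT.items() for p, pv in PROBABILITY.items()}


if __name__ == "__main__":
    for (impact, prob), (score, colour) in matrix().items():
        print(f"impact={impact:<9} probability={prob:<9} {score} {colour}")
    # Constructed risk: schedule impact low (0.3), cost impact high (0.7),
    # cost weighted twice as heavily as schedule (assumed weights).
    overall = combined_impact({"schedule": 0.3, "cost": 0.7}, {"schedule": 1, "cost": 2})
    score = severity(PROBABILITY["medium"], overall)
    print("combined risk:", score, band(score))
```

Half-up rounding is used because that is what reproduces the printed cells such as 0.05 × 0.10 = 0.01; Python's built-in `round` would not.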

Not all project managers conduct a formal risk assessment on projects. There may be barriers to identifying risks. David Parker and Alison Mobey (Parker & Mobey, 2004)[2] found in a phenomenological study of project managers that there was a low understanding of the tools and benefits of a structured analysis of project risks. The lack of formal risk management tools was seen as a barrier to implementing a risk management program. The level of investment in formal risk management was also associated with managerial psychological dimensions.

Some project managers are more proactive and will develop elaborate risk management programs for their projects. Other managers are reactive and are more confident in their ability to handle unexpected events without prior planning, while some managers are risk averse and prefer to be optimistic and not consider risks or to avoid taking risks whenever possible.

In projects with low complexity, the project manager may informally track items that may be considered risk items. On more complex projects, the project management team may develop a list of items perceived to be higher risk and track them during project reviews. On projects with greater complexity, the process for evaluating risk is more formal with a risk assessment meeting or series of meetings during the life of the project to assess risks at different phases of the project. On highly complex projects, an outside expert may be included in the risk assessment process, and the risk assessment plan may take a more prominent place in the project execution plan.

On complex projects, statistical models are sometimes used to evaluate risk because there are too many different possible combinations of risks to calculate them one at a time. This is considered quantitative risk analysis. One example of a statistical model used on projects is the Monte Carlo simulation, which simulates a possible range of outcomes by trying many different combinations of risks based on their likelihood. The output from a Monte Carlo simulation provides the project team with the probability of an event occurring within a range and for combinations of events. For example, the typical output from a Monte Carlo simulation may reflect that there is a 10 percent chance that one of the three important pieces of equipment will be late and that the weather will also be unusually bad after the equipment arrives.
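
A minimal Monte Carlo run for the equipment-and-weather scenario, as an added example that is not part of the original textbook. All probabilities and delay ranges are constructed assumptions, chosen so that the combined event comes out near the 10 percent mentioned above, and the function names are hypothetical.

```python
import random

# Constructed inputs (assumptions, not from the text): chance that each of three
# equipment deliveries is late, and chance of unusually bad weather afterwards.
LATE_PROBABILITY = [0.10, 0.15, 0.20]
BAD_WEATHER_PROBABILITY = 0.25
# Assumed delay ranges in days as (minimum, most likely, maximum).
LATE_DELAY_DAYS = (2, 5, 15)
WEATHER_DELAY_DAYS = (1, 3, 10)


def simulate(trials=100_000, seed=1):
    """Return (share of trials with late equipment AND bad weather, sorted delays)."""
    rng = random.Random(seed)
    both = 0
    delays = []
    for _ in range(trials):
        late = [rng.random() < p for p in LATE_PROBABILITY]
        weather = rng.random() < BAD_WEATHER_PROBABILITY
        delay = 0.0
        if any(late):
            # Deliveries run in parallel, so one late-delivery delay applies.
            low, mode, high = LATE_DELAY_DAYS
            delay += rng.triangular(low, high, mode)
        if weather:
            low, mode, high = WEATHER_DELAY_DAYS
            delay += rng.triangular(low, high, mode)
        both += any(late) and weather
        delays.append(delay)
    delays.sort()
    return both / trials, delays


def percentile(sorted_values, q):
    """Value below which a fraction q of the simulated outcomes fall."""
    index = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[index]


if __name__ == "__main__":
    share, delays = simulate()
    print(f"late equipment and bad weather: {share:.1%}")
    print(f"90th percentile delay: {percentile(delays, 0.90):.1f} days")
```

Besides the probability of the combined event, the sorted delays give the range-style output the paragraph describes, such as the delay that 90 percent of simulated outcomes stay under.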


  1. Project Management Institute. (2017). A guide to the Project Management Body of Knowledge (PMBOK guide) (6th ed.). Project Management Institute.
  2. Parker, D., & Mobey, A. (2004). Action Research to Explore Perceptions of Risk in Project Management. International Journal of Productivity and Performance Management, 53(1), 18–32.

License


Project Management by Abdullah Oguz is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.
