Risk Qualification (Prioritization)

Posted on: December 20th, 2012 by admin

Now that you’ve identified all the risks on the project, you have to figure out which ones have priority over others, either by imminence or, most likely, by greatest probability and impact. They can’t all be priority number one no matter how much easier that may seem for us. PMI calls this process Qualitative Risk Analysis. They say that, “it is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.”1  Let’s just call it risk prioritization and be done with it.

Recall in my post on Risk Management Planning I mentioned something called the Probability/Impact Matrix. This is a very low-tech yet very important tool as a waystation towards prioritizing your risks. In Risk Management Planning, we defined probability and impact on a five-level scale. (See post of September 21st).  Here, P is probability, I is impact. Let’s say we’ve previously identified some risks, say on an IT project. What the team has to do is draw the P/I matrix on a whiteboard or flipchart. Then using their best judgment, put the Post-it notes they’ve created up on the matrix. So for example, it was determined that Dock strike had an impact of 1 and a probability of 3. Likewise, labor shortage had an impact of 3 and a probability of 4. So its number is 12. Remember. These numbers translate into specific meanings based on your risk management planning. Drawing below is best I can do here.  So imagine the below graphic in an X/Y matrix, X being impact and Y probability.




Upgrade fails (20)
Labor shortage (12)
Dock strike (3)

Now you should be aware that these determinations are subjective. And so, could “Dock strike” be higher? Or “Upgrade fails” be lower? Absolutely. And so that’s why we do this with Post-it Notes. So we can move them around. But I would maintain that the project manager should “win” these discussions as he or she has to live with the results.

One thing I didn’t mention in the risk management discussion is the idea of having thresholds set in your risk management plan. So maybe any risk of 20 or above is a high risk, 11 – 19 medium, below that, low.  And you might decide, for example, that all high risks will have mitigations, medium have contingency plans, low go on a watch list. That’s not necessarily the rule but it’s one way you could look at it.

Once you’ve prioritized all the risks, the next thing to do is populate your risk register. So the risk register is typically a spreadsheet listing the following:

Name of risk
Response to risk
Risk owner

It’s also possible to add such items as the cause of the risk and triggers, which are indicators that the risk might happen.  As to the risk owner, you as project manager can’t be directly in charge of everything. So in a sense you are delegating tracking of the risk to a team member. He or she will report on it every week at your meeting. And that Response to Risk? Well, that’s what we’ll cover in a subsequent post. But just as a heads up, that means, What will I do should the risk occur?

1. PMBOK page 289. (electronic edition)

Comments are closed.