Qualitative Risk Management - Part 2

In this article we are going to continue our journey in the qualitative risk management knowledge area. The risk management subject is vast and complex. A full understanding requires years of study and practice. Throughout the years we, from Akaiu, have developed simplified methods for qualitative risk management that enables non-expert to manage their project risks.

This article is the third one of a series of articles we have planned. If you have not read the first ones, click on the buttons below and then come back here to continue reading this article.

So far, we have defined risk, have talked about qualitative and quantitative risk management methods. We have also discussed threats, opportunities and risk identification methods. In this article we will cover probability, impact, risk ranking and the risk matrix.

Let's start right away with probability.

What is probability under the risk management optics? It's not much different from the way we utilize on the day-to-day activities. Probability is the chance of occurrence of the risk and goes from 0% to 100%. Both extremes of the scale are not considered as a risk, they're considered as certainty. If a risk has a probability of occurrence of 0%, means that it will never occur. The other end of the scale has the same approach, if a risk has a probability of occurrence of 100%, it's not a risk, is a certainty. Both extremes of the scale should be avoided.

Now the catch is how to evaluate the probability of occurrence. There is where experience, common sense and historical data comes into play. During the evaluation of the probability, the team should use the same range of probability for consistency and convert the ranges in a scale of 1 to 5.

Now is time to talk about impact. Impact is the consequence to the project if the risk materializes, or the effect it will have on the project. There are multiple dimensions of impact, could be financial, time, quality, safety and many others. The risk manager should define for the project the adequate set of dimensions and divide them in a scale of 1 to 5 as well.

The evaluation of probability and impact seem quite simplistic and straightforward, but we have seen cases where project team members try to show-off to the colleagues how smart they are, and it ends up affecting the effectiveness of the risk register. We have come across to people overly pessimistic, classifying everything as high probability and high impact.

Finally let's finish with the risk matrix. The risk matrix helps us to complete the risk identification and ranking process. Depending on the combination of the probability and the impact. Some people prefer to use the terms "Low", "Medium" and "High" and others the colors green, yellow and red to group the risks... The end result is the same. Below you'll find the risk matrix commonly used.

It is important to highlight that this matrix is valid for threats and opportunities. The only difference in treatment is that for threats you want to minimize them and for opportunities you 'll want to maximize them.

Some organizations like to have the risk matrix mirrored for threads (on the left side) and opportunities (on the right side). We have inserted both here so you can choose which one you like the most.

We have seen organizations that totally ignore risk management and organizations that go over the top with it, having a risk register with hundreds of risks identified and a lot of administrative work to keep up. There is a optimum balance to be achieved. Not too few and not too many. Depending on the project circumstances, the risk management professional could decide to work only on the high risks and disregard the low and medium ones. Or maybe give special attention to the high ones and update the medium and low less frequently. It all depends on the project specifics and the organization maturity.

By now, you should have understood the new concepts of probability, impact, risk ranking and risk matrix. So far we covered a lot of ground. Let's stop this article here and continue on the next one with more definitions and details for qualitative risk management. Next article we plant to talk about triggers, risk response and mitigation plan.