Risk Analysis

last edited by: Thiago Iglesias on Mar 27, 2015 5:19 PM login/register to edit this page

1 Applications
2 Procedures
3 Instructions
4 Example

A technique to identify and assess all major factors that may jeopardize the success of a project or achieving a goal.

This technique also helps define preventive measures to reduce the probability of these factors from occurring and identify reactive measures to successfully deal with these constraints, when they start to develop.


  • To identify potential inhibitors to the successful completion of a project.
  • To determine strategies to overcome the inhibitors or constraints.


  1. Brainstorm all possible risks of implementation.
  2. Rank alternative implementation strategies by their risk potential.
  3. Develop measures to prevent or mitigate risk.
  4. Develop a risk register.
  5. Manage current risks.
  6. Capture new risks.


Identifying Possible Risks

Brainstorm possible project risks using an appropriate set of techniques (e.g., Brainstorming, Force Field Analysis, etc.).

Risks can often be assessed in terms of the following factors:

  • Cost of failure
  • Lost business opportunities
  • Catastrophic loss
  • Business as usual (failure of the project to create real value)
  • Others as required
Also consider time delay when assessing risk factors. Certain changes, particularly those touching social systems, are often more pervasive and threatening than those involving technology, but may take longer to manifest.

Project HEADWAY separates risk into the following 6 types. Considering potential risks using this framework can help surface many more possible stumbling blocks.

Delivery Risk, the risk of the project being able to be completed successfully, and the budget, schedule and resource constraints which may prevent project success. What risks exist within the project that could delay or compromise delivery?

Project Definition Risk, the risk that the project is not fully and completely defined, understood and estimated prior to initiation. Are there uncertainties regarding the objectives or requirements of the project, or for whom the project is being done?

Business Impact Risk, the magnitude of change the project represents for the customer organization and the likelihood of adoption. What barriers exist to the customer organization in using the results of the project once it is finished/

Business Support Risk, the degree of support for the project within the customer organization. Are there champions of the project? Where is resistance to the project likely to come from, and why is the project likely to be opposed?

Technology Impact Risk, the risk to the project based upon the newness and degree of familiarity with the technology employed on the project. What software, hardware or toolset risks are in place? Has the technology already been implemented within the organization, or in other similar organizations? Is the organization familiar with the technology?

Project Management Risk, the risks presented as a result of the project management processes being employed on the project. What are the project management risks? What activities or deliverables may encounter difficulties in managing the project?

Creating Risk Strategies

Brainstorm measures to prevent or lessen the impact of the risk factors (see Brainstorming).

Once they have been identified, there are four types of risk strategies that can be adopted in responding to identified risks:

Avoidance The first and most direct means of dealing with risk factors is through avoidance. This is often the result of re-planning the project or an aspect of it in order to prevent the risk from being an issue on the project.

Transference Transference of risk involves shifting of the consequence and impact of the risk to a third party. This can include the use of insurance, as well as performance bonds, warranties, guarantees, or fixed price contracts.

Mitigation This approach involves taking active steps to reduce the probability or impact of the risk should it in fact occur. This may include preventative measures or introducing redundancy into the project effort.

Acceptance Acceptance of the risk involves recognition that the risk is a factor, and that the project team is not actively changing its approach to the project to respond to it. Acceptance is not the same as ignoring the risk, however; contingency plans should be put in place to be able to respond to the risk should it in fact occur.

Given the magnitude and nature of the risk, the project team will need to choose the strategy that is most appropriate. Risks that are significant in probability and impact will want to be avoided. Risks that are of low probability and impact are more likely to be accepted. Where there is higher probability of a risk, we may choose to mitigate the risk – thereby reducing the probability. Where the impact is higher, we are more likely to transfer the consequences of the risk to someone else.

Comparing and Ranking Risk Strategies

Use a simple matrix diagram to compare alternatives, based on the relative probability of the threats occurring. The risk factors corresponding to each alternative strategy are weighted high (H), medium (M), or low (L), according to the likelihood of the risk factor occurring. Each alternative is scored by summing the weights in its column, where L=3, M=2, and H=1. The alternative with the highest score, is therefore, the least risky. Forced Ranking, Forced Choice Paired Comparison or Decision Tree techniques may also be applied to select the best strategy.

Simulation and Decision Tree Analysis are two additional techniques that may be used to analyze risk. For example, a Monte Carlo risk analysis may provide a hypothetical revenue stream for a new sales process, based on the level of risk the decision maker is willing to assume. A decision tree may be useful in demonstrating how hypothetical probabilities of each risk factor occurring play out among different alternatives. For this approach to be successful, there must be a consensus on the probabilities for each risk factor of each alternative. Repeat the matrix process above, using the revised weights. Document the policies, procedures, etc., that are necessary to mitigate risk, and include in the implementation strategy. The implementation strategy should seek to address all aspects of managing change, including all managerial, operational, social systems, and technology (MOST) viewpoints.


risk analysis matrix

last edited by: Thiago Iglesias on Mar 27, 2015 5:19 PM login/register to edit this page

Comments (1)

Login/join to subscribe

"If God had meant for us to be naked, we'd have been born that way."

- Mark Twain

Test your PM knowledge