We have a situation in our PMO which truly requires expert judgement/SME advice. I have summarized our problem @ PMO, concerning the calculation of overall project risk for our engineering projects. I have posted the question here on the Risk forum, yet received very generic, vague, and non-specific advice.
Our PMO has 100+ engineering projects at different stages of project life cycle (initiation -- execution). Every project has a traditional Risk Register (RR) w/ approx. 20+ risks. Each inherent risk is assessed (w/ Impact:1-5, and P:1-5, where both P&I values are based on unified Risk Assessment Matrix) to obtain Risk Score=P*I (1-25). Data is tabulated and RR is updated during different stage gates, risk response/mitigation measures planned, and residual risk assessment is conducted, some risks are closed, and RR is continuously updated, etc.
However, with all this info. for 120 engineering projects, we are still unable to identify the project(s) with the highest overall risk, or even to prioritize/sort the most "risky" projects.
Despite the PMT & PMO teams' recommendation, I am sure that the # of identified risks is not a valid parameter eh !? I have learned from you the 6 types of uncertainty, and the significance of 1 single risk (black swan); I know better than that, not all risks are equal and there is no way I will pretend that Project A (50 risks) indicates more overall risk than project B w/ 10 risks.
As such, your expertise and guidance would be appreciated bigtime ! To ensure we are all on the same wavelength, pls. refer to specific questions below for your advice & recommendations.
Q1) How do we calculate the overall Project's risk using P&I (if values range from 1-5). Do we just use Risk Score=P*I, then take avg. for project ?
Q2) How do we assign a financial/$ value to overall risk rating ?
Q3) Main objective is to identify projects with the highest risk ? With 123 projects, how do we technically identify/justify these are the highest risk projects using data from Risk Register ?
Q4) How can we compare projects based on their overall risk rating ? ie. Project A has 10x overall risk of project B ?
Q5) How can we sort/prioritize and claim this/these are the most "risky" project(s) ?
Q6) How does the Cost of the project affect the Risk rating ? $10M project vs. 0.5M
As an engineer, PMP, and RMP, I don't even know where OR how to start...
Am confident of the depth of your knowledge in this domain, and am sure you have done this before; probably lectured on the concepts, correlations, and latest trends....
As such, I ask you to please guide me to the proper methodology, or even a tool / formula, to utilize our P & I numbers and indicate overall project risk; such that we may sort these 120 projects in terms of overall risk, obtain total risk exposure for PMO, and get on with our life ;)
Appreciate your input, and instructions.
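An added example, not part of the original post, of the concern raised in the question: with risk registers scored as P*I, ranking projects by risk count, mean score, summed score or worst single score produces four different orders. The project names, register contents and choice of summary statistics are constructed assumptions for illustration, not a recommended method.

```python
from statistics import mean

# Constructed registers: each risk is (probability, impact), both on the
# 1-5 scale described in the question. These are not real project data.
REGISTERS = {
    "A": [(2, 2)] * 50,            # 50 minor risks, score 4 each
    "B": [(5, 5)] + [(1, 2)] * 9,  # 10 risks, one of them scoring 25
    "C": [(3, 4)] * 8,             # 8 moderate risks, score 12 each
}

def scores(register):
    """Risk Score = P * I for every entry in one register (range 1-25)."""
    return [p * i for p, i in register]

def summarize(register):
    """Candidate 'overall risk' figures for one project (all assumptions)."""
    s = scores(register)
    return {
        "count": len(s),            # number of identified risks
        "mean": round(mean(s), 2),  # average P*I, as asked in Q1
        "sum": sum(s),              # total of all scores
        "max": max(s),              # worst single risk
    }

def rank(registers, key):
    """Project names ordered from highest to lowest on one summary figure."""
    table = {name: summarize(reg) for name, reg in registers.items()}
    return sorted(table, key=lambda name: table[name][key], reverse=True)

def rankings(registers):
    """Ranking of the same projects under each summary figure."""
    return {key: rank(registers, key) for key in ("count", "mean", "sum", "max")}

if __name__ == "__main__":
    for name, reg in REGISTERS.items():
        print(name, summarize(reg))
    for key, order in rankings(REGISTERS).items():
        print(f"ranked by {key:5}: {' > '.join(order)}")
```

Each project comes out "riskiest" under at least one figure, so the ordering reflects the aggregation chosen as much as the registers themselves.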
It is a difficult question, as you're essentially asking to address a general case solution suitable for a research paper in model based systems engineering, rather than a specific problem.
If all you care about is cost, what it sounds like you want is a project lifecycle cost model, which you would use to perform statistical error analysis based on your identified risks. If you care about KPIs not involving cost, it gets more complicated to develop models with weighted KPIs. The project domain and scope could be anything, so any discussion of that modeling would necessarily be very broad.
Those types of problems can turn into the "numerical soup" I mentioned in your other post. What the output actually means can be questionable and people tend to put a lot of faith in the numbers because the output makes them appear very precise.
There are ways to simplify the problem and give you more useful information from a PM perspective than trying to develop complicated models of debatable validity. For example, with 100+ projects (something I'm very familiar with), you might use direct labor hours for a proxy metric of technical difficulty and bucket them into high/medium/low categories. A PMO would focus on the high risk ones if you want to split hairs about which are the highest.
Even then, trying to quantify risks based on KPIs can be inherently flawed in some technical domains. I could have a small SOW that requires a high risk test late in development. The impact is entirely dependent on what goes wrong, which you don't know until it happens. Expert judgment in those cases can be more valuable from a practical standpoint, than all the fancy math.
We recently introduced two "new" variables into our risk "equation". They are "urgency" and "controllability" as we have the same issue. It's too early to see if this will help as I have my doubts, but risks will now be scored up to 625 points ( 5 x 5 x 5 x 5). Urgency really just looks at the next "event horizons", 6 mons, 12 mons, etc. Controllability as the name suggests is meant to help define whether or not we have any control over the identified risk. I have more info, but will need to dig a little more next week.