September 28 & 29, 2020 | Virtual
Please login or join to subscribe to this thread
Reduction in overall risk profile or level is certainly one driver for prioritizing risks but if we remember that risks can be negative or positive, then it should not just be about staying safe - we should also consider what we can do to maximize the benefit of opportunity realization.
With negative risks (threats) a simple prioritization approach is to look at just the combination or probability and impact. If you use FMEA, you could add the likelihood of detection as another factor when prioritizing.
If you were to use a traditional 5x5 risk matrix with probability on one axis, and consequence on the other, prioritization based on reducing risk would be to focus on risks closest to the upper right hand corner of the matrix.
I don't disagree that the focus tends to be on the risk events that result in the greatest exposure to the project. Exposure being defined as the product of probability and impact. However, I think there is a danger in prioritizing individual risk events - focusing on the highest exposures only. The priority has to be on mitigating risks events so that all individual exposures become tolerable as does the cumulative exposure.
As an example, every project has numerous risk events, some with the potential to be terminal which would be defined as "High". Others are not be terminal by themselves and may be defined individually as Medium or Low but the cumulative effect may be High or terminal.
The key to risk management is not only identification, analysis, development of mitigating measures AND implementing those measures. Additionally the risk management plan has to consider the cumulative effect of risk events and implement a process to enforce, monitor and document the mitigative measures.
Prioritize risk management and its elements rather than specific risk events.
Please login or join to reply