I'm not familiar with the risk calculation template on this site. I use a Likert scale (1-5) for probability and impact; the product of these two numbers represents risk exposure. I use the risk exposure to prioritize the risk, in determining the appropriate risk response. In some cases, I will also factor in time frame to impact. A risk with medium exposure that needs to be mitigated, that will have an impact within a matter of weeks, might need to be addressed sooner than a risk with similar, or greater, exposure that won't be realized for months.
You are searching for the holy grail. Why? Because both components in the formula will depend on each organization and for projects you take a subset of all related to risk the organization has defined.
It depends on the need. For general usage, we will typically use a scale of 1 to 3 or 5 for probability, and often the answer is subjective. I like to use a scale of 1 to 5 and find that the discussion of where we should place the risk is more important than the ultimate value. We could argue about whether something is a 3 or a 4, but usually have assessments that are close unless someone brings in all new information. That is why I like a scale to 5 instead of 3.
For critical items like safety, there will be in-depth statistical analysis. Showing a probability of less than 1E-9 requires much more than a conversation between experts.
Keith made a good point. It depends on your need.
From your question I'm not sure whether you are looking for a risk register template used to summarize and document risk events, analysis and response, or a risk matrix template to analyze risk events to determine probability, impact and response. Based on your second sentence, I am assuming you are referring to a risk matrix.
If you search the web for Risk Matrix Template you will get all sorts of examples, including material from PMI. Some simplistic 3x3 as well as suggested numeric values to facilitate analysis and prioritizing. However, as Keith writes, it depends on the project needs and risk tolerance. If you don't want to reinvent the wheel, start with a format that makes sense to you and modify it to fit.
The intent of a risk matrix is not so much to determine a risk score, as a score is somewhat meaningless without context. Simplistically, if a project can accept or absorb a moderate level of risk, then the intent is to classify risks: essentially, ignore low-risk events and mitigate high-risk events to bring them down to moderate or less. Now, it can get much more complicated, as numerous low-level risks can accumulate to significant project impacts. Also, the cost of mitigation could be greater than the impact of the risk event should it occur.
Bottom line: selecting the risk matrix is only the start.
One of the first things we do in qualitative analysis is to determine the risk impact and the risk probability in order to establish a risk score.
Risk probability evaluation considers the likelihood that an individual risk will occur. Risk impact evaluation considers the potential effect the risk would have on any of the project objectives.
The risk score is determined by multiplying the impact value by the probability value of the risk.
The benefit of a risk score is that it allows you to compare two risks with very different characteristics. It allows you to compare a risk that has a high impact but low probability with a risk that has a low impact but high probability. A risk score provides you with a method of evaluating risks with very dissimilar characteristics against each other. A risk score enables you to compare apples to oranges.
Once you have established a score for each individual risk, you can rank the scores and determine their priorities. The aim of ranking risks is to inform decisions on what the risk response plan should be, which risks should be addressed first, and how much effort should be applied to each risk.
The key benefit of qualitative risk analysis is that it allows your project to focus on the high priority risks.
Projects should pay more attention to, and dedicate more focus on, risks with a high risk score. You should examine high score risks in more detail. More time and effort will be put into determining their risk response plans for high score risks.
We also enact risk response plans earlier for risks with a higher risk score. Risks with a higher risk score are usually treated with more urgency than risks with a low risk score, and the risk response plans reflect that urgency.
For example, you may decide that a risk with a score of 16 or above must have a risk response plan enacted within a week. And, you may decide a risk with a score of 8 or above must have a risk response plan established within a month.
At the initial qualitative risk analysis stage, we are only looking at the inherent risk. But we should be clear at the outset on the different types of risk scores. To take a simplistic approach, for most projects, there are three important risk scores to consider. The first is the inherent risk score, the second is the residual risk score, and the third is the secondary risk score.
Inherent risk is the risk that exists before any controls or other mitigating factors are implemented (the gross risk or risk before risk response plans are implemented). This is the risk score calculated from the probability and impact before you’ve done anything to affect them.
Residual risk is the risk that remains after you’ve implemented a risk response plan. It’s the risk remaining after you’ve taken action to remove the source of the risk, change the consequences, alter the probabilities, transfer the risk, or accept the risk. For example, if your risk response plan for a risk was to mitigate the risk, your residual risk will be the risk that is left over after you have reduced the probability and/or reduced the impact.
Secondary risk is a risk that arises as a result of the risk response plan that you enact for the inherent risk. It is the new risk that has been introduced by enacting your risk response plan. For example, if your risk response plan for a risk is transfer by engaging a third-party vendor to do a portion of work, you are introducing a secondary risk that the third-party vendor may fail to meet their contractual obligations.
The inherent risk score is the risk score at the time of the workshop, before any control is applied or anything in the risk response plan is implemented to address the risk.
Note: If the risk response plan for the risk is accept then the inherent risk score will be the same as the residual risk score.
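Added example, not part of any post in this thread: a small Python sketch of the scoring described in the last post, covering score = probability × impact on a 1-5 scale, the 16 and 8 deadlines that post gives as an example, and a residual score equal to the inherent score when the response is accept. The risk names, response labels and field names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
SCALE = range(1, 6)  # 1-5 scale for probability and impact, as used in the thread

@dataclass
class Risk:
    name: str
    probability: int
    impact: int
    response: str = "accept"                    # illustrative labels: accept / mitigate / transfer
    residual_probability: Optional[int] = None  # expected value once the response plan is in place
    residual_impact: Optional[int] = None

def score(probability: int, impact: int) -> int:
    if probability not in SCALE or impact not in SCALE:
        raise ValueError("probability and impact must be on the 1-5 scale")
    return probability * impact

def inherent_score(risk: Risk) -> int:
    return score(risk.probability, risk.impact)

def residual_score(risk: Risk) -> int:
    # An accepted risk changes neither probability nor impact, so residual == inherent.
    if risk.response == "accept":
        return inherent_score(risk)
    p = risk.probability if risk.residual_probability is None else risk.residual_probability
    i = risk.impact if risk.residual_impact is None else risk.residual_impact
    return score(p, i)

def response_deadline(risk_score: int) -> Optional[str]:
    # Example thresholds from the post; scores below 8 have no stated deadline.
    if risk_score >= 16:
        return "within a week"
    if risk_score >= 8:
        return "within a month"
    return None

def prioritize(risks):  # highest inherent score first; ties keep register order
    ranked = sorted(risks, key=inherent_score, reverse=True)
    return [(r.name, inherent_score(r), residual_score(r)) for r in ranked]

# Constructed sample register (not data from the thread).
REGISTER = [
    Risk("Minor UI rework", 5, 1),  # low impact, high probability
    Risk("Key engineer leaves", 2, 5),
    Risk("Vendor misses delivery", 4, 4, "mitigate", residual_probability=2),
    Risk("Data centre flood", 1, 5, "transfer", residual_impact=2),  # high impact, low probability
]

for name, inherent, residual in prioritize(REGISTER):
    print(name, inherent, residual, response_deadline(inherent))
```

The flood and UI rework entries both score 5, which is the "apples to oranges" comparison the post describes: very different risks that land at the same priority.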