Project Management
PMI Sites
Project Management
• Webinars
• Templates
• Community
• Topics
• Knowledge & Tools
• Events
• Other PMI Sites
• PMI Sites

Project Management Central

 Quantifying Risk & Probability? Hi everyone, I'm currently reading the chapter on risk management and am having trouble understanding how you quantify risk and probability is there a specific formula? Thank you for your help Posted: Mar 18, 2021 2:43 PM
Not at all, generally speaking. I have worked in multiple domains then what I found is in those where "risk" is their business (bank, health, insurance, finance, etc) they have very clear data and formulas needed to calculate risk at corporate level and to instantiate them to project level. But in others I do not see that. In the second case what worked for me is a method I learnt inside the CMU SEI. You can search for related papers inside the CMU SEI website. While was created for software things inside the book "Managing Risk" (author Elaine M Hall) about what you are asking for have been used for non-software in case you are not on organizations where "risk is the business".
It depends on the risk and there is no standard formula. The impact may be known or calculated in terms of dollars or time, although those are often estimates and it makes no sense to try and be too precise when estimating a potential variance. Rough order of magnitude is usually sufficient. Other times you may know that if you miss a deadline, you will be charged a per-day fee or perhaps if you miss a schedule opportunity like a board meeting review, the next opportunity won't be for a month.

Probability is usually a rough estimate also, if quantified in terms of percentage. Sometimes statistical analysis is used, but that is an exception that may be reserved for severe risks like a catastrophic failure or safety concerns. Often we don't even try to quantify the probability and simply rank it as High, Medium, or Low.
There isn't a specific formula to evaluate risks.

*Qualitative analysis uses a previously defined scale to ponderate impact, assigning values and a detailed description of the risk level (According to its affectation to Cost, Time, Scope, Quality, Client Satisfaction or the Project in General) to each defined risk gradient (Very Low - Low - Moderate - High - Very High). Probability is also determined with a pre-defined scale, with values assigned to each probability description (Very Low - Low - Moderate - High - Very High). The multiplication of Impact x Probability will give the risk level value.
Predefined risk level value ranges consideration will allow the classification of the risk in Critical Risk - High Risk - Moderate Risk - Low Risk.

*Quantitative analysis, for another part, is performed with various techniques: Three-Point Estimate, Decision Three Analysis, Expected Monetary Value (EMV), Monte Carlo Analysis, Sensitivity Analysis, Fault Tree Analysis, and gives a fixed numeric estimate of the effect of risk
Yassin -

In general, the closer your project's context is and the context of the specific risks to available historical data and expert judgment, the better the ability to quantify the risk from a probability or impact perspective. In the absence of reliable historical data and expert judgment, it's a guess with as much value as the outcomes of qualitative risk analysis.

Kiron
Risk management is a risky business. :-)

In the absence of historical statistics as to risk event identification, probability and impact, you are left with subjective guesswork and hopefully some common sense. In fact it can be so subjective that management may choose to do away with any risk management. However, that approach tends to be of higher risk than a poor risk analysis..

When developing a risk management plan you have to recognize that you will be wrong - risk events you identified won't materialize (hopefully), risk you didn't identify will, the impacts will be more (or less) than what you expected and mitigation measures may or may not have the impact you expected. When you start quantifying, that is apply values (time and/or money), the risk of error becomes greater.

Considering the above you realize that accuracy is beyond possibility. As Keith wrote, it makes no sense to try and be precise.

Although quantifying risk may be appropriate in some circumstances I find that qualitative analysis has greater value. It allows you to identify risk events, recognize possible impacts, and prioritize mitigation measures based on what could happen.

That being said, some quantitative analysis may be necessary to ensure that mitigation measures are not more costly then the initial risk impact. - Don't spend \$10,000 to mitigate a risk event with a \$5,000 impact, especially considering it may not materialize.

Hypothetical formula:
Educated guess (substitute 'estimate' for 'guess' if you must) of risk event x educated guess of impact = educated guess of exposure. Educated guess of exposure x guess of cost = risk allowance before mitigation. Risk allowance before mitigation - cost of mitigation = risk allowance after mitigation.

Now if you're really keen, you apply a probability calculation (Monte Carlo) knowing that not all risks will materialize to the full extent of the exposure..

Final step, apply an error contingency to all the guesses and add it to the above calculation and you have a Final Risk Allowance (cost and/or time).

Maybe "rough-order-of-magnitude" provides more realistic risk allowance.
"Don't spend \$10,000 to mitigate a risk event with a \$5,000 impact, especially considering it may not materialize. "

Far too many times in my career, I have had to remind teams that the cost of our own time discussing this risk, has already exceeded the cost if it does materialize.
...
Mar 19, 2021 10:06 AM
Peter Rapin
...
Return On Investment (ROI) is key to effective risk management. Too often that is forgotten in our zeal to eliminate risk - which, by the way, is not possible.

I find that the best risk mitigation action is the initial awareness of risk. Identifying a risk event goes a long way towards its management.

I also find that insufficient effort is applied to identifying events to benefit project delivery. In addition to identifying what could go wrong we should be looking at what we can do to improve the probability of success. Management's purpose is not only to control the bad stuff but also find ways to make things better.
The only formula is to estimate the value for classification the risk based on its prioritization, (high prioritization, medium or low). Indeed, the formula is “Value of impact” x “probability of occurrence”. But there is not a formula to estimate the impact and the probability.
The impact value is measured using cost estimation techniques or expert’s assessment. So, depending on the risk classification, analyzing the root cause of the risk, estimates the consequences of whether risk becomes an issue or problem.
The probability is the same, it is based mainly on expert’s assessment, experience from previous issues, timely and current information that help determine if the risk has a high likelihood to become an issue or not because can be mitigated or eliminated based on the actions taken to control it.
Mar 18, 2021 10:11 PM
...
"Don't spend \$10,000 to mitigate a risk event with a \$5,000 impact, especially considering it may not materialize. "

Far too many times in my career, I have had to remind teams that the cost of our own time discussing this risk, has already exceeded the cost if it does materialize.
Return On Investment (ROI) is key to effective risk management. Too often that is forgotten in our zeal to eliminate risk - which, by the way, is not possible.

I find that the best risk mitigation action is the initial awareness of risk. Identifying a risk event goes a long way towards its management.

I also find that insufficient effort is applied to identifying events to benefit project delivery. In addition to identifying what could go wrong we should be looking at what we can do to improve the probability of success. Management's purpose is not only to control the bad stuff but also find ways to make things better.
Thank you very much to all of you, I really appreciate you taking the time and effort. I understand it much more and am grateful for everything.
Measuring risks quantitatively enables us to manage risks more effectively. The risk profile of a project is more than just the sum of the risk exposure of its individual risks.
Qualitative risk analysis on its own can never give you a full view of a project’s risk profile. The risk profile of a project can only be fully understood by performing BOTH qualitative and quantitative risk analysis.
Overall project risk can only be determined through solid, defensible, quantitative information about the likelihood and severity of each important risk faced, and that information can only be derived through quantitative risk analysis.
Without the information gleaned from quantitative risk analysis, one cannot verify whether the project is being run within the bounds of the sponsor’s risk appetite. Nor is it possible to optimize the project’s risk response plans and to compare the risk of different decision options with any meaningful level of precision.
If you are managing a project that is large, complex, or important, you should incorporate quantitative analysis into your risk management process.
What is Quantitative Analysis?
Performing quantitative risk analysis is the process of mathematically evaluating the collective effect of identified individual project risks on overall project objectives. The main advantage of this process is that it quantifies overall risk exposure. This process can also supply extra quantitative information that can be used to support risk response planning.
I’ll expand on that PMBOK concept to say that quantitative analysis gives us two main benefits. First, quantitative analysis enables us to measure overall project risk. Second, quantitative analysis enables us to calculate which individual risks have the most impact on overall project risk. Knowing which risks are most impactful enables us to decide to treat those risks according to their impact on OVERALL project risk.
Quantitative analysis gives us a chance to move from the subjective qualitative risk analysis to a more objective analysis. It gives us the chance to use quantitative metrics and to apply sophisticated software tools that perform calculations on those metrics.
Quantitative risk analysis simulations can be performed on cost, schedule, or a combination of both. I focus on a cost-based simulation, as it is the simplest way to convey the benefits that quantitative risk analysis simulations can bring to your project.
Obviously, we can only analyze the risks that we are aware of. Quantitative analysis is based on known risks. As such, the output from quantitative analysis necessarily excludes any unknown unknowns. The probabilities that we calculate in quantitative analysis cannot, and do not, include unknown unknowns. This caveat should be clearly made anytime we present the results of quantitative risk analysis.
Quantitative risk analysis simulations, such as Monte Carlo analysis, are both complex and complicated.

When to Use Quantitative Analysis
Both PMI and Axelos point out that a quantitative risk analysis is not mandatory for all projects.
Small, repetitive, or insignificant projects rarely merit the effort required to perform a quantitative risk analysis. If you are managing a series of small repetitive projects, quantitative risk analysis is likely not necessary.
For example, if you were running a project installing new printers across all your office locations, the project would not likely be important enough to justify the effort and cost of performing quantitative risk analysis.
But, most ICT projects are, by their very nature, complex projects. And, for the majority of ICT projects, the uncertainty that complexity introduces easily justifies the time and cost of performing quantitative risk analysis.
Quantitative analysis may not be mandatory for projects, but PMBOK recommends considering quantitative analysis if your project is any of the below
• Large in cost, scope, duration, or impact
• Complex
• Strategically important
• When there is a contractual requirement
• When there is potential for legal disagreements with vendors/suppliers
• When the board or sponsor needs assurance that best practices are being applied to the risk management of the projects that they are sponsoring

If you are not sure if you should use quantitative analysis for your project, you can assess your project for free using our Project Risk Profile Assessment tool at: www.ictrisk.com.

The Project Risk Profile Assessment tool will help you assess your project to determine if quantitative assessment is appropriate for your project. The tool will help you understand the reasons why you should, or should not, consider using quantitative risk analysis.