Assessing risk is a crucial activity in project management. Because we may not be able to take action against every risk identified, we need to prioritise the risks, and before that can happen we need to evaluate each risk itself. We will also discuss quantitative approaches to risk.

Risk evaluation criteria

The evaluation of the seriousness of a risk is based on two key criteria:

  • the probability that the risk will occur;
  • the impact that the risk will have, should it occur.

Together, probability and impact give an idea of the magnitude of the risk – the risk exposure. A third factor is the proximity of the risk, which takes account of the fact that the magnitude of the risk may vary throughout the project – for example, once coding has been successfully completed, some risks relating to coding disappear.

Risk exposure

We noted above that the impact, or severity of a risk, is the adverse effect that the risk will have on the project should it materialise. This impact might be a longer development time, a reduction in the scope of the deliverable, a reduction in the performance of the deliverable, or an increase in the resources needed. The scope and the performance are often combined as a reduction in quality.

The increased resources, both of materials and labour, are usually referred to as increased costs. The turning of a risk into a real issue needing action could affect the business case because of increased costs or reduced benefits.

A risk can be viewed as an opportunity

A risk can be viewed as an opportunity. Let’s examine the example on the previous page, of developing application software in a language (say Java) with which developers are not familiar.

The plan for the software development could increase the expected duration of the coding tasks to take account of the developers’ lack of experience. If, however, the developers were able to pick up Java very quickly, their tasks could be completed earlier than scheduled. In this case the project manager ought to exploit this opportunity and start the next tasks as soon as possible.

The time gained here will be a useful buffer if other problems occur later in the project.

Impact is not the only issue that affects the seriousness of a risk (or risk exposure). A risk could cause immense damage if it occurs – as in the example of an aircraft crashing into a workplace – but in practice be dismissed because of the minute probability of it occurring.

Risk proximity

The proximity relates to the period in the project when the risk could occur. A given risk is more likely to occur during one or more particular activities. After a certain project milestone it might no longer be applicable, or at least have a reduced impact. The risk of inexperienced Java programmers delaying completion of work will affect the software development stage.

Once the software coding is over, this will no longer be a risk. In Chapter 1, it was noted that uncertainty about a project was greatest at the beginning because of all the unknowns associated with a new project. As knowledge is gained about the application and technical domains during the project, much of this uncertainty is reduced.


Risk assessment can be quantitative – based on seemingly precise mathematical values – or qualitative – based on broader management intuition.

Quantitative risk assessment

When a quantitative approach is used, probability is represented as either a percentage between 0 per cent and 100 per cent or a value in the range of 0.00 to 1.00. 0 per cent or 0.00 means there is absolutely no chance of something happening, while 100 per cent or 1.00 means it is absolutely certain that it will happen.

A probability of 0.40 means there is a 4 out of 10 chance of something happening.

Impact is most conveniently measured as a monetary value reflecting the financial loss of the risk should it actually occur, but is sometimes measured in time (that is, the amount of delay caused). The values for probability and potential impact of a particular risk can be used to calculate risk exposure.

Quality control and quality assurance practices rarely apply risk management, so you also need to adapt your management plan to quality and Agile quality assurance practices.

Risk exposure = impact × probability

For example, if there were a 0.10 probability of IT equipment worth £20,000 being stolen, the risk exposure would be £20,000 × 0.10, that is, £2,000. (Note that all the numbers here are picked for ease of the arithmetic, not because they are realistic.) Crudely, this risk exposure value can be compared to the amount that might be paid as an insurance premium.

If there were 100 organisations with IT equipment of the same value and the same chance of theft and they all contributed £2,000 to a pool, the pool would be big enough for 10 per cent of them to withdraw £20,000 if they were robbed. (This is a simplified model: in real life the 10 per cent would have to be based on an average over several years. It is unlikely that it would be exactly 10 per cent in any one year.)

Advantage of the quantitative model in risk management

An advantage of the quantitative model is that it is easy to assess the effectiveness of a risk reduction action. Say that in the above example an organisation decided to buy a burglar alarm for £1,500 (once again, this figure has been picked simply to make the calculation easy) and it is estimated that it would reduce the probability of a successful theft to 1 per cent (or 0.01). A risk reduction leverage can be calculated as follows:

Risk reduction leverage (RRL) = (REbefore − REafter) / cost of risk reduction

REbefore is the risk exposure before the risk reduction action is taken – that is, £2,000. REafter is the risk exposure after the action (the installation of the burglar alarm) – that is, £20,000 × 0.01, or £200.

The calculation of RRL is therefore (£2,000 − £200) / £1,500 = 1.2.

Because the RRL is greater than 1.0, it means that the reduction action is worthwhile. (This could be compared to the cost of the burglar alarm being offset by a reduction in insurance premiums.)
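The risk exposure and RRL calculations above, as an added worked example (not from the original text). It reproduces the burglar alarm figures and then generalises slightly: it ranks several candidate risk reduction actions by RRL, including one that reduces the impact rather than the probability. The two extra controls and their figures are constructed for illustration, not real costs.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float        # loss if the risk materialises (monetary, here GBP)
    probability: float   # chance of occurrence, 0.00 .. 1.00

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must lie between 0.00 and 1.00")
        if self.impact < 0:
            raise ValueError("impact is a loss and cannot be negative")


def risk_exposure(risk: Risk) -> float:
    """Risk exposure = impact x probability."""
    return risk.impact * risk.probability


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                       # one-off cost of the risk reduction action
    residual_probability: float       # probability once the control is in place
    residual_impact: Optional[float] = None  # None: the control leaves impact unchanged


def risk_reduction_leverage(risk: Risk, control: Control) -> float:
    """RRL = (RE_before - RE_after) / cost; RRL > 1.0 means the action is worthwhile."""
    if control.cost <= 0:
        raise ValueError("control cost must be positive")
    impact_after = risk.impact if control.residual_impact is None else control.residual_impact
    after = Risk(risk.name, impact_after, control.residual_probability)
    return (risk_exposure(risk) - risk_exposure(after)) / control.cost


def rank_controls(risk: Risk, controls: List[Control]) -> List[Tuple[str, float]]:
    """Candidate controls ordered by RRL, best first."""
    scored = [(c.name, risk_reduction_leverage(risk, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The page's theft example, plus two constructed alternatives for comparison.
THEFT = Risk("IT equipment stolen", impact=20_000.0, probability=0.10)
CANDIDATES = [
    Control("burglar alarm", cost=1_500.0, residual_probability=0.01),
    Control("security guard contract", cost=6_000.0, residual_probability=0.005),
    Control("asset tags and insurance excess", cost=500.0, residual_probability=0.10, residual_impact=12_000.0),
]

if __name__ == "__main__":
    print(f"RE before any action: £{risk_exposure(THEFT):,.0f}")
    for name, rrl in rank_controls(THEFT, CANDIDATES):
        verdict = "worthwhile" if rrl > 1.0 else "not worthwhile"
        print(f"{name:32s} RRL = {rrl:.2f}  ({verdict})")
```

The ranking shows why RRL rather than raw exposure reduction decides: the guard contract removes the most exposure but costs more than it saves, while the cheap impact-reducing control scores highest.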

Problems with the practical application of quantitative risk assessment

Risk management practices are not easy to understand and apply. Unless you have a very large set of data about past occurrences of the particular risk, identifying the probability of a risk may end up as guesswork.

In our simplistic example, the cost of the theft was exactly £20,000. In practice the amount of damage can vary, and so this value could be guesswork. Where there is a large amount of data about past occurrences of the risk, it may be possible to produce a table showing the probability of different ranges of cost – but this kind of information is unlikely to be available to a project planner.

Quantitative risk exposure values are based on the principle that when risks actually occur, the situation can be remedied by using resources put aside to meet possible losses. However, this assumption does not hold where the loss caused by a particularly large risk occurring is simply too large and would exhaust the fund. The bankruptcy of the client organisation might be an example of these show-stoppers.