I briefly covered the risk assessment process in my previous article for my Risk Management Basics series. One of the things I mentioned was that risk assessment has two main parameters to be evaluated: risk probability and impact.
These are the main parameters because they apply to 100% of the cases. Probability assessment considers the likelihood that a risk will occur, and impact considers the potential effect on your objectives, and this is valuable information no matter the context.
However, there are many other risk parameters that can also be more or less useful to assess depending on the context or industry where the risk is being considered.
Let's take a look at some risk parameters beyond impact and probability.
Urgency: The period of time within which a response to the risk is to be implemented in order to be effective.
A short period indicates high urgency.
Proximity: The period of time before the risk might have an impact on one or more project objectives. A short period indicates high proximity.
Dormancy: The period of time that may elapse after a risk has occurred before its impact is discovered. A short period indicates low dormancy.
Manageability: The ease with which the risk owner (or owning organization) can manage the occurrence or impact of a risk. Where management is easy, manageability is high.
Controllability: The degree to which the risk owner (or owning organization) is able to control the risk's outcome. Where the outcome can easily be controlled, controllability is high.
Detectability: The ease with which the results of the risk occurring or being about to occur can be detected and recognized. Where the risk occurrence can be detected easily, detectability is high.
Connectivity: The extent to which the risk is related to other individual project risks. Where a risk is connected to many other risks, connectivity is high.
Strategic Impact: The potential for the risk to have a positive or negative effect on the organization's strategic goals. Where the risk has a major effect on strategic goals, strategic impact is high.
Propinquity: The degree to which a risk is perceived to matter by one or more stakeholders. Where a risk is perceived as very significant, propinquity is high.
Source: Project Management Body of Knowledge 5th Edition
As you can see, there are many other parameters to be assessed and this is not even an exhaustive list. Depending on the industry or context you will find even more.
So, why does traditional risk management only look at impact and probability?
It comes down to aplicability. As I previously mentioned, these two parameters are relevant to nearly 100% of projects. No matter what industry you are in or what technology you are using, having an idea of potential threats, their probability and their impact is always a good thing to know.
However, there is also another thing: probability and impact are easy to assess. That's especially true if you are only conducting qualitative analysis. You don't need much more than a few conversations with subject matter experts in order to have a pretty good idea of potential risks and a rough estimate of their probability and impact.
The other parameters that were introduced in this article are either very specific or hard to assess - sometimes both - which is why they have very limited applicability.
That does not mean, however, that they can be ignored. In some cases, they are just as important, if not more important, as probability and impact. It's up to the project team, and especially the project manager, to define which parameters should be considered and how they will be tracked and measured.
I hope this helped to expand your horizons on risk management. The idea of this series is to be a primer on risk management and the many concepts under this discipline. If you are interested in this topic and would like to know more about a particular aspect of risk management, do let me know in the comments!
Posted Using INLEO