Risk Management - Assess

| Home | Guidelines | Manage | Organize | Identify | Assess | Root Cause Analysis
| Mitigate | Monitor & Control |

Once a set of risks are identified, they must be assessed to determine their severity and hence relative priority in mitigating them.    Risks are rated on the dual basis of likelihood and consequence.  The product of the likelihood and consequence score is called the risk rating.  Risks rated medium to high are worth taking some preventative actions to avoid them.  Click on the link below to view a sample risk rating schema.

Risk Score Card

The likelihood score is based on the chance that the undesirable event might happen and cause some negative consequence during the execution of the decision choice (or project).    If the decision-maker is unable to assess the probability of occurrence directly, another approach is to compare all the risks identified together.   Rank-order the list of risks from highest to lowest likelihood.   Then pick those risks whose likelihood the decision-maker can estimate and use them as reference points for gauging the likelihood of the others that are more difficult to estimate their likelihood.  

For each of the five likelihood interval scores, there is an associated numerical score ranging from 1 to 5.   The highest likelihood is rated a 5 (if the likelihood is greater than 80%) and the lowest likelihood is rated a 1 (if the likelihood is less than 20%).  As an example, suppose risk A is estimated to have a 50% chance of the event happening and risk M is rated at a 30% chance of happening.  If risk B is located in the rank-order list between risks A and M, then the decision-maker knows that the likelihood of risk B's occurring is somewhere between 30-50%.   The decision-maker then assigns a comparative rating base on known comparisons as to whether their estimate of likelihood is closer to risk A or risk M.  In other words, risk B is either a 2 or a 3 on the likelihood scale.  If in doubt, give the risk the higher likelihood score.  

The consequence rating is based on the assessed potential impact on the decision-maker's original need, providing a specific risk does occur.  The likelihood and the consequence must be aligned such that the magnitude of the impact is matched with the appropriate likelihood.  For example, if an undesirable event (risk) occurred, there might be a high likelihood of a small consequence or a small likelihood of a large consequence.   It is up to the decision-maker to pick what they think is the worst combination of likelihood and consequence.    If in doubt, pick the likelihood that matches the worst potential consequence.   

The description on the consequence scale must be defined by the decision-maker.  The scale on the risk score card is what is  often used by large corporations implementing large programs.   These programs are determined to be successful if they are completed within cost and schedule (which are two of the consequence scales in the risk score card).   The other condition of success is whether the final product meets the original objectives of the customer (decision-maker).  In other words, did the decision choice satisfy the intended need once it was implemented? 

The decision-maker can create their own success scale with five intervals of successful implementation.  For each of the five intervals on the consequences scale, there is an associated numerical score ranging from 1 to 5.   The highest adverse consequence (worst) is rated a 5 (as defined by the decision-maker) and the lowest adverse consequence is rated a 1 (as defined by the decision-maker).  At the top of the consequence scale, describe the worst outcome possible for this particular decision choice and implementation plan such as...the original need is not met.   At the bottom of the scale, describe the conditions where the essence of the need is met but slightly off target.   In-between these two extreme points, describe intermediate outcomes so that the scale represents a progressive description of consequences between low to high impact.  

Finally, the risk rating is the product of the two scores: the consequence score multiplied by the likelihood score.  For example, if the likelihood was rated a 3 and the consequence was rated a 3, then the risk rating would be a nine (3*3).   By referring to the risk score card, the decision-maker would rate the risk as medium.  As a general rule, all risks rated as medium or high warrant a risk mitigation plan.   If the decision-maker is strapped for resources (funds or schedule), then they could limit themselves to just mitigating the high risks whose risk rating is 15 or higher.    See the section on risk mitigation for methods on how to handle risks once they are identified and assessed.