Thanks to Glen (Herding cats) for introducing this important topic. The standard formula used for calculating risks (which is presented in most Project Management manuals) shall be presented here in a less trivial way.
Risk impact = importance x likelihood
There are at least two areas for improving the usage of the formula (and the derived matrix):
- Introducing a categorization of values that makes both factors more intuitive and usable.
- Adopting standard and visual elements (vectors and matrices). For every value, the “evaluation by confrontation” shall be made possible.
Categories and levels
These considerations come from (http://www.sei.cmu.edu/risk/dod-risk.pdf).
Importance is the value given by business for any variance in the project’s outcome. It is measured in money (either windfalls or costs).
The graph shows all potential areas created by the matrix. Each square is ready to receive one or more risks, depending upon their values.
This is the visual classification:
- Green: acceptable – no action required.
- Yellow: to be evaluated – setting threshold values and specific controls.
- Red: alert – if unavoidable, some forms of mitigation are needed.
To make the formula mathematically more correct and easier to apply, the importance shall be presented as a percentage of costs and/or schedule.
- The arising costs have a direct impact on the budget.
- The delays in delivery time, calculated on the FTE of each “trouble” feature (related either to the product or the architecture), shall be linked to the impact on the budget (the Business Case does not have a proper plan yet).
This will create 5 categories of values that correspond to 5 types of actions:

| Impact on costs / performances | Impact on schedule | Impact on budget | Action required |
|---|---|---|---|
| Minimal | Minimal | Within Work package tolerances | No action |
| < 1% | < 1% | Within Project tolerances | Setting specific controls |
| < 5% | < 5% | Risky project | Checking resources/technology |
| < 10% | < 10% | Reviewing priorities | Involving stakeholders |
| > 10% | > 10% | Reviewing feasibility | Negotiating another solution |

Available types of actions
Dealing with risks can be done using one of the following actions:
- Mitigation. It ranges from eliminating the root cause to reducing the impact, either by removing the element that hampers production (i.e. at planning level) or by absorbing the effects (within tolerance). Setting proper controls is the first and most important action.
- Transfer of risk to others. It could be outsourcing specific parts (e.g. using COSTS).
- Acceptance. In a common situation, a low (< 30-40%) likelihood reduces the impact of the negative event. Therefore, the premium paid by the whole project can cover the risk.
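
The table and the formula above can be combined into a small risk register, shown here as an added example that is not part of the original post. It assumes that the worse of the cost and schedule percentages selects the table row, that "Minimal" means below 0.1%, that a value exactly on a bound falls into the higher row, and that acceptance is considered below 30% likelihood; the names and the sample risks are constructed.

```python
from dataclasses import dataclass

MINIMAL_PCT = 0.1    # assumption: the page gives no number for "Minimal"
ACCEPT_BELOW = 0.30  # assumption: lower end of the page's "< 30-40%" likelihood
# (upper bound in %, action required) for each row of the table above
LEVELS = [
    (MINIMAL_PCT, "No action"),
    (1.0, "Setting specific controls"),
    (5.0, "Checking resources/technology"),
    (10.0, "Involving stakeholders"),
    (float("inf"), "Negotiating another solution"),
]

@dataclass
class Risk:
    name: str
    cost_pct: float      # impact on costs, in %
    schedule_pct: float  # impact on schedule, in %
    likelihood: float    # probability, 0..1

def assess(risk):
    """Classify one risk by the table and score it with the formula."""
    if not 0.0 <= risk.likelihood <= 1.0:
        raise ValueError(f"{risk.name}: likelihood must be within 0..1")
    if min(risk.cost_pct, risk.schedule_pct) < 0:
        raise ValueError(f"{risk.name}: impact percentages cannot be negative")
    importance = max(risk.cost_pct, risk.schedule_pct)  # worse factor picks the row (assumption)
    # A value exactly on a bound falls into the higher row (assumption).
    level = next(i for i, (bound, _) in enumerate(LEVELS, 1) if importance < bound)
    return {
        "name": risk.name,
        "level": level,
        "action": LEVELS[level - 1][1],
        "impact": round(importance * risk.likelihood, 2),  # importance x likelihood
        "acceptance_candidate": risk.likelihood < ACCEPT_BELOW,
    }

def rank(risks):
    """Assess every risk and order the register by risk impact, highest first."""
    return sorted((assess(r) for r in risks), key=lambda a: a["impact"], reverse=True)

# Constructed sample register (not from the page).
SAMPLE = [
    Risk("Vendor API change", 12.0, 4.0, 0.10),
    Risk("Key developer leaves", 3.0, 4.5, 0.50),
    Risk("Test environment late", 0.5, 0.8, 0.60),
]

if __name__ == "__main__":
    for row in rank(SAMPLE):
        print(row)
```

In the sample, the risk with the highest importance (level 5) ranks second by risk impact because of its low likelihood, which also marks it as an acceptance candidate.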
Issuing the Business Case
All efforts are dedicated to building the concepts (guidelines and strategies) that will be developed and deployed during the project. The Risk Analysis carried out through this process shall be oriented more towards the risk attitude and the communications (collaboration) channel. The efficiency of controls depends upon the quality of the signal received by management.
Conclusion
This post is limited to the Business Case (i.e. a high-level viewpoint, involving a few highly skilled persons for a limited time). Risk Management is growing in importance as the assurance of delivering sound projects becomes the priority of every company.



