Tuesday, February 27, 2007

Quantifying Project Risk

Prevailing wisdom regarding project risks states that your risk management plan must:
  • Identify project risks
  • Quantify the risks
  • Based on potential impact, develop plans to avoid, mitigate, transfer, or accept each risk.
  • Monitor and control risks
During the quantification phase, a team will typically assess the probability of a risk actually occurring. This usually results in a percentage score assigned to the risk probability. For example, Risk R1 has a 0.2 or 20% probability of occurring.

So far so good.

Then the team assesses the impact. This almost always results in either a "T-Shirt" estimation (large/medium/small), or a relative one to ten score where a larger number implies a greater impact.

This impact measurement is then multiplied by the probability factor, giving a total risk score.

But a T-shirt or relative type number does not result in a meaningful impact measurement. What does .2 X high mean? Or even .2 X 7? The risk has not actually been quantified because a relative estimate does not provide enough information to make meaningful decisions. At best, we are only able to rank the risks by score to determine an order of priority.

Now we have a problem because as project managers, we need to answer certain questions:
  • How much will it cost me in time and money if this risk actually occurs?
  • How do I know whether to avoid, mitigate, transfer, or accept the risk?
  • How much should I spend to mitigate the risk?
We can only answer these questions if the quantification process returns an impact measured in absolute hours or dollars. Then the risk score can be calculated in the same units. So: Risk score (dollars or hours) = Probability X Impact (dollars or hours).

We are now in a position to truly understand the potential cost of a risk and we can make an informed decision whether to avoid, mitigate, transfer, or accept the risk. If we choose to mitigate, we can answer the questions about how much time or money to apply to the mitigation effort. Since we know the cost of the risk, there is no reason to spend more to mitigate the risk than the risk itself would cost if it occurs.


Post a Comment

<< Home