Risk Management Strategy: Probability and Impact explained

Questions about Risk Management

What does it mean if someone says this is a HIGH RISK?

Is it high probability or high impact or both?

And what is a high impact anyway? High cost to fix, high impact to time?

One of the things that is contained in the Risk Management Strategy is definitions for estimating probability and impact for any given risk event.  We all know those people who raise risks and think that all their risks are a big deal and need to be acted on immediately. By providing definitions, the Risk Management Strategy promotes consistent analysis of risk events.

Often words like high, medium and low are used for both probability and impact.

Is 1% probability a low probability? Be careful. When a small probability is extrapolated over a large population it can still be a big deal.

Is a $10,000 impact to the project a high impact to cost? If your project budget is only $50000, then YES. If you project is being funded from a finite source such as loans or grants, the YES, it is a high impact.

Is a 1 day delay a high impact to time? If your project is a regulatory compliance project then 1 day late can be considered high if it leads to penalties and fines. Consider the Y2K project. Even 1 second after the stroke of midnight would not have been a good thing.


Some Answers !

Many project management experts suggest using verbal descriptions to assist the stakeholders in analyzing risk events.  They also suggest breaking up the impact areas of a project as well as any given risk event might have differing scales of severity based on the topics. For example:

Risk Event: A higher priority project may pull an expert from my project resulting in delays and potential quality issues with products this person was creating.

Impact: This situation is likely to have a higher impact to time due to the delays while we try to find an alternate expert or spend time training a new person. It is not likely to have much cost impact as there will already have been funds in the budget for the expert's work.

For probability definitions, I find it best to keep things simple. Especially since many organizations do not have the skills required to a full on numerical or statistical analysis of probability.  There is value in the experience and "gut feel" of the project stakeholders in relation to this project. Ask yourself "If I had to bet money, would I say this risk is going to happen or not, what would it be?"

If you find yourself saying "I would bet yes", then you are saying that you think this risk event is more likely than not to happen. Therefore, pushing it towards high in the probability spectrum. If the answer is no, then it is in the low end. Not a fancy or scientific approach, but for most of us it will be a more "conscious" approach than we are used to using.

Beware of using percentage to identify probability. Small percentages are often translated into NEVER. I just don't get why that happened, it was such a low probability!

Also, don't confuse probability with impact. The chance of you getting hit by lightening is beyond small. Needless to say, the impact is disastrous.

Below is an example of the definitions of impact for a project. In this example, a key topic of concern is the technical side of the project. In another project, this might be safety, public perception, publicity, legal or any other risk category.  

The numbers assigned to the magnitude column do not specifically represent dollar amounts or time delays. They are ordinals for comparison.
















Risk is a topic that deals with uncertainty. There are no guarantees.

“The illusion of precision can be a source of risk in itself; avoid making subjective information seem like objective by inappropriate application of quantitative techniques.”

From: Identifying & Managing Project Risk by Tom Kendrick