Log in / Register
Home arrow Business & Finance arrow Project Risk Governance
< Prev   CONTENTS   Next >

Project Risk Modelling and Ranking

When confronted by risk, the inconsistency between different possible outcomes creates uncertainty about which outcome(s) will in fad materialise. To reduce uncertainty, risk analysis is conducted: project risks are identified, their potential impacts on the project's objectives and the probability of them occurring are estimated, and a range of potential responses is determined.

While uncertainty can be reduced as much as possible, it can never be eliminated; to accurately predict the future requires us to predict future opportunities and potential problems. Even our best attempts are not uniform as various perspectives will exist. Risk may be very dear to some but not to others and hence consensus is difficult to achieve. The process of risk analysis can be time consuming and its value and benefits are not always clear to senior management.


Qualitative assessment differs from the quantitative approach in two fundamental ways. These are illustrated by reference to the earlier example of university staff travelling overseas for student recruitment. First, qualitative analysis is subjective. Assessing the risk of a staff member performing adequately overseas will produce different outcomes, in that one person may think highly of the person in question while another person may not think so highly. Second, the analysis uses an educated guess. The rating of the person's performance is based on perceptions such as past experiences with that person and likes and dislikes. At best, the outcome is a 'guesstimate' since there is not enough factual data available to make an accurate assessment.

To assist in developing a qualitative assessment of project risks, reference is made to the following documents:

• Organisational process assets. By assets is meant available data and documents. These can take many shapes and may include data about risk encountered in past projects and lessons learned from completed projects. Documentation in the form of standards and templates provide guidance for identifying project risk, assigning probabilities and determining risk severity.

• Project scope statement. This document is crucial in all project activities since it outlines the nature of the project, its activities and deliverables. For common or recurrent types of project, risk is generally well understood. For complex projects, such as those involving state-of-the-art technology, there is greater uncertainty and hence greater risk. This should be explicitly acknowledged in the project scope statement.

• Risk management plan. This is a key document for project risk management as outlined earlier in the chapter. The plan shows how project risk management will be conducted and refers to roles and responsibilities, the schedule of activities and possible risk categories.

• Risk register. A document that contains information about project risk events and conditions. It is usually displayed in a table or spreadsheet format and will be introduced in a later section.

The quantitative approach differs from the qualitative approach by its focus on numbers and use of numerical and/or statistical analysis. It is often preceded by qualitative risk analysis because this enables the project team to identify critical risks which are then subjected to the quantitative risk analysis approach. Quantitative risk analysis includes the following:

• Expert judgement. Experts have in-depth knowledge of the project and/or extensive experiences with similar projects and associated risk analysis. They are asked to participate in a Delphi study in which they evaluate potential risks via a questionnaire. Responses are collected, ranked and sent back for another round of evaluation.

After about three rounds, consensus is reached among the group on the project risks that exist and their severity.

Sensitivity analysis. This approach measures the sensitivity of project objectives to changes in one project variable (i.e. risk) while holding all other variables constant. Sensitivity analysis determines which risks have the largest potential impact on project objectives. The approach is also called a 'what if?' analysis and uses spreadsheet software to carry out the analysis for various scenarios.

Expected monetary value analysis. The expected monetary value is the product of two numbers: risk event probability (a number between 0 and 100) and risk event value (the amount of money to be gained or lost if the event occurs). The worked example in Table 8.2 shows how cost and probability can be used to calculate the expected value of the project. For each of three alternatives the costs are established and probabilities assigned. The total of probabilities equals 100. By multiplying cost and probability, the earned value of each option is calculated and compared to determine the most attractive option, in this case option B.

Decision tree analysis. This approach is similar to 'earned monetary value analysis' in concept but differs in presentation. It uses a tree structure where each branch is a possible option. Various options are evaluated by considering their probabilities and impacts. Outcomes are compared and the most favourable is selected.

Simulation. A project risk simulation uses a model that evaluates the impact of risk, specified at a detailed level, on objectives that are expressed at the project level. An example is Monte Carlo analysis, where a model's outcome is simulated many times to provide a statistical distribution of the calculated results.

Table 8.2 Expected monetary value analysis




Earned Value

A - Optimistic




B - Most likely




C - Pessimistic








There are a number of strategies for completing risk analysis (Renn 2010). The traditional approach uses intuitive heuristic and judgement processes to determine risk probabilities and impacts. More specifically, 'rule of thumb' guidelines would have been developed and previous experiences would also be applied. In another strategy, importance is placed on contextual factors in forming perceptions about risk characteristics and the risk situation. In a further strategy, the use of semantics determines risk sources, people and the circumstances of the situation. The way risk is described and communicated plays a critical role in risk analysis. A complicating factor is the trust and credibility of the actors involved in the risk debate. The chosen strategy should align closely with approaches commonly used within the organisation in order to gain acceptance.

Complexity is further increased by psychological factors that influence the estimation of risk probabilities (Renn 2010):

• Availability bias. Probability is likely to be overestimated if the individual recognises risk easily and quickly or is aware of the risk. The example given is that if news is readily available about people being killed by lightning strikes, then the risk of being struck by lightning is regarded as particularly significant.

• Anchoring effect. Probability will also be overestimated if a risk is associated with known events. For example, if waste is known to be incinerated an association is formed between waste and its toxic nature and harmfulness to the environment. This is despite the lack of knowledge about the incineration process and/or the nature of the waste being disposed of.

• Distribution of risk over time. Risk probability is underestimated if risk events are spread over time rather than all occurring at once. This can be illustrated by the occurrence of road accidents throughout the year rather than all happening at once. The public appears to accept the existence of road accidents and attributes a lower probability of occurrence than if they thought accidents were concentrated in a short period of time.

• Assessment bias. It was found that uncertainty about losses resulting from risk events causes the assessment of loss to be close to the median of losses (i.e. the size of loss that occurs most often). As a result, low risks are overestimated and high risks are underestimated.

Complexity, however, can be moderated by introducing a degree of pragmatism into risk analysis. Renn (2010: 3) made the following suggestions. First, avoid 'making all risk judgements subjective reflections of power and interest'. These are examples of biases that distort the outcomes of risk analysis. They can be conscious or unconscious and it is the task of the project risk manager to find out if bias is a significant issue. Hopkinson (2011) makes the point that bias is often caused by organisational pressures to support a preferred profile of the project viz. its costs and objectives. Most pressure appears to be at the pre-approval stage when the project sponsor and team are anxious to proceed with the project.

Second, confirm that the 'task of risk managers is to provide evidence- based information' in support of risk analysis. At project approval it is tempting to make optimistic and even pessimistic adjustments to the information that is presented (Hopkinson 2011). With the former, the positive aspects of the project are over-emphasised, such as relying on 'best-case' rather than realistic scenarios of project outcomes. As a consequence, the project may be difficult to develop within the promised specifications. A pessimistic bias can exist when the project environment is such that serious consequences result when projects do not meet their stated objectives.

Third, accept that while risk assessments are based on observations and perceptions or social constructions of the world, they will have to be justified by logical reasoning (Renn 2010). For example, an economic (financial) approach can be followed during the construction of the project business case as outlined in Chapter 4. A business case takes into account risks that could impact on estimated project costs and benefits and calculates a net figure to indicate a potential positive return on the investment (benefits exceed costs) or a negative return, which could cause the project to be rejected. Senior management is generally familiar with and supportive of this line of reasoning.


The relationship between probability and impact determines risk severity.

Example of Determining Project Risk Severity

To illustrate the approach, reference is again made to the earlier example of a university sending its staff overseas to recruit students. The team believes that costs will increase due to higher oil prices, and that air fares may go up by 10%. They estimate the impact on their travel plan to be in the medium range, a 2 on a scale of 5, because fewer staff may be allowed to travel. The team also determines the probability of the increase to be 1 on a 5-point scale, which is low because there has been a drop in the number of people travelling by air recently and airlines would be reluctant to increase their fares. According to the intersection of probability and impact (probability = 1, impact = 2) in Figure 8.4, the risk severity is at a moderate threshold.

Risk severity assessment

Figure 8.4 Risk severity assessment

Risk severity is more graphically expressed in colour. The above example would indicate a moderate (yellow) value. The other colours are green (low) and red (high). Colours are traditionally associated with our feelings of danger and send a powerful signal to management on the severity of the risk.

The probability-impact grid provides a single risk rating for each risk event or condition. This proves a convenient indication for the risk manager as to where to focus his/her attention: the high-rated versus the low-rated risks. However, Ward (1999) provided warnings for this approach. The risk rating calculated by the impact score times the probability score has no absolute meaning. A numeric value is appealing and gives the impression of objectivity, but it cannot be interpreted that one risk is exactly that much more important than another one. Adding up the numbers also does not give an indication of the overall amount of project risk. Within the grid, the ranges of ratings can overlap depending on the ranges chosen to indicate the severity of risk. This poses a conceptual problem and requires a decision on how thresholds should be classified as low, medium or high.

Ward (1999) suggested that a variety of impact factors could be applied to provide greater understanding of risk severity. This could lead to separate probability-impact grids for project costs, time and quality, for example. Management would thereby obtain a multi-dimensional assessment of risk, especially in the early stages of the project when the first indications about the nature of the possible risks are sought via their potential impact on various project activities.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science