Risk Classification and Risk Treatment - RM Series Part 3
In Risk Management Series Part 2, we looked at how to assign Risk Probability and Risk Impact ratings to individual risks faced by a project. In this Part 3 of our Risk Management Series, we examine how to use these ratings to classify risks and go on to show various risk treatment options.
Risk Classification
Since we now have our risks labelled on a scale of 1 to 4 according to their likelihood of occurring and their potential impact on project schedule, budget and scope (the ‘triple constraint’ for all projects), we can apply a simple classification mechanism. A classified risk helps us in two ways:
- firstly, by helping us understand the seriousness of the risk on its own - this will feed into our risk treatment decisions; and
- secondly, by contributing to the overall consideration of the riskiness of the project - here we are seeking to answer the question of whether or not the project carries too much risk to be worth executing.
The Risk Rating is a guide to the priority that should be given in managing project risks. The Risk Rating is qualitative and is developed from the following matrix that incorporates both the Probability of the risk event and the Impact of the risk event.
For example, if you are considering a risk to your project that software provided by a vendor is difficult to integrate, causing schedule delays, and the risk has been rated with a Probability of 1 and an Impact of 2, the risk would be rated as Low.
Many organisations will have procedures for dealing with projects with an overall high level of risk. For example, these procedures may first define how to classify the overall project risk, based on the classification and number of risks faced by the project. The procedure may then specify what is to be done in the case of high-risk projects, for example, a higher level of sign-off authority may be required in order for the project to proceed.
Risk Treatment
There are four basic methods of treating (or dealing with) a risk:
- Risk Avoidance: remove the risk;
- Risk Mitigation: reduce the risk;
- Risk Transfer: transfer risk to another party; and
- Risk Acceptance: accept the risk.
Usually, a variety of factors will be considered when deciding on a risk treatment strategy. Firstly, the Risk Rating (classification) will be contemplated: clearly, more effort should be expended on handling a risk with a Critical or High rating than one with a Medium or Low rating. This is simply because the potential of the risk to derail your project is higher in the first case, and it is wise to invest in strategies to ensure adequate treatment.
Secondly, one would consider the available options for treatment and weigh their cost against the likely benefits. It’s important to note, too, that not all treatment options will be available for each risk, although one can usually find a way to at least mitigate a risk.
So, Risk Probability and Risk Impact feed into a risk’s Rating, which in turn informs a manager’s Risk Treatment decision.
Risk Reviews should be conducted at regular intervals throughout project initiation and execution. And once done, don’t simply file the review away: this is good stuff for preventing mishaps and trouble, so be sure to implement your risk treatment plans. I recommend either adding risk treatment activities to your schedule or using a tool like I Want Sandy to remind yourself to follow up. Don’t forget it: risk management is a key to good project management.
