4 GENERAL REQUIREMENT
4.13.3 Risk Management Process
4.13.3.2 Risk Quantification
Risk quantification or assessment involves assessing risks to determine potential project consequences. This consists of determining the likelihood of the identified risk actually occurring, assessing the impact if it does occur, and then assigning an overall rating to the risk. The contractor shall collect this information and communicate it with all involved members of the project team.
The guidelines for use of the project risk assessment matrix are given below.
a. Determining Likelihood
Risks shall be categorized by likelihood or probability of occurrence. Generally, a risk that is determined to be in the “Very Likely” to occur category is one that has a probability of 80% or greater of occurrence. A risk that is “Likely” to occur is one that has a probability between 40%–80%. A risk that has less than a 40% chance of occurring is categorized as “Unlikely”. It should be noted that even risks categorized as “Very Unlikely” or “Not Credible” to occur may still happen.
b. Determining Impact
Risks can also have varying impacts/consequences on a project. If a risk occurs, a negative consequence usually results. The consequence shall typically adversely affect the technical accomplishment, result in a schedule or milestone slip, and/or cause a cost impact. The degree of the consequence is what is measured in this step. Each risk shall be categorized as follows:
• Negligible
• Marginal
• Significant
• Critical
• Crisis
c. Overall Risk Rating
A risk’s probability shall be weighed against its potential impact in order to effectively gauge the measure necessary for dealing with that risk. Each risk shall be assigned an overall risk rating as high, moderate or low based on the X and Y axis intersection point of the risk assessment matrix. The management actions to be taken correspond to the overall risk rating.
High Risks. Require close monitoring and active on-going involvement of the contractor. These risks also require the identification of a mitigation strategy (recorded on the risk register), and regular review at project management meetings. Frequent high-level visibility of these risks is required. Elimination and/or mitigation of risks rated as “High” overall is a priority.
Moderate Risks. Require regular periodic assessment and action by the Contractor, as appropriate, to reduce the chance of these risks occurring or escalating. Although not usually of the severity of “High” risks, the risks with an overall categorization of “Medium” can still have, in some cases, a high impact to the project if they occur. “Medium” risks shall also be reviewed at the project status meetings.
Low Risks. Risks with an overall categorization of “Low” shall be monitored by the Contractor.
d. Risk Assessment Matrix
The project employs an established risk methodology for consistency and quality in the risk management process, as represented by the risk assessment matrix shown below. The y-axis determination (Likelihood of occurrence) is first made for an identified risk, followed by the x-axis (Impact/Consequence). The table then yields an “overall risk rating”. This overall rating is initially reviewed and validated as the “best fit” by the person identifying the risk, and then presented to their Management for their review. Adjustments may be made based on an initial “fact finding” period. The risk is then expeditiously entered into the Project Risk Register. Later adjustments in the overall risk rating may be made, up or down, depending on governing events and/or the relative success of applied mitigation strategies.
The risk assessment matrix is shown below.
Probability of Risk (rows) against Consequence (columns)

                 Negligible  Marginal  Significant  Critical  Crisis
Very Likely      Moderate    Moderate  High         High      High
Likely           Low         Moderate  High         High      High
Unlikely         Low         Moderate  Moderate     High      High
Very Unlikely    Low         Low       Moderate     Moderate  High
Not Credible     Low         Low       Low          Low       High

4.13.3.3 Risk Handling and Mitigation
Risk handling and/or mitigation is the identification of the course of action or acceptance selected for the purpose of effectively responding to a given risk.
There are generally four risk handling strategies for responding to risks: 1) Avoid, 2) Transfer, 3) Mitigate, or 4) Accept.
a. Avoid
This strategy focuses on totally eliminating the specific threat or risk-driving event, usually by eliminating the potential that the risk event can occur (i.e., taking action to drive the likelihood of occurrence to zero). This can be accomplished through total structure, system, or component redesign, or by selecting an alternate design approach which does not include the particular risk event, etc. Generally it is not possible to eliminate all risks, but specific risk events can often be eliminated with this strategy.
If the strategy is to avoid the risk, the cost and duration to implement this strategy are determined and documented on the Project Risk Register. Once the strategy is implemented, the risk level for the specific element shall be reduced to zero. No residual risk remains with this strategy. In some cases, substitute activities or processes may introduce new risk.
b. Transfer
This strategy is used when an activity scope with identified risks can be transferred to another activity or entity, especially when this risk can be more easily handled within the receiving activity or entity. A risk can be transferred to an outside organization. This in itself is a risky strategy in that the organization may fail to meet the agreed requirements, or introduce new risks into the organization. In any case, the individual or organization receiving the risk must accept the risk transfer.
If the strategy is to Transfer the risk, the cost and duration to implement this strategy are determined and documented. Once the strategy is implemented, the risk level for the specific site shall be reduced to zero. No residual risk remains with this strategy.
c. Mitigate
This strategy identifies specific steps or actions that shall improve the chances that an activity shall succeed by:
• Reducing the likelihood of the occurrence of the risk event, or
• Mitigating the consequence of a risk event, or
• A combination of the two.
The expected outcome of a risk event can be reduced by using proven technology to lower the likelihood that the activity shall be impacted, or by adding specific mitigation actions to the activity scope. Any corresponding cost and schedule implementation impacts due to the mitigating actions must be addressed during impact determination. Using this strategy, a risk remains, but at a reduced level. The remaining diminished risk is called residual risk. The impacts of these residual risks shall be identified during impact determination.
If the strategy is to Mitigate the risk, then the cost and duration to implement this strategy are determined and documented. Included in the analysis is a determination of whether to initiate a mitigation plan, depending on the plan cost and schedule as opposed to the cost and schedule impact if the risk is realized. In addition, the likelihood, the consequence, and the risk level of the residual risk (i.e., risk after mitigation action) are then determined. The potential cost and schedule impacts of the residual risk are identified using three data points, namely the best case (or most optimistic), the most likely, and the worst case (or most pessimistic). These are used in a triangular distribution to assess the cost and/or schedule uncertainty brought on by the risk element.
d. Accept
Accepting a risk is essentially a “no action” strategy. Selection of this strategy is based upon the decision that it is more cost or schedule effective to continue the activity as planned with no resources specifically dedicated to addressing this risk.
However, the “no action” strategy may be hedged by developing a contingency plan in case the risk event occurs and then tracking the risk to assure that it does not increase during contingency execution. In this case, the contingency plan does not mitigate the consequence, but seeks to control the impacts that typically result from the event consequence. Low risks are typically accepted. However, even though Low risks may be accepted, one must not overlook the cumulative impact to an activity resulting from a multitude of Low risks, especially if those risks are concentrated in one specific activity area.
For a handling strategy of Accept, the residual risk equals the initial risk because this strategy does not change the risk level. If the risk is accepted without additional actions, then the cost and duration of implementing this handling strategy are zero, which is documented on the Project Risk Register.