The risk identification stage attempts to identify all risks, each of which threatens the achievement of the project's or organization's goals. It is clearly important, however, that attention is focused on those risks that pose the greatest threat.

## Defining qualitative risk descriptions

A qualitative assessment of the probability P of a risk event (a possible event that would produce a negative impact on the project or organization) and the impact(s) it would produce can be made by assigning descriptions to the magnitudes of these probabilities and impacts. The assessor is asked to describe the probability and impact of each risk, selecting from a predetermined set of phrases like: Nil, Very Low, Low, Medium, High and Very High. A range of values is assigned to each phrase in order to maintain consistency between the estimates of each risk. An example of the value range that might be given to each phrase is shown in Table 1.

Table 1: An example of the value ranges that could be associated with qualitative descriptions of the probability and impacts of a risk on a project

The value ranges can be selected to match the size of the project. Alternatively, they can be matched to the effect the risks would have on the organization as a whole. The drawback in making the definition of each phrase specific to a project is that it becomes very difficult to perform a combined analysis of the risks from all projects that the organization is involved in.

## Visualizing a portfolio of risks

A P-I table offers a quick way to visualize the relative riskiness of all identified risks that pertain to a project (or organization). Table 2 illustrates an example. All risks are plotted on the one table, allowing for the easy identification of the most threatening risks as well as providing a general picture of the overall riskiness of the project. Risks number 13, 2, 12 and 15 are the most threatening in this example.

Table 2: Example of a P-I table for schedule delay

The impact of a project risk that is most commonly considered is a delay in the scheduled completion of the project. However, an analysis may also consider the increased cost of the project resulting from each risk. It might further consider other, less numerically definable impacts on the project, for example: the quality of the final product; the goodwill that could be lost; sociological impacts; political damage or strategic importance of the project to the organization. A P-I table can be constructed for each type of impact, enabling the decision-maker to gain a more rounded understanding of a project's riskiness.

P-I tables can be constructed for the various types of impact of each single risk. Table 3 illustrates an example, where the schedule delay (T), cost (\$) and product quality (Q) impacts are shown for a specific risk. The probability of each impact may not be the same. In this example, the probability of the risk event occurring is high and hence the probability of schedule delay and cost impacts are high, but it is considered that, even if this risk event does occur, the probability of a quality impact is still low. In other words, there is a fairly small probability of a quality impact even when the risk event does occur.

Table 3: P-I table for a specific risk

## Ranking risks

P-I scores can be used to rank the identified risks. A scaling factor, or weighting, is assigned to each phrase used to describe each type of impact. Table 4 provides an example of the type of scaling factors that could be associated with each phrase/impact type combination:

Table 4: Example of the type of scaling factors that can be applied to determine a P-I score

In this type of scoring system, the higher the score, the greater the risk. The severity S of a risk is then some combination of the P and I scores. For example:

$$S = \max_{i}\,(P_i + I_i)$$

where i are the various categories of impact. Using the above scaling factors, the risk of Table 3 would be assigned a P-I (severity) score of: MAX(-2-2, -2-3, -4-5) = -4. In other words this scoring system values only the severity of the greatest impact category, which is not ideal. A slightly more complex, but more comprehensive, severity scoring system could be:

$$S = \log_{10}\bigg[\sum_{i} 10^{P_i + I_i}\bigg]$$

For the risk of Table 3, this formula gives a score of S = -3.96, which is not so different from the crude score as the time component of the risk dominates. However, if the quality, money and time had all been high/high, the simple severity formula would return -4, and the more complex formula -3.5.

The severity scores are then used to determine the most important risks, enabling the management to focus resources on reducing or eliminating risks from the project in a rational and efficient manner. A drawback to this approach of ranking risks is that the process is quite dependent on the scaling factors that are assigned to each phrase describing the risk impacts.

S scores enable the risks to be categorized according to severity. In the scoring regime of Table 4, for example, an unacceptably severe risk could be defined as having a score higher than -5, an acceptable risk as having a score lower than -7, and a risk with a severity score between -5 and -7 as being probably acceptable (or unacceptable if you are conservative), but undetermined because of the simplicity of the method (unless one is confident about the scores given). Table 5 shows how this segregates the risks shown in a P-I table into the three regions.

Table 5: Segregation of risks into Low, Medium and High severity by P-I scores

P-I scores for a project provide a consistent measure of risk that can be used to define metrics and perform trend analyses. For example, the distribution of S scores for a project gives an indication of the overall "amount" of risk exposure. More complex metrics can be derived using S scores, allowing risk exposure to be normalized and compared with a baseline status. These permit trends in risk exposure to be identified and monitored, giving valuable information to those responsible for controlling the project.
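The two severity formulas and the three severity bands above can be applied to a small risk register as follows. This is an added example, not part of the original page: the (P, I) pairs for `table3_risk` and `all_high` are the scores used in the text's worked figures, while `borderline` and `minor` are constructed entries on the same scale, and all function names are illustrative.

```python
import math

# Bands from the text: S above -5 is unacceptable, S below -7 is acceptable,
# anything in between is left undetermined.
UNACCEPTABLE_ABOVE = -5.0
ACCEPTABLE_BELOW = -7.0

def crude_severity(scores):
    """S = max_i (P_i + I_i) over the (P_i, I_i) pairs of one risk."""
    return max(p + i for p, i in scores)

def log_severity(scores):
    """S = log10( sum_i 10^(P_i + I_i) ): every impact category contributes."""
    return math.log10(sum(10.0 ** (p + i) for p, i in scores))

def band(s):
    if s > UNACCEPTABLE_ABOVE:
        return "unacceptable"
    if s < ACCEPTABLE_BELOW:
        return "acceptable"
    return "undetermined"

# One (P, I) pair per impact category, in the order T, $, Q.
REGISTER = {
    "table3_risk": [(-2, -2), (-2, -3), (-4, -5)],  # scores used in the text
    "all_high":    [(-2, -2), (-2, -2), (-2, -2)],  # the text's high/high case
    "borderline":  [(-2, -3), (-2, -3), (-3, -2)],  # constructed
    "minor":       [(-4, -4), (-4, -4)],            # constructed, two categories
}

def rank(register):
    """Rows of (name, crude S, log S, band by crude, band by log), worst first."""
    rows = []
    for name, scores in register.items():
        c, l = crude_severity(scores), log_severity(scores)
        rows.append((name, c, round(l, 2), band(c), band(l)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for row in rank(REGISTER):
        print("%-12s crude=%d log=%.2f crude_band=%s log_band=%s" % row)
```

The `borderline` entry shows the practical difference between the formulas: its crude score of -5 falls in the undetermined band, while the log-sum score crosses the -5 threshold because three impacts of equal size accumulate.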

## Efficient risk management

Efficient risk management seeks to achieve the maximum reduction in risk for a given amount of investment (of people, time, money, restriction of liberty, etc.). Thus, we need to evaluate in some sense the ratio (reduction in risk)/(investment to achieve reduction). If you use the log scale for severity described here, this would equate to calculating:

$$\text{Efficiency} = \frac{\sum 10^{s_{new}} - \sum 10^{s_{old}}}{\text{Investment}}$$

Whichever risk management options provide the greatest efficiency should logically be preferred, all else being equal.