Key takeaways
Featured Partners
{{ POSITION }}. {{ TITLE }}
The best project managers are experts at risk estimation. With so many risks threatening to delay or derail a project, the effective estimation of risk has become an essential part of project management. Thankfully, there are a myriad of methods, strategies, and approaches that one can use to identify risks, assess their likelihood, and gauge their potential impact on the project at hand.
What Are Project Risks?
In project management, every project includes a number of inherent risks. While many of these are negative risks, there can be positive risks as well. In either case, risks in project management can generally be classified into one of four broad categories.
Project management risks
Some risks come with the territory of project management. These include potential risks with project controls, planning, or communications. Scope creep, which happens when a project’s requirements grow beyond the project scope, can be lumped into this category.
Organizational risks
These risks arise from within the organization. The most common organizational risks are related to resource allocation, task prioritization, and project decision-making. In most cases, organizational risks stem from executive-level leaders or key stakeholders and because of that, PMs usually have little control over these issues.
Technical risks
Risks that originate from technology are considered technical or technological risks. While these generally include issues with software or hardware, there are risks outside of these areas that are also considered technical in nature, including those affecting process documentation and data-driven performance analytics.
External risks
Potential risks that are beyond the control of the organization, the PM, or the project team are classified as external risks. The entries in this category range from governance and legal risks to societal and even weather-related risks.
Read more: Common Types of Risks in Project Management
Popular Risk Estimation Methods
Project managers use a variety of methods when estimating project risks. While smaller projects can probably be managed by using one of these strategies, larger projects might benefit from the application of several of these methods. There are numerous risk estimation strategies to choose from; we’ll cover some of the most popular ones below.
Risk exposure
Project risk exposure refers to the overall cost of what the project has to lose from a negative risk or what it has to gain from a positive risk. The risk exposure can be determined either quantitatively or qualitatively, depending on the project manager’s needs, stakeholder concerns, and project requirements.
What is the basic formula for estimating risk exposure?
To calculate risk exposure through a quantitative analysis, you’ll need to assign numerical values to both the probability of its occurrence and its potential impact. If your organization plans to invest in automated machinery that contributes $100,000 to your daily production revenue, and the probability of it experiencing issues is 10%, then your overall risk exposure is $100,000 x 0.10 = $10,000.
Alternatively, you can use a qualitative approach to determine risk exposure by assigning each risk to one of three categories: low, medium, or high. In this case, PMs typically implement a probability-impact matrix to determine each risk’s category.
Probability-impact matrix
Also known as the risk assessment matrix, or, more simply, the risk matrix, the probability-impact matrix is one of the most common and effective means of analyzing project risks. As its name suggests, the chart ranks each risk according to its probability of occurrence as well as its potential impact on the overall project.
The probability-impact matrix is generally created in a 5×5 grid with the probability listed down the left hand side and the potential impact along the top. Most probability-impact matrices are designed in an ascending fashion, with the upper-left corner representing rare or unlikely risks that would have a trivial or minor impact on the project. Conversely, the lower-right corner includes the most impactful risks that are either likely or very likely to occur.
| Trivial | Minor | Moderate | Major | Extreme | |
|---|---|---|---|---|---|
| Rare | Low | Low | Low | Medium | Medium |
| Unlikely | Low | Low | Medium | Medium | Medium |
| Moderate | Low | Medium | Medium | Medium | High |
| Likely | Medium | Medium | Medium | High | High |
| Very Likely | Medium | Medium | High | High | High |
The probability-impact matrix can be color-coded too, with low risks colored in green, medium risks colored in yellow, and high risks colored in red. While other matrix sizes do exist, such as 3×3, 4×4, and even 6×6, the 5×5 matrix provides enough granular detail without becoming too confusing or unwieldy.
Risk scoring
Once you’ve created a probability-impact matrix, you can then assign numerical values to each probability and impact category. For example, ranking risk probability across five different categories gives us the following values:
- 1: Very low
- 2: Low
- 3: Medium
- 4: High
- 5: Very high
In a similar fashion, assigning numerical values across three different risk impact categories gives us the following values:
- 1–3: Low
- 4–8: Medium
- 9–10: High
From here, we can simply multiply the risk’s probability by its potential impact. If you have a low-probability risk (2) that has a medium (4–8) impact, your risk’s total risk score will fall between 8 and 16, which, according to our risk ranges listed below, is a negligible risk that is probably worth taking.
- 0–19: Negligible
- 20–39: Manageable
- 40–50: Catastrophic
Determining risk score depends on the probability-impact matrix. Those who want to use an alternate means to estimate a project’s overall risk might consider utilizing parametric estimates to guide their risk management strategy.
Parametric estimates
Generally used as a means of reducing repetition, parametric estimates are a great way of balancing precision with flexibility. By using impact values, risk probability scores, and formulas that have been pre-established by external subject matter experts, PMs can easily produce estimates of the cost, duration, or effort related to a project.
To continue with our example of buying automated machinery for our factory, let’s assume that our $100,000 purchase of equipment is enough to buy 10 new devices. We know, based on historical data, that it takes an average of two hours to install each device. In this scenario, we’d simply multiply the number of devices (10) with the time it takes to install each device (2), for a total of 10 x 2 = 20. As such, we can make a parametric risk estimation of 20 hours that should be pretty accurate.
We can also apply this concept to other industries, including construction project risk assessments. If we’re overseeing the construction of a hotel with 100 separate rooms and it takes one team of workers an average of three days to finish each room, it will take approximately 300 days (100 x 3) to complete the project. Of course we can expedite this process in a number of ways — either by having multiple teams work simultaneously to reduce the number of actual days or by increasing the number of workers per team to decrease the time it takes to finish each room. Either way, we can tick off another box on our construction project risk assessment checklist.
However, parametric risk estimation comes with its own estimation risks. If your information is outdated or incorrect, your overall estimation of risk could be completely inaccurate and irrelevant.
Important Concepts in Risk Management
Those who are just getting started with risk estimation in project management will need to take the time to familiarize themselves with some important terms and concepts. Not only will they make it easier to identify, assess, and mitigate project risks, but they give you the lexicon needed to explain your risk management efforts to stakeholders, teammates, and even the general public.
Risk assessment
The risk assessment refers to the entire cycle of identifying, analyzing, and managing project risks. In most cases, the risk assessment takes on several different steps or phases that keep the cycle moving.
- Risk identification: This is the initial process of identifying any and all potential risks that may affect the current project.
- Risk analysis: This involves performing a surface-level analysis of all the risks that were previously identified in order to better understand their individual nuances and context.
- Risk evaluation: Use this phase to compare and contrast risks against a specific set of criteria in order to help with risk organization and prioritization.
- Risk management and mitigation: Now it’s time to develop and implement the strategies that are needed to keep each risk in check — whether that’s through complete risk mitigation, risk transfer, risk avoidance, or risk acceptance.
- Risk monitoring: The final step of the risk assessment cycle, risk monitoring is an ongoing process that helps PMs identify new risks and gauge the effectiveness of their current strategies.
Remember, the risk assessment cycle is a long-term, continuous activity. New risks are often identified throughout the typical project lifecycle, and skilled PMs regularly adapt their risk management strategies as their projects evolve.
Risk tolerance
Used to describe the amount of risk your organization can withstand or your organization’s willingness to take risks, risk tolerance is ultimately affected by three different types of project stakeholders:
- The organization or project team itself
- The project manager
- The project owner or client
Moreover, risk tolerance is usually described with three different levels or categories. These include:
- Conservative: Stakeholders that aren’t known for taking many risks fall into this category.
- Moderate: While these stakeholders are known to take some risks, they typically only do so when the reward is worth it.
- Aggressive: These stakeholders regularly take risks. As such, they have a high risk tolerance.
Let’s continue even further with our example of buying new machinery. If the project manager proposes a budget of $500,000, but organizational leaders only approve 25% of the budget ($125,000), their risk tolerance limit is 25%.
Risk impact
When charted on a risk probability-impact matrix, the overall impact of each risk is measured by a numerical value. Alternatively, risks can also be described simply as low, medium, or high.
- Low-impact risks will have little effect on the project outcome, so they can usually be accepted without any serious consequences.
- Medium-impact risks need to be measured carefully in order to ensure that the rewards are worth it and that any potential fallout can easily be contained.
- High-impact risks are those that will have a significant impact on the project at hand. These risks will require a large amount of time and/or resources to fix if they get out of hand, so always think carefully before taking any high-impact risks.
The risk impact rating gives you a general idea of how much (or little) a risk will affect the project at hand. If you want to determine the likelihood of each risk occurring, however, you’ll need to calculate its risk probability.
Risk probability
Similarly to risk impact, risk probability is generally charted on a risk probability-impact matrix to determine its numerical value. However, these can also be described as low, medium, or high.
- Low-probability risks have approximately a 10% chance of occurring.
- Medium-probability risks have approximately a 20% chance of occurring.
- High-probability risks have approximately a 50% chance of occurring.
These ratings are sufficient for most projects, but some might want to assess their risk probabilities on a more granular scale. In this case, feel free to add some additional approximations:
- Very low-probability risks have approximately a 1% chance of occurring.
- Very high-probability risks have more than a 50% chance of occurring.
Categorizing your risk probabilities according to these approximations makes it easy for everyone to understand the likelihood that any given risk will occur.
FAQs
If you have any remaining questions regarding risk estimation, project management risk assessment, or risk management in general, please refer to our brief FAQ below.
Bottom Line
You can’t start a project without assuming some amount of risk, and as a project manager, you should not only be able to plan ahead and forecast these risks, but you must also be able to identify them as they happen. You must also learn how to address any problems that occur as a result and how to maintain forward momentum throughout the entire process. While it’s virtually impossible to eliminate every risk from a project, skilled PMs can use every tool at their disposal to overcome these risks and ensure project success.
