RSKM.SP 2.2 Evaluate, Categorize, and Prioritize Risks
Summary
Evaluate and categorize each identified risk using defined risk categories and parameters, and determine its relative priority.
Description
The evaluation of risks is needed to assign a relative importance to each identified risk and is used in determining when appropriate management attention is required. Often it is useful to aggregate risks based on their interrelationships and develop options at an aggregate level. When an aggregate risk is formed by a roll up of lower level risks, care should be taken to ensure that important lower level risks are not ignored.
Collectively, the activities of risk evaluation, categorization, and prioritization are sometimes called a “risk assessment” or “risk analysis.”
The acquirer should conduct a risk assessment before solicitation to evaluate if the project can achieve its technical, schedule, and budget constraints. Technical, schedule, and cost risks should be discussed with potential suppliers before the solicitation is released. Using this approach, critical risks inherent in the project can be identified and addressed in the solicitation.
Example Work Products
- List of risks and their assigned priority
Example Supplier Deliverables
- List of risks and their assigned priority
Subpractices
1. Evaluate identified risks using defined risk parameters.
Each risk is evaluated and assigned values according to defined risk parameters, which can include likelihood, consequence (i.e., severity, impact), and thresholds. The assigned risk parameter values can be integrated to produce additional measures, such as risk exposure (i.e., the combination of likelihood and consequence), which can be used to prioritize risks for handling.
Often, a scale with three to five values is used to evaluate both likelihood and consequence.
- Low
- Medium
- High
- Negligible
- Marginal
- Significant
- Critical
- Catastrophic
Probability values are frequently used to quantify likelihood. Consequences are generally related to cost, schedule, environmental impact, or human measures (e.g., labor hours lost, severity of injury).
Risk evaluation is often a difficult and time consuming task. Specific expertise or group techniques may be needed to assess risks and gain confidence in the prioritization. In addition, priorities can require reevaluation as time progresses. To provide a basis for comparing the impact of the realization of identified risks, consequences of the risks can be monetized.
2. Categorize and group risks according to defined risk categories.
Risks are categorized into defined risk categories, providing a means to review them according to their source, taxonomy, or project component. Related or equivalent risks can be grouped for efficient handling. The cause-and-effect relationships between related risks are documented.
3. Prioritize risks for mitigation.
A relative priority is determined for each risk based on assigned risk parameters. Clear criteria should be used to determine risk priority. Risk prioritization helps to determine the most effective areas to which resources for risks mitigation can be applied with the greatest positive impact on the project.