Risk Attributes

Risks have many different attributes and components, all of which need to be considered and addressed if we are to characterise a risk appropriately.

Risk Type

People often use the term “risk” as a purely negative word, but as explained earlier, it’s really defined as “effect of uncertainty on objectives”. This means that it encapsulates both positive and negative potential effects. As such, two different terms are used to qualify the term risk to differentiate between positive and negative uncertainties:

    • Opportunities are those risks with potential to impact positively on a project’s objectives.
    • Threats are those risks with potential to impact negatively on a project’s objectives.

For effective risk management, it is important that similar effort be devoted to the identification and management of opportunities and threats to maximise value to the project.

Nomenclature & Meta-Language

After risk type, the definition of a risk is critically important; it sets the context for the rest of the attributes that follow. When people are browsing through a risk register, they will typically be looking at the risk name and its positioning within the register. Therefore, it’s important that the risk name concisely defines the full nature of the risk including its cause and effects.

One way of ensuring that this happens is to use risk meta-language: a structured risk naming technique that clearly separates the cause-risk-effect aspects of a potential threat or opportunity to succinctly express the full nature of the risk. Risk meta-language usually follows a structure similar to “Due to <cause>, there is a risk that <risk event> may happen, resulting in <effect on objectives>.”

If a risk can’t be expressed in this format, it’s likely that it lacks definition or perhaps isn’t even really a risk!

Managing Risks Qualitatively: Bow Tie Diagrams

At this point, the different emphases of Qualitative and Quantitative Risk Analysis become relevant.

For Qualitative Risk Analysis, risks are often grouped into Areas of Risk, whereby a common Risk Event may be triggered by a range of causes and may in turn give rise to a range of consequences. Treatments and controls are then listed and divided into two groups: Proactive (Causal) controls, which act on the causes, and Reactive (Consequential or Adaptive) controls, which act on or deal with the consequences.

For Qualitative Risk Analysis it makes sense to construct so-called “Bow Tie Diagrams” with the various causes directed at the single Risk Event and the various Consequences flowing from the Risk Event. The Bow Tie diagram can show the Causal Controls in between the Causes and the Risk Event and the Consequential Controls between the Risk Event and the various Consequences.

It is possible to develop Semi-Quantitative Risk Analysis Bow Tie Diagrams, combining features of Fault Trees and Event Trees.

The following Bow Tie Diagram was included in a paper “Combining EA techniques with Bow-Tie Diagrams to enhance European Port Security” by Nikolaos Papas of BMT Hi-Q Sigma Ltd., Basingstoke, UK (Nikolaos.papas@hiqsigma.com).
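As an added illustration (not taken from the paper above or from the original page), the following Python model represents one Area of Risk as a bow tie: several causes, each passing through its own causal controls, feed a single Risk Event, which fans out through consequential controls to several consequences. It also shows the semi-quantitative variant mentioned earlier by combining the causes fault-tree style (an OR gate over causes assumed independent) and the consequences event-tree style (each consequence as a conditional branch after the event). The risk event, causes, controls, probabilities and control effectiveness figures are all constructed for the example, and the multiplicative way a control’s effectiveness reduces a probability is a simplifying assumption of this example, not a rule from the page. The to_dot method emits Graphviz text so the same model can be drawn as a diagram.

```python
"""Semi-quantitative bow-tie model (added example; all figures are constructed)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of occurrences the control stops, 0..1 (assumed input)


def _apply_controls(p: float, controls: list[Control]) -> float:
    """Assumption: each control independently removes its share of occurrences."""
    for c in controls:
        p *= 1.0 - c.effectiveness
    return p


@dataclass
class Cause:
    name: str
    annual_probability: float        # chance per year the cause is triggered, before controls
    controls: list[Control] = field(default_factory=list)   # causal (proactive) controls

    def residual_probability(self, with_controls: bool = True) -> float:
        return _apply_controls(self.annual_probability, self.controls if with_controls else [])


@dataclass
class Consequence:
    name: str
    conditional_probability: float   # chance this outcome follows the event, before controls
    controls: list[Control] = field(default_factory=list)   # consequential (reactive) controls

    def residual_conditional_probability(self, with_controls: bool = True) -> float:
        return _apply_controls(self.conditional_probability, self.controls if with_controls else [])


@dataclass
class BowTie:
    event: str
    causes: list[Cause]
    consequences: list[Consequence]

    def event_probability(self, with_controls: bool = True) -> float:
        """Fault-tree OR gate over independent causes: 1 - prod(1 - p_i)."""
        p_none = 1.0
        for cause in self.causes:
            p_none *= 1.0 - cause.residual_probability(with_controls)
        return 1.0 - p_none

    def consequence_probabilities(self, with_controls: bool = True) -> dict[str, float]:
        """Event-tree branches: P(consequence) = P(event) * P(consequence | event)."""
        p_event = self.event_probability(with_controls)
        return {c.name: p_event * c.residual_conditional_probability(with_controls)
                for c in self.consequences}

    def to_dot(self) -> str:
        """Render the bow tie as Graphviz DOT (causes left, consequences right)."""
        lines = ["digraph bowtie {", "  rankdir=LR;", "  node [shape=box];",
                 f'  event [label="{self.event}", shape=octagon];']
        for i, cause in enumerate(self.causes):
            lines.append(f'  cause{i} [label="{cause.name}"];')
            prev = f"cause{i}"
            for j, ctl in enumerate(cause.controls):      # causal controls sit between cause and event
                lines.append(f'  cctl{i}_{j} [label="{ctl.name}", shape=ellipse];')
                lines.append(f"  {prev} -> cctl{i}_{j};")
                prev = f"cctl{i}_{j}"
            lines.append(f"  {prev} -> event;")
        for i, cons in enumerate(self.consequences):
            prev = "event"
            for j, ctl in enumerate(cons.controls):       # consequential controls sit between event and outcome
                lines.append(f'  rctl{i}_{j} [label="{ctl.name}", shape=ellipse];')
                lines.append(f"  {prev} -> rctl{i}_{j};")
                prev = f"rctl{i}_{j}"
            lines.append(f'  cons{i} [label="{cons.name}"];')
            lines.append(f"  {prev} -> cons{i};")
        lines.append("}")
        return "\n".join(lines)


def example_bowtie() -> BowTie:
    """Constructed Area of Risk for an IT system; every number here is made up."""
    return BowTie(
        event="Unauthorised access to production database",
        causes=[
            Cause("Staff credentials phished", 0.30,
                  [Control("Phishing awareness training", 0.4), Control("MFA on remote access", 0.9)]),
            Cause("Unpatched server vulnerability exploited", 0.20,
                  [Control("30-day patch SLA", 0.7)]),
        ],
        consequences=[
            Consequence("Customer data exfiltrated", 0.6, [Control("Egress monitoring and alerting", 0.5)]),
            Consequence("Service outage during containment", 0.8, [Control("Tested restore from backups", 0.25)]),
        ],
    )


if __name__ == "__main__":
    bt = example_bowtie()
    print(f"P(event) without controls: {bt.event_probability(False):.3f}")
    print(f"P(event) with controls:    {bt.event_probability():.3f}")
    for name, p in bt.consequence_probabilities().items():
        print(f"  {name}: {p:.4f} per year")
    print(bt.to_dot())
```

Comparing event_probability(False) with event_probability() gives the qualitative register’s “with / without controls” view in numbers, which is the point of the semi-quantitative bow tie; the DOT text can be piped to `dot -Tpng` to get the diagram itself.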

Managing Risks Quantitatively

For Quantitative Risk Analysis using the Monte Carlo Method, each cause of the risk event is treated as a separate risk definition, with the consequences for that causal risk included in the risk definition, whether singular or multiple. This enables applicable treatments for that causal risk event to be associated with it and for Pre- and Post-treatment Risk Assessments to be determined for the applicable risks. It also enables analysis and comparison of combinations of proposed treatments for a given risk to select the best cost/benefit combination of treatments.

Risk Registers for Quantitative Risk Analysis are likely to include higher numbers of separately defined and more precise risks than Risk Registers for Qualitative Risk Analysis. But the Qualitative Risk Register based on Bow Tie Risks is more suitable for managing groups of related risks and treatments.

Likelihood / Probability

Each threat and opportunity within a register must be assessed for Likelihood. A risk’s likelihood is an expression of the chance that the risk will occur. Likelihood can be expressed qualitatively using terms for levels such as “Rare”, “Unlikely”, “Possible”, “Likely”, and “Almost Certain”, or quantitatively using a percentage scale from >0% to <100%, when it is referred to as Probability.

A risk is only a risk insofar as it has the potential to produce an impact on a project’s objectives. Consequently, a risk with a probability of 0% can be considered not to be a risk at all, since it will never occur. A risk with a probability of 100% is defined in projects as an Issue and should appear in an Issues Register instead of the Risk Register if it is a Threat with a negative impact on one or more Project Objectives such that the Objective(s) cannot be achieved.

Consequence / Impact

ISO 31000 defines Consequence as the outcome of an event affecting objectives. In the context of project risk management, the event may be taken as a risk event. The consequences may be certain or uncertain and may be expressible qualitatively or quantitatively. When expressed quantitatively, it is normally defined as an Impact.

Risk consequence is an expression of the effect of the risk should it occur. A risk can have multiple categories of consequence, such as Safety, Cost, Environmental, Schedule and Reputational.

Consequences can be expressed qualitatively using terms for levels such as “Insignificant”, “Minor”, “Moderate”, “Major” and “Catastrophic”. Alternatively, where appropriate, consequences can be expressed quantitatively in increments of an appropriate unit, in which case they are referred to as impacts.

Each quantifiable impact type may be assigned an impact distribution to define the range of uncertainty in understanding of the risk’s effect. This is useful because often risks may not be definable with precisely quantifiable outcomes. Take for example the risk of a flood. Historical weather data may show that a flood occurs, say, every 5 years in a particular region, so we may be able to define the probability in any one year as 20%. What is not definable is the extent of the flooding should it occur. It could range from heavy rain causing minor localised flooding, through to moderate or even major flooding throughout a region. In these situations an impact distribution range may be required to define the time delay for project activities affected by the flood and/or the costs of recovery from damage caused by the flood.

An impact distribution range can be characterised by a minimum, most likely, and maximum impact value for each quantifiable impact type. Such ranges are known as impact probability distributions.

Risk Magnitude / Exposure

A risk’s magnitude or exposure refers to the combined effect of its probability and impact assessments. A low probability risk with a low impact assessment may be considered to affect the project objectives negligibly or to have a low risk exposure, whereas a high probability risk with a high impact assessment would be considered to affect project objectives with high or even extreme risk exposure.

A risk may be expressible with a range of probabilities and impacts, representing in some cases a continuum of risk exposures from Low Impact/High Probability through Moderate Impact/Moderate Probability to High Impact/Low Probability. An example is the risk of an adverse weather event. These may range from regular occurrences of high rainfall in a 24 hour period causing cessation of work on parts of the affected project, through unusually high rainfall causing minor flooding, to a major cyclonic event directly striking the project site and causing substantial damage that takes weeks to reinstate. As the impact severity increases, the frequency or probability in any given period decreases.

In some Risk Registers one, two or all three of these descriptions may be included as separately identifiable and treatable risks, each with a separate probability and impact range (as described under Consequence / Impact) and possible set of treatments.

For quantitative risk analysis, there are typically three different types of exposure rating associated with any given risk:

    • Pre-treatment exposure refers to the combined effect of the original probability and impact assessment. This is the magnitude of the risk if nothing is done about it.
    • Post-treatment exposure refers to the combined effect of the probability and impact assessments of the risk after applying all accepted or implemented treatments. This is the magnitude of the risk if all accepted treatments are successfully implemented.
    • Target exposure refers to the expected probability and impact of the risk after implementation of all accepted treatments. There should be some auditable basis for expecting that the Target Exposure is achievable if all accepted treatments are implemented, preferably based on realistic assessments of the effects on probability and impact of the risk by each accepted treatment. If this cannot be demonstrated, the validity of the Target Exposure may be open to question.

It is not uncommon in qualitative risk analysis for Target Exposure ratings to have no audit trail to prove their validity.
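The Monte Carlo approach described under Managing Risks Quantitatively, the minimum / most likely / maximum impact distribution from Consequence / Impact, and the pre- and post-treatment exposures listed above can be put together in one small tool. The Python below is an added example, not code from the original page: each register entry is a separately defined causal risk with a probability and a triangular cost-impact distribution; each treatment is a constructed record that scales the risk’s probability and/or impact at a cost. The code gives the analytic expected exposure, runs a Monte Carlo simulation of the whole register to get mean and percentile totals, and tries every combination of a risk’s treatments to find the one with the best net benefit, which is the auditable basis for a post-treatment exposure that the text asks for. The register entries, treatments and every figure in them are constructed for illustration, and modelling a treatment as a simple multiplier on probability or impact is an assumption of this example.

```python
"""Monte Carlo assessment of a quantitative risk register (added example; constructed data)."""
from __future__ import annotations
import random
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class Treatment:
    name: str
    cost: float
    probability_factor: float = 1.0   # assumption: multiplies the risk's probability (0.5 = halves it)
    impact_factor: float = 1.0        # assumption: multiplies min / most likely / max impact


@dataclass
class Risk:
    name: str
    probability: float                      # chance the risk event occurs in the period, 0 < p < 1
    impact: tuple[float, float, float]      # (minimum, most likely, maximum) cost impact
    treatments: list[Treatment] = field(default_factory=list)

    def treated(self, chosen: tuple[Treatment, ...]) -> Risk:
        """Return a copy of the risk with the chosen treatments' effects applied."""
        p = self.probability
        lo, ml, hi = self.impact
        for t in chosen:
            p *= t.probability_factor
            lo, ml, hi = lo * t.impact_factor, ml * t.impact_factor, hi * t.impact_factor
        return Risk(self.name, p, (lo, ml, hi), list(self.treatments))

    def expected_exposure(self) -> float:
        """Analytic expected cost: probability times the mean of the triangular impact."""
        lo, ml, hi = self.impact
        return self.probability * (lo + ml + hi) / 3.0

    def sample(self, rng: random.Random) -> float:
        """One Monte Carlo trial: 0 if the risk does not occur, otherwise a triangular draw."""
        if rng.random() >= self.probability:
            return 0.0
        lo, ml, hi = self.impact
        return rng.triangular(lo, hi, ml)        # stdlib signature is (low, high, mode)


def register_expected_exposure(risks: list[Risk]) -> float:
    """Analytic expected total cost of the register (sum of per-risk expectations)."""
    return sum(r.expected_exposure() for r in risks)


def simulate(risks: list[Risk], trials: int = 50_000, seed: int = 1) -> dict[str, float]:
    """Simulate the register as a whole; returns the mean and P50 / P80 / P90 totals."""
    rng = random.Random(seed)
    totals = sorted(sum(r.sample(rng) for r in risks) for _ in range(trials))
    pct = lambda q: totals[min(int(q * trials), trials - 1)]
    return {"mean": sum(totals) / trials, "p50": pct(0.5), "p80": pct(0.8), "p90": pct(0.9)}


def best_treatment_set(risk: Risk) -> tuple[tuple[Treatment, ...], float]:
    """Try every combination of the risk's treatments and keep the largest net benefit
    (reduction in expected exposure minus treatment cost). An empty tuple means do nothing."""
    best, best_net = (), 0.0
    base = risk.expected_exposure()
    for k in range(1, len(risk.treatments) + 1):
        for combo in combinations(risk.treatments, k):
            net = base - risk.treated(combo).expected_exposure() - sum(t.cost for t in combo)
            if net > best_net:
                best, best_net = combo, net
    return best, best_net


def post_treatment_register(risks: list[Risk]) -> list[Risk]:
    """Apply each risk's best-value treatment set; this is the post-treatment register."""
    return [r.treated(best_treatment_set(r)[0]) for r in risks]


def example_register() -> list[Risk]:
    """Constructed sample register; all probabilities, impacts and costs are made up."""
    return [
        Risk("Flood delays site works", 0.20, (50_000, 150_000, 400_000),
             [Treatment("Temporary flood barriers", 30_000, impact_factor=0.5),
              Treatment("Reschedule works outside wet season", 10_000, probability_factor=0.25)]),
        Risk("Key supplier misses delivery", 0.35, (20_000, 60_000, 120_000),
             [Treatment("Dual-source critical items", 15_000, probability_factor=0.4)]),
    ]


if __name__ == "__main__":
    pre = example_register()
    post = post_treatment_register(pre)
    for label, reg in (("Pre-treatment", pre), ("Post-treatment", post)):
        sim = simulate(reg)
        print(f"{label}: expected {register_expected_exposure(reg):,.0f}, "
              f"simulated mean {sim['mean']:,.0f}, P80 {sim['p80']:,.0f}")
    for r in pre:
        chosen, net = best_treatment_set(r)
        print(f"{r.name}: {[t.name for t in chosen] or 'no treatment pays off'} (net benefit {net:,.0f})")
```

Note that a treatment can reduce exposure and still not be worth taking; in the constructed register the supplier treatment costs more than the expected exposure it removes, so the best-value set for that risk is empty and its post-treatment exposure equals its pre-treatment exposure. The P80 figure from the simulation is the kind of value that would be carried as cost contingency.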

Risk Status (Inactive / Active / Past)

To manage the risks in the register effectively, a helpful feature is that of the risk status, to focus attention where it is most needed. Typically, risks are assigned one of three statuses:

    • Inactive risks are those that have been identified but not accepted as actively applicable in the risk register. Inactive risks may be awaiting further information to better define them before being accepted or may have been rejected, either as being invalid or as of negligible or too low magnitude to warrant being made active. Inactive risks need to be regularly reviewed and converted to “active” status if justifiable or discarded from further consideration and transferred to a discarded risk register.
    • Active risks are those that are currently recognised as open threats to or opportunities for the project. Active risks need to be regularly monitored and fully assessed by the project team to ensure that they are treated as necessary. Active risks need to be regularly reviewed, the status of agreed treatments reported against planned implementation commitments and dates and action taken to ensure revised dates are agreed where planned dates have not been met.
    • Past risks are those that have been assessed to no longer pose a threat or opportunity to the project’s objectives. This usually occurs through change of project phase or through the passage of time. Risks should only be assessed as “past” when they genuinely can no longer have an impact on a project’s objectives. Where risks are no longer applicable, they should be converted to “past” status as appropriate and recommendations made regarding any time or cost contingency allocated against them.

Risk Owner

Each risk should be assigned a risk owner. The risk owner is the person accountable for all necessary steps required to manage the risk, including its treatments. That person may be responsible for the day-to-day monitoring and management of the risk or may delegate that responsibility to someone else, in which case the responsible person reports regularly to the Risk Owner. The risk owner should be someone with a full technical understanding of the risk and its implications. Additionally, the risk should only be assigned to an owner who has the authority to ensure that all necessary steps required to manage the risk are enacted. Assigning risk responsibility without authority ultimately results in the inability to manage the risk effectively.