f you’re building a dam, trying to figure out why the Space Shuttle crashed, or exploring causes of an oil rig fire there is a discipline called Engineering Risk Analysis that has an extremely mathematical basis and rigorous procedure. If on the other hand you’re managing a software project, a marketing roll-out, a construction project or even an event for a school or charity, risk analysis and assessment is a continuous process. Project managers in particular are on the lookout not only for obvious events, but also for trends and decision-making processes that may indicate an increase in risk.

The bulk of this work is in monitoring of current events, situations, and processes and constant evaluation of risk based on these factors as a background activity. Constant small adjustments can be made without fanfare to bring risk anomalies back into line with acceptable parameters; however, when the assessor feels that risk is approaching an unacceptable level closer examination is needed. If the initial indications are borne out (risk is outside acceptable parameters) the assessor should issue a formal Risk Assessment to the appropriate team members and decision makers.

Knowing the parameters:

It’s important for the person assessing risk to have a solid understanding of the project’s (and project sponsor’s or owner’s) risk position. Some projects have a fixed end date (it’s been announced, the venue is booked, etc.); some must adhere to company or governmental codes or specifications; some have a fixed cost. Sometimes the project owner is just very risk-averse and needs to know everything; much more often (and usually much more sensibly) there is some room for movement in some or all of the project dimensions and a rising risk can be easily managed by adjustments in the project or process.

Situations triggering formal risk assessment:

Three primary types of situation trigger a formal risk assessment:

· Current course of action: a current course of action, often based upon a recent decision, has increased risk to the point where it is outside acceptable levels

· Comparison of options: a decision point exists where one of several options must be chosen and an analysis of the risk must be undertaken to show all sides of cost, not just cost of implementation of the option

· Trends: the assessor has observed a trend in behavior or metrics that is escalating risk in some factor of the project or process

How to assess the risk:

The steps to take in performing a risk assessment are fairly straightforward; all costs would be approximations for comparison purposes only:

1. Clearly define the process, project, or action that is causing concern

2. Define goals of process/project/action: Before you can assess the risk of a situation you must understand (and any decision-makers must understand) what is trying to be achieved by the process, project, or action. This is also key to the assessment of risk – if the goal of a process is to shorten schedule time but the current implementation is going to cause a schedule risk an adjustment is clearly necessary.

3. Assess risk of change to any of the four dials: The easiest way to assess risk is to look at each of the four dials and predict whether the activity being assessed will cause a significant change (in the wrong direction) for the parameter. The four dials are these:

· Schedule

· Cost (in people, dollars, other resources)

· Scope

· Quality

4. If multiple options for a course of action to achieve the stated goal are being assessed, determine pros and cons of each and compare the pros, cons, and risks of each.

5. Determine whether any mitigating actions are available to help lower the risk and the cost of each.

6. Note any possible contingencies to be enacted if the projected risk is realized (recovery actions) and the cost of each.

7. Determine recommendations, if any, to be made.


How to report the risk assessment:

Once the assessment is complete it must be communicated to those responsible for making a decision on a course of action. A risk analysis/assessment report should be created with the results of the analysis and issues and sent to (or discussed with)the appropriate stakeholders. The contents of the report may vary depending on the situation that triggered the assessment.

Report Contents– Current course of action

· Overview of course of action

· Current goal

· Current status

· Current risk position

· Current risk factors

· Proposed mitigation steps

· Contingencies

· Recommendations


Report format – Comparison of options

· Overview of need for decision

· Current goal

· Current status

· Risk of delaying selection of option

· For each option:

o Risk factors (4 dials)

o Pros

o Cons

o Implementation cost

o Proposed risk mitigation steps

o Possible contingency plan and cost

· Table comparing options

· Recommendation

Report format – Trend

· Overview of trend

· Current goal

· Current status

· Current risk position

· Current risk factors

· Proposed mitigation steps

· Contingencies

· Recommendations

And then what?

With any luck the project owner will determine a course of action based on the recommendations made in the report, including implementation of mitigation steps. No change is still a decision – if it’s communicated. After issuing the report follow up until you have determined that the owner/sponsor/stakeholders have actually read the report and understand its contents, and ask whether they would like to take any action at this time. Once you receive an answer, proceed with the course of action as decided.


If the project owner did not want to change course be sure to report regularly on the risk and any risk mitigation actions being taken. If the risk mitigation doesn’t work (i.e., something bad happens as predicted), unless there was specific feedback indicating that the contingency plans were not acceptable, announce that the contingency plans will be put in motion and remind everyone of any associated costs. In this way the project owner is kept aware of the risk, mitigation steps, and contingency plans and should be ready to pull the trigger on them. Be sure to continue reporting until the risk (or resulting situation) is contained.