HOW HIGH IS HIGH?
© January 2007, Dr David Hillson PMP FAPM
david@risk-doctor.com
Common definitions of “risk” describe it as an uncertainty
which, if it occurs, would affect one or more objectives. These two
dimensions of risk (uncertainty and its effect) are commonly called
“probability” and “impact”, though other terms are used. Deciding
the importance of a particular risk requires assessment of these
two dimensions, as well as other characteristics.
The most basic risk assessments often use descriptive labels for probability
and impact, such as High, Medium and Low. This would mean that a risk which
is not very likely to happen but which would have a major effect if it occurred
could be described as “Low-High”. While this practice is very common, it can
lead to significant misunderstandings. For example, if I tell a colleague that
one of my risks was assessed as Low-High, she has no way of knowing exactly
what I mean. When I say “Low probability”, do I mean that the risk has a one-in-a-million
chance of happening, or do I use this term to mean less than 50%? In the same way,
does “High impact” mean a total disaster leading to loss of the business, or
does it mean a delivery delay of one month?
The usual solution to this potential problem is to define scales for probability
and impact for a particular situation, and to insist that all risk assessments
of this situation use the same scales. So everyone assessing risks to a specific
project might agree that “Low probability” will mean 10-30%, and that “High
impact” will mean more than 12 months' schedule change or more than $100,000 cost
change.
This raises a couple of important questions: who defines the scales, and how?
Definitions of probability and impacts are an expression of the risk threshold
or risk appetite for a particular project or business situation. This means
that they should be defined by the person who owns the objectives which are
at risk. For a project, this means the project sponsor in discussion with other
key stakeholders. For a business decision, the responsible manager must determine
where to set the risk threshold.
This still leaves the question of how to set the numbers. Probability scales
are easy to define, by simply dividing the 1-99% range into several sections.
Impact is more difficult. Who is to say whether a delay of one month represents
a mere inconvenience or a total disaster? Would saving €50,000 be a triumph
or just a pleasant surprise?
The process for setting the impact scale for threats is for the responsible
person first to decide how much impact would be completely intolerable, describing
this in terms of each key objective (e.g. time, cost, performance, reputation
etc.). These values are associated with the top impact scale point (such as
Very High). The lowest scale point (for example Very Low) is addressed next,
setting this to a level of impact which is regarded as negligible. Intermediate
scale points (e.g. Low, Medium etc.) can then be set between these outer limits.
Once the threat scales are set, they can be inverted to form scales to be used
for assessing opportunities. This simply requires treating impacts as negative
for threats (lost time, additional cost, damaged reputation etc.), and as positive
for opportunities (saved time or cost, enhanced reputation etc.). Alternatively,
an organisation may decide to define specific opportunity scales which differ
from threat scales.
Defining probability and impact scales in this way allows everyone assessing
risks to use a common framework. My “Low-High” can then be understood by all
my colleagues, and it will mean the same as their “Low-High”. All the risks
within a particular project or business situation will be assessed using the
same definitions, allowing us to rank them by their relative importance. This
simple definition process answers the question “How high is High?”, and makes
sure that we are all speaking the same language when assessing our risks.