Impact vs. Probability
All organizations activities involve risk. Risks are events caused by uncertainties, which can have a positive or negative effect on the activities objectives. As all projects are unique, the associated risk varies between projects. Therefore, Risk Management is an important part of any organizations as proper management increases the success of a project [1]. Risk management involves identifying possible risks, analyzing each risk potential in order to respond to and control the most significant threats and opportunities [2]. The risk analysis is a two-stage assessment process. Initially, qualitative methods are used to examine the identified risk to categorizing and determine the main risk events which are relevant for a quantitative assessment. In risk analysis, risk is traditionally defined as a function of probability and impact [3]. The risk probability is likelihood of an event occurring and the consequences, the extent to which the project is affected by the risk event, are the impacts of risk. By combining the probability and impact, the Level of Risk can be determined. There are various aspects of the project that can be impacted by a risk event [3]. These are aspects such as cost, safety, operational, quality, etc. A commonly used and popular method of risk assessment is preparing descriptive scales to rank risk in terms of probability and impact. These are often referred to as Impact/Probability Matrix or Risk maps and can take both qualitative and quantitative values. This method of risk assessment has its limitations and drawback. However, it is a simple and easy to understand method of prioritizing risks and allocating resources [4] .
Contents |
Background
Risk management is a four-stage process, the first being identification of risks, second analysis (assessment), then the risk response and finally the risk monitoring [1]. In risk analysis, risk can be defined as a function of impact and probability [3]. During the analysis stage, the risk identified during the Risk Identification Process can be prioritized from the determined probability and impact of the risk event. Other factors, such as the response ttime frame and the tolerance should be taken into account when analyzing and categorizing the risks [5].
Objective | Relative / Numerical Scale | |||||
---|---|---|---|---|---|---|
Very Low / 0.05 | Low / 0.1 | Moderate / 0.2 | High / 0.4 | Very High /0.8 | ||
Cost | Ble | Bla | Blu | Blo | Blæ | |
Time | Ble | Bla | Blu | Blo | Blæ | |
Scope | Ble | Bla | Blu | Blo | Blæ | |
Quality | Ble | Bla | Blu | Blo | Blæ |
Impact
Impacts are often defined as the consequences, or effect, of a risk event on a project objectives. These impacts can be both beneficial or harmful to an enterprises activity [3]. The impact of risk events on different project objectives can be defined in both a qualitative and quantitative manner. These project objectives are cost, schedule, quality, scope, health, safety, etc. The Impact scale can vary, but the most common scale is the five-point scale. Typically, the impacts are described relative as very low, low, moderate, high and very high but often also with defined numerical scales. Dependent on the objective, the scales are given a description of what the impact entails [5]. One risk event can affect more than one objective, so the impact of all the possible objective effected must be considered [3].
Likelihood | Description | |
---|---|---|
Relative | Numerical | |
Very Low | 0.1 | Highly unlikely to occur. |
Low | 0.3 | Will most likely not occur |
Moderate | 0.5 | Possible to occur |
High | 0.7 | Likely to occur |
Very High | 0.9 | Highly likely to occur |
Probability
Probability distributions are often used to represent uncertainties in projects. Objects uncertainties such as the duration of activates in the schedule and cost of components, are often represented by the continuous probability distributions. Uncertain events, such as scenarios in a decision tree, are often represented by discrete distributions [5].
Impact vs. Probability
Risk analysis is a two-stage process. Qualitative risk assessment is the first stage in the risk analysis. By using qualitative methods for risk assessment, the risk can be prioritized for further quantitative assessment or even risk response planning. Quantitative risk assessment is the next stage in risk analysis. The process is involves analyzing the effects of risks on the overall project objectives. They primarily focus on the risks which have been prioritized in the qualitative risk assessment. To ensure the quality and credibility of the risk analysis, general definitions of impact and probability levels must be fitted to individual project context [5].
Qualitative Analysis
Qualitative methods for risk assessment are relatively rapid in practice, cost effective and easily understood [3]. The result form qualitative assessments are not an accurate estimate of risk. However, they provide a rather a descriptive result and often with sufficient information for planning responses. The results from qualitative risk assessment also lay the foundation for more detailed quantitative risk analysis, if possible and warranted. It is performed regularly throughout a projects life cycle as new risk may emerge at later stages as well as response to a risk may result in other risk events [5]. Classifying the risks enables organizations to reduce uncertainty levels and focus primarily on the high-risk events. There are two qualitative methods of assessing risk events in terms of impact and probability, both involving rating the impact and probability. These are Risk Probability and Impact Assessment and Probability and Impact matrix [5]. t.
Risk Probability and Impact Assessment
The probability assessment involves estimates the likelihood that the risk will occur. The risk impact assessment estimates the effect of a risk event on a project objective. These impacts can be both positive and negative, that is opportunities and threats. The project objectives are numerous, the schedule, cost, quality and scope to name a few. For each identified risk, the impact and probability are assessed. Interviews and meeting with experienced project participants, stakeholders, and experts in the subject are the basis for the risk impact and probability assessment. These impacts and probabilities are rated and the level of impact and probability is assessed. The risk which receive high ratings are investigated further or an appropriate response is planned. The low rated risks do not require an emaciated action but should be included in the risk register or monitoring [5].
Probability and Impact Matrix
The Probability and Impact Matrix is one the most commonly used qualitative risk assessment method. It is based on the two components of risk, probability of occurrence and the impact on objective/objectives if it occurs. The matrix is a two-dimensional grid that maps the likelihood of the risk occurrence and its effects on the project objectives [5]. The risk score, often referred to as risk level or the decree of risk, is calculated by multiplying the two axes of the matrix.
As the impact and probability can be described in both a relative and numerical manner so can the risk score. The higher the combined ratings are, the higher the score and thus risk level. These ratings are generally defined from low to high or very low to very high [3]. The ratings for likelihood and impact are made using gathered opinions from interviews [2]. These ratings of must be classified by each organization, specific for each activity, as they must define what would result in high, moderate or low risk for their activity. Creating these definitions of impact and probability levels can hlp reducing the influence of bias [5]. The result from these risk matrices are used to prioritize the risks, plan the risk response, identify risk which need to be examined further, possibly by quantitative methods and guide resource allocations [6]. However, the objective which is effected by the risk must also be considered. For example, a risk events which has high safety or health risk would be prioritized over a risk event which would have very high financial risk [3].
Low impact – Low probability: The risks that are characterized as low, or very low, risks have both a low impact and likelihood of occurrence. For negative risks, threats, the response required is not necessarily as proactive management action. However, they should be included within the risk register for future monitoring. Positive risks, opportunities, within the low-risk category should be monitored or just simply accepted. Opportunity acceptance means taking advantage of the opportunity if it arises, but not actively pursuing it [5].
High impact – Low probability: Risks with high impact but low likelihood of occurrence can be characterized from low to high risks but most often within the moderate category. The characterization is dependent on the organizations defined threshold. These events rarely occur, defined as rare catastrophes. It is difficult to determine the probability based on historical records due to lack of data. Therefore, the probabilities must be estimated subjectively. The most commonly responses are to insure or mitigate the problem [7].
Low impact – High probability: Risks with low impact but high likelihood of occurrence can be characterized from low to high risks but most often within the moderate category. The characterization is dependent on the organizations defined threshold. These risks are mostly due to uncertainties of numerous elements that individually, are minor risks but combined, could amount to higher risks. These are such uncertainties as actual cost and duration of different aspects of a project, changes to activates or other similar uncertainties, that alone, have little impact [7].
High impact – High probability: The risks that are characterized as high risks have both a high impact and likelihood of occurrence. A risk which has a negative impact, is a threat to the objective, may need priority actions and aggressive responses. These aggressive responses could be mitigation of the risk or even terminating the project if the risk is to great. A risk that has a positive impact, is an opportunity, is most likely obtained easily, with the greatest benefits and should thus be targeted first [5].
Quantitative Analysis
Quantitative risk assessment methods provide a more accurate analysis results than the qualitative risk assessment. However, they are costlier and often time consuming, so only the risk prioritized by the qualitative risk assessment are analyzed. These methods are mostly used to analyze the combined effect of all affecting risks. The most important benefit is that the information produced support decision making and reduce project uncertainty. In some cases, quantitative methods are not applicable due to lack of sufficient data but that must be evaluated by the project manager. The analysis should be repeated as a part of risk control to determine whether the overall risks are reaching a desirable state [5].
Probability distributions
The continuous probability distributions often represent the uncertainty in objectives. such as durations of schedule activities and costs of project components. Discrete distributions can be used to represent uncertain events, such as the outcome of a test or a possible scenario in a decision tree. Two examples of widely used continuous distributions are shown in Figure 11-14. These distributions depict shapes that are compatible with the data typically developed during the quantitative risk analysis. Uniform distributions can be used if there is no obvious value that is more likely than any other between specified high and low bounds, such as in the early concept stage of design.
Sensitivity analysis
Sensitivity analysis is a quantitative technique useful to determine the variables which have the greatest effect on the risk [7]. They help estimating risks with the most potential impact and how variations in the objectives and different uncertainties are correlated, the effect of each element on the objectives [5]. They also help assess probability of the project decisions being affected by the concrescences and risk actions which result in the desired outcome can be identified. Generally, it is only the highest risk scenarios which are considered in the sensitivity analysis. These analyses can be time consuming and costly, this is often why qualitative analysis such as Probability and Impact Matrix is used to identify the highest concerning risks [8].
Limitations
Qualitative methods are imprecise. They are just estimates and it can happen that unlikely risk do happen and likely things sometimes never come to pass. The quality of the information available influences the quality of the results so the information must be evaluated to help determining the risks importance but it can also [3]. When using the Probability and Impact Matrix, risk that are quantitative different can get the same rating and often the risks are overestimated. The results from the Probability and Impact Matrix are subjective and are thus open to more than one interpretation [6]. The matrix doesn’t provide the possibility of assessing the overall project risks nor address risk interactions and correlations. Not all concepts of risk of risk can be mapped to a Probability and Impact Matrix, as the tool is designed around an event oriented risk concept. The practice often is impractical until a certain maturity level where some of the best opportunities for risk management may have passed [9]. Quantitative methods often provide more accurate results but are costly and time consuming. Using numbers may imply more precision in results. However, the data and techniques used in these methods also need to be considered. If the models used are incorrect or don’t represent reality the result is meaningless. Same with the inputs. If the inputs are wrong the result from the analysis is useless. In risk analysis, this is a problem as assumptions are not always apparent [3].
Annotated bibliography
References
- ↑ 1.0 1.1 1.2 Winch, G.M. (2010) Managing Construction Projects: An Information Processing Approach, Second Edition. Oxford: Wiley-Blackwell Publishing
- ↑ 2.0 2.1 Maylor, H. (2010) Project Management, Fourth Edition. Harlow, England: Pearson Education Limited
- ↑ 3.0 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 Curtis, P. & Carey, M. (2012) Risk Assessment in Practice. Deloitte & Touche LLP
- ↑ The MITRE Corporation. (2014) MITRE Systems Engineering Guide. The United States: MITRE Corporate Communications and Public Affairs
- ↑ 5.00 5.01 5.02 5.03 5.04 5.05 5.06 5.07 5.08 5.09 5.10 5.11 5.12 5.13 Project Management Institute, Inc. (2013). A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Fifth Edition. Newtown Square, Pennsylvania: Project Management Institute, Inc
- ↑ 6.0 6.1 Cox, L. (2008). What's Wrong with Risk Matrices? Risk analysis: an official publication of the Society for Risk Analysis. 28(2), 497-512
- ↑ 7.0 7.1 7.2 National Research Council. (2005). The Owner’s Role in Project Risk Management. Washington, D.C: The National Academies Press
- ↑ Iloiu, M. & Csiminga, D. (2009). Project RISK Evaluation Methods - Sensitivity Analysis. Annals of the University of Petroşani, Economics, 9(2), 33-38
- ↑ Risk Management Capability Ltd. (2005). Probabilit- Impact Matrix (PIM). http://www.rmcapability.com/resources/Capability+Guidance+Sheet+-+Probability-Impact+Matrix.pdf
</references>