Most project management standards advocate performing qualitative risk analysis to prioritize and subsequently address high-priority risks. Unfortunately, common risk assessments only use probability and impact. These two dimensions, although widely advocated, are inadequate in analyzing project risks qualitatively.
What good is it to know the probability and impact of a risk if we have no clue on how easily (or difficult) we can detect it? In order to better perform qualitative risk analysis, we need to add a third dimension—the project’s ability to detect a risk.
Based on historical records, we can determine the probability of when a tornado or earthquake may occur during certain times of the year for specific locations. Likewise, we can determine its impact. But, what if we don’t have an early detection system? Our best probability analysis will not prevent us from getting blindsided.
Connect with Dr. John A. Estrella via Facebook, LinkedIn and Twitter.
I think for many projects PMI descriptions of standard risk analysis are kind of overblown. I’m talking about rolling out a software package here more than building the golden gate bridge. In many cases a quick and dirty list of forseeable risks with simple mitigation strategies is all you really need.
Curt, I somewhat agree with you. If you have a list of 25 or so risks, a simple risk register may do the trick. However, for larger projects, it is usually good to prioritize the risks so that you can plan your risk responses accordingly. Otherwise, you may end up spending effort on risks that are not really that important.