Evaluate and categorize each identified risk using defined risk categories and parameters, and determine its relative priority.

The evaluation of risks is needed to assign a relative importance to each identified risk and is used in determining when appropriate management attention is required. Often it is useful to aggregate risks based on their interrelationships and develop options at an aggregate level. When an aggregate risk is formed by a roll up of lower level risks, care must be taken to ensure that important lower level risks are not ignored.

Collectively, the activities of risk evaluation, categorization, and prioritization are sometimes called a risk assessment or risk analysis.

The acquirer should conduct a risk assessment before solicitation to evaluate if the project can achieve its technical, schedule, and budget constraints. Technical, schedule, and cost risks should be discussed with potential suppliers before the solicitation is released. Using this approach, critical risks inherent in the project can be identified and addressed in the solicitation.

Typical Work Products

1.    List of risks and their assigned priority

Typical Supplier Deliverables

1.    List of risks and their assigned priority

Subpractices

1.    Evaluate identified risks using defined risk parameters.

Each risk is evaluated and assigned values according to defined risk parameters, which may include likelihood, consequence (severity or impact), and thresholds. The assigned risk parameter values can be integrated to produce additional measures, such as risk exposure, which can be used to prioritize risks for handling.

Often, a scale with three to five values is used to evaluate both likelihood and consequence.

Probability values are frequently used to quantify likelihood. Consequences are generally related to cost, schedule, environmental impact, or human measures (e.g., labor hours lost and severity of injury).

Risk evaluation is often a difficult and time-consuming task. Specific expertise or group techniques may be needed to assess risks and gain confidence in the prioritization. In addition, priorities may require reevaluation as time progresses.

2.    Categorize and group risks according to defined risk categories.

Risks are categorized into defined risk categories, providing a means to review them according to their source, taxonomy, or project component. Related or equivalent risks may be grouped for efficient handling. The cause-and-effect relationships between related risks are documented.

3.    Prioritize risks for mitigation.

A relative priority is determined for each risk based on assigned risk parameters. Clear criteria should be used to determine risk priority. Risk prioritization helps to determine the most effective areas to which resources for risks mitigation can be applied with the greatest positive impact to the project.