Evaluate and categorize each identified risk using defined risk categories and parameters, and determine its relative priority.
The evaluation of risks is needed to assign a relative importance to each identified risk and is used in determining when appropriate management attention is required. Often it is useful to aggregate risks based on their interrelationships and develop options at an aggregate level. When an aggregate risk is formed by a roll-up of lower-level risks, care must be taken to ensure that important lower-level risks are not ignored.
Collectively, the activities of risk evaluation, categorization, and prioritization are sometimes called a risk assessment or risk analysis.
The acquirer should conduct a risk assessment before solicitation to evaluate if the project can achieve its technical, schedule, and budget constraints. Technical, schedule, and cost risks should be discussed with potential suppliers before the solicitation is released. Using this approach, critical risks inherent in the project can be identified and addressed in the solicitation.
Typical Work Products
1. List of risks and their assigned priority
Typical Supplier Deliverables
1. List of risks and their assigned priority
Subpractices
1. Evaluate identified risks using defined risk parameters.
Each risk is evaluated and assigned values according to defined risk parameters, which may include likelihood, consequence (severity or impact), and thresholds. The assigned risk parameter values can be integrated to produce additional measures, such as risk exposure, which can be used to prioritize risks for handling.
Often, a scale with three to five values is used to evaluate both likelihood and consequence.
Likelihood, for example, can be categorized as remote, unlikely, likely, highly likely, or a near certainty.
Example categories for consequence include the following:
· Low
· Medium
· High
· Negligible
· Marginal
· Significant
· Critical
· Catastrophic
Probability values are frequently used to quantify likelihood. Consequences are generally related to cost, schedule, environmental impact, or human measures (e.g., labor hours lost and severity of injury).
Risk evaluation is often a difficult and time-consuming task. Specific expertise or group techniques may be needed to assess risks and gain confidence in the prioritization. In addition, priorities may require reevaluation as time progresses.
2. Categorize and group risks according to defined risk categories.
Risks are categorized into defined risk categories, providing a means to review them according to their source, taxonomy, or project component. Related or equivalent risks may be grouped for efficient handling. The cause-and-effect relationships between related risks are documented.
An acquirer’s risk categories may include sourcing, contract management, and supplier execution, in addition to project management, technology, and requirements.
3. Prioritize risks for mitigation.
A relative priority is determined for each risk based on assigned risk parameters. Clear criteria should be used to determine risk priority. Risk prioritization helps to determine the areas where resources for risk mitigation can be applied with the greatest positive impact on the project.
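
The three subpractices above, carried through on a small register as an added example (not part of the original text). It assumes a 1-5 numbering of the likelihood and consequence scales, risk exposure computed as their product, and an attention threshold of 15; the register entries are constructed.

```python
from collections import defaultdict
from statistics import mean

# Ordinal scales taken from the text; the 1-5 numbering is an assumption.
LIKELIHOOD = ["remote", "unlikely", "likely", "highly likely", "near certainty"]
CONSEQUENCE = ["negligible", "marginal", "significant", "critical", "catastrophic"]
ATTENTION_THRESHOLD = 15  # assumed exposure that triggers management attention

# Constructed sample register: (id, category, description, likelihood, consequence)
REGISTER = [
    ("R1", "sourcing", "Single qualified supplier", "likely", "critical"),
    ("R2", "sourcing", "Bid evaluation delay", "unlikely", "marginal"),
    ("R3", "technology", "Unproven interface standard", "highly likely", "significant"),
    ("R4", "supplier execution", "Supplier staff turnover", "likely", "marginal"),
    ("R5", "supplier execution", "Defect escapes acceptance test", "unlikely", "catastrophic"),
    ("R6", "supplier execution", "Late test environment", "near certainty", "critical"),
    ("R7", "supplier execution", "Document format deviations", "remote", "negligible"),
]

def rank(scale, value):
    """Position of a label on its scale, starting at 1."""
    return scale.index(value) + 1

def exposure(risk):
    """Assumed measure: likelihood rank x consequence rank (1..25)."""
    return rank(LIKELIHOOD, risk[3]) * rank(CONSEQUENCE, risk[4])

def prioritize(register):
    """Highest exposure first; ties go to the more severe consequence."""
    return sorted(register, key=lambda r: (-exposure(r), -rank(CONSEQUENCE, r[4]), r[0]))

def roll_up(register):
    """Aggregate per category, keeping lower-level risks over the threshold visible."""
    groups = defaultdict(list)
    for risk in register:
        groups[risk[1]].append(risk)
    return {
        category: {
            "mean": mean(exposure(r) for r in risks),
            "max": max(exposure(r) for r in risks),
            "escalate": [r[0] for r in risks if exposure(r) >= ATTENTION_THRESHOLD],
        }
        for category, risks in groups.items()
    }

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{exposure(r):>2}  {r[0]}  {r[1]:<18} {r[2]}")
    for category, s in sorted(roll_up(REGISTER).items()):
        print(f"{category:<18} mean={s['mean']:.2f} max={s['max']} escalate={s['escalate']}")
```

The "supplier execution" roll-up averages below the threshold even though R6 exceeds it, which is why the aggregate carries an explicit escalation list rather than a single score.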