SP 2.2 Evaluate, Categorize, and Prioritize Risks

Process Area: RSKM
Level: 2
Goal: SG 2
Practice: SP 2.2

Evaluate and categorize each identified risk using the defined risk categories and parameters, and determine its relative priority.

The evaluation of risks is needed to assign relative importance to each identified risk, and is used in determining when appropriate management attention is required. Often it is useful to aggregate risks based on their interrelationships, and develop options at an aggregate level. When an aggregate risk is formed by a roll-up of lower-level risks, care must be taken to ensure that important lower-level risks are not ignored.

Collectively, the activities of risk evaluation, categorization, and prioritization are sometimes called “risk assessment” or “risk analysis.”

Typical Work Products

1.    List of risks, with a priority assigned to each risk

Subpractices

1.    Evaluate the identified risks using the defined risk parameters.

Each risk is evaluated and assigned values in accordance with the defined risk parameters, which may include likelihood, consequence (severity, or impact), and thresholds. The assigned risk parameter values can be integrated to produce additional measures, such as risk exposure, which can be used to prioritize risks for handling.

Often, a scale with three to five values is used to evaluate both likelihood and consequence. Likelihood, for example, can be categorized as remote, unlikely, likely, highly likely, or a near certainty.

Examples for consequences include the following:

·   Low, Medium, High

·   Negligible, Marginal, Significant, Critical, Catastrophic

Probability values are frequently used to quantify likelihood. Consequences are generally related to cost, schedule, environmental impact, or human measures (e.g., labor hours lost and severity of injury).

This evaluation is often a difficult and time-consuming task. Specific expertise or group techniques may be needed to assess the risks and gain confidence in the prioritization. In addition, priorities may require reevaluation as time progresses.

2.    Categorize and group risks according to the defined risk categories.

Risks are categorized into the defined risk categories, providing a means to look at risks according to their source, taxonomy, or project component. Related or equivalent risks may be grouped for efficient handling. The cause-and-effect relationships between related risks are documented.

3.    Prioritize risks for mitigation.

A relative priority is determined for each risk based on the assigned risk parameters. Clear criteria should be used to determine the risk priority. The intent of prioritization is to determine the most effective areas to which resources for mitigation of risks can be applied with the greatest positive impact to the project.
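
The three subpractices above can be sketched as a small risk-register script. This is an added example, not part of the original practice text. The likelihood and consequence labels come from the text; the 1 to 5 scores, the exposure formula (likelihood score times consequence score), the escalation threshold, and the sample register are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ordinal scales: the labels come from the page; the 1-5 scores are assumed.
LIKELIHOOD = {"remote": 1, "unlikely": 2, "likely": 3, "highly likely": 4, "near certainty": 5}
CONSEQUENCE = {"negligible": 1, "marginal": 2, "significant": 3, "critical": 4, "catastrophic": 5}
ESCALATE_AT = 15  # assumed exposure threshold for management attention

# Constructed sample risk register: (id, category, likelihood, consequence).
REGISTER = [
    ("R1", "supplier", "likely", "marginal"),
    ("R2", "supplier", "unlikely", "negligible"),
    ("R3", "supplier", "highly likely", "critical"),
    ("R4", "schedule", "likely", "significant"),
    ("R5", "schedule", "likely", "significant"),
]

def exposure(likelihood, consequence):
    """Risk exposure as likelihood score x consequence score (assumed formula)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]

def evaluate(register):
    """Subpractice 1: score every risk; unknown labels raise KeyError."""
    return [{"id": r, "category": c, "exposure": exposure(l, q)} for r, c, l, q in register]

def roll_up(scored, threshold=ESCALATE_AT):
    """Subpractice 2: group by category, keeping members the mean would hide."""
    groups = defaultdict(list)
    for risk in scored:
        groups[risk["category"]].append(risk)
    summary = {}
    for category, members in groups.items():
        values = [m["exposure"] for m in members]
        summary[category] = {
            "mean": sum(values) / len(values),
            "max": max(values),
            # Members at or above the threshold are surfaced individually.
            "escalate": [m["id"] for m in members if m["exposure"] >= threshold],
        }
    return summary

def prioritize(scored):
    """Subpractice 3: highest exposure first; ties broken by id for stability."""
    return [r["id"] for r in sorted(scored, key=lambda r: (-r["exposure"], r["id"]))]

if __name__ == "__main__":
    scored = evaluate(REGISTER)
    print(prioritize(scored))
    print(roll_up(scored))
```

In the sample register the "supplier" group has a lower mean exposure than "schedule", yet it contains the single highest risk; the "escalate" list is what keeps that lower-level risk from being lost in the roll-up.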
