The Impact of a risk may be to the project and its success criteria (eg budget and timeframes or the quality of the project output) or it could be to the business as a result of the way the project is carried out, or even by bringing in a new product.
If you launch a new product there are always risks. These include risks that you won’t achieve sales targets, risks that customer complaints will go up, and risks that regulatory and compliance requirements may be introduced that increase forecast operational expenses. (Risks can also be positive.)
The easiest risk impacts on project performance to measure are impact to project time and schedule, and to some degree quality, through compliance with requirements, but how do you measure customer satisfaction or company brand or some of the other more long term and strategic impacts?
Impact assessments, like likelihood estimates, are often classified into tiers. As a demonstration of the types of impacts I have created a sample table below with more than just financial impacts. It includes impacts such as shareholder value, reputation and regulatory compliance.
There are many more types of impacts as well and you can look to your industry to come up with typical examples. Health and Safety and environmental impact are two popular categories.
However you categorise risks your team doesn’t have to restrict themselves to the list. Just because my table doesn’t address environmental risks doesn’t mean we shouldn’t consider the risk unexpected disposal costs as a result of the type of batteries e install into our computers we manufacture.
Like most things I have been describing here, these assessment tables are primarily guidelines and communications tools. The aim is to inform people what the impact of risks are so that they can be properly prioritised and managed.
Assessments are best done in groups or in an iterative process to normalise estimates. Regular project risk meetings can provide an opportunity for a consensus assessment of risks. An alternative (and possibly better) approach is to have an expert on (or near) the project team who liaises with the appropriate subject matter experts on the risk metrics.
All sorts of rules and processes can be developed to reduce the impact of personal interpretation but in my opinion the best guideline for risk assessment is breadth of experience and deep local subject matter expertise. An adjunct, but an important one, to this is reading up on the risk areas in your industry so you can be informed beyond your personal experience.
Once the likelihood and impact are understood the risk can be prioritised according to its importance. Prioritisation is a necessity as it’s unlikely that the project will have the resources to deal with all potential risks, nor would it want to if the gates are open for SMEs to suggest all risks that occur to them.
Closing out this topic; categories and thresholds help people rate risks, which in turn can assist people in prioritising them. Appropriate threshold guidelines complement expertise and research. Them more experience you bring to bear the better your assessment and rating.
Craig Brown has worked as a project manager and business analyst mainly in the Australian ITC and the banking industries. He has also worked in the law, education and welfare industries, including starting a law firm. Craig now has a Master’s degree in project management from RMIT university, and is currently working with a Melbourne based IT consulting firm called OptimiseIT. Craig’s personal blog can be found at http://www.betterprojects.net.