The Risk Matrix

Table 10.1 illustrates the basic risk-management matrix. It summarizes the risk, the assessment of the risk, and the planned actions to monitor, prevent, or mitigate the results of the risk. The content in the table is only for illustration; your content should be much more specific to your project. However, I do encourage you to follow the lead of combining like risks in order to keep the overall length of the list to a reasonable number of items (i.e., less than a dozen or so). You should define what a reasonable number of items is based on the overall risk and size of your project. Relatively small projects (i.e., less than a few million dollars and under one year) should not have a risk list in excess of ten items. If your list for a project of this size just seems to have many more high-impact, high-consequence risks, you should ask yourself if you really want to do that project!

The second column in Table 10.1 gives a description of the potential risk event. You may start with a list of many specific events that people can imagine and then lump them together for subsequent analysis. You may also categorize risks in terms of their probability and potential impact; the next two columns; that is, you may have one event for low-impact natural events and another for high-impact natural events. The reason to do this is that the two types of events will lead to different mitigation strategies.

David Hilson [6] provides a risk-statement format that I find useful to clarify the risk: "As a result of <cause>,<effect> may occur, which would lead to consequence." I have used italics for the effect in the example risk statements in Table 10.1 to illustrate how to use the format.

Columns 3,4, and 5 provide a relative quantification of risk. Risk is the product of consequence and probability. The legend below the table provides one possible

Table 10.1 The Risk Matrix

# Risk Event

1 As a result of a natural event, work delay may result, which would lead to delaying project completion

2 As a result of fire, loss 1 of supplies or building may occur, leading to loss of entire project

3 As a result of being unable to meet technical development objectives, technical performance may not be achievable, leading to inferior product

4 As a result of regulatory impact, additional work may be required, increasing cost and/or delaying schedule

5 As a result of supplier delay, we may be unable to build components on time, delaying the overall project

Legend: P (Probability) 3 = 20-50% 2 = 5-20% 1 = <%%

Trigger to Monitor

Weather reports Trends

Fire prevention inspections Alarm system

Development tests and gates

Excessive questions or no action from regulators

Late contracts Delayed delivery

Prevention Mitigation

Actions Actions

Plan outside work Erect tents and tarps during dry season over work areas

Build dikes around facility Implement a high-wind design Implement a seismic design

Install pumps for rain and flood

Use noncombustibles Install fire

Fireproof storage cabinets suppression ASAP

Develop quality Develop an process and parallel alternative alternatives technology

Hold face-to-face discussions with regulators Use consultants to prepare applications

Impose late-delivery penalties Buffer deliveries Check supplier delivery references

Put together a task team to respond to causes of delay or denial

Prepare alternative suppliers and equipment

C (Consequence) 3 = > Project Buffer

2 = >20% of Project Buffer, <Project buffer 1 = <20%

way of quantifying the probability and consequence of a risk for a project. Note that the probability refers to the probability of the risk occurring during the project. This probability only goes to 50% because if you judge the probability to be higher than that, you should assume that the risk event will occur when preparing your project plan; that is, risks with a probability greater than 50% should be treated as a baseline assumption. The impact is put in terms of the project buffer for schedule and may be put in terms of the cost buffer for cost. You may have additional consequence criteria, such as safety risk or public-reaction risk. Section 10.3 provides additional detail on qualifying and quantifying risk. Note that with the recommended scale, risk quantification can range from 1 to 9.

The sixth column in Table 10.1 lists the triggers to monitor. You should assess these frequently to see if you should change your risk assessment or activate your contingency plans. You should, of course, attempt to come up with leading indict-ors whenever possible.

Columns 7 and 8 of Table 10.1 are the most important as they list the actions you will take to prevent or mitigate the potential risk. Prevention and mitigation may work on either the event probability or the event impact. For example, a spill-control dike reduces the potential impact of a spill but not the probability. On the other hand, a double-wall tank reduces the probability of a spill. Actions to prevent the risk should then become part of your project work plan. Actions to mitigate may require actions in your project work plan to plan for mitigation, such as training or purchasing emergency supplies.

Project Management Made Easy

Project Management Made Easy

What you need to know about… Project Management Made Easy! Project management consists of more than just a large building project and can encompass small projects as well. No matter what the size of your project, you need to have some sort of project management. How you manage your project has everything to do with its outcome.

Get My Free Ebook

Post a comment