Page 182 -
P. 182
CHAPTER 6 RISK ANALYSIS AND MANAGEMENT 153
tor that has a high impact but a very low probability of occurrence should not absorb
a significant amount of management time. However, high-impact risks with moder-
ate to high probability and low-impact risks with high probability should be carried
forward into the risk analysis steps that follow.
All risks that lie above the cutoff line must be managed. The column labeled
RMMM contains a pointer into a Risk Mitigation, Monitoring and Management Plan
“Failure to prepare is or alternatively, a collection of risk information sheets developed for all risks that
preparing to fail.” lie above the cutoff. The RMMM plan and risk information sheets are discussed in
Ben Franklin
Sections 6.5 and 6.6.
Risk probability can be determined by making individual estimates and then devel-
oping a single consensus value. Although that approach is workable, more sophisti-
cated techniques for determining risk probability have been developed [AFC88]. Risk
drivers can be assessed on a qualitative probability scale that has the following val-
ues: impossible, improbable, probable, and frequent. Mathematical probability can
then be associated with each qualitative value (e.g., a probability of 0.7 to 1.0 implies
a highly probable risk).
6.4.2 Assessing Risk Impact
Three factors affect the consequences that are likely if a risk does occur: its nature,
its scope, and its timing. The nature of the risk indicates the problems that are likely
if it occurs. For example, a poorly defined external interface to customer hardware (a
technical risk) will preclude early design and testing and will likely lead to system
integration problems late in a project. The scope of a risk combines the severity (just
how serious is it?) with its overall distribution (how much of the project will be affected
or how many customers are harmed?). Finally, the timing of a risk considers when
and for how long the impact will be felt. In most cases, a project manager might want
the “bad news” to occur as soon as possible, but in some cases, the longer the delay,
the better.
Returning once more to the risk analysis approach proposed by the U.S. Air Force
[AFC88], the following steps are recommended to determine the overall consequences
of a risk:
? How do we 1. Determine the average probability of occurrence value for each risk component.
assess the
consequences of a 2. Using Figure 6.1, determine the impact for each component based on the cri-
risk? teria shown.
3. Complete the risk table and analyze the results as described in the preceding
sections.
The overall risk exposure, RE, is determined using the following relationship
[HAL98]:
RE = P x C
