The process of risk prioritisation is affected by several factors, including risk attitude, risk sensitivity, resource availability, risk severity and risk manageability.
Prioritisation by Attitude
An organisation’s risk attitude is made up of a combination of its risk appetite, risk tolerance and risk threshold. These three attributes are defined as:
- Risk Appetite – The degree of uncertainty an entity is prepared to accept in pursuit of its objectives
- Risk Tolerance – The degree, amount, or volume of risk impact that an organisation or individual will withstand
- Risk Threshold – The level of uncertainty or impact at which a stakeholder will have a specific interest. Below the risk threshold, the stakeholder will accept the risk. Above the risk threshold, the stakeholder will not accept the risk
If an organisation has a high risk appetite but low risk tolerance, it will tend to prioritise its risk responses around the anticipated level of the risk impacts, rather than the level of uncertainty in risk event occurrence. This may be because the organisation’s business strategy is to operate in unstable or high-threat environments, where it is constantly exposed to the occurrence of risk events. In this case, the organisation will develop its risk response plan to prioritise the neutralisation (or optimisation, in the case of opportunity risks) of risk impacts rather than focusing on controlling the occurrence of risk events.
Conversely, an organisation with a low risk appetite, but high risk tolerance (a very unusual case!) will prioritise their risk responses by focusing on minimising the probability of risk event occurrence, and put less effort into controlling the risk impacts.
In both cases, the organisations’ risk thresholds will be defined by their respective risk appetite and risk tolerance levels. Risk attitude is also largely determined by the industry sector in which an organisation operates.
In the Oil & Gas and Mining industries, where personnel safety is a major factor and human fatalities are known to occur on a relatively regular basis, the industry-accepted threshold for loss of life is 1 × 10⁻³ per year, or 1 fatality every 1,000 years. Anything above this is considered unacceptably high. In the Security Services and Defence industries, by contrast, human fatalities, although not desired, are accepted as part of the job and can be a relatively high-frequency occurrence. In these industries, the acceptable threshold for loss of life could be as high as 1 × 10⁻¹ per year, or 1 fatality every 10 years.
In other industry sectors, personnel safety may not be a major driving factor in risk management, and risk thresholds will be defined instead by the types of risks and impacts prevalent in these sectors. Some of the main risk areas around which organisational risk attitudes and thresholds are defined include:
- Health & Safety
- Production / Performance
Prioritisation by Sensitivity
Sensitivity analysis is a method of determining which risks will have the most potential impact on a project. This is typically done by interrogating the uncertainty levels in each risk, and comparing them to the uncertainty levels of all other risks.
In doing so, one can determine the extent to which the uncertainty of a risk may affect the outcome of a project in relation to the uncertainty of all other risks.
Another way of looking at this is to consider sensitivity as a function of change in risk outcome with respect to change in risk input. This applies equally to the range of uncertainty in risk occurrence as it does to the range of uncertainty in risk impact.
In other words, the occurrence of a risk event may be highly sensitive to a set of conditions in one case, while the impacts of a risk may be highly sensitive to a different set of conditions in another case.
This leads to a number of options when prioritising risk by sensitivity.
In the case of risk event sensitivity, risks of this type will require further assessment to develop a better understanding of which conditions or variables have the greatest influence on the probability of risk event occurrence.
In the case of risk impact sensitivity, risks of this type will require the development and implementation of multiple response plans to control the conditions that have the greatest influence on the risk impacts.
Therefore, prioritisation of the types of action required (be it further assessment or implementation of response plans) depends on the type of sensitivity that the risk is subject to.
Where uncertainty ranges from negative to positive values, risks may be plotted on a Tornado diagram, where risks with the greatest uncertainty equate to being the least stable, while risks with the smallest uncertainty equate to being the most stable.
Where the variances in risk uncertainty reflect one type of risk outcome only (positive or negative, but not both) the risks can be plotted on a Pareto diagram by arranging the risks in descending order, from most sensitive to least sensitive.
By way of illustration, consider a project where we need to determine which work packages have the greatest effect on the uncertainty in the total cost of the project.
Firstly, we need to estimate the uncertainty in the cost of each individual work package. Secondly, we determine the associations, or dependencies, between each pair of work packages.
The sensitivity of the uncertainty in the total project cost with respect to each work package is proportional to the combination of the activity uncertainties and the associations between activities. That is, the uncertainty in the total cost is affected not only by the uncertainty in each work package, but also by how much each work package affects, and is affected by, the others.
As an elementary example, the uncertainty in the cost of a construction project may be more sensitive to outdoor activities than to indoor activities, because bad weather can cause a number of outdoor activities to run over budget and over schedule simultaneously. Indoor activities, by contrast, are typically not linked so tightly to the weather.
By quantifying the relative sensitivities for all work packages, and sorting them from largest to smallest, we can identify those work packages with the largest sensitivities, which are those to which the project manager should give the highest priority. Note that the absolute values of the sensitivities have no importance here, as our only concern is with the relative values.
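The work-package procedure above, carried through as an added worked example (this is not code from the original article). Each package's cost uncertainty is modelled as a standard deviation, each association between two packages as a correlation coefficient, and a package's sensitivity as its share of the variance of the total project cost, which combines its own uncertainty with its associations to the others. The sample figures, the weather-driven correlation model and the variance-share definition are all assumptions constructed for the illustration.

```python
"""Sensitivity of total project cost uncertainty to each work package.

Added example: this is not code from the original article. Model
assumptions: each work package's cost uncertainty is expressed as a
standard deviation, and the association between two packages as a
correlation coefficient in [-1, 1]. The uncertainty of the total cost is
the variance of the sum of the package costs, and the sensitivity of the
total to package i is taken as that package's share of the total
variance, sum_j cov(i, j). Only the relative values are meaningful.
"""

# Constructed sample data: cost standard deviation per work package.
UNCERTAINTY = {
    "Excavation": 40.0,
    "Roofing": 30.0,
    "Landscaping": 25.0,
    "Electrical fit-out": 35.0,
    "Interior painting": 20.0,
}

# Constructed associations: outdoor packages move together with the weather;
# indoor packages are only weakly linked to anything else.
OUTDOOR = {"Excavation", "Roofing", "Landscaping"}


def weather_correlation(a, b):
    """Correlation between the costs of work packages a and b (assumed)."""
    if a == b:
        return 1.0
    if a in OUTDOOR and b in OUTDOOR:
        return 0.7
    return 0.1


def independent(a, b):
    """Correlation model with no associations at all, for comparison."""
    return 1.0 if a == b else 0.0


def covariance(uncertainty, corr, a, b):
    """cov(a, b) = corr(a, b) * sigma_a * sigma_b."""
    return corr(a, b) * uncertainty[a] * uncertainty[b]


def sensitivities(uncertainty, corr=weather_correlation):
    """Relative share of total-cost variance attributable to each package.

    contribution_i = sum_j cov(i, j); the shares are normalised so they
    sum to 1. Sorting them gives the Pareto ordering the article describes.
    """
    contribution = {
        a: sum(covariance(uncertainty, corr, a, b) for b in uncertainty)
        for a in uncertainty
    }
    total_variance = sum(contribution.values())
    if total_variance <= 0:
        raise ValueError("total variance must be positive")
    return {a: c / total_variance for a, c in contribution.items()}


def prioritised(uncertainty, corr=weather_correlation):
    """Work packages ordered from most to least sensitive."""
    shares = sensitivities(uncertainty, corr)
    return sorted(shares, key=shares.get, reverse=True)


if __name__ == "__main__":
    shares = sensitivities(UNCERTAINTY)
    for name in prioritised(UNCERTAINTY):
        print(f"{name:20s} {shares[name]:6.1%}")
```

With the weather model, Landscaping ranks above Electrical fit-out even though its own uncertainty is smaller, because it moves with the other outdoor packages; swapping in `independent` collapses the ordering to the packages' own uncertainties, which is the point the text makes about associations.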
Prioritisation by Resource Availability
Prioritising risks by resource availability is not something that Risk Managers should do by choice but, sometimes, it is unavoidable and risks need to be prioritised in this way.
Prioritisation by resource availability should normally only occur in the event of assessment and/or control needing to be carried out by specialist resources, which are not readily available to the project.
This may include the use of human resources with specialist skills in assessing or controlling risks of a certain nature, or it may require the use of specialist materials or equipment needed to assess or control the risk.
In such cases, the affected risks will need to be placed on a monitoring list until such time as the required resources become available. If any changes in the severity or manageability of the risk occur in the meantime, the response plan may need to be revised to deal with these changes.
Prioritisation by Severity
All things being equal (in terms of risk attitude and resource availability) risks are most often prioritised by their severity. That is, the higher the probability of risk event occurrence and the higher the impact of the risk event, the higher the risk response priority.
Determining the severity of a risk is initially done qualitatively. In most cases this involves using a Probability / Impact matrix to define the severity ranking of a risk by multiplying its probability rank by its impact rank. The size and format of the risk matrix make little difference (unless extremely small or extremely large), as long as the risk ranking ranges and definitions are consistent.
Irrespective of whether you use a 4×4 or 5×5 matrix size, or whether the risk ranking values are formatted from bottom to top and left to right, or the other way around, the product of Probability and Impact will always tell you how severe a risk is in relation to other risks measured the same way.
Most of the time, this is sufficient information to establish the priority of the required risk response but, depending on the nature of the risk, it may be necessary to carry out further quantitative risk analysis in order to determine a more precise risk response priority level and appropriate response actions.
Prioritisation by Manageability
Risk manageability is a function of expected risk occurrence date and the number of response actions available to control the risk. This relationship can be depicted graphically by defining a range of risk occurrence dates and a range of available response actions which will, in turn, define the overall manageability of a risk.
For example, if a known risk event is expected to occur within the next eight weeks, this would be considered by most projects to be “Imminent”. And if there were only a limited number of response options available to control either the probability of risk event occurrence or the impacts of the risk should it still occur (but not both), then the manageability of this risk would be considered “Very Low”. In this case, the priority of the risk needs to be raised so that whatever response options are available get implemented as a matter of urgency.
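An added worked example covering both the Probability / Impact severity ranking of the Prioritisation by Severity section and the occurrence-date / response-options manageability chart described just above; it is not code from the original article. It assumes a 5×5 matrix with ranks 1..5 and severity = P × I, keeps the eight-week “Imminent” band from the text, and constructs the remaining proximity bands, the response-option bands, the manageability lookup and the register entries purely for illustration; none of them is a published standard.

```python
"""Risk register prioritisation by severity, then by manageability.

Added example, not code from the original article. Assumptions, all
constructed for illustration: a 5x5 Probability/Impact matrix with ranks
1..5 and severity = P x I; proximity bands on the expected occurrence
date (8 weeks = "Imminent", as in the article); response-option bands;
and the manageability lookup table that combines the two.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Risk:
    name: str
    probability: int        # rank on the P axis, 1..5
    impact: int             # rank on the I axis, 1..5
    expected_date: date     # date the risk event is expected to occur
    response_options: int   # number of distinct response actions available


MATRIX_SCALE = 5  # assumed: 5x5 matrix; a 4x4 works the same way


def severity(risk, scale=MATRIX_SCALE):
    """Severity rank = probability rank x impact rank; only relative values matter."""
    for rank in (risk.probability, risk.impact):
        if not 1 <= rank <= scale:
            raise ValueError(f"{risk.name}: rank {rank} outside 1..{scale}")
    return risk.probability * risk.impact


def proximity(risk, today):
    """Band the expected occurrence date (constructed bands)."""
    weeks = (risk.expected_date - today).days / 7
    if weeks <= 8:
        return "Imminent"
    if weeks <= 26:
        return "Near-term"
    return "Distant"


def option_band(risk):
    """Band the number of available response actions (constructed bands)."""
    if risk.response_options <= 1:
        return "few"
    if risk.response_options <= 3:
        return "some"
    return "many"


# Constructed manageability chart: proximity down the side, options across.
MANAGEABILITY = {
    ("Imminent", "few"): "Very Low", ("Imminent", "some"): "Low", ("Imminent", "many"): "Medium",
    ("Near-term", "few"): "Low", ("Near-term", "some"): "Medium", ("Near-term", "many"): "High",
    ("Distant", "few"): "Medium", ("Distant", "some"): "High", ("Distant", "many"): "Very High",
}
MANAGEABILITY_ORDER = {"Very Low": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4}
PRIORITY_ORDER = {"Urgent": 0, "High": 1, "Medium": 2, "Low": 3}


def manageability(risk, today):
    """Look up overall manageability from proximity and response-option band."""
    return MANAGEABILITY[(proximity(risk, today), option_band(risk))]


def response_priority(risk, today):
    """Severity sets the baseline; very low manageability raises it to Urgent."""
    if manageability(risk, today) == "Very Low":
        return "Urgent"
    s = severity(risk)
    if s >= 15:
        return "High"
    if s >= 6:
        return "Medium"
    return "Low"


def prioritise(register, today):
    """Order the register: priority label, then severity, then hardest to manage."""
    return sorted(
        register,
        key=lambda r: (
            PRIORITY_ORDER[response_priority(r, today)],
            -severity(r),
            MANAGEABILITY_ORDER[manageability(r, today)],
        ),
    )


TODAY = date(2024, 1, 8)  # fixed reference date so the example is reproducible

# Constructed register entries.
REGISTER = [
    Risk("Unpatched internet-facing VPN appliance", 4, 5, TODAY + timedelta(weeks=3), 3),
    Risk("Key engineer leaves mid-migration", 2, 4, TODAY + timedelta(weeks=6), 1),
    Risk("Cloud region outage", 2, 3, TODAY + timedelta(weeks=40), 4),
    Risk("Vendor contract lapses", 3, 2, TODAY + timedelta(weeks=20), 2),
    Risk("Minor cosmetic defect in portal", 1, 1, TODAY + timedelta(weeks=10), 5),
]


if __name__ == "__main__":
    for r in prioritise(REGISTER, TODAY):
        print(f"{response_priority(r, TODAY):7s} sev={severity(r):2d} "
              f"manageability={manageability(r, TODAY):9s} {r.name}")
```

Note how the register comes out: the engineer-departure risk has a middling severity of 8 but, being imminent with a single response option, its manageability is Very Low and it is escalated above the severity-20 VPN risk, which is the “raise the priority” behaviour the text describes; the two severity-6 risks are then separated by manageability alone.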