Recently I have a discussion with Glen B. Alleman about the risk assessment approach described in the PMBOK Guide. Here is an article on how he thinks the PMBOK Guide has failed to assess risks properly, and how the DoD’s approach overcomes these issues. However, I do not think it is where the PMBOK Guide is flawed. In this article, I will revise how to rank and prioritize risks according to the PMBOK Guide.
According to the PMBOK Guide, Fourth Edition, there are two processes for risk assessment:
- Perform Qualitative Risk Analysis and
- Perform Quantitative Risk Analysis
Qualitative analysis always precede quantitative analysis. The main concept here is that a project team should perform qualitative analysis for all identified risks in order to prioritize them by their likelihood and impacts on the project objectives. Only after that a project team can perform quantitative analysis for some risks with highest priority. The purpose of quantitative analysis is to determine the effect of these risks on overall project objectives in numbers.
Risk matrix (or Probability and Impact Matrix in the PMBOK Guide) is used in qualitative risk analysis to rank the identified risks qualitatively, based on theirs probability and impact.
The main weakness in the PMBOK Guide risk matrix, according to Glen, is that
each element on each axis is “uncalibrated.” By this I mean the “meaning” of a 0.10 (10%) impact or a 0.70 (70%) probability is not connected to “real” risks and outcomes
In fact, these numbers are related to real probability and impact of risks. Here is how:
In the Plan Risk Management process, a project team define the definition of risk probability and impact. Below is an example. There is not a universal matrix for all projects. To quote the PMBOK Guide
general definitions of probability levels and impact levels are tailored to the individual project during the Plan Risk Management process for use in the Perform Qualitative Risk Analysis process
A particular risk can have impact on each project objective. The overall risk impact is the highest among the risk’s impacts on the project objectives. For example, if a risk has low impact on cost, but very high impact on quality, that risk will have a high overall impact.
Similar matrices can be constructed for risk probability and opportunities (positive risks)
Therefore, you can understand the numbers on the axises in the first matrix, using the appropriate definition matrix (like the second matrix above).
For example, a risk with a number 0.2 on the X-axis is a risk of moderate impact.
Risk assessment is also described in more details in the Practice Standard for Project Risk Management (you need to be a PMI’s member to access the standard in PDF format).
One more area where Glen thinks the PMBOK Guide does not address in risk management
The missing critical piece is PMI does not connect the management of risk with the management of the project. They have all the steps in risk management listed, but fail to provide guidance on how to connect the static elements of risk with the dynamic elements of the project
I do agree that the PMBOK Guide does not explicitly connect risk management processes with overall project management processes. There are five risk management processes , four of which are in the Planning Process Group, and the last one is in the Monitoring and Controlling Process Group. Not any process in the Executing Process Group!
However, many outputs from risk management processes include updates to the project management plan: scope, cost, schedule, communication, quality management plan etc.. which in turn are executed during the Direct and Manage Project Execution process. Therefore, The PMBOK Guide does imply the integration of risk management into overall project management. In fact, many questions on the PMP exam test your knowledge in this relationship.