ISO 21502:2020 Clause 7.8.3 Assessing risk

Project Management 7 Minutes

Each risk should be assessed for probability, consequence and proximity, and prioritized for further action. Interrelations and dependencies between individual risks should be assessed.
NOTE 1 Consequence can also be referred to as “impact”.
NOTE 2 Probability can also be referred to as “likelihood”.

Assessing risks is a critical step in the risk management process, allowing project teams to understand the potential impact and likelihood of identified risks on project objectives. Risk assessment involves evaluating various factors to determine the severity of each risk and prioritize them for further action. Here’s how project management typically assesses risks:

  1. Risk Identification: Before assessing risks, project teams must first identify and document potential risks that may impact the project’s objectives. Risks can be identified through techniques such as brainstorming, documentation review, expert judgment, and stakeholder consultation. Once risks are identified, they are documented in a risk register or similar repository.
  2. Risk Analysis: Once risks are identified, project teams analyze each risk to assess its potential impact and likelihood of occurrence. Risk analysis typically involves two main components:
    • Qualitative Risk Analysis: In qualitative risk analysis, risks are assessed based on subjective judgments and relative scales. Risks are evaluated based on their potential impact on project objectives, such as cost, schedule, scope, quality, and stakeholder satisfaction, as well as their likelihood of occurrence. Risk assessment scales, such as low-medium-high or numeric scales, may be used to rank risks according to their severity.
    • Quantitative Risk Analysis: In quantitative risk analysis, risks are assessed using numerical data and probabilistic techniques. This involves quantifying the potential impact of each risk on project objectives, estimating the probability of occurrence, and calculating the overall risk exposure. Quantitative risk analysis techniques, such as Monte Carlo simulation, decision trees, and sensitivity analysis, may be used to assess risks more precisely and provide quantitative measures of risk exposure.
  3. Risk Prioritization: Once risks are analyzed, project teams prioritize them based on their significance and potential impact on project objectives. Risks with higher severity and likelihood ratings are given higher priority for further action. Prioritization helps project teams focus their resources and attention on addressing the most critical risks that pose the greatest threat to project success.
  4. Risk Response Planning: Based on the results of risk assessment and prioritization, project teams develop risk response strategies to address identified risks effectively. This involves determining appropriate risk response actions for each risk, such as avoiding, mitigating, transferring, or accepting the risk, and developing contingency plans or fallback options as needed.
  5. Continuous Monitoring and Review: Risk assessment is an ongoing process that requires continuous monitoring and review throughout the project lifecycle. As project conditions change, new risks may emerge, and existing risks may evolve or materialize into issues that require attention. Project teams must regularly review and update risk assessments to ensure that risk management efforts remain effective and responsive to changing circumstances.

By following these steps, project management can systematically assess risks, understand their potential impact on project objectives, and develop appropriate risk response strategies to mitigate their effects. Effective risk assessment helps project teams anticipate uncertainties, make informed decisions, and increase the likelihood of project success.

Each risk should be assessed for probability, consequence and proximity, and prioritized for further action.

Assessing risks for probability, consequence, and proximity is essential for understanding the severity of each risk and determining the appropriate course of action. Let’s break down each of these elements:

  1. Probability: Probability refers to the likelihood or chance that a risk event will occur. Risks can be categorized as low, moderate, or high probability based on the likelihood of occurrence. Assessing the probability of a risk helps project teams gauge the likelihood of encountering the risk and allocate resources accordingly. Risks with a higher probability of occurrence may require more immediate attention and proactive mitigation efforts.
  2. Consequence: Consequence, also known as impact or severity, refers to the potential harm or damage that may result from a risk event occurring. Risks can have various consequences, including financial, schedule, technical, reputational, or safety impacts. Assessing the consequence of a risk helps project teams understand the potential magnitude of its effects on project objectives. Risks with more severe consequences may pose a greater threat to project success and require prioritized attention and robust mitigation measures.
  3. Proximity: Proximity refers to the timeframe or proximity in which a risk event is likely to occur. Risks can be categorized as immediate, near-term, or long-term based on their proximity to the project timeline. Assessing the proximity of a risk helps project teams anticipate when the risk may materialize and take timely preventive or corrective actions. Risks with immediate or near-term proximity may require more immediate attention and proactive monitoring to prevent or mitigate their impacts.

By assessing risks for probability, consequence, and proximity, project teams can prioritize them for further action based on their significance and potential impact on project objectives. Prioritizing risks allows project teams to focus their resources and efforts on addressing the most critical and time-sensitive risks, ultimately enhancing the project’s ability to manage uncertainties and achieve its goals. Effective risk prioritization ensures that project teams can allocate resources effectively, make informed decisions, and implement targeted risk response strategies to mitigate the effects of potential threats and opportunities.

Interrelations and dependencies between individual risks should be assessed.

Assessing interrelations and dependencies between individual risks is crucial for comprehensive risk management. Here’s why it’s important and how it can be done:

  1. Impact Amplification: Risks are rarely isolated events; they often interact with and influence each other. Assessing interrelations between risks helps project teams identify situations where the occurrence of one risk may exacerbate the likelihood or impact of another. Understanding these relationships allows project teams to anticipate potential cascading effects and implement targeted mitigation strategies to address interconnected risks effectively.
  2. Risk Interdependency: Some risks may be interdependent, meaning that the occurrence or mitigation of one risk affects the likelihood or impact of another. For example, delays in obtaining regulatory approvals may impact the availability of resources, leading to schedule delays or cost overruns. By assessing interdependencies between risks, project teams can identify critical linkages and develop integrated risk response strategies that address multiple risks simultaneously.
  3. Risk Aggregation: Assessing interrelations between risks helps project teams understand how risks aggregate or compound to create cumulative impacts on project objectives. Certain combinations of risks may amplify their collective effects, resulting in greater overall risk exposure. By evaluating the combined impact of interconnected risks, project teams can prioritize their response efforts and allocate resources more effectively to address high-risk scenarios.
  4. Risk Response Coordination: Understanding interrelations between risks enables project teams to coordinate their risk response efforts more effectively. By identifying common underlying factors or root causes that contribute to multiple risks, project teams can develop holistic risk response strategies that address shared vulnerabilities or systemic issues. This coordinated approach ensures that risk response efforts are aligned and mutually reinforcing, reducing the likelihood of gaps or overlaps in risk management activities.
  5. Scenario Analysis: Assessing interrelations between risks allows project teams to conduct scenario analysis to explore potential outcomes under different combinations of risk events. By simulating various risk scenarios and their potential impacts on project objectives, project teams can identify critical thresholds, tipping points, or emergent patterns that may warrant specific risk response actions. Scenario analysis helps project teams anticipate and prepare for complex interactions between risks, enabling more robust risk management strategies.

Overall, assessing interrelations and dependencies between individual risks enhances the effectiveness of risk management by enabling project teams to identify interconnected relationships, anticipate cumulative impacts, coordinate risk response efforts, and conduct scenario analysis. By understanding how risks interact and influence each other, project teams can develop more holistic risk management strategies that address the full spectrum of project uncertainties and increase the likelihood of project success.

Consequence can also be referred to as “impact”.

“consequence” and “impact” are often used interchangeably in the context of risk management. Both terms refer to the potential harm, damage, or effect that may result from a risk event occurring. When assessing risks, project teams consider the consequences or impacts of each risk to understand the severity of its effects on project objectives. These consequences or impacts can manifest in various forms, including financial, schedule, technical, reputational, environmental, or safety impacts. Here’s a breakdown of how “consequence” and “impact” are commonly used in risk management:

  1. Consequence: Consequence is typically used to describe the result or outcome of a risk event occurring. It emphasizes the direct or indirect effects that the risk may have on project objectives, stakeholders, or organizational assets. Consequence assessments help project teams evaluate the severity of potential outcomes and prioritize risks based on their significance.
  2. Impact: Impact is another term used to describe the effects or consequences of a risk event. It underscores the influence or implications that the risk may have on project performance, deliverables, or success criteria. Impact assessments help project teams understand the magnitude or scale of potential repercussions and determine appropriate risk response strategies.

Both “consequence” and “impact” play a critical role in risk assessment and prioritization, guiding project teams in evaluating the severity and significance of identified risks. By assessing the consequences or impacts of each risk, project teams can prioritize their response efforts, allocate resources effectively, and develop targeted risk mitigation strategies to address the most critical threats and opportunities. Ultimately, understanding the consequences or impacts of risks enables project teams to make informed decisions, manage uncertainties, and enhance the likelihood of project success.

Probability can also be referred to as “likelihood”.

“Probability” and “Likelihood” are often used interchangeably in the context of risk management. Both terms refer to the chance or likelihood that a risk event will occur. When assessing risks, project teams consider the probability or likelihood of each risk to understand the likelihood of its occurrence and prioritize risks based on their likelihood. Here’s a breakdown of how “probability” and “likelihood” are commonly used in risk management:

  1. Probability: Probability is typically used to describe the likelihood or chance of a risk event occurring. It quantifies the likelihood of the risk event happening within a given timeframe or under specific conditions. Probability assessments help project teams evaluate the likelihood of potential threats or opportunities and prioritize risks based on their probability of occurrence.
  2. Likelihood: Likelihood is another term used to describe the probability or chance of a risk event occurring. It emphasizes the probability or chance that the risk may materialize and affect project objectives. Likelihood assessments help project teams understand the frequency or recurrence of potential risk events and determine the level of concern or attention required for each risk.

Both “probability” and “likelihood” play a critical role in risk assessment and prioritization, guiding project teams in evaluating the likelihood and significance of identified risks. By assessing the probability or likelihood of each risk, project teams can prioritize their response efforts, allocate resources effectively, and develop targeted risk mitigation strategies to address the most significant threats and opportunities. Ultimately, understanding the probability or likelihood of risks enables project teams to make informed decisions, manage uncertainties, and enhance the likelihood of project success.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a ReplyCancel reply