There are many ways to measure and communicate risk – this is just one that we have found useful, and easy to communicate.
The 25 cell “Impact vs Likelihood” Risk Matrix is a popular format used to communicate Risk Scores. It helps you summarise your risks for project reporting.
The Risk Score Heatmap Matrix
This 5 x 5 (25 cell) matrix gives an easy way to associate a “Severity Score” with a Risk. NB you will see a lot of variations on this – so this is just one approach of many that Project Managers can take.
Each cell in the matrix is a combination of impact and likelihood.
This allows you to group your risks, based on a score, into some Risk Severity groups:
This Risk Scoring approach is used in our RAID LOG template.
An approach to assigning Impact and Likelihood scores
Project Managers use a list of score definitions, to help one another assign and understand the scores for each risk.
Here is an example approach:
ASSIGNING RISK LIKLEHOOD VALUES | |||
Score | Title | Likelihood | % Chance |
1 | Rare | Rare. A very unlikely event. It could happen, but probably never will. | Below 5% |
2 | Unlikely | Not expected. Slight possibility. An improbable sequence of events. |
5% – 25% |
3 | Possible | Moderate likelihood. Foreseeable. May have occurred in projects like this before. | 25% – 50% |
4 | Likely | Strong possibility. High likelihood. An easily foreseeable event. |
50% – 75% |
5 | Almost Certain | Very likely. Almost certain without any intervention. |
Above 75% |
ASSIGNING RISK IMPACT VALUES | |||
Score | Title | Outcome / Impact / Consequence | Cost / Time / Scope Implications |
1 | Insignificant | The project will have to make some minor changes to scope. Resolvable by management team. | Can be managed. Acceptible. |
2 | Minor | Some changes to deliverables. Outside of Project Tollerances or Contingency. |
Adjustment to scope with some impact. |
3 | Moderate | One or more areas likely not to deliver as planned. Descoping required. | Significant impact. |
4 | High | Significant descoping required. | Major Impact. |
5 | Extreme | Serious failure of project objectives. | Disastrous Impact. |
Example Guidance for Project Managers according to Risk Severity
GENERAL GUIDANCE ON RISK MANAGEMENT | |
Extreme | Escalate immediately to project authorities. Include recommendations. Actively control. |
High | Manage immediately. Inform project authorities. Act on mitigation and ensure you have response plans ready. |
Moderate | Manage risk and escalate in normal reporting. Watch carefully for change in exposure. |
Low | Manage risk. |
Problems with Scoring Risks with a Matrix
There are many ways to allocate weighting to risks, and to group severity, with no right or wrong answer. The allocation of severity groupings helps you give summaries to your colleagues, but the groupings you choose will need to vary depending on the project type, size and environment.
See more here on Wikipedia about the problems with Risk Matrices.
Project Managers manage their Risks in a “RAID Log”.
RAID Logs are used by project managers and programme managers to track and manage project risks.
Many projects have 10s and sometimes 100s of Risks to manage, and so it is essential to keep track of severity, status, next steps, and who owns each risk.
RAID is an acronym that stands for
- Risks
- Assumptions
- Issues
- Dependencies