Define Risk Parameters
Define the parameters used to analyze and categorize risks, and
the parameters used to control the risk management effort.
Parameters for evaluating, categorizing, and prioritizing risks include:
- Risk likelihood (i.e., probability of risk occurrence)
- Risk consequence (i.e., impact and severity of risk occurrence)
- Thresholds to trigger management activities
Risk parameters are used to provide common and consistent criteria for
comparing the various risks to be managed. Without these parameters,
it would be very difficult to gauge the severity of the unwanted change
caused by the risk and to prioritize the necessary actions required for
risk mitigation planning.
- Define consistent criteria for evaluating and quantifying risk likelihood and severity levels.
  Consistently used criteria (e.g., the bounds on the likelihood and severity levels)
  allow the impacts of different risks to be commonly understood, to receive the
  appropriate level of scrutiny, and to obtain the management attention warranted.
  In managing dissimilar risks (for example, personnel safety versus environmental
  pollution), it is important to ensure consistency in end result (e.g., a high risk of
  environmental pollution is as important as a high risk to personnel safety).
- Define thresholds for each risk category.
  Thresholds can be established to determine acceptability or unacceptability of risks,
  prioritization of risks, or triggers for management action. Examples of thresholds include:
    - Project-wide thresholds could be established to involve senior management when product costs exceed 10% of the target cost or when Cost Performance Indexes (CPIs) fall below 0.95.
    - Schedule thresholds could be established to involve senior management when Schedule Performance Indexes (SPIs) fall below 0.95.
    - Performance thresholds could be set to involve senior management when specified key design items (e.g., processor utilization) exceed 125% of the intended design.
  These may be refined later, for each identified risk, to establish points at which
  more aggressive risk monitoring is employed or to signal the implementation of
  risk mitigation plans.
- Define bounds on the extent to which thresholds are applied against or within a category.
  There are few limits on the extent to which risks can be assessed, whether in a
  quantitative or a qualitative fashion. Definition of bounds (or boundary conditions) can be used to
  help scope the extent of the risk management effort and avoid excessive resource
  expenditures. Bounds may include exclusion of a risk source from a category.
  These bounds may also exclude any condition that occurs less than a given
  frequency.