Risk Probability and Impact Matrix: Assessment Guide

An Assessment Guide for Project Managers

Projects that do not take the possible risk into account are essentially blindfolded. I have seen many projects go off the rails because the risk was not taken into account, or the team did not evaluate the severity of the impact. However, the probability and impact matrix provides a means to evaluate the risk in a systematic manner.

A probability and impact matrix provides a means of establishing and evaluating the risk factors that could delay a project. If you are about to undertake the PMP certification training, or, in fact, risk manage any real-world projects, learning how to use the probability and impact risk matrix will change the way you evaluate and control risk. I will show you how.

A Probability and impact matrix is a 2-dimensional grid used to evaluate the risks of a project. One axis represents the probability of the risk occurring, and the other axis represents the impact of the risk. This matrix provides a way for project managers to evaluate what risks need to be managed and what controls can be put in place to reduce or eliminate the impact.

Consider thinking about a risk assessment as a type of heat map for your project. The red zone shows risk areas calling for immediate remediation, while the green zone, showing little risk, requires little oversight.

A risk assessment matrix is structured as a risk zone chart.

• Red risks: immediate action is required for the creation of a risk management plan.
• Yellow risks: strategies are needed to manage while risks are monitored.
• Green risks: risks are acceptable to manage.

I've learned that it's cheaper to prevent a problem than to solve it later. A risk assessment matrix is a tool that serves more than one function in project management.

• Streamlined Focus: A risk matrix allows more focus on the risks that are most likely to derail the project. This is more efficient than worrying about a minor risk that is of little concern.
• Effective Communication: Stakeholders are provided a quick understanding of the project risks as opposed to spending time on a lengthy report.
• Justifiable Focus: A matrix removes emotional, gut-choice biases. The decision will be based on the assessment of the risk.
• Use of Resources: Stakeholders are provided a clear understanding of project risks instead of spending time on a lengthy report.

How Likely is This Risk?

In the context of a project, the risk can be defined as the absence of positive events or the presence of negative events that can adversely affect the project objectives in terms of the scope, schedule, cost, and quality. In project management, the risk can be determined using a statistical probability of occurrence and is determined by the team using a 5-point scale. Most teams use a 5-point scale as shown in the table below.

Table 1: Risk Measurement Scales

In my experience, risk evaluation is mostly subjective, depending on the evaluator. Using previous projects, evaluating risk using the expertise of team members, and depending on environmental conditions that may encourage or discourage the occurrence.

How Severe Would This Impact Be?

Impact refers to the magnitude of damage stemming from the occurrence of the risk. This can be assessed in multiple dimensions, such as:

• Time: delays and alterations to the project schedule
• Cost: losses versus uncontrolled/excessive expenditure of project resources
• Quality: decrease in the quality of project deliverables
• Scope: changes to project objectives
• Reputation: loss of credibility to the organization or project team

While assessing the impact, I prefer to use the same 5-point scale as the likelihood of the risk. This is due to the tendency of some teams to vary their measurement scales for each dimension.

Let me show you my step-by-step process of creating a risk probability-impact matrix, and you can start using it immediately.

Step 1: Identifying Possible Risks

Use all brainstorming techniques to involve the entire team. Here are some types of risks:

• Technical risks (failure of tech or software, problems with integration)
• Resource risks (employee turnover, gaps in skills)
• External risks (changes to regulations, the state of the market)
• Schedule risks (timelines are not realistic, delays from dependencies)
• Budget risks (rising costs or losing funding)

Make sure to document any and all risks. Other people may think something is impossible, but in my experience, it's proven downright impossible to me personally and I wouldn't write something off.

Step 2: Determining the Size of Your Matrix

A 5x5 matrix (25 cells) is the optimal size for most projects because it offers sufficient granularity, but not too much complexity. Smaller projects may be more successful with a 3x3 matrix, while enterprise projects may require custom sizes.

Step 3: Create Your Rating Criteria

While preparing for PMP certification training, I find it helpful to be consistent. If this is not done, people use the criteria to make judgments and find the results to be inconsistent.

There should be agreement from all stakeholders to determine what is "high impact" and what is "medium impact" for the project. In one project, a $10,000 overrun may be a disaster. In another, it may be considered a drop in the bucket.

Step 4: Evaluating and Plotting Each Risk

Consider every risk and how it might fit against your established criteria. To evaluate each risk, calculate the risk score by taking the risk probabilities and multiplying them by the respective impact ratings. For illustration: Risk A has a probability of 4 and an impact of 5, so A receives a score of 20 and is, therefore, classified as a high risk. Risk B, on the other hand, has a score of 6 and is therefore classified as a low risk. After the calculation, each risk is placed on the risk matrix according to the coordinates. During my risk assessment, I have found it helpful to use color-coded or numbered markers to reference a specific risk when discussing it.

Step 5: Formulating Response Strategies

Once your risk matrix is drafted, it documents specific responses to the risk in each compartment.

High-Risk Zone (Red)

• Draft and finalize mitigation plans
• Assign risk owners, and articulate specific responsibilities
• Assign a particular portion of the budget to this risk
• Implement and measure stakeholder engagement
• Continually reassess the risk
   

Medium-Risk Zone (Yellow)
 

• Draft and finalize mitigation plans
• Assign risk owners, and articulate specific responsibilities
• Assign a particular portion of the budget to this risk
• Implement and measure stakeholder engagement
• Continually reassess the risk

Low-Risk Zone (Green)

• Assume the risk and document the assumption
• Conduct reviews on a periodic basis
• Minimum resource allocation

Implementing risk management for every project is not a one-time activity. I have witnessed project teams fail to implement risk management simply because they designed beautiful risk assessment matrices at the beginning of the project and then ignored them.

• Weekly for high-priority risks
• Monthly for all other identified risks
• As the project conditions change significantly

There are sometimes new risks in the project. The likelihood or impact of some old risks may decrease. Your matrix should change alongside the evolution of your project management plan.

A matrix of risks' probabilities and impacts is most useful when coupled with other project management strategies. For example, with multi-stage risks, I like to use decision trees combined with the risk matrix.

In your financial model, plan for high-impact risks and allocate the required contingency in your budget. To assess the effectiveness of your risk management, use project KPIs and Mitigate then Lethargize paradox.

Many project managers I have trained integrate the matrix with the PMP exam prep guide to understand how risk management is interwoven with the other project management processes.

• Bias and Subjectivity: Involve multiple stakeholders to gain different points of view and reduce personal bias.
• Set-and-Forget: The risk landscape is evolving, and so should your assessments.
• Low-Probability/High-Impact Events: Those less probable and more catastrophic risks deserve your attention and contingency planning.
• Poor Documentation: Make a record of the assessment justification. The auditors, or the stakeholders, may appreciate it in the future.

However, knowing and applying a risk probability and impact matrix will help change your project management approach from reactive to proactive. This has worked for me in almost every industry, whether in total construction or software. It adds value every small-scale. Start simple, and stay consistent. Remember that predicting risks with absolute certainty will never be possible, and your goal is to improve the quality of your decisions. The risk matrix is a tool that allows you to approach decision-making with more clarity.

Over time, you will develop a sense of the risk behaviors in your area. Don't forget to use the structured approach that the matrix gives you. The value of this does not diminish with experience.