When qualitatively analyzing risks, we are taught to have our stakeholders estimate the probability of realization and the impacts to project objectives if risks are realized. If we have good historical data or subject matter expertise to rely on, we can take this exercise a step further and attempt to quantify the likelihood of occurrence or the magnitude of the impact. Based on this assessment, risks get prioritized so that we can focus limited efforts on those risks which pose the greatest severity.
But what if we can’t detect when a risk is about to be realized?
For low severity risks this might not seem like a big deal. Our contingency reserves should be sufficient to absorb the impacts of those.
But how about high severity threats? If we have no ability to know when one of those is going to be realized, unless our risk response strategies have focused on minimizing potential impacts, we are still likely to experience some impact to our project’s objectives before our contingency plans take effect.
How about high value opportunities which present a low likelihood of detection? Again, if we don’t have the ability to benefit from them quickly, a delay in implementing plans to exploit them will reduce realized benefits.
Finally, have you ever faced the scenario where you’ve qualitatively analyzed your risks only to realize that based on the estimated probability and impacts, you have a large number of high severity risks? How do you go about prioritizing your risk response efforts and getting the best returns from senior stakeholder engagement?
This is why we should consider leveraging Failure Mode and Effects Analysis (FMEA) practices from product and process design by adding a third dimension to risk evaluation – our likelihood of not detecting imminent realization of the risk.
A low score is given to those risks whose realization will be seen a mile away whereas those with a low chance of detection should receive a higher score. Just as you would do with impact and probability, it’s important to define a standard for the rating with examples to increase the likelihood of consistent evaluation by your stakeholders. There should obviously be alignment between risk triggers and the detection score – the more triggers which can be identified for a given risk, the lower the detection score.
When this new detection rating is multiplied by the traditional probability × impact value, you should start to see some stratification of your previously uniformly high severity risks. In FMEA terms, this product is known as the Risk Priority Number (RPN).
Prioritizing risks using the RPN can improve the efficiency and effectiveness of risk responses. For example, when faced with a high severity risk which has a very low likelihood of detection, response efforts might best be focused on avoiding or transferring the risk if possible.
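To make the stratification concrete, here is an added example (not part of the original post) that scores a constructed register in which every risk has the same probability × impact value and ranks it by RPN. The 1-5 rating scales, the risk names and the thresholds used to flag avoid-or-transfer candidates are assumptions for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1-5 rating scale for all three dimensions


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int   # 1 = rare, 5 = almost certain
    impact: int        # 1 = negligible, 5 = severe
    detection: int     # 1 = seen a mile away, 5 = almost no warning

    def __post_init__(self):
        for field in ("probability", "impact", "detection"):
            if getattr(self, field) not in SCALE:
                raise ValueError(f"{self.name}: {field} must be 1-5")

    @property
    def severity(self) -> int:
        return self.probability * self.impact

    @property
    def rpn(self) -> int:
        return self.severity * self.detection


def prioritize(risks):
    """Highest RPN first; ties fall back to severity, then name."""
    return sorted(risks, key=lambda r: (-r.rpn, -r.severity, r.name))


def avoid_or_transfer_candidates(risks, min_severity=15, min_detection=4):
    """High severity risks with poor detectability (assumed thresholds)."""
    return [r.name for r in prioritize(risks)
            if r.severity >= min_severity and r.detection >= min_detection]


# Constructed register: every risk has the same probability x impact of 20.
REGISTER = [
    Risk("Key vendor misses delivery date", 4, 5, 2),
    Risk("Silent data corruption during migration", 4, 5, 5),
    Risk("Regulatory change mid-project", 5, 4, 3),
    Risk("Lead architect resigns", 5, 4, 4),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.rpn:>4}  sev={r.severity:>2}  det={r.detection}  {r.name}")
```

All four risks tie at a severity of 20, yet their RPNs spread from 40 to 100, and only the two with the weakest detectability are flagged for avoidance or transfer.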
Charles Duhigg – Between calculated risk and reckless decision-making lies the dividing line between profit & loss.