Those of us who have been in the industry for more than a decade will well remember the original Australian Standard for Risk Management (AS 4360) and the example likelihood and consequence categories contained therein. That standard was such a thought leader in its own right that it became the basis of the international standard for risk management (ISO 31000). The risk matrix contained in the original Australian Standard can be found in many a project management methodology and training manual.
That said, this risk matrix is often replicated without the alteration or normalisation for the particular organisation or project adopting it that the standard requires.
This failure is not necessarily a bad thing. The time and cost associated with tailoring the risk matrix for a stand-alone project is not normally returned to the project through improvements in the management of project risks. We need to remember that the likelihood and consequence categories and the risk rating derived using the risk matrix are typically used by a single individual, the project manager, to prioritise between risks to a singular project.
Accordingly, one could say that project managers are taking a risk management approach to managing risk.
Where this approach falls down is in programs and portfolios comprising multiple projects managed by different project managers who make different value judgements about the likelihood and consequence, and hence the risk rating, of comparable risks. In this situation, if project managers are left to make their own subjective determinations of likelihood, consequence and risk rating, there is a high probability that a risk will be rated one way by one project manager and another way by a different project manager operating in the same program or portfolio.
As a consequence there is the real possibility that the overall program or portfolio risk profile may be distorted towards a project whose manager over-categorises likelihood and consequence and away from a project whose manager under-categorises likelihood and consequence. This may lead to program or portfolio resources and/or management attention being drawn away from where it is needed most and/or the inefficient allocation of management resources.
The mitigation for this real risk is the development of objective definitions for likelihood and consequence, and the implementation of a common risk matrix that applies to all projects within a program or portfolio.
As a starting point, one could do far worse than use the following objective definitions for the five likelihood categories.
With respect to consequence, it is often hard to develop a single definition for each consequence category unless one reverts to defining all consequence by the cost required to rectify the issue that would result if a risk were to eventuate.
An alternative is to provide multiple definitions as guides to project managers operating within the program or portfolio. Again, a good starting point would be to provide a definition for each of the project’s scope, schedule and cost.
The development and implementation of common objective definitions for likelihood and consequence by all projects within a program or portfolio will enhance project risk management in a program or portfolio environment.