Project, program and portfolio managers alike will be familiar with contrasting the likelihood of a risk occurring with the consequence should the risk eventuate to determine a risk rating.
Within the industry, the following diagram—known colloquially as a risk matrix or a slight variation thereof—is used by most, if not all, project, program and portfolio managers to assess and prioritise risks.
Project, program and portfolio managers alike will also be familiar that most organisations only permit a limited number (typically five) risks to be reported in regular progress/status reports. Organisations may also have ‘business rules’ that specify which risks are to be reported: typically project and program managers are to report their ‘top five’ risks.
Now this might not be problematic for many projects and programs. But what should a project or program manager do if they have more than five risks of the highest rating? Which risks are to be reported?
A typical risk approach
The majority of project, program and project managers use Microsoft Excel or equivalent as their risk register/log and will accordingly use the ‘sort’ function to sort active risks by their risk rating.
Thereafter, they will select the first five to include in their status reports. Unfortunately, this approach does not prioritise between risks of the same risk rating. Consequently, the risk that should have the highest priority may not be presented at the top of the list of risks being experienced by a project.
Another approach, is to assign a number (or priority value) to each cell in the risk register as below.
This approach will enable project and program managers to differentiate between some risks that have the same rating. It does not, however, differentiate between risks that have the same likelihood and consequence rating combinations.
Furthermore, the assignment of numbers (or priority values) to each cell in the risk matrix is fairly arbitrary and subjective: there is no real science behind it.
Finally, neither of these approaches addresses the granularity of the risk matrix that produces sometimes incongruous distinctions between risk ratings.
The Risk Radial
The concept of the risk radial is based on the visual presentation of the typical risk matrix. As one can see, the risk rating increases as the likelihood and consequence increase.
Indeed, one could map a set of curves over the top of the risk rating and see that risks of a common rating are approximately the same distance from the nil-nil intersection (bottom-left hand corner of the risk matrix).
From this realisation, the risk radial was born. Under the risk radial approach, each risk would be assigned a value according to the following equation:
As we now see, each risk should be capable of having a different risk radial score. This would enable risks to be separated from one another and ordered according to their risk radial score.
Now, we’re not suggesting that the risk radial score should replace the risk rating other than for the purpose of determining the order in which risks should be reported. Stakeholders still need a simple rating of risks. Therefore, using the risk radial score, risks could be graded as either Low, Medium, High or Extreme as shown below.
In addition to assisting to differentiate between risks, the risk radial approach also removes the incongruous distinctions between risk ratings that is a feature of the risk matrix approach.