SOFTWARE IN PRACTICE
No game was ever worth a rap for a rational man to play
Risk is the potential for realisation of a set of unwanted circumstances or events.
For example, in the context of the project management process this potential is considered a risk if:
Sample Quantitative Risk Statements
Qualitative Risk Probability
In cases where risk probability cannot be quantified, qualitative measures may be used. The table provides examples.
Identifying Unwanted Outcomes
In identifying risk, risk-aware organisations must first determine the classes of unwanted outcomes that will be considered. For example, one organisation might view fatality and injury as areas of focus while another might add financial loss, property damage, environmental damage and psychological effects.
Classifying Levels of Severity
Determining severity levels is essential component of the risk management process. If a high severity level cannot be tolerated (eg. fatality), an organisation will take action (eg. spend money) to reduce the probability of occurrence. For example a road traffic authority might consider >5 fatalities as a disaster while a rail authority might class a disaster as > 50 fatalities.
Risk classification is a value judgment made by organizations based on community expectations and the practical realities of the environments in which they operate. For example, in the case of a railway network the passenger carrying capacity of trains means that it is possible to have a single incident such as a fire or a collision where greater than 50 fatalities occur. In contrast the road transportation environment does not experience incidents of this severity due to the limited passenger carrying capacity of motor vehicles. As a general rule the scope of risk should accurately reflect hazardous events that are possible in the environment in which the organization operates and the realistic probabilities of these events. Unfortunately there is a significant emotional dynamic in setting risk severity levels. Some organizations are reluctant to admit the possibility of high fatality rates fearing that the documentation of, say, a greater than 50 fatality severity band might imply the organization's acceptance of high casualty rates in the eyes of the general public.
To counter this tendency risk assessors must argue that de-rating realistic risk levels for political reasons is a hazard in itself as a risk assessment that does not recognize real world risks will produce ineffective risk mitigation measures and may result in the realization of the organization's worst nightmare.
The counter argument is that recognising high severity levels does not imply acceptance of these outcomes. Instead it is the first step in ensuring that risk mitigation actions will effectively reduce the probability of these outcomes being realized. The level to which this probability must be reduced is set by community risk tolerability.
The table below provides a sample severity classification for a highway authority.
In managing risks value judgements must be made as to whether something must be done about a particular risky scenario. All risk assessments have one of the following outcomes: