Once you have identified your risks, to help manage your risks, you need gather additional information about the risk. It is easy to think of this information as answering the question “Who, What, When, Where and How. Let’s use one of Hollywood’s most know risk takers Indiana Jones. In this case we can imagine that Indiana Jones is on another mission to recover an ancient artifact and has the risk “Unwanted encounter with the Maniacal Nazi Scientist”. Here is how he might define the risk in a risk register.
Enter the risk in the risk register “Unwanted encounter with the Maniacal Nazi Scientist”.- Identify risk properties. For example, risk ““Unwanted encounter with the Maniacal Nazi Scientist” will occur only when Indiana Jones is in enemy’s airport just before the plane takes off; Indiana Jones will be an owner and manager of this risk; he is the one man in the airport, and nobody can help him. From this information, Indiana Jones can add also the location and expected time when the risk could occur.
- Select which risk categories this risk will impact. The same risk may affect different categories with different impacts. In this case it is duration and safety; we doubt that Indiana Jones had any concerns about cost, environment, or public relations.
- Each category may have different impact type. Impact type is what exactly may happen if risk occurs. In our case we can define the type of impact for the impact type related to category project duration:
a. Relative delay, for example task is delayed on 20%, if risk is occurred
b. Fixed delay, or task delay on 5 days
c. Restart task
d. Cancel task - Define the impact type for safety. Indiana Jones is quite risk tolerant and decides that a fight with a maniacal scientist is not a problem for him and should not have a high impact on his mission. He can choose how to define safety for:
a. Safety of himself
b. Safety of others
c. Safety of equipment and tools
Since there is nobody else there that he cares about and he does not have any equipment or tools rather than his hat, he chooses “Safety for himself”. - Define impact value. For each impact type Indiana Jones must define an actual impact value. For delay he enters 10%. For safety he has different choices. He chooses “Non-injury accident” meaning he probably gets knocked down a few times, but prevails without any grievous wounds as this is the usual outcome of his fights with villains regardless of their size, skill, and weapons. He enters 10% for this risk impact type.
- Enter probabilities for risk impacts. Indiana Jones enters probabilities for both risk impacts. Usually, a risk has a single probability for all risk categories. So, Indiana Jones enters that there is a 50% probability that he will meet a maniacal Nazi scientist.
After entering in the risk information into his risk register, Indian Jones will be able to understand both the potential impacts of the risk and have information that will help him come up with plans to minimize or avoid the probable consequences of each risk. Information about risk probabilities and impacts will be used in quantitative risk analysis using Monte Carlo simulations.
