31 January 2007

Risk Management 101: Assess a risk

There are three steps to assessing a risk: Likelihood, Impact, and Priority/Importance. Priority/Importance is determined by the likelihood and impact.

Risks are often assessed by project team members who have prior experience in a particular area, but bringing in experts can also add value. In fact, most risks have to be assessed by rule of thumb, as they are estimates of future behaviour and events, so the more subject matter expertise you can bring to bear the better.

Be warned that subject matter expertise can also bring a skewed view. People who have been burned by a particular risk can often over-estimate its impact in the future. Similarly, people’s assessment of risks can be skewed by their objectives and their horizons. An example from my past work is subject matter experts from operational areas often assessing risks as having a huge impact (to their business unit) when in fact, in the context of the whole organisation, the impact is insignificant and any inconvenience can be absorbed.

Organised project offices often have defined thresholds for likelihood and impact, and they should be contextualised to the environment. For example, my family’s suburban legal practice would consider a $100,000 impact critical, while Telstra would probably consider this minor.

Examples of Likelihood and Impact thresholds are provided in the sample Risk Management Spreadsheet attached/linked at the end of this article.

Typically, risk management systems use Likert scales (scores from 1-5) to assess impact and likelihood, with each score corresponding to a minimum threshold, a maximum threshold, or both.

I’ll address assessing likelihood and impact in more detail in separate posts.