One of the things we need to know about a project or business risk is what does it mean for us now? To classify risk, basically means putting risks into categories. When they are categorized, you can see the bigger picture. Do you have lots of risks that have a potential financial impact? Or a lot of risks that might all materialize in the next six months?
Knowing that information helps you better plan your responses and the management activities required to stay on top of the risk portfolio.
But what should these categories be? The categories typically relate to the attributes of a risk. You can create any type of classification to manage risk, whatever is useful and meaningful to your organization. If it helps you manage your risk portfolio, it’s acceptable!
However, as a starting point we’ve provided five common ways to classify risk below.
A common way to classify risk is by magnitude. In other words, how big is the problem or opportunity?
Magnitude is often measured in financial terms, for example, impact under $50k, or over $1m, with sub-divisions in between. Ideally you’d only want a few big buckets of cost impact, as you’ll be estimating the impact. The more categories you have, the harder it is to agree on which bucket the risk should fall into. Of course, if you know you’ll be able to measure the financial impact accurately with your estimates, then do!
You could also have a subjective measure of how big the impact would be, or use different criteria to assess the impact. For example, amount of time it will take to deal with the risk, or the number of people likely to be affected if it happens.
What you are looking for with magnitude is a statement as to whether the impact is going to be big, medium or small. As a business, you may only want to tolerate a few risks with serious impacts, but you are prepared to tolerate dozens with small impacts.
When is the risk going to hit? And when will the impact be felt?
These two points could be at different times. You may suffer the risk of a flood in the factory, for example, and feel the impact immediately as work needs to stop to clear up the mess. But if the price of steel changes, the impact might not be felt until six months later when you need to order more, and the invoice is finally processed and paid. The financial impact comes later and affects the financial projections you made.
Looking at timescales helps you work out when you’ll need to take the most action. It can help identify periods of time where your business faces greatest exposure, and therefore helps you take better decisions about what steps to take.
3. Originating team
Where did the risk come from? Sometimes it’s helpful to know the source or origin of the risk. It might not be an internal business team. The risk could relate to an external body changing the requirements for compliance, for example.
If this information is useful to know, note it down. It could help you to predict trends.
4. Nature of impact
What sort of impact is this risk going to have? You can come up with categories here, for example:
- Financial impact
- Reputational impact (which could affect share price and lead to a financial impact)
- Environmental impact
- Health and safety impact
- Impact to project measures, such as delivering a project late or over budget, which could incur penalties on a contract
- Impact on staff morale
- Impact on customer satisfaction
And so on.
Again, this is an interesting piece of data as it helps you assess the overall risk exposure for the business or project. If all your risks present a potential negative financial impact, then you might want to urgently address the risk portfolio!
Too many risks that could impact customer satisfaction might mean you want to slow down the rate of change to monitor the situation carefully.
5. Group affected
Finally, it’s worth thinking about who is going to be affected by the impact should it happen. This can also help you balance the risk portfolio and make better decisions about what projects to take on.
If you have a large number of risks, that could occur in the next six months, that all affect one particular business team, you would want to look at that. The team could be hit with several problems all at the same time, and together, the risks could present a larger problem than if they each hit separately.
As we’ve seen, you can come up with a number of categories and classifications to give you interesting and useful data about project risk across the organization. However, it’s only useful if you use it! So think about what you want to capture and how you can turn those data points into management information from which to make decisions and plans.
While you can create a totally bespoke solution for managing your own risk, you could also align the categories you use to a risk management standard.
If your organization subscribes to a risk management standard, or is working towards a particular approach for risk maturity, then your first point of call should be to look at what classifications they suggest.
Use the recommended categories from the standard as a starting point. You can always add in extra information such as the points above if they aren’t adequately covered by what your industry guidance recommends. But instead of starting from scratch, if you have access to a standard approach, consider using that as your baseline.
There are so many different aspects to how you classify risk, so choose the elements that are most relevant to your business and the management information you want to collect for decision making. The above is simply a suggestion – as your risk management maturity levels improve, you’ll be able to tweak your processes to best fit your business needs.