Assessing risk probability
Dr David T. Hulett, Principal, Hulett & Associates LLC, email@example.com
Effective risk management requires assessment of inherently uncertain events and circumstances, typically addressing two dimensions: how likely the uncertainty is to occur (probability), and what the effect would be if it happened (impact). While unambiguous frameworks can be developed for impact assessment, probability assessment is often less clear. This is particularly true for projects where data on risk probability from previous projects is either not available or not relevant. The credibility and value of the risk process is enhanced if data are collected with care, taking the time and using the tools that are needed properly to develop information based on judgemental inputs. Conversely, the process is undermined when probability assessment appears to be wholly subjective (a guess). It is therefore important to be able to assess probability with some degree of confidence. This paper presents a range of alternative techniques for assessing risk probability in an attempt to remove the subjectivity from this vital element of the risk management process.
There is broad consensus over the definition of “risk” among leading national and international standards and guidelines, as well as professional bodies (Simon, et al., 1997; Australian/New Zealand Standard AS/NZS4360, 1999; Project Management Institute, 2000; British Standards Institute, 2000; Institution of Civil Engineers, 2002; UK Office of Government Commerce, 2002; Institute of Risk Management, 2002). Although the precise wording of different definitions may vary, all agree that risk has two dimensions. The first relates to uncertainty, since a risk is something which has not yet happened and which may or may not occur. The second is about what would happen were the risk to occur, since risks are defined in terms of their effect on objectives. A typical two-dimensional definition of risk in the realm of project management is “An uncertain event or condition that, if it occurs, has a positive or a negative impact on a project objective” (Project Management Institute, 2000, 127).
It is common to use the terms “probability” and “impact” to describe these two dimensions, with “probability” addressing how likely the risk event or condition is to occur (the uncertainty dimension), and “impact” detailing the extent of what would happen if the risk materialised (the effect dimension). When assessing the significance of any given risk, it is necessary to consider both dimensions. Clearly an uncertain event which is likely to occur (i.e. it has high probability) but which would have little or no effect on objectives (low impact) is not significant. Similarly a risk may have such a low probability that it might not be worth considering even if some significant impact were theoretically possible. Risk management processes often include frameworks for determining the significance of a risk based on both probability and impact, such as the two-dimensional Probability-Impact Matrix (Project Management Institute 2000, 137).
In order for assessments of risk to be consistent and meaningful, attention must be paid to the way in which probability and impact are assessed. It is relatively simple to assess the impact of a risk, since this merely requires defining the situation after the risk has occurred, and then estimating the possible effect on each objective. Assessing impact is an exercise in structured imagination: “If this were to happen, what would the effect be?” The other dimension of risk is less amenable to assessment however. Risk practitioners and project teams alike experience repeated difficulty in assessing the probability that a given risk might occur. There are a number of reasons for this, discussed below.
The problem with probability
The first problem in assessing the probability of project risks is the term itself. “Probability” has a precise statistical meaning, for example “a measure of the relative frequency or likelihood of occurrence of an event, whose values lie between zero (impossibility) and one (certainty), derived from a theoretical distribution or from observations” (Collins 1979). However, its general usage is less clear, including its use within the risk management process. Confusion has also arisen as a result of the use of alternative terms in risk guidelines to describe the uncertainty dimension, such as “frequency”, “likelihood” or “chance”, giving the impression that these are mere synonyms for “probability” when, in fact, they are distinctly different. If the uncertainty dimension of risks is to be properly assessed and described, using the term “probability”, it is essential that assessors understand what they are trying to assess.
Setting aside the terminology issue for the purpose of this paper, there is another set of problems with assessing risk probability when considering risks within the context of projects. Projects themselves exhibit certain inherent characteristics which have a significant influence over assessment of risk probability.
Projects are unique
A project can be defined as “a temporary endeavour undertaken to create a unique product, service or result” (Project Management Institute 2000, p4), or as “a unique process, consisting of a set of coordinated and controlled activities with start and finish dates, undertaken to achieve an objective conforming to specific requirements, including the constraints of time, cost and resources” (British Standards Institute, 2000; British Standards Institute, 2002). It is inherent in the nature of projects for at least some aspect of the undertaking to be unique. Consequently, for significant elements of the project, there is no body of relevant previous experience on which to draw. This is particularly true of project risks, those uncertain events or conditions which if they occurred, would affect project objectives. Since the objectives of a given project are likely to be different from those of previous projects, the risks affecting a new project are also likely to be different. This means that some (many?) risks on a particular project will be unique to that project, and there will be no relevant data on their probability of occurrence.
Non-availability of “risk actuals”
Of course some risks on a given project will have arisen previously, since not all aspects of every project are completely unique. However even for these risks, data are often not available from previous projects due to the weakness of the project closure process in many organisations. It is widely recognised that project closure is the least well implemented of the project processes, and that many organisations do not have effective ways of learning lessons from completed projects in order to benefit future projects. Without an effective “lessons to be learned” process, each new project has to face its challenges without access to the structured experience of past projects. This affects risk management in the same way as all other elements of project management. It is rare to find an organisation which conducts post-project reviews to identify and capture risk-related lessons to feed forward to future projects. Such lessons should include which identified risks actually occurred and why, and determine whether there are there any generic risks that might affect similar projects. It should also address which identified risks did not occur and why, which responses were effective in managing risks, and which were ineffective. Without such “risk actuals” from previous projects, the task of assessing the probability of risks which recur on a later project is made more difficult.
Sometimes risks are identified for which some details are inherently unknowable. Where the impact of an uncertain event cannot be defined, it is arguable whether it should be raised as a risk at all, since a risk must by definition affect an objective if it occurs. An uncertainty that does not affect an objective is not a risk. It is however possible to identify a risk, but for its probability of occurrence to be unknowable. This can arise where occurrence of the risk is dependent on influences outside the project (such as the decisions and actions of other stakeholders or competitors), or where the project team lack the necessary knowledge to understand and assess the risk, or, in the case of uncertain events, which are in the realm of pure chance.
Estimating vs. measuring
A further problem with assessing risk probability is that risks are possible future events that have not yet occurred, and, as such, their probability of occurrence cannot be measured, but can only be estimated. In a philosophical sense it can even be said that the risk does not have a real existence in the present, but it only exists in the future. It is therefore not possible to measure any characteristic of a risk since it is not present in reality. It is only possible to estimate what the risk might be like if and when it should arise. This is not too difficult when considering the impact of the risk, but estimation of risk probability is much more problematic. Consequently, estimation of probability tends to be influenced by a wide range of subjective and unconscious sources of estimating bias, making it even less reliable. Such sources of bias need to be understood and managed if realistic and useful assessments of probability are to be made.
Sources of estimating bias
The topic of estimating bias is too large to be covered in this paper, but it deserves mention since it has such a major influence over the ability to assess risk probability. The area is also well covered in the literature (Fischhoff, et al 1981; Janis, 1982; Fischhoff, 1985; Lopes, 1987; Slovic, 1987; Yates, 1992; Hammond, et al 1998). Here it is sufficient simply to mention the two main sources of estimating bias, and to emphasise that these need to be understood and addressed when assessing probability.
A wide range of factors influence the way uncertainty is perceived by both individuals and groups. Of these, four deserve special mention here, since they are particularly relevant to the assessment of risk probability.
- Familiarity. The extent to which an individual, team or organisation has previously encountered the situation drives whether risk probability is perceived as high or low. Where there is little or no previous relevant experience, skill or knowledge, the degree of uncertainty is perceived as higher than is the case when it is assessed by individuals or groups who have come across the situation before.
- Manageability. The degree of control or choice that can be exercised in a given situation drives the assessment of uncertainty, even if the perception is illusory. Where a risk is seen as susceptible to control, risk probability is assessed as lower than in situations where controllability or choice are absent (or perceived to be so).
- Proximity. If the possible occurrence of a risk is close in time or space to those assessing its probability, it will be seen as more likely than risks which might occur later in time or further away in space.
- Propinquity. This term is used to describe the perceived potential for the consequences of a risk to affect the individual or group directly. The closer the impact is to those assessing the risk, the higher is its perceived probability.
Each of these factors (and other similar perceptual influences) operate subconsciously when individuals and groups assess risk probability, making them hard to diagnose and correct. Work is however underway to develop approaches to understanding and managing the factors driving risk attitudes (Hillson & Murray-Webster, 2004).
Another group of subconscious influences also affect perception of risk probability, which are known as “heuristics” or rules-of-thumb. Heuristics are internal frames of reference used by individuals and groups to inform judgement when no firm data are available. This is well described in the literature (Tversky & Kahneman, 1974; Kahneman, et al 1986; Cooper & Chapman, 1987, p94-98; Keeney & von Winterfeldt, 1989; Keeney & von Winterfeldt, 1991; Hillson, 2003, p239-258), and the various heuristics need not be detailed here. It is enough to emphasise their influence in introducing bias into estimates or assessments in situations characterised by uncertainty.
Two types of bias are common as a result of the action of heuristics: motivational bias (where the assessor seeks to improve the apparent position of the situation by modifying the estimate of risk probability); and cognitive bias (arising from unconscious attempts to rationalise lack of certain knowledge). Of these two, motivational bias is perhaps more difficult to identify and manage. It arises when the person or organisation assessing risk probability has an interest in influencing the results of the analysis, and it seems to occur more often among more senior managers. The direction of the bias is usually to make the probability seem to be smaller than it really is, in order to reduce the perception of risk among key stakeholders. There may be occasions when the bias runs the other way, towards an increased perception of risk, although that is more rare.
Clearly assessment of risk probability is a situation where uncertainty is evident, and individuals and groups need to become aware of the inherent heuristics, which are operating when they assess probability, so that corrective action can be taken.
A two-step approach is recommended for managing sources of bias when estimating uncertain situations, including assessment of risk probability. This first requires awareness of the issues, understanding sources of bias, whether they originate from perceptual factors or heuristics. Not only must these be understood in theory, but their operation in practice must be identified, drawing on previous experience wherever possible. This diagnosis allows the second step to be taken, namely action. Understanding one's preferred approach to uncertainty can open the door to managing it, reducing or removing sources of bias at both individual and group levels (Hillson & Murray-Webster, 2004).
Alternative approaches to assessing risk probability
The sections above have described the problem – risk probability is inherently difficult to assess or estimate, particularly in the project context, and assessments involving uncertainty are subject to a wide range of sources of bias. Given this challenge, guidance is required on how to approach the assessment of probability. A range of alternative techniques can be identified, some of which are described below. No one technique is foolproof or applicable to every situation, and each has its own strengths and weaknesses. It is, however, recommended that risk practitioners and project participants who are required to assess risk probability should be aware of the variety of techniques available, and should consider using a range of different approaches as appropriate (Moore, 1983, p16-32; Cooper & Chapman, 1987, p93-107). Selection of techniques might be driven by the depth of risk management process being applied to the particular project, or the size and strategic importance of the project, or the extent to which sources of bias have been identified as influencing assessments.
The following sections outline alternative approaches to assessing risk probability, under three basic headings. The first includes techniques which attempt to define probability in various ways, in order to provide unambiguous language for describing probability. The second group uses various comparators against which the probability of a given risk can be compared. The third approach infers risk probability based on a description of various “states of nature” within the project environment.
Probability exists on a spectrum from impossibility to certainty. There are many ways of describing this spectrum, and definitional techniques for assessment of risk probability offer different ways of describing the scale to give assessors meaningful frames of reference against which they can estimate the probability of a given risk (Hillson, 2003, p108-114). For example, positions on the probability spectrum can be defined using labels (for example low, medium, or high), phrases (such as improbable, possible, or likely), odds (e.g. 1:50, 1:10, 1:3), numbers (i.e. either percentages such as 5%, 40%, 70%, or decimals like 0.05, 0.4, 0.7 etc), or ranges (e.g. 1-10%, 25-50%, 70-90%).
Definitional approaches are most commonly used by risk practitioners, but there are several issues affecting their effectiveness. For example, both labels and phrases are ambiguous and can be interpreted subjectively, with “low” or “unlikely” meaning one thing to one person but holding a different meaning for another. Exhibit 1 presents a summary of recent research by one of the authors (Hillson 2004) on the range of probability values associated with commonly used phrases, indicating very large variability of interpretation of phrases which might be thought to be unambiguous. (See also Boehm, 1989, p133; Moore, 1987, p34-35; Hamm, 1991; Lichtenstein & Newman, 1997; Conrow, 2003, p491-513.)
Other definitional approaches also have problems, since odds are unfamiliar to many (the average person has some difficulty in ordering a series of odds such as 1:2 against, 4:3 on, 9:13, 15:1 etc.), specific percentage or decimal values introduce spurious apparent precision where reality is less certain, and fixed ranges are artificial and do not usually reflect the real range of probability for a given risk.
For all definitional approaches, assessors are faced with the challenge of justifying which point on the defined scale they select, since the assessment of risk probability remains subjective.
A number of techniques have been developed to assist in assessment of risk probability by providing values against which the likelihood of the risk occurring can be compared, asking whether the probability of the risk occurring is more, or less, or the same as the value being presented. The aim of all these techniques is to adjust the comparator until the assessor cannot distinguish between the risk probability and the value being presented. This value is then taken as the best estimate of the risk probability. There are different ways of presenting probabilities against which risk probability can be compared. These include:
- Wagers : The assessor is asked what odds they would give on the risk occurring (though the response is affected by the individual's utility curve, which must be known if the wager is to be properly interpreted).
- Value-oriented : The risk probability is compared to an event whose probability is known, for example is it more or less than the chance of obtaining 10 heads in a coin-toss experiment. Different events are presented until the assessor sees no difference.
- Relative likelihood : Similar to the value-oriented approach, the assessor is asked how much more likely the risk is to occur than some other event whose probability is known. The process can be continued using a value-based approach until equality is reached, or the differential probability can be added to the comparator to give the estimated probability of the risk occurring.
While comparative approaches appear to be simple to use, there are a number of difficulties, including problems with understanding the comparators. In addition, assessments using comparative techniques are particularly subject to perceptual bias and heuristics as discussed above.
The “state of nature” approach
A less-commonly used technique has been developed for inferring risk probability from a description of the state of a project-related variable (hence the approach is called the “state of nature” technique). This involves describing a range of alternative situations or scenarios which might occur for a given risk source on a project, where each scenario has an associated probability of related risks arising. The assessor then identifies where the project is on the scale of scenarios, and the chance of risks occurring in this area is then inferred. Exhibit 2 presents an example where the probability of risks relating to vendors or suppliers is inferred from the status of the supply chain.
This approach has the benefit of being less subjective than others, since the project situation is compared against a defined and objective set of alternatives, and assessment is based on known facts about the project rather than relying on subjective opinion. Of course, it requires scenarios to be developed and graded in advance for each source of risk. This can be done at a generic level or scenarios can be focused on specific risks; more detail is better but requires more work to develop sufficient scenarios to cover all risks.
The state of nature approach also allows comparison of exposure to risk from a given common source across related projects (for example in a portfolio), and facilitates learning from previous experience since “states of nature” can be constructed based on past project performance.
Conclusions and recommendations
Risk is defined in two dimensions: the uncertainty dimension (assessed as probability of occurrence), and the effect dimension (assessed as impact on objectives). Proper assessment of risks requires appropriate assessment of both probability and impact. The effect on objectives is relatively simple to estimate, as it involves a simple exercise in imagining the situation where the risk happens. Assessing probability of occurrence is less straightforward, for the reasons outlined above. Proper assessment of risk probability is however critical to the effectiveness of the risk process, for the following reasons:
- If risk probability assessment is faulty, the accuracy of risk prioritisation will be affected, leading to a potential failure to focus on the most significant risks. This in turn could lead to selection of inappropriate responses, with attention being paid to wrongly-prioritised risks. Inappropriate response selection results in failure to manage risks effectively, with the possibility of loss of confidence in the risk process.
- Conversely if assessment of risk probability is sound, then the resulting understanding of each assessed risk will be more accurate, supporting better decisions in terms of response selection and risk management strategy. The improvement in risk management effectiveness that follows will enhance the credibility of the risk process, and will ultimately lead to more reliable achievement of project and business objectives.
In order to ensure the most robust assessment of risk probability, a two-part solution is recommended. The first part requires awareness of the issues, including understanding the problems associated with assessing probability, the effect of psychological influences, the importance of reliable probability assessment, and the various alternative approaches available. This must be accompanied by action to address the concerns, by identifying and managing sources of bias (both perceptual and heuristic), modifying practice by using different probability assessment techniques, monitoring subsequent project and risk management performance to determine the accuracy of assessed risk probability, and learning lessons to further improve the effectiveness of the probability assessment process.
Australian/New Zealand Standard AS/NZS 4360:1999 (1999) Risk management. Homebush NSW 2140, Australia/Wellington 6001, New Zealand: Standards Australia/Standards New Zealand
Boehm, B. W. (1989) Software Risk Management. Piscataway, New Jersey, USA: IEEE Computer Society Press
British Standards Institute (2000) British Standard BS6079-2:2000 Project Management – Part 2 : Vocabulary. London, UK: British Standards Institute
British Standards Institute (2002) British Standard BS6079-1:2002 Project Management – Part 1 : Guide to project management. London, UK: British Standards Institute
Collins (1979). Collins Dictionary of the English Language. Glasgow, UK: William Collins Sons & Co Ltd.
Cooper, D. F. & Chapman, C. B. (1987). Risk analysis for large projects. Chichester, UK: J Wiley
Fischhoff, B. (1985) Managing risk perceptions. Issues in Science and Technology, 2(1), 83-96
Fischhoff, B., Lichtenstein, S., Slovic, P., Derby, S. L. & Keeney, R. L. (1981) Acceptable risk. Cambridge, UK : Cambridge University Press
Hamm, R. M. (1991) Selection of verbal probabilities : A selection for some problems of verbal probability expression. Organisational Behaviour & Human Decision Processes, 48, 193-223
Hammond, J. S., Keeney, R. L. & Raiffa, H. (1998) The hidden traps in decision making. Harvard Business Review, September/October 1998, pages 47-58
Hillson, D. A. (2003) Effective opportunity management for projects : Exploiting positive risk. New York, NY, USA : Marcel Dekker
Hillson, D. A. (2004) Interpretation of probability-related terms. Risk Doctor Research Paper (forthcoming)
Hillson, D. A. & Murray-Webster, R. E. (2004) Understanding and managing risk attitude. Aldershot, UK: Gower (forthcoming)
Institute of Risk Management (IRM) (2002) A Risk Management Standard. London, UK: AIRMIC/ALARM/IRM
Institution of Civil Engineers (2002) Risk Analysis & Management for Projects (RAMP). (revised edition) London, UK: Thomas Telford
Janis, I. (1982) Groupthink : Psychological studies of policy decisions and fiascos. Boston USA : Houghton Mifflin
Kahneman, D., Slovic, P. & Tversky, A. (eds.) (1986) Judgement under uncertainty : Heuristics and biases. Cambridge, UK: Cambridge University Press
Keeney, R. & von Winterfeldt, D. (1989) On the uses of expert judgment on complex technical problems. IEEE Transactions on Engineering Management, 36(2), 83-86
Keeney, R. & von Winterfeldt, D. (1991) Eliciting probabilities from Experts in Complex Technical Problems. IEEE Transactions on Engineering Management, 38(3), 191-201
Lichtenstein, S. & Newman, J. R. (1997) Empirical scaling of common verbal phrases associated with numerical probabilities. Psychonomic Science, 9
Lopes, L. L. (1987) Between hope and fear : The psychology of risk. Advances in Experimental Social Psychology, 20, 255-295
Moore, P. G. (1983) The business of risk. Cambridge UK: Cambridge University Press
Project Management Institute. (2000) A guide to the project management body of knowledge (PMBOK®) (2000 ed.). Newtown Square, PA, US: Project Management Institute
Simon, P. W., Hillson, D. A. & Newland, K. E. (eds). (1997) Project Risk Analysis & Management (PRAM) Guide. High Wycombe, Buckinghamshire, UK: APM Group
Slovic, P. (1987) Perception of risk. Science, 236, 280-285
Tversky, A. & Kahneman, D. (1974) Judgement under uncertainty : Heuristics and biases. Science, 185, 1124-1131
UK Office of Government Commerce (OGC) (2002) Management of Risk – Guidance for Practitioners. London, UK: The Stationery Office
Yates, J. F. (ed) (1992) Risk-taking behaviour. Chichester, UK : J Wiley
Exhibit 1 : Interpretation of probability-related terms – Research results (Hillson 2004)
Exhibit 2 : “State of Nature” example for vendor/supplier risk
© 2004, David Hillson & David Hulett
Originally published as a part of 2004 PMI Global Congress Proceedings – Prague, Czech Republic
This standard focuses on the “what” of risk management, including: core principles; fundamentals; and life cycle.