When addressing risks, many organizations usually start by correcting those risks with a lower

impact to the organization and a lower probability because these are easier to fix — and fixing a
greater number of open issues in a short amount of time looks better on paper. However, auditors
should recommend that organizations start by addressing those risks that will have the highest
likelihood of occurring and will have the highest impact. This is because by focusing on the low-
impact risks first, the company still remains vulnerable to the high impact risks that can cause
irreparable damage (Edmead, 2008).

In addition, while high impact/high likelihood risks should be a high priority, low impact/high
likelihood risks and high impact/low likelihood risks also may require immediate attention.
Therefore, each risk should be carefully evaluated before determining which risk needs to be
addressed first.
(https://iaonline.theiia.org/understanding-the-risk-management-process)
Following the risk assessment, the organization should be able to list all business risks (prioritized
by those that would have high impact and have a high probability of occurring), and a list of
mitigating control options to address the business risks (Rupert, 2013).
https://perspectives.avalution.com/2013/the-relationship-between-the-business-impact-analysis-
and-risk-assessment/

Low Impact, Low Probability

Risks that can be characterized as both low impact and low likelihood of occurrence are essentially
negligible and can usually be eliminated from active consideration. The main concern of the
owner’s project director is to monitor these factors sufficiently to determine that the impact or
likelihood does not increase.

High Impact, High Probability

Risks that are characterized as both high impact and high likelihood of occurrence often cause a
project to be terminated, or to fail if it is continued in spite of the risks. In this situation, the owner’s
management must determine if the project should be terminated or if the project is so mission
critical or the potential benefits are so great that taking the risks is justified. Risk management does
not imply that no risks are taken; it means that the risks taken should be calculated risks. For
example, an owner may decide to proceed if there is a reasonable expectation that enough
engineering or management effort can reduce either the impact or the likelihood of the events, such
that the risk can become either low impact, high probability or low probability, high impact. Often
such a decision is contingent on achieving the necessary risk reductions by some deadline.

Low Impact, High Probability

Low-impact, high-probability risks are those largely due to uncertainties about a number of
elements that may be individually minor risks but that in the aggregate could amount to a
significant risk. These include uncertainties concerning the actual costs of labor and materials
(such as steel), the actual durations of activities, deliveries of equipment, productivity of the
workforce, changes due to design development or the owner’s preferences, and other uncertainties
that are typically considered to lie within the natural variability of project planning, design,
construction, and start-up (they do not include catastrophic events or radical design changes). Each
of these uncertainties, taken alone, would have little impact on the project. However, taken
together, there is the possibility that many of the estimates of these factors would prove to be too
optimistic, leading

Page 27
Suggested Citation:"4 Risk Identification and Analysis." National Research Council. 2005. The
Owner's Role in Project Risk Management. Washington, DC: The National Academies Press. doi:
10.17226/11183. ×

Add a note to your bookmark

Save
Cancel
to cumulative effects such as performance shortfalls, schedule overruns, and cost overruns.
Methods for dealing with such risks include

Provision for adequate contingencies (safety factors) for budget and schedule (contingencies are
discussed in Chapter 6).
Improvement in the work processes in order to reduce the uncertainties. Prefabrication of major
components to avoid the uncertainties of construction at a job site is one example of changing the
normal process to reduce risks (although in this example the change may also introduce new risks,
such as transportation of the components to the job site; thus the resolution of one risk may give
rise to another).

High Impact, Low Probability

By definition, high-impact, low-probability events are rare occurrences, and therefore it is very
difficult to assign probabilities to them based on historical records. Data do not exist and so
subjective estimates of probabilities are necessary. However, the objective is not the scientific
determination of accurate probabilities of rare events but the determination of what management
actions should be taken to monitor, mitigate, and manage the risks. For example, if a certain risk
is identified and management determines that some specific mitigation actions should be taken if
the risk has a likelihood of more than 1 in 100 of occurring, then a precise characterization of the
probability is unnecessary; the only issue is whether it is assessed to be more than 1 in 100 or less
than 1 in 100.
(
(https://www.nap.edu/read/11183/chapter/6#27)

Low impact/low probability – Risks in the bottom left corner are low level, and you can often
ignore them.
Low impact/high probability – Risks in the top left corner are of moderate importance – if these
things happen, you can cope with them and move on. However, you should try to reduce the
likelihood that they'll occur.
High impact/low probability – Risks in the bottom right corner are of high importance if they do
occur, but they're very unlikely to happen. For these, however, you should do what you can to
reduce the impact they'll have if they do occur, and you should have contingency plans in place
just in case they do.
High impact/high probability – Risks towards the top right corner are of critical importance. These
are your top priorities, and are risks that you must pay close attention to.
(https://www.mindtools.com/pages/article/newPPM_78.htm)
Risk assessment basically involves the calculation of the magnitude of potential consequences
(levels of impacts) and the likelihood (levels of probability) of these consequences to occur (EAF,
). Probability impact matrix is one of the commonly used qualitative methods for risk assessment.
After awarding of the total (scores) for likelihood and impact of risk categories identified by the
risk manager or project team members will proceed to multiplying the two variables. The result of
this operation will expunge degree of risk.
According to The IIA, risk is defined as the possibility that an event will occur, which will impact
an organization's achievement of objectives (The Professional Practices Framework 2004).