2.4 Risk analysis and prioritization

A large number of potential risks can accumulate in the identification phase. The next task is to analyse their effects and the probability that they materialize. After that, the risks can be prioritized in order of importance for resource management.

Risk impact assessment

The effects of risks can be “hard” or “soft”.

It is possible to measure hard impacts in monetary terms. These include a loss of income, costs of repairs or damages. The soft effects are qualitative and related to, for example, customer relations and partnerships, personnel and know-how or reputation.

In projects, risks can affect the schedule, the realization of the budget or the quality of the results.

Organizations often prepare their own impact scale with criteria. Here is an example of a five-point scale suitable for businesses:

  1. Critical: The effects can cause significant financial losses, reputational damage or even the termination of the company’s operations. This can also indicate serious health and safety consequences.
  2. Significant: The effects may cause significant financial or operational disadvantages, but do not necessarily threaten the company’s survival. This may mean significant contract breaches or production interruptions.
  3. Moderate: The effects may cause considerable disruptions but may be managed with internal resources and plans. The financial losses are noticeable, but not catastrophic.
  4. Low: The effects are mild and may cause minor disturbances in everyday functioning. The effects are temporary and may be addressed through existing processes and procedures.
  5. Minor: The effects are negligible or very mild. They do not require special actions, and they do not have a significant impact on the company’s financial result or reputation.

A level classification of effects is a good solution for portfolio management as it makes the information consistent and comparable.

Risk impact evaluation scale, example

For an evaluation to be based on uniform criteria, the scale should be made concrete, for example, as follows:

Quantitative criteria (example)

| Question | 1 – Minor | 2 – Low | 3 – Moderate | 4 – Significant | 5 – Critical |
|---|---|---|---|---|---|
| What is the size of a single loss? | < 0.2 me | 0.2–0.5 me | 0.5–1 me | 0.5–1 me | More than 5 me |

Qualitative criteria (examples)

| Question | 1 – Minor | 2 – Low | 3 – Moderate | 4 – Significant | 5 – Critical |
|---|---|---|---|---|---|
| What is the impact of the risk on customer and/or partner relationships? | The permanence of a significant customer or partner is threatened. | We lose a significant customer or partner. | The permanence of significant customers or partners is threatened. | We lose significant customers or partners. | A large number of important customer or partner relationships are put at risk. |
| What is the impact of the risk on customer and/or partner relationships? | We will lose several employees during the year. | We will lose a key person or several employees quickly. | We will lose several key personnel during the year. | We will lose several key personnel quickly. | Key competence is quickly compromised. |
| How does risk affect reputation? | Little or momentary effect. | A reputational disadvantage, which, however, will soon disappear. | A significant but temporary impact on reputation. | Long-term negative reputation damage. | Permanent negative reputational damage. |

Example of a four-step project risk impact scale:

| Criteria | 1 – Minor | 2 – Moderate | 3 – Significant | 4 – Critical |
|---|---|---|---|---|
| Time | Small schedule changes are required within the project. | If the schedule of one phase is exceeded, the impact on the whole is manageable. | If the schedules of several stages are exceeded, the entire project is put at risk. | The entire project’s schedule is critically exceeded – the project may fail. |
| Keeping the quality/customer promise | Some member of the project’s stakeholder group experiences inconvenience. | Several members of the project’s stakeholder group experience inconvenience. | The activities of members of a critical stakeholder group are disrupted. | The commitment of stakeholders is in crisis. |
| Cost / use of resources | The project’s need for resources does not change much. | The project requires little additional resources. | The project requires significant additional resources to continue. | The need for additional resources jeopardizes the realization of the project. |

Evaluating the probability of risks

Another dimension of risk analysis is probability evaluation. It is based on expertise, previous experiences and data that the organization has collected from its own activities or otherwise acquired. Various simulations, such as Monte Carlo, can help in assessing the probabilities and effects of risks.

The evaluation of probabilities is more subjective, compared to the assessment of effects, especially if no measurable data is available. Therefore, people whose skills and experience complement each other should participate in the evaluation. Personal interests that are too strong may distort the results.

Evaluating scales

Risk probabilities can be described as percentages or levels. Verbal level descriptions facilitate evaluations. In portfolio management, using level values makes the information consistent and comparable.

The following is an example of a four-level probability scale.

| Level | Description |
|---|---|
| 1 – Rare | Very low probability: This has not happened to us, but it is possible. |
| 2 – Unlikely | Low probability: This has sometimes happened. |
| 3 – Possible | Moderate probability: The possibility of the risk materializing is about 50-50. |
| 4 – Very likely | High / very high probability: This has usually happened in similar circumstances. |
| 5 – Almost certain | Moderate probability: The possibility of the risk materializing is about 50-50. |

It is necessary to involve more people in the probability evaluation of risks and determine the level through discussions. In the risk portfolio, it is possible to supplement the evaluation with a verbal justification.

The likelihood of an occurrence and the time period or the probability as a percentage are sometimes attached to the probability assessment. For example, once in ten years means a 10% probability per year. These descriptions aim to make the presentation more precise and the assessment easier to understand. A more accurate assessment can enable the risk register to be combined with a simulation, which can help to illustrate the overall picture.

Risk probability evaluation scale, example


Simulations are based on mathematical models and initial data. The most well-known model is the Monte Carlo simulation, which is a method of numerical modelling that utilizes probabilities and statistics. It repeats similar calculations several times in a row by using the Monte Carlo algorithm. Simulations can be performed with statistical software, but Excel or Thinking Portfolio also provide tools for them.

The Monte Carlo simulation needs estimates of ranges or historical information about real events and value fluctuations as input data. As a result, it tells, among other things, the probability of a certain final result. The input data of a risk management simulation can be, for example, the estimated ranges of the probability and economic effects of individual risks, and the result of the simulation can be the economic expected value and ranges of the risk of the entire risk portfolio.
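Added example (not part of the original page or of any tool it mentions): a minimal Monte Carlo run over a small risk register, taking ranges for the probability and economic effect of each risk as input and producing the expected value and ranges for the whole portfolio. The risk names, the ranges, the uniform distributions and the 1 me threshold are assumptions made for illustration.

```python
import random

# Constructed sample register (not from the page): yearly probability range
# and loss range in million euros ("me") for each risk.
RISKS = [
    {"name": "Key supplier outage",   "p": (0.05, 0.15), "loss": (0.2, 1.0)},
    {"name": "Customer data breach",  "p": (0.02, 0.10), "loss": (0.5, 5.0)},
    {"name": "Loss of key personnel", "p": (0.10, 0.30), "loss": (0.1, 0.5)},
]

def simulate_year(risks, rng):
    """One simulated year: total loss (me) over all risks that materialize."""
    total = 0.0
    for r in risks:
        p = rng.uniform(*r["p"])              # uncertain probability estimate
        if rng.random() < p:                  # does the risk materialize?
            total += rng.uniform(*r["loss"])  # uncertain economic effect
    return total

def simulate_portfolio(risks, trials=50_000, seed=1, threshold=1.0):
    """Repeat the yearly calculation and summarize the loss distribution."""
    rng = random.Random(seed)                 # fixed seed: reproducible runs
    totals = sorted(simulate_year(risks, rng) for _ in range(trials))
    pct = lambda q: totals[int(q * (trials - 1))]
    return {
        "expected_loss": sum(totals) / trials,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "prob_over_threshold": sum(t > threshold for t in totals) / trials,
    }

if __name__ == "__main__":
    for key, value in simulate_portfolio(RISKS).items():
        print(f"{key:>20}: {value:.3f}")
```

The median year shows no loss at all while the 99th percentile is dominated by the single high-impact risk, which is the kind of tail information a plain expected value hides.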

Risk prioritization

Prioritization is based on defining the significance of risks based on their impact and probability. If the five-step evaluation scales described above have been used, the significance of the risk can be defined in the simplest way as the product of the two integers. The result is a so-called risk index (also often called a risk score).

The visually presented risk map, or risk matrix, looks for example as follows:

Example of a risk matrix

Risk management must focus especially on risks with a high risk index. However, risks are not static, so evaluation and prioritization in risk management must be repeated regularly.

In the portfolio, it is possible to record and visualize changes in risks, so that risk management and leadership can decide upon the related actions.