A Risk Analysis may identify a number of risks that appear to be of similar ranking or severity. When too many risks are clustered at or about the same level, a method is needed to prioritize risk responses and where to apply limited resources. Such a method should be tied to mission/business needs and maximize the use of available resources.
Risk Prioritization Approach
A rational and common sense prioritization is a key component of a risk management program and becomes necessary when requirements cannot be fully satisfied. To adequately defend risk response decisions made by senior leaders/executives (e.g., why certain risks were or were not mitigated), decision-makers should know or be able to obtain the answers to the following questions: [1]
In the event, the identified risk (or set of risks) materialized: [1]
- How critical would the immediate impact be to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation?
- How critical would the future impact be to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation?
- The answers to the above questions provide the basis for a justifiable prioritization that is based on current and future organizational needs. Mission/business owners (or their designees) and mission/business subject matter experts can be consulted to obtain the most complete and up-to-date information.
These first two (2) questions are tied directly to strategic and tactical operational considerations. Applying the first two questions above may or may not provide sufficient differentiation between risks for identifying which risks require greater attention for mitigation. Senior leaders/executives must decide whether a critical mission/business need today warrants jeopardizing the future capabilities of the organization. If needed, repeat this process for risks with less severity based on current and future capabilities. [1]
Next, answer the following questions to further refine a group of risks with the same or similar rating.
- What is the expected loss from a single occurrence of the threat?
- What if the risk can materialize more than once, what is the overall expected loss for the time period of concern?
In the event that recovery cost for a risk materializing once, is expected to be equal to or greater than the investment in the asset, organizations consider addressing the risk to the greatest extent possible or revisiting other ways of fulfilling the mission/business activities.
The remainder of the questions can be used to better understand the relationship of a particular risk and/or mitigation to other risks and/or mitigations. If a risk materializes that is closely related to multiple risks, it is likely that a cluster of risks will materialize at or near the same time.
Managing Risk Impact
Managing the adverse impact from one threat occurrence may be possible; managing multiple risks of high impact that materialize at the same time may be beyond the capacity of the organization and therefore needs to be managed much more closely.
Will the materialization of a particular risk result in: [1]
- A high likelihood or virtual certainty in other identified risks materializing?
- A high likelihood or virtual certainty in other identified risks not materializing?
- No particular effect on other identified risks materializing?
If a risk is highly coupled to other risks or seen as likely to lead to other risks materializing (whether the risk is the cause or materializes concurrently), such risks are given extra attention and are likely to warrant resources applied to them in hopes of preventing multiple risks from materializing at or near the same time. If risk materializing will actually decrease the likelihood of other risks materializing, then further analysis is warranted to determine which risks become a lower priority to mitigate. To maximize the use of available resources within the organization, the cost of risk mitigation considers whether the mitigation addresses: [1]
- More than one risk; or
- One or more risks completely, partially, or not at all.
AcqLinks and References:
- DoD Risk Management Guidebook – Aug 06
- Defense Acquisition Guidebook (DAG) – Chapter 2 & 4
- Risk Assessment Checklist
- Risk Assessment Worksheet and Management Plan
- Continuous Risk Management Guidebook by Carnegie Melon
- Template: Risk Management Plan
- Template: Project Rick Management Template
Updated: 7/19/2021
Rank: 3.5