At this point in the process, the known risks for the project have been identified and captured in a risk register, which can be a simple spreadsheet. Since no project is staffed to deal with every identified risk, it is necessary to prioritize the risks to focus resources on the biggest potential problems first. To determine the rank order:

1. Assess the probability and impact of each risk.

  • Probability is the likelihood of a risk actually happening.
  • Impact reflects the detriment to the project if it does.

2. Determine the rank by multiplying the probability value by the impact value.

Definition of Impact and Probability Levels

Before you can assign probability and impact levels, the team must first have a standard definition of what the levels represent. These definitions are a reflection of how much risk you, your team, your stakeholders, your organization, and/or your customer are willing to tolerate.

In theory, these definitions would have been established when you were planning how to do risk management. If not, establish them now. It's important that everyone on the team uses the same standard.

I tend to use a 3-tier ranking system – high, medium, and low. Two examples are shown below. If the team is small and they know each other well, high-level descriptions of what high, medium, and low represent (see example in Table 1) are sufficient. If the team is large or the members do not have much experience working with one another, you will need greater clarity in the definitions (see example in Table 2).

Also notice that the numerical values assigned to the levels in the second example have a larger spread. They range from 1 to 10 versus 1 to 3 in the first table. This will create a bigger differentiation when you get to the step of ranking the risks (discussed below).




(to cost, schedule, scope, etc.)

1 Low
2 Med
3 High

Table 1. Example with high-level descriptions.





|  | Cost | Scope | Quality | Schedule |
| 1 Low |  | Minor | Minor | <1 week |
| 5 Med | Up to 5% | Major | Internal Change Control Board | 1-4 weeks |
| 10 High |  | Catastrophic | Customer notification required | >4 weeks |

Table 2. Example using detailed descriptions with larger value scale.

Assign Impact and Probability Values

With the definitions established, the team can assign a probability and impact value for each risk.

It can be a long and tedious effort if there is discussion around each assigned value, so I tend to go through the process quickly. I encourage the experts to state their recommendations out loud. If there are no objections to what is called out, I capture the numerical value in the proper cell of the spreadsheet and move on to the next one until every probability and impact value has been identified for every risk. If there is an objection, I give the team time to discuss and come to an agreement. Be careful that the team does not go down a bunny trail in these discussions.

Determine the Rank

After assigning each probability and impact value, multiply the two to give the rank for each risk.

Sort the spreadsheet by the rank column from largest to smallest. This puts the highest priority risks at the top. Do a quick scan down the list as a sanity check to make sure the top risks make sense and that one is not missing because of data entry or calculation mistakes.
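The ranking and sanity-check steps above can be scripted when the register is exported as CSV. The following is an added example, not part of the original post: it computes rank as probability times impact on the 1/5/10 scale, sorts largest first, and sets aside rows that would otherwise drop out or be mis-ranked because of data entry mistakes. The column names, the function names, and the sample risks are assumptions constructed for illustration.

```python
import csv
import io

# Agreed level values, following the larger scale (1 Low, 5 Med, 10 High).
SCALE = {1: "Low", 5: "Med", 10: "High"}

# Constructed sample register export; risks and values are illustrative only.
SAMPLE_REGISTER = """risk,probability,impact
Key vendor misses delivery date,5,10
Test environment unavailable,10,5
Lead developer leaves project,1,10
Requirements change late,5,5
Budget cut mid-project,7,10
License audit finding,,5
"""

def rank_risks(csv_text, scale=SCALE):
    """Return (ranked, rejected). ranked is sorted by rank, largest first."""
    ranked, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            p, i = int(row["probability"]), int(row["impact"])
        except (TypeError, ValueError):
            rejected.append((row["risk"], "missing or non-numeric value"))
            continue
        if p not in scale or i not in scale:
            rejected.append((row["risk"], "value not on the agreed scale"))
            continue
        ranked.append({"risk": row["risk"], "probability": p,
                       "impact": i, "rank": p * i})
    # Python's sort is stable, so risks with equal rank keep register order.
    ranked.sort(key=lambda r: r["rank"], reverse=True)
    return ranked, rejected

def tied_ranks(ranked):
    """Rank values shared by more than one risk, for the team to review."""
    counts = {}
    for r in ranked:
        counts[r["rank"]] = counts.get(r["rank"], 0) + 1
    return sorted((k for k, n in counts.items() if n > 1), reverse=True)

if __name__ == "__main__":
    ranked, rejected = rank_risks(SAMPLE_REGISTER)
    for r in ranked:
        print(f'{r["rank"]:>4}  {r["risk"]}')
    for name, reason in rejected:
        print(f"CHECK: {name}: {reason}")
    print("Tied ranks:", tied_ranks(ranked))
```

Rejected rows are reported rather than silently dropped, so a risk cannot go missing from the sorted list unnoticed.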

Excellent. You are now done with ranking the risks. The next post will discuss defining the necessary actions to mitigate or eliminate the top risks.