Integral to the process of risk assessment is risk classification. Classification of the level of risk is a somewhat subjective exercise in most cases, although some methods of classification rely on a mathematical formula with points assigned for different levels of variance from the established baseline.
Classification methods depend on the type of data being assessed, which can vary widely -- from parameters which lie inside of outside specified ranges to reports reflecting expert judgements. Assessments involving qualitative approaches, like quantitative ratings, should be based on the experienced judgement of your best technical people.
- High risk -- There is significant variance between your program plan/processes and the best practices baseline. Significant corrective action and high priority management attention are required to achieve an acceptable level of risk.
- Moderate risk -- There is some variance
between your program plan/processes and the best practices found in the
benchmark database. Corrective actions and/or careful monitoring of status
by management are required to reduce risk or to see that the level of risk
does not increase.
- Low risk -- There is little or no
variance between your program baseline and the known best practices
baseline. Actions within the scope of the planned program and normal
management attention should result in maintaining an acceptable level of
- It is very hard to honestly assess your own program without
bias or undue optimism. Use outside assessors whenever
- Assessors must consider many factors in judging whether
variance from standards indicates risk for the program.
Assessors must have considerable experience.
- Don't get caught in the common, but erroneous, assumption
that high risk equals bad program! Risk is an inherent part of
any program attempting to implement new ideas, use new
technology or create new products. It is important to identify
risk, not hide it! Assessors must identify all areas of risk
so that they can be corrected and managed.