OK, back to the practicalities of implementing the process. A risk brainstorm should be undertaken (but can be supplemented by a more structured template list of the most common risks according to your experience/the experience of your team).

There are a number of resources you can use to help you focus attention on possible risks. A few good links to use are:

• Risk Taxonomy - http://www.sei.cmu.edu/publications/documents/93.reports/93.tr.006.html

• Risk Resources - http://fox.wikis.com/wc.dll?Wiki~CategoryRisk

These risks should initially be assessed at a high level, and you should define a numbering system for both Impact and Probability. It is important to categorise the risk at a high level and this can be readily achieved by defining a clear range for each of these variables. A sample categorisation follows (but should be customised to your projects needs):

Impact
- (5) Catastrophic (Very High) – (30% < x of project budget, mandatory milestone threatened, critical path activity impacted)
- (4) Significant (High) – (15% < x < 30% of project budget, critical milestone threatened, near-critical path activity threatened – minimal float eliminated)
- (3) Moderate (Medium) – (5% < x < 15% of project budget, milestone threatened, near-critical path activity threatened, float reduced but still not critical path)
- (2) Minor (Low) – (1% < x < 5% of project budget, non-critical path activity float eliminated)
- (1) Insignificant (Very Low) – (x < 1% of project budget, non-critical path activity float reduced)

Probability
- (5) Probable (Very High) - (30% < x )
- (4) Possible (High) - (15% < x < 30%)
- (3) Unlikely (Medium) – (5% < x < 15%)
- (2) Rare (Low) – (1% < x < 5%)
- (1) Negligible (Very Low) - (x < 1% )

This initial scoring will help bring the most significant risks to the forefront and ensure valuable project time isn’t lost concentrating on the risks with lower, overall, severity.