Define parameters used to analyze and categorize risks and to control the risk management effort.


Parameters for evaluating, categorizing, and prioritizing risks include the following:

  • Risk likelihood (i.e., probability of risk occurrence)
  • Risk consequence (i.e., impact and severity of risk occurrence)
  • Thresholds to trigger management activities

Risk parameters are used to provide common and consistent criteria for comparing risks to be managed. Without these parameters, it is difficult to gauge the severity of an unwanted change caused by a risk and to prioritize the actions required for risk mitigation planning.

Projects should document the parameters used to analyze and categorize risks so that they are available for reference throughout the life of the project because circumstances change over time. Using these parameters, risks can easily be re-categorized and analyzed when changes occur.

The project can use techniques such as failure mode and effects analysis (FMEA) to examine risks of potential failures in the product or in selected product development processes. Such techniques can help to provide discipline in working with risk parameters.

Example Work Products

  1. Risk evaluation, categorization, and prioritization criteria
  2. Risk management requirements (e.g., control and approval levels, and reassessment intervals)


1. Define consistent criteria for evaluating and quantifying risk likelihood and severity levels.

Consistently used criteria (e.g., bounds on likelihood, severity levels) allow impacts of different risks to be commonly understood, to receive the appropriate level of scrutiny, and to obtain the management attention warranted. In managing dissimilar risks (e.g., staff safety versus environmental pollution), it is important to ensure consistency in the end result. (For example, a high-impact risk of environmental pollution is as important as a high-impact risk to staff safety.) One way of providing a common basis for comparing dissimilar risks is assigning dollar values to risks (e.g., through a process of risk monetization).

2. Define thresholds for each risk category.

For each risk category, thresholds can be established to determine acceptability or unacceptability of risks, prioritization of risks, or triggers for management action.


Examples of thresholds include the following:
  • Project-wide thresholds could be established to involve senior management when product costs exceed 10 percent of the target cost or when cost performance indices (CPIs) fall below 0.95.
  • Schedule thresholds could be established to involve senior management when schedule performance indices (SPIs) fall below 0.95.
  • Performance thresholds could be established to involve senior management when specified key items (e.g., processor utilization, average response times) exceed 125 percent of the intended design.

3. Define bounds on the extent to which thresholds are applied against or within a category.

There are few limits to which risks can be assessed in either a quantitative or qualitative fashion. Definition of bounds (or boundary conditions) can be used to help define the extent of the risk management effort and avoid excessive resource expenditures. Bounds can include the exclusion of a risk source from a category. These bounds can also exclude conditions that occur below a given frequency.
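The three subpractices above (consistent likelihood and severity criteria, per-category thresholds plus project-wide management triggers, and scoping bounds) fit together in one small risk register. The following Python script is an added example written for this page, not part of the CMMI text or any tool it references. The probability and dollar bounds, the per-category score thresholds, the excluded risk source, and the sample register are all assumed values chosen for illustration; only the project-wide trigger values (10 percent over target cost, CPI and SPI below 0.95, key items above 125 percent of design) come from the text.

```python
"""Risk parameters: consistent likelihood/severity criteria, per-category
thresholds, project-wide triggers, and scoping bounds (constructed example)."""
from dataclasses import dataclass
import math

# --- Subpractice 1: consistent criteria -------------------------------------
# Likelihood level from probability of occurrence; each tuple is
# (exclusive upper bound, level).  Bounds are assumed values for this example.
LIKELIHOOD_BOUNDS = [(0.05, 1), (0.25, 2), (0.60, 3), (math.inf, 4)]
# Severity level from monetized impact in dollars, so a safety risk and an
# environmental risk with the same dollar impact land on the same level.
SEVERITY_BOUNDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (math.inf, 4)]


def level_for(value, bounds):
    """Map a value onto the first level whose upper bound it falls below."""
    for upper, level in bounds:
        if value < upper:
            return level
    raise ValueError(f"value {value} outside defined bounds")


@dataclass
class Risk:
    name: str
    category: str       # e.g. "cost", "schedule", "safety", "environment"
    probability: float  # chance of occurrence over the project, 0..1
    impact_usd: float   # monetized consequence if the risk occurs
    source: str         # origin of the risk, used by the scoping bounds

    def score(self):
        """Likelihood level times severity level (1..16), comparable across categories."""
        return (level_for(self.probability, LIKELIHOOD_BOUNDS)
                * level_for(self.impact_usd, SEVERITY_BOUNDS))


# --- Subpractice 2: thresholds ------------------------------------------------
# Per-category score thresholds: (accept below, escalate at or above).
# Safety and environment escalate sooner; the numbers are assumed.
CATEGORY_THRESHOLDS = {
    "cost": (4, 9), "schedule": (4, 9),
    "safety": (2, 6), "environment": (2, 6),
}


def disposition(risk):
    """Accept, mitigate, or escalate according to the category's thresholds."""
    accept_below, escalate_at = CATEGORY_THRESHOLDS[risk.category]
    s = risk.score()
    if s < accept_below:
        return "accept"
    if s >= escalate_at:
        return "escalate"
    return "mitigate"


@dataclass
class ProjectStatus:
    cost_ratio: float  # projected product cost / target cost
    cpi: float         # cost performance index
    spi: float         # schedule performance index
    perf_ratio: float  # measured key item / intended design value


def management_triggers(status):
    """Project-wide thresholds from the text that involve senior management."""
    triggers = []
    if status.cost_ratio > 1.10:
        triggers.append("product cost exceeds target by >10%")
    if status.cpi < 0.95:
        triggers.append("CPI below 0.95")
    if status.spi < 0.95:
        triggers.append("SPI below 0.95")
    if status.perf_ratio > 1.25:
        triggers.append("key performance item exceeds 125% of design")
    return triggers


# --- Subpractice 3: bounds ----------------------------------------------------
EXCLUDED_SOURCES = {"cost": {"currency fluctuation"}}  # assumed exclusion
MIN_PROBABILITY = 0.01  # conditions rarer than this are left out of the effort


def in_scope(risk):
    """Apply the bounds: drop excluded sources and sub-threshold frequencies."""
    if risk.probability < MIN_PROBABILITY:
        return False
    return risk.source not in EXCLUDED_SOURCES.get(risk.category, set())


def prioritize(risks):
    """In-scope risks, highest score first, each with its disposition."""
    scoped = sorted((r for r in risks if in_scope(r)),
                    key=lambda r: (-r.score(), r.name))
    return [(r.name, r.score(), disposition(r)) for r in scoped]


# Constructed sample register.
REGISTER = [
    Risk("late vendor delivery", "schedule", 0.40, 250_000, "supplier"),
    Risk("FX rate swing on imports", "cost", 0.30, 50_000, "currency fluctuation"),
    Risk("forklift incident in lab", "safety", 0.10, 400_000, "operations"),
    Risk("coolant spill", "environment", 0.005, 2_000_000, "operations"),
    Risk("scope creep from change requests", "cost", 0.70, 30_000, "customer"),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
    print(management_triggers(ProjectStatus(1.12, 0.97, 0.93, 1.1)))
```

Because severity is expressed in dollars before it is mapped to a level, the forklift risk (safety) and a cost risk of the same monetized impact receive the same severity level, which is the common basis the first subpractice asks for; the stricter thresholds for safety and environment then decide how soon each category reaches management. The two out-of-scope entries (an excluded source and a sub-threshold frequency) never reach the prioritized list, which is the effect the third subpractice describes.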