How to Estimate and Prioritize Risk


A stunt pilot faces many of the same risks that every other business owner faces. What if a vendor fails to meet requirements, for instance? (Credit: iStock/Getty Images)

Estimating and prioritizing risks is a time-consuming process. Furthermore, the results of risk estimation and prioritization don’t often inspire a great deal of confidence in the process. It’s not a perfect process and it will probably never be. We’re not perfect and nothing we ever make[1] will ever be.

Still, we seem to be doing a much better job of judging risk than we did centuries ago. With the advent of “big data” in every line of business, plus the ongoing increase in computing power and increasing sophistication of applications, designers, and users, it stands to reason we’ll be even better at assessing and managing risk a generation or more from now.

Today, we’re going to look at the basics of estimating and prioritizing risks. We’re going to look at:

  • What is risk estimation and how do you estimate risk?
  • What is risk prioritization and how do you prioritize risk?
  • What is the next step in the risk management process?

Risk Estimation

Risk estimation is taking what knowledge you have about a risk and trying to quantify it so you can fairly and reasonably compare it to other risks. Obviously, not all risks are alike. The risk of my house burning down due to faulty wiring is considerably greater than the risk of my basement flooding due to a storm surge, considering I live[2] hundreds of miles north of the Gulf of Mexico and about 500 feet above sea level.

Considering that risk is essentially a function of:

  • The likelihood that a threat will materialize,
  • The impact that threat could have (on a business, a geographical area, infrastructure, etc.), and
  • Our ability to detect the threat before it causes harm,

I can estimate some risks without performing a detailed analysis. In this example, I sense that I should concentrate on controlling the risk of fire and not concern myself as much with storm surges. The likelihood of a house fire in my neighborhood is considerably greater than the likelihood of a storm surge.

A storm surge would have a much greater impact on the area where I live…if it were ever to happen. It seems reasonable to believe that we’re much more susceptible to house fires – whatever their cause – than to storm surges. In the local news, you will see a story about one or more house fires happening every week. A storm surge? Not in recorded history, at least.

In business, it isn’t so easy to tell what risks your organization should be most concerned about and which risks you should attempt to control. Yes, a few external risks are easy to recognize[3], but most internal and external risks are insidious and the differences between them are subtle. Sometimes, the naked eye is adequate but at other times, you need a magnifying glass or even an electron microscope.

There are several readily-available tools that can help us spot some of the hard-to-discern differences between various risks we face, like the risk matrix and failure mode effects analysis, or FMEA. They’re not perfect tools but they’re immeasurably better than blind guessing.

Risk Prioritization

Using a tool like the risk matrix or FMEA correctly allows you to determine which risks should be your greatest concern – which risks you need to address first, second, and so on. FMEA, in particular, helps you prioritize risks when they’re “like apples and oranges” – when they don’t have much in common – or when your initial perception is that every risk is important and they all have to be taken care of as soon as possible.

You have finite resources; you can’t possibly deal with every risk you’ll face all at once. You have to prioritize risks and address them sequentially. In addition, once you’ve addressed a priority risk – once you’ve gotten it under control – doesn’t mean your concern for it goes away.

Risk management is like every other process. You regularly revisit risks, to determine if they are again a priority and to refine your methods of control.

The Next Step

In our next installment, we’ll look at risk control. Until then, if you have questions about this article or you’re a small company looking for risk management advice, send me an email and let’s get the conversation started.


[1] Yes, even artificial intelligence, I’m afraid.

[2] In the St. Louis, Missouri, metropolitan area

[3] Weather-related risks, such as hurricanes, tornadoes, or flash flooding, have historically been easy to predict. That’s why you must read Reference #1.


  1. Gail, William B., “A New Dark Age Looms”, New York Times, 19 April 2016 –
  2. Flick, Stephen M., “Nine of the Biggest Risks Your Company Faces”, Q9C Consulting blog, 27 November 2012 –

We help small businesses improve their efficiency and effectiveness. Whether you're selling a product or a service, we'll show you how you can improve product and service quality, effectively and affordably. If you need quality, environmental, or health & safety management but can't afford a full-time manager or staff, call on Q9C and we'll pick up the slack. For information or a quote, call or write. Subscribe to the Q9C blog while you're at it.

Tagged with: , , , , ,
Posted in Risk Management

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: