A risk can be defined as an undesirable development that is not certain to occur but that, if it does occur, will have a significant impact on the project.
Lack of certainty means that the risk carries a probability of occurring rather than a guarantee. The impact of the risk means that there will be an effect on the project in terms of time, cost or quality.
The exposure of the project to the risk can be calculated from this:
Exposure = (Risk Probability) x (Risk Impact)
On its own, the figure for exposure indicates the scale of actions required to keep the risk under control. For example, if the risk impact has been calculated at $10,000 and the risk probability is 0.5%, then the exposure is $500. This means that the action taken to track the risk should have a value of approximately $500. This indication is essential when estimating task cost and duration. Adding criteria to the exposure yields a metric system.
Undesirable events should be identified and managed throughout all phases of the project. Once a risk has been identified and planned for, it has to be managed as a task. The diagram below illustrates the MSF Risk Management Process.
More importantly, before making the project plan, there is a need to analyse the context of the project and identify the categories of risk sources and their consequences. The following examples are based on MSF Risk Sources.