HKSM

A technique that evaluates additional attributes of identified risks beyond probability and impact. It uses factors such as urgency, proximity, detectability, controllability, and strategic importance to refine prioritization and guide response planning.

Key Points

• Goes beyond probability and impact to consider extra attributes that influence priority and timing of responses.
• Common parameters include urgency, proximity, detectability, controllability or manageability, and strategic importance.
• Scales and weightings should be defined and tailored for the project, and agreed with key stakeholders.
• Supports a more nuanced ranking to allocate attention, budget, and schedule contingency effectively.
• Useful for both threats and opportunities to balance protection and benefit realization.
• Iterative technique updated during risk reviews as new information emerges.
• Facilitated assessment helps reduce bias and improves consistency across the risk list.

Purpose of Analysis

This analysis helps teams prioritize risks that may not appear critical when looking only at probability and impact. By adding attributes like urgency and detectability, the team can decide which risks need immediate action, which can be monitored, and which merit escalation or strategic attention.

Method Steps

• Define the additional parameters to use (for example, urgency, proximity, detectability, controllability, strategic importance).
• Set simple, clear scales for each parameter (for example, Low/Medium/High or 1–5) and agree on definitions.
• Decide whether parameters have equal weight or apply agreed weightings aligned to stakeholder risk appetite.
• Rate each identified risk against the selected parameters using expert judgment and available data.
• Calculate a composite or multi-criteria score, or sort the list using the agreed decision rules.
• Facilitate a review session to validate scores, resolve differences, and document the rationale.
• Update the risk register with parameter ratings, notes, and resulting priority or response triggers.
• Reassess periodically and after significant changes to keep priorities current.

Inputs Needed

• Risk register or risk list with initial descriptions and causes.
• Defined parameter scales, weightings, and decision rules from the risk approach.
• Stakeholder risk appetite and thresholds to align prioritization.
• Historical data, lessons learned, and benchmarking information.
• Project schedule, key milestones, and lead times to gauge proximity and urgency.
• Existing controls, detection methods, and monitoring indicators.
• Expert judgment from the team, subject matter experts, and relevant stakeholders.
• Assumptions and constraints that may affect detectability or controllability.

Outputs Produced

• Updated risk attributes for each risk (urgency, proximity, detectability, controllability, strategic importance).
• Refined prioritization or ranked risk list to guide action sequencing.
• Triggers and timing guidance for responses and monitoring activities.
• Inputs to risk response planning and contingency allocation.
• Updates to the risk register, including rationale and any new monitoring metrics.
• Recommendations for escalation or strategic review where appropriate.

Interpretation Tips

• High urgency or proximity indicates the need for early action even if impact is moderate.
• Low detectability increases monitoring needs; consider adding controls or early warning indicators.
• Low controllability suggests escalation, transfer, or stronger contingency rather than relying on mitigation alone.
• Consider opportunities with high strategic importance, even when probability is modest.
• Use simple scales to avoid false precision, especially with limited data.
• Revisit weightings if stakeholder priorities shift or project context changes.

Example

A team identifies two threats: R1 (supplier lead time variability) and R2 (new regulatory audit). Both have similar impact, but the audit window is in four weeks.

• R1: Urgency = Medium, Proximity = Medium, Detectability = High, Controllability = Medium.
• R2: Urgency = High, Proximity = High, Detectability = Low, Controllability = Low.
• Outcome: R2 ranks higher due to near-term timing, poor detectability, and limited control; the team assigns an owner, books a compliance review, and prepares documentation immediately.

Pitfalls

• Using undefined or vague scales that lead to inconsistent ratings.
• Overcomplicating the model with too many parameters and complex math.
• Double-counting the same effect across multiple parameters.
• Ignoring opportunities or applying different standards to threats and opportunities.
• Allowing dominant voices to bias scores without facilitation.
• Failing to update assessments after major project changes.
• Treating the ranking as absolute truth rather than decision support.

PMP Example Question

A project team has a risk with moderate impact and probability, but it is likely to occur within the next month, is hard to detect early, and is difficult to control. What should the project manager do first with this information?

1. Defer action because the impact and probability are only moderate.
2. Close the risk and move it to the lessons learned register.
3. Prioritize the risk for immediate response planning due to its urgency, low detectability, and low controllability.
4. Transfer the risk without further analysis.

Correct Answer: C — Prioritize the risk for immediate response planning due to its urgency, low detectability, and low controllability.

Explanation: Assessment of other risk parameters highlights timing and management difficulty. High urgency with poor detectability and controllability warrants prompt planning even when impact and probability are moderate.