Prioritizing risk response using the Pareto Principle

You Will Identify No Shortage of Risks

Steve McConnell, author of books like “Code Complete” and “Estimation: Demystifying the Black Art,” once commented—

There are only a limited number of things that can go right on a project.
However, there are an unlimited number of things that can go wrong

This maxim stands up to real-world experience. Once you start to actively apply risk management techniques to your programs and operations, you will soon find many, many risks to manage. As a result, you can quickly get so “bogged down” managing risks that you divert too much attention from managing your program or operations (defeating the very purpose that led you to actively manage risk in the first place).

The Trick is Figuring Which Risks to Manage

Not all risks are the same. Some are large; others are small. Some must be avoided, while others can be accepted. Since active management of any risk comes at a cost, the trick is to figure out where the benefit you achieve by actively managing a risk exceeds the cost of doing so. The easiest way to do this is to apply the Pareto Principle.

The Pareto Principle broadly asserts that the top (or worst) 20% of any population of items causes 80% of the total population’s effect. While this “80/20 ratio” can sound trite, its use for estimation and prioritization purposes has been borne out across a wide set of conditions (1 2 3 4). Applying the Pareto Principle to risk management yields the following maxim:

If you focus on continually managing the largest 20% of all risks you will achieve 80% of the total benefit you can possibly achieve using Active Risk Management (ARM)

I have found this a good way not only to prioritize risk response but also to avoid getting caught up in the minutiae of managing trivial risks.

Visualizing the Worst 20% Risk Quintile

As discussed in an earlier post, an easy way to estimate the size of a risk is to break it down into two component dimensions:

  • P, the probability that it will occur, and
  • I, the impact it would cause if it did occur

This decomposition not only makes it easier to estimate the size of a risk using tools like sensitivity analysis; it also makes it clearer why one risk is bigger than another, which simplifies prioritization.

The following diagram plots five risks by probability and impact. To keep things simple, it plots the size of the impact on a zero to 100 scale (this can be done through normalization of true risk impact sizes or through mapping of Low, Medium and High ratings to Six Sigma 1-3-5-9 Critical-to-Quality (CTQ) ratings):

Using This Visualization to Prioritize Response

With this type of plot it is very easy to break down risks by quintile, from biggest to smallest. Now you simply manage each risk from the upper-right-hand corner inward, which uses the Pareto Principle to prioritize your risk response. Work downward, keeping the cost of managing each prioritized risk below its estimated size. Remember to refresh your list of identified risks on a regular basis (to keep up with the latest information).

A Quick Look at How This Changes Your Response

This simple approach can dramatically change how people prioritize risk response. To illustrate this, let’s take a look at the five plotted risks above:

  • Many people focus so much on impact that they use this single dimension to prioritize risks. Under this model, one would prioritize response in the following order: Risk 3, Risk 4, then Risk 5. This would delay the chance to manage Risk 5—the biggest risk—until later (when it is harder to manage—see Note 1).
  • Other people focus on “low hanging fruit” for “quick wins.” While this approach is good for team building, it would start with Risk 1 (and maybe Risk 2). These are low-priority risks that should only be addressed after many larger ones are. (If you continuously look for risks as your program or operations evolve, it may never be worthwhile to spend your time on these risks—see Note 2.)
  • It turns out the best thing to do is manage Risk 5. Then reevaluate which risk is in the worst quintile based on the most current information. Then repeat (until your operations or program is over). Under this model, you are always applying resources to address only the most pressing risks. This lets you apply risk management without letting it take over your entire focus of operations.
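As an added example (not code from the original post), the following Python implements the P × I sizing, worst-quintile selection and manage-then-re-rank loop described above, and contrasts it with the impact-only ordering. The five risks’ probabilities and raw impact figures are constructed values chosen to match the post’s narrative (Risk 3 has the largest impact, Risk 5 is the largest risk overall); impacts are normalized onto the 0-100 scale by dividing by the largest impact, and the `refresh` hook standing in for “the most current information” is a hypothetical addition.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # P: chance the risk occurs, 0.0 to 1.0
    impact: float        # I: raw impact estimate (here, constructed cost figures)

# Constructed sample values (not the post's data), chosen to match its narrative:
# Risk 3 has the largest impact, Risk 5 is the largest overall risk, 1 and 2 are small.
RISKS = [
    Risk("Risk 1", 0.10, 20_000),
    Risk("Risk 2", 0.30, 15_000),
    Risk("Risk 3", 0.20, 95_000),
    Risk("Risk 4", 0.40, 80_000),
    Risk("Risk 5", 0.90, 70_000),
]

def normalize_impacts(risks, scale=100.0):
    """Map raw impact estimates onto the post's 0-100 scale (largest impact = 100)."""
    worst = max(r.impact for r in risks)
    return {r.name: r.impact / worst * scale for r in risks}

def risk_size(risk, impact_0_100):
    """Risk size is P x I, with I already on the 0-100 scale."""
    return risk.probability * impact_0_100

def rank_by_size(risks):
    """Biggest risk first: the upper-right corner of the P-vs-I plot, moving inward."""
    norm = normalize_impacts(risks)
    return sorted(risks, key=lambda r: risk_size(r, norm[r.name]), reverse=True)

def rank_by_impact_only(risks):
    """The single-dimension (impact-only) ordering the post warns against."""
    return sorted(risks, key=lambda r: r.impact, reverse=True)

def worst_quintile(risks):
    """The largest 20% of the open risks (at least one); for five risks that is one."""
    ranked = rank_by_size(risks)
    return ranked[: max(1, math.ceil(len(ranked) * 0.2))]

def pareto_response_plan(risks, refresh=lambda open_risks: open_risks):
    """Manage the worst quintile, refresh estimates, re-rank, repeat until none remain.
    `refresh` (hypothetical hook) returns the open risks with updated P/I estimates."""
    open_risks, plan = list(risks), []
    while open_risks:
        open_risks = refresh(open_risks)          # fold in the latest information
        for r in worst_quintile(open_risks):
            plan.append(r.name)                   # manage it now
            open_risks.remove(r)
    return plan
```

With the constructed values, `rank_by_impact_only` yields Risk 3, Risk 4, Risk 5 while `pareto_response_plan` starts with Risk 5; a `refresh` that raises Risk 1’s probability mid-way pulls it forward in later rounds.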

How This Approach Builds Accuracy over Time

While this approach will not be 100% accurate on an individual, risk-by-risk basis, it leverages the Law of Large Numbers and the Pareto Principle to balance out bias errors over the course of your entire program or operation. The end result is judicious, cost-effective application of risk management from start to finish.

What’s Next

This post wraps up the last “lesson” in this series on risk management. The next post will share some lessons learned on folding these approaches into your operations in a way that combines discipline with low complexity and overhead.

Author’s Acknowledgement: I would like to credit the following past associates with whom I put this approach to prioritizing risk response together: James Gaines, Simon Grant and Igor Mandrosov.


  1. Steven Levitt and Stephen Dubner have written extensively about this impact bias in Chapter Four of Freakonomics.
  2. Remember this analysis the next time your by-the-hour consultant explains their focus on “low hanging fruit.”