Risk

A Risk models a project risk: its RASCI responsibility matrix, its assessment before and after mitigation, and the RiskControl measures that move it from one to the other.

See Domain Model — Risks for a conceptual overview and Merging — Risk merging for merge semantics.

Risk

Bases: MergeableModel

A project risk, its assessments before and after controls, and its controls.

Attributes:

| Name | Type | Description |
| --- | --- | --- |
| id | int | Integer identifier, unique within the enclosing Scope's risks. |
| description | str | Non-empty description of the risk. |
| rasci | frozenset[RasciAssignment] | RASCI responsibility bindings for managing this risk overall (not for executing any single control measure). Each role name must appear at most once. Defaults to an empty frozenset. |
| potential_assessment | RiskAssessment | The assessment of the risk before any controls are applied. |
| residual_assessment | RiskAssessment | The assessment of the risk after its controls are applied. |
| risk_controls | frozenset[RiskControl] | The measures taken to move from the potential to the residual assessment. Defaults to an empty frozenset. |

RiskAssessment

Bases: MergeableModel

A scored and categorized evaluation of a Risk's impact, probability, and threat.

Attributes:

| Name | Type | Description |
| --- | --- | --- |
| impact | float | Index in [0.0, 1.0] measuring the consequence if the risk materialises. |
| probability | float | Index in [0.0, 1.0] measuring the likelihood of occurrence. |
| threat | float | Index in [0.0, 1.0] measuring the overall danger posed by the risk. |
| impact_category | str | Non-empty label categorizing impact, produced by strategy. |
| probability_category | str | Non-empty label categorizing probability, produced by strategy. |
| threat_category | str | Non-empty label categorizing threat, produced by strategy. |
| strategy | RiskAssessmentStrategy | The strategy instance that produced the three categories above. |

strategy_name property

The concrete strategy's class name, for identifying it once serialized.

Returns:

| Type | Description |
| --- | --- |
| str | type(self.strategy).__name__. |

assess(impact, probability, threat, *, strategy=DEFAULT_RISK_ASSESSMENT_STRATEGY) classmethod

Build a RiskAssessment by categorizing the three indexes with strategy.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| impact | float | Index in [0.0, 1.0] measuring the consequence if the risk materialises. | required |
| probability | float | Index in [0.0, 1.0] measuring the likelihood of occurrence. | required |
| threat | float | Index in [0.0, 1.0] measuring the overall danger posed by the risk. | required |
| strategy | RiskAssessmentStrategy | The categorization policy to apply. Defaults to DEFAULT_RISK_ASSESSMENT_STRATEGY. | DEFAULT_RISK_ASSESSMENT_STRATEGY |

Returns:

| Type | Description |
| --- | --- |
| RiskAssessment | A new RiskAssessment with categories computed by strategy. |

RiskLevel

Bases: SemanticallyOrderedEnum['RiskLevel'], Enum

Orderable classification of a risk's threat index.

Attributes:

| Name | Type | Description |
| --- | --- | --- |
| LOW | | Minimal threat; unlikely to warrant dedicated controls. |
| MODERATE | | Noticeable threat; worth monitoring and controlling. |
| HIGH | | Significant threat; requires active controls. |
| CRITICAL | | Severe threat; requires immediate and thorough controls. |

semantic_order() classmethod

Define the threat ranking from lowest to highest.

Returns:

| Type | Description |
| --- | --- |
| tuple['RiskLevel', ...] | Members ascending from LOW to CRITICAL. |

ImpactLevel

Bases: SemanticallyOrderedEnum['ImpactLevel'], Enum

Orderable classification of a risk's impact index.

Attributes:

| Name | Type | Description |
| --- | --- | --- |
| NEGLIGIBLE | | Little to no consequence if the risk materialises. |
| MINOR | | Limited, easily absorbed consequence. |
| MAJOR | | Substantial consequence requiring recovery effort. |
| SEVERE | | Consequence threatening the project's or organisation's goals. |

semantic_order() classmethod

Define the impact ranking from lowest to highest.

Returns:

| Type | Description |
| --- | --- |
| tuple['ImpactLevel', ...] | Members ascending from NEGLIGIBLE to SEVERE. |

ProbabilityLevel

Bases: SemanticallyOrderedEnum['ProbabilityLevel'], Enum

Orderable classification of a risk's probability index.

Attributes:

| Name | Type | Description |
| --- | --- | --- |
| RARE | | Very unlikely to occur. |
| UNLIKELY | | Occurrence is possible but not expected. |
| LIKELY | | Occurrence is expected under normal circumstances. |
| ALMOST_CERTAIN | | Occurrence is expected to happen. |

semantic_order() classmethod

Define the probability ranking from lowest to highest.

Returns:

| Type | Description |
| --- | --- |
| tuple['ProbabilityLevel', ...] | Members ascending from RARE to ALMOST_CERTAIN. |

RiskAssessmentStrategy

Bases: BaseModel, ABC

A pluggable policy that categorizes raw [0.0, 1.0] risk indexes into labels.

Each index has its own default vocabulary (ImpactLevel, ProbabilityLevel, RiskLevel), but a strategy is free to return any non-empty label; RiskAssessment stores categories as plain strings rather than being bound to these enums.

categorize_impact(value) abstractmethod

Categorize an impact index value.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| value | float | The raw impact index, within [0.0, 1.0]. | required |

Returns:

| Type | Description |
| --- | --- |
| str | A non-empty label for the impact category. |

categorize_probability(value) abstractmethod

Categorize a probability index value.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| value | float | The raw probability index, within [0.0, 1.0]. | required |

Returns:

| Type | Description |
| --- | --- |
| str | A non-empty label for the probability category. |

categorize_threat(value) abstractmethod

Categorize a threat index value.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| value | float | The raw threat index, within [0.0, 1.0]. | required |

Returns:

| Type | Description |
| --- | --- |
| str | A non-empty label for the threat category. |

ThresholdRiskAssessmentStrategy

Bases: RiskAssessmentStrategy

The default strategy: splits [0.0, 1.0] into four quartile buckets.

Attributes:

| Name | Type | Description |
| --- | --- | --- |
| low_max | float | Upper (exclusive) bound of the lowest bucket. Defaults to 0.25. |
| medium_max | float | Upper (exclusive) bound of the second bucket. Defaults to 0.5. |
| high_max | float | Upper (exclusive) bound of the third bucket. Defaults to 0.75. Values at or above this bound fall into the fourth (highest) bucket. |
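
The bucket boundaries described above, as an added sketch that is not the project's own code: it reimplements the documented defaults with the standard library only, to show where values that sit exactly on a bound land. The mapping of the four buckets onto the enum member names in ascending order, the bounds check, and the helper names `bucket`, `assess_indexes` and `threat_reduction` are assumptions.

```python
from bisect import bisect_right

# Default vocabularies from the enums documented on this page, lowest first.
# Assumption: bucket N maps to the N-th member name in semantic order.
RISK_LEVELS = ("LOW", "MODERATE", "HIGH", "CRITICAL")
IMPACT_LEVELS = ("NEGLIGIBLE", "MINOR", "MAJOR", "SEVERE")
PROBABILITY_LEVELS = ("RARE", "UNLIKELY", "LIKELY", "ALMOST_CERTAIN")


def bucket(value, labels, low_max=0.25, medium_max=0.5, high_max=0.75):
    """Return the label of the bucket that `value` falls into.

    Upper bounds are exclusive, so a value equal to a bound lands in the
    next bucket up; bisect_right gives exactly that behaviour.
    """
    # NaN fails this comparison as well, so it is rejected here too.
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"index must be within [0.0, 1.0], got {value!r}")
    bounds = (low_max, medium_max, high_max)
    # Assumed sanity check: overlapping bounds would silently hide a bucket.
    if not 0.0 <= low_max < medium_max < high_max <= 1.0:
        raise ValueError(f"bounds must be strictly increasing, got {bounds!r}")
    return labels[bisect_right(bounds, value)]


def assess_indexes(impact, probability, threat, **bounds):
    """Categorize the three indexes (hypothetical stand-in for assess)."""
    return {
        "impact_category": bucket(impact, IMPACT_LEVELS, **bounds),
        "probability_category": bucket(probability, PROBABILITY_LEVELS, **bounds),
        "threat_category": bucket(threat, RISK_LEVELS, **bounds),
    }


def threat_reduction(potential, residual):
    """Number of RiskLevel steps the controls moved the threat category down."""
    rank = RISK_LEVELS.index
    return rank(potential["threat_category"]) - rank(residual["threat_category"])


if __name__ == "__main__":
    # Constructed sample: one risk scored before and after its controls.
    potential = assess_indexes(impact=0.9, probability=0.5, threat=0.75)
    residual = assess_indexes(impact=0.9, probability=0.2, threat=0.3)
    print(potential, residual, threat_reduction(potential, residual))
```

A zero or negative `threat_reduction` on a risk that lists controls is worth a second look during review, since the controls are meant to account for the move from potential to residual.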

RiskControl

Bases: MergeableModel

A measure taken to reduce a Risk from its potential to its residual assessment.

Attributes:

| Name | Type | Description |
| --- | --- | --- |
| description | str | Non-empty description of the control measure. |
| procedure | Procedure \| None | An optional, self-contained flowchart to follow when carrying out this control. Defaults to None for controls that do not require a formal procedure. |