Page 1 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 1 When is a risk not a risk? The importance of risk descriptions Dr David Hillson HonFAPM FIRM FRSA Director Risk Doctor & Partners david@risk-doctor.com www.risk-doctor.com 2009 David Hillson/Risk Doctor Limited, Slide 2 With acknowledgements to http://www.apm.org.uk/PrioritisingProjectRisk.asp Page 2 Copyright 2009 David Hillson/Risk Doctor Limited The importance of risk descriptions David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 3 Why are risk descriptions important? A good risk description enables: Understanding Prioritisation Management A good risk description must be: Clear Comprehensible Unambiguous 2009 David Hillson/Risk Doctor Limited, Slide 4 What is the risk? Typical examples: Resources Requirements The economy Competition Overspend/late delivery Safety incident Job (in)security
Are these clear, comprehensible, unambiguous?
Page 3 Copyright 2009 David Hillson/Risk Doctor Limited The importance of risk descriptions David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 5 Key characteristics of risk Uncertain (ambiguity, variability) Matters (affects objectives) Proto-description: Risk is uncertainty that matters Effect Risk Uncertain event or set of circumstances Contingent result 2009 David Hillson/Risk Doctor Limited, Slide 6 What is a risk? A risk event is an uncertain event or set of circumstances that, should it occur, will have an effect on achievement of one or more of the projects objectives (APM PRAM Guide) Risk connects uncertainty with objectives http://www.apm.org.uk/PRAMGuide.asp Page 4 Copyright 2009 David Hillson/Risk Doctor Limited The importance of risk descriptions David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 7 Two-dimensional risk Risk has two dimensions : 1. uncertainty 2. effect on objectives impact probability 2009 David Hillson/Risk Doctor Limited, Slide 8 IMPACT VHI HI MED LO VLO VLO LO MED HI VHI P R O B A B I L I T Y Two-dimensional prioritisation Probability-Impact Matrix define scales, then rank each risk in both dimensions determine size and relative importance of risks Red = urgent, Yellow = monitor, Green = OK For both threats & opportunities Page 5 Copyright 2009 David Hillson/Risk Doctor Limited The importance of risk descriptions David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 9 VHI HI MED LO VLO POSITIVE IMPACT (Opportunities) VHI HI MED LO VLO P R O B A B I L I T Y NEGATIVE IMPACT (Threats) VHI HI MED LO VLO VLO LO MED HI VHI P R O B A B I L I T Y The mirror double P-I Matrix for both threats & opportunities 2009 David Hillson/Risk Doctor Limited, Slide 10 Is this enough? Basic risk description must have two elements: The uncertainty (event, set of circumstances) Why it matters (effect on objectives) Any other useful elements to include in risk description to improve understanding? Page 6 Copyright 2009 David Hillson/Risk Doctor Limited The importance of risk descriptions David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 11 Effect Risk Uncertain event or set of circumstances Contingent result Where does the risk come from? Cause Effect Risk Certain fact or condition Uncertain event or set of circumstances Contingent result Drives probability Drives impact 2009 David Hillson/Risk Doctor Limited, Slide 12 Real examples: cause, risk, effect We rely heavily on ABC being delivered on time We are modifying one of our most complicated components. We have very little time for these changes. Allocated resource may be reassigned to higher priority projects Given the unusually high number of builds to be carried out, test cycles may take longer than planned, which will consume significant additional amounts of time and resource One contractor left in week 36, another joined start week 37. The inevitable disruption is not catered for by contingency. The development team may not perform the tasks in the order laid out in the schedule. This could result in the dates and quality of deliverables being unpredictable. The team does not have a documented design for the XYZ function. Therefore there is the risk that the architecture may not support the required functionality, resulting in the requirements not being met and/or a higher number of defects. Extra work may be identified at the detailed design gateway as the full statement of work is not available at project start A number of usability issues have been identified by the supplier who plans to raise change requests. The current hardware is not fast enough to support testing. This means that we may be unable to test performance until production hardware is used. Page 7 Copyright 2009 David Hillson/Risk Doctor Limited The importance of risk descriptions David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 13 Risk description using risk metalanguage A structured description of a risk which separates cause, risk and effect As a result of <1. existing condition>, <2. something uncertain> may occur, which would lead to <3. effect on objectives> Key words : 1. is, do, has, has not [present condition] 2. may, might, possibly [uncertain future] 3. would, could [conditional future] 2009 David Hillson/Risk Doctor Limited, Slide 14 Cause Effect Risk Certain fact or condition Uncertain event or set of circumstances Contingent result Drives probability Drives impact Effect(s) Cause Effect(s) Risk 100% Probability of occurrence Variable impact What about variable impact? Page 8 Copyright 2009 David Hillson/Risk Doctor Limited The importance of risk descriptions David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 15 Variable exchange rates: The supplier has provided a fixed price in foreign currency for the delivery of gas turbines. For planning purposes, the project budget has been set at the current exchange rate. However, uncertainty in future exchange rates will drive actual costs that may be either higher or lower than this baseline. Immature software specification: The signal processing software specification is immature. It is uncertain as to how well aligned it is to the overall system specification. A detailed review can be expected to produce changes. An increase in software resource requirements can be expected, although these could range from 3 man-months to 5 man-years. Real examples: cause, risk, effect 2009 David Hillson/Risk Doctor Limited, Slide 16 Multiple causes, multiple risks, variable impact Relevant Facts Risk(s) Risk(s) Effect(s) Effect(s) Probability drivers Impact variability drivers Page 9 Copyright 2009 David Hillson/Risk Doctor Limited The importance of risk descriptions David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 17 Real example: cause, risk, effect Failure to co-locate software team It is planned that the software design team of 40 will be co-located in Reading within 2 months of contract award. This may not be achieved, either because suitable facilities for the team may not be established in time or because key members of the proposed software team may refuse to relocate from their current base in Edinburgh. This would necessitate running the software team with its current geographic split, leading to requirements for additional effort and expenses to support communication, a parallel test environment to be set up and an estimated increase of between 1 and 3 months in the development phase due to inefficient working practices. 2009 David Hillson/Risk Doctor Limited, Slide 18 Causal map many(C) : many(R) : many(E) Cause Risk Risk Effect(s) Effect(s) Cause Cause Cause Cause Cause Risk Risk Risk Risk Risk Risk Effect Effect Effect Effect Page 10 Copyright 2009 David Hillson/Risk Doctor Limited The importance of risk descriptions David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 19 Real example: Risk concept map [Ref. Bartlett 2002] Euro changeover is a holiday period Retention of required resources may be difficult and costly Novelty of the Euro Demand will be unusually high Most of the currency will only be first seen close to E-day Potential for many forgeries Big-bang switchover Unprecedented number of simultaneous software instructions to ATMs within 2/3 hour time period on Jan 1 Local variations Replenish- ment may be a problem Robusticity of notes and coins over time has yet to be proven Lack of consistency between banks and between countries makes comparisons difficullt Different approaches to hardware, software, support, testing, operations and changeover CIT avail- ability On premise storage ECB rules Local practice Risk of mis- dispense if notes not robust Volume testing cannot fully simulate use over time Potential for widespread system crashes and ATM down- time Has a power down and re-IPL been tested for the whole ATM network? First time every ATM will have new cash Potential for help desk call surge New note blocks need to be "broken" Banks need to consider staff incentives Resources need to be committed Bank Customer dis- satisfaction Risk of litigation Support response impacted Banks could run out of cash in certain areas Help desk support has to be more localised Support contract impacted Planned branch opening times may be impacted Handlers more prone to making errors R1 R2 R3 R4 R5 R6 R7 R8 R9 R10 R11 R12 R13 R14 R16 R17 R15 R17 = effect = cause = risk 2009 David Hillson/Risk Doctor Limited, Slide 20 Best approach? It depends on: Level of detail required for risk description Complexity of risk process Types of risk encountered But also on reason for risk description: To generate understanding To permit prioritisation To support management All approaches must produce risk descriptions that are clear, comprehensible & unambiguous Page 11 Copyright 2009 David Hillson/Risk Doctor Limited The importance of risk descriptions David Hillson 2009 David Hillson/Risk Doctor Limited, Slide 21 More information from David Hillson david@risk-doctor.com www.risk-doctor.com