Page 1 Copyright 2009 David Hillson/Risk Doctor Limited

The importance of risk descriptions

David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 1
When is a risk
not a risk?
The importance of
risk descriptions
Dr David Hillson HonFAPM FIRM FRSA
Director Risk Doctor & Partners
david@risk-doctor.com www.risk-doctor.com
2009 David Hillson/Risk Doctor Limited, Slide 2
With acknowledgements to
http://www.apm.org.uk/PrioritisingProjectRisk.asp
Page 2 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 3
Why are risk descriptions important?
A good risk description enables:
Understanding
Prioritisation
Management
A good risk description must be:
Clear
Comprehensible
Unambiguous
2009 David Hillson/Risk Doctor Limited, Slide 4
What is the risk?
Typical examples:
Resources
Requirements
The economy
Competition
Overspend/late delivery
Safety incident
Job (in)security

Are these clear, comprehensible, unambiguous?

Page 3 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 5
Key characteristics of risk
Uncertain (ambiguity, variability)
Matters (affects objectives)
Proto-description: Risk is uncertainty that matters
Effect
Risk
Uncertain
event or set of
circumstances
Contingent
result
2009 David Hillson/Risk Doctor Limited, Slide 6
What is a risk?
A risk event is an uncertain event or set of
circumstances that, should it occur, will have an
effect on achievement of one or more of the
projects objectives (APM PRAM Guide)
Risk connects uncertainty with objectives
http://www.apm.org.uk/PRAMGuide.asp
Page 4 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 7
Two-dimensional risk
Risk has two dimensions :
1. uncertainty
2. effect on objectives
impact
probability
2009 David Hillson/Risk Doctor Limited, Slide 8
IMPACT
VHI
HI
MED
LO
VLO
VLO LO MED HI VHI
P
R
O
B
A
B
I
L
I
T
Y
Two-dimensional prioritisation
Probability-Impact Matrix
define scales, then rank each risk in both dimensions
determine size and relative importance of risks
Red = urgent, Yellow = monitor, Green = OK
For both threats & opportunities
Page 5 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 9
VHI
HI
MED
LO
VLO
POSITIVE IMPACT
(Opportunities)
VHI HI MED LO VLO
P
R
O
B
A
B
I
L
I
T
Y
NEGATIVE IMPACT
(Threats)
VHI
HI
MED
LO
VLO
VLO LO MED HI VHI
P
R
O
B
A
B
I
L
I
T
Y
The mirror double P-I Matrix
for both threats & opportunities
2009 David Hillson/Risk Doctor Limited, Slide 10
Is this enough?
Basic risk description must have two elements:
The uncertainty (event, set of circumstances)
Why it matters (effect on objectives)
Any other useful elements to include in risk
description to improve understanding?
Page 6 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 11
Effect
Risk
Uncertain
event or set of
circumstances
Contingent
result
Where does the risk come from?
Cause
Effect
Risk
Certain fact
or condition
Uncertain
event or set of
circumstances
Contingent
result
Drives probability
Drives impact
2009 David Hillson/Risk Doctor Limited, Slide 12
Real examples: cause, risk, effect
We rely heavily on ABC being delivered on time
We are modifying one of our most complicated components. We have very little time for
these changes.
Allocated resource may be reassigned to higher priority projects
Given the unusually high number of builds to be carried out, test cycles may take longer
than planned, which will consume significant additional amounts of time and resource
One contractor left in week 36, another joined start week 37. The inevitable disruption is
not catered for by contingency.
The development team may not perform the tasks in the order laid out in the schedule.
This could result in the dates and quality of deliverables being unpredictable.
The team does not have a documented design for the XYZ function. Therefore there is the
risk that the architecture may not support the required functionality, resulting in the
requirements not being met and/or a higher number of defects.
Extra work may be identified at the detailed design gateway as the full statement of work
is not available at project start
A number of usability issues have been identified by the supplier who plans to raise
change requests.
The current hardware is not fast enough to support testing. This means that we may be
unable to test performance until production hardware is used.
Page 7 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 13
Risk description using
risk metalanguage
A structured description of a risk which separates
cause, risk and effect
As a result of <1. existing condition>,
<2. something uncertain> may occur,
which would lead to <3. effect on objectives>
Key words :
1. is, do, has, has not [present condition]
2. may, might, possibly [uncertain future]
3. would, could [conditional future]
2009 David Hillson/Risk Doctor Limited, Slide 14
Cause
Effect
Risk
Certain fact
or condition
Uncertain
event or set of
circumstances
Contingent
result
Drives probability
Drives impact
Effect(s)
Cause
Effect(s)
Risk
100% Probability
of occurrence
Variable impact
What about variable impact?
Page 8 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 15
Variable exchange rates:
The supplier has provided a fixed price in foreign currency for
the delivery of gas turbines. For planning purposes, the
project budget has been set at the current exchange rate.
However, uncertainty in future exchange rates will drive
actual costs that may be either higher or lower than this
baseline.
Immature software specification:
The signal processing software specification is immature. It is
uncertain as to how well aligned it is to the overall system
specification. A detailed review can be expected to produce
changes. An increase in software resource requirements can
be expected, although these could range from 3 man-months
to 5 man-years.
Real examples: cause, risk, effect
2009 David Hillson/Risk Doctor Limited, Slide 16
Multiple causes, multiple risks,
variable impact
Relevant
Facts
Risk(s) Risk(s)
Effect(s) Effect(s)
Probability
drivers
Impact
variability
drivers
Page 9 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 17
Real example: cause, risk, effect
Failure to co-locate software team
It is planned that the software design team of 40 will
be co-located in Reading within 2 months of contract
award. This may not be achieved, either because
suitable facilities for the team may not be established
in time or because key members of the proposed
software team may refuse to relocate from their
current base in Edinburgh. This would necessitate
running the software team with its current geographic
split, leading to requirements for additional effort and
expenses to support communication, a parallel test
environment to be set up and an estimated increase of
between 1 and 3 months in the development phase
due to inefficient working practices.
2009 David Hillson/Risk Doctor Limited, Slide 18
Causal map
many(C) : many(R) : many(E)
Cause
Risk Risk
Effect(s) Effect(s)
Cause
Cause Cause Cause Cause
Risk Risk Risk Risk Risk Risk
Effect Effect Effect Effect
Page 10 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 19
Real example: Risk concept map
[Ref. Bartlett 2002]
Euro
changeover
is a holiday
period
Retention of
required
resources may
be difficult and
costly
Novelty of
the Euro
Demand
will be
unusually
high
Most of the
currency will
only be first
seen close to
E-day
Potential for
many
forgeries
Big-bang
switchover
Unprecedented
number of
simultaneous
software instructions
to ATMs within 2/3
hour time period on
Jan 1
Local
variations
Replenish-
ment may
be a
problem
Robusticity of
notes and
coins over
time has yet
to be proven
Lack of
consistency
between banks
and between
countries makes
comparisons
difficullt
Different
approaches to
hardware,
software,
support, testing,
operations and
changeover
CIT
avail-
ability
On
premise
storage
ECB
rules
Local
practice
Risk of mis-
dispense if
notes not
robust
Volume
testing cannot
fully simulate
use over time
Potential for
widespread
system
crashes and
ATM down-
time
Has a power
down and re-IPL
been tested for
the whole ATM
network?
First time
every ATM
will have
new cash
Potential
for help
desk call
surge
New note
blocks need
to be
"broken"
Banks need
to consider
staff
incentives
Resources
need to be
committed
Bank
Customer
dis-
satisfaction
Risk of
litigation
Support
response
impacted
Banks could
run out of
cash in
certain areas
Help desk
support has
to be more
localised
Support
contract
impacted
Planned
branch
opening times
may be
impacted
Handlers
more prone
to making
errors
R1
R2
R3
R4
R5
R6
R7
R8
R9
R10
R11
R12
R13
R14
R16
R17
R15
R17
= effect
= cause
= risk
2009 David Hillson/Risk Doctor Limited, Slide 20
Best approach?
It depends on:
Level of detail required for risk description
Complexity of risk process
Types of risk encountered
But also on reason for risk description:
To generate understanding
To permit prioritisation
To support management
All approaches must produce risk descriptions that
are clear, comprehensible & unambiguous
Page 11 Copyright 2009 David Hillson/Risk Doctor Limited
The importance of risk descriptions
David Hillson
2009 David Hillson/Risk Doctor Limited, Slide 21
More information from David Hillson
david@risk-doctor.com www.risk-doctor.com