The Risk Register is a useful and necessary repository of information about threats, but let’s face it: it isn’t a snappy, visual interface that enables the user to get a sense of the big picture, or how risks compare relative to one another. Here are three ways to “think outside the register” and get a better sense for the risk on your project:
1. Risk Breakdown Structure (RBS). This idea comes from multiple sources such as the Project Management Institute (PMI) as well as other experts in the field. For this post, I’ll draw from a 2002 article by Dr. David Hilson entitled, Use a Risk Breakdown Structure (RBS) to Understand Your Risks. According to the author, an RBS is “a source-oriented grouping of project risks that organizes and defines the total risk exposure of the project. Each descending level represents an increasingly detailed definition of sources of risks to the project. The RBS is therefore a hierarchical structure of potential risk sources” (p. 1). I’ve reproduced an example from his paper below:
This depiction is valuable in multiple ways, but I’ll focus on two: a) If created during the Planning phase of the life cycle, it can aid brainstorming activities during risk identification and also reveal gaps. For example, using the RBS above, the team would spot the oversight quickly if there was nothing in the Level 3 column associated with Technology/Requirements. b) Conversely, what if the team has an abundance of Technology/Requirements risks? Although the illustration above has an equal number of risks per category, that may not be the case in practical applications. Perhaps the Technology/Requirements area has 16 risks, but External/Cultural only has one. The RBS highlights the riskiest deliverables and timing of the project in a graphical way that makes it easy to see hot spots.
2. Time-phased Risk Count by Severity chart. In his 2009 book entitled, Identifying and Managing Project Risk, author Tom Kendrick shows just such a chart on page 310 and I’ve taken a stab at it below. It shows the number of open High, Medium, and Low risks over time. Project Managers can use this tool to understand their current risk position and trends, such as the burn-down of risk over the course of the project.
In the example below, the team has stayed relatively constant in the number of risks per category over a 12 month span. However, that may be a red flag: if the project period of performance is two years, the data below indicates very little retirement of risk in the first year. Yes, a few threats in each category have been retired every month, but from the numbers it seems several more have taken their place.
3. Risk Impact/Probability Chart. This is a simple plot of the risk’s Probability of Occurrence (Pf) and Severity of Consequence (Cf). Most qualitative assessments of risk include both measures, and they can be used to prioritize risks on the project.
The example below shows there are four risks in the danger zone, all with a probability of occurrence greater than 60% (one has a greater than 80% likelihood). However, that’s not enough to elevate them as priorities on the project. When combined with their potential impact to the project – in this case greater than eight days for all four – they become high priorities for the team.
Although the above chart does not show risk aggregated by categories like the RBS, it does show the distribution of current High, Medium, and Low project threats.
Ideally, the project team would use all three charts because each contributes a unique perspective on risk. If you have to choose just one, #3 is probably the best and the most commonly used in industry. Remember that any way you creatively show data in a graphical form will prove a better management tool than an Excel-based spreadsheet with columns of information and no clear way to “see” the big picture.