Misplaced Pages

This is an old revision of this page, as edited by Werdna (talk | contribs) at 11:50, 21 June 2011 (→What is a "Risk Breakdown Structure?": "A" before "h" is standard usage in some dialects, no need for .). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages) No issues specified. Please specify issues, or remove this template. (Learn how and when to remove this message)

Risk Breakdown Structure (RBS) - A hierarchically organised depiction of the identified project risks arranged by category.

An Introduction to the Risk Breakdown Structure

When planning a project to meet targets for cost, schedule, or quality, it is useful to identify likely risks to the success of the project. A risk is any possible situation that is not planned for, but that, if it occurs, is likely to divert the project from its planned result. For example, an established project team plans for the work to be done by its staff, but there is the risk that an employee may unexpectedly leave the team.

In Project Management, the Risk Management Process has the objectives of identifying, assessing, and managing risks, both positive and negative. All too often, project managers focus only on negative risk, however, good things can happen in a project, "things" that were foreseen, but not expressly planned.

The objective of Risk Management is to predict risks, assess their likelihood and impact, and to actively plan what should be done ahead of time to best deal with situations when they occur.

The risk management process usually occurs in five distinct steps: risk management planning, risk identification, risk analysis, risk response planning, and risk monitoring and control. The central point of risk identification and assessment in risk management is understanding the risk. However, this is also where project managers and risk subject matter experts (SMEs) get the least help from recognized references, best practices, or work standards.

Currently, the Project Management Institute (PMI) has a team of SMEs working on a Practice Standard for Risk Management. This team has identified one very good tool: the Risk Breakdown Structure (RBS). The RBS helps the project manager, the risk manager, and almost any stakeholder to understand, and therefore be able to identify and assess risk.

What is a "Risk Breakdown Structure?"

The RBS will prove extremely valuable to better grasp when a project needs to receive special scrutiny, in other words, when risk might happen. The RBS can also help the project manager and the risk manager to better understand recurring risks and concentrations of risk that could lead to issues that affect the status of the project.

Following the concept of the Work Breakdown Structure (WBS), the Risk Breakdown Structure provides a means for the project manager and risk manager to structure the risks being addressed or tracked. Just as PMI defines the Work Breakdown Structure as a "deliverable-oriented grouping of project elements that organizes and defines the total work scope of the project..." the RBS could be considered as a "hierarchically organized depiction of the identified project risks arranged by risk category."

Many project managers and risk managers currently use "home-grown" methods for listing, identifying, assessing, and tracking risks in their projects. These methods include: spreadsheets, listing, generic risk taxonomy, based somewhat loosely on various standards and guidelines.

An approach that simply places the risks in a list, a simple table, or even in a database does not provide the strength of using a structured, organized method similar to a Work Breakdown Structure. To fully understand the risks and better identify and assess the risk, a "deep-dive" into each risk, recording as many levels of identification as necessary, may be required. The project value of placing risks in a structure such as this lies in the ability of the project manager and risk manager to then quickly and easily identify and assess the risk, identify the potential risk triggers, and develop a more robust risk response plan . If all risks are placed in a hierarchical structure as they are identified, and the structure is organized by source, the total risk exposure to the project can be more easily understood, and planning for the risk more easily accomplished.

Templates for creating a Risk Breakdown Structure

This section may be confusing or unclear to readers. Please help clarify the section. There might be a discussion about this on the talk page. (July 2010) (Learn how and when to remove this message)

The concept of the RBS is new. The PMBoK (2004), barely references its use; however, the PMI Standards team has incorporated the RBS in the Practice Standard for Risk Management (draft for release in 2009). The PMBoK provides an example graphic of the RBS in Chapter 11, Figure 11.4. This reference has as major topics: Technical, External, Organizational, and Project Management. Another source provides the following major topics: Technical, Management, Organizational, External, and Project Management. Dr. David Hillson, in the proceedings of the Project Management Institute Annual Seminars and Symposium, on Oct. 3-10, 2002, provided several different RBS Structure examples, with topics similar to those already shown. Dr. Hillson broke out two different examples, an RBS for Software Development, which had the following major topics: Product Engineering, Development Environment, Program Constraints; and an RBS for Construction Design, which has these major topics: Environment, Industry, Client, Project.

Each RBS is broken into "levels", with each level providing a more in-depth "view" of the identified risk. As an example, in creating a RBS for software development, Level 1 of the RBS might be Technical, followed by Level 2, Requirements, followed by Level 3, Functional Requirements, Informational Requirements, Non-functional Requirements, etc. If desired, Level 3 can be further refined with Level 4, Stability, Completeness, Functionality, Interfaces, Testability, etc., Level 5, etc.

Once the project team has created its RBS, then individual risks can be identified. Several different techniques for defining the individual risks are available, including brain-storming, surveys, workshops, etc. Each identified risk needs to be categorized, and placed in the RBS under a specific topic (or topics if the risk spans two or more topics, such as a risk in gathering requirements might span Technical, organizational and project management.

NOTE: the RBS will be different between projects, even projects within the same project area,
e.g., construction, information technology, environmental remediation, etc.

After the RBS has completed its first "pass" in the creation phase, it can then become an input to qualitative risk analysis, where probabilities, priorities, and impacts are determined.

Using the Risk Breakdown Structure

The RBS serves as more than just a "database" for identifying risks to the project. When created, the RBS provides a vehicle for risk analysis and reporting, and risk comparison across projects. Most importantly, the RBS is "the" tool for risk identification.

Risk Identification

Risk identification will be the first step in determining which risks may affect a project. Identification also provides documentation of the risk characteristics. The first level (Level 1) of the RBS can be used as a sanity check to make certain that all topics that might include risk are covered during the risk identification process. Using the RBS, an iterative process can be initiated that will persist throughout the project life-cycle. The frequency and applicability of this iterative process will be different in each phase of the life-cycle

Using a risk identification checklist that is focused on the RBS, using Levels 2, 3 and below, assists in identifying specific and generic risks. This checklist can then become a part of the project managers' and risk managers' tool set for future projects.

Risk identification leads to quantitative risk analysis, conducted by the Project Risk Manager. Interestingly, sometimes merely identifying the risk will suggest the proper response, which can be entered into the Risk Response Plan.

Risk Analysis (Qualitative Risk Analysis)

Risk analysis is more easily achieved if, after identification, the risks are placed in proper perspective within the RBS by categorizing the risks in the various levels. Risk analysis (quantitative risk analysis) involves the use of techniques for prioritizing the risk, determining the probability of the risk, and calculating the impact of the risk. At no point should the project manager or risk manager decide that the total number of identified risks should cause the cancellation of the project. The total number does not take into account the probability with which the risk will occur, nor the impact to the project, should the risk occur. A few risks, with high probabilities and high impact, are far more critical to the overall success of the project than a large number of risks with low probability and minimal impact. Using the RBS, the project manager and the risk manager should create a "risk score" based on the priority, probability and impact of each risk, and with each "group" of risks (according to the appropriate Level of the RBS).

Using the RBS also offers other valuable understanding into the analysis of the identified risks. Some of these new understandings are:

• Risk exposure type
• Dependencies between risks
• Root causality of risks
• Most significant and least significant risks
• Correlations between risks

Another benefit of the RBS is the ability to focus risk responses to the high probability, high impact, high priority risks using the risk topic groupings.

Summary

Effective risk management demands that the project manager and risk manager fully understand the risks of a project. A successful risk management process would also require a good knowledge and understanding of the business objectives of the project. During risk identification, a large volume of risks can be identified. Simply listing these risks or putting them in a spreadsheet or database does not provide the in-depth understanding of the identified risks necessary to allow a solid risk response planning task. The RBS provides the tool necessary to assist in identifying risks, analyzing risks, and creating a successful risk response plan, and it provides a vehicle for "deep-dives" into the complexity of the risk. Using a hierarchical RBS, similar in its design to the WBS, allows the project and risk managers the opportunity to carefully align the risks in proper categories, using as deep an analysis as time and resources would permit .

References

1. PMBoK-Project Management Book of Knowledge
2. PMI Practice Standard for Risk Management - currently under development
3. PMI PMBOK, 3rd Edition, Chapter 11, Risk Management
4. NIST Risk Management Guide for Information Technology Systems http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
5. NASA Procedural Requirements 8000.4: Risk Management Procedural Requirements http://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPR&c=8000&s=4
6. PMI PMBOK Chapter 11, Risk Management http://www.pmi.org/Marketplace/Pages/ProductDetail.aspx?GMProduct=00100035801
7. IEC 62198:2001 Project Risk Management - Application Guidelines International Electrotechnical Communication, Geneva Switzerland
8. http://certifedpmp.wordpress.com/2008/10/11/risk-breakdown-structure-rbs/
9. http://www.risk-doctor.com/pdf-files/rbs1002.pdf
10. Continuous Risk Management Gudidebook, Richard L. Murphy, et al., SIE/Carnegie-Mellon University press.
11. op cit Hillson,
12. Project Management Institute, Risk Management Special Interest Group (SIG), http://www.risksig.com/

• Risk