1
Risk Analysis
Chapter 5
2
Scope & Process of Risk Analysis
Risk analysis is a very elastic concept.
It could mean just a simple examination of risk on one side, and on the other side of the spectrum it is a full-fledged research study.
In the IAMT (identify, analyze, mitigate & track) cycle, it refers to the analysis of identified risks.
Make sure it is not taken to mean Process Analysis & Business Analysis, as used in risk discovery.
3
Scope & Process of Risk Analysis
Definition:
“The purpose of risk analysis is to understand risk better and to verify and correct risk attribute.”
4
Bias For Action
Risk analysis has an inherent bias for action; the team that analyzes risk is in a hurry.
It is the hurry of a person who faces risks and is anxious to do something about them.
“The urge to act” makes people respond to simple clues instead of waiting for confirmation of the problem.
During the course of analysis, a point is reached when the situation is clear and the risks are understood, while a sense of direction becomes apparent.
5
Bias For Action
6
Risk Selection
A commonly cited purpose of risk analysis is to select the right risks for mitigation.
It is just like the selection of a problem for resolution from a complex set of problems.
Definition: “The purpose of risk analysis is to select risk for mitigation”
When a risk is obvious because of its seriousness, there is not much of a choice.
Serious, high-impact risks emerge loud and very clear; not much judgment is needed to pick up these risks.
7
Types of Risk Analysis
There are a few well-known types of risk analysis; some of them are listed here:
a. First Order Analysis:
   1. Risk Screening
   2. Quadrant Map
   3. Top Ten Risk List
b. Risk Distribution:
   1. Internal-External
   2. Process-Project-Product
   3. Process Risk Signature
c. Second Order Analysis:
   1. Time Analysis
   2. Causal Analysis
   3. Process Map
   4. Performance Area Map
8
First Order Risk
Some analysis of risk already occurs during risk identification, paving the path for risk analysis.
First order analysis is simple; it allows critical issues to be noted quickly, without going into elaborate consideration. It’s an easy-to-read map of risks.
Take an overall view of the risks and isolate the critical risks, which need immediate action.
1. Risk Screening
2. Quadrant Map
3. Top Ten Risk List
9
Analysis 1: Risk Screening
Risks are screened according to their ability to inflict damage; these maximum-impact risks are called hazards and are subject to hazard analysis.
A basic tree diagram is constructed and root causes are identified.
A consequence tree diagram is also drawn to assess how damage may spread from the hazard in the project.
No chances are taken with hazards. Strategies and plans are developed on the assumption that hazardous risks are going to happen.
10
Analysis 1: Risk Screening
In hazard risk analysis, we don’t discount a hazard because of its low probability of occurrence; apply Murphy’s law here:
“If something can go wrong, it will go wrong”
Hazard analysis makes use of techniques like fault tree analysis (FTA) and event tree analysis (ETA).
Sure risks, or constraints, with the highest scores for probability are screened; because there is certainty about them, there is no surprise element.
Such risks are grouped under constraint management.
11
Analysis 1: Risk Screening
The nominal risks are grouped separately and are analyzed for prioritization.
Nominal risks are tabulated in descending risk exposure number (REN) order and marked for consideration.
The trivial risks are kept as low-priority items initially.
They are left under observation just in case they become larger issues with time.
12
Analysis 1: Risk Screening
13
Analysis 2: Quadrant Map
Risk maps are formed in many ways. Some people perform quadrant analysis.
Risks are represented in four quadrants in a two-dimensional chart showing impact on the X-axis and probability on the Y-axis.
Quadrant 1 High impact & high probability risk
Quadrant 2 High impact & low probability risk
Quadrant 3 Low impact & high probability risk
Quadrant 4 Low impact & low probability risk
14
Analysis 2: Quadrant Map
Instead of four quadrants, some people use a 10 x 10 grid analysis, which is a refinement.
The X-axis represents impact on a scale of 0 to 10, and similarly the Y-axis represents the probability of the risk.
Thus each grid cell has a specific value. Location 1 x 1 is the lowest, 5 x 5 is medium and 10 x 10 is the most critical.
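The screening rules and the quadrant map described above can be expressed as a short routine. This is an added example, not material from the original slides. It assumes REN = probability x impact on the 0 to 10 scales, and the cut-off values and the sample register are constructed for illustration.

```python
from dataclasses import dataclass

HAZARD_IMPACT = 9     # assumed cut-off for "maximum impact" risks
SURE_PROBABILITY = 9  # assumed cut-off for "sure" risks (constraints)
TRIVIAL_REN = 10      # assumed ceiling for trivial risks
MIDPOINT = 5          # assumed high/low split on both axes of the map

@dataclass(frozen=True)
class Risk:
    name: str
    impact: int        # 0..10, X-axis
    probability: int   # 0..10, Y-axis

    @property
    def ren(self) -> int:
        # Assumption: REN = probability x impact (the slides give no formula).
        return self.probability * self.impact

def screen(risks):
    """Split risks into hazard, constraint, nominal and trivial groups."""
    groups = {"hazard": [], "constraint": [], "nominal": [], "trivial": []}
    for r in risks:
        if r.impact >= HAZARD_IMPACT:
            groups["hazard"].append(r)      # not discounted for low probability
        elif r.probability >= SURE_PROBABILITY:
            groups["constraint"].append(r)  # certain, so no surprise element
        elif r.ren <= TRIVIAL_REN:
            groups["trivial"].append(r)     # kept under observation
        else:
            groups["nominal"].append(r)
    groups["nominal"].sort(key=lambda r: r.ren, reverse=True)  # descending REN
    return groups

def quadrant(r):
    """Quadrant number as listed above (1 = high impact, high probability)."""
    high_impact = r.impact > MIDPOINT
    high_prob = r.probability > MIDPOINT
    if high_impact:
        return 1 if high_prob else 2
    return 3 if high_prob else 4

# Constructed sample register, not data from the slides.
REGISTER = [
    Risk("Data centre loss", 10, 1),
    Risk("Fixed delivery date", 4, 10),
    Risk("Key developer attrition", 6, 4),
    Risk("Scope creep", 7, 6),
    Risk("Minor UI rework", 2, 3),
]
```

"Data centre loss" has a REN of only 10, yet it is screened as a hazard because the impact test runs before any REN comparison.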
15
Analysis 3: Top Ten Risk List
The Top Ten Risks is not an elegant technique; it’s just a list of the top ten risks in the project.
The list is created after considering all risk aspects and applying some decision rules, thus focusing on one set of risks. It’s just an intuitive creation of the analysts.
The structured and complete risk analysis is very complex.
But still, during first order risk analysis the subconscious mind runs through all the branches and a choice emerges.
16
Useful Risk Distribution Analysis
To know where the problem lies, a few distribution analyses on risk data can be done. A pie chart can be used to show the distribution.
1. Internal-External
2. Process-Project-Product
3. Process Risk Signature
17
Analysis 4: Internal-External Risk Distribution
First on the list is a distribution of risk origin.
It is just a simple pie chart showing external and internal risks.
This analysis shows whether the dominant issues are outside the organization boundary or inside it.
It makes a lot of sense to have different classification systems for internal and external risks.
18
Analysis 4: Internal-External Risk Distribution
Internal risk attributes look inward at process and product areas.
If external risks dominate, those risks need to be selected and a separate classification done with attributes that reflect the external world.
External risk attributes are different; they must capture market behavior, competition, price factors, product obsolescence, customer preference and other external forces.
19
Analysis 5: Process, Project & Product Risk distribution
The internal risks can be distributed, for example, among three categories: process risks, project risks and product risks.
Project risks are the risks in project deliverables and project performance variables.
Process risks are logical and technical risks in the product.
Product risks are suspected failures, i.e. failure modes and probable shortcomings.
20
Analysis 5: Process, Project & Product Risk distribution
Care must be taken, as there can be a cause-effect relationship between the three categories.
They are not mutually exclusive but interdependent.
Product risks can be induced by project risks, and project risks in turn result from process risks.
21
Analysis 6: Process Risk Signature
Risk signature is a plot (plan) of risk count across a family of risk factors.
Risk signature is the framework used to extract risk.
The process risk signature is also a map of process vulnerability.
When the map is ready, we know where the dam is likely to burst.
22
Analysis 6: Process Risk Signature
The figure above shows the risk signature of a full life-cycle project.
The largest number of risks is clustered in HRM (Human Resource Management).
23
Analysis 6: Process Risk Signature
To better understand the HR risks, they can be categorized further and a sub-signature drawn by tabulating risk counts under various HR issues.
If this level of detail is not enough to guide the mitigation plan, the analysis can be continued further.

HR Issue Category    No. of Identified Risks
Recruitment          50
Competencies         5
Attrition            10
Compensations        20
24
Analysis 6: Time analysis
Risks have a time dimension. Therefore, risks already present must be distinguishable from risks that are likely to appear soon.
Again, the future risks can be further divided into time zones, e.g.:
Risks that are likely to appear within a quarter
Risks that are likely to appear within a year
Risks that are likely to appear beyond a year
25
Analysis 6: Time analysis
Most project teams will have identified the risks that are present and those that are likely to appear within the project lifecycle.
Risks that appear beyond the project delivery date “do not” concern us here in SRM, though they are issues for the PM.
As soon as the time analysis is done, the risks are flagged with a time trigger and watched for at the expected time.
If they occur, their occurrence is recorded. If not, the risks will be analyzed again.
26
Analysis 6: Time analysis
Having fixed a timeframe for each risk, scheming of the risk count can be done against expected time.
This is a dynamic analysis and will have to be repeated periodically, under the “tracking” phase.
Time analysis should be supplemented by identification, as well as specification, of risk triggers.
What will be the risk indicator?
What intensity level will the risk indicator have reached in the specific timeframe?
What is the threshold level necessary to judge that the risk is genuine?
27
Analysis 6: Time analysis
Another related analysis considers the duration for which the risk will stay.
Will it stay for good?
Will it be repetitive?
Or may it be just a single event that does not repeat?
28
Analysis 8: Causal Analysis
There are also some risks related to causal analysis, which is based on the principle of causality, which states that all the selected risks have been caused and are not freak events.
Layers of causes must be analyzed. In the visible layer sit the identified risks, which are assumed to be symptoms.
For example: scope creep is a risk. It is the tip of an iceberg.
The immediate causes were found to be two in number.
29
Analysis 8: Causal Analysis
1. The first cause for the scope creep was that the customers were influenced by the competitors.
2. The second cause was due to ignorance of the market.
The two lines of reasoning can be tabulated as follows:
a. Risk: Scope Creep
1. Cause: Customer listens to competitors.
   1.1 Sub Cause: Customers are not happy with our efforts.
       1.1.1 Root Cause: Our product has poor GUI features.
   1.2 Sub Cause: Competitors have more attractive offers.
       1.2.1 Root Cause: No Idea
30
Analysis 8: Causal Analysis
2. Cause: We don’t know features offered by competitors.
   2.1 Sub Cause: We never did market survey
       2.1.1 Root Cause: We never thought it would matter
In the examples, we moved into deeper layers of causes, closer to the root cause.
Causal analysis leads to solutions.
31
Analysis 8: Causal Analysis
32
Seeing the larger picture
Selection of risks for mitigation may be an essential initial step, but the larger picture needs to be synthesized from the identified risks.
Here two questions arise:
1. What are the process areas affected by the risks?
2. What are the result areas affected by the risks?
33
Analysis 9: The Process Map
The simplest framework relevant to risk analysis is the process flowchart.
The conventional process flowchart is an approximate model taking in the core process areas.
The scope of this framework can be explained by constructing a business process map that includes even the support processes.
One can never build a complete map covering all processes.
34
Analysis 9: The Process Map
Here three columns constitute a business process map:
An influence diagram connecting the process elements shown on this list can be made.
35
Analysis 9: The Process Map
The risks identified in the strategic business unit are mapped to each process area.
To begin with, just count the number of risks present in each process; next, find the RENs for all risks.
The total REN can serve as a “vulnerability” rating for a particular process.
What emerges is a business process map showing vulnerabilities.
36
Analysis 10: Performance Area Map
Another higher-level analysis is to map risks to performance areas.
A performance framework is needed for this mapping.
The simplest framework is a “goal tree”. The primary and secondary goals are presented in a tree structure.
Then an analysis is done of how the chances of attaining each goal are diminished by risk.
A beginning can be made by counting the risks that map into each goal, and then evaluating the magnitude of the problem by summing up the RENs of all risks associated with each goal.
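The process map and the performance area map use the same aggregation: count the risks per area and sum their RENs. The following is an added example, not material from the original slides. It assumes REN = probability x impact, and the risks, process areas and goals are constructed sample data.

```python
from collections import defaultdict

PROCESS, GOAL = 3, 4  # column indexes into the tuples below

# Constructed sample risks: (name, probability 0-10, impact 0-10,
# process areas, goals). Names are illustrative, not from the slides.
RISKS = [
    ("Late requirements", 7, 6, ["Requirements"], ["On-time delivery"]),
    ("Recruitment delays", 8, 5, ["HRM"], ["On-time delivery"]),
    ("Attrition of testers", 5, 6, ["HRM", "Testing"], ["Product quality"]),
    ("Unstable build server", 4, 4, ["Testing"],
     ["Product quality", "On-time delivery"]),
]

def ren(probability, impact):
    # Assumption: REN = probability x impact; the slides give no formula.
    return probability * impact

def vulnerability_map(risks, column):
    """Return (area, risk count, total REN) rows, highest total REN first."""
    count, total = defaultdict(int), defaultdict(int)
    for risk in risks:
        for area in risk[column]:  # a risk may map to several areas
            count[area] += 1
            total[area] += ren(risk[1], risk[2])
    return sorted(((a, count[a], total[a]) for a in total),
                  key=lambda row: row[2], reverse=True)

def pareto(rows):
    """Cumulative percentage of total REN per area, for a Pareto chart."""
    grand = sum(t for _, _, t in rows)
    out, running = [], 0
    for area, _, t in rows:
        running += t
        out.append((area, round(100 * running / grand)))
    return out

if __name__ == "__main__":
    print(vulnerability_map(RISKS, PROCESS))
    print(vulnerability_map(RISKS, GOAL))
    print(pareto(vulnerability_map(RISKS, PROCESS)))
```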
37
Analysis 10: Performance Area Map
Another framework that proves handy is a performance scorecard, which defines the following for each goal:
1. Objectives
2. Targets
3. Metric
38
Risk Levels and Analysis Efforts
The level of a risk must be recognized: whether it is at process, project, program or corporate level.
The identifier can be at any level, but the risk owner may be elsewhere at any level.
Higher-level risks are larger problems that require high-level analysis and thinking.
e.g. Let us take a risk identified by an analyst: non-availability of skilled resources. This is a high-level risk that belongs to the corporate level.
39
Risk Levels and Analysis Efforts
Escalated risks involve much more and need enterprise-level risk data collection.
Analysis must be scaled up, because the risks are larger and require larger solutions with huge investments.
In-depth analysis must be made separately.
The analysis effort is proportional to the level of risks.
40
Putting together the Preliminary analyses
Once the preliminary analyses are done, the results must be compiled and assessed, and the best choice made.
The risks that are selected for mitigation, as well as those not selected for mitigation, are understood.
Risks that are kept open will be put under “risk monitoring” and managed with risk triggers.
Thus assessment of the analysis results paves the way for responding to risk.
41
The Analysis Report
The results of the ten preliminary analyses can be summed up in a report.
Key outputs of each analysis are tabulated as follows:
42
The Analysis Report
The results of the preceding ten analyses can be summarized using the following charts:
1. Pareto Charts (REN)
2. Landscape Diagram (Risk probability-impact XY)
3. Bar graph (Signature)
4. Tree (Causal tree, Consequences tree)
5. Flowchart (with hot spots marked)