1

Risk Analysis

Chapter 5

2

Scope & Process of Risk Analysis Risk analysis is a very elastic concept;

It could mean just a simple examination of risk on one side

& on other side of spectrum it’s a full-fledged research study.

In IAMT (identify, analysis, mitigate & track) cycle, it refers to analysis of identified risks Make sure it doesn't means Process Analysis &

Business Analysis as it was use in risk discovery.

3

Scope & Process of Risk Analysis

Definition:

“The purpose of risk analysis is to understand risk better and to verify and correct risk attribute.”

4

Bias For Action Risk Analysis has an inherent bias for action,

the team that analyzes risk is in hurry The hurry of a person, who faces risks & is

anxious to do something about them.

“The urge to act” makes people respond to simple clues instead of waiting for confirmation of the problem. During the course of analysis, a point is reached

when the situation is clear & risk are understood, while sense of direction become apparent.

5

Bias For Action

6

Risk Selection A commonly cited purpose of the risk analysis is

to select the right risk for mitigation. Just like selection of a problem for resolution from

complex set of problems.

Definition:“The purpose of risk analysis is to select risk for

mitigation”

When risk is obvious because of its seriousness, there is not much of a choice. Serious & high impact risk, emerge loud & very clear,

not need much of judgment to pick up these risk.

7

Types of risk Analysis There are few well known types of risk analysis, listing

some of them here:

a. First Order Analysis:1. Risk Screening2. Quadrant Map3. Top ten risk List

b. Risk Distribution:1. Internal-External2. Process-project-product3. Process Risk Signature

c. Second Order Analysis:1. Time Analysis2. Causal Analysis3. Process Map4. Performance Area Map

8

First Order Risk Some kind of analysis of risk occurred at risk

identification path for paving path for Risk analysis.

First Order analysis is simple, it allow to note critical issues quickly, without going into elaborate consideration. It’s an easy-to-read map of risks.

Take an overall view of risks and isolate critical risk, which need immediate actions.

1. Risk Screening2. Quadrant Map3. Top ten risk List

9

Analysis 1: Risk Screening Risk are screened according to their ability to

inflict damage, these maximum impact risks are called hazard…subject to hazard analysis.

A basic tree diagram is constructed and root causes are identified. A consequence tree diagram is also drawn to

assess how damage may spread from hazard in the project.

No chances are taken with hazards. Strategies and plans are developed on the assumption that hazardous risk are going to happen.

10

Analysis 1: Risk Screening In hazard risk analysis, we don’t discount a

hazard because of its low probability of occurrence, apply here Murphy’s law:

“If something can wrong, it will go wrong”

Hazard analysis make use to techniques like fault tree analysis(FTA) and event tree analysis(ETA).

Sure risks or constraints with highest scores for probability are screened and because there is certainty about them so no surprise element. Such risks are grouped under constraint

management.

11

Analysis 1: Risk Screening

The nominal risks are grouped separately and are analyzed for prioritization. Nominal risks are tabulated in descending risk

exposure number(REN) order and marked for consideration.

The trivial risks are kept as low priority items initially. They are left under observation just in case they

become larger issues with time.

12

Analysis 1: Risk Screening

13

Analysis 2: Quadrant Map The risk maps are formed in map ways. Some

people perform quadrant analysis.

Risk are represented in four quadrants in two dimensional chart showing impact in X-axis & probability in the y-axis.

Quadrant 1 High impact & high probability risk

Quadrant 2 High impact & low probability risk

Quadrant 3 Low impact & high probability risk

Quadrant 4 Low impact & low probability risk

14

Analysis 2: Quadrant Map

Instead of four quadrants, some people use 10 x 10 grid analysis, which is a refinement. X-axis represent impact on scale 0 to 10 & similarly Y-

axis represents probability of risk.

Thus each grid has a specific value. Location 1x1 is a lowest, 5x5 is medium & 10 x 10 is the most critical.

15

Analysis 3: Top Ten Risk List The Top Ten Risks is not an elegant technique,

its just a list of top ten risks in the project.

The list is created after considering all risk aspects and applying some decision rules, thus focusing on one set of risks. It’s just an intuitive creation of the analysts.

The structured and complete risk analysis is very complex. But still during First Order Risk analysis the

subconscious mind runs through all the branches and choice emerges.

16

Useful Risk Distribution Analysis

To known where the problem lies, a few distribution analysis on risk data can be done. The pie chart can be used to show the distribution.

1. Internal-External2. Process-project-product3. Process risk signature

17

Analysis 4: Internal-External Risk Distribution First mentioned on the list is a distribution of

risk origin. It a just simple pie-charts showing external and

internal risks.

Thus analysis shows whether the dominant issues are outside the organization boundary or inside it.

It makes a lot of sense to have different classification system for internal & external risks.

18

Analysis 4: Internal-External Risk Distribution

Internal risk attributes look inward at process and product areas.

If external risk dominate, those risk need to be selected and a separate classification done with attributes that reflect the external world.

External risk attributes are different they must capture : market behavior, competition, price factor,

product obsolescence, customer preference & other external forces.

19

Analysis 5: Process, Project & Product Risk distribution

The internal risks can be distributed, for example, among three categories: Process Risks, Project risks & Product risk.

The project Risks are meant the risks in project deliverable & project performance variables.

Process risks are Logical and technical Risks in the product

Product risks suspect failure i.e. failure modes and probable shortcomings.

20

Analysis 5: Process, Project & Product Risk distribution

Care must be taken as there can be a cause-effect relationship between three categories.

They are not mutually exclusive but interdependent.

Product risk can be induced by project risks & project risk in turn result form process risks.

21

Analysis 6: Process Risk Signature

Risk Signature is a plot(plan) of risk count across a family of risk factor. Risk signature is the framework used to extract

risk.

The process risk signature is also a map of process vulnerability. When the map is ready, we know where the dam

is likely to burst.

22

Analysis 6: Process Risk Signature

In above fig, there is a risk signature of a full Life-Cycle project. Largest number of risks are clustered in HRM,

Human Resource Management.

23

Analysis 6: Process Risk Signature To better understand the HR risks, they can be

categorized further and a sub-signature drawn. By tabulating risk counts under various HR issues.

If this level of detail is not enough to guide mitigation plan, the analysis can be further continued.

HR issues Categories No. of Identified Risks

Recruitment 50

Competencies 5

Attrition 10

Compensations 20

24

Analysis 6: Time analysis

Risk have a time dimension. Therefore, risks already present must be distinguishable from risks that are likely to appear soon.

Again the futuristic risks can be further divided into times zones e.g. as in Risks that are likely to appear within a quarter Risks that are likely to appear within a year Risks that are likely to appear beyond a year

25

Analysis 6: Time analysis Most project teams will have identified risks

that are present and those that are likely to appear within project lifecycle.

Risks that appear beyond the project delivery date “do not” concern here in SRM, through they are issues for the PM.

As soon as the time analysis is done, the risks are flagged with a time trigger and looked for the expected time. If they occur, their occurrence is recorded. If not,

the risks will be analyzed again.

26

Analysis 6: Time analysis Having fixed a timeframe for risk, scheming for

risk count can be done against expected time. This is a dynamic analysis and will have to be

repeated periodically, under the “tracking” phase.

Time analysis should be supplemented by identification, as level as specification of risk triggers. What will be risk indicator? What will be the intensity level the risk indicator

would have raised in specific timeframe? What is the threshold level necessary to judge that

the risk is genuine?

27

Analysis 6: Time analysis

Another related analysis consider the duration for which the risk will stay.

Will it stay for good? Will it be repetitive? Or it may be a just a single

event may not repeat?

28

Analysis 8: Causal Analysis There are also some risks related to causal analysis,

which is based on the principle of causality, Which states that all the selected risks have been caused

and are not freak event.

Layers of causes must be analysis. In the visible layer, there sit the identified risks that are assumed to be symptoms.

For example: Scope creep is a risk. It is tip of an iceberg.

The immediate cause were found to be two in numbers.

29

Analysis 8: Causal Analysis1. The first cause for the scope creep was that the

customers were influenced by the competitors.2. The second cause was due to ignorance of the

market.

The two lines of reasoning can be tabulated as follows:

a. Risk: Scope Creep1. Cause: Customer listens to competitors.

1.1 Sub Cause: Customers are not happy with our efforts.1.1.1 Root Cause: Our product has poor GUI features.

1.2 Sub Cause: Competitors have more attractive offers.1.2.1 Root Cause: No Idea

30

Analysis 8: Causal Analysis2. Cause: We don’t know features offered by

competitors.2.1 Sub Cause: We never did market survey

2.1.1 Root Cause: We never thought it would matter

In examples, we moved into deeper layers of causes, moved to the closer to the root cause. Causal Analysis leads to solutions

31

Analysis 8: Causal Analysis

32

Seeing the larger picture

Selection of risk for mitigation may be an essential initial step, but The larger picture needs to synthesized from the

identified risks

Here two questions arise:1. What are the process areas effected by the

risks?2. What are the result areas effected by risks?

33

Analysis 9: The Process Map The simplest framework relevant to risk

analysis is the process flowchart.

The conventional process flowchart is an approximate model taking in the core process areas. The scope of this framework can be explained by

constructing business process map that includes even the support process.

One can never build a complete map covering all processes.

34

Analysis 9: The Process Map Here is three columns constitute a business

Process Map:

An influence diagram connecting the process elements shown on this list can be made.

35

Analysis 9: The Process Map The risk identified in the strategic business

unit are mapped to each process area.

To begin well just count the number of risks present in each process, next find the REN’s for all risks. Total REN can serve as a “Vulnerability” rating a

particular process.

What emerges is a business process map showing vulnerabilities.

36

Analysis 10: Performance Area Map Another Higher-level analysis is to map risks to

performance areas. A Performance framework is needed for this mapping.

The simplest framework is a “Goal tree”. The primary & secondary goals are presented in a tree structure. Then analyze how chance of attaining each goal are

diminished by risk is done.

Beginning can be made by counting risks that map into each goal, thus evaluating of problem magnitude, by summing up

REN of all each risks associated with each goal .

37

Analysis 10: Performance Area Map

Another framework that proves handy is a performance scorecard, defines the following for each goal:1. Objectives2. Targets3. Metric

38

Risk Levels and Analysis Efforts The level of risks must be recognized whether

it is at process, project, program or corporate level.

The identifier can be at any level, but the risk owner may be elsewhere at any level.

Higher-Level risks are larger problems that require high-level analysis & thinking. e.g. Let us take a risk identified by an analysts: non-

availability of skilled resources. This is a high-level risk, belongs to the corporate level.

39

Risk Levels and Analysis Efforts Escalated risks involves much more, needs an

enterprise level risk data collection.

Analysis must be scaled up, because risks are larger & require larger solutions with huge investments.

In depth analysis must be made separately. The analysis effort is proportional to the level of risks.

40

Putting together the Preliminary analyses Preliminary analyses are done, the result must be

complied and assessed, & best choice made.

The risk that are selected for mitigation as well as those not selected for mitigation are understood.

Risks that are kept open will be put under “risk monitoring” and managed with risk trigger.

Thus assessment of analysis result paves the way responding to risk.

41

The Analysis Report The result of ten preliminary analyses can be

summed in a report. Key output of each analyses are tabulated as

follows:

42

The Analysis Report The result of the preceding ten analyses can

be summarized using the following charts:

1. Pareto Charts (REN)2. Landscape Diagram(Risk probability-impact

XY)3. Bar graph (Signature)4. Tree (Causal tree, Consequences tree)5. Flowchart (with hot spots marked)