Most of us are familiar with the conventional risk management methods and models. The often cited risk identification, risk analysis, risk assessment, risk score, risk matrix and the quirky name of FMEA, all sounds so close to home. We have tinkered and struggled with them in our projects. What is not so clear is when we look at risks across several interrelated projects or within the context of a larger program. Things become more complicated when a risk may depend on or affect other risks. These new relationships introduce additional dynamics that may change the way we manage risk especially in the areas of risk identification and risk assessment.
Let’s first take a look at how it will affect the way we conduct risk identification. When risks are interrelated with one another, we can no longer deal with them individually as standalone records. We have to manage them collectively taking the relationships into consideration. Therefore, during the risk identification process, apart from identifying risks that will have an impact on the current project, we also need to determine if a specific risk has any dependency or influence on other risks. One option that we have is to tap into the knowledge and experience of the subject matter experts. Running a risk workshop involving the subject matter experts in the initial stage of the project or program may help to derive the first cut of the list of risks and the associated dependencies. Alternatively, we may also utilize the task dependencies as a convenient source to provide some references to aid in the identification of risk dependencies. Not only do we need to capture these relationships, we also need to provide some means to track the information for risk analysis and future reference (e.g. we may archive this knowledge into a risk bank or library). A quick solution is to add a dependencies field in the risk log, just like what we usually do for task dependencies in the Gantt chart, to keep track of relationships among the risks within a project and across multiple interrelated projects. We may also extend this further by plotting the risk dependencies on a map, similar to that in the Benefits Dependency Network, to allow us to visualize and analyze the dependencies holistically.
Next, let’s examine how risk assessment will be affected by these relationships. There are two parameters that we often use in risk assessment to determine the importance of a particular risk and the amount of time and effort that we should spend on it. They are the ‘Probability’ – the likelihood of the risk occurring, and the ‘Impact’ – the consequences if the risk does occur. When we look at a risk by itself in isolation, we are actually assessing the absolute values of these two parameters. This is what we have been practicing so far. However, these absolute values become less meaningful in a more complex environment involving the dependency relationships. In order to be more accurate in the assessment, we will then need to take the compounded effect of the risk dependencies into consideration. Now, the question is how should all these work?
For those of you who are familiar with Einstein’s Theory of Relativity, you should not be new to the concept of ‘Frame of Reference’. The theory states that – “There is no such thing as an absolute frame of reference.” Following this idea, we may postulate that we can never use the same absolute frame of reference to holistically assess the parameters of the risks with dependency relationships within a complex environment. Therefore, we need to introduce two new parameters ‘Relative Probability’ (RP) and ‘Relative Impact’ (RI) and rename the original parameters to ‘Absolute Probability’ (AP) and ‘Absolute Impact’ (AI) to provide better clarity. In addition, we also have to determine how each of these two factors will be affected by the dependencies and how they should be assessed.
Now, let’s first take a look at the ‘Relative Impact’ parameter which is the easiest between the two. In order to obtain the RI of the risk being assessed, we just need to sum up the RI of the dependee (a risk that is depended on by another risk) with the AI of the depender (a risk that depends on another risk). For example, if risk B with an AI of $1,000 has a dependency on risk A of $2,500 RI, then the RI of risk B will be the sum of the RI of risk A and the AI of risk B or $3,500 (i.e. $2,500+$1,000) in this case. In a multiple dependencies (a risk depends on more than one risk) situation, the ‘Relative Impact’ parameter should always be calculated based on the worst case scenario or the maximum combined impact of all the related risks. For example, if risk C with an AI of $1,000 has dependencies on risk A of $2,500 RI and risk B of $500 RI, then the RI of risk C will be $4,000 (i.e. $2,500+$500+$1,000). In general, we may express this calculation in a formula as shown below,
RI of depender = AI of depender + ∑ (RI of all dependees) --- (1)
If the above sounds relatively difficult for you to digest, then the method to calculate the ‘Relative Probability’ parameter will be a little bit trickier as it requires a good understanding in the field of probability taught in the math classes in old school. In a one-to-one dependency relationship, the RP of the risk being assessed (or we may think of this as the joint probability) will be the product of the RP of the dependee and the AP of the depender. For example, if risk B with an AP of 50% has a dependency on risk A of 80% RP, then the RP of risk B will be the product of the RP of risk A and the AP of risk B or %40 (i.e. 80%*50%) in this case. Unfortunately, the calculation for probability in a multiple dependencies situation is not so straight forward. From the old school math classes, we have learned that the calculation of union probability involves the combination of all the possible outcomes. In other words, the ‘Relative Probability’ parameter, which is a combined probability, should be calculated by summing up all the probabilities of each of the individual one-to-one dependency relationships. For example, if risk C with an AP of 50% has dependencies on risk A of 80% RP and risk B of 10% RP, then the RP of risk C will be the sum of the probability of ‘risk C depends on risk A’ dependency and the probability of ‘risk C depends on risk B’ dependency. The actual calculation is (80%*50%)+(80%*10%) which gives 48% as the RP of risk C. An easier way to calculate this is to take the total sum of the RP of all the dependees and multiply the result with the AP of the depender. This can be clearly expressed in the formula shown below,
RP of depender = AP of depender * ∑ (RP of all dependees) --- (2)
If you find the calculations described too confusing, all you need to do is just remember the two formulas (1) and (2) given above. One point to take note is, with this approach, we do not have to worry about any dependency relationship beyond the immediate dependee since we are taking the relative value of the parameter and it should have already accounted for everything upstream. This is the beauty of being ‘relative’.