Are your risk assessments falling short?

by Sylvie Edwards

Most people regularly assess risks and stop short in their assessment. For years we have been told to pay close attention to the two main dimensions of risk: probability and impact. What if we are stopping short in our assessment by limiting ourselves to only these two? In this article, we will look at other dimensions to consider. Let us try to come up with a clearer version of our crystal ball so as to better predict the risks to our projects.

As individuals and organizations start using techniques and working in more intricate ways with processes and frameworks, it becomes clear that there is often more work that could be done to improve our outcomes or our confidence in the data generated. In recent years, what used to be simple risk management analysis has become a domain for improvements and additions aimed at clearer and more accurate predictions.

Most risk registers and risk management plans out there focus on defining probability and impact via the use of scales and matrices. This is a lean and mean way of graphically conveying the level of risk for a project. If you work in this area, you often see some flaws in this identification and analysis process. It is hard to remove biases from this equation and to clearly predict how the data will be influenced by the stakeholders’ tolerance and appetite levels. I often discuss in my risk classroom the fact that a stakeholder walking into a room will not say: “Hello, my name is John, and I am risk-averse,” and you won’t be able to read that information off of their forehead.

Risk managers all over the world have recognized this issue and are always trying to find ways to get clearer or more targeted information out of the process. This has led to several new dimensions of risk being defined and introduced, along with additional calculations or formulas. What used to be an easy formula (Probability x Impact or P x I) has now become a whole pile of layers of formulas to accelerate, diminish, or target the final score.

If these modified dimensions are utilized on a specific project, you should find a description or definition of their use in the risk management plan. Most of them are then added to the risk register as an additional column of information, which may or may not impact your final score or rank calculation.

Let us have a look at some of the common dimensions that you might have seen recently being used in a risk register near you.

Velocity: This is a common dimension that is often used on projects. Risk velocity can best be described as the time to impact. Not all risks occur over the same period. When the velocity is low, we have more time to respond to the risk, while if the velocity is high, we might have very little time, or none at all, to respond. This is reflected in the contingency, fallback, or workaround plans we will come up with.

The basic formula would be modified as such: (Probability + Velocity) x Impact = Risk Score
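To see what the velocity term does to a register in practice, the following added example (not from the original article) ranks the same risks under P x I and under (Probability + Velocity) x Impact and reports how each risk's rank moves. The 1-5 scales and the four register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # assumed scale: 1 (rare) to 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) to 5 (severe)
    velocity: int     # assumed scale: 1 (slow onset) to 5 (immediate)


def score_pi(risk):
    """Classic score: Probability x Impact."""
    return risk.probability * risk.impact


def score_pvi(risk):
    """Modified score from the article: (Probability + Velocity) x Impact."""
    return (risk.probability + risk.velocity) * risk.impact


def rank(register, score):
    """Map each risk name to its rank (1 = highest score); ties break by name."""
    ordered = sorted(register, key=lambda r: (-score(r), r.name))
    return {r.name: pos for pos, r in enumerate(ordered, start=1)}


def rank_shifts(register):
    """Return {name: (rank under P x I, rank under (P + V) x I)}."""
    before = rank(register, score_pi)
    after = rank(register, score_pvi)
    return {name: (before[name], after[name]) for name in before}


# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("Key supplier delivers late", probability=4, impact=4, velocity=1),
    Risk("Scope creep", probability=4, impact=3, velocity=1),
    Risk("Data centre outage", probability=2, impact=5, velocity=5),
    Risk("Lead developer leaves", probability=3, impact=3, velocity=4),
]

if __name__ == "__main__":
    shifts = rank_shifts(REGISTER)
    for name, (pi_rank, pvi_rank) in sorted(shifts.items(), key=lambda kv: kv[1][1]):
        print(f"{name:28} P x I rank {pi_rank} -> (P + V) x I rank {pvi_rank}")
```

With these sample values the ordering changes completely: the fast-moving, low-probability outage goes from third to first, which is the kind of shift the risk management plan should explain before the extra column is used for ranking.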

Urgency: This dimension looks at the timing of our risks (at our doorstep or next year). It helps in identifying risks that might occur soon versus those that might be further down our horizon. This means that it “allows project managers to identify which risks should be considered urgent or require their immediate attention” (Alby, n.d.). This potential dimension of risk is often defined by the time that is available before a risk might occur, the identification of warning signs of the risk being near, and finally, some modification of the risk ranking score by the addition or multiplication of an additional factor, as with velocity above.

Familiarity: Have we or any of our stakeholders encountered or had to deal with a similar risk before? How familiar is this risk event?

Manageability: An understanding of how adept we are, or are not, at managing specific risks. This comes from having had experience, or not, in doing so in the past.

Detectability: An indication of how easy it is to find a trigger and document that trigger so as to detect the occurrence of a particular risk. Some risks are hard to spot, let alone detect, ahead of an event, especially if the team has not been introduced to them before.

Capacity: This looks potentially at our capacity to add or handle more risks on a project as part of our overall load from a PMO or ERM perspective.

Corporate vulnerability: The degree to which a risk can have an impact within the organization on other levels. This can also be tied to strategic impact risks and often will need to be escalated and discussed prior to planning completion on the project.

As you can see, these can add understanding but can also add to the complexity of truly understanding our risk situation. Several of these dimensions depend on our understanding of the project and, potentially, on prior experience that allows for further analysis. Personally, I have always been of the mind that I would rather spend more time gathering solid risk data at the onset than “decorate” my data with more dimensions that then create slanted or hard-to-diagnose scores.

The simple risk matrix will not suffice if you are to try to map or graph more than two elements. In some cases, the use of heat maps over a matrix will do a good job of representing the picture of your project with additional dimensions.

A question I will pose: “How do these additional dimensions make a risk more/less certain or provide a better understanding of our project context?” At the end of the day, that is what we want to do, but do all these new dimensions really achieve their goal, or do they simply make something simple into something complex? I will leave you to decide.

 
