Risk Breakdown Structure (RBS)
Written by Dimitrios Machairas
A Risk Breakdown Structure is a tool that depicts in the form of a graph the risks a project might face as it develops. Commonly, this tool's structure follows a hierarchical representation of risk, starting with the top levels and consequently moving down to more specific risks. The scope of this tool is to help project managers map out the possible risk exposure of the project - every parameter that might affect the regular progression of the project.
Risk Breakdown Structure (RBS) is a tool developed by Dr. David Hillson and he describes it as: "A Source-oriented grouping of project risks that organize and defines the total risk exposure of the project. Each descending level represents an increasingly detailed definition of sources of risk to the project" [1].
Contents |
Introduction: Risk Management
Risk Breakdown Structure is a tool that is part of a broader field called Risk Management. Risk management is a systematic process of identifying, assessing, responding and controlling and monitoring the project risk [2]. The overall goal of the risk management process is to maximize the opportunities and minimize the negative consequences of risk threats [2]. Project Risk Management aims to identify and prioritize risks in advance of their occurrence and provide action-oriented information to project managers. This orientation requires consideration of events that may or may not occur and are therefore described in terms of likelihood or probability of occurrence in addition to other dimensions such as their impact on objectives [3]. RBS relation with Risk Management lies mainly in its implementation in the risk identification but can also provide support in the later stages (risk assessment and risk response) since it offers an overview of the risks which affect the project.[4]. Figure 2 demonstrates an example of RBS [5]
Risk identification
A risk cannot be managed unless it is first identified. Consequently, after risk management planning has been completed, the first process in the iterative Project Risk Management process aims to identify all the knowable risks to project objectives [2]. Risk identification is the process of systematically and continuously identifying, categorizing, and assessing the initial significance of risks associated with a project [7]. Risk identification describes risks that can potentially affect the project. Participants in risk identification activities can be the following: project manager, project team members, risk management team (if assigned), experts that are not member of project, customers, end users, other project managers, stakeholders, and risk management experts [6].
Techniques used for risk identification include brainstorming and workshops, checklists and prompt lists, questionnaires and interviews, Delphi groups or Nominal Group Techniques, and various diagramming approaches (cause–effect diagrams, systems dynamics, influence diagrams, etc.)[4].
Risk Analysis
Risk analysis is subsequent step of Risk Identification and aims to evaluate the consequences associated with risks and to assess the impact of risk by using risk analysis and measurement techniques. These techniques involve Qualitative Analysis (description, likelihood of happening and impact of the risk to the project), Quantitative Analysis (sensitivity analysis, Monte Carlo, decision trees etc.).
Risk Response Planning
The step after risk identification and risk analysis is to strategically plan actions focusing on the most significant risks, in a way that increases the possibility of success and minimizes the impacts of the threats on the project. This process aims to determine effective response actions that are appropriate to the priority of individual risks and to the overall project risk. It takes into account the stakeholders‟ risk attitudes and the conventions specified in the Risk Management Plan, in addition to any constraints and assumptions that were determined when the risks were identified and analyzed.[4]. When the response actions are applied, they affect the project objectives and can generate additional risks. These are known as secondary risks and have to be analyzed and planned for in the same way as those risks which were initially identified [2].
Responses to risks can be one/combination of the following options [4] :
- Mitigate: acts on the reduction of the probability and/or the impact of a risk to an acceptable threshold. This may require further resources and therefore may represent a tradeoff of one objective for another. This is one of the most applied methods.
- Avoid: risk avoidance consists of altering the project plan so that the risk is eliminated and does not impose a threat to the project.
- Transfer: in this option, the risk is transferred to another partner or third party that is better positioned to address a particular threat. A good example is insurance companies that are willing to take the risk in exchange for money.
Risk Control and Monitoring
By the progress of the project, new information becomes available and the list of project risks changes by the appearance of new risks, whether foreseen or unforeseen or disappearance of some anticipated risks. The project risk management planning should therefore be kept current and the project manager should ensure that risk identification, analysis, and response planning are repeated at reasonable intervals, or in response to project events [4].
Risk monitoring and control keep track of the identified risks, residual risks, and new risks. It also monitors the execution of planned strategies on the identified risks and evaluates their effectiveness. Risk monitoring and control continue for the life of the project [8].
The concept of Risk Breakdown Structure (RBS)
Risk Breakdown Structure (RBS) is a tool, among others like risk registers, risk matrix and risk map, that structures risks that have been previously identified in order to better communicate it to the project’s stakeholders. Risk Breakdown Structure is a useful tool that follows a hierarchy of Risk Categories and Risk Events identifying the various areas and causes of potential risks [2]. It represents the overall project and organizational risk factors and events organized by group and category [9].
The building blocks of RBS are Risk Events and Risk Categories. A Risk Event (RE) is considered an event whose occurrence may have a negative impact on the project while a Risk Category (RC) is a group of several risk events. Any Risk Category can be split into subcategories when wanting a more detailed view or, reversely, grouped with other categories when a more general view is desired [4].
A generic example can be seen in Figure 2 in which the Project's Risk is firstly decomposed to Internal and External Risk and consequently into more specific subcategories. Eventually, Risk Events occupy the bottom nodes of this tree.
Much like a work breakdown structure (or WBS), the risk breakdown structure provides a framework for categorizing and ranking the risks associated with any given project. The development of RBS can be done either ‘’bottom-up’’, by starting with Risk Events and then grouping them together into Risk Categories or ‘’top-down’’, by defining categories, then subcategories and lastly the Risk Events.
Implementing the ‘’top-down’’ approach, the first level of categories must be defined. There are no specific guidelines on how to structure the nodes of the RBS, but some patterns are often followed in many cases [4]:
- Internal and external risks
- Risks associated with the phases of the project (e.g. design, implementation, operation, management)
- Risks associated with the project's stakeholders
Followingly, the Risk Categories are further broken down into more specific subcategories. For example, in the Figure 3 Risks are decomposed into Internal and External Risks and then into Environmental, etc.
Lastly, the Risk Events are allocated into the relevant categories. At this stage, the Risk Events might have been either previously identified by the use of tools described in the Risk Identification paragraph (brainstorming, workshops, checklists, etc) or they can be identified at this point.
Next to the ‘’top-down’’ approach, the ‘’bottom-up’’ approach follows a slightly different methodology. At first, the Risk Events are identified and an unstructured list of different Risk Events is created. The classification phase follows during which Risk Events are grouped up together under the relative subcategory. Then the subcategories are compiled into broader categories and so on.
Advantages of the RBS
- The main advantage of the RBS is its intuitive structure. Risk events can be grouped together in a synthetic view which is helpful to communicate to the project's stakeholders. It provides a perspective of where are the risks coming from and concentrated at [10].
- In addition, RBS allows for the aggregation of information along its branches, from the bottom to the top, once rules have been defined for this aggregation. More specifically, several risk events can be compiled into a risk category which consequently can be also compiled together with other risk categories [4].
- Another advantage of the RBS is the ease to update the information. As noted in this article, RBS can be an iterative process that updates along with the project, it is therefore important that this tool can be easily modified.
Drawbacks of the RBS
- It is argued by Rasool Mehdizadeh (2012) that RBS suffers from lack of specific guidelines on how to structure and develop an RBS. For example, a node such as "project risks" can be decomposed in "internal risks" and "external risks" but there are other possibilities of splitting according to project phases (contract, design, construction etc). The result is that it is difficult to identify "good practices" for developing RBS [4].
- Another drawback of RBS, is that it is difficult to account for interactions between risks [4]. RBS lacks the way to describe the relationship between the risks and how much a risk can affect another. For example, the occurrence of an event of natural hazard could trigger the event of financial instability in the company.
Annotated Bibliography
For those who are interested in further research of the topic of this article, I encourage them to study the recommended annotated bibliography.
Hillson, D. (2002). "Use a risk breakdown structure (RBS) to understand your risks", Project Management Institute: If there is interest in learning more about Risk Breakdown Structure then it is recommended to read the article published by Hillson in 2002 which was the first to spotlight this tool and emphasize its benefits on Risk Management
Rasool Mehdizadeh. (2012)."Dynamic and multi-perspective risk management of construction projects using tailor-made Risk Breakdown Structures": Provides extensive analysis of the Risk Breakdown Structure, the theoretical background, and case studies
References
- ↑ Hillson, D. (2002). "Use a risk breakdown structure (RBS) to understand your risks", Project Management Institute
- ↑ 2.0 2.1 2.2 2.3 2.4 Project Management Institute, (2008),"A Guide to the Project Management Body of Knowledge - Fourth Edition"
- ↑ Project Management Institute. (2009). "Practice standard for project risk management. Newtown Square"
- ↑ 4.00 4.01 4.02 4.03 4.04 4.05 4.06 4.07 4.08 4.09 4.10 Rasool Mehdizadeh. (2012)."Dynamic and multi-perspective risk management of construction projects using tailor-made Risk Breakdown Structures"
- ↑ 5.0 5.1 Tah, J.H.M. and Carr, V. (2001) "Towards a Framework for Project Risk Knowledge Management in the Construction Supply Chain" Advances in Engineering Software
- ↑ 6.0 6.1 Mojtahedi, Mohammad & Mousavi, Sana & Makui, Ahmad. (2010). "Project risk identification and assessment simultaneously using multi-attribute group decision making technique", Safety Science
- ↑ Al-Bahar, J.F. and Crandall, K.C. (1990), "Systematic Risk Management Approach for Construction Projects", Journal of Construction Engineering and Management
- ↑ Uzulāns, Juris. (2016). "Project Risk Register Analysis Based on the Theoretical Analysis of Project Management Notion of Risk" Economics and Business
- ↑ Holzmann, Vered & Spiegler, Israel. (2011). "Developing risk breakdown structure for information technology organizations" International Journal of Project Management
- ↑ Zacharias, O. & Panopoulos, Dimitrios & Askounis, Dimitris. (2008)."Large scale program risk analysis using a risk breakdown structure"