Risk Breakdown Structure (RBS)
Written by Dimitrios Machairas
A Risk Breakdown Structure is a tool that depicts in the form of a graph the risks a project might face as it develops. Commonly, this tool's structure follows a hierarchical representation of risk, starting with the top levels and consequently moving down to more specific risks. The scope of this tool is to help project managers map out the possible risk exposure of the project - every parameter that might affect the regular progression of the project.
Risk Breakdown Structure (RBS) is a tool developed by Dr. David Hillson and he describes it as: "A Source-oriented grouping of project risks that organize and defines the total risk exposure of the project. Each descending level represents an increasingly detailed definition of sources of risk to the project" [1].
Contents |
Introduction: Risk Management
Risk Breakdown Structure is a tool that is part of a broader field called Risk Management. Risk management is a systematic process of identifying, assessing, responding and controlling and monitoring the project risk [2]. The overall goal of the risk management process is to maximize the opportunities and minimize the negative consequences of risk threats [2]. Project Risk Management aims to identify and prioritize risks in advance of their occurrence and provide action-oriented information to project managers. This orientation requires consideration of events that may or may not occur and are therefore described in terms of likelihood or probability of occurrence in addition to other dimensions such as their impact on objectives [3]. RBS relation with Risk Management lies mainly in its implementation in the risk identification but can also provide support in the later stages (risk assessment and risk response) since it offers an overview of the risks which affect the project.[4]. Figure 2 demonstrates an example of RBS [5]
Risk identification
A risk cannot be managed unless it is first identified. Consequently, after risk management planning has been completed, the first process in the iterative Project Risk Management process aims to identify all the knowable risks to project objectives [2]. Risk identification is the process of systematically and continuously identifying, categorizing, and assessing the initial significance of risks associated with a project [7]. Risk identification describes risks that can potentially affect the project. Participants in risk identification activities can be the following: project manager, project team members, risk management team (if assigned), experts that are not member of project, customers, end users, other project managers, stakeholders, and risk management experts [6].
Techniques used for risk identification include brainstorming and workshops, checklists and prompt lists, questionnaires and interviews, Delphi groups or Nominal Group Techniques, and various diagramming approaches (cause–effect diagrams, systems dynamics, influence diagrams, etc.)[4].
Risk Analysis
Risk analysis is subsequent step of Risk Identification and aims to evaluate the consequences associated with risks and to assess the impact of risk by using risk analysis and measurement techniques. These techniques involve Qualitative Analysis (description, likelihood of happening and impact of the risk to the project), Quantitative Analysis (sensitivity analysis, Monte Carlo, decision trees etc.).
Risk Response Planning
The step after risk identification and risk analysis is to strategically plan actions focusing on the most significant risks, in a way that increases the possibility of success and minimizes the impacts of the threats on the project. This process aims to determine effective response actions that are appropriate to the priority of individual risks and to the overall project risk. It takes into account the stakeholders‟ risk attitudes and the conventions specified in the Risk Management Plan, in addition to any constraints and assumptions that were determined when the risks were identified and analyzed.[4]. When the response actions are applied, they affect the project objectives and can generate additional risks. These are known as secondary risks and have to be analyzed and planned for in the same way as those risks which were initially identified [2].
Responses to risks can be one/combination of the following options [4] :
- Mitigate: acts on the reduction of the probability and/or the impact of a risk to an acceptable threshold. This may require further resources and therefore may represent a tradeoff of one objective for another. This is one of the most applied methods.
- Avoid: risk avoidance consists of altering the project plan so that the risk is eliminated and does not impose a threat to the project.
- Transfer: in this option, the risk is transferred to another partner or third party that is better positioned to address a particular threat. A good example is insurance companies that are willing to take the risk in exchange for money.
Risk Control and Monitoring
By the progress of the project, new information becomes available and the list of project risks changes by the appearance of new risks, whether foreseen or unforeseen or disappearance of some anticipated risks. The project risk management planning should therefore be kept current and the project manager should ensure that risk identification, analysis, and response planning are repeated at reasonable intervals, or in response to project events [4].
Risk monitoring and control keep track of the identified risks, residual risks, and new risks. It also monitors the execution of planned strategies on the identified risks and evaluates their effectiveness. Risk monitoring and control continue for the life of the project [8].
The concept of Risk Breakdown Structure (RBS)
Risk Identification provides an unstructured list of risks that is difficult to communicate to other stakeholders. Therefore, different tools that structure the large amount of data have been proposed including risk registers, risk matrix and risk map. Among them, Risk Breakdown Structure (RBS) is a useful tool that groups the identified risk events into different levels following a bottom-up approach. The RBS is a hierarchically organized depiction of the identified project risks arranged by risk categories and subcategories that identifies the various areas and causes of potential risks [2]. It represents the overall project and organizational risk factors and events organized by group and category [9]
Much like a work breakdown structure (or WBS), the risk breakdown structure provides a framework for categorizing and ranking the risks associated with any given project. The development of RBS can be done either ‘’bottom-up’’, by starting with Risk Events and then grouping them together into Risk Categories or ‘’top-down’’, by defining categories, then subcategories and lastly the Risk Events.
Implementing the ‘’top-down’’ approach, the first level of categories must be defined. There are no specific guidelines on how to structure the nodes of the RBS, but some patterns are followed often in many cases [4]:
- Internal and external risks
- Risks associated with the phases of the project (e.g. design, implementation, operation, management)
- Risks associated with the project's stakeholders
Followingly, the Risk Categories are further broken down into more specific subcategories. For example, in the Figure 3 Risks are decomposed into Internal and External Risks and then into Environmental, etc.
Lastly, the Risk Events are allocated into the relevant categories. At this stage, the Risk Events might have been either previously identified by the use of tools described in the Risk Identification paragraph (brainstorming, workshops, checklists, etc) or they can be identified at this point.
Building blocks of the RBS
In order to develop a Risk Breakdown Structure, there is the need to explain the building blocks of this tool. Specifically, this tool consists of Risk Events (RE), Risk Categories (RC) and Micro trees (MT) that all together structure the RBS.
Risk Events (RE)
Risk event (RE) is considered an event whose occurrence may have a negative impact on the project. Building a RE database requires firstly the identification of Risk Events and afterward the classification of these into categories, the so-called Risk Categories (RC).
As mentioned in the Introduction, Identification of RE is conducted using tools such as brainstorming and workshops, checklists, prompt lists etc. The result of Identification is a list of uncorrelated Risk Events. Identification is usually an iterative process that happens along the course of the project, but a first database version should be created that is going to be updated later on.
The classification stage consists of defining all RCs to which the RE can belong. For example in a construction project the identified Risk Events: "Mistake in design" and "Project design does not comply with building regulations" can be grouped up together under the Risk Category "Defective Design"
Risk Categories (RC)
A Risk Category (RC) is a group of several risk events. Any category can be split into subcategories when wanting a more detailed view or, reversely, grouped with other categories when a more general view is desired.
Micro trees (MT)
Micro trees are created when grouping up multiple Risk Categories.
In the example at Figure 3, we can notice two levels of Micro trees: Starting from the bottom nodes, "Economic/Financial"', "Political", "Legal and regularities" and "Context" are "son" nodes while "Country Risks" is the "father" node of this Micro tree. In the same manner, "Country Risks", "Force majeure" and "Environmental risk" are "son" nodes of the Micro Tree with "father" node "External risks".
More often than not, there are some patterns followed when structuring the top-level nodes:
- Internal and external risks
- Risks associated with the phases of the project (e.g. design, implementation, operation, management)
- Risks associated with the project's stakeholders
In the example of Figure 2, we can notice that the structure of Internal and external risks is followed
Advantages of the RBS
- The main advantage of the RBS is its intuitive structure. Risk events can be grouped together in a synthetic view which is helpful to communicate to the project's stakeholders. It provides a perspective of where are the risks coming from and concentrated at [10].
- In addition, RBS allows for the aggregation of information along its branches, from the bottom to the top, once rules have been defined for this aggregation. More specifically, several risk events can be compiled into a risk category which consequently can be also compiled together with other risk categories [4].
- Another advantage of the RBS is the ease to update the information. As noted in this article, RBS can be an iterative process that updates along with the project, it is therefore important that this tool can be easily modified.
Drawbacks of the RBS
- It is argued by Rasool Mehdizadeh (2012) that RBS suffers from lack of specific guidelines on how to structure and develop an RBS. For example, a node such as "project risks" can be decomposed in "internal risks" and "external risks" but there are other possibilities of splitting according to project phases (contract, design, construction etc). The result is that it is difficult to identify "good practices" for developing RBS [4].
- Another drawback of RBS, is that it is difficult to account for interactions between risks [4]. RBS lacks the way to describe the relationship between the risks and how much a risk can affect another. For example, the occurrence of an event of natural hazard could trigger the event of financial instability in the company.
Annotated Bibliography
For those who are interested in further research of the topic of this article, I encourage them to study the recommended annotated bibliography.
Hillson, D. (2002). "Use a risk breakdown structure (RBS) to understand your risks", Project Management Institute: If there is interest in learning more about Risk Breakdown Structure then it is recommended to read the article published by Hillson in 2002 which was the first to spotlight this tool and emphasize its benefits on Risk Management
Rasool Mehdizadeh. (2012)."Dynamic and multi-perspective risk management of construction projects using tailor-made Risk Breakdown Structures": Provides extensive analysis of the Risk Breakdown Structure, the theoretical background, and case studies
References
- ↑ Hillson, D. (2002). "Use a risk breakdown structure (RBS) to understand your risks", Project Management Institute
- ↑ 2.0 2.1 2.2 2.3 2.4 Project Management Institute, (2008),"A Guide to the Project Management Body of Knowledge - Fourth Edition"
- ↑ Project Management Institute. (2009). "Practice standard for project risk management. Newtown Square"
- ↑ 4.00 4.01 4.02 4.03 4.04 4.05 4.06 4.07 4.08 4.09 4.10 Rasool Mehdizadeh. (2012)."Dynamic and multi-perspective risk management of construction projects using tailor-made Risk Breakdown Structures"
- ↑ 5.0 5.1 Tah, J.H.M. and Carr, V. (2001) "Towards a Framework for Project Risk Knowledge Management in the Construction Supply Chain" Advances in Engineering Software
- ↑ 6.0 6.1 Mojtahedi, Mohammad & Mousavi, Sana & Makui, Ahmad. (2010). "Project risk identification and assessment simultaneously using multi-attribute group decision making technique", Safety Science
- ↑ Al-Bahar, J.F. and Crandall, K.C. (1990), "Systematic Risk Management Approach for Construction Projects", Journal of Construction Engineering and Management
- ↑ Uzulāns, Juris. (2016). "Project Risk Register Analysis Based on the Theoretical Analysis of Project Management Notion of Risk" Economics and Business
- ↑ Holzmann, Vered & Spiegler, Israel. (2011). "Developing risk breakdown structure for information technology organizations" International Journal of Project Management
- ↑ Zacharias, O. & Panopoulos, Dimitrios & Askounis, Dimitris. (2008)."Large scale program risk analysis using a risk breakdown structure"