Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Understanding risk: An introduction - part 2/3

Previous:  Understanding risk conditions.

Defining risks.

A risk can be divided into three elements, which are:

  • cause,
  • event,
  • effect.

When we write down risks and make them understandable for our team members, we must include these three elements. Normally we would simply say “it is a risk to fly airplane”, because we assume that we all understand each other and therefore implicit knows what those three elements includes. But when you say, “it is a risk to fly airplane”, it is not certain we are thinking of the same thing. We assume everyone thinks about an airplane disaster as the event. But for one who is traveling home after a scuba diving holiday will instantly think about decompression sickness, which is the diver’s worry within 48 hours after the last dive (vary on the type of dive).

We see here the important of expressing the risk in a common way and make sure every team member understands it correctly. This is done by including all three elements. Here we see an example.

 Element  Explanation  Example
 Cause Source of the risk. Large amount of rain.
 Event Threat or opportunity. within the risk Flooding.
 Effect The outcome. Water damage in the basement.

From this we can now construct a sentence that looks like this

Cause can lead to Event which can result in Outcome.

With this construct we can now make a concrete risk which doesn’t lead to misunderstandings:

Large amount of rain can lead to flooding which can result in water damage in the basement.

Every time we define a risk, we should write it down using this template, that means a sentence including the cause, the event and the effect. Here is another example:

More than 1 hour down-time on service ABC can lead the police to lose control over X and Y and cannot inform Z in a timely manner which can lead to loss of lives.

When we have defined a risk, it is possible to respond to the risk.

Risk response.

There are several options to choose from for a risk response, in short these are:

 Negative risk Positive risk 
 Avoid Exploit 
 Mitigate Increase
 Accept Reject
 Share Share 

Fallback means that we will take measurement after the risk is materialised. Imagine a tennis match where we defines one of the arrangement risks like this “Huge amount of rain can lead to wet field which can result in lowering the match quality and the spectators excitement”. We know that the stadium where this arrangement is hosted have a feature where we can close the roof. For the risk defined here vi choose Fallback as the response, and we decide that if it starts raining we close the roof. Notice we took action after the risk materialised, hence Fallback.

Transfer is when we want other parties to take hand of the risks, like we for example do with car and home insurances.

When it comes to Share can this be when for example two persons agree to bet on a football series. They agree to invest EUR 50 on betting slips, that means 25 on each of them. We can identify the risk like this “Several of the matches doesn’t give the results we bet on and can lead to no pay-outs which can result in a loss of 25 EUR on every investor”.

Recognise that we here shared the risk on two parties, both the positive risk and the negative risk. The positive risk here can we define as “All matches give the result we bet on and can lead to full pot which can result in EUR 50 000 profit to share by the investors”. When the positive risk is materialised, it will be a pay-out of 25 000 on each of the two investors".

Avoid, mitigate and accept are all explained in the table under residual risk below.

When we have decided which risk response to use, we should write a description on how to implement the response. Such descriptions will vary in size and complexity, all based on each risk and the type of response we decided on. After the response is executed, there are often still some degree of risk left, we call this the residual risk.

Residual risk

A residual risk is the risk which remains left after a risk response has been implemented on the original risk. It is given that the exact choice of response will affect the variance between the probabilities of the original risk and the residual risk.

 Risk probability Response  Residual risk probability  Comment 
 High Avoid  None  When we avoid a risk it will not exist as a residual risk. If you plan to drive through a snowy mountain range and defined the risk "Too much snow in the mountain can lead to closed roads which can result in a delayed arrival" you can avoid this risk by instead book an airplane ticket. When you avoid risk you should be aware new risk might occurs. 
 High Mitigate  Low  When you want to mitigate the risk the residual risk must always have a lower probability than the original risk. If we continue with the example above with snow in the mountains, a mitigation might be to start your trip a day in advance. 
 High Accept  High  To accept a risk means you continue on with the risk as it is without implement any risk response. You do nothing to reduce the risk. In some cases this a legitim approach. Back to the example above with snow in the mountains. When you accept this risk you simply bet that you will reach you destination within the schedule or you accept that you might arrive too late. 

Next: Part 3 - Risk matrix (soon to be published).

AUG Leaders

Atlassian Community Events