Analyze

1
What is Analysis?
 Analysis is a process of examining the risks in detail to determine the extent
of the risks, how they relate to each other, and which ones are the most
important. Analyzing risks has three basic activities:
• Evaluating attributes of risks
• Classifying risks
• Prioritizing (ranking) risks
 The objective of the Analyze function is to convert risk data into decision-
making information.

2
Inputs and Outputs of the Analyze
Function

3
Inputs and Outputs of the Analyze
Function

4
Inputs and Outputs of the Analyze
Function

5
Methods and Tools for the Analyze Function

6
Evaluating Attributes of Risks
 Evaluating the attributes of a risk involves establishing the current values for:
• Impact: the loss or effect on the project if the risk occurs
• Probability: the likelihood the risk will occur
• Timeframe: the period when action is required in order to mitigate the
risk
 The objective of evaluating the attributes is to gain a better understanding of
the risk by determining the expected impact, probability, and timeframe of
the risk.

7
Levels of Analysis
 Risks should be evaluated at a level of analysis that is sufficient to determine
the relative importance, for planning cost-effective mitigation strategies, and
to support tracking.
 Therefore, individual risks can be analyzed and managed at various levels of
detail.
 Example: A high impact, high probability risk may require a more detailed
level of analysis to plan a mitigation strategy.

8
Levels of Analysis and Attributes

9
Levels of Analysis and Attributes
 Air Force Example: The Air Force Systems Command / Air Force Logistics
Command (AFSC/AFLC) Pamphlet 800-45 describes a four-level analysis
approach.

 Combination Example: A risk may have the impact evaluated qualitatively

using the 5-level, probability evaluated qualitatively using the 3-level, and
the timeframe evaluated qualitatively using the binary level.
10
Levels of Analysis and Attributes

11
Risk Exposure
 Risk exposure is an attribute of risk that is derived from two of the attributes:
impact (loss) and probability (likelihood).
 You may use the combined attribute of risk exposure in place of the
individual values of impact and probability.
 RE = Prob(UO) * Loss(UO). Where Prob(UO) is the probability of an
unsatisfactory outcome (UO) or risk, and Loss(UO) is the loss to the parties
affected if the outcome is unsatisfactory (i.e., the risk occurs).

12
Levels of Risk Exposure

N-level:
  There are
Possible values of
risk exposure.

13
Risk Exposure – Air Force Summary

14
Risk Exposure and Ordinal Numbers
 If the impact and probability have been evaluated qualitatively using ordinal
numbers, beware of performing multiplication on the ordinal scale values to
obtain risk exposure.

15
Choosing a Level of Analysis
 Choosing a level of analysis depends on a number of factors, such as:
• What fits in your organization
• What is prescribed by a customer or policy
• What is sufficient for planning a mitigation strategy for an individual risk
 Note: Consider the purpose of the evaluation effort. The time and resources
required for the evaluation must be balanced against the value of the added
level of information.

16
Methods and Tools for Evaluating Attributes of Risks

17
Classifying Risks
 Classifying risks involves grouping risks based on shared characteristics.
 The groups or classes show relationships among the risks.
 Classification helps to identify duplicate risks and supports simplifying the
list of risks.
 The objective of classifying risks is to look at a set of risks and how those
risks relate to each other within a given structure. The classes or groups of
risks provide a different perspective when planning risks.

18
Classifying Risks

19
Classifying Risks
 Within the Continuous Risk Management approach, risks are classified using
two conceptual perspectives as listed in the following table.

20
Classification by Source or Impact
 When classifying risks using the predefined structure, the criterion chosen
will affect the outcome of groups of risks. There are two criteria for grouping
risks:
• By Source: Risks are grouped based on the same source or root cause.
This will show the major sources of risk to the project.
• By Impact: Risks are grouped based on where or how the impact will be
felt by the project. This shows the project the major product areas that will
be impacted by the risks.
 Note: Classification by impact can occur at several levels. Risks may be
classified by their impact on technical work, budget, or schedule.

21
Classification Uses
 The ultimate purpose of classification is to understand the risks the project
faces and group related risks to help build more cost effective mitigation
plans.
 Multiple views may provide insight into how best to deal with the risks in
planning.
 It is important to maintain the classification structure during planning.
 The classification is not helpful if it is not used consistently in planning.
 If the structure is changed, reclassify all the risks.

22
Multiple Classification
 The first time project members identify risks, they may come up with a large
number of them.
 Initially, they may classify according to the source of risk (e.g., what are the
risks resulting from requirements instability?) to understand the global risk
picture.
 However, mitigating the risks may best be done by a different classification
based on who should deal with it or what other risks affect the same area (e.g.,
what are all risks affecting the compiler performance?).
 Both views provide valuable information to the project.
 There are no specific rules for selecting a classification scheme. Projects should
consider what will help during the planning process.
 Note: With database technology, storing multiple classification information is
manageable. 23
Classification Bar Graph
 The result of a classification may be shown as a Bar Graph.
 A classification bar graph is a graphic display of the groups in a classification and the
number of risks in each group.
 Example: The following bar graph indicates the number of risks that were classified,
based on source of risk, into each taxonomy element of the software development risk
taxonomy structure.

24
Combining Duplicate Risks
 The process of classifying risks may reveal that two or more risks are
equivalent – the statements of risk and context indicate that the subject of
these risks is the same.
 Equivalent risks are therefore duplicate statements of the same risk and
should be combined into one risk.

25
Classification Methods and Tools

26
Prioritizing (Ranking) Risks
 Prioritizing risks involves partitioning risks or groups of risks based on the
Pareto "vital few" sense and ranking the risks or sets of risks based upon a
criterion or set of criteria as appropriate.
 While prioritizing, it is common to deal with both single risks and sets of
risks.
 The objective of prioritizing risks is to separate out which risks should be
dealt with first (the vital few risks) when allocating resources.

27
Prioritizing (Ranking) Risks

28
Vital Few/Most Important Risks
 The perspective of importance to the project is used to identify the most
important risks or sets of risk of the entire set in the Pareto sense (separating
the "vital few" from the "useful many").
 Example: A project has recently identified a set of fifty risks. Based on the
probability, impact, and timeframe information, the project identified a subset
of eight as the vital few that need to be dealt with first.

29
Ranking Top N
 Ranking the top N risks or groups of risks involves taking the list of top N
risks and ordering these based upon a criterion or set of criteria into a rank-
ordered list.

 Prioritization Criteria: The criterion or set of criteria used to rank the risks
is chosen based on what's most important to the project. Examples:
• Meeting the timing requirement for function x
• Schedule for major milestones
• Cost within budget
30
Most Important (Top N) Selection

 Note: While the project-wide Pareto "vital few" can be managed at the
highest levels, all of the other risks can be managed within the departments
or teams of the organization most suited to effectively manage those risks
(i.e., these risks are delegated to the appropriate level of management). 31
Prioritization Methods and Tools

32
Guidelines and Tips for Analyze
 Allocate scarce resources to the important issues rather than letting due dates
drive resource allocation.
 Address the urgent risks (e.g., near timeframe) or risks having the potential
for extremely significant impact first.
 Combine items that have similar origins or that are duplicates.
 Reword risk statements to make them clear to all project members.
 Eliminate risks that are already being addressed.

33