BABOK v3 (English)

Chapter 6 – 6.3 – Assess Risks

admin

6.3.1 Purpose

The purpose of Assess Risks is to understand the undesirable consequences of internal and external forces on the enterprise during a transition to, or once in, the future state. An understanding of the potential impact of those forces can be used to make a recommendation about a course of action.

6.3.2 Description

Assessing risks includes analyzing and managing them. Risks might be related to the current state, a desired future state, a change itself, a change strategy, or any tasks being performed by the enterprise.

The risks are analyzed for the:

  • possible consequences if the risk occurs,
  • impact of those consequences,
  • likelihood of the risk, and
  • potential time frame when the risk might occur.

The collection of risks is used as an input for selecting or coordinating a change strategy. A risk assessment can include choosing to accept a risk if either the effort required to modify the risk, or the level of risk outweighs the probable loss.

If the risks are understood and the change proceeds, then the risks can be managed to minimize their overall impact to value.

Important A number of methods include “positive risk” as a way of managing opportunities. Although the formal definition of risk in the BABOK® Guide doesn’t preclude this usage, “opportunities” are captured as needs (and managed accordingly), and risk is used for uncertain events that can produce negative outcomes.

6.3.3 Inputs

  • Business Objectives: describing the desired direction needed to achieve the future state can be used to identify and discuss potential risks.
  • Elicitation Results (confirmed): an understanding of what the various stakeholders perceive as risks to the realization of the desired future state.
  • Influences: factors inside of the enterprise (internal) and factors outside of the enterprise (external) which will impact the realization of the desired future state.
  • Potential Value: describing the value to be realized by implementing the proposed future state provides a benchmark against which risks can be assessed.
  • Requirements (prioritized): depending on their priority, requirements will influence the risks to be defined and understood as part of solution realization.

6.3.4 Elements

.1 Unknowns

When assessing a risk, there will be uncertainty in the likelihood of it occurring, and the impact if it does occur. Business analysts collaborate with stakeholders to assess risks based on current understanding. Even when it is not possible to know all that will occur as a result of a particular change strategy, it is still possible to estimate the impact of unknown or uncertain events or conditions occurring.

Business analysts consider other historical contexts from similar situations to assess risks. The lessons learned from past changes and expert judgment from stakeholders assist business analysts in guiding the team in deciding the impact and likelihood of risks for the current change.

.2 Constraints, Assumptions, and Dependencies

Constraints, assumptions, and dependencies can be analyzed for risks and sometimes should be managed as risks themselves. If the constraint, assumption, or dependency is related to an aspect of a change, it can be restated as a risk by identifying the event or condition and consequences that could occur because of the constraint, assumption, or dependency.

.3 Negative Impact to Value

Risks are expressed as conditions that increase the likelihood or severity of a negative impact to value. Business analysts clearly identify and express each risk and estimate its likelihood and impact to determine the level of risk. Business analysts estimate a total risk level from the aggregated set of risks, indicating the overall potential impact for the risks being assessed. In some cases, overall risk level can be quantified in financial terms, or in an amount of time, effort, or other measures.

.4 Risk Tolerance

How much uncertainty a stakeholder or an enterprise is willing to take on in exchange for potential value is referred to as risk tolerance.

In general, there are three broad ways of describing attitude toward risk:

  • Risk-aversion: An unwillingness to accept much uncertainty; there may be a preference to either avoid a course of action which carries too high a level of risk, or to invest more (and therefore accept a lower potential value) to reduce the risks.
  • Neutrality: some level of risk is acceptable, provided the course of action does not result in a loss even if the risks occur.
  • Risk-seeking: A willingness to accept or even take on more risk in return for a higher potential value.

An individual or organization may exhibit different risk tolerances at different times. If there is low tolerance for risk, there may be more effort on avoidance, transfer or mitigation strategies. If the tolerance for risk is high, more risks are likely to be accepted. Typically, the highest-level risks are dealt with no matter what the risk tolerance level.

.5 Recommendation

Based on the analysis of risks, business analysts recommend a course of action. Business analysts work with stakeholders to understand the overall risk level and their tolerance for risk.

The recommendation usually falls into one of the following categories:

  • pursue the benefits of a change regardless of the risk,
  • pursue the benefits of a change while investing in reducing risk (likelihood and/or impact),
  • seek out ways to increase the benefits of a change to outweigh the risk,
  • identify ways to manage and optimize opportunities, and
  • do not pursue the benefits of a change.

If the change proceeds with risks, stakeholders should be identified to monitor the risks and consequences if the risk event occurs. The risk may alter the current state of the enterprise and require revision of the change strategy. A plan of action in this case may be developed before the risk materializes.

6.3.5 Guidelines and Tools

  • Business Analysis Approach: guides how the business analyst analyzes risks.
  • Business Policies: define the limits within which decisions must be made. These may mandate or govern aspects of risk management.
  • Change Strategy: provides the plan to transition from the current state to the future state and achieve the desired business outcomes. This approach must be assessed to understand risks associated with the change.
  • Current State Description: provides the context within which the work needs to be completed. It can be used to determine risks associated with the current state.
  • Future State Description: determines risks associated with the future state.
  • Identified Risks: can be used as a starting point for more thorough risk assessment. These can come from Risk Analysis Results, from elicitation activities, from previous business analysis experience, or based on expert opinion.
  • Stakeholder Engagement Approach: understanding stakeholders and stakeholder groups helps identify and assess the potential impact of internal and external forces.

6.3.6 Techniques

  • Brainstorming: used to collaboratively identify potential risks for assessment.
  • Business Cases: used to capture risks associated with alternative change strategies.
  • Decision Analysis: used to assess problems.
  • Document Analysis: used to analyze existing documents for potential risks, constraints, assumptions, and dependencies.
  • Financial Analysis: used to understand the potential effect of risks on the financial value of the solution.
  • Interviews: used to understand what stakeholders think might be risks and the various factors of those risks.
  • Lessons Learned: used as a foundation of past issues that might be risks.
  • Mind Mapping: used to identify and categorize potential risks and understand their relationships.
  • Risk Analysis and Management: used to identify and manage risks.
  • Root Cause Analysis: used to identify and address the underlying problem creating a risk.
  • Survey or Questionnaire: used to understand what stakeholders think might be risks and the various factors of those risks.
  • Workshops: used to understand what stakeholders think might be risks and the various factors of those risks.

6.3.7 Stakeholders

  • Domain Subject Matter Expert: provides input to the risk assessment based on their knowledge of preparation required in their area of expertise.
  • Implementation Subject Matter Expert: provides input to the risk assessment based on their knowledge of preparation required in their area of expertise.
  • Operational Support: supports the operations of the enterprise and can identify likely risks and their impact.
  • Project Manager: helps to assess risk and is primarily responsible for managing and mitigating risk to the project.
  • Regulator: identifies any risks associated with adherence to laws, regulations, or rules.
  • Sponsor: needs to understand risks as part of authorizing and funding change.
  • Supplier: there might be risk associated with using a supplier.
  • Tester: identifies risks in the change strategy, from a validation or verification perspective.

6.3.8 Outputs

Risk Analysis Results: an understanding of the risks associated with achieving the future state, and the mitigation strategies which will be used to prevent those risks, reduce the impact of the risk, or reduce the likelihood of the risk occurring.

Related Posts

BABOK v3 (English)

Appendix A: Glossary – s, t, u, v, w

admin
BABOK v3 (English)

Appendix A: Glossary – o, p, q, r

admin

Leave a Reply

Your email address will not be published. Required fields are marked *