Overview of Risk Breakdown Structure (RBS)

The risk breakdown structure (RBS) is a very popular term in the risk management lifecycle. Depending on the nature of the product delivered as part of managing the project, the product owners (or managers) and project managers agree on the types of risks they would like to capture. These could include conceptual risk, technical risk, schedule risk, resource risk, supplier risk, business risk, compliance risk, etc.

Good Practice - Agree on RBS / Risk Types

Agreeing on these risk types helps the stakeholders and team members identify potential risks. Risk management is part of SpiraPlan, which offers a risk type as part of the product template to capture this risk breakdown structure.

Good Practice - Risk Type Agreement

Good Practice - Essential Permissions required to identify risks

To facilitate risk identification in a product, roles should have permissions to create risks, view existing risks, and modify risks assigned to (or owned by) them so that they can analyze them subsequently. The following screen shows the Developer role having access to these granular permissions on the risk artifact. The product or project team must evaluate which roles should be given these permissions within their own context. As a good practice, it is recommended that everyone has access to these three permissions.

Good Practice - Essential Roles to Identify Risks

Risk Identification

  1. Go to the product, select the risk artifact, and click on the new risk.
  2. It is recommended that the workflow for the "Identified" state has only minimal required fields, such as the risk type. This makes it easy for anyone to identify risks.
  3. Select a risk type corresponding to your risk breakdown structure and enter the risk.
  4. Provide both the name and a detailed description of the risk to facilitate the next stage, risk analysis, in the risk management lifecycle.
  5. The illustration below shows these steps.

Risks Identified by Risk Type

SQL Query

select
  r.risk_type_name as name,
  count(r.risk_id) as TYPE_COUNT
from
  SpiraTestEntities.R_Risks as r
join
  SpiraTestEntities.R_RiskStatuses as rs on r.risk_status_id = rs.risk_status_id
where
  r.project_id = ${ProjectId} and
  rs.name = "Identified" and
  r.is_deleted = False
group by
  r.risk_type_name

Query Explanation

  1. We are counting the number of risks by risk type, so we select risk_type_name and count the risk_ids as TYPE_COUNT. This aggregation requires a group by clause at the end.
  2. We are joining the risk table with the risk status table on risk_status_id so that we can filter on the "Identified" risk status name.
  3. We are using ${ProjectId} to restrict the results to the currently selected product, and excluding any risks that have been deleted from the system with the is_deleted = False clause.

Risk Graph

Shown below is the output of the SQL Query. 

Risk Identified Graph