Security

See effect of dependent risk by using decision tree

It's possible that certain risks will only appear as a result of actions taken as a result of managing another risk. That's where you would use a decision tree.

Most of the risks we face on a project are independent of other risks. These types of risks are easier to identify and easier to manage. However, there are times when risks are connected. That is, it's possible that certain risks will only appear as a result of actions taken as a result of managing another risk. That's where the decision tree is used. A decision tree is a technique for determining the overall risk associated with a series of related risks.

For example, let's say your project is going to need to place a large equipment order. You think there is a 20% risk that your primary hardware supplier may not be able to provide all the equipment you need for a large order in a timely manner. This could be risk A. As a part of the risk response plan, you decide to talk to a second vendor to see if they can help fulfill the equipment order on short notice. They normally have the equipment in stock. However, you also discover that there is a 25% possibility that there may be a disruption in their plant because of a potential strike. This is risk B.

Do you see how the two risks are related? Risk A is the primary project risk. If you can successfully manage Risk A, there will be no reason to work with the second vendor and therefore risk B will never enter into the project. However, if risk A comes true, then your risk plan will need to deal with a second risk B.

Of course, what you really want to know is what the chance is that risk A will come true (your primary vendor cannot fulfill the entire order) AND risk B will also come true (the backup vendor goes on strike). That would be the worst case scenario for you. The total risk is calculated by multiplying the individual risks. Since there is a 20% chance of risk A, and a 25% chance of risk B, the probability that both risks will occur is 5% (.20 * .25). 

You can use risk trees to come up with financial implications as well. Let's look at the following generic decision tree that is slightly more complex.

Figure A

This decision tree shows two risks--A and B. Risk A has two outcomes. Outcome 1 is 20% likely to occur and outcome 2 is 80% likely to occur. The monetary value of Risk A is $10,000. If outcome A occurs, a second Risk B is introduced and there are three likely outcomes, 1.1, 1.2 and 1.3. The monetary value of Risk B is $30,000. Using the decision tree, you see that the financial risks of the various outcomes are as follows:

  • Outcome 1.1 has a financial risk of $9,500 ($10,000 * .2) + ($30,000 * .25)
  • Outcome 1.2 has a financial risk of $23,000 ($10,000 * .2) + ($30,000 * .70) 
  • Outcome 1.3 has a financial risk of $3,500 ($10,000 * .2) + ($30,000 * .05).
  • Outcome 2 has a financial risk of $8,000 ($10,000 * .8)

What this tells you is that we should try to achieve outcome 1.3 if possible. It has the smallest financial risk impact. If you don't think you can achieve outcome 1.3 (and there is only a 1% chance you can (.2 * .05)), you should try for outcome 2. There is an 80% chance you can hit outcome 2.

You can see that this process can get complicated. Fortunately, most risks on your project are independent of each other. However, when you discover that one risk leads to another dependent risk (and perhaps more dependent risks), the decision tree can help you determine the probability and impact of each risk combination.


0 comments