Understanding project risk exposure using the two-dimensional risk breakdown matrix


Projects are complex undertakings involving a unique set of tasks and activities conducted within a set of constraints to meet defined objectives. One of the key areas requiring proactive management within projects is risk, arising from uncertainties, which could affect achievement of objectives. Risk in projects is also complex, arising from a wide range of sources and having a broad scope of possible effects on the project. Given these two dimensions of project complexity, in both the tasks to be performed and the risks inherent in the project environment, managing the relationship between project work and project risk is a key success factor for every project manager.

However the risk process often produces nothing more than a long list of risks, which can be hard to understand or manage. The list can be prioritised to determine which risks should be addressed first, but this does not provide any insight into the structure of risk exposure on a project. The Risk Breakdown Structure (RBS) was developed to address this concern, acting as a framework for the risk process (Hillson, 2002a; Hillson, 2002a; Hillson, 2003a).

This paper takes the benefits of structuring one step further to provide a powerful means of understanding and managing risk on a project, using a combination of the Work Breakdown Structure (WBS) and Risk Breakdown Structure (RBS), resulting in the Risk Breakdown Matrix (RBM). An example is used to demonstrate how to measure risk concentration within the RBM using a ‘risk score’ based on the scale or size of individual risks. It is also possible to combine different levels of the WBS and RBS into a pyramidal structure where each of the layers are RBM matrices. This allows a range of analyses to be undertaken with different levels of focus.

Using the Risk Breakdown Structure (RBS)

Since it was first described the Risk Breakdown Structure (RBS) has been widely accepted as a useful tool for structuring the risk process, and is now included in several risk management standards and guidelines, including the current A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (PMI, 2004, p. 244). The RBS is defined in similar terms to the WBS (PMI, 2002), as “A source-oriented grouping of project risks that organises and defines the total risk exposure of the project. Each descending level represents an increasingly detailed definition of sources of risk to the project” (Hillson, 2002a). The RBS is therefore a hierarchical structure of potential risk sources, which can be an invaluable aid to understanding the risks faced by the project, acting as a framework to structure and guide the risk management process, in the same way that the WBS has been the project manager's greatest tool in planning activities, because it scopes and defines the work.

A generic RBS might seem to be useful, but it would be unlikely to include the full scope of possible risks to every project. An alternative is therefore to produce a specific RBS structure relating either to a given industry or to the types of project undertaken by a particular organisation. Once the RBS has been defined, it can be used in a variety of ways. Some of these facilitate the risk management process on a particular project, while others are relevant across projects. The main uses and benefits of the RBS are as follows (Hillson, 2002b):

  • Risk identification aid – The higher levels of the RBS can be used as a prompt list to ensure complete coverage of risk identification, or lower levels can be used as a checklist. In addition the RBS can be used to structure lists of risks identified by other methods.
  • Risk assessment – Identified risks can be mapped into the RBS and categorised by source. This exposes the most significant sources of risk to the project, and indicates areas of dependency or correlation between risks.
  • Comparison of alternatives – Risks associated with competing bids and tenders can be compared directly if the same RBS is used to structure their associated risks. This can also provide input to trade-off studies examining alternative development options or investment decisions.
  • Risk reporting – Different project stakeholders need different levels of reporting, and the RBS can be used to roll-up risk information to a higher level for senior management, as well as drilling down into the detail required to report on project team actions.

Successful and effective risk management requires a clear understanding of the risks faced by the project and business. This involves more than simply listing identified risks and prioritising them by their probability of occurrence and impact on objectives. The large amount of risk data produced during the risk process must be structured so that we can understand it and use it as a basis for action. A hierarchical Risk Breakdown Structure (RBS) framework similar to the WBS provides a number of benefits, by decomposing potential sources of risk into layers of increasing detail.

Linking WBS and RBS

The interconnection between the Work Breakdown Structure (WBS) of a project and its Risk Breakdown Structure (RBS) is a useful technique to associate risks to the activities of a project (Aleshin, 2001). The WBS uses a hierarchical structure to define the major tasks, minor tasks and work packages (WPs) necessary to reach the final objectives of a project, while the Risk Breakdown Structure (RBS) classifies project risks using a hierarchical system of sources of risk (Hillson, 2002b; Hillson, 2003a) . Both WBS and RBS commonly have three or four levels of increasing detail. There are evident analogies between WBS and RBS : WBS constitutes the basic framework for the management of a project (PMI, 2002); likewise, RBS is a tool to structure the risk management process (Hillson, 2002b).

The combined use of WBS and RBS can be used to generate a matrix structure, which allows the project team to manage the risk at a level of detail appropriate to the specific business context. To produce such a combined framework, risk analysis is first performed identifying and classifying risks using the RBS, either directly or to support other methods of identification such as brainstorming or interviews. The lowest levels of the RBS are then linked to the WPs in the WBS, producing a two-dimensional matrix. A link is created only if a particular risk can affect a specific WP. A WBS-RBS matrix is generated which we call the “Risk Breakdown Matrix” (RBM) (Hillson, 2003b, p.137). A simple example is shown in Exhibit 1, where the numbers of risks arising from each RBS element and affecting each WP is plotted in each cell of the matrix (for example there are 7 risks from RBS element R1.1 whose impact would affect WBS element W3.1).

Simple Risk Breakdown Matrix (from Hillson, 2003b)

Exhibit 1 : Simple Risk Breakdown Matrix (from Hillson, 2003b)

For every RBM cell containing risks, the value of each risk can be calculated using two components: the probability of occurrence (P) and the degree of impact (I). Probability is related to the presence of a risk in the RBS, and impact refers to the effect of that risk in the WBS. The calculation of the value of each risk can be determined in various ways, depending on the availability of data, as follows (Grimaldi & Rafele, 2002):

  • using an “ordinal scale” approach, the degree of impact (I) and the index of occurrence (P) are assessed using descriptive labels (Franceschini, 2001);
  • using a “cardinal scale” approach, both the degree of impact and the index of occurrence are divided into classes, distinguished with numerical values included in dimensionless preset scales (for example from 1 to 9) (Misani, 1994);
  • using a “quantitative approach”, in which the degree of impact is related to the parameter directly influenced by the risk (e.g. time delay, increase of costs or other), whereas the probability of occurrence is usually described as a percentage (from 1-99%).

Considering the risks for every WP, an evaluation of the level of criticality for a single WP can be obtained, either in absolute terms or relative to other WPs. The degree of criticality is determined by adding the risk values for each row in the RBM matrix (Exhibit 1) (Grimaldi & Rafele, 2002). This can be expressed by the formula:



RWP,i = global incidence of risks in WP-i;

Pi,j = probability of occurrence of risk-j in WP-i;

Ii,j = impact of risk-j in WP-i.

RBM with evaluation of activities and risk events

Exhibit 2 - RBM with evaluation of activities and risk events

A similar reasoning can be applied to analysing risk sources by separately considering the columns of the RBM matrix. The sum of the values for each column identifies the relationship of all WPs of the project to a particular source of risk or the presence of risks in different WPs (Exhibit 2). In this case the formula is:



Rris,j = total effect of risk source risk-j in the whole project.

The value obtained by summing columns in Exhibit 2 allows a classification of sources of risk in terms of their influence on the project. The phase of risk evaluation is followed by the phases of monitoring and control, in which appropriate interventions are defined on the basis of the classification. The following alternatives should be considered:

1. Intervention aimed at the single most significant risk, as determined from the RBM, after having assigned the values of Pi,j and Ii,j. Attention should be focused on the risk with the highest value of Ri,j and continue in decreasing order to the lowest acceptable limit;

2. Evaluation of all the risks related to the element of the project identified as most critical (i.e. maximum value of RWP,i), on the basis of adding the values for each row in the RBM (Exhibit 2). Risk responses should focus on execution of the WP or on the type of resources applied to that element of the project;

3. Evaluation of the influence of the single most significant source of risk on different WPs, considering the totals of RBM columns, based on a calculation of Rris,j, (Exhibit 2). The response will address ways to reduce the risk source, decreasing its manifestation in the project.

The choice among the three options must be made with a special regard to the position of the risks in the RBM matrix and on the basis of the value in each cell. For instance, if risks are concentrated in specific WPs (the highest values occur on the rows related to the WPs), option 2 above is better; whereas if a single value is much higher than the others, it is useful to focus on the most critical risk (option 1).

Use of the RBM to analyse risk can be demonstrated using an example based on a software development project. The analysis starts with definition of WBS and RBS structures. For this example both WBS and RBS have three levels. The first level of the WBS divides the activities of the project into Project Management, Product Requirements, Detail Software Design, System Construction, and Integration & Test. Similarly the first level of the RBS divides the sources of risk into Product engineering, Development environment, and Program constraints (Hillson, 2002a) .

The RBM analysis method proceeds with relating risks in the lowest level of the RBS to the work-packages of the project in the corresponding lowest level of the WBS. (For shortness in this example we only show the Program constraints branch of the RBS and the Project Management branch of the WBS.)

This produces a matrix (Exhibit 3, at the end of this paper), which allows classification of the risks, in this example using a cardinal scale. Based on the numerical values in the matrix, various conclusions can be drawn, including :

  • identifying which activities have more associated risks (in the example this is the activity Develop Project Charter);
  • identifying the most important single risk, i.e. with the highest value of RWP,j (in the example this is the risk Staff);
  • to single out the most significant relationship (in the example the link between Restrictions and Develop Project Charter is highlighted).

Such considerations will allow risk responses and actions to be planned, increasing the effectiveness of the interventions.

Using an WBS/RBS/RBM pyramid for layered risk analysis

Optimal analysis of risk identifies risks with a sufficient degree of detail to be able to determine the most vulnerable points in a project. Therefore it is necessary not only to classify individual risks, but also to quantify their relationship with areas of the project, in order to understand the correct priority of intervention among the possible mitigation actions. As a result, it is useful to analyse risk in a hierarchical manner at different levels within the project. This can be achieved by developing a pyramidal structure, linking the hierarchical levels of WBS and RBS into RBMs with increasing degrees of detail.

The WBS and RBS hierarchies can be visualized as two triangles, whose dimensions depend on the number of levels and the degree of detail in each level. If the WBS and RBS have the same number of levels, it is possible to join the two triangles to form the faces of a pyramid, where the detailed RBM matrix between lowest levels of RBS and WBS constitutes the base. At each level another RBM is created, whose area depends on its position within the two triangles, i.e. depending on the degree of detail of the WBS and RBS (Exhibit 4).

It follows that the number of layers in the pyramid will match the levels of detail in the WBS and RBS, and each layer represents an RBM matrix at a different level of detail. The highest RBM matrix is defined by the intersection of the first levels of the WBS and RBS. This identifies the macro areas of risks in a project, because it crosses the main tasks or “aggregated deliverables” with generic types of risk. This first level of generic analysis therefore only allows identification of areas of risk within the main sectors of the project.

The next level of the WBS defines the main deliverables of the project (Villa, 2003) and if they are crossed with the second level of RBS, the possible vulnerability and criticality of each deliverable is exposed. At this level, an ordinal scale could be used, with descriptive categories of impact and probability of occurrence. If the detail of WBS and RBS is increased further, a more precise analysis of the risk can be undertaken, using the cardinal scale approach, or if the economic or time impacts are known, a quantitative analysis becomes possible. In the construction of the pyramid, with a top-down approach from the vertex to the base, risks are defined and quantified at an increasing level of detail related to the elements of the project affected.

Risk pyramid

Exhibit 4 – Risk pyramid

This is the most important phase of the risk evaluation, in which it is necessary to put the greatest energies in terms of knowledge, competence and ability of all the project resources with the purpose to get the best quantification of the risk. In this way, it is possible to understand which risks have the biggest impact, and also to establish where it is necessary to intervene and which are the priorities.

After the most detailed quantification of all the risks for every activity of the project, compiling the RBM matrix at the base of the pyramid, it is also useful to conduct a bottom-up assessment, going up the pyramid from a specific level of evaluation to a more general one. For instance, passing from a larger RBM matrix to a smaller, it is possible to aggregate the risks affecting particular areas of the project. At any higher level of the pyramid, the management could get information on macro areas of the projects mostly affected by risk.

The pyramid representation clearly visualises the hierarchical nature of the RBM matrixes. It also allows identification of the links that connect data on different levels, which can be used to structure management of risk information at different levels of RBM matrixes. This approach can be used not only as a means of risk analysis, but also as a way of facilitating communication between the different stakeholders in a project. For instance, project managers who understand the specific issues on their project can introduce detailed data on the risks in the lowest layers of the pyramid to form the base RBM, and top management can then obtain summary information on risk exposure from the higher-level RBM matrixes allowing them to make appropriate strategic decisions.

This pyramidal RBM approach can also support different levels of risk process dependent on the level of risk maturity of the organisation (McKenna, 2001; Hillson, 1997). For example it is likely that organisations with low risk management maturity might be able to complete only the first levels of the pyramid, whereas organisations with higher risk management maturity might be able to complete the whole pyramidal structure.

Going back to the software development example, we can complete the risk analysis using the pyramidal structure of the risk. At the highest level of WBS and RBS, it is possible to define the smallest matrix, that distinguishes fifteen main areas of risk affecting the project (Exhibit 5a).

Each of these areas must be expanded, to obtain a precise quantification of the risk. In this way, larger RBM matrixes would be produced. A full analysis of the software development example at all RBM levels is beyond the scope of this paper : our analysis therefore expands the single RBS branch of Program constraints in the WBS area of Project Management. This uses the second levels of the WBS and RBS: for the WBS area of Project Management, three sub-areas can be decomposed: Planning, Meetings, and Administration. For the RBS area Program constraints the defined groups are Resources, Contract, and Program interfaces. Their combination produces a 3×3 matrix (Exhibit 5b), in which it is possible to associate more specific sources of risk to every single deliverable of the project. In this phase, the degree of detail of the matrix optimises identification of the risks within Project Management. Nevertheless, to allow analysis using an ordinal scale or a cardinal scale, it is necessary to expand again the matrix of Exhibit 5 using the third levels of the WBS and RBS. With a cardinal scale approach, a 7×17 matrix is produced, which attributes a value to each risk based on its impact and occurrence. Our analysis stops at the third level of WBS and RBS: with the third matrix of dimension 38x36, which constitutes the base of the pyramid.

First (a) and second (b) matrix RBM

Exhibit 5 - First (a) and second (b) matrix RBM

Going up the pyramid, it is possible to quantify risk for every area of the project, summing the numerical values of the single risks at the lowest level of the pyramid. Repeating this procedure to the highest matrix, we could calculate a total value of 568, which represents the total degree of risk arising from RBS source Program constraints that could affect the WBS area of Project Management. Repeating this calculation a further 14 times (there are 15 cells in the first matrix RBM), the evaluation of risks in the whole project can be completed, both for individual project areas and for all areas together. In this way, top management has all the information required to decide the right actions to respond to future risks, focusing resources on the most vulnerable areas of the project.


Two of the main areas of complexity in projects arise from the work to be done and the risks that could affect achievement of objectives. Hierarchical frameworks have been developed to provide structure in these two areas : the Work Breakdown Structure (WBS) for project tasks and activities, and the Risk Breakdown Structure (RBS) for sources of risk. Both WBS and RBS are powerful tools for understanding and managing the scope and risk of the project respectively.

There is however a further level at which these two tools can be used to assist the project manager in addressing project complexity as it affects both scope and risk. Combining WBS and RBS to form the Risk Breakdown Matrix (RBM) allows identified risks to be linked with affected areas of the project. This paper has shown how to generate a base-level RBM from the lowest level of the WBS (Work Packages, WPs) and the lowest level of the RBS (individual risks), revealing the most significant risks and those WPs in the project most exposed to risk.

Further development of the RBM concept allows different levels of WBS and RBS to be linked, producing a pyramid of hierarchical RBMs, each at a higher level of detail. At the top level, the RBM relates key sources of risk to the major deliverables and tasks of the project, allowing senior management to make strategic decisions. Analysis can also be performed up and across the pyramid, providing useful information on patterns of risk exposure. Finally the pyramid provides a consistent framework for project risk reporting at all levels in the project.

The Risk Breakdown Matrix (RBM) is a significant development of the tools available to assist the project manager in addressing project risk, providing unique insights into the effect of risk on different aspects of the project.


Aleshin, A. (2001) Risk management of international projects in Russia, International Journal of Project Management, .19, p. 207-222

Franceschin,i F. (2001) “Dai prodotti ai Servizi”, UTET, Torino, 2001

Grimald,i S. & Rafele C. (2002) Analisi dei rischi nelle attività di progetto, Impiantistica Italiana, Novembre - Dicembre 2002, p. 69-78

Hillson, D. A. (1997) Towards a Risk Maturity Model, International Journal of Project and Business Risk Mgt 1 (1) 35-45

Hillson, D. A. (2000a)“The Risk Breakdown Structure (RBS) as an aid to effective risk management”, Proceedings of the 5th European Project Management Conference (PMI Europe 2002), presented in Cannes France, 19-20 June 2002.

Hillson, D. A. (2000b) “Using the Risk Breakdown Structure (RBS) to understand risks”, Proceedings of the 33rd Annual Project Management Institute Seminars & Symposium (PMI 2002), presented in San Antonio USA, 7-8 October 2002.

Hillson, D. A. (2003a, June) Using a Risk Breakdown Structure in project management, Journal of Facilities Management, 2 (1), 2003, pages 85-97

Hillson, D. A. (2003b) Effective Opportunity Management for Projects, New York, Dekker, 2003

McKenna S. (2001) Organisational complexity and perceptions of risk. Risk Management : An International Journal, 3 (2), 53-64

Misani, N. (1994) Introduzione al risk management, Egea, Milano, 1994

Project Management Institute (2002) “Practice Standard for Work Breakdown Structures”. Project Management Institute, Philadelphia, USA. ISBN 1-880410-81-8

Project Management Institute (2004) A Guide to the Project Management Body of Knowledge (PMBoK® Guide), Third Edition. Project Management Institute, Philadelphia, USA,

Villa, T. (2003) WBS: istruzioni per l'usoxcv, Manuale PMLAB “Tecniche di pianificazione progetti”, Giugno 2003

Matrix RBM for a software development with a cardinal scale approach

Exhibit 3 - Matrix RBM for a software development with a cardinal scale approach

© Carlo Rafele, David Hillson, Sabrina Grimaldi
Originally published as a part of 2005 PMI Global Congress Proceedings – Edinburgh, Scotland