Understanding risk exposure using multiple hierarchies


Risk management is recognised as an essential contributor to business and project success (Project Management Institute, 2004; Association for Project Management, 2004; Hillson & Simon, 2007), since it focuses on addressing uncertainties in a proactive manner in order to minimise threats, maximise opportunities, and optimise achievement of objectives. There is wide convergence and international consensus on the necessary elements for a risk management process, and this is supported by a growing range of capable tools and techniques, an accepted body of knowledge, an academic and research base, and wide experience of practical implementation across many industries.

Common implementations of risk management focus on individual risks, and often do not address overall project risk exposure. Recent project risk management guidelines have begun to distinguish between individual “risk events” and “overall project risk”. An individual risk can be defined as “An uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives” (Project Management Institute, 2004, p 373; Project Management Institute, 2005, p 74). Overall project risk on the other hand is defined as “The exposure of stakeholders to the consequences of variation in outcome” (Association for Project Management, 2004, p17). Consequently overall project risk results from the accumulation of a number of individual risk events, together with other sources of uncertainty to the project as a whole such as variability and ambiguity.

Some practitioners suggest that only quantitative risk analysis methods can properly assess overall project risk (Hulett, 2007; Piney, 2007). While such techniques are undoubtedly useful for this purpose, this paper proposes simple enhancements to the qualitative risk assessment process in order to provide significant additional insights into overall project risk exposure.

Failure to consider patterns of risk can lead to inappropriate risk responses and ineffective risk management. This paper presents a simple technique for mapping identified risks to a variety of hierarchical frameworks in order to reveal concentrations of risk exposure. This mapping includes the standard project frameworks as well as risk-related frameworks.

Having mapped risks to these frameworks, the resulting hierarchies can be combined to provide further insights into the nature of overall risk exposure faced by the project. In addition, risk exposure can be analysed at various levels, from whole project to particular sub-areas.

The value of structure

Risk identification often produces nothing more than a long list of risks, which can be hard to understand or manage. The list can be prioritised to determine which risks should be addressed first, but this does not provide any insight into the structure of risk on the project. Traditional qualitative assessment does not indicate those areas of the project which require special attention, or expose recurring themes, concentrations of risk, or “hotspots” of risk exposure. There is also often no assessment of overall project risk exposure, or of the linkages between risks, either at the same level or aggregated to a higher level. Instead the most common techniques (such as the Probability-Impact Matrix, possibly also using a P-I scoring system) focus simply on prioritising individual risks, producing ranked lists such as the “Top Ten” risks.

In order to understand which areas of the project might require special attention, and whether there are any recurring risk themes, or concentrations of risk on a project, it would be helpful if there was a simple way of describing the structure of project risk exposure. The human propensity for pattern recognition supports this need.

In any situation where a lot of data is produced, structuring is an essential strategy to ensure that the necessary information is generated and understood, and to support levels of management and control. Since project management is essentially a reductionist approach, it makes wide use of structures. Traditional structures within project management are based on the characteristics of the work to be done, since this is the primary focus of the project. As a result several standard project frameworks exist to support the project management process. These are described in the following section.

In addition to these project frameworks, there are several characteristics relating to the risk exposure of the project which require structuring in order to support effective management and control of risk. Two risk-related frameworks are also described below.

Standard project frameworks

The most obvious demonstration of the value of structuring within project management is the Work Breakdown Structure (WBS), which is recognised as a major tool for the project manager, because it provides a means to structure the work to be done to accomplish project objectives. The Project Management Institute defines a WBS as “A deliverable-oriented hierarchical decomposition of the work to be executed … it organises and defines the total scope of the project. Each descending level represents an increasingly detailed definition of the project work.” (Project Management Institute, 2002; Project Management Institute, 2004, p 379; Project Management Institute, 2005, p 91). The aim of the WBS is to present project work in hierarchical, manageable and definable packages to provide a basis for project planning, communication, reporting and accountability.

Other common hierarchies in project management include the Organisational Breakdown Structure (OBS) and the Cost Breakdown Structure (CBS). The OBS provides “a hierarchically-organised depiction of the project organisation, arranged so as to relate the work packages to the performing organisational units” (Project Management Institute, 2004, p 365; Project Management Institute, 2005, p 54), subdividing the project staffing by increasingly lower levels of organisational unit, such as department, groups and teams. This reflects the management structure of the project, describing different levels of control of the team. The CBS is defined as “the hierarchical breakdown of a project into cost elements” (Association for Project Management, 2006, p 133), and is a similarly structured hierarchy which describes the total cost of the project in increasing levels of detail, providing a basis for cost estimation, budgeting and control, and it is often used in Earned Value Management systems.

Risk frameworks

A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (Project Management Institute, 2004, p 238) states that “A risk may have one or more causes and, if it occurs, one or more impacts.” These three elements of cause-risk-effect need to be distinguished, to ensure that the risk management process focuses on managing risks (Hillson, 2000). However, information on the causes and effects of each risk should not be lost, since it provides useful insights into the nature of the risk, and may suggest effective ways to manage the risk. Use of a three-part structured risk description (also known as risk metalanguage (Hillson, 2000)) aims to separate these three elements.

Understanding risk exposure may be facilitated by the use of hierarchical structures analogous to the project WBS, OBS and CBS frameworks. The cause-risk-effect structure suggests that two risk frameworks might be useful, addressing sources of risk (causes) and their potential effects on project objectives (impacts).

One hierarchical risk-related structure has already been developed and is being used increasingly widely. This is known as the Risk Breakdown Structure (RBS), and presents sources of risk (Hillson, 2002a & b, 2003). The RBS is defined as “A hierarchically-organised depiction of the identified project risks arranged by risk category and subcategory that identifies the various areas and causes of potential risks.” (Project Management Institute, 2004, p 373; Project Management Institute, 2005, p 75). The RBS is therefore a hierarchical structure of potential risk sources, and can be used in a variety of ways to structure and guide the risk management process. An example RBS is shown in Exhibit 1.

The RBS indicates the source from which the risk has arisen. Another key characteristic of a risk is its impact (also called effect or consequence). A new risk-related hierarchy is proposed here to structure this aspect of the risk, called the Risk Impact Breakdown Structure (RiBS). Following the WBS definition (above), the RiBS is defined as “An impact-oriented grouping of project risks that organises and defines the total risk exposure of the project. Each descending level represents an increasingly detailed definition of risk impacts on the project.” An example RiBS is shown in Exhibit 2, with four Level 1 impact types (Time, Cost, Scope/Quality, and Other Objectives). Each of these is decomposed into a number of Level 2 impact types, below which individual risks can be mapped. While the RiBS shown in Exhibit 2 is an illustration, one would expect most examples to include Time, Cost and Scope/Quality at Level 1, since these represent the familiar “triple constraint”. Further Level 1 RiBS elements might be added depending on the specific objectives of the project, such as Reputation, Regulatory Compliance, Business Benefits, Safety etc., and also depending on the level of detailed analysis required to support effective management of risk.

Mapping key risk characteristics to reveal hotspots

Risks have a number of characteristics of interest, including: probability, impact on project objectives, source, cost of impact, cost of response, owner etc. Typically qualitative risk assessment schemes focus only on probability and impact, prioritising risks through the P-I Matrix. It is however possible to create a variety of different categorisation schemes for identified risks, based on these characteristics (Hillson & Simon, 2007). These simply require identified risks to be mapped into the related framework, followed by a summation of either the number of risks, or (better) a weighted sum taking risk severity into account. For example:

  • WBS. Mapping risks to the WBS indicates which parts of the project scope are most at risk. The individual work packages containing most risk can be identified, and this can be aggregated or rolled up the WBS framework to find the most risky minor tasks, major tasks etc.
  • OBS. Categorising risks using the OBS shows where risks lie in relation to the areas of responsibility of the various individuals, teams or groups in the project organisation, and can be used to propose appropriate risk owners for risks.
  • CBS. Linking risks into the CBS allows the cost of risk impacts and planned risk responses to be mapped into the project budget, exposing which cost elements are most uncertain, allowing calculation of an appropriate risk budget, and suggesting where contingency might be required.
  • RBS. Grouping risks by the RBS indicates common sources of risk, allowing preventative measures to be taken, and increasing the efficiency of risk responses by targeting root causes to tackle multiple related risks.
  • RiBS. Mapping risks against the RiBS allows analysis of the types of risk exposure faced by the project, indicating where the management team should focus attention when developing risk responses.

Clearly each of these categorisations can be used to support risk response planning, ensuring the responses are aimed at the right target, and making best use of the resources available. The simple expedient of mapping risks into the various project and risk frameworks provides valuable additional information to assist the project manager in addressing the risk challenge faced by the project.

However, even though these simple classifications are useful, they are still only uni-dimensional analyses of the multi-dimensional risk problem area. Cross-framework mapping takes the analysis to another level, yielding even more information about the risk exposure of the project.

Cross-framework mapping to improve understanding of risk concentration

Use of two hierarchical frameworks in project management is not new. For example the Responsibility Assignment Matrix (RAM) can be constructed by combining the WBS (project scope of work) and the OBS (project organisation) (Project Management Institute, 2004, 2005; Association for Project Management, 2006). This indicates at the higher level which project teams or groups are responsible for each component of the WBS, and at lower levels of the RAM individual roles, responsibilities and accountabilities can be assigned for specific activities.

This combination of frameworks can also be applied in the risk area, providing new insights into patterns of risk exposure. Three paired combinations are proposed below (though others are of course possible), namely:

  • RBS x WBS
  • RBS x RiBS
  • RiBS x CBS

RBS x WBS. A Risk Breakdown Matrix (RBM) has previously been proposed (Rafele et al., 2005), which combines the WBS (project scope) with the RBS (sources of risk). This reveals which types of risks are affecting which areas of the project. Because both WBS and RBS are hierarchies, the RBM can be analysed at different levels, as illustrated in Exhibit 3. At the highest level of course, the whole project is affected by all types of risk. However analysis of lower levels of the RBM indicates the particular types of risk faced by specific WBS elements, right down to work package level.

RBS x RiBS. Cross-mapping of RBS against RiBS indicates the combination of sources of risk and potential impacts on project objectives. Hotspots within this matrix show particular cause-effect chains which are significant for the project, and will be useful to support development of effective risk responses. These might be either preventative (targeting common causes of risk) or corrective (addressing common impact areas with fallback plans and/or contingency). As before, this analysis can be conducted at different levels.

RiBS x CBS. The third proposed combination of frameworks maps the RiBS (types of risk impact) against the CBS (cost structure of the project). This exposes which types of risk impact are likely to have the greatest effect on the project budget, and can be used to develop targeted contingency funds.
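The uni-dimensional roll-up and the cross-framework matrices described above can be computed directly from a risk register, as in the following added example (not part of the original paper). The register, the node names and the 1-5 probability and impact scales with severity = P x I are constructed assumptions; the same functions serve RiBS x CBS if each risk is also given a "cbs" path.

```python
from collections import defaultdict

# Constructed sample register (not from the paper). Each risk is mapped to one
# node per hierarchy, written as a path from Level 1 downwards.
# Assumed scoring: probability and impact rated 1-5, severity = P x I.
RISKS = [
    {"id": "R1", "p": 4, "i": 5, "wbs": ("Design", "Interfaces"),
     "rbs": ("Technical", "Requirements"), "ribs": ("Time", "Milestone slip")},
    {"id": "R2", "p": 3, "i": 4, "wbs": ("Design", "Interfaces"),
     "rbs": ("Technical", "Requirements"), "ribs": ("Scope/Quality", "Rework")},
    {"id": "R3", "p": 2, "i": 5, "wbs": ("Build", "Integration"),
     "rbs": ("External", "Supplier"), "ribs": ("Cost", "Materials")},
    {"id": "R4", "p": 3, "i": 3, "wbs": ("Build", "Integration"),
     "rbs": ("Technical", "Complexity"), "ribs": ("Time", "Milestone slip")},
    {"id": "R5", "p": 1, "i": 4, "wbs": ("Build", "Site works"),
     "rbs": ("External", "Supplier"), "ribs": ("Cost", "Materials")},
    {"id": "R6", "p": 2, "i": 2, "wbs": ("Design", "Architecture"),
     "rbs": ("Management", "Resourcing"), "ribs": ("Time", "Resource delay")},
]


def severity(risk):
    """P-I score of one risk under the assumed 1-5 scales."""
    return risk["p"] * risk["i"]


def node(risk, framework, level):
    """Truncate the risk's path in `framework` to `level` (0 = whole project)."""
    return risk[framework][:level]


def rollup(risks, framework, level=1, weighted=True):
    """Uni-dimensional mapping: severity-weighted sum (or count) per node."""
    totals = defaultdict(int)
    for r in risks:
        totals[node(r, framework, level)] += severity(r) if weighted else 1
    return dict(totals)


def cross_map(risks, rows, cols, row_level=1, col_level=1):
    """Two-dimensional mapping, e.g. rows='rbs', cols='wbs' gives the RBM."""
    cells = defaultdict(int)
    for r in risks:
        key = (node(r, rows, row_level), node(r, cols, col_level))
        cells[key] += severity(r)
    return dict(cells)


def hotspots(cells, top=3):
    """Highest-scoring nodes or cells first; ties broken by name."""
    return sorted(cells.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


if __name__ == "__main__":
    print("WBS level 1:", rollup(RISKS, "wbs", 1))
    print("RBM level 2 hotspots:", hotspots(cross_map(RISKS, "rbs", "wbs", 2, 2)))
    print("RBS x RiBS hotspots:", hotspots(cross_map(RISKS, "rbs", "ribs")))
```

Raising the level arguments moves the analysis from the whole project (level 0) down towards work-package level without changing the register.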


A common weakness of the risk management process as it is applied to many projects is its inability to properly diagnose overall project risk. Some blame this on an assumed inherent failing of qualitative risk assessment techniques which focus on individual risks and do not consider the project as a whole. One solution is to employ quantitative risk analysis techniques to predict the combined effect of individual risks on the overall project outcome. However there are barriers to adoption of these methods which prevent some from using them.

Adoption of a range of hierarchical categorisation frameworks within the qualitative risk assessment step can go some way towards analysing the overall risk exposure of a project. While these will not replace quantitative risk analysis methods, they do provide additional insight into where and how a project is exposed to risk. Use of qualitative categorisation also has the benefit of being easy to implement, and offers a hierarchical understanding of risk not easily available from quantitative risk analysis models.

This paper proposes two ways in which hierarchies can be used. Firstly, a simple uni-dimensional mapping of identified risks to the various frameworks (WBS, OBS, CBS, RBS, RiBS) reveals important information on which parts of the project are most affected (WBS), candidate risk owners (OBS), potential cost variation and contingency planning (CBS), common causes of risk (RBS), and major types of potential impact (RiBS). In addition to these valuable insights, further analysis of project risk exposure is possible by creating various combinations of the frameworks, building on earlier work combining WBS and RBS (Rafele, Hillson, & Grimaldi, 2005).

The value of this type of mapping lies in its ability to support development of effective risk responses, by revealing different aspects of the risk exposure of the project. The use of hierarchical frameworks has an additional benefit in allowing responses to be developed at different levels, ranging from whole-project generic responses to detailed specific actions targeting particular hotspots of exposure.


References

Association for Project Management. (2004) Project Risk Analysis & Management (PRAM) Guide (second edition). High Wycombe, Buckinghamshire, UK: APM Publishing.

Association for Project Management. (2006) APM Body of Knowledge (5th edition). High Wycombe, Buckinghamshire, UK: APM Publishing.

Hillson D. A. (2000) Project risks – identifying causes, risks and effects. PM Network, 14(9), 48-51.

Hillson D. A. (2002a) The Risk Breakdown Structure (RBS) as an aid to effective risk management. Fifth European Project Management Conference (PMI Europe 2002), Cannes, France.

Hillson D. A. (2002b) Using the Risk Breakdown Structure (RBS) to understand risks. 33rd Annual Project Management Institute Seminars & Symposium (PMI 2002), San Antonio, TX, USA.

Hillson D. A. (2003) Using a Risk Breakdown Structure in project management. Journal of Facilities Management, 2(1), 85-97.

Hillson D. A. & Simon P. W. (2007) Practical Project Risk Management: The ATOM Methodology. Vienna, VA, USA: Management Concepts.

Hulett D. T. (2007) Practical Schedule Risk Analysis. Aldershot, Hampshire, UK: Gower.

Piney C. (2007), personal communication.

Project Management Institute (2002) Practice Standard for Work Breakdown Structures. Newtown Square, PA, USA: Project Management Institute.

Project Management Institute (2004) A Guide to the Project Management Body of Knowledge (PMBoK®), (Third Edition). Newtown Square, PA, USA: Project Management Institute.

Project Management Institute (2005) Combined Standards Glossary (second edition). Newtown Square, PA, USA: Project Management Institute.

Rafele C., Hillson D. A. & Grimaldi S. (2005) Understanding Project Risk Exposure Using the Two-Dimensional Risk Breakdown Matrix. PMI Global Congress EMEA, Edinburgh, UK.

Exhibit 1: Example Risk Breakdown Structure (RBS)
(from Hillson & Simon, 2007)

Exhibit 2: Example Risk Impact Breakdown Structure (RiBS)

Exhibit 3: Cross-mapping WBS and RBS to create Risk Breakdown Matrix
(from Rafele et al., 2005)

© 2007 David Hillson
Originally published as a part of 2007 PMI Global Congress EMEA Proceedings – Budapest


