Implementing Risk Management Best Practices in easeRisk for Jira

Overview

A good introduction to best practices in Risk Management can be found in the article Risk Management 101: Process, Examples, Strategies. This page explains how an organization can implement these practices in easeRisk for Jira.

A detailed explanation of the nuts and bolts of the implementation can be found in How to Configure Jira and easeRisk for Jira for Risk Management and How to Configure Jira to Model Risk Response Strategies.

Implementing Different Types of Risks

The article notes that common types of risks include the following: compliance, financial, operational, reputational, security, and quality risks.

The organization must decide what types of risks it faces. Not all of the types listed in the article may be relevant to a given organization, or it may face other types of risks.

The basis of the implementation is the representation of a risk as a Jira issue. The simplest and probably best solution is to create an issue type, Risk, and distinguish the types of risk with a custom field, Risk Type, of type Single Select, with one option per type.

It would also be possible to distinguish the types using Jira components, but bear in mind that components are project-specific, so every project that needs to handle risks would have to create the same components. (If the projects need to handle differing types of risks, however, this might be a good solution after all.)

Another possible implementation would be to create a separate issue type for each type of risk. In general, however, it’s a good idea to avoid unnecessarily multiplying issue types, so the other two solutions are to be preferred.

Implementing Steps in the Risk Management Process

The article lists a number of steps in managing risks, such as identification, analysis and mitigation.

The organization must decide what steps make sense for it in managing risks, though the three just mentioned would seem to belong to any reasonable process. Once the steps are identified, they can be implemented in a Jira workflow using different issue Statuses - for example:

  • Identified: The risk has been recognized.

  • Analyzed: The risk has been analyzed and measures to address it determined.

  • Mitigated: The potential negative consequences of the risk have been reduced.

Rather than inventing new issue statuses, an organization can simply reuse the standard statuses that come with Jira and interpret them appropriately for risk management. For example, Open is understood as Identified, In Progress is understood as Analyzed and Resolved is understood as Mitigated.

Implementing the Risk Register

The article states that risks should be documented in a database of risks, risk owners, mitigation plans, and risk scores. It calls this database a “Risk Register”.

Since risks are implemented as Jira issues, the Risk Register is fundamentally a list of issues of type Risk and can be viewed in the Jira Issue Navigator. The Risk Register provided by easeRisk for Jira is an advanced development of the issue navigator that supports risk mitigation - see Risk Register.

The Jira system field Assignee should be used to represent the owner of a risk.

The article identifies two crucial attributes in determining a risk score:

  • Likelihood: How probable it is that the possible event occurs.

  • Impact: How severe the consequences will be if it occurs.

The attributes are implemented in Jira using custom fields of type Single Select with appropriate options. The organization should decide on how these attributes are to be measured. Typically, this is done by assigning a numerical value between 1 and 5.

The article does not mention a third attribute, generally called “exposure”. Exposure is typically determined as a function of likelihood and impact, allowing risks to be ordered. This attribute is implemented in Jira using a custom field, Risk Exposure, of type Number Field. easeRisk for Jira allows an organization to define a formula that is used to compute the value of this field from the values of the Likelihood and Risk Impact fields. For example, the formula might be:

Risk Exposure = Likelihood * Risk Impact

Implementing Risk Assignment Matrices

The article suggests that so-called Risk Matrices are useful for visualizing the relationship between likelihood and impact. A risk matrix is a two-dimensional n*m matrix, where n is the number of values of Likelihood and m is the number of values of Risk Impact - e.g. a 5x5 matrix.

Risk Matrices are provided by easeRisk for Jira - see Risk Matrix. The organization has complete flexibility in creating matrices appropriate to its practices.
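
The exposure formula and the Likelihood/Risk Impact matrix described above, worked through on a small register as an added example; this is not easeRisk for Jira's code or part of the original page. It also shows ordering risks by exposure and finding risks that changed cell between two matrices. The dictionary keys, the issue keys and the 1-5 scale values are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample register: issues of type Risk, scored on a 1-5 scale.
# Dictionary keys are illustrative, not Jira's or easeRisk's field identifiers.
REGISTER = [
    {"key": "RISK-1", "risk_type": "Security", "likelihood": 4, "impact": 5},
    {"key": "RISK-2", "risk_type": "Compliance", "likelihood": 2, "impact": 4},
    {"key": "RISK-3", "risk_type": "Operational", "likelihood": 5, "impact": 2},
    {"key": "RISK-4", "risk_type": "Financial", "likelihood": 1, "impact": 1},
    {"key": "RISK-5", "risk_type": "Security", "likelihood": None, "impact": 3},
]
SCALE = range(1, 6)  # the five Single Select options, 1..5

def exposure(risk):
    """Risk Exposure = Likelihood * Risk Impact; None if a value is unset or off-scale."""
    lik, imp = risk.get("likelihood"), risk.get("impact")
    if lik not in SCALE or imp not in SCALE:
        return None
    return lik * imp

def build_matrix(register):
    """Return ({(likelihood, impact): [issue keys]}, [keys that cannot be placed])."""
    cells, unscored = defaultdict(list), []
    for risk in register:
        if exposure(risk) is None:
            unscored.append(risk["key"])  # surface gaps instead of hiding them
        else:
            cells[(risk["likelihood"], risk["impact"])].append(risk["key"])
    return dict(cells), unscored

def top_risks(register, n=3):
    """Keys of the n highest-exposure risks; ties are broken by issue key."""
    scored = [(exposure(r), r["key"]) for r in register if exposure(r) is not None]
    return [key for _, key in sorted(scored, key=lambda t: (-t[0], t[1]))[:n]]

def moved(before, after):
    """Risks whose cell differs between two matrices: {key: (old_cell, new_cell)}."""
    old, new = ({k: c for c, ks in m.items() for k in ks} for m in (before, after))
    return {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}

def render(cells):
    """Text grid: rows are Likelihood 5..1, columns are Risk Impact 1..5."""
    return "\n".join(
        f"L{lik} | " + " | ".join(",".join(cells.get((lik, imp), [])) or "-" for imp in SCALE)
        for lik in reversed(SCALE))

if __name__ == "__main__":
    matrix, unscored = build_matrix(REGISTER)
    print(render(matrix))
    print("top:", top_risks(REGISTER), "unscored:", unscored)
```

A risk with a missing Likelihood or Risk Impact value is reported separately rather than given an exposure of zero, so an unassessed risk cannot sink to the bottom of the ordering unnoticed.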

Implementing Risk Mitigation

The article states that risk mitigation involves determining measures to mitigate risks and following up on the effectiveness of these measures.

This practice is implemented in Jira by creating an issue type, Measure, and a link type, Risk Measure, that is used to associate individual risks with one or more measures - see How to Configure Risk Measure Association. Measures are Jira issues in their own right, so the organization can determine custom fields and a workflow for them that supports its practices.

The Risk Register provided by easeRisk for Jira not only displays a list of risks, but also displays the measures associated with them, thus supporting the organization in assessing the status of a risk and the effectiveness of its measures - see Risk Register.

Implementing Risk Mitigation Treatment

The article claims that there are four generally accepted “treatment” strategies for risks: acceptance, transfer, avoidance and mitigation. These “treatments” are also known as “response strategies”.

The organization must decide what response strategies make sense for it according to its practices. There are various ways of implementing response strategies in Jira - see How to Configure Jira to Model Risk Response Strategies.

Implementing Risk Monitoring, Reviewing, and Reporting

The article stresses the importance of these activities in Risk Management.

In addition to all the built-in features of Jira in support of these activities, easeRisk for Jira provides organizations with the following additional features:

  • Risk Register: This database documents the risks faced by an organization and the measures it takes to address them.

  • Top Risks Report: This report shows a configurable number of the most important risks faced by the organization.

  • Risk Matrix Comparison: This report compares two risk matrices, showing how risks have changed over time.