First, let's define what a risk is. According to ISO 31000, risk is the “effect of uncertainty on objectives” affecting the completion of a project. Uncertainty (or lack of certainty) is a state of being that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever your knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete.
We use a Risk profile for each work item that enters our Kanban system. In order to prepare the Risk Profile for the product we will have to analyse it first. If we know the work that needs to be done (B part of the matrix) we can start analysing for the C part of the matrix.
Uncertainty about the nature of the demand, or the amount and type of work, is the source of the Business risk. There are three major cases:
1. The client knows exactly what needs to be done, e.g. develop an algorithm for calculating Pythagoras' theorem. (B1)
2. The client knows what needs to be done but not exactly, e.g. develop my site to be like Oxford University site but better! (B2)
3. The client has just a vague idea of what needs to be done, e.g. develop an indoor positioning system using RFID tokens. (B3)
Uncertainty about whether our capability would match the demand is the source of the Capability risk. Again, there are three major cases:
1. We have all the skills and knowledge required to do the job (C1)
2. We have almost all of the skills and knowledge required to do the job (C2)
3. We have none of the skills and knowledge required to do the job (C3)
The C/B matrix represents the Risk Profile for the project we'll need to execute in order to deliver the product.
The worst case for us is the combination B3C3. We should never work on it if that is the case. We can safely make a delivery date commitment for B1C1, and not that safely for B1C2. The most challenging but at the same time the most rewarding case is B3C2. One may ask how that can be, since in that case we have almost all of the skills and knowledge (C2) but not all (C1). First, if the product is something new and never done before, we cannot know beforehand the exact skill set needed. Second, it is more rewarding both for us and for the client if the product is something unique, something never done before.
We assign a Risk profile to the project and not to the product. The reason is that one and the same product implemented by a different team will definitely end up with a different lead time and budget. The project represents the unique combination of Product and Development team.
In order to simplify the quantification we will group the work items based on their Risk profiles.
Here is the new grouping:
• Low Risk Profile - all B1C1, B2C1 work items
• Medium Risk Profile - all B1C2, B2C2 work items
• High Risk Profile - all B1C3, B2C3, B3C2, B3C3 work items
Risk profile quantification:
• Shows variability in cycle time per work item
• The numbers are unique per project