Spotlight on SpiraPlan 6.0 - Enterprise Risk Management

Introducing Risk Management to SpiraPlan

One of the key new features in the latest version of SpiraPlan is a new risk management system. Previously, SpiraPlan simply had a type of incident that was classed as Risk, however this limited the functionality that we could provide for managing risks. In the new version, Risks are a completely distinct artifact type (similar to requirements, test cases, etc.) with their own types (business, technical, schedule, etc.), attributes and workflows:

In addition, Risks have special attributes for analyzing and categorizing how important they are:

1. Probability - how likely it will be that the risk will happen. Each one has a color and weighting (called a Score) associated with it.
2. Impact - how serious it will be if the risk happens. Each one has a color and weighting (called a Score) associated with it.
3. Exposure - calculated by multiplying the Score of the Probability X Impact to give an overall value of how serious the risk is, adjusted for how likely it is.

This means that risks that are likely to happen with serious consequences will appear higher up in the lists than risks that are less likely to happen and/or have less serious consequences.

Each Risk will have their own "details page" similar to the other artifacts, where you can assign the Risk to an Owner, associate with a Release and/or Component, as well have various other standard and custom fields:

One important field for Risks is the Review Date since Risks can change in impact or probability during the lifespan of a project and need to be constantly reviewed.

The risk probabilities and impacts can of course be customized by a project template administrator:

Risk Management Process

A standard risk management workflow typically has the following five phases:

1. Step 1: Identify the Risk. You and your team uncover, recognize and describe risks that might affect your project or its outcomes. There are a number of techniques you can use to find project risks. During this step you start to prepare your Project Risk Register.
2. Step 2: Analyze the risk. Once risks are identified you determine the likelihood and consequence of each risk. You develop an understanding of the nature of the risk and its potential to affect project goals and objectives. This information is also input to your Project Risk Register.
3. Step 3: Evaluate or Rank the Risk. You evaluate or rank the risk by determining the risk magnitude, which is the combination of likelihood and consequence. You make decisions about whether the risk is acceptable or whether it is serious enough to warrant treatment. These risk rankings are also added to your Project Risk Register.
4. Step 4: Treat the Risk. This is also referred to as Risk Response Planning. During this step you assess your highest ranked risks and set out a plan to treat or modify these risks to achieve acceptable risk levels. How can you minimize the probability of the negative risks as well as enhancing the opportunities? You create risk mitigation strategies, preventive plans and contingency plans in this step. And you add the risk treatment measures for the highest ranking or most serious risks to your Project Risk Register.
5. Step 5: Monitor and Review the risk. This is the step where you take your Project Risk Register and use it to monitor, track and review risks.

Accordingly, the default workflow for a risk in SpiraPlan has been created to implement these best practices out of the box:

As with all artifacts in SpiraPlan, you will be able to customize the steps, transitions (actions) and permissions associated with risk workflows, as well as specify which fields are required, hidden or disabled at each workflow state.

Risk Mitigations

One of the key phases of Risk Management is identification and analysis of the mitigations that can reduce or eliminate the impact of the risk, should it happen. SpiraPlan provides built-in native support for adding and tracking the various mitigations to the risk, with the ability to specify individual review dates for each mitigation

Further to that, as part of the Risk Treatment process, you can also create SpiraPlan project tasks to identify, prioritize and assign the specific activities that will need to be performed to successfully mitigate the risk. The mitigations and tasks are both tracked back to the parent risk.

Typically the Mitigations list is used to identify the ways that the risk can be addressed, whereas the tasks are the specific actions that different project members will need to take to act on the mitigations. The tasks have a status, priority, effort and date and will be visible in the standard SpiraPlan task lists and Kanban board.

Risk Audit Trail

Using the built-in SpiraPlan history tracking feature, Risks also include a full audit trail of any changes made to the risk, for both standard and custom fields:

In addition, when you make changes to the status of the Risk, moving it through the risk management workflow, the system will enforce rules such as the need to add comments, add mitigations, specify the probability and/or impact:

The risk workflow operations also support electronic signatures for those customers that need to maintain a validated system.

Risk Reporting and Risk Cube

One of the key aspects of risk management is the ability to display the risks to management to ensure that they are adequately understood and that appropriate mitigations are in place. To make this easier, the SpiraPlan project dashboards include two risk widgets:

1. A risk register that lists the most important risks (measured by their composite exposure score)
2. A risk cube that displays a colored matrix of risk probability vs. impact and plots the number of risks in each intersection. Clicking on a value will open up the main risk list page with the filters set to that intersection.

In addition, SpiraPlan includes a risk summary and risk detailed report in the standard SpiraPlan reporting menu that lets you generate risk reports in HTML, MS-Word, MS-Excel, PDF and XML formats: