Capturing details or properties about risks is important for management of the current project, but also lessons learned. Here is a real life example on how risk properties are used.  On November 4th, 1979 students seized the US Embassy in Tehran, Iran along with 52 hostages. In response, US President Jimmy Carter ordered Operation Eagle Claw (or Operation Evening Light or Operation Rice Bowl) in an attempt to release the diplomats held captive at the embassy of the United States in Iran. The operation took place 24 April 1980.

The operation was very complex and would take place over 2 nights. On the first night, the aircraft, including eight helicopters RH-53D Sea Stallions (shown above) would enter Iran and fly to a designated refueling point designated Desert One. Jet fuel and troops would be brought to the area by C-130 and EC-130E aircraft. The second stage of the operation would be focused on the hostage rescue itself. It was planned to start from a point closer to Tehran that was given the designation Desert Two. With the troops loaded on, the helicopters were to fly from Desert One to Desert Two, to be met by trucks driven by CIA agents stationed in Iran. At this time, the CIA agents and ground forces would travel from Desert Two into Tehran. AC-130 gunships would be deployed around the site in Tehran where the hostages were being held. At the same time, other US troops would disable electrical power in the area.  Finally, another group of troops would capture Manzariyeh Air Base near Tehran to allow the arrival of several C-141 Starlifters. Once this was all in place, the US troops in Tehran would assault the embassy and release the hostages. The hostages and troops would be evacuated immediately by helicopters stationed across the street from the embassy and flown directly to the Manzariyeh Air Base. Finally, C-141 Starlifters would fly hostages to troops to a designated safe location. How risky does this plan appear? One principle that can tells us is that the more complex a project, the  higher number of risks and chance of project failure.

So, what happened? After the planes landed at Desert One, the helicopters were sent to the area. One helicopter was forced to land in the desert due to a cracked rotor blade. The crew was pickup up by another helicopter. Another helicopter encountered a sand storm and had to return to  the Nimitz aircraft carrier. A third helicopter arrived at Desert One with broken hydraulic system. Although five other helicopters successfully arrived to Desert One, commanders decided that five helicopters would not be enough to continue the operation and received a presidential confirmation to abandon the mission.  As the aircraft were preparing to leave, a plane and helicopter collided killing eight soldiers and destroying both aircraft.  An official investigation blamed deficiencies in mission planning and command and control for the failure of the operation.

Risks are not just the name of an event with a probability and impact. Risks have many attributes. Let’s take a look on one risk associated with the operation – mechanical problem with the helicopters. Here is a set of risk attributes:

  1. Risk Properties: includes general qualitative information about risk. This information comes from a dictionary that can be customized for every organization. For example, if you don’t need to record the cost of risk, this property can be optional or not be included at all. The risk properties can be used to filter the risk register. For example, you may want to see all risks assigned to a particular owner or those which share a certain trigger.
  2. Risk Probability, Impacts, and Scores for Different Categories. Each risk has a certain probability, impact, and score (probability multiplied on impact). If probability equals 100% the risk become an issue. Each risk could a threat, opportunity, but in most cases both threat and opportunity. The opportunity always exists for all risks, although is many cases it is very minor. The same risk can affect different categories. This table shows a common set of risk categories, which can be customized for different organizations.
  3. Assignment to Task or Resources. Risks can be assigned, or linked to tasks and resources. For example, the risk “Mechanical problem with the helicopters” can be assigned to a number of tasks, including Flight to Desert One, Flight to Desert Two, Flight to Tehran, etc. The risk can also be assigned to the resource “Troops”, so the risk can occur in any tasks where the troops are transported by the helicopter. The risk assignment is very important for quantitative risk analysis, where we need to know how risks would affect particular tasks.
  4. Risk Reviews. The character of risks are always changing during the course of a project. After the risk “Mechanical problem with the helicopters”, is identified and included to the risk register, during operation planning, everything could change multiple times. For example:
  • Risk probability and impact, and other attributes could be updated because the scope of the mission can change, for example in case the helicopters need to fly to Desert Two at a different time
  • Mechanical conditions of helicopters must be checked after helicopters arrive to Nimitz.
  • New experts can give another opinion on risk properties.
  • Quantitative schedule risk analysis can be performed and yield different probability and impact.
  • New mitigation and response plans can be generated, for example in the case where new or updated intelligence is received from the CIA agents in Iran.

It is very important that new information about risks does not fall into the cracks. Therefore, risk reviews needs to be conducted regularly (monthly, weekly, etc.) and the risk review information must be recorded as an attribute of the risk.

  1. Risk History. Is essentially a set of change records for each risk. Each time a risk is modified either as a results of review or without any formal review, it needs to be recorded as one of the attributes of the risk. For example, during a review after the completion of any special operation such as Operation Eagle Claw, it is important to understand if certain risks were identified and assessed, and if yes, when and by whom. Risk history is also important for risk audit or complete review of all risks.
  2. Risk Cost. Information about risk cost, including expected loses, cost of residual risks and mitigation plans is also a risk attribute.
  3. Mitigation and Response Plans. The same mitigation and response plans can be used in different risks. Therefore, it is easier to record them in a separate list. The references to these mitigation and response plans are an attribute of a risk. One risk may have multiple mitigation and response plans that can be executed sequentially. When mitigation or response plan is assigned to the risk, it could include such attributes as probabilities and impact reduction due to mitigation efforts, dates when plans were executed, and action plan if it is specific for the risk.