Blog

Risk scores

The Risk Register add-on for Atlassian JIRA lets you record project risks, and assess them according to impact and probability. Recently, one of our customers asked about assigning a "risk score" to each risk; that is, a numeric value representing the severity of the risk. This blog post explains how to achieve that with Risk Register.

First, we need to cover some background information about how the Risk Register add-on works. The add-on incorporates a "risk model", representing the way your organization maps impact and probability levels to risk exposure. The default risk model looks like this:

The default risk model in Risk Register for JIRA.

The default risk model in Risk Register for JIRA.

The cells of the risk model represent risk exposure, also known as risk severity, or simply the level of risk.

The risk model is highly configurable. You can change the number of rows and columns, change labels, and so on. Importantly, you can also change the names of the exposure levels; you do that on the 'Exposures' page, which looks like this by default:

Default exposures in Risk Register for JIRA.

Default exposures in Risk Register for JIRA.

You don't have to stick with the default exposures; you can add your own, change their names, re-arrange their ordering, and even change their colors.

It's here that we can implement our scoring approach, simply by labelling each exposure with a numeric value.

Labelling an exposure with a numeric value.

Labelling an exposure with a numeric value.

With all of our exposure re-named, we have an exposure table that looks like this:

Risk exposures, labelled with risk scores.

Risk exposures, labelled with risk scores.

Our risk model now reflects the mapping from impact and probability to corresponding risk scores:

The risk model, mapping impact and probability to risk scores.

The risk model, mapping impact and probability to risk scores.

Viewing the risk matrix for our project, we see how each of the risks appear in the cell that corresponds to their risk score:

The risk matrix, showing the scores for each of our project risks.

The risk matrix, showing the scores for each of our project risks.

The risk register, when viewed as a list, now looks like this, with risks shown in descending order by risk score:

The risk register, showing risk scores.

The risk register, showing risk scores.

It's not difficult to represent risk scores in Risk Register for JIRA. Simply by relabelling the exposure levels, we can present risk severity as numbers rather than as text labels. Is that something that you should be doing? Perhaps, if your organization is used to assessing risks using a numeric risk score, simply because of the familiarity that your teams may have with that way of representing risks. Consider though, that there's not much you can do with a risk score, that you can't do with a descriptive label. One might be tempted to add up all of the risk scores for a project, to get an overall risk exposure level for the project; but is that valuable? If one project has a score of 500, and another has a score of 300, does that mean that the first project is more risky than the second? Not necessarily; it might merely mean that fewer risks have been identified and assessed for the second project.

Every organization manages risk differently. Risk Register for JIRA is configurable enough to support various risk models, including one that uses risk scores to represent risk exposure.