"Applied Science, Faculty of"@en . "Civil Engineering, Department of"@en . "DSpace"@en . "UBCV"@en . "Nezafatkhah, Sadaf"@en . "2011-09-27T23:39:59Z"@en . "2011"@en . "Master of Applied Science - MASc"@en . "University of British Columbia"@en . "Described in this thesis is an approach for visualizing data associated with the risk management function for large capital expenditure projects. The thesis first explores the current use of data visualization in support of the analytical reasoning involved in the risk management process and then explores some additional images that facilitate the process of extracting information in response to specific analytical reasoning needs. Contributions include casting light on the state-of-the-art of the use of data visualization in support of risk management (i.e. visualization tools that exist) and setting out the kind of analytical reasoning that could be supported by the use of data visualization (i.e. target analytical reasoning based on which visualization tools should be developed). By identifying analytical reasoning tasks of interest, risk visualization tools can be structured to respond to them. A few visual representations of risk related data are proposed and their potential worth is judged by assessing how well they respond to the analytical reasoning tasks of interest. We found that one of the main challenges in representing multidimensional risk data for construction projects is the ability to visualize in a non-cluttered manner the large amount of information contained in the risk register of a full scale project. Therefore, it is important to equip images with interactive features in order to visualize subsets of information (by phase, by product, by participant, and by location.). We have concluded that with respect to the visualization tools suggested, although they respond to the analytic reasoning needs targeted, easily become cluttered when a large amount of information is to be visualized, thus limiting their application."@en . "https://circle.library.ubc.ca/rest/handle/2429/37663?expand=metadata"@en . "Visualizing Risk Management Data Associated with Capital Expenditure Projects by Sadaf Nezafatkhah B.Sc. (Civil Eng.), University of Science and Culture, 2003 M. Sc. (Civil Eng.), Amirkabir University of Technology , 2008 A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF APPLIED SCIENCE in THE FACULTY OF GRADUATE STUDIES (Civil Engineering) THE UNIVERSITY OF BRITISH COLUMBIA (Vancouver) September 2011 \u00C2\u00A9 Sadaf Nezafatkhah, 2011 ii Abstract Described in this thesis is an approach for visualizing data associated with the risk management function for large capital expenditure projects. The thesis first explores the current use of data visualization in support of the analytical reasoning involved in the risk management process and then explores some additional images that facilitate the process of extracting information in response to specific analytical reasoning needs. Contributions include casting light on the state-of-the-art of the use of data visualization in support of risk management (i.e. visualization tools that exist) and setting out the kind of analytical reasoning that could be supported by the use of data visualization (i.e. target analytical reasoning based on which visualization tools should be developed). By identifying analytical reasoning tasks of interest, risk visualization tools can be structured to respond to them. A few visual representations of risk related data are proposed and their potential worth is judged by assessing how well they respond to the analytical reasoning tasks of interest. We found that one of the main challenges in representing multidimensional risk data for construction projects is the ability to visualize in a non- cluttered manner the large amount of information contained in the risk register of a full scale project. Therefore, it is important to equip images with interactive features in order to visualize subsets of information (by phase, by product, by participant, and by location.). We have concluded that with respect to the visualization tools suggested, although they respond to the analytic reasoning needs targeted, easily become cluttered when a large amount of information is to be visualized, thus limiting their application. iii Table of Contents Abstract .................................................................................................................................... ii Table of Contents ................................................................................................................... iii List of Tables ........................................................................................................................... v List of Figures ......................................................................................................................... vi Acknowledgements .............................................................................................................. viii Chapter 1: Introduction ......................................................................................................... 1 1.1. Thesis focus ................................................................................................................. 1 1.2. Motivation for consideration of role(s) data visualization could play in risk management .............................................................................................................................. 1 1.3. Objectives and focus of work ...................................................................................... 4 1.3.1. State of the art of risk visualization ................................................................... 4 1.4. Methodology and tests ................................................................................................. 6 1.5. Overview of thesis structure ........................................................................................ 6 1.6. Summary of thesis contribution and findings .............................................................. 7 Chapter 2: Review Related Literature .................................................................................. 8 2.1. Introduction .................................................................................................................. 8 2.2. Framework for analysis of risk visualization literature ............................................. 10 2.3. Dimensions of risk visualization tools ....................................................................... 11 2.3.1. Risk management stages (Explicitly)............................................................... 12 2.3.2. Performance measures (Explicitly) .................................................................. 14 2.3.3. Viewpoints (Implicitly) .................................................................................... 14 2.4. State of the art in risk visualization ............................................................................ 18 2.4.1. Investigated visualization tools ........................................................................ 18 iv 2.5. Results of evaluating visualization tools.................................................................... 40 Chapter 3: Risk Register Properties and Analytical Reasoning ...................................... 42 3.1. Introduction ................................................................................................................ 42 3.2. The concept of project risk register ........................................................................... 42 3.3. Contents of ideal and model risk register .................................................................. 44 3.4. Examples of risk register ........................................................................................... 50 3.5. Analytical reasoning needs for risk management and roles of data visualization .... 80 3.5.1. Introduction ...................................................................................................... 80 3.5.2. Analytical reasoning in risk identification ....................................................... 81 3.5.3. Analytical reasoning in risk assessment ......................................................... 88 3.5.4. Analytical reasoning in risk mitigation ............................................................ 90 Chapter 4: Potential Use of Visualization in Risk Management .................................... 109 4.1. Introduction ............................................................................................................. 109 4.2. Potential use of visualization in risk identification .................................................. 110 4.3. Potential use of visualization in risk assessment ..................................................... 125 4.4. Potential use of visualization in risk mitigation ....................................................... 129 4.5. Evaluation of the suggested visualization ................................................................ 134 Chapter 5: Conclusion ....................................................................................................... 138 5.1. Summary .................................................................................................................. 138 5.2. Recommendations for future works ......................................................................... 140 References ........................................................................................................................... 141 v List of Tables Table 2.1 Challenges in risk management vs. benefits in risk visualization .......................... 16 Table 2.3 Visualization technologies in practice ................................................................... 33 Table 3.1 Risk register 1 ......................................................................................................... 50 Table 3.2 Risk register 2 ........................................................................................................ 50 Table 3.3 Risk register in Primavera Pertmaster .................................................................... 53 Table 3.4 Risk register in Risk Aid ......................................................................................... 53 Table 3.5 Risk register in RRE ............................................................................................... 54 Table 3.6 Risk register in NHS org. ........................................................................................ 54 Table 3.7 Risk register in risk and issue management protocol. ............................................ 58 Table 3.8 Risk register used by Pattterson. ............................................................................. 58 Table 3.9 Summary of analytical reasoning ........................................................................... 94 Table 4.1 Rationale used for evaluating impact of risk events on performance measures ... 113 Table 4.2 A symbolic risk register ........................................................................................ 114 Table 4.3 Part of a risk register based on synthetic data ....................................................... 131 Table 4.4 Summary of the evaluation of the suggested visualization tools .......................... 136 vi List of Figures Figure 2.1 Risk visualization framework ................................................................................ 11 Figure 2.2 Risk drivers network diagramming ....................................................................... 13 Figure 2.3 Risk map showing risks with their residual and target positions .......................... 13 Figure 2.4 Threat diagram, risk diagram and threatment diagram for the two assets ............. 22 Figure 2.5 Topology of Needs-Areas-Resaerches .................................................................. 26 Figure 2.6 Visualizing clusters of solutions ............................................................................ 26 Figure 2.7 Design Structure Matrix (DSM) ............................................................................ 28 Figure 2.8 Bullet graph in Panopticon .................................................................................... 31 Figure 2.8 Bullet graph in Panopticon .................................................................................... 31 Figure 2.9 Horizon graphs in Panopticon ............................................................................... 32 Figure 3.1 Flow of analyses and plans from a project\u00E2\u0080\u0099s risk register ..................................... 43 Figure 3.2 Sample of probability-impact and risk ranking tables used in risk register .......... 46 Figure 3.3 Suggested content of risk register .......................................................................... 48 Figure 3.4 Single level risk taxonomy .................................................................................... 49 Figure 3.5 Risk register sample .............................................................................................. 51 Figure 3.6 Risk register sample .............................................................................................. 52 Figure 3.7 Risk register used in RiskAid ................................................................................ 53 Figure 3.8 Project risk summary in RiskAid .......................................................................... 54 Figure 3.9 Action plan 1 in RiskAid ....................................................................................... 54 Figure 3.10 Action plan 2 in RiskAid ..................................................................................... 55 Figure 3.11 Risk register in Pertmaster ................................................................................... 56 Figure 3.12 Risk scoring matrix used in Primavera Pertmaster.............................................. 58 Figure 3.13 Risk scores in Pertmaster risk register ................................................................. 58 vii Figure 3.14 Tornado diagram used in Pertmaster in worst case scenario ............................... 59 Figure 3.15 Probability-to-probability map used in RiskRadar .............................................. 60 Figure 3.16 Impact definition used in RiskRadar ................................................................... 60 Figure 3.17 Risk exposure to level map in Risk Radar ........................................................... 71 Figure 3.18 Risk exposure mapping in Risk Radar ................................................................ 71 Figure 3.19 Customize setting in RiskRadar Enterprise ......................................................... 73 Figure 3.20 Capability to roll up risks at parent and child project risks in RRE .................... 74 Figure 3.21 Details on risk data in RRE ................................................................................. 76 Figure 3.22 Risk mitigation description in RRE .................................................................... 77 Figure 3.23 RRE report detail ................................................................................................. 79 Figure 3.24 Comparing two mitigation actions ...................................................................... 91 Figure 3.25 Stacked bar chart to compare two alternatives (a), Kiviat chart to compare several risks (b) ....................................................................................................................... 91 Figure 4.1 Distribution of risk events by probability of occurrence and impact .................. 111 Figure 4.2 Visualizing risks and risk drivers in different views ........................................... 119 Figure 4.3 Table of risk details, multiple tree maps of risk drivers ...................................... 123 Figure 4.4 Risk drivers from product view at 2nd level of hierarchy ................................... 125 Figure 4.5 Impact of risks on performance measures ........................................................... 127 Figure 4.6 Impact of risks on performance measure a) risks with an overall impact of VL, L b) risks with an overall impact of M c) risks with an overall impact of H and VH .......... 128 Figure 4.7 Waterfall diagram ................................................................................................ 132 Figure 4.8 Evaluating the suggested visualization tools ....................................................... 135 viii Acknowledgements \u00E2\u0080\u009CWe can not direct the winds, but we can direct our sails.\u00E2\u0080\u009D Anonymous I would like to thank Professor Alan Russell, not only for his support and mentoring in this work, but also for helping me to equip and train myself to direct my sail in a path that leads me to my goals. There is no doubt that this work could not get completed without his patience, support, and insights. I would also like to thank Dr. Staub French for her sincere pieces of advice and for reading this work. I would like to thank my kind and supportive family for their continuous support and for training me strong enough to overcome challenges. I would like to thank my teachers for giving me the means by which I could reach this point and my kind friends for their emotional support. 1 Chapter 1: Introduction 1.1 Thesis focus The focus of this thesis is on visualization of risk management data associated with capital expenditure projects, with an underlying assumption being that thesis readers are familiar with the discipline of risk management. The primary goals of the thesis are two- fold: (i) to explore the current use of data visualization in support of the analytical reasoning involved in the risk management process; and (ii) to explore additional images that facilitate the process of extracting information in response to analytical reasoning needs. We seek to contribute to the development of a continuum of images that covers all phases of risk management (from risk identification to risk assessment and mitigation) in order to provide a seamless flow of information that helps participants in the risk management process extract information and important insights. Benefits of the approach include bringing all risk management participants together and giving them an opportunity to interchange information, better identify risk events, make more trustable assessments of risk in terms of likelihood of occurrence and impacts if the risk occurs, and provide better risk responses and risk management strategies. 1.2 Motivation for consideration of role(s) data visualization could play in risk management Risk management is an important task in large, complex infrastructure projects. Governments are currently faced with very sizeable demands for capital expenditure projects such as roads, bridges, hospitals, schools, water supply, and waste water treatment plants. They desire to construct these facilities within tight budgets (capital and lifecycle), in a timely manner and at a high level of quality. Success in doing so relies in part on effective risk management, which requires risk events, their properties and their drivers to be identified and appropriate risk mitigation strategies identified and adopted. 2 \u00E2\u0080\u009CRisk\u00E2\u0080\u009D is known to have implications of negative results from an uncertain event. As discussed in Chapter 2, risk is defined as an adverse event which is uncertain either aleatorically (relating to an intrinsically uncertain situation) or epistemically (relating to a measure of belief or more generally to a lack of complete knowledge), and it is defined to contain three elements: outcomes; possibility of occurrence (uncertainty); and a formula to relate the first two elements. An important component of risk management is risk identification. Typically, one or more risk identification workshops involving multiple discipline experts are required to develop a roster or register of risks along with relevant properties, including drivers, likelihood of occurrence, consequences should they occur, interaction with other risks, and potential mitigation strategies; workshops are also a means of communicating findings to decision makers. A very important component of the risk identification process is effectiveness of the communication amongst discipline experts and project participants. This is central to identifying relevant risks, describing accurately their properties, and judging or interpreting the significance of findings of the risk elicitation process. Data and multi- media visualization can assist with these tasks, in part through helping to develop a shared understanding of a project. As a result, the quality of the findings of a risk identification workshop can be enhanced, a major challenge with current risk identification processes which are mainly based on using spread-sheet based risk registers for both public and private infrastructure projects. Although risk registers provide a mechanism to record identified risks and to track them through a project\u00E2\u0080\u0099s lifecycle, the very lengthy spreadsheets that result are hard to interpret. It is difficult for managers to navigate such spreadsheets to identify relevant risks along with their properties such as drivers, likelihood of occurrence and potential mitigation strategies, it is hard to extract drivers, participants, and mitigation measures that are shared amongst two or more risks, and it can be challenging to generate flexible groupings of risks under categories such as financial, economic, environmental, technical, political, stakeholders and organizational (contractual) risks) and/or in terms of their consequences in time, scope, cost, quality, 3 reputation, environment and safety metrics in order to generate important insights and set priorities. Our focus in the current work is on exploring appropriate data visualizations that can be used during the whole project lifecycle in both public and private projects. However, our primary emphasis is on the front end stages of a project including project start-up when key decisions are be made (choice of procurement mode, bid or no bid, etc.). To allocate risk events to the party or parties best capable of handling them, it is essential to \u00E2\u0080\u0098get the risk profile right\u00E2\u0080\u009D in terms of identifying all potential risks along with their properties, including risk event drivers. To achieve this, it is important to characterize the various dimensions of a project (participant, product, process, and environmental) along with other context issues such as performance requirements (project objectives) and their ranking of importance. The complexity of this task is complicated by the scale of most capital expenditure projects, especially public sector ones. This characterization facilitates the identification of potential risk events and helps to position them in terms of time, space, participant responsible, product(s) affected, etc. Although some IT based approaches are designed to assist with the elicitation of expert knowledge, either by individual experts or in a group session such as a risk identification workshop, regarding risk drivers, risk events, likelihood of occurrence, risk event outcomes and potential risk mitigation strategies, they lack data visualization tools that reflect a structured way of thinking about risk management and which facilitates the interpretation of the large set of data that accompanies a project\u00E2\u0080\u0099s risk profile. When participants have a true understanding of risk events and their drivers, they can provide better estimates in the risk assessment stage and accordingly design more realistic contracts with better risk response strategies. Suitable visual images and supporting interaction infrastructure can help participants \u00E2\u0080\u009Cget the risk profile right\u00E2\u0080\u009D thereby contributing to several tasks that define the function of risk management. The type of commercially available software discussed in Chapter 3, while useful, does not offer assistance in assessing the multi- dimensional nature of construction projects, which constitutes the source of most risk drivers. Moreover, in such software, the impact of risk events is assessed on at most three performance measures, these being time, cost and technical performance. For major 4 capital projects, other measures of performance that may be impacted by the realization of risks include quality, reputation, scope, safety, and environment. The goal of the present research is to contribute to the development of a detailed specification of a data visualization environment in support of the risk management process. Dimensions of such an environment relate to the analytic reasoning supported, images and accompanying interaction features that support the reasoning involved, and the data encodings used. This thesis contributes toward realization of this goal by: \u00EF\u0082\u00B7 identifying key components of the analytical reasoning involved in risk management in order to show the type of information risk managers want to extract from risk management data; and, \u00EF\u0082\u00B7 suggesting images that respond to the analytical reasoning needs of participants. 1.3 Objectives and focus of work In this work, we are focused on the following objectives: \u00EF\u0082\u00B7 To provide a thorough overview of the state-of-the-art of the use of data visualization in support of risk management (Chapter 2); \u00EF\u0082\u00B7 To set out the kind of analytical reasoning that could be supported by the use of data visualization (Chapter 3); \u00EF\u0082\u00B7 To suggest potential visual representations of risk related data and how they respond to the analytical reasoning tasks identified (Chapter 4); and \u00EF\u0082\u00B7 To judge the potential worth of the visual representations suggested by assessing how they respond to specific analytical reasoning tasks (Chapter 4). 1.3.1 State-of-the-art of risk visualization In this thesis our focus is on idea generation and not producing a piece of software. For that purpose, we want to cast light on the current state-of-the-art of the use of data visualization for the risk management function in the early stages of a project\u00E2\u0080\u0099s lifecycle. Of particular interest is the visualization of multidimensional data by multiple discipline experts when they assemble to brain storm on risks as a function of project context. Thus, 5 we seek to understand the risk profile of a project and generate insights on interactions amongst drivers, risks and mitigation strategies, and the distribution of risks in various dimensions (e.g. time, space, participants, products, etc.). Our primary focus is to identify a continuum of images that can be used in risk identification, quantification (assessment), and mitigation workshops. Images that support multiple tasks are of more interest than those that can be used only in one specific stage of risk management. Further, emphasis is placed on examining collections of modelling objects (risks, drivers, mitigation strategies) as opposed to individual instances. To explore images with multiple applications, we have looked at the total risk management cycle (risk identification, assessment and mitigation) in a holistic manner instead of investigating only one particular stage. Within this holistic view, we have used an exploratory approach to determine the kind of visual images that seem to be the most appropriate for each stage in risk management. To assess the usefulness of the visualizations proposed, they should be tested based on their responsiveness to specific analytical reasoning tasks. For example, images proposed for the risk identification stage should support analytical reasoning by presenting high priority risk drivers that cause severe risk events. In risk assessment (judging likelihood of occurrence and performance dimensions impacted), images that represent interactions amongst risks in the same time frame, same location and that affect one activity (process) or one product, support analytical reasoning and help managers have a more realistic estimate of the consequences of a risk event. In the risk mitigation stage, images that show the degree of severity (exposure value) before and after applying mitigation actions to determine if resources have been allocated wisely are of importance. Visual representations that treat versioning and the way values (responsible party, time shifts, space shifts, and changes in risk severity) migrate over time after applying mitigation actions are of interest. Finally, all images should aid analytical reasoning tasks by showing patterns of data such as clusters, anomalies, and trends. 6 1.4 Methodology and tests From a review of the risk management literature, we seek the concerns of managers in terms of the information they want to extract from large risk registers. From an investigation of commercial software, we seek to identify the concerns of risk management personnel not currently addressed. Concerns of particular interest relate to analytical reasoning needs associated with risk identification, assessment and mitigation. Based on findings from the foregoing we then present possible visual representations that can be used to support analytical reasoning and pass judgment on their responsiveness to specific analytical reasoning tasks. 1.5 Overview of thesis structure The remainder of the thesis consists of 4 chapters. Chapter 2 overviews the literature describing risk management, risk visualization tools used by academia and practitioners, and benefits that risk visualization may bring. The visualization tools investigated are evaluated using an evaluation schema (Table 2.2) which states the purpose of the visualization, risk steps that are visualized, target audience, where the visualization can be used and tool(s) used to create the visualization. Images of the most important visualization tools are also provided. Our main concern in this chapter is to address the breadth of issues that should be treated. Some observations are offered on deficiencies in current risk management practices and where visualization can provide assistance. Chapter 3 examines the literature focused on the topic of the project risk register (i.e. what is suggested and what is done in practice), its important role in risk management, and the necessity of interpreting, visualizing and communicating its contents to project participants. We have defined what each property in current risk registers represents, what consensus exists on what the contents should be, how they are expressed, and therefore how they might be represented in visual form. Our interest is not in trying to determine what the best form/content of a risk register should be. Rather, knowing what the consensus view is on the essential contents of a risk register, attention can be directed at visualizing these data items. In this chapter we have also discussed the questions that 7 need to get asked to extract meaning from the risk register as it is built up and to assist in making decisions during risk workshops. In Chapter 4, we have made a point of seeking \u00E2\u0080\u0098pathways\u00E2\u0080\u0099 through aspects of the risk management function \u00E2\u0080\u0093 so the applications treated will be connected. Various applications that visual representation may have in different stages of risk management are discussed. Chapter 5 summarizes the research conducted, the contributions made, and describes potential future work. 1.6 Summary of thesis contributions/findings With the purpose of proposing a continuum of data visualization tools, in Chapter 4 we have suggested visualization tools that support analytical reasoning discussed in Chapter 3, but we have found that they do not work for subsets of risk data. We have suggested the following visualization tools: 1. Parallel Coordinate Plots, to visualize risk drivers in the four views of product, process, participant and environment; 2. Parallel Coordinate Plots, to visualize the impact of a group of risk events on multiple performance measures; and, 3. Waterfall Diagrams, to visualize mitigation actions in different phases of the project, risks that they address and their effectiveness in terms of reducing risk exposure. We have tested on a preliminary basis the suggested visualization tools with synthetic risk registers that we have developed for the evaluation purpose. We have found that the three suggested visualization tools get cluttered and become hard to read when a large amount of information needs to be shown. This finding shows that it is not an easy task to find individual images for each stage of risk management to visualize the large amount of information contained in risk registers for full scale projects. Therefore, it is important to equip images with interactive feature to visualize subsets of information (by phase, by participant, by location, etc.) 8 Chapter 2: Review of Related Literature 2.1 Introduction Extracting information from a large risk management database can be a significant challenge especially for large infrastructure projects where a very significant amount of information is created (Nelms et al., 2006). Although computer-based methodologies (e.g. Risk Easy (NOWECO, 2006), Risk Radar (ICE, 2006), PertMaster Project Risk (Pertmaster, 2006), and RiskCom (Hall et al, 2001)) assist in the management and re-use of risk knowledge and related information (Russell et al, 2007), a number of major challenges remains in interpreting the data in order to generate the insights essential for effective management. To this end, data visualization can assist with generating the insights desired through visual analytical reasoning. In this chapter, we examine the state-of-the-art in risk visualization to identify areas not covered by previous research, areas partially covered but requiring more research, and areas fully covered by previous research and not in need of more effort. To provide a complete picture of the state-of-the-art, we have reviewed the academic/ practitioner literature classified as follows: \u00EF\u0082\u00B7 Literature on risk visualization regardless of the area of application; \u00EF\u0082\u00B7 Literature on risk management in the context of the construction industry; \u00EF\u0082\u00B7 Computer science literature on visualizing risk data; and \u00EF\u0082\u00B7 Practitioner literature on risk visualization currently used in risk management software. In terms of relatedness to our work on risk data visualization, we have found the most relevant work in the computer science literature to be that of Eppler(2008); whereas, the risk management literature targeted at the construction industry was the least helpful. We also identified some literature on visualizing risk data in areas other than construction such as aerospace and finance, which proved helpful in the idea generation process. 9 In reviewing the literature, we have concluded that visual tools such as hierarchical representation of risk events, causal network diagrams, heat map diagrams, tree maps, and line graphs that represent time series and bar charts, have been heavily emphasized. However, an interactive continuum of images applicable to an integrated approach to risk management has not received much attention in previous works. From a risk management perspective, traditional means of risk visualization such as fish bone diagrams, cause-effect network diagrams, scatter plots, stacked 3D graphs, dynamic maps and risk maps, although useful, are much less so when they are not equipped with interaction features and not linked to each other. This makes it difficult for users to: \u00EF\u0082\u00B7 Detect hidden patterns; \u00EF\u0082\u00B7 Compare the effectiveness of different risk response strategies; \u00EF\u0082\u00B7 See problems from multiple views or perspectives (product, process, participant and environment); \u00EF\u0082\u00B7 Interact with hierarchies of risk events and risk drivers \u00EF\u0082\u00B7 Drill down and jump between views; \u00EF\u0082\u00B7 Perform risk aggregations based on user interactions; \u00EF\u0082\u00B7 Perform time window analysis to identify changes in a time window; and \u00EF\u0082\u00B7 Visualize trends, clusters, outliers and potential correlations. Most risk visualization tools have been developed to visualize a specific step in the risk management process, or a specific performance measure from a specific point of view in the project. To assist in organizing the findings presented in this chapter, briefly reviewed are: the risk management steps of risk identification, assessment, mitigation, and monitoring; project performance measures of interest (e.g. time, cost, and environment) and, view points (cognitive, social and emotional) that relate to the users of risk management data and its visualization. They are identified and addressed in detail in Table 2.1. View points are challenges (e.g. dealing with information overload, biased comparisons and evaluations, etc.) in risk management that can be overcome in part or in whole by a visualization tool. 10 A summary of the visualization tools investigated and their strengths and weaknesses is presented in Table 2.2. Other representations of the literature review findings that show the dimensions that each tool visualizes are also provided. 2.2 Framework for analysis of the risk visualization literature To review existing risk data visualization tools, we adopted the framework suggested by Eppler (2008), which threats the five dimensions shown in Figure 2.1. We have used this risk visualization framework to charaterise available risk visualization tools with emphasis on the needs of the construction industry as follows: \u00EF\u0082\u00B7 The purpose for which the risk visualization tool is developed (why); \u00EF\u0082\u00B7 The content that the risk visualization tool represents (what); \u00EF\u0082\u00B7 Target audience of the risk visualization tool (for whom); \u00EF\u0082\u00B7 The occasions for which the risk visualization tool is going to be used (when); \u00EF\u0082\u00B7 The techniques used to visualize risk data (how). Our primary focus is on the items marked with an asterik in Figure 2.1. Specifically, we sought tools that assist in identifying, assessing, mitigating or monitoring risks. And within that focus, we sought tools that represent risk drivers and groups of risk events rather than those that just show individual risks and related properties. In terms of our target audience, we sought tools targeted for risk managers and risk analysts especially quantitative charts, qualitative diagrams or visual metaphors for use in risk identification and treatment workshops. 11 Figure 2.1 Risk visualization framework (source: Eppler, 2008) *: Asterisks denote topics of particular interest in the present work. \u00E2\u0080\u0093 adapted from: Eppler, M. J. and Aeschimann, M. (2008) Envisioning Risk: A Systematic Framework for Risk Visualization in Risk Management and Communication, Project Management Issues and Considerations (2009), http://www.maxwideman.com/issacons2/iac1215e/sld006.htmICA Working Paper 4/2008 2.3 Dimensions of risk visualization tools Most visualization tools found represent one or more of three types of information: (i) risk management stages, (ii) performance measures, and (iii) points of view. We discuss briefly each of the these types. 1. Why? 2. What? 3. For whom? 4. When? 5. How? Purposes: \u00EF\u0082\u00A7 Framework \u00EF\u0082\u00A7 Identification* \u00EF\u0082\u00A7 Assessment / quantification* \u00EF\u0082\u00A7 Strategy* \u00EF\u0082\u00A7 Mitigation* \u00EF\u0082\u00A7 Monitoring \u00EF\u0082\u00A7 Improvement Contents: \u00EF\u0082\u00A7 Individual risk \u00EF\u0082\u00A7 Group of risks* \u00EF\u0082\u00A7 Risk management steps or areas \u00EF\u0082\u00A7 Risk roles or responsibilities \u00EF\u0082\u00A7 Risk related information (i.e. causes) \u00E2\u0080\u0093 drivers* Target groups: \u00EF\u0082\u00A7 Risk managers / risk analysts* \u00EF\u0082\u00A7 Managers \u00EF\u0082\u00A7 Executives / board members \u00EF\u0082\u00A7 Auditors \u00EF\u0082\u00A7 Financial analysts / rating agencies \u00EF\u0082\u00A7 Regulators \u00EF\u0082\u00A7 Public / media Usage situations: \u00EF\u0082\u00A7 Report \u00EF\u0082\u00A7 Meeting \u00EF\u0082\u00A7 Presentation \u00EF\u0082\u00A7 Workshop* \u00EF\u0082\u00A7 Individually with PC \u00EF\u0082\u00A7 One-on-one conversation Formats: \u00EF\u0082\u00A7 Quantitative charts* \u00EF\u0082\u00A7 Qualitative diagrams* \u00EF\u0082\u00A7 Visual metaphors* \u00EF\u0082\u00A7 Maps 12 2.3.1 Risk management stages (Explicit) To characterise current risk visualization tools based on the stages of risk management they treat, we first discuss what would be useful to visualize for each stage: \u00EF\u0082\u00B7 Risk identification We seek visualization tools that can be used to assist in identifying the risk event (X), which occurs in one or more locations (Y) because of drivers (Z) in the form of components and their attributes at locations (Y). For risk identification, tools such as check lists, brainstorming, interviews, historical documentation reviews, cause/ effect and influence diagramming might be used (Russell et al. 2007). \u00EF\u0082\u00B7 Risk assessment Visualization tools of interest, are those that facilitate elicitation of properties such as likelihood (P) of the event (X) occurring, the performance criteria (C) impacted, and criteria outcomes (O) expressed quantitatively or qualitatively or a combination of both (Russell et al. 2007). We seek tools that help participants evaluate and prioritize risks correctly. Examples of images that can be used at this stage include risk driver network diagrams (Figure.2.2) which can assist in making rational estimates of the severity of risk events and their drivers, and risk maps (Figure.2.3) that show how impact values and likelihood of risk events migrate as result of mitigation actions. Other images include road maps and timeline diagrams that sequence risk-related activities chronologically (Eppler 2008). \u00EF\u0082\u00B7 Risk mitigation For the risk mitigation stage, we seek visualization tools such as risk driver network diagrams that show the residual risks that remain after taking a mitigation action, assist in identifying key factors that affect risk events and facilitate finding the best mitigation actions to control those factors. 13 Generally, visualization tools that can inform stakeholder groups about risks in an instructive and memorable way (e.g. metaphors) are of interest. Moreover, tools with a high level of interaction are of interest as they can facilitate learning and they surface new ideas. Figure 2.2 Risk driver network diagramming (Source: Eppler, 2008) Figure 2.3 Risk map showing two risks with their residual and target positions (Source: Eppler, 2008) 14 2.3.2 Performance measures (Explicit) Another dimension of a risk visualization tool is the performance measures that it visualizes. In construction projects, performance measures of interest (but not limited to) are cost, time, scope, safety, quality, environment and reputation. However, for almost all of the visualization tools investigated, cost and time are visualized because of their measurable nature. In visualizing cost, it can be divided into the two performance measures of capital cost and lifecycle cost. Almost all of the visualization tools examined show impact value in terms of cost without making a distinction between lifecycle and capital costs. 2.3.3 View points (Implicit) Risk visualization tools are typically designed to show explicitly data pertaining to a risk management stage and/ or a performance measure. In addition, however, an effective visualization tool should implicitly demonstrate a viewpoint dimension that deals with the cognitive, social and emotional challenges that accompanies risk management and the participants involved. An effective visualization tool is one that facilitates effective communication between experts and decision makers, facilitates group interaction, creates a shared understanding of project context amongst participants, accelerates navigation of the project context and risk register, and facilitates getting feedback from the project data available (Russell et al. 2007). Achieving these objectives is a challenge in complex industries such as construction where risks abound and various actors with different disciplines are involved. This is due to the cognitive, social and emotional challenges associated with managerial thinking, managerial communication and motivating and convincing other participants (Eppler, 2008). These challenges are elaborated upon in Table (2.1), which is adopted from Eppler\u00E2\u0080\u0099s (2008) work on strategic visualization. Cognitive challenges are an important issue for risk management in construction because of the significant amount of information of different types involved. According to Geisler (1998), representing data in visual formats \u00E2\u0080\u009Cmakes the human brain use more of its perceptual system for the initial processing of any data than relying completely on its 15 cognitive abilities\u00E2\u0080\u009D, thus facilitating the process of extracting information and/ or compressing large datasets. Moreover, graphical icons which are used in brain storming can help participants with different knowledge and backgrounds arrive at a common understanding of risk scenarios (Hogganvik et al. 2006), as they enable reframing and perspective switching (De Bono 1973) and prevent getting stuck in old views. Visualization tools can help avoid biased comparison and evaluation in risk management, and avoid focusing on negative outcomes which may lead to over cautious decisions, by helping participants keep details in mind, clarify expectations and questions, and avoid paralysis by analysis which can occur when too much data is available and there is a high emphasis on perfection. To overcome social challenges, visualization tools integrate different perspectives to provide a holistic representation of a project. Suitable visualizations of a multi- dimensional nature provide mutual understanding and coordination between people, facilitate navigation between views, and avoid incomplete communication and lack of information sharing which might hinder useful judgements (Morgan, 1986), leading in turn to incorrect decisions (Kim et al, 2005). In other words, by addressing social challenges, a risk visualization tool can help participants communicate better and reach a shared understanding. In terms of emotional challenges, data visualization can create a sense of involvement and engagement and facilitate convincing communication (Eppler et al, 2008). The involvement of diverse participants becomes more important in some cases such as environmental risks, which can be dealt with through active participation of the parties affected by design decisions (Al-khodmany, 1999). 16 Table 2.1 Challenges in risk management vs. benefits of risk visualization Characteristics of Risk Management Source Corresponding Strengths of Visualization Source Cognitive Challenges Cognitive Benefits Dealing with information overload Facilitating elicitation and abstraction Risk analysis creates a massive amount of information and un-structured datasets. There can be a significant number of risk categories (Fitzgerald 2004) with each category consisting of several individual risk events. It can be difficult to develop a roster of risks along with relevant properties, including drivers, likelihood of occurrence, consequences should they occur, and potential mitigation strategies. Nelms et al. (2006) \u00E2\u0080\u009CFeatures of a Risk Management Tool Applied to a Major Building Project\u00E2\u0080\u009D According to Eppler, Larkin and Simon (1987) and Tversky (2005) reported that using visualization increases human input channel capacity. Vessey (1991) mentioned the important role of visualization in solving complex problems by compressing information. Visualization is a meaningful tool to extract information from large datasets as a part of decision making process. Eppler et al. (2008) \u00E2\u0080\u009CVisual Strategizing\u00E2\u0080\u009D Stuck to old view points Enabling new perspective Different participants in a risk elicitation session have their own background and they view a project from their own perspective. Therefore, structured brainstorming is usually used in order to identify more, and possibly other, risks than possible from individuals of a homogeneous group. Hogganvik et.al. (2006), \u00E2\u0080\u009CGraphical approach to risk identification\u00E2\u0080\u009D Visual methods enable reframing and perspective switching (De Bono 1973). According to Buzan (2003), Morgan (1986) and Whyte et.al (2008), pictures are able to inspire creativity and imagination. According to Hogganvik et.al. (2006), graphical icons may help the participants in a brainstorming session to arrive at a common understanding of risk scenarios without wasting too much time. Eppler et.al. (2008), \u00E2\u0080\u009CVisual Strategizing\u00E2\u0080\u009D Biased Comparisons and evaluations Better, more exhaustive comparisons Traditional tools such as risk maps do not necessarily support higher level decisions and they might cause biased outcomes. Tversky (2005), believes that people have strong biases that override rationality when they make decisions on risk. They might focus on negative outcomes that may cause a great sense of risk aversion and make overcautious decisions. Vance, B. (2006) An antidote to bias http://findarticles.co m/p/articles/mi_m0 BJK/is_12_17/ai_n 26707579/ Many empirical studies such as those done by Bauer and Johnson-Laird (1993), Glenberg and Langston (1992), Larkin and Simon (1987), show the advantages of visual representations compared to verbal sequential representations. According to Lurie and Mason (2007), visualization makes it easier to keep details in mind when one wants to compare them. Eppler et.al. (2008) Visual Strategizing Paralysis by analysis Easier recall and sequencing Many project leadership decisions are risk based decisions. According to Bailey (2009), decision evaluation in risk management involves too much data and there is usually a great emphasis on perfection; however, according to Roberts (2010) confidence in identified risks, estimated risk probabilities and their consequences are usually subject to uncertainty. Fear of uncertainty can have a paralyzing effect on the project and may lead to carrying out extensive analysis in the hope that results of the analysis allay the decision makers fear of unknowns. Moreover, a significant amount of the data may be forgotten during decision making process (Porter 1996) Bailey, H. (2009) Risk Analysis Paralysis http://blog.palisade. com/blog/risk-and- decision-analysis- today/0/0/risk- analysis-paralysis Shepard and Cooper (1982) suggest visual recall compared to verbal recall as help in sequencing multiple streams of information. According to Roberts (2010), visualization is a helpful tool in clarifying expectations and questions to be answered in risk analysis. Visual recall helps participants communicate clearly with each other to better identify risks and estimate more accurately probability and consequences instead of using single point estimates. Effective communication helps participants develop a \u00E2\u0080\u0098correct\u00E2\u0080\u0099 view of the degree that uncertainty affects the accuracy of identified risks, their consequences and probabilities. Eppler et.al. (2008) \u00E2\u0080\u009CVisual Strategizing\u00E2\u0080\u009D Roberts L. (2010) \u00E2\u0080\u009CAnalysis Paralysis: a case of terminological in exactitude\u00E2\u0080\u009D Instructionist based approach planning Enabling learning based planning Planning is done based on information available at the beginning of the project and cause effect relationships remain undetected. Many uncertainties remain undetected when planning is done using an instructionist approach. Visualization helps important learning take place on cause-effect relationships that might otherwise go undetected and the proving or disproving of reasons for performance to date. T. Korde etal. (2005) \u00E2\u0080\u009CVisualization of construction\u00E2\u0080\u009D Non-efficient monitoring Aiding decision making process from project conception to completion Construction data are usually poorly organized, because it lacks proper grouping and sub-grouping. This may cause difficulties in associating related data or facts, which in turn causes problems in monitoring and controlling a project. T. Korde etal. (2005) \u00E2\u0080\u009CVisualization of construction\u00E2\u0080\u009D Exploration tools allow continuous interaction between users and graphic displays by offering scope for constant reformulation of search goals and parameters as new data are gained. So, information is continuously updated and it aids the decision making process from concept to completion of construction. T. Korde etal. (2005) \u00E2\u0080\u009CVisualization of construction\u00E2\u0080\u009D Slow and non-efficient communication Fast and efficient communication 17 Characteristics of Risk Management Source Corresponding Strengths of Visualization Source Information content of a dataset may be concealed or not easy to comprehend from its representation in tabular and text forms. Various attributes of the data of interest are mapped against certain features like color, size, shape, location or position thereby reducing the need for explicit selection, sorting and scanning operations with the data. Using such techniques enables the eye to quickly distinguish features of data before the brain begins to process it. T. Korde etal. (2005) \u00E2\u0080\u009CVisualization of construction\u00E2\u0080\u009D Social Challenges Social Benefits Diverging views in risk elicitation sessions Integrating different perspectives Participants with various backgrounds take part in risk elicitation sessions; therefore, there are different types of inputs from various members. Risks from each member\u00E2\u0080\u0099s point of view need to be elicited and aligned. Truth is more likely to come from a dialogue among people with different views; while individuals do not have the knowledge to act based on their own. DeMarco et.al (1997) \u00E2\u0080\u009CRisk Management Moving Beyond Process\u00E2\u0080\u009D Project context can be characterized through four views which are physical, process, organizational and environmental. A multi view approach helps to pull data from different views of construction personnel as the personnel think about various dimensions of the project differently. The challenge becomes to develop a system that makes navigation between views as intuitive as possible and to foresee how data can be combined from different views in order to give more transparency around risk issues and surface areas of disagreement. The integration of views allows for changes in the project context such as design, regulatory and scope changes to be reflected in the risk profile (Nelms et.al 2006). Linear planning/ Repcon Notes Nelms et.al (2006) \u00E2\u0080\u009CFeatures of a Risk Management Tool Applied to a Major Building Project\u00E2\u0080\u009D Incomplete communication Assisting mutual understanding Incomplete communication causes participants to have incomplete information and it leads to incorrect decisions. Lack of information sharing can hinder the right judgement. Ki Kim et.al. (2005) \u00E2\u0080\u009CAn Investigation of Risk Management Issues in the Context of Emergency Response Systems\u00E2\u0080\u009D Graphic metaphors provide a visual means to assure mutual understanding by making basic assumptions explicit (Morgan 1986). Eppler et.al. (2008) \u00E2\u0080\u009CVisual Strategizing\u00E2\u0080\u009D Emotional Challenges Emotional Benefits Lack of sense of involvement Creating involvement and engagement As the volume of available data grows, an advantage will occur to organizations that are able to more quickly make sense of their data. To do that, they need high human involvement and interpretation. Data Visualization in Business http://pkirs.utep.edu /cis4398/Data%20V isualization%20in% 20Business%20RD. htm Pictures can create involvement and they can engage people\u00E2\u0080\u0099s imagination (Buzan 1995, Huff 1990). Eppler et.al. (2008) \u00E2\u0080\u009CVisual Strategizing\u00E2\u0080\u009D Persuading different participants with different views Convincing Participants Since participants with different backgrounds participate in risk management, it is necessary to convince different participants as to the most realistic way to describe a risk. Visualization is suited for convincing communication and presentation purposes (Horn 1998). Eppler et.al. (2008) \u00E2\u0080\u009CVisual Strategizing\u00E2\u0080\u009D 18 2.4 State-of-the-art in risk visualization Not a great deal of research has been carried out on how to visualize risks. Some of the studies which discuss visualization of risk are summarized in Eppler (2008), where various techniques such as volume visualization in the field of finance, spider graphs and distribution diagrams as quantitative methods in risk management reports, and conceptual diagrams to add context information to quantitative charts and cartographic methods for natural risk exploration are discussed in detail. Eppler (2008) concluded that the \u00E2\u0080\u009Crisk visualization field still lacks systematic approaches that combine the rich area of visualization studies with the requirements of modern risk management\u00E2\u0080\u009D. Based on the risk visualization framework discussed in section 2.1 (why, what, for whom, when, and how), current visualization tools in academic and practitioner literature are examined and relevant findings summarized in Table 2.2 . 2.4.1 Investigated visualization tools Different types of visualization tools are used in the literature investigated (practitioners/ academia) in order to visualize risk. In what follows, we review several examples of existing visualization tools and evaluate them based on Eppler\u00E2\u0080\u0099s framework. \u00EF\u0082\u00B7 Visualization tools used in Riskonnect: Riskonnect is a web-based enterprise risk management system which is used by practitioners to provide a holistic or enterprise wide risk view. It can be used for the entire risk management cycle (risk identification, risk assessment and risk mitigation and monitoring) to visualize both qualitative and quantitative data. To develop a holistic risk profile, flexible labelling and various types of color-coding are used (i.e. color-coding based on position of risk in the risk profile which is a function of severity, effectiveness of control1, risk status2 and risk type). 1 current, target and inherent level of risk. 2 under consideration, accepted or mitigated 19 A dual window screen capability (e.g. risk map or risk profile) presents risks for two different versions-e.g. current vs. one of target, previous or inherent3 level of risk in one image, helping users to track severity and likelihood of each risk over history, or to see changes that should occur in likelihood and impact of risk event to reach the target level. Another example of a dual window screen in Riskonnect is the combination of color-coded risk profile and a hierarchical representation of risks that helps users navigate from each risk to its specific risk profile. In a qualitative view at the strategic level, drag and drop interactive tools can be used in a risk identification session to help senior managers express their realization of impact and probability of risk event. Managers can drag risk events to a point in a probability-impact diagram and explain their reasoning for such a positioning in a linguistic free-format. Color-coded network diagrams with color-coded bubbles that represent risks with colors representing the degree of correlation, triangles that represent risk indicators4 and arrows that represent relationships, are another visualization tool that is used in Riskonnect. As a cautionary note, Riskonnect is a web-based enterprise risk management (ERM) that does not appear to be heavily used in practice yet; we note this as we could not find reviews on its advantages and disadvantages from a users\u00E2\u0080\u0099 point of view. \u00EF\u0082\u00B7 RAG/ SEI risk statement/ Risk forms- In the academic literature, Kontio et al. (2004), have compared three visualization and documentation methods in a controlled experiment. This comparison was done as part of a search to provide a tool for practitioners to capture risk information, find an accurate way to document risks, and find the most cost effective methods for modeling risk without requiring the detail of traditional forms and yet not be as vague as documenting risks in just a few words 3 Inherent level of risk is defined as the level where no mitigation action is applied to the risk event. 4 Risk indicators (not risks) are a means of tracking data inside the organization (e.g. fuel price is a means of tracking data inside or outside an organization and it has impact on risk such as fuel price volatility) 20 which leaves the true meaning of the risk vague and open to interpretation. The methods compared are Riskit Analysis Graphs (RAG), the Software Engineering Institute (SEI) risk statements, and risk forms. Three criteria used for comparison of the methods studied are accuracy, effectiveness and ease of use. Measures for these three criteria are as follows: Accuracy: By accuracy, Kontio et al. (2004) mean how well a technique captures the information produced in a session. Accuracy measures \u00E2\u0080\u009Cinformation produced\u00E2\u0080\u009D that reflects whether a technique requires more information to be discussed in the session. It also measures how well different techniques succeed in capturing the content of discussion in the documentation. The \u00E2\u0080\u009CInformation captured/ produced\u00E2\u0080\u009D ratio is used as a metric to compare methods from an accuracy perspective. Methods that capture all or most of discussion content were considered as better methods. Effectiveness: The ratio between effective time and number of risk items produced that supports how well a technique supports all essential aspects of risk documentation without unnecessary activities. This measure ranks methods based on pace of capturing information in a risk management session. Ease of use: this criterion was evaluated by using interview questionnaires to capture opinions, and video recording to measure time and undocumented risks. To compare the three tools based on the foregoing criteria, Kontio et al. (2004) performed an experimental study on students who were taking a \u00E2\u0080\u009Csoftware project\u00E2\u0080\u009D class and were asked to work through systematic risk management in major software projects which contain all typical software design and implementation phases. Results of their study showed that: - The competitive advantage of the Riskit method is its ease of use, its ability to prompt and capture more points during discussion, and perceived effectiveness. The trade off is that it is a time consuming method. It is suitable for projects with risks of high consequence, where more detailed discussion about risk is required. - Risk forms are accurate in capturing points made during discussion. They are suitable for less risky projects, where it is of interest to produce results fast and 21 capture relevant information accurately rather than to engage in detailed discussions. - SEI statements did not perform better in any of the evaluations and performed worst in areas of perceived effectiveness, usability and ability to capture information from discussion. However, they can be used when ease of use and cost-efficiency are of considerable importance. \u00EF\u0082\u00B7 Threat diagrams/ Risk diagrams/ Treatment diagrams: In a graphical approach presented in the academic literature by Hogganvik et al. (2006), a threat diagram is mentioned as a helpful tool in identifying, explaining and documenting security threats and helpful in quickly understanding the risk picture. In the same study, risk diagrams introduced as a tool for risk assessment, monitoring, improvement and treatment diagram are introduced as a tool to assess mitigation actions and see whether they bring risks to an acceptable level or not. Threat diagrams, as a qualitative fault tree with more than one top node, originated from the CORAS method (http://coras.sourceforge.net) to support risk identification based on structured brainstorming5. CORAS is a method for conducting security risk analysis and it provides detailed guidelines on how to use a customised language for threat and risk modelling to capture and model relevant information during stages of security analysis. Threat diagrams give a clear and easily understandable overview of the risk picture and make it easier to see what the threat is and how the threat works (threat scenario) and which vulnerabilities and assets are involved. Threats are placed on one side of the diagram and vulnerable assets are on the other side. Unwanted incidents sit between the affected assets and the threat scenario which is placed between threats and unwanted incidents. A threat diagram should be designed so that it gives information regarding: 5 The main idea of structured brainstorming is that since the participants represent different competences, backgrounds and interests, they will view the target from different perspectives and consequently they will identify more and possibly other risks than individuals from a more homogeneous group would have managed to do. 22 1. Threat scenarios and unwanted incidents that managers are most concerned about; 2. Who/ what initiate unwanted incidents? (threats/ risk event); and 3. What makes the unwanted incidents possible? (vulnerabilities/ drivers). A threat diagram is an input for risk estimation, where threat scenarios and unwanted incidents are assigned a probability and consequences. An example of a threat diagram is shown in Figure 2.4(a). Figure 2.4 (a) Threat diagram, (b) Risk diagram for the two most important assets, (c) Treatment diagram (Source: Hogganvik et al. 2006) (b) (a) (c) 23 Risk diagrams provide stakeholders with an overview and evaluation on the risks that need treatment. Finally, treatment diagrams are developed based on threat and risk diagrams to show at which stages what treatments should take place. Examples of risk diagrams and treatment diagrams are shown in Figures 2.4 (b) and 2.4 (c). Hogganvik et al. (2006) have evaluated the three tools described through an empirical study on clients in the business of vessel classification, telecom, energy and metal production. Results show that graphical models: -Facilitate active involvement of and effective communication amongst participants; -Facilitate understanding and remembering notions; and, - Make explicit the target of the analysis and risks to participants. For best results, other considerations for these graphical models include: a. Limiting the amount of information on the diagram (i.e. separate diagrams for threat type, scenario type or asset type); and, b. The ability to be adjusted by participants if they are involved early in the project. Once they are adjusted, diagrams can be updated continuously during the project. \u00EF\u0082\u00B7 Visualization tools used in Defect Detection and Prevention (DDP) Defect Detection and Prevention (DDP) is a lifecycle risk management decision support tool developed for NASA research and application with the principal goal of developing geospatial information products for decision support systems (DSS). Through risk management DSS capability, the tool provides assistance in the execution of a strategic program plan and provides guidance in the selection of projects. It also provides continual assessment of changes as the project develops. Several visualization tools are used in DDP, and we have found several of them helpful in the process of idea generation. Before discussing features of the visualization tools involved, we review the thought process guiding DDP: 1. Forming a Requirement Matrix to show weighted risk events (RE) which is composed of: - Establishing impact value of a risk event (RE) on program success should it occur, by scoring across all the goals (requirements). The impact on various 24 program goals is established using a non-linear scale of significance. The scale ranges from (0) for no impact to (1) for catastrophic impact. - Weighing RE by its likelihood of occurrence if no mitigation action is applied, so the product of likelihood of occurrence and impact weights for each risk event. - Deriving the relative criticality of every RE to the success of the program (pre- defined requirements) as a product of likelihood of occurrence and impact of each RE. - Defining and ranking requirements as carrying the greatest impact across all risks identified in the program. - Determining proper courses of action (mitigation actions) to manage the most significant active risks. This involves establishing the relative chance that a RE is not responded to by a planned set of SO. 2. Forming an effectiveness matrix that shows the effectiveness of solution options in either detecting or preventing its counterparty risk event (RE). When a set of solution options is developed, an effectiveness matrix is formed to show the probability that a SO fails to detect and prevent risk events. The matrix is formed through the following stages: - Specifying escape probabilities of different (SO) sets to REs, where escape probability involves the relative chance of not having an appropriate solution option defined. In that study, an inappropriate SO is defined as one that fails to detect and prevent the RE. - Determining net likelihood of escape when escape probabilities of all (SO)s are determined. In this study, net probability of escape is defined by multiplying escape probabilities from all SOs for each RE. 3. Obtaining the resultant severity for a RE as a product of impact of RE on requirements and escape probability for the combination of (SO)s considered. - Performing a sensitivity analysis, applying \u00E2\u0080\u009Cwhat-if\u00E2\u0080\u009D effectiveness value to assign a quantity to qualitative assessment of SO effectiveness. 25 - Using percentage of change in attainment of requirements as a metric to show marginal benefit gained from applying a given change in effectiveness of solution option. 4. Assessing benefits of solution options in terms of residual risk profile. The visualization tools used in DDP are as follow: - A weighted tree structure is used to document requirements and solution options as the two inputs for DDP. - Histograms are used to show the percentage of requirements not at risk. In such histograms, parent activities are given a weight of (1) and children are given weights as fractions of their parent activities, so that sum of weights of children activities will be (1). - Color-coded histograms are used to visualize solution options, so that height of a histogram indicates the effectiveness of the corresponding SO across all REs that the SO addresses, and its color shows the type of SO according to whether it is for alleviation, detection or prevention of risks. Effectiveness for various sets of solution options is determined based on the extent to which a risk is detected or prevented. - A stacked histogram of all active risks is used to show units of requirements lost before and after applying solution options. - Topology diagrams (Figure 2.5) are used to show Needs-Areas-Research, so that the top row shows practitioners, the middle row shows their needs and the bottom row shows the research carried out to respond those needs. Red lines connect practitioners to their needs and green lines connect researchers to the area they work in. 26 Figure. 2.5 Topology of Needs-Areas-Researchers (Source: Feather et al. 2006) - Images of clusters of (SO)s (Figure 2.6) are used to show how mitigation measures shown in each row (truncated in the source by Feather et al. 2006), correspond to clusters of solution options, shown in the columns. Since a cluster is comprised of multiple solutions, a mitigation action may be involved in none, some or all solutions in a cluster. In Figure 2.6, white means that the mitigation is not involved in any solution, grey means it is involved in some solutions and black means it responds to all solutions in the cluster. Figure. 2.6 Visualizing clusters of solutions (Source: Feather et al. 2006) 27 \u00EF\u0082\u00B7 Causal network visualization In the financial risk management literature such as Allen et al. (2004), causal network diagrams such as process maps and event trees are discussed as risk visualization tools. Process maps are visualization tools that are useful in identifying high risk process stages that need a manager\u00E2\u0080\u0099s attention (i.e. potential weak points of an operational process) in the whole risk management cycle. Although useful, process maps require managers to identify critical risk factors at a level of breakdown based on their subjective views which makes the results dependant on the manager\u00E2\u0080\u0099s knowledge. An event tree is a visualization tool that can be used to identify risk events, chronological dependencies (especially when lags exist between the occurrence of an event and its ultimate outcome) and evaluate impacts of risk events. Although useful, similar to process maps, they require managers to identify critical risk factors and a level breakdown based on their own subjective views. \u00EF\u0082\u00B7 Connectivity models Similar to causal network diagrams, we have found connectivity models like fish-bone and fault tree diagrams to be useful in visualizing risk data. Connectivity models can be used to identify risk events with more focus on causes rather than effects. A fish bone diagram is a qualitative visualization tool that can be used to visualize critical steps, the failure of which may spread through the whole procedure. This type of diagram is beneficial in finding root causes of risk events, but does not take into account quantitative risk visualization. Fault tree diagrams with both qualitative and quantitative capabilities are developed as a result of integrating an event tree with a fish bone diagram. They can be used to measure the extent of interdependency across the steps of a complex process. A fault tree diagram shows both the causal relationship between events and the probability of each scenario. \u00EF\u0082\u00B7 Tools for visualizing risks in planning and scheduling A design Structure Matrix (DSM) is suggested by Browing (2004) as a visualization tool that provides a means for representing key drivers of cost and schedule risk, documenting potential process failure modes and affected activities in enterprise. Browning (2004) has 28 mentioned product, process, organization and information as key systems underlying enterprises such as aircraft, buildings, computers, consulting, etc. As shown in Figure 2.7, the diagonal cells in the DSM represent system elements (i.e. work package in process view), and off-diagonal cells indicate logical dependency between activities barring other resource constraints. Reading down a column shows work package predecessors and reading across the rows indicates work package successors. Thus, a DSM displays dependant activities (such as activity 2 that depends on activity 1), independent activities (such as activities 3 and 4) and coupled activities (such as activities 5 and 6). Figure 2.7 Design Structure Matrix (DSM) (Source: Browing, 2004) Of particular interest are marks in the lower left triangle of the DSM, which show key drivers of cost and schedule risks. Such marks show that upstream activities (such as activity 2) depend on information created in downstream activities (such as activity 6). So, activity 2 will have to make an assumption about information it needs from activity 6. If the assumption is not correct, activity 2 may require rework when activity 6 is finished, which can cause large impacts on cost and schedule. So, a DSM helps managers quickly identify whether activities require re-sequencing or re-scheduling to minimize cost and schedule risk drivers (Browing, 2004). A DSM is a concise, visual format for representing processes. Its advantage is that it can reduce huge flowcharts to a single page. It helps everyone see how their activities affect a large process and see where information comes from and where it goes. They can see 29 why delaying activities that they depend on can force them to make assumptions which may cause rework later. Such visibility leads to improved process design from which risk assessment can be drawn. However, adding quantitative information to a DSM is useful in quantifying impacts of re-scheduling activities on time and cost performance measures. \u00EF\u0082\u00B7 Visualization tools used in Panopticon Panopticon software (http://www.panopticon.com/) provides a series of visualization tools to be used by financial institutions and telecom and energy firms to analyze, understand and comprehend data to detect fraud, monitor performance and analyze risk. It has been developed to turn data into information and action based on this information. Information of interest for financial institutions is the likelihood of making money, return on the investment and knowing all risks. Actions that take place are trading, providing risk reports and predicting the future. Financial institutions usually use Value at Risk (VaR), as a measure of potential loss in value of a risky asset or portfolio, over a defined period, for a given confidence interval. It provides investors information regarding the most they can lose on the investment within a reasonable bound. For example a VaR of $100M at one week and 95% confidence level means that there is only 5% chance that the value of the asset will drop more than $100M over a given week. Although VaR can be used by any entity, it is usually used by commercial and investment banks to capture potential loss in value of their traded portfolios from adverse market movements over a specified period. This can be compared to their available capital and cash reserves to ensure that losses can be covered without putting the firm in danger. (http://pages.stern.nyu.edu/~adamodar/pdfiles/papers/VAR.pdf). Risk data visualization tools in Panopticon help managers understand the use of capital versus exposure versus profit and loss on a global basis, with all the details available at the click of a mouse. Risk visualization is an important task in fast-paced financial services firms, where managers are required to understand the exposure to risk in order to ensure efficient capital utilization and avoid dangerous concentrations of risk across their entire business. In financial services, managers are concerned about VaR, so Panopticon provides visualization tools to monitor and analyze risk data quickly to answer questions like: 30 - What is VaR? - Where is VaR? - What is moving VaR? - Is there any concentration of risk that one should take action on, either internally (by office/region/portfolio) or externally (market/sector/counterparty/issuer/currency, and so on.) - Is this a one off or a common occurrence? Panopticon uses a variety of visualization tools including tree map, heat map, heat matrix, bullet graph, scatter plot, line graph, bar graph, stack graph, dot plot, pie chart and horizon graph. Discussed below are some of the more important images: - Scatter plots are useful tools for visualizing a large risk register, tables and risk reports that are difficult and time consuming to interpret. Data aggregation, while making it easier to understand risk reports and risk registers, masks outliers, correlations and trends, and makes them difficult or impossible to see. However, scatter plots are useful tools while looking for positive and negative correlations, trends and outliers in large statistical databases. - Bullet graphs are easy to interpret and convey much more information than traditional tools using substantially less screen real estate. They show information on a single quantitative measure and they are quicker to understand rather than radial measures. They are real time and respond instantly to changes. Examples of bullet graphs are shown in Figure 2.8. 31 Figure 2.8 Bullet graph in Panopticon Source:http://www.panopticon.com/data_visualizations/bullet_graph_bullet_chart_infor mation_visualisation_software.htm - Horizon graphs provide a space efficient way to overview a large number of time series in a limited rectangular space. Increasing the amount of data with which human analysts can effectively work is a large problem in visualization research. An example of such a problem is finding an effective presentation of multiple time series. The horizon graph was developed in response to that problem. The following steps are involved in developing a Horizon Graph: 1. First a line graph is drawn; 2. Then line graph is filled as shown in Figure 2.10(a); 3. As shown in Figure 2.10(b), the minus side is flipped into the same region as positive value; (mirroring the negative side doubles the data density compared to filled line chart) 4. As in Figure 2.10(c), a chart is divided to bands and bands are layered to create a nested form and half the height (Heer et al, 2009). With a two layered band, a horizon graph doubles the data density compared to the previous stage. In Panopticon software, three layers are used which increases the data density even more. Finally, bands are collapsed to consume less space. Revenue Profit Avg Order Size New Customer Cust Satisfaction 0 100 200 2000 0.0 0 0% 20%10% 420 800 1600 4.02.0 Text Label Performance Measure Qualitative Scale Comparative Measure Background shades indicate qualitative ranges like bad, satisfactory and good Profit 0% 10% 32 Figure 2.9 Horizon graphs in Panopticon (a) Filled line chart (b) \u00E2\u0080\u009CMirrored\u00E2\u0080\u009D chart. (c) two-band horizon graph. (Source: Heer et al, 2009) To visualize time series, line graphs, bar charts and horizon graphs can be shown in a multi-screen format (e.g. bullet graphs, bar charts, tree maps and line graphs). As stated previously, Table 2.2 provides a summary of the visualization tools that have been proposed, explored and adopted in practice. 33 Table 2.2 Visualization technologies in practice Source Why What For Whom When How Visualization Tool Evaluation Comment http://www.riskon nect.com/ -Risk identification -Risk assessment -Risk mitigation -Risk monitoring -risk database -categorization risks -relationships, roles & responsibilities -Risk impacts on organization -Risk interactions Risk owners Across the entire system Quantitative Qualitative Riskonnect6 -Dual window screen -Color coded risk profile with possibility to navigate - Color-coded network diagram (risk influence diagramming technique) - Hierarchical representation -Dash boards -Holistic or enterprise wide risk view -Interdependencies or interrelation of risks -Central repository for risks and risk related information. Visualization & Formalization Risk Information, Kontio et al (2004) Identification (analysis & control) risks Risk related information Risk scenarios Project managers and risk management process owner. Risk identification session Qualitative VISIO/ Draw Riskit Analysis Graph on Blank flipchart/ magnetic laminated plastic frame used on whiteboard -Accuracy -Effectiveness -Ease of use -Risks are valued through utility loss - Well defined conceptual model is used to document risk information graphically. - Different symbols are used to model different aspects of risk in Riskit Analysis Graph. (risk factor, risk event, risk outcome, risk reaction, risk effect) Risk related information (in a condition-consequence pair) SEI risk statements (condition /risk factor-transition /risk event-consequence /risk effect) Risk related information Risk Form Graphical approach to risk identification, Hogganvik et al (2006) Identify risks scenarios, security threats and vulnerabilities. Identify threat, threat scenario and involved assets system users, developers and decision makers Brainstorming sessions Qualitative: Graphical language supporting risk identification based on structured brainstorming Threat diagram originated in CAROS method: -Empirical study on various clients -Effective Communication -Easy to understand & remember notions Multi-view approach is applied due to structured brainstorming. Risk assessment, monitoring & improvement Magnitude of risk (which is based on likelihood and consequences) Risk Diagrams (L/M/S). Programmatic Risk Balancing7 Requirement Visualization Requirements (inputs) At introduction of Weighted tree structure Histogram Weighted tree structure, stacked and color-coded histograms are Requirement Matrix is formed to determine the most critical risk 6 ERM: web based enterprise risk management system 7 Generally, it visualizes risk related information and residual risk profiles at each lifecycle stage 34 Source Why What For Whom When How Visualization Tool Evaluation Comment Tralli (2002) Visualization Solution Options Solution Options (Input) Program manager projects Tree structure Color coded Histogram used in a lifecycle risk management decision support software-Defect Detection and Prevention (DDP) events. Impact value of RE on program success (pre-defined) is defined, then REs are weighted by their likelihood of occurrence. Finally, most critical REs are derived from impact & likelihood. Effectiveness matrix is formed to specify the net likelihood RE will remain undetected by SO. Determine proper response to manage risk based on impact of RE on requirements and escape probability of SO. Assessment of Risk Event Risks Risk drivers Risk impacts Risk owner Quantitative/ Qualitative Tree structure Colour histogram Mitigation Risks Risk drivers Risk impacts Residual risks Quantitative/ Qualitative Tree structure Colour histogram Global risk (2010), http://www3.wefo rum.org/docs/WE F_GlobalRisks_R eport_2010.pdf Risk identification Risk assessment Risk related information Public/ media Web Quantitative Network Diagram (Risk and its consequences) Drilling down (probability, severity and risk profile) Risk Interconnection Map (RIM) ---- Visualizing spatial data uncertainty using animation, Ehlschlaeger (1996) Risk Identification Risks resulted by using coarse data Decision makers (exploring route in early stages) Scientific Community: in latter phases Early and late stages of project. Qualitative (Dynamic map) Animation instead of static maps and slides (2D animation + elevation contours, with the goal of understanding change between images) Colors indicate cost of each route Statistical & Spatial characteristics must match error model so that animation not be misleading. Animation is produced by stringing together a series of realizations, where amount of change from one realization to another shows amount of uncertainty in spatial data Modelling & Visualizing Multiple Spatial Uncertainties, Davis (1996) Risk Identification (multiple spatial uncertainties) Individual Risks Decision Maker: Risk Manager/ Analysts Qualitative (Map-Multiple representations of uncertainty) -Static Viz.: map pairs (M-L8 & Std deviation), combo of two maps9, incorporation of fuzzy info to produce worst case scenario 10 Map comparisons: limited ability to demonstrate variability in a theme. -In Dynamic Viz., hue (green, red) is used as a metric for certainty factor (max likelihood). -Variability of each pixel (std deviation) is shown on time axis. 8 Maximum Likelihood summary of data, only focuses on most likely values (e.g. pixel with value 1, certainty 0.85, soil type 3) while ignores results almost as likely that describe more dangerous situations (value 0.2 (more dangerous), certainty 0.8, soil type 4) 9 Changing focus of a particular object to represent uncertainty: decrease color saturation, changing the hue, fog or texture change (e.g. lowest variability values and lowest stability slope). 10 Incorporation of fuzzy information into static visualization in order to take into account less likely scenarios that can be more dangerous, so data that could be thrown away in Boolean processing are used. 35 Source Why What For Whom When How Visualization Tool Evaluation Comment -Dynamic Viz.11: Visualization of implication of variance (ex. changing slope stability from safe to unsafe) instead of static display of std deviation. Combo of maps: helps to focus the data on one type of analysis, but eliminates much of info content. Dynamic Viz.: can be evaluated through cross comparison of decisions made based on various Viz. techniques. -All possible realizations of max likelihood model based on variance data are shown by animation. -Steady pace of animation (spend equal time on likely and unlikely scenarios) can be improved by making them follow variance curve. -Fuzzy analysis retains info that almost fits into a specified class, but uncertainty is implicit in the results and needs interactive manipulation. Risk Identification Individual Risks Non- specialist decision maker Qualitative Static table or graph that shows average level of data uncertainty e.g. Classification of Error Matrix Lack of incorporation of uncertainty information to data display. Risk Identification (spatial data uncertainty) Individual Risks Non- specialist decision maker\ (Executives) Qualitative (e.g. map of maximum likelihood and map of each pixel\u00E2\u0080\u0099s standard deviation) Statistic graphic variables: e.g. -changing focus of object -using color variable Lack of information density -Combining two maps: focus data for special analysis -Bivariate combo -Incorporating Fuzzy information to static visualization helps in developing \u00E2\u0080\u009Cworst case scenario\u00E2\u0080\u009D map. Map showing liquefaction susceptibility of San Mateo County, California\u00E2\u0080\u009D, Perkins,J. B.(1987) Risk Assessment Risk Rating Quantify potential damage Risk Specialists Line Management Public Risk Prevention Workshop To generate damage estimate Qualitative (ground- shaking intensity maps) Static Map Ease of use and understanding by user -It shows three types of construction and damage associated with each building type for a given area. \u00E2\u0080\u009CCan-it-really-be- that-dangerous?\u00E2\u0080\u009D, Husdal (2001) http://www.husd al.com/2001/10/ 31/can-it-really- be-that- dangerous- -Risk Monitoring -Risk Assessment Risk Rating Quantify potential damage Risk Specialists Line Management Public Weekly drought assessment named as: US drought monitor Qualitative (Static Risk Map FEMA\u00E2\u0080\u0099s HAZUS map) -Static Map -Yellow-orange-red map -Perceptibility of visual attributes given to data. -Yellow-orange-red map is used to overcome challenges for red- green color blind 11 representation of full range of realizations 36 Source Why What For Whom When How Visualization Tool Evaluation Comment issues-in- visualization-of- risk-and- vulnerability/ ones, and to also use in greyscale copies. \u00E2\u0080\u009CGuide to enterprise risk management\u00E2\u0080\u009D, Protiviti (2006) Risk assessment- Assess multiple interrelated events Risk related information- risk drivers Objectives of risk assessment: Executive Managers, board of director, Risk Manager or Risk Analysts Workshop & presentation Qualitative (Model of interrelationship among events for a risk category.) Cause effect network diagram \u00E2\u0080\u009CUnderstanding market, credit, and operational risk: the value at risk approach\u00E2\u0080\u009D, Allen et al (2004) Risk Identification (Effect oriented) -High risk steps in operational process -Factors and events that affect each risk step Risk Managers Managers Qualitative Process Map (Causal Network) Challenge: -Mapping data on events Draw backs: It\u00E2\u0080\u0099s subjective nature/ Lack of focus on macro-level inter- dependencies./Lack of quantitative analysis on likelihood of each external link/ Risk Identification and evaluation of its impacts (Effect oriented) Sequence of actions that may lead to undesirable outcome. Risk Managers Managers Qualitative Event Tree (Causal Network) Useful in identifying chronological dependencies Draw backs: -Subjective nature Risk Identification (Cause oriented) Risk Relation & Information (Connections b/w components in a process.) Risk Managers Managers Qualitative Fishbone analysis (Connectivity model) Emphasis: find where failure in critical step may spread through procedure. Drawback: -Probability of risk events is not assessed. -Subjective nature. Risk Identification (Cause oriented) Risk Relation & Information (Link b/w errors & steps in production process) Risk Managers Managers Quantitative Fault Tree Analysis (Connectivity Models) Produced from combining event tree and fishbone diagram. Its strength is measuring extend of interdependency across steps of a complex process. 37 Source Why What For Whom When How Visualization Tool Evaluation Comment \u00E2\u0080\u009CAnalyzing the Systems Underlying an Enterprise\u00E2\u0080\u009D, Browing, (2004) Risk Identification Risks Risk drivers (process failure modes and their impact on other activities) Risk Managers and Executives Workshop & presentation Qualitative (can be extended to quantitative12) -How delay in activities they depend on can force them to make assumption which may cause reworks -Such visibility leads to improved process design from which risk assessment can be drawn Design Structure Matrix13 is a square matrix with corresponding rows and columns. -diagonal cells: system elements (e.g. activities in process view) -off diagonal cells represent dependency of one element to another - off diagonal cells show dependent, independent and interdependent activities are shown. -Adding quantitative information to the DSM and using simulation can quantify the impacts of process configuration changes on cost and schedule risk. -DSM provides a concise visual format for representing process. -Participants can quickly see how their activities affect large process -4 systems: product (output), process (network of wp), organization (structure of people who execute process system) and information systems (where data reading other systems are managed). -Marks on lower left triangle in DSM, shows drivers of cost and schedule risks (possibility to return to beginning of the project). The more populated the triangle, the bigger risk impacts on cost and schedule. -It shows how changing sequence of activities reduces impact of risk event on time & cost. Gahegan (2000), Voser (1997) Identify wild fire risk, making potential drought related risks apparent -exploring spatial relationships -dependency between variables Plot variables against each other removing location information Focus on relationships independent of location Scatter-plot -Helps risk analyst to explore relationship between variables -Spatial analyst visualizes in 3 dimensions Songer Hays (2003) Tree map, scatter plot, histograms Korde et.al. (2005) Risk identification Risk assessment Mitigation Assignment of risk -number of risk related information (drivers) -distribution of environmental drivers in time, space -assignment of responsibility to their management -Risk Manager -Risk Analyst Qualitative -Stacked 3D graphs -Tower shaped column in a time/ location cell is used to show how many risk drivers we have at a specific time and specific location. -Different colors and shapes are used to show risk owners -Precise information could be shown in small information box -Distribution of total number of drivers according to time & space are shown on side walls, different colors show different Vertical axis from origin shows no. of total drivers Other 2 vertical axis at the end of their respective horizontal axis show no. of drivers by responsibility integrated across time and space. So, user can easily see variety of information in one view. 12 Marks in lower left corner of DSM represent key drivers of cost & schedule risk, as there is a chance of having return to the beginning of project. Upstream activities depend on information created down stream, so they need to make an assumption which cause reworks if the assumptions are not correct. It is the managers\u00E2\u0080\u0099 goal to bring sub-diagonal marks close to diagonal in order to reduce their impact. Moreover, impacts that process configuration change may have on cost & schedule risk can be quantified. 13 N-square diagram with the addition of time basis 38 Source Why What For Whom When How Visualization Tool Evaluation Comment organizational drivers and the total is shown in heavy black line Korde et.al. (2005) Risk Identification Risk drivers and their attributes -Risk Manager -Risk Analyst Qualitative (Hierarchical structure are shown for total drivers and those owned by specific organization) Magic Eye View Technique -Besides no. of drivers in every cell of time and location, identity of drivers is shown on surface of hemisphere. Korde et.al. (2005) Risk Identification Identify change orders that can happen in same time, space and by same project participants. -Risk Assessment (Quantifying risk impacts) Quantitative -Color coded 3D graph14. -Different granularities are allowed in terms of time, location and project participants Coarse time measurement (month) Three locations (onsite, offsite, both) So, user can select between locations as in some cases such as congestion or productivity loss, offsite changes do not contribute to problem. http://www.pano pticon.com/data _visualizations Risk identification Risk Assessment Positive and negative correlations, trends and outliers in large statistical databases Managers in financial and telecom services Panopticon software Quantitative (size and location)/ Qualitative (color) Multi-screen scatter-plot (x: exposure usage%, y: 1&10 day VaR limit utilization%) -Easy to set up -Highly customizable -Can be equipped with filtering capabilities to help user be concentrated on some data Facilitates: 1.exploring and discovering new truths in data 2.quickly identifying anomalies and taking corrective action 3. See risks at other hierarchical stages in multi-screen Risk Assessment Risk Monitoring Inf. on a single PM Quantitative scale Comparative measure for reference purpose Quantitative Bullet graph Small footprints, easier to understand than radial forms -Visualizes large info. In small space -No linkage is provided among performance measures Risk Identification Risk Assessment Risk Monitoring Risk importance (size) Risk severity (color) Hierarchical relation (location) Quantitative (size: importance and color: urgency)/ Qualitative (location) Tree map Good for large, hierarchical datasets -Enables user to: comprehend size, color and grouping quickly; easily filter out less interesting data; focus on crucial outliers, and act quickly based on patterns and trends -Good for comparing more than ten data items Risk Identification Risk Assessment Risk Monitoring Real time data Historical data Risk severity (color) Hierarchical relation Quantitative (color)/ Qualitative (location) Heat map (simplified tree map) -Enables user to: comprehend color and group quickly; filter out less interesting data; focus on crucial outliers, and act quickly based on patterns and trends 14 Vertical axis shows cost of change order, and the two horizontal axis show time and change order ID, colors represent change orders happened in one month. 39 Source Why What For Whom When How Visualization Tool Evaluation Comment (location) -Good for comparing more than ten data items Risk Monitoring Real time data X & Y axes: quantitative Dataset type (color) Quantitative/ Qualitative (color) Line graphs -simple, intuitive information visualizations - Good for time when one time series crosses another -Enables user to Compare info about changes in data over time -Good for few datasets -Shows historical market risk (relative to BM or absolute) Change of large number of items through time Quantitative Height of curve (underlying value), color (severity) Horizon graphs -Way to overview a large number of time series in a limited rectangular space -Reduce space use by mirroring negative value and dividing the chart into bonds -Good to show large number of time series in one screen -Shows how a large number of items (risk events) have changed through time -Spot extraordinary behaviours -Facilitates making comparisons between item Risk Assessment Risk Monitoring Comparative data Categorized risk groups Real time data Historical data Quantitative (bar height)/ Qualitative (color) Bar charts -Different display options, -Easy to work into different information display -Easy to understand -Good to communicate important comparative information, -Comparing ten or fewer data items across a single quantitative variable. - Historical market risk Risk Assessment Risk Monitoring Quantitative changes to several data sets over time How each data point contributes to the total Sum of the values and individual items in one chart Quantitative (changes over time and contribution to the total) / Qualitative (color) Stacked chart Great for looking at revenue or gross profit/ loss figures over time across several product lines/ risks. -Good choice when you have up to ten or eleven time series -Good in conjunction with Treemap, Heatmap or Scatter plot tools -Shows how each component in the database has changed compared to the others - When it is required to show contribution to total Risk Identification Functions as part of the whole Quantitative / Qualitative Pie Chart -Most popular data vis. Tool in the world -Not effective visualization tool for large and hierarchical dataset Not useful for visualizing large and complex database such as those in construction projects 40 2.5 Results of evaluating visualization tools To summarize the evaluation of the visualization tools discussed in Table (2.2), we have developed the matrix shown in Figure (2.11) to show the dimensions that each visualization tool treats. In this figure, every row represents a visualization tool and every column shows the dimension that the tool visualizes. If a tool is designed to visualize a specific dimension, the corresponding cell in colored in black. If the tool visualizes one dimension as a by product, the cell is colored in grey. If visualization tool offers minor benefits on visualizing a dimension, the corresponding cell is hatched in black dots. If a dimension is not addressed by a visualization tool at all, the cell is blank or white. From Figure (2.11), the majority of the visualization tools investigated are designed to assist the risk identification stage. Some of them also facilitate visualizing other stages in the risk management process like risk assessment (qualification), mitigation and monitoring as by-products. The second largest group of tools is designed to visualize the risk mitigation and risk assessment stages, but with some use for risk monitoring. Some of the investigated tools are qualitative and use a ranking system to show impact values. Some quantitative tools convert the impact value of a risk event on all performance measures to one of cost. Thus, most quantitative tools provide a dollar value or the percentage of VaR without visualizing the impact of a risk event on other performance measures. Thus, in Figure (2.11) a void exists in the central part of the matrix that represents a lack of enough work in terms of visualizing performance measures other than cost. Even Riskonnect and Panopticon which provide both qualitative and quantitative visualizations in the form of interactive, interconnected images to model market risks, modeled all risk events based on their impact on cost. Clients using these two tools are mainly concerned about how their earnings per share are impacted by the risk event and/ or the dollar amount that is lost as result of the risk event being realized. Although clients of construction projects have similar concerns regarding cost, the multi-dimensional nature of construction projects in terms of cost, time, scope, safety, etc. poses additional problems for visualizing risk data. 41 In next chapter we discuss the data that is contained in an ideal risk register, some of which could be candidates for insightful data visualizations. Fig. 2.11 Evaluated visualization tools 42 Chapter 3: Risk Register Properties and Analytical Reasoning 3.1 Introduction The purpose of this chapter is three fold: a) To develop an in-depth understanding of the purpose of a project risk register and the contents of an \u00E2\u0080\u009Cideal or model\u00E2\u0080\u009D risk register. It is these contents that one wants to visualize in order to gather insights on a project\u00E2\u0080\u0099s risk profile in order to improve the risk management process; b) To examine the contents of risk registers used in practice; c) To explore the analytical reasoning that can be supported through risk data visualization. 3.2 The concept of project risk register Development of a risk register as a mean of recording identified risks, their severity and actions to be taken, is usually the starting point for applying risk management to a project. It can be a simple document, a spreadsheet, or a database system. It can play an important role in the successful delivery of a project, especially when updated on an ongoing basis throughout the total project lifecycle. Williams (1995) stated that a risk register serves two main roles. First, it serves as a repository of a corpus of knowledge and second, it can be used as a platform for initiating the analysis and plans that flow from it. For large projects, many of which are undertaken by a consortia rather than individual companies, few project members have a good overview of the whole project \u00E2\u0080\u0093 a risk register helps to address this issue. As shown in Figure 3.1 the flow of analysis and risk management plans starts from the project\u00E2\u0080\u0099s risk register, which provides data for cost, time and technical analysis when it is combined with deterministic and other aleatoric data. 43 Figure 3.1 Flow of analyses and plans from a project\u00E2\u0080\u0099s risk register (1: deterministic and aleatoric uncertainty data, 2: epistemic and major aleatoric uncertainty data); Source: Williams (1995) As discussed by Richter (2011), a risk register facilitates risk communication in a way that all participants better understand the messages contained in individual risks and their properties as well as collections of risks, thus helping to persuade receivers of messages to modify attitudes and providing two-way communication as a mean of resolving conflicts about risk properties and risk management strategies. If a risk register is designed correctly, it enables clear and concise communication between team members which in turns increases the likelihood of project success. A risk register enables new team members to be quickly brought up to speed on the project. Further, a risk register can help with any difficulties associated with risk allocation which may arise from the wrong belief that some parties think risk can be transferred to some one else and hence they do not have to pay attention to avoid risks through risk reduction actions or contingency plans (Chapman et al. 1998). Thus, participants who bear the risk as well as those assigned responsibility for mitigating the risk should be identified in a well- 44 designed risk register. An important step in risk management is to maintain a risk database in a way that it is easier to gain knowledge about the origin and drivers of risks. Such a step should be considered in both constructing the risk register and using appropriate visualization techniques to extract information from it. 3.3 Contents of an \u00E2\u0080\u009Cideal\u00E2\u0080\u009D or \u00E2\u0080\u009Cmodel\u00E2\u0080\u009D risk register In this section, through an examination of the literature, we explore the data that should be contained in an \u00E2\u0080\u009Cideal\u00E2\u0080\u009D or \u00E2\u0080\u009Cmodel\u00E2\u0080\u009D risk register. Findings from this literature review are then complemented in the following section by examining risk registers as they appear in currently available commercial software tools. Items that should be included in a risk register are as follows: First, a list of adverse events that might occur should appear, meaningfully phrased. The probability and distribution of adverse impacts should also be recorded in the risk register and their effects modeled in further analysis (Williams, 1995). Two types of uncertainty have been discussed in the literature: aleatoric and epistemic. The former demonstrates intrinsically uncertain situations and the latter relates to a general lack of complete knowledge. A risk register should contain all epistemic risks which reflect a lack of knowledge especially at the beginning of the project and a gradual resolution of those uncertainties along with major aleatoric risks. Another category of information that should be included in a risk register relates to management actions consisting of risk reduction actions which reduce the probability of risk occurrence and/ or contingency plans that reduce the consequences of a risk if it occurs. Such information stimulates thoughts on how to reduce the likelihood of a risk event occurring and its impact if it occurs. This information also reveals to the risk manager those risk items for which no risk reduction or contingency plan is assigned. In another classification, Williams (1994) suggested that details of a risk be classified under the four categories of event, impact, actions and contractual, as follows. Event is 45 the category that includes description of a risk and its estimated likelihood of occurrence, (initially classified as high, medium and low, and then later in quantitative terms). As part of the event description the risk owner should also be included in the risk register to identify the participant that feels the effect of risk and the participant who is responsible for its removal. The area of the project in which the risk may materialize should be identified, a risk identification number should be assigned, and the description should include a brief statements as to causes and consequences. Impact is the category that includes the project objectives (time, cost and other performance measures) that a risk affects. As a first pass, severity of the impact is classified linguistically (e.g. high, medium, low), based on a subjective yet informed assessment; later, impact can be defined quantitatively as time and analysis permits. Patterson et al. (2002) suggested that the probability (or likelihood) of a risk occurring, impact of the risk if it occurs, and exposure value which is the product of likelihood and impact, be documented in a risk register. Then, risks can be ranked based on a combination of their impact, probability and exposure value at a point in time. Furthermore, they can be tracked during the project lifecycle, so active and solved risks are distinguished at different stages of the project. Patterson (2001) has provided the tables shown in Figure 3.2 to allocate non-numeric values to the corresponding percentage values for likelihood and impact. Such tables are not designed to generate accurate values of probability and impact of risk within the project, but they give ranges of probability and impact values based on subjective judgment to show an overall perception that the user has for each identified risk. Such an approach can be useful for the preliminary screening of risks, especially when the number of risks is large and scarce management resources have to be assigned. 46 Figure 3.2 Sample of probability-impact and risk ranking tables used in risk register (Source: Patterson et al. 2002) Actions is the category in which risk reduction actions are described, targeted at the reduction of the probability of a risk occurring, and contingency plans to reduce the impact of a risk if it occurs. Contractual category shows the degree of risk transfer that might be affected - it should be categorized and recorded (Williams, 1994). Williams has highlighted the criticality of the link between a risk register and the contract, and suggested a new way of classifying risks based on which ones can be transferred to the tenderer or to the procurer. Once risks are identified, based on the level that is feasible (not desired) to transfer risks from procurer to tenderer, risks can be categorized in terms of legally unavoidable risks, quantifiable risks, epistemic risks, and actuarial risk. Unavoidable risks are those that cannot be transferred by their nature. Quantifiable risks are those that management feels comfortable assigning a numeric value to and for which contingency plans can be formulated. Epistemic risks are those risks the extent of which is not known until they actually happen, so they are less predictable than quantifiable risks. Such risks are covered only by a qualified transfer with a contingency. Actuarial risks are those with 47 low probability and high impact and they are generally expensive to be covered by a contingency (e.g. risk of nuclear power plant accident). Barry (1995) described a risk register as a comprehensive risk assessment system. Using that definition, a risk register constitutes a formal method for identifying, quantifying and categorizing risks and provides a means of developing cost-effective responses to control them. Some researchers such as Carter et al. (1995) provide a descriptive version of a risk register and stated that a risk register provides a database of risks which evolves from the beginning of a project. Since there are different types of forms and registers, they advised that risk registers be kept in electronic format so their maintenance is facilitated (Patterson et al., 2002). In research conducted on the application of a risk register in the Automotive Manufacturing Industry, Patterson et al. (2002) noticed that organizations developed their Risk Register based on their own needs. No instructions were reported for constructing a risk register in general-i.e. no \u00E2\u0080\u009Cgeneral\u00E2\u0080\u009D model was put forth. In Figure 3.3, Patterson et al. (2002), has summarized examples given by Williams (1995), Carter (1995) and Ward (1999) with respect to the types of information that can be stored in a risk register. According to Patterson (2002), there is a general consensus that a risk register should contain a description of a risk, its impact and likelihood or probability of occurrence and mitigation actions. Although, several researchers such as Williams (1994) and Carter et al. (1995) have pointed out the importance of a risk register, neither they nor Chapman and Ward (1997), Barry (1995) and Ward (1999) have provided directions on how best to design and construct a risk register. 48 Figure 3.3 Suggested content of risk register Source: Patterson et.al. (2002) Hillson (2003), has recommended using a Risk Breakdown Structure (RBS) (a hierarchical structuring of potential risk sources) in order to deal with the large amount of data/ information in risk management. A RBS helps participants understand how different risks are distributed on a project which aids effective risk management. A RBS defines the total risk exposure of a project based on a source-oriented grouping: e.g. external sources (market risk, risks arising from action of competitors, suppliers or regulators); and internal sources (people, processes or procedures) (Hillson, 2003). A risk taxonomy, which is a linear list of potential sources of risk, is an essential part of a RBS under which individual risks are arranged. An example of a single level risk taxonomy is given for a construction project in Figure 3.4. 49 Figure 3.4 Single level risk taxonomy: Patterson et.al. (2002) When risks are identified, they can be categorized based on sources. This allows areas of concentration of risk to be recognized which helps managers determine the most significant sources of risk. Although it is helpful to know the total number of risks caused by one specific source, it can be a misleading piece of information as it does not take into account the relative severity of risks from different sources. In order to overcome this problem, scores associated with probability (P) and impact (I) of a risk can be used. These numerical scores can be multiplied to give a combined value. Then the concentration of risks within a RBS can be assessed by comparing the total risk score which gives a more meaningful perspective than a simple total count of risks. Categorizing risks based on a RBS provides additional benefits for risk management. According to Hillson (2003), such a categorizing helps one understand the type of risk exposure on the project, reveals root causes of risk, reveals the most important sources of 50 risk, indicates areas of correlation between risks, helps managers concentrate risk responses on high risk areas, and allows managers to develop responses for root causes of a group of risks. Moreover, a RBS facilitates risk reporting. It helps one to roll up information and to prepare reports for senior management or drilldown into details and provide reports for the project team. Issacsons (2009) identified the following items as essential parts of the main body of a risk register: \u00EF\u0082\u00B7 Risk identification number \u00EF\u0082\u00B7 Risk category \u00EF\u0082\u00B7 Risk title and a brief description \u00EF\u0082\u00B7 Date that risk is reported or entered in risk register \u00EF\u0082\u00B7 Risks identified by space (location) \u00EF\u0082\u00B7 Possible causes of the risk \u00EF\u0082\u00B7 Triggers (signal that the risk is occurring) \u00EF\u0082\u00B7 Probability of occurrence (both pre-response, and post response) \u00EF\u0082\u00B7 Impact on the project (both pre-response, and post response) \u00EF\u0082\u00B7 Risk Level \u00EF\u0082\u00B7 When it might occur (period of high risk) \u00EF\u0082\u00B7 Planned prevention or mitigation options \u00EF\u0082\u00B7 Contingent response plan \u00EF\u0082\u00B7 Residual risk \u00EF\u0082\u00B7 Responsibility assigned \u00EF\u0082\u00B7 Potential resources that are required for mitigation 3.4 Examples of risk registers In this section, the contents of risk registers used by practitioners are investigated and results of the investigation are summarized in Tables 3.1 to 3.8. These tables provide a summary of the content of risk registers used in commercial software such as RiskAid, Pertmaster, RiskRadar as well as risk registers utilized by practitioners such as the 51 National Health Service of UK, the office of government commerce of UK and a risk register used by Patterson et al (2002). Generally speaking, all of the risk registers were developed to provide information on the following items: \u00EF\u0082\u00B7 Details of a risk which includes description of the risk, risk category and risk rating. \u00EF\u0082\u00B7 Person responsible for recording the risk, owning the risk and implementing a risk mitigation strategy. \u00EF\u0082\u00B7 Dates on which risks are identified and reviewed, due dates of action plans. \u00EF\u0082\u00B7 Likelihood of a risk to occur and its impact in case of occurrence. \u00EF\u0082\u00B7 Proposed mitigation plans, their estimated costs, benefits and effectiveness in mitigating risks. 52 Table 3.1 Ref: Federal Gov. Agency Table 3. 2 Ref: What is Risk Register Item class Item How expressed Comment Item class Item How expressed Comment Identification A. Number alphanumeric Identification A. Date alphanumeric Date that risks are identified or modified. Optional to add target and completion dates. B. Risk category linguistic B. Risk Type linguistic Business, project or stage risk. C. Description including cause & consequence Linguistic (free form) C. Description Linguistic Assessment D: Likelihood of occurrence Linguistic \u00E2\u0080\u0093 predefined choices Assessment D. Likelihood of occurrence Linguistic- predefined choices Low (<30%), Medium (31- 70%), High (>70%) E: Severity of occurrence Linguistic \u00E2\u0080\u0093 predefined choices E. Severity of effect Linguistic \u00E2\u0080\u0093 predefined choices F: Inherent risk (D x E) Linguistic \u00E2\u0080\u0093 predefined calc F: Inherent risk (D x E) Linguistic \u00E2\u0080\u0093 predefined calc G. Project specific or global Linguistic \u00E2\u0080\u0093 predefined choices H. Initial allocation under DBB Linguistic \u00E2\u0080\u0093 predefined choices? I. Quantified Means what? Treatment J. Risk expert Linguistic (name) Treatment K. Mitigation strategy (cost/benefit) How expressed Counter Measure Linguistic Express the contingency plan L. Project agreement reference How expressed Owner Linguistic Express individual responsible for managing the risk M: blank column Status Linguistic C-Current E-Ended Cost base N. Cost basis Check what this is Cost base N. Cost basis Check what this is O. Value Numeric O. Value Numeric? P. Blank column P. Blank column?? Probability Q. 0% to 100% Number Likelihood? Probability Q. 0% to 100% Number Likelihood? R. Rationale for probability assumption How expressed? R. Rationale for probability assumption How expressed? Impact S. Impact: best Numeric Seemingly only cost Impact S. Impact: best Numeric? Seemingly only cost? T. Impact: most likely Numeric Seemingly only cost T. Impact: most likely Numeric? Seemingly only cost? U: Impact: worst Numeric Seemingly only cost U: Impact: worst Numeric? Seemingly only cost? V. Mean of impact estimates Numeric V. Mean of impact estimates Numeric W. Rationale for best, most likely, worst assumptions Linguistic \u00E2\u0080\u0093 free form? W. Rationale for best, most likely, worst assumptions Linguistic \u00E2\u0080\u0093 free form? Consequence Consequence X. Retained Make a choice between X, Y, Z? Y. Shared Y. Shared Z. Transferred Z. Transferred 53 Table 3.3 Ref: PERTMASTER Table 3.4 Ref: RiskAid Item class Item How Expressed Comment Item class Item How Expressed Comment Identification A. Number Alphanumeric Identification A. Number Numeric B. Risk Type Threat/ Opportunity B. Description Linguistic (Causes/ consequences) C. Title Linguistic (free form) Ex. Weather affecting ground C. Risk Expert Linguistic Pre- mitigation D. Probability (0- 100)% Linguistic- predefined choices Choices: VL/L/M/H/VH D. Date Numeric E: Impact on Schedule Linguistic \u00E2\u0080\u0093 predefined choices Choices: VL/L/M/H/VH E: Type Linguistic-predefined Technical/ Human/ Politico- Economic F: Impact on Cost Linguistic \u00E2\u0080\u0093 predefined choices Choices: VL/L/M/H/VH F: Category Linguistic-predefined Project/ Consortium/ External G. Impact on Performance Linguistic \u00E2\u0080\u0093 predefined choices Choices: VL/L/M/H/VH Pre-mitigation G. Probability Range of probability is positioned in heat map diagram N/VL/L/M/H/VH/ Definite, limits can be set by user H. Score Numeric (based on D, E, F, G) H. Impact on cost Positioning in heat map diagram Mitigation I: Response Linguistic I. Impact on Schedule Positioning in heat map diagram N/VL/L/M/H/VH/ Definite limits can be set by user J: Title Linguistic (name) J: Rationale for impact assumption Linguistic-free form ex. Specialty in skill/ difficulty in replacing K: Total Cost K: Rationale for probability assumption Linguistic-free form ex. Being a member of dangerous sport team Post- Mitigation L: Probability (0- 100%) Linguistic \u00E2\u0080\u0093 predefined choices Choices: VL/L/M/H/VH Post Mitigation L: Probability Range defined from None to Definite extremes. M: Impact on Schedule Linguistic \u00E2\u0080\u0093 predefined choices Choices: VL/L/M/H/VH M. Impact on cost Numeric N/VL/L/M/H/VH/ Definite, limits can be set by user N: Impact on Cost Linguistic \u00E2\u0080\u0093 predefined choices Choices: VL/L/M/H/VH N: Impact on Schedule Numeric N/VL/L/M/H/VH/ Definite limits can be set by user O: Impact on Performance Linguistic \u00E2\u0080\u0093 predefined choices Choices: VL/L/M/H/VH Action O: Type Linguistic- Predefined Preventative (reduce the chance: avoid, transfer, insure, diversify)/ Limiting (reduce impact: contractual cases, alternative solutions) P. Score Numeric (based on D, E, F, G) P: Cure Probability Linguistic- Predefined N/VL/L/M/H/VH/ Definite limits can be set by user Details Q: Owner Linguistic (free form) Q: Cure Reasons Linguistic-free form Why action should take place? R: Description Linguistic (free form) Weather R: When? Linguistic-predefined During contract/ S: Cause Linguistic (free form) Rain Season S: Title Linguistic-free form T: Effect Linguistic (free Loss of productivity T: Description Linguistic-free form 54 Table 3.3 Ref: PERTMASTER Table 3.4 Ref: RiskAid Item class Item How Expressed Comment Item class Item How Expressed Comment form) U: Manageability Linguistic (free form) Easy/ Moderate/ Hard U: Risk Expert Linguistic (Name) V: Status Linguistic (free form) Proposed V: Chance of action being needed Linguistic Pre- defined Range can be defined from None to Definite W: Proximity Linguistic (free form) Overdue X: Chance of action curing cost and delay Linguistic Pre- defined Range can be defined from None to Definite X: Start and End Dates Numeric Y: Cure probability reasoning Linguistic free-form Z: Approved Linguistic (Y/N) \u00CE\u00B1 : Progressed Numeric (%) \u00CE\u00B2: Cost Numeric $ Days Table 3.5 Ref:: RRE Table 3.6 Ref: NHS Org Item class Item How Expressed Comment Item class Item How Expressed Comment Identification A. Number alphanumeric Risk Form A: Risk No. Numeric B. ID Date Numeric Risk Identification Date B: Risk Area C. Priority Numeric What out of what. Multiple risks may have same ranking. C: Risk Description D. Classification Linguistic- predefined choices Ex. Unclassified D: Impact on person/ trust Linguistic-predefined Death/ Extensive Injuries/ Medical treatment required/ First aid treatment/ Minimal financial loss E. Risk Originator Linguistic- predefined choices Who specifies risk E: Unfavorable publicity Linguistic-predefined Remote/ Unlikely/ Possible/ Likely/ Probable F. Risk Owner Linguistic- predefined choices Peron responsible for managing risk (point of contact) F: No. of person affected Numeric-predefined G. Risk Title Linguistic-free form G: Clinical complaint Numeric-predefined Remote/ Unlikely/ Possible/ Likely/ Probable H: Risk Description including cause, effect and context of risk Linguistic -free form H: Consequences Linguistic/ Numeric- predefined (based on D, E, F, G) Catastrophic (5), major (4), moderate (3), minor (2), insignificant (1) Assessment E: Probability Linguistic \u00E2\u0080\u0093 predefined choices Near Certain (0.9)/ Highly likely (0.7)/ likely (0.5)/ unlikely (0.3)/ remote (0.1) I: Likelihood Numeric-predefined Numbers represent likelihood as none, possible, likely, highly likely, certain F: Impact on technical Numeric/ Linguistic \u00E2\u0080\u0093 predefined (0-5) OR (VL-VH) are predefined in linguistic free form J: Risk Rating Numeric- based on H and I 55 Table 3.5 Ref:: RRE Table 3.6 Ref: NHS Org Item class Item How Expressed Comment Item class Item How Expressed Comment choices G: Impact on schedule Numeric/ Linguistic \u00E2\u0080\u0093 predefined calc (0-5) OR (VL-VH) are predefined in linguistic free form Action form K: Action Description Linguistic-free form H. Impact on cost Numeric/ Linguistic \u00E2\u0080\u0093 predefined choices (0-5) OR (VL-VH) are predefined in numeric(%) free form L: Adequacy of Control Linguistic-predefined Adequate/ inadequate I: Impact on other parameters Numeric \u00E2\u0080\u0093 predefined choices ? M: Start Date Numeric-free form J: Risk Exposure Numeric (Probability x impact)-all impacts combined together N: Due Date Numeric-free form K: Risk level Linguistic- predefined L/M/H defined based on risk exposure rates O: Cost Numeric-free form L: Level Trend Arrows Up/ down/ horizontal M: Risk level Position risk in heat map Risk level through time Total no. of risk in each probability impact bin at 4 time frames: at the time of analysis/ near, mid and far future N: Status Linguistic- predefined Monitor/ Mitigate/ Transfer O: Early Impact Numeric-from calendar Earliest date you expect may impact the project P: Late Impact Numeric-from calendar Latest date you expect may impact the project Q: Days to Impact Numeric No. of days to earliest date that risk may become a problem R: Impact Horizon Linguistic- predefined Past/ near (now to x days)/ mid (to y days)/ far (beyond) S: Last Updated Numeric-from calendar T: Next Updated Numeric-from calendar Triggers U: Internal description Linguistic- 56 Table 3.5 Ref:: RRE Table 3.6 Ref: NHS Org Item class Item How Expressed Comment Item class Item How Expressed Comment (drivers) predefined V: External description Linguistic-free form X: Rule Linguistic- predefined Ex. Greater than/ changes from Y: Trigger Value or Date Numeric-free form Z: Current Value Numeric-free form Attributes \u00CE\u00B1: Type Linguistic- predefined \u00CE\u00B2: Source Linguistic- predefined Internal/ External \u00CE\u00B3: Control Linguistic- predefined \u00CE\u00B4: Critical Path tick Does the risk affect an activity on critical path \u00CE\u00B5: Phase Linguistic- predefined Lifecycle phase that risk affects \u00CE\u00B6: Program Area Linguistic-free form Ex. Engineering \u00CE\u00B7: Focus Area Linguistic-free form \u00CE\u00B8: WBS Specification Ref Numeric-free form Activity that spawned the risk \u00CE\u00B9: Milestone Linguistic- predefined Select a milestone from dropdown Cost \u00CE\u00BA: Occurrence cost \u00CE\u00BB: Factored Cost \u00CE\u00BC: Mitigation Cost \u00CE\u00BD: Factored Cost \u00CE\u00BE: Opportunity Cost \u00CE\u00BF: Factored Cost Mitigation \u00CF\u0080: Mitigation description Linguistic-free form \u00CF\u0081: Mitigation Plan Time-Impact diagram Process of mitigation \u00CF\u0082 : Due date of each stage Numeric-free form \u00CF\u0083 : Description of each stage Linguistic-free form Mitigation Window \u00CF\u0084: Mitigation step no Numeric 57 Table 3.5 Ref:: RRE Table 3.6 Ref: NHS Org Item class Item How Expressed Comment Item class Item How Expressed Comment \u00CF\u0085:. Mitigation title Linguistic-free form \u00CF\u0086: Mitigation description Linguistic-free form \u00CF\u0087: Point of contact Linguistic- predefined \u00CE\u00A8: Start, due, and date completed Numeric \u00CF\u0089: Projected probability \u00CF\u008A :Projected impact on cost, time, performance, other Numeric- predefined \u00CF\u008B :Risk exposure Numeric Result of probability and combination of impacts \u00CF\u008C :Risk level Linguistic- predefined Risk Mitigation options \u00CF\u008D: Risk mitigation option checkbox tick Avoidance/ transfer/ control/ assumption/ research Risk mitigation option description Linguistic-free form Root Cause Window \u00CF\u008D: Underlying causes of the issue Linguistic-free form 58 Table 3.7 Ref: Risk & Issue Management Protocol (Ogc.gov.uk) Numeric-free form Comment Table 3.8 Ref: Patterson et al. (2002) Numeric-free form Comment Risk Identification A: Risk ID Linguistic-free form Risk Register Report A: Risk No. Numeric-free form B: Risk owner Linguistic-free form B: Risk Area Linguistic-predefined Area within the project that risk occurs C: Risk owner Linguistic-free form C: Risk description Linguistic-free form Risk Assessment D: Impact on target D: Probability Linguistic-predefined From VL to VH/ translation by numeric and non- numeric values E: Impact on service E: Impact on time Linguistic-predefined F: Impact on reputation F: Impact on cost Linguistic-predefined G: Likelihood G: Impact (total) Linguistic-predefined H: Current score Numeric-result of D, E, F, G- Status is represented by colors H: Severity Linguistic-function of D & G I: Status of control program Color coding score cells Red: little/ no mitigation work Amber: partial mitigation Green: Mitigation fully implemented I: Risk Ranking Numeric Visual (Pie chart) Output: Oval divided to number of risks ranked/ ranking presented in corresponding slice J: Previous month risk score J: Trend indicator Arrow K: Quantified impact K: Evaluated by Numeric-predefined Mitigation L: Control actions L: Risk Owner Linguistic-free from M: Indicator Linguistic-free form Information/ metrics that indicate whether a risk is emerging- clickable heat map M: Risk Reduction/ mitigation plans Linguistic-free from N: Responsibility Linguistic-free form/ predefined Individuals responsible for owning control plans- clickable heat map N: Notes Linguistic-free from O: Action by Linguistic-free form/ predefined Individuals responsible for implementing control actions- clickable heat map O: On risk register Check box 59 Table 3.7 Ref: Risk & Issue Management Protocol (Ogc.gov.uk) Numeric-free form Comment Table 3.8 Ref: Patterson et al. (2002) Numeric-free form Comment P: Due date Numeric-from calendar clickable heat map P: Risk solved Linguistic-predefined Yes/ No Q: Required risk Color \u00E2\u0080\u0093coded score cells Red/ Amber/ Green: reflect severity of risk after ctrl actions implemented Q: Link to Risk Owner form R: Link to Risk reduction/ mitigation plan form Risk Assessment Tool S: Overall project risk Numeric (total severity value/ no. of risks) T: Assessment the overall risk to project Linguistic-predefined Identify riskiness of project/ track them over the time: to see how well risks are mitigated over time U: Percentage of risks requiring attention Numeric (Sum of active risks x 100) V: No. of active risks Alphanumeric-free form List and track no. of active risks in a life span of project X: Severity of risk in project lifespan Risk severity vs. risk no diagram Active risks: above horizon What areas need more attention due to high risks (ID: represents areas) 60 Some important features of the risk registers summarized in Tables 3.1 to 3.8 are discussed in more detail in what follows. The risk register used by Patterson et al. (2002) is shown in Figure 3.5. It consists of an electronic Visual Basic Code Risk Assessment Tool which can be divided into two parts. In the first part, information on individual risks, their description, associated probability, impact value, identification number and areas of the project in which they happen are given. Then, the second part of the assessment tool provides a risk assessment based on the severity values of the individual risks. Patterson et al. (2002) have suggested the following contents for a risk register: \u00EF\u0082\u00B7 The area of the project in which the risk may materialize; \u00EF\u0082\u00B7 Risk Identification Number; \u00EF\u0082\u00B7 Brief description of the risk; \u00EF\u0082\u00B7 Probability value; \u00EF\u0082\u00B7 Impact value (on time and cost); \u00EF\u0082\u00B7 Total impact value (combination of impact values in terms of time and cost); \u00EF\u0082\u00B7 Severity value (combination of probability and total impact value); \u00EF\u0082\u00B7 Ranking of the risk within the project (ranked risks are those with a high severity that are active in the project); \u00EF\u0082\u00B7 Track of the risk (i.e. has the risk increased, remained the same, or decreased in severity since the previous month); \u00EF\u0082\u00B7 Phase or time by which risk should be evaluated; \u00EF\u0082\u00B7 Risk owner; \u00EF\u0082\u00B7 Brief description of risk reduction/ mitigation plans that have been developed; \u00EF\u0082\u00B7 Whether the risk is active on the register; \u00EF\u0082\u00B7 Whether the risk has been solved. 61 Figure 3.5 Risk register sample (Source: Patterson et al., 2002) Another example of a risk register published by Richter (2011) is shown in Figure 3.6. Components of this risk register are quite similar to those recommended by academia (see Figure 3.3). Richter (2011) outlined the importance of recording the date in a risk register as it is a living document (dates on which risks are identified and modified). Further, Richter (2011) has mentioned three categories of risks as business (B), project (P) or stage (S). Business risks are defined as those risks that relate to the delivery of desired benefits; project risks relate to managing the project in terms of time and resources, and stage risks are those risks associated with a specific phase. 62 Figure 3.6 Risk register sample (Richter 2011) 63 Another example of a risk register is provided by RiskAid, a risk management software tool. Risk information treated is shown in Figure 3.7. Figure 3.7 Risk register used in RiskAid Source: Risk Reasoning Ltd. (2009) http://www.riskreasoning.co.uk/ RiskAid also provides a summary which can be used to give an idea of the costs and delays if actions are and are not taken. 64 Figure 3.8 Project risk summary (Source: Risk Reasoning Ltd. 2009 http://www.riskreasoning.co.uk/filer.cfm?file=RiskAid_Enterprise_Brochure) Complementing the risk register shown in Figure 3.7 is the action plan extracted from RisAid as shown in Figure 3.9. Figure 3.9 Action plan (Source: Risk Reasoning Ltd. 2009 http://www.riskaid.co.uk/E_gatekeeper.cfm?FileID=140) Other displays are also used in order to communicate an individual\u00E2\u0080\u0099s responsibility with respect to risk management along with notes and alerts that need their attention. Information on this page is filtered and limited to items relevant to a specific individual. 65 Figure 3.10 Action plan (Source: Risk Reasoning Ltd. 2009 http://www.riskaid.co.uk/E_gatekeeper.cfm?FileID=140) Another risk register investigated is the one used in Primavera Pertmaster. As shown in Figure 3.11 the Primavera risk register is composed of qualitative and quantitative parts. In the qualitative part, information about a risk such as risk Id, type of risk (threat or opportunity), and risk title is shown. Further a mitigation strategy is described and risks are assessed both before and after applying the mitigation strategy. Other details such as risk owner, risk description, causes and effects of a risk, status and degree of manageability of a risk are contained in the risk register. Figure 3.11 shows a sample of the qualitative risk register used. 66 Figure 3.11 Risk register in Pertmaster (Source: http://www.westsoft.dk/Files/Filer/konferencer/Primavera_brugerm_290508/Pertmaster.pdf) 67 For quantitative risk analysis, the impact of a risk event on the performance measures of time and cost is taken into account regardless of possible impacts the risk event may have on other performance measures such as quality, scope, safety, environment, and reputation. Time and cost distribution graphs are drawn to estimate the likelihood of completing a project by a pre-defined date or budget. Tornado diagrams are used to show tasks that can highly affect the performance measures of time and cost. Managers can then distinguish those tasks that highly affect time and cost and based on tornado diagram, they can prioritize risk events, an important outcome of the risk management function. Since management resources are scarce, managers can not manage all risk events at the same level- they need to allocate more resources to high priority risks. Usually risk events are prioritized based on their exposure value (product of impact value and probability); however, a high degree of subjectivity can be involved in estimating the impact value of risk events. So, when a manager seeks to make a decision based on the exposure values, they should be able to assess its reasonableness. Therefore, the whole process of deriving that value should be visible to the user. To make this procedure explicit, risk events can be grouped by the tasks that they affect, with the sensitivity of tasks with respect to time and cost shown in Tornado diagrams. Thus, a Tornado diagram can be used to help in prioritizing risk events when risk events are mapped to tasks. Risk Scoring Matrix- Risk events are entered into a risk scoring matrix in the risk register (Figure 3.12) and they are scored from very low to very high, based on probability of occurrence and their impact value on the three measures of \u00E2\u0080\u009Ccost\u00E2\u0080\u009D, \u00E2\u0080\u009Cschedule\u00E2\u0080\u009D and \u00E2\u0080\u009Cperformance\u00E2\u0080\u009D. Scores are shown in the qualitative section of the risk register (Figure 3.11), where the impact value of every risk event is derived based on a subjective view. Risk events with the highest priority are those that affect tasks because of their high sensitivity to time or cost where sensitivity of events is shown through a tornado diagram (Figure 3.12). S-curves and probabilistic cash flow are other images used in the quantitative part of the risk register. S-Curves are used to determine if mitigation strategies are useful to save 68 money. Using S-curves, the user can compare pre-mitigated results with the original and post-mitigated results. Figure 3.12 Risk scoring matrix used in Primavera Pertmaster (Source: Primavera Pertmaster http://www.westsoft.dk/Files/Filer/konferencer/Primavera_brugerm_290508/Pertmaster.pdf) Figure 3.13 Risk scores in Pertmaster risk register (Source: Primavera Pertmaster http://www.westsoft.dk/Files/Filer/konferencer/Primavera_brugerm_290508/Pertmaster.pdf) 69 Figure 3.14 Tornado diagram used in Pertmaster in worst case scenario (Source: Primavera Pertmaster http://www.westsoft.dk/Files/Filer/konferencer/Primavera_brugerm_290508/Pertmaster.pdf) One of the most comprehensive versions of risk registers investigated in the current work is the one used in Risk Radar Enterprise (RRE), a Microsoft Access database risk management application. Risk Radar was developed by American System (a privately held IT service provider) to help project managers and their teams identify, analyze, track, report, and mitigate risk events in a project and increase risk visibility across the organization. The application is certified by Navy Marine Corps Intranet (NMCI). (http://www.2asc.com/Services/ProfessionalTechnicalITServices/RiskManagement/Risk ManagementTools.htm) RiskRadar provides a dynamic tool through which a number of risks in each cell of the probability-impact (heat map) diagram is shown in time frames (past-near future, mid future and long future). Although, it is important to know the number of risks of high, 70 medium or low probability, it is more important to characterize risks by their future impact and impact horizon. To estimate risk exposure value, the probability of risk occurrence and its impact value if it occurs are defined as per following tables: Figure 3.15 Probability-to-probability map used in RiskRadar (Source: RiskRadar 3.3 User Manual 2003) Figure 3.16 Impact definition used in RiskRadar (Source: RiskRadar 3.3 User Manual 2003) To prioritize risks, risk exposure is calculated as a product of probability assigned to each risk event and the largest impact it may have on any of the three aspects defined in the project (cost, time or performance). For example, if one risk has an impact of 0, 0 and 2 on cost, schedule and technical performance of the project respectively, the risk exposure will be derived as the product of probability and the largest impact (2). Consistent use of numerical risk values during the project lifecycle provides a consistent risk ranking methodology that enables the most important risks to be kept on top of the list during the project life cycle. However, both probability and impact values listed in Figures 3.15 and 3.16 are assigned to risk events based on a subjective view which may cause difficulty in gathering consistent results from different participants. Moreover, when the user comes 71 back to check the reasonableness of results, they cannot evaluate the degree of confidence in these numbers as the tacit knowledge used to record estimates is not recorded. In Figure 3.17, three levels of risk are defined based on Risk Exposure in Risk Radar as: Figure 3.17 Risk exposure to level map (Source: RiskRadar 3.3 User Manual 2003) Since risk exposure is calculated as the product of probability and impact, it is more useful to visualize risk level, risk exposure value, probability and impact value of each risk event on a heat map matrix, a 5x5 example of which is shown in Figure 3.18. Figure 3.18 Risk exposure mapping (Source: RiskRadar 3.3 User Manual 2003) Red is assigned to unacceptable risks, amber represents risks that can be accepted if some additional management approach is applied, and green shows risks which have minimum impact. Risk level varies over the life of the project; therefore, it is important to know the trend of such variation as the project evolves. Figure 3.19 extracted from the American System website shows how risk analysis settings can be customized by the user. 72 Clickable heat maps and the ability to roll-up risks at different levels as shown Figure 3.20 are two capabilities provided in Risk Radar Enterprise. More detailed information about risks can be viewed by clicking on the number of risks presented in each cell of the heat map. 73 Figure 3.19 Customize setting in RiskRadar Enterprise Source: American System (2010) http://www.2asc.com/NR/rdonlyres/BB407D38-1AD5-4AA5-8020- D89B2E1DB357/0/RRE_Overview.pdf 74 Figure 3.20 Capability to roll up risks at parent and child project risks Source: American System (2010) http://www.2asc.com/NR/rdonlyres/BB407D38-1AD5-4AA5-8020- D89B2E1DB357/0/RRE_Overview.pdf 75 In Risk Radar Enterprise, information about risk identification, risk assessment, triggers, attributes and cost are summarized in a separate window, as shown in Figure 3.21. Some information in this window is presented in linguistic form (mostly predefined and some free form), and some in numeric format. Risk exposure is the only piece of information that is shown in a visual format. The information shown in predefined linguistic form can be visualized more easily compared to the information shown in free form (e.g. risk title, description, and external triggers). In Risk Radar Enterprise, details about mitigation strategies are summarized as shown in Figure 3.22(a), where, a brief description of risk is followed by mitigation description, required mitigation steps, step title, due dates, and status (completed/ not completed). There is a clickable icon named \u00E2\u0080\u009Caction\u00E2\u0080\u009D which accesses more details on a mitigation step, as shown in Figure 3.22(b). Finally, as shown in Figure 3.23, Risk Radar Enterprise allows user to customize reports through selecting details and data field of interest. 76 Figure 3.21 Details on risk data Source: American System (2010) http://www.2asc.com/NR/rdonlyres/BB407D38-1AD5-4AA5-8020- D89B2E1DB357/0/RRE_Overview.pdf 77 Figure 3.22(a) Risk mitigation (description and required steps) 78 Figure 3.22(b) Risk mitigation (description of each step) Source: American System (2010) http://www.2asc.com/NR/rdonlyres/BB407D38-1AD5-4AA5-8020-D89B2E1DB357/0/RRE_Overview.pdf 79 Figure 3.23 RRE report detail Source: American System (2010) http://www.2asc.com/NR/rdonlyres/BB407D38-1AD5-4AA5-8020-D89B2E1DB357/0/RRE_Overview.pdf 80 3.5 Analytical reasoning needs of risk management and roles of data visualization 3.5.1 Introduction Project participants think in different ways about a project, because of differences in experience and knowledge. Analytical reasoning is used in project and construction management in order to gain an understanding and generate insights from the perspective of various project participants. Analytical reasoning facilitates exploring causal relations between project conditions and project performance (Russell et al. 2009) and communicating findings to an audience. The focus of this section is on the analytical reasoning needs of risk management, especially with respect to the front end steps of risk management (e.g. identification, quantification, mitigation) with an eye to identifying opportunities for visual analytics to help with understanding the contents of a risk register and communicating important insights. Some commentary is also offered on potential approaches for visualizing data with a more detailed elaboration provided in Chapter 4. Chiu et al. (2010) have defined a visual analytic environment as a \u00E2\u0080\u009Ccomputerized information system which enables users to create their own scenes composed of one or more pre-coded visual representations and an interface that assists users to interact (filter, sort, zoom, highlight, coordinate, etc.) with data and a palette of pre-coded images designed to facilitate analytical reasoning\u00E2\u0080\u009D. In the following subsections, we have identified some of the analytical reasoning needs associated with risk management under the main headings of risk identification, risk assessment and risk mitigation. We observe that our interest is with the messages contained within a collection of risk events in a project\u00E2\u0080\u0099s risk register, as opposed to reasoning about individual risk events. A summary of findings is presented in Table 3.9. 81 3.5.2 Analytical reasoning in risk identification In multi-dimensional projects, individual risk events are likely to have different drivers reflecting the various perspectives of product, process, participant and environment. Accordingly, risk events may have different types of adverse outcomes. Thus, a risk manager should look at these four perspectives in order to identify driver(s) of a risk event and their relation with adverse outcomes. When drivers are identified, the interaction amongst drivers that cause one risk event and drivers of other risk events that exist in a common time frame or in a common location should be taken into account, because of the potential for interaction amongst risks. In addition, every risk event may affect different performance measures (i.e. time, cost, quality, scope, safety, environment and reputation), not all of which can be measured in the common unit of cost and time. To develop a deep appreciation of a project\u00E2\u0080\u0099s risk profile at an overall level as well as with subsets of risk management data, analytical reasoning directed at questions that deal with the issues that follow should be conducted: - At the global level \u00EF\u0082\u00B7 Causal pathways from risk drivers to risk events form a basis for the strategic selection of how, where and when to undertake risk treatment action. It is important to identify points at which treatment action can be effectively applied to break the pathway and prevent adverse events or identify measures that facilitate managing (mitigating or transferring) adverse outcomes (Australian Government, Department of Health and Ageing, 2005). Possible combinations of causal links between risk drivers and adverse outcomes are as follow: \u00EF\u0082\u00A7 One risk driver results in a single adverse outcome. \u00EF\u0082\u00A7 One risk driver results in multiple adverse outcomes. \u00EF\u0082\u00A7 Multiple risk drivers result in a single adverse outcome. \u00EF\u0082\u00A7 Multiple risk drivers result in multiple adverse outcomes. 82 A topology diagram (Figure 2.5) is occasionally used as a visual representation to show relationships (one-to-many, many-to-one, one-to-one and many-to-many) between drivers and risk events where drivers and risk events are shown by squares on two parallel axes. Such diagrams add value as they help managers quickly identify drivers that cause a risk event and see risk events that are caused by multiple drivers. However, all drivers related to a risk event may not have the same level of priority with respect to generating a risk. For example, two drivers may exist in building a coffer dam on a river: positioning a pier in the river (product driver/ primary driver); and the river at flood level (environmental driver). Square size of visual mark or color saturation could be used as metrics to show the relative importance of drivers, for each risk event, and line weight could be used as a metric to show the linkage between a driver and a risk event. As a draw back, topology diagrams may suffer from labeling and scaling issues that may occur when overlaps happen on lines that link risk events and drivers and datasets are large. To help avoid this, risks could be investigated in different time frames and/ or locations, etc. \u00EF\u0082\u00B7 An important task in the risk management function is to prioritize risk events. Prioritization is usually done based on a manager\u00E2\u0080\u0099s subjective view according to the two criteria of: the impact that the risk event may cause on pre-defined project objectives which are described in terms of various performance measures, and the probability of occurrence of that risk event. To evaluate the level of risk impact (e.g. L/M/H), use is generally made of an expert\u00E2\u0080\u0099s tacit knowledge. How to capture aspects of this knowledge (e.g. specific drivers in terms of the four views of product, process, participant, environmental) becomes important in terms of identifying potential root causes of an event, targeting mitigation measures to reduce or eliminate the risk itself or the consequences should it occur, and setting priorities for addressing risks. 83 To evaluate probability of occurrence of every risk event, use can be made of the drivers identified. Those risk events that occur as result of multiple drivers or drivers which are hard to control, might have a high probability of occurrence; hence, they may have higher priority compared to other risk events. It is important to find those drivers that are common to multiple risk events. Removal of such drivers, if feasible can be an effective means of mitigating some or all the risk events. Thus, to have a rational approach to prioritize events based on their impacts and probability of occurrence, it is beneficial to identify components (product, process, participant and environmental) both contributing to the risk event and affected by the risk event if it occurs. In the following part, analytical reasoning of interest is discussed in the context of the foregoing four project views. From a process perspective, it is useful to identify work packages that every risk affects, and to visualize risks based on the affected work packages to: 1. Rank risks based on the impact of risks on products, participants and locations within the affected work package; 2. Rank risks based on sensitivity of project cost and time to changes in the affected work package cost and time; 3. Rank work packages based on exposure value of the risk events within that work package; Once risks that affect work packages are identified, they can be prioritized based on the impact the affected work packages have on project objectives. For example, those risks that affect work packages on the critical path will be given higher priority for time-driven projects where meeting a tight deadline is more important to project success than meeting a budget. Tree-maps can be used, to show the distribution of risk events in the hierarchy of work packages. On the top level of the tree map hierarchy, risks can be grouped based on phases or time frames in which 84 they happen, which provides a big picture of number of risk events and their impact values at different points of time. To elaborate a bit more in the process view, managers may wish to prioritize risk events in every work package, based on their impact(s) on all performance measures (not only on time, but also on cost, reputation, scope, safety, quality and environment). To have a rational assessment of the risk events, it is useful to show products, participants, and locations that are affected by the risk events in every work package in a matrix view. Once the impact of every affected component is assessed in terms of the performance measures of interest, the total impact of all the risk events for that work package could be calculated for each performance measure. Since impact values on all performance measures can be transformed to equivalent cost (at least in theory), the impact of a risk event on all performance measures can be summed together using a monetary measure. Tornado diagrams and spider plots can be used to show sensitivity of project cost to changes in work package cost. Once the risk events are categorized based on the work package(s) that they affect and Tornado diagrams and spider plots are drawn to rank work packages based on their role in determining the total project cost, risks that affect highly ranked work packages in Tornado graphs will be given higher priority due their large impacts. Work packages in the Tornado diagram could be clickable, so details of the risks that affect every work package would be shown on demand in detail. Once risks are prioritized based on all performance measures, it is useful to show them in each project phase or specific time frames. Risks that exist in each time frame could then be ranked based on their exposure values. As a result, a different heat map diagram could be generated for each time frame to facilitate prioritization of active risks, distinguish risks initiated in each time frame and omit risks that are no longer active. Looking at risk prioritization in each time frame facilitates resource allocation in that time frame. 85 Visualizing risk events in every work package not only facilitates ranking the risk events based on their impacts, but also helps in ranking the work packages based on the exposure value of the risks that affect them. It is useful to label work packages with the number of risk events that affect them, their individual impact values and in an ideal case the total impact value of all risk events corresponding to that work package (i.e. aggregate across all risk events at the work package level). Then, similar to heat-map diagrams, work packages can be prioritized based on the total exposure value (product of probability and impact value) of all risk events that affect each work package. Thus, managers will be able to identify quickly the most critical work packages and if necessary allocate more resources to them. Network diagrams and tree-maps can be used to show ranking of work packages based on their risk exposure. Similar to visualizing distribution of risks by work packages, it would be useful to show the distribution of risk drivers in a work package hierarchy to identify and manage those drivers that contribute to many risks or cause risks with large exposure values. From a product perspective, it is useful to show the products or their constituent parts (e.g. bridge or piers and superstructure) that are affected by a risk event, or are the driver of risk event. It would be useful to attach different risk events and their exposure values to each product, and then color-code products based on their exposure values. This would enable critical products which are affected by risks with high exposure values to be quickly identified. Managers could then decide to replace critical products with less risky ones if feasible to do so, or provide appropriate contract terms (e.g. transfer some risks by outsourcing procurement of that product). To show products and their constituent parts which are affected by every risk event, color-coded tree-maps could be used to show the number of risks and exposure value of risks that affect 86 every product. Such a tee-map would help managers rank products based on the impact of the risks that affect them. From a participant perspective, risks could be classified based on risk owner, participant affected by the risk and participant who is responsible for risk mitigation or decision making. It would be useful to have a clickable color-coded organizational chart of the project, so that by clicking on each participant, risks that are owned by that participant pop out. In this way bearer(s) of risks would be visible to the manager in an organizational chart, and participants could be prioritized and color-coded based on the exposure of the risks that they bear. It would help managers quickly identify those participants who are overloaded with risks, to distribute risks equally among other participants or to decide on outsourcing or using alternative procurement modes.. For example, if an owner is responsible for a large number of risks, P3 procurement might be chosen to transfer significant risks to the concessionaire. Such a clickable color-coded organizational chart might also provide a tool to check whether risks are assigned to the right participant or not. Visualizing distribution of risks by participants helps managers see relationships between participants (i.e. Are they equal in the consortium? Are they sharing risk? Or are they unequal in a contractor/ subcontractor relationship with one largely bearing the risk?), thus providing a visual representation of the bearer(s) of risk (Williams, 1993). Similar to the two previous views, grouping risks based on the affected participants facilitates the ranking of risks based on their impacts on participants. It would also be useful to show the distribution of risk drivers in terms of the hierarchy of participants, so that those participants who cause many risks or cause risks with large exposure values can be identified and managed. From an environmental perspective, risks and drivers could be grouped by the location at which they occur. Grouping risks based on their location would help participants better remember risks and have them in mind when the project reaches 87 a specific location. It would also help participants to distinguish the most critical locations in the project which are threatened by multiple and potentially high severity risks. It would also be useful to show the distribution of risk drivers in terms of a hierarchy of locations (assuming there is one), so that those locations that cause many risks or cause risks with large exposure values could be identified and managed. In an ideal case, tree-maps for all four views could be linked to each other and shown in a multi-screen view. So, once a risk event that affects work package X is selected in the process perspective, affected products, participants and locations are shown in the three other views. Once clusters of risk events that occur in one or more of a common time frame or location, affect a common product or are owned by a common participant are identified, their drivers can be highlighted on corresponding tree-maps to show whether they are shared amongst the risk events in the cluster. At the individual work package level, analytical reasoning of general interest includes: \u00EF\u0082\u00B7 For each risk event, what are all the drivers from the four views? From an overview perspective, all of the drivers of a risk event in the four views could be shown in one image. This would increase the certainty regarding that all relevant drivers have been identified. \u00EF\u0082\u00B7 Are there any other risks caused by the identified drivers? How severe are those risks? Those drivers that cause multiple risk events or high level risks need more attention. \u00EF\u0082\u00B7 What is the root cause of the risk event? Some of the current risk registers, such as the one used by Risk Radar Enterprise have explained the root cause of risk event linguistically in free format. \u00EF\u0082\u00B7 What is the alert that shows a risk is emerging? (e.g. Exposure value becomes greater than X) \u00EF\u0082\u00B7 What is the risk status? (e.g. Mitigated, Transferred, Execute Contingency, Retired, Watch, Monitor, Avoid) 88 From a process perspective, analytical reasoning of interest includes: \u00EF\u0082\u00B7 Which work packages contribute to risk events? Are they on a critical path? Can they be removed? What is the likelihood that such driver(s) occur? \u00EF\u0082\u00B7 Which work packages/ phase does a risk event affects Is a milestone date affected by a risk event From a product perspective, analytical reasoning of interest includes: \u00EF\u0082\u00B7 Are there any products that contribute to an individual risk? \u00EF\u0082\u00B7 Which products are affected by an individual risk event? What are its constituent parts? From a participant perspective, analytical reasoning of interest includes: \u00EF\u0082\u00B7 For every individual risk event, which participant(s) act as driver(s)? \u00EF\u0082\u00B7 Who should bear the risk? If more than one participant needs to bear the risk, are they at an equal level in consortium and share the risk or at unequal level (e.g. prime contractor / sub-contractor level) so that one can tolerate more risk compared to others? Which participants are highly critical in the project due to the high risks they should bear, and should be taken care of? \u00EF\u0082\u00B7 Who is responsible for mitigating an individual risk event? From an environmental perspective, analytical reasoning of interest includes: \u00EF\u0082\u00B7 Which locations cause risks? \u00EF\u0082\u00B7 Which locations are affected by an individual risk event? \u00EF\u0082\u00B7 What are the environmental component risk drivers for each risk event? \u00EF\u0082\u00B7 Which environmental components act as risk drivers for multiple risk events? 3.5.3 Analytical reasoning in risk assessment In the risk assessment stage, risk exposure is determined as the product of the probability of occurrence of a risk and impact should it occur. Once probability and impact of individual risks are known, risks can be ranked amongst all active risks based 89 on their exposure value. If there are multiple risks happening for a common component, interactions among them should be taken into account to provide a rational risk assessment. A general way to express interactions is to say that an effect is modified by another effect. To manage risks that occur in a common time frame, in a common location, or are owned by a common participant, resources should be efficiently allocated to them. Impact value of risk events with the effect of interaction In assessing the likelihood and impact of individual risks, possible interactions among risks should be identified. The impact or likelihood of a risk can be magnified if more than one risk happens at a same time; at the same location or the risks are allocated to the same participant. This leads to the need to conduct analytical reasoning about the potential for risks to be clustered and their severity to be affected. To develop insights on potential interactions amongst risks, it is useful to group risk events based on time frames, drivers (products, processes, participants and environment components) or locations. Then, risks in the same group of time, drivers or locations can be prioritized taking into account the potential for interactions amongst them. Synergic, additive, antagonistic, cumulative or aggregated effects The Department of Health and Ageing (Australian Gov., 2005), has provided a risk analysis framework in the context of gene technology and general public health to show a picture on how they identify, assess and address risks. They have mentioned possible interactions (synergic, additive, antagonistic, cumulative or aggregated) amongst risks. Synergic effects happens when the effect of each driver in combination with others is magnified compared to when their effects are considered separately from others (i.e. the whole is greater than the sum of the parts). Additive effects occur when different hazards (drivers) give rise to the same adverse outcome (risk event) and increase the negative impact. Cumulative effects occur when there may be a repeated exposure over time and the outcome worsens with each repetition. Antagonistic effects happen when an action (e.g. a risk event or mitigation measure) alters the characteristics of another action in an opposing way. As an example for the latter effect, a gene that is introduced to 90 increase production reduces growth rate (Department of Health and Ageing, Australian Gov., 2005). Residual risk \u00E2\u0080\u0093 analytical reasoning of interest includes: \u00EF\u0082\u00B7 Does the interaction among risks affect residual risks? Some risks are mitigated, some are shared and others are transferred. It is important to know how residual risks are changed when risks happen at the same time, owned by the same owner or caused by the same driver. 3.5.4 Analytical reasoning in risk mitigation \u00EF\u0082\u00B7 Managers are interested to allocate limited resources to those risks that have a high impact on project objectives and also have high potential to be mitigated. One approach is to select high ranked risks as shown in a heat map diagram and focus mitigation policies on them. However, it might not be a wise decision to allocate resources to highly ranked risks to achieve only a small reduction in exposure, when with the same resources we could reduce a significant percentage of other risks or even cancel out some lower ranked risks. Color-coded bar charts provide a means to reveal an unbalanced treatment of risks. For example, Feather et al. (2006) used a bar chart as shown in Figure 3.24 to reveal the total impact of risk in two situations, when mitigation is and is not applied. Such an image shows any unbalanced treatment of risks when excessive resources are used to reduce risk exposure a little, while other risks remain unaddressed. \u00EF\u0082\u00B7 Managers are often faced with making a choice between two or more mitigation actions. Stacked color-coded bar charts (Figure 3.25) can be used to show the effect that each action can have on mitigating risk. In such bar charts, the relative effect of an alternative mitigation strategy, (increasing or decreasing probability) is shown by colors (black and yellow) on the base bar chart which represent the effect of the first mitigation strategy. When managers are asked to choose among more than two mitigation strategies, Kiviat Charts (Feather et al, 2006) can be used to compare several strategies simultaneously, where each polygon shows one specific 91 mitigation strategy, and a spoke of each polygon represents the amount of risk remaining after a risk mitigation strategy is applied. Figure 3.24 Comparing two mitigation actions (Source: Feather et al. 2006) Figure 3.25 Stacked bar chart to compare two alternatives (a), Kiviat chart to compare several risks (b) (Source: Feather et al.(2006) \u00EF\u0082\u00B7 In risk management we seek risk mitigation strategies that can address multiple risk events. So, it is beneficial to find drivers that are shared amongst multiple risks, because by removing one or more of those drivers more than one risk can be reduced or removed. Similar to risk and driver relations, a topology diagram can be Risk exposure without mitigation Risk exposure with mitigation Alternative mitigation action increase probability Alternative mitigation action decrease probability (a) (b) 92 a helpful image to show the relationship between mitigation strategies and risks that can be one-to-one, one-to-many, many-to-one or many-to-many. By placing the cursor on each risk, their corresponding drivers and mitigation strategies could be highlighted. Each mitigation strategy could be shown by a clickable square, where the size of square can be used as a metric that represent the effectiveness of each mitigation strategy with respect to the risk. Further, by clicking on each mitigation strategy square, risk mitigation strategy data (e.g. participant responsible for mitigation, cost, benefit, required resources and due date) could pop out. The color of squares could be used as a metric to represent the type of mitigation strategy (e.g. preventing or contingency). Residual risks could also be visualized by color-coding risk events. For example, risks that are shown by squares could be colored in white, black and gray to show risks that are totally transferred, accepted as they are, or partially transferred. When risks are partially transferred, the residual risk exposure could be labeled on the risk. Topology diagrams could be shown for different time frames or different locations in order to enhance clarity of the image. \u00EF\u0082\u00B7 Managers are interested to know whether or not mitigation actions cause secondary risks. Secondary risks could be shown at a level lower to the mitigation strategy level in the topology diagram discussed previously. \u00EF\u0082\u00B7 We are also interested to know the resources required for each mitigation strategy. By making the topology diagram clickable, all information about a risk mitigation strategy (e.g. resources, controls required to manage risks effectively, policies and actions required to implement the strategy) could be popped out. \u00EF\u0082\u00B7 It is important to know how a mitigation strategy can reduce risk exposure. Risk map diagrams are useful images that show how a mitigation strategy for a risk event reduces probability and/or impact of the risk event and the region to which the risk is moved in the heat map diagram. Effective risk mitigation strategies are those that move risks from red zone (high impact and high probability) to the amber or to the green zone. \u00EF\u0082\u00B7 In each project, a variety of solutions exist to manage risk. Each solution may be composed of multiple mitigation strategies. Valuable mitigation strategies are those used in multiple solutions (Feather et al, 2006). It is important to know what 93 mitigation strategies exist in each solution. It is useful to cluster solutions and show mitigation strategies used in each cluster of solutions. As shown in Figure 2.6, each cluster of solutions can be shown as a column in a grid, where each row of the grid represents a mitigation strategy. The degree to which a mitigation strategy is involved in each cluster of solutions is shown by color saturation, so that black means mitigation is involved in all solutions, white means mitigation is not involved in any of solutions in the cluster and tones of gray indicate degree of involvement of a mitigation strategy in the solutions in each cluster (Feather, 2006). For effective risk management, such an image would contain more dark squares (black and dark grey) rather than bright squares (white and light grey), which means mitigation actions are used in the majority of solutions for every cluster. An image similar to Figure 2.6 can be used to show mitigation actions versus cluster of risk events (instead of cluster of solutions). Thus, color saturation would show the percentage of risk exposure that is reduced in each cluster of risk events, when a mitigation action is applied. For example, black squares would show that a mitigation action X, mitigates the exposure value in the risk cluster Y by (80- 100)%; white shows that a mitigation action X would reduce risk exposure by (10- 20)% and tones of gray show percentage between the two extremes. \u00EF\u0082\u00B7 To compare forecast and actual values of residual risk (i.e. what it actually cost if it occurred), color-coded bullet charts could be helpful. As stated previously, Table 3.9 provides a summary of the analytical reasoning of interest, and as well, includes where appropriate candidate visualizations. 94 Table 3.9 Summary of analytical reasoning No. Analytical reasoning of interest Reasoning supported Candidate visualization 1 Overview visualization 1.1 What is the total distribution of risk events by likelihood and impact? What is the distribution in terms of every performance measure (PM)? It is important to have an understanding of the general risk level in the project; however, in multi-dimensional decision making, it is also important to know project risk level in terms of every PM. A 2\u00C3\u00974 matrix can be used to show 8 heat-map diagrams, where the first cell shows the general risk level in the project (based on risk impact on all PM), the other cells show project risk level in terms of each PM. 1.2 What is the distribution of risk events by responsibility? Managers can: 1. Rank participant (bearer(s) of risk) by exposure of the risk they bear, so they can implicitly analyze bearers\u00E2\u0080\u0099 attitude towards taking the risk (risk prone, risk averse, neutral). 2. Quantify impact of individual risks on every participant (including risks inherent by subordinates) in terms of all performance measures (4). 3. Quantify impact of clusters of risks owned by a common participant, taking into account the effect of interactions and possible shared drivers. 4. Identify participants overloaded with risk (e.g. do all risks remain with the prime contractor? Then, prime contractor has an important role and the project may fail if the prime contractor ceases to exist). So, they can distribute risks equally amongst all participants or to decide on outsourcing or using alternative procurement modes. 5. Identify relationship between participants (i.e. are they equal in consortium? Are they largely sharing risk? Or are they unequal in a contractor/ subcontractor relationship with one largely bearing the risk?) 6. Control whether risks are assigned to the right party or not. Visualization Tools: 1. A color-coded organizational chart might be used to show level of risk owned by every participant. User can define the level of hierarchy at which they want to see organizational chart. Details of risks owned by each participant can be popped out in a window on demand. 2. Similar to (1.3), tree-maps can be used to show hierarchy of risk events owned by every participant. Level of hierarchy can be selected by user, position shows the participant (in hierarchy) that owns the risk, size shows relative importance of risk and color shows risk level. 1. Level 1/ Level 2/ Level 3 2. Tree-map: (1.3) 95 No. Analytical reasoning of interest Reasoning supported Candidate visualization 1.3 What is the distribution of risk events by time or phase? Where do dependencies can be dispensed with, to increase parallelism? Managers can: 1. Rank work packages (WP) based on their level of risk; 2. Quantify impact of an individual risk on every work package in terms of all performance measures (4). 3. Quantify impact of clusters of risks that share a WP, taking into account the effect of interactions and possible shared drivers. 4. Identify WP/ phases which are at high level of risk, to plan for them or distribute their risks among other WPs. 5. See risks in one phase/ time frame. Visualization Tools: 1. A color-coded network diagrams can be used to show risk level at each WP, where risks on every WP are shown on a dropdown window and more details about risks are popped out in a detail on demand window. 2. Tree maps can be used to show hierarchy of risks in process view, so that risks are positioned based on the work package that they affect in work package hierarchy. Size can show relative importance (exposure value) and color shows risk level (predefined). 3. Tree-maps can be equipped with interactive feature so that user selects a time frame and see the risk events in that specific time frame. Also more details on risks in every cell can be popped out in a detail on demand window. Tree-maps can be joined with bar-charts to show exposure value of all risk events in every cell. So manager can see most important risks both in tree maps and in bar charts. Once a risk is chosen in a tree-map, its position on the three matrices (1.6) can be highlighted. 1. Network diagram with Tornado Diagrams 2. Tree-map (Top-down and Bottom-up approaches) Level 1/ Level 2/ Level 3/ Level 4 Adapted from:http://www.panopticon.com 3. DSM (2.8) 1.4 What is the distribution of risk events by product? Managers can: 1. Rank products based on level of risk that they contain to find those with high level risks to transfer or mitigate risks in them, provide appropriate terms of contract for that product, etc. 2. Quantify impact of an individual risk on every product in terms of all performance measures (4). 3. Quantify impact of clusters of risks that share a product, taking into account the effect of interactions and possible shared drivers. Visualization Tools: Tree-map: (1.3) 96 No. Analytical reasoning of interest Reasoning supported Candidate visualization Similar to (1.3), tree-maps and bar charts can be used to show hierarchy of risks but in product view. 1.5 How risks are distributed in location? Managers can: 1. Rank locations based on level of risk that they contain to find those with high level risks to transfer or mitigate risks in them. 2. Quantify impact of an individual risk on every location in terms of all performance measures (4). 3. Quantify impact of clusters of risks that share a location, taking into account the effect of interactions and possible shared drivers. 4. Keep risks of a location in mind, when the project reaches to that location. Visualization Tools: 1. A color-coded static map can be used, where green, amber and red show low, moderate and high risk levels. However, such predictions are not accurate and uncertainty in data can be shown by white pixels. So, managers can see high risks locations in the project and simultaneously they can see which regions which have less accurate estimates. 2. Similar to (1.3), tree-maps and bar charts can be used to show hierarchy of risks but in environmental view. 1. Static Map Source: Husdal (2001) Source: Hengl (2006) 2. Tree-map: (1.3) 1.6 What are the risks distributed across different processes, products, participants, and locations. Once the hierarchy of risk events is known from the four views (1.2), (1.3), (1.4), and (1.5), visualizing risks across views helps managers: 1. Identify risks in common components across views (e.g. common product and common process) to investigate interactions amongst them to rationally assess the impact of clusters of risks in those common components; 2. Quickly find the most problematic areas across the views; 3. Rationally assess impact value of an individual risk event. (i.e. once cross views are linked to individual views, affected components in every view will be shown once a risk is selected in an individual view. Once the affected components are identified, risk impact on each of them can be quantified in terms of performance measures) Visualization Tools: Matrices, where colors show risk level which is defined based on exposure value. Details of risks in every cell can be popped up in a separate window on demand. To show one-to-many relationships, affected products, processes, participants and environments can be highlighted on the matrix in (1.6) and on tree-maps in (1.2) to (1.5), once risk is selected on a window on demand. Level1/ Level2/ Level3 Source: Adapted from http://www.panopticon.com 97 No. Analytical reasoning of interest Reasoning supported Candidate visualization Every matrix can be joined with two bar charts to show distribution of exposure values among components in row and in column of the matrix. 1.7 What are interactions amongst risks in a common cluster? Identifying clusters helps managers to: 1. Analyze interactions amongst risks in a cluster (risks are those that are owned by a common participant, happen at the same WP, affect the same product or occur in the same location), to assess impacts of risk clusters. Clusters of risks in each view can be selected in tree-maps shown in (1.2), (1.3), (1.4), (1.5). Clusters across views can be chosen from matrices in (1.6). Then interactions amongst risks in the same cluster need to be investigated for a rational risk assessment. 1.8 W h a t a r e c a u s a l p a t h w a y s f r o m t h e r i s k e v e n t t o t h e a f f e c t e d c o m p o n e n t s i n t h e 4 ( p r o d u c t , p r o c e s s , p a r t i c i p a n t a n d 1. Which risks affect only one component in a view (product, process, participant, environment) Risks with one-to-one pathways may need less attention especially if the have low impact on the component that they affect. When such risks are selected from the table in right hand window, only one component in the tree-maps (left hand side) will be highlighted. User can select level of hierarchy of interest as discussed in (1.3). Dual window: Adapted from:http://www.panopticon.com 2. Which risks affect multiple component in a view (product, process, participant, environment) Identifying one-to-many pathways helps managers identify affected components and assess level of risk impact on every component to rationally assess the total impact of that risk. Risks that affect many components need high attention and need to be tracked during the project lifecycle. When such risks are selected from the table in right hand window, all \u00E2\u0080\u009Cmany\u00E2\u0080\u009D components will be highlighted on the tree-maps in left hand side. User can select level of hierarchy of interest as discussed in (1.3). 3. Which components in any of the four views are affected by more than one risk events? How do these risks interact with each other? Identifying many-to-one pathways helps managers identify critical components in any of the four views that are affected by \u00E2\u0080\u009Cmany\u00E2\u0080\u009D risk events. Then, it becomes important to analyze interactions amongst \u00E2\u0080\u009Cmany\u00E2\u0080\u009D risks. When a component is selected from the tree-maps on the left window, many risks will be highlighted in the table in right hand window 4. Which risks are highly correlated (happen in form of clusters) and affect multiple components Identifying many-to-many pathways helps managers find cluster of risk events that are caused by a common driver, happen in a common time frame, or location, or product or are owned by a common participant. Once they occur, they affect multiple components in the four views. When such risks are selected from the table in right hand window, all risks in Process/ Product/ Participant/ Environment View 98 No. Analytical reasoning of interest Reasoning supported Candidate visualization (in cluster form)? the same cluster can be highlighted in the table. Also, affected components in tree-maps will be highlighted in the left hand tree-maps. 2. Driver visualization 2.1 What are risk drivers for the risk issue categories? When generic areas (Patterson et al. 2001) are defined in the risk register, it is useful to see risk drivers in every area to assign them to the right manager and to help all managers see risks that exist in every area. Once the tree-maps are formed based on hierarchy of project areas, risk drivers in every area can be shown on tree maps. Size of every cell shows number of risk drivers in that area and color can represent number of risks caused by drivers (predefined). 2.2 What are risk drivers at every participant? It is useful to know drivers of risk event in participant view, to know who should be given Tree-maps such as (1.2) can be used to visualize hierarchy of risk drivers in participant view. By comparing (1.2) and (2.2), causal relations between risks and drivers may be identified. (Images can be linked, so when one selects risks/ drivers from one, drivers/ risks are highlighted on the other image) 2.3 What are risk drivers at every work package? It is beneficial to know phases/ WP at which drivers arise. Those work packages that contain many risk drivers, should be studied to possibly be changed/ replaced with less risky work packages or appropriate procurements should be selected to transfer risks. Moreover, once work packages which are drivers of risks are identified, mitigation actions should planned to prevent those drivers. A tree map like (1.3), can be used to show hierarchy of risk drivers in process view. By comparing (1.3) and (2.3), managers can see whether risk events and risk drivers occur at the same WP, and if not they can see the lag between risk event and driver(s). Then, manager can select mitigation actions with a response time that fits the lag. By comparing (1.3) and (2.3), causal relations between risks and drivers may be identified. (Images can be linked, so when one selects risks/ drivers from one, drivers/ risks are highlighted on the other image) 99 No. Analytical reasoning of interest Reasoning supported Candidate visualization 2.4 What are drivers in every product? Once the products that are drivers of severe risks are identified, they can be replaced or if possible be removed. Tree maps similar to (1.4) can be used where instead of risk events, risk drivers are shown on every cell. By comparing (1.4) and (2.4), causal relations between risks and drivers may be identified. (Images can be linked, so when one selects risks/ drivers from one, drivers/ risks are highlighted on the other image) 2.5 What are drivers in every location? Tree maps similar to (1.5) can be used where instead of risk events, risk drivers are shown on every cell. By comparing (1.5) and (2.5), causal relations between risks and drivers may be identified. (Images can be linked, so when one selects risks/ drivers from one, drivers/ risks are highlighted on the other image) 2.6 What are the risk drivers distributed across different processes, products, participants, and locations. Similar to (1.6), matrices can be used to show risk drivers across views, and it helps managers investigate interactions amongst drivers. In many cases, a driver in one view (e.g. location A) will be removed, when it is moved to another component in another view (e.g. WP B). (i.e. a location like river is a risk driver when piers are planned to be built in June. If the work package is moved to another phase, river is not driver any more). So, matrices to large extent facilitate finding the right mitigation action. Matrix: (1.6) 2.7 What are drivers (in the 4 views) that cause every risk event? Any risk event may have more than one driver rooted in one or more views (product, process, participant, and environment). When managers are focused on one view, they can easily miss the drivers in other views, so a visual tool that shows all drivers in the four views in one image will be useful. Parallel coordinated graphs might be used to show linkage between drivers at every view and the risk events. Risk events at the top level of hierarchy can be shown on the axis in the center and risk drivers at the top level of hierarchy can be shown on the axes around it. Risks will be linked to their drivers once they are selected. Link lines can be color-coded based on level (high, medium, low) of the risk selected. If the driver on the axis is the root driver it is colored in red; otherwise, it is in black and user is required to drill down to see the hierarchical tree where route to the root driver is colored in red. As a disadvantage, such a diagram might be less readable when it is polluted. 100 No. Analytical reasoning of interest Reasoning supported Candidate visualization 2.8 What are schedule drivers? It is important to visualize how activities rely on information/ products of other work packages. Those activities at the front end of the project lifecycle, that rely on information produced in the back end are risk drivers as they may cause re-works and they may need to be re-scheduled. DSM is matrix that shows the logic between activities, so that columns show activities (Xi) that activity (Yi) relies on, and rows show activities (Yi) that activity (Xi) provides information for. The marks on the lower left triangle indicate activities that rely on the later activities and may cause re-work if they are carried out based on wrong assumptions. Once managers see them, they should reschedule activities and re-order rows and columns so that the lower left triangle becomes less populated. Source: Browning (2004) 2.9 C a u s a l p a t h w a y s f r o m d r i v e r t o r i s k e v e n t 1. Which risk drivers result a single risk event? What is the hierarchical relationship of that risk event with other risks? Identifying one-to-one pathways helps managers identify risk drivers that cause one risk event only. Such pathways can be identified in a dual window (1.8) or by comparing the tree-maps that show risk event (1.2) to (1.5) versus maps that show risk drivers (2.2) to (2.5). 1.Dual window: 2. Comparing tree-maps: Source:http://www.panopticon.com 2. Which drivers cause multiple risk events? Identifying one-to-many pathways help managers: 1. Identify drivers that cause multiple risk events. Managers are interested to remove such drivers to remove multiple risks. 2. Identify cluster of risk events that are caused by a single driver. In that sense, interaction among \u00E2\u0080\u009Cmany\u00E2\u0080\u009D risk events that are caused by \u00E2\u0080\u009Cone\u00E2\u0080\u009D driver assists in providing a rational risk assessment. Such pathways can be identified in a dual window (1.8) or by comparing the tree-maps that show risk event (1.2) to (1.5) versus maps that show risk drivers (2.2) to (2.5). 3. Which one risk event occurs as result of multiple drivers? Identifying many-to-one pathways help managers identify risk events that are caused by multiple drivers. In this case to find the root driver, it is important to study interactions amongst \u00E2\u0080\u009Cmany\u00E2\u0080\u009D drivers that cause \u00E2\u0080\u009Cone\u00E2\u0080\u009D risk. Such pathways can be identified in a dual window (1.8) or by comparing the tree-maps that show risk event (1.2) to (1.5) versus maps that show risk drivers (2.2) to (2.5). Process/ Product/ Participant/ Environment View 101 No. Analytical reasoning of interest Reasoning supported Candidate visualization 4. What are cluster of risk drivers that cause cluster of risk events? 4. Identifying many-to-many pathways helps managers identify clusters of risks that occur as result of clusters of drivers. These are risks/ drivers (in one or multiple views) that are highly correlated with each other but not under a common parent in hierarchical tree, so they can not be replaced by their parent risk/ driver. Such drivers that occur together, cause a cluster of risks to occur in form of a cluster. Once manager identified such pathways, interactions and interdependencies amongst drivers should be studied to find the root driver(s), and interactions amongst risks should be studied to have a rational risk assessment. Such pathways can be identified in a dual window (1.8) or by comparing the tree- maps that show risk event (1.2) to (1.5) versus maps that show risk drivers (2.2) to (2.5). In this case, once a risk event is selected in a tree-map, other risk events in the same cluster are highlighted on tree-maps (1.2) to (1.5) and drivers are highlighted on tree-maps (2.2) to (2.5). 3. Performance visualization 102 No. Analytical reasoning of interest Reasoning supported Candidate visualization 3.1 What is the impact of an individual risk event on all performance measures (cost, time, quality, scope, safety, reputation and environment). What is the range of possible outcomes? (other than the most likely outcomes) Making the impact value of risks on each PM visible and available, helps managers: 1. Evaluate the overall impact of the individual risk event in order to calculate risk premium to cover cost overruns, delays, etc. 2. Be confident in the answer and be able to assess reasonableness of the calculated premium 3. Facilitate communicating amongst parties. Visualization Tool: If amount of impact values are certain, they can be shown on every PM by: . 1. Bullet graphs provide both qualitative and quantitative visualization, so that they show quantity of every performance measure versus the maximum accepted exposure value. Three shades are provided in the graph to show low, medium and high level of risk. Details of performance measure and its reference point will be shown when cursor is moved on the bullet. 2. Once hierarchies of risks in the 4 views are shown in tree-maps in (1.2), (1.3), (1.4) and (1.5), a color-coded tableau can be used to show effected components (based on defined level of hierarchy) and show risk exposure and risk level in terms of every performance measure. In the last column, total exposure value is shown based on previous columns. If amount of impact values are uncertain, they can be shown by 1. Multiple estimates or a range of estimates (shown for cost and time). 2. White points can be used to show amount of uncertainty in the evaluated risk level in table discussed above. So, managers can see impacts of the risk event on all performance measures, while they can see which performance measures have less accurate performance measures. Certain Impacts 1. Source:http://www.panopticon.com 2. Uncertain Impacts Source: RiskAid (2009) 3.2 What is the risk level before and after mitigation action at the individual and cluster levels? It helps managers assess the effectiveness of mitigation actions in mitigating risks: Visualization Tools: 1. Pairs of tree-maps: Tree-maps in (1.2), (1.3), (1.4) and (1.5) show risks 1. 4 sets of 7 pairs of tree maps: For every view: 103 No. Analytical reasoning of interest Reasoning supported Candidate visualization and their impact (exposure) before mitigation. The same tree-maps can be used to show exposures after mitigation. So, for every selected cluster in any of the four views 7 pairs of tree-map will be available to compare pre and post mitigation exposure values in terms of every performance measure. Where every set of 7 pairs are repeated for every view. This helps managers see the effectiveness of mitigation action in reducing risk exposure and identify risk events that are not addressed by any mitigation. Moreover, the hierarchical nature of tree-maps helps the user see exposure value of events at lower levels of hierarchy which may be hided when only average values are investigated at top levels. To save space, one pair of tree-maps can be shown for every view, while different performance measures can be selected from the drop down and the exposure values on every risk event in the hierarchy will come up based on the selected performance measure. 2. Pairs of heat maps: In every selected cluster of risk events (or for total risks in the project), heat maps can be used to show number of risk events in every cell of heat-map. Risk levels can be shown based on risk impact on every performance measure and in general. For individual risk events, a pair of heat map can be used, where risk event is positioned on it before and after mitigation. Images can be equipped with interactive features so that user selects the timing of interest from calendar/ slide bar and see the heat map in the selected time horizon. 3. Pair of dashboards: For quantitative and qualitative measures, pair of dashboards can be used to show risk impacts before and after mitigation. 2, Heat-map pairs: For individual RE: 3. Dashboards Source: RiskAid (2009) 104 No. Analytical reasoning of interest Reasoning supported Candidate visualization 3.3 How the exposure values of risk events change over project life-cycle? Since exposure values change during project life-cycle, it is useful to track the exposure value during the project. 1. Line graphs: Once the exposure value of every risk is derived in terms of risk level (1, 2, 3, 4, 5), they can be visualized in form of line graph through project life cycle. 2. Stacked graph: Since line graphs might be populated with lines, stacked graphs might be used instead, where every stack shows risk level for an individual risk or one cluster of risks in terms of one PM and color shows risk level (high/ moderate/ low). So, in a good risk management, stacks should be tall and red at the beginning, but become smaller and greener as the project evolves. Stacked graphs can be used to show all risks in one cluster, so that every stack shows overall risk level of one risk in the selected cluster. Adapted from:http://www.panopticon.com O v e r a l l r i s k l e v e l Risk level of REi (part of a cluster) REi REj REk REl Cluster of risk R i s k l e v e l o f a s e l e c t e d R E o n P M i Risk level on PMi (cost) Individual Risk 105 No. Analytical reasoning of interest Reasoning supported Candidate visualization 3.4 What is the impact of a cluster of risk events? Once cluster of risk events are identified in tree maps shown in (1.3) to (1.5), and impact of individual risks within risk events is assessed in (3.1), impact of all the risks with in a cluster can be shown in one screen. Visualization Tool: Once cluster of risks are selected on tree maps (1.3) to (1.5): 1. Matrix of scatter plots can be shown on a second window to compare impact of risk events on pairs of performance measures (i,j). Such a matrix, is useful when limited number of risks exist in the cluster; otherwise, it takes a lot of space and put a lot of weight on the user to evaluate total risk impact based on all cells. 2. Star plot matrices (radar charts) can be used to show impact of every risk within the selected cluster on the 7 PMs. The area enclosed in every star plot shows the overall risk impact. Radar charts can be ordered in the matrix based on their enclosed area or based on one PM of interest. The matrix is useful when at least two PM are affected by the risk in each cell, and when number of risks in the cluster is so limited that the matrix does not take a lot of space. 3. Normalized star-coordinated plots (similar to star coordinated plots) can be used to show impact value of the selected risks on every performance measure; where initially, scopes are positioned equally from each other. Impacts on every PM are transformed to monetary measure according to the ratio of that PM to cost, and then the impact values are vector summed to calculate total impact of the risk event. Finally, a unique impact value is derived for every risk event, which is shown by a point that represents multiple dimensions. The plots support interactive features like scaling size (to show importance of one measure compared to the others) and scaling angles (to group performance measures). 1. 2. 3. 106 No. Analytical reasoning of interest Reasoning supported Candidate visualization 4 Mitigation visualization 4.1 What mitigation actions are planned for every risk event? What is the effectiveness of every mitigation action (at project level and at risk event level)? For cost benefit analysis, it is useful to see list of all mitigation actions and their effectiveness in terms of the exposure value that they reduce. Visualization Tool: Bar-chart graphs show exposure level of every risk event, before and after mitigation action. The exposure value mitigated by every mitigation action, is shown under that mitigation. Sum of the cells in each row represents the total exposure mitigated in every risk event. Sum of the cells in each column shows total exposure mitigated by one mitigation action. According to the space it uses, it is a useful tool to show small number of risks vs. small number of mitigation actions. Once mitigation action are selected, risk events could be highlighted on the tree-maps (1.3) to (1.5) and risk drivers that are addressed by mitigation action could be highlighted in (2.3) to (2.5). 4.2 What is the distribution of mitigation actions by participant? Distribution of mitigation actions by participants help managers 1. See the direction on action plans, and see how contingency should flow down the management structure. 2. Check whether the mitigation action can correctly address the drivers in (2.2) 3. Check how mitigations mitigate impact on the participant in (1.2) 4. Check whether the mitigation action is owned by the right person (one who has authority and ability to mitigate risk), or if multiple mitigation actions are assigned to one participant. 5. Once the owner of mitigation action is known, managers can easily see the participant and can ensure that decisions regarding the mitigation actions are accepted and acted upon. Visualization Tool: Once the distribution of risk events and risk drivers by participant are shown on tree-maps (1.2) and (2.2), it is useful to show distribution of mitigation actions on a similar tree-map. Tree-map (1.3) Mitigation Action Id 107 No. Analytical reasoning of interest Reasoning supported Candidate visualization 4.3 What is the distribution of mitigation actions by WP? Distribution of mitigation actions by work packages help managers: 1. Check if mitigation action has occurred at the right time (i.e. reduction actions should take place before the phase in which risk events occurs, contingency plans should be scheduled to occur at a phase after risk event). 2. See which WP is the most cost effective phase to apply mitigation action (By moving mitigation actions across project phases, the optimized NPV will be reached.). Visualization Tools: 1. Tree-map: once distribution of risk events and risk drivers by work package are shown on tree-maps (1.3) and (2.3), distribution of mitigation actions can be shown on a similar tree map. Comparing the three maps helps managers reach the above. 2. Water fall diagram might be useful as they show: distribution of mitigation actions by project phase, risk events affected by mitigation action, risk exposure before and after mitigation and residual risks. But they can be applied when mitigation actions and corresponding risk events happen in the same phase, and when number of risk events is not that big to widen the image. 1. Tree-map (1.3) 2. Water-fall diagram 4.4 . What is the distribution of mitigation actions by product? Once managers see distribution of risk events by product in (1.4) and distribution of drivers by product in (2.4), it is useful to see distribution of mitigation actions by product to control if all risks are correctly responded and if some risks are assigned more mitigations than required. Tree-map (1.3) 4.5 What is the distribution of mitigation actions by location? Tree-maps similar to (1.5) and (2.5) can be used to show distribution of mitigation actions by location. Comparing the three maps helps managers see if mitigation responds to right drivers and mitigate right risks. It also shows if in a location multiple mitigation actions occur at the same time which may lead to congestion. Tree-map (1.3) 4.6 What is the distribution of mitigation actions across views? Once drivers are shown across views (2.6), interactions amongst drivers can be analyzed to plan for suitable mitigation actions. Distribution of mitigation actions across views helps managers see mitigations that should occur at a common cross view (same WP and by same participant, or at same WP and same location). It should be controlled whether they cause problems such as congestion, responsibility overload, etc. Matrix: (1.6) 4.7 Do mitigation actions themselves cause new risks? Once mitigation actions are visualized in the four views, the possibility of creating secondary risks should also be investigated. Water fall diagrams might be useful; in spite of its limitations 108 No. Analytical reasoning of interest Reasoning supported Candidate visualization 4.8 How effective are they in mitigating risks? Visualizing such information helps managers see the effectiveness (benefit) of every mitigation action, and after comparing with cost decide on taking the action. Moreover, it shows risk events that are not affected by any mitigation plan, and those that are not properly mitigated. Visualization tool: 1. Waterfall diagrams (4.3), can be useful in visualizing effectiveness of mitigation actions. Area of mitigation boxes shows effectiveness of mitigation action (width: number of mitigated risks, height: mitigated exposure). Risks remained at the end can be derived by summing up all residual risks. 2. Once cluster of risk events are defined based on the tree-maps in (1.2), (1.3), (1.4), (1.5) or based on any matrices shown in (1.6), they can be shown on the horizontal axis of the matrix vs. mitigation actions on the vertical axis. Colors show effectiveness of mitigation actions in mitigating risk severity in every cluster. (e.g. black shows that mitigation action X can (80-100)% reduce risk exposure value in cluster Y, white shows mitigation action X can (0-20)% reduce risk exposure value in cluster Y, and tones of grey can be defined between black and white). Source: Feather et al. (2007) In a good risk management, the matrix is darker which shows selected mitigation actions can effectively reduce risk severity in the majority of clusters and optimum use is made of risk reduction sources 4.9 What is the effectiveness of mitigation actions on reducing the drivers? To evaluate effectiveness of mitigation actions, it is useful to visualize mitigated risk exposure value, number of mitigated risks and fraction of risk drivers before and after mitigation action. - Bar chart shows the exposure value which is mitigated by every mitigation action. - Line graph shows number of risks mitigated. - Fraction of drivers in product, process, participant and environmental views before and after mitigation are shown on outer and inner circles. 4.10 What is effectiveness of an individual mitigation plan through project life? A waterfall format shows how risk is mitigated by a mitigation plan during project life. So, manager can quickly see risk level at every point of time. Source: RRE overview (2010) 109 Chapter 4: Potential Use of Visualization in Risk Management 4.1 Introduction The purpose of this Chapter is two fold: a) To suggest visualization tools in support of the following analytical reasoning: \u00EF\u0082\u00B7 Risk identification: - What are the risks with high probability and high impact? - What are the drivers of the risk events with high probability and high impact? - What are the drivers of an individual risk event from the four views of process, product, participant, and environment? \u00EF\u0082\u00B7 Risk assessment - Where does the impact value of an individual risk event come from? - What is the impact value of a risk event on each performance measure (with more focus on risks with high impact and high probability)? \u00EF\u0082\u00B7 Risk mitigation - What mitigation actions are planned for the risk events with high probability and high impacts? - What is the distribution of mitigation actions by project phases? - Which risk events does an individual mitigation action address? (Those mitigation actions that address multiple high level risk events are of particular interest); - How effective is a mitigation action in reducing risk exposure? b) To evaluate the visualization tools suggested based on three general rules of thumb explained in Russell et al. (2009): - Does the suggested visual representation of data scale well? - Is it readable? - How many analytic reasoning tasks does the tool support? This may reduce the time needed to analyze multi-dimensional data. 110 - Does the visualization tool support interaction features to facilitate examining data from different perspectives and different levels of detail? - Can the visualization tool be designed in multiple images, so that one shows the big picture of data and others show more details? As part of our methodology we have created a synthetic risk register to test the suggested visualization tools. The main issue with most of the tools suggested is that they become cluttered and unreadable when they are used to visualize a large amount of information. Sections 4.2, 4.3 and 4.4 treat the visualization tools that we have suggested for risk identification, risk assessment and risk mitigation stages in support of the aforementioned analytical reasoning. They are then evaluated based on the rules of thumb set out in Russell et al. 2009 and tested with the synthetic risk register content: 4.2 Potential use of visualization in risk identification Once risks are prioritized based on their probability and impact, they can be usefully nested on a heat map similar to Figure 4.1. Heat maps facilitate identifying risk events with high probability and high impact values (red cells in Figure 4.1), which require high attention and need to be mitigated or removed. Amber cells show those risk events which are not as problematic as the red cells, but they require attention in order to avoid being moved to the red zone. Green cells show risks with low probability and low impact, and need less attention compared to the other two zones. To transform risks from the red and amber zones to the green zone, it is useful to investigate risk drivers (i.e. where a risk has come from) and respond to them correctly through preventative actions or contingency plans. We have examined two options to visualize drivers of risks: parallel coordinate plots, which are recommended in the data visualization literature such as in Grinstein (2001) as a way to visualize multidimensional data, and multiple tree-maps as an 111 alternative tool to visualize the distribution of risk drivers by product, process, participant and location. To keep the images readable and not cluttered, our main focus is to show those risks which are positioned in an individual cell of the heat map. Figure 4.1 Distribution of risk events by probability of occurrence and impact Source: Russell (CIVL 522 and BAPA 580 Lecture Notes) Parallel coordinate plots Parallel coordinate plots use parallel axes (Figure 4.2) instead of perpendicular ones where each axis represents a dimension of a multi-dimensional dataset (Grinstein, 2001). Once a cell is selected from Figure 4.1 (e.g. a red cell at the top right corner), risk events within that cell and their driver(s) could be shown on Figure 4.2, which works as follows: - The four peripheral axes show product, process, participant and environmental views; Linguistic Range Average VH 0.8 - 1.0 0.9 0.09 0.54 2.7 6.75 18.0 H 0.5 - 0.8 0.65 0.07 0.39 1.95 4.88 13.0 M 0.3 - 0.5 0.4 0.04 0.24 1.2 3.0 8.0 L 0.05 - 0.3 0.175 0.02 0.11 0.53 1.31 3.5 VL 0 - 0.05 0.025 0.003 0.02 0.08 0.19 0.5 Cost Linguistic VL L M H VH Outcome Range ($ mill) Average 0.1 0.6 3.0 7.5 20.0 Confidence level (likelihood/outcome): Likelihood 0 - 0.2 0.2 - 1.0 1.0 - 5.0 5.0 - 10.0 10.0 - 30.0 25 37 43 74 62 97 82 114 3 17 28 2 71 14 11 56 19 44 1 135 7840 6753 847 29 75 10 96 93 57 12 52 4 22 27 39 72 64 23 55 87 73 89 31156 20 38 4647 76 8 9 26 45 77 59 90 100 85 16 104103 32 41 65 42 18 33 34 68 79 83 88 65 21 30 51 70 91 63 H\u00C2\u00A0/\u00C2\u00A0H H\u00C2\u00A0/\u00C2\u00A0L L\u00C2\u00A0/\u00C2\u00A0H L\u00C2\u00A0/\u00C2\u00A0L Risk #: 96 Code:01.05.04.01 Description: Cofferdam flooded; river flow \u00E2\u0089\u00A5 50 yr max Impacts: cost, time, life Resp: Contractor 112 - Squares on each peripheral axis show risk drivers in the view that the corresponding axis represents (e.g. pier in the product view); - The central axis shows the risk events in an individual cell selected from Figure 4.1; - Every square on the central axis shows an individual risk event (squares are labeled with the risk Id); - Lines connect every square(s) on the central axis to the square(s) on the peripheral axes to show causal pathways (one-to-one, one-to-many, many-to- one and many-to-many) between risk event(s) and risk driver(s); - Color is a mean of distinguishing between risk events and it facilitates tracking every risk event regardless of its risk level (red, amber, green). Risks within a common cell of heat maps have the same color. To show how parallel coordinate plots work, we have created a synthetic risk register in Table 4.2. Table 4.1, shows the rationale that we have used to evaluate the impact of risks on each performance measure considered. Figure 4.2 shows how parallel coordinate plots can be used to show risk drivers in the four views. 113 Table 4.1 Rationale used for evaluating impact of risk events on performance measures (PM) Adapted from: Kerzner (2009), Making it Happen (2002) PM Risk level Time (linguistic) Capital cost (cost over- run to total project cost) Quality (O&M cost to total project cost) Reputation Scope (Percentage of change in scope) Safety (per week) Environment Time (time over-run to total project duration) Salmon Water quality N No impact 0 No change 0 No reduction in sepecies No contaminants VL Minimal impact (0-1)% (0-1)% Minor article in local media or on a website Many minor scopes change An individual injures slightly- and can get cured in an hr Lose (1-3)% of semen Contaminants that affect water color- non toxic 1% 1% L Additional resource required to meet a need date (1-5)% (1-5)% Headline article in local media All minor scopes and a few major scopes change An individual injure severely- and can get cured in less than 3 hrs Lose (3-5)% of semen Contaminants that affect water odor and color- non toxic 3% 3% M Minor slip in key milestones (5-7)% (5-7)% Minor article in national media Some major scopes changes An individual injure severely- needs to stay at hospital Lose (1-3)% of salmons Lose (3-5)% of semen Contaminants that affect water odor and color- might harm children and elder generation 5% 5% H Major slip in key milestones (7-10)% (7-10)% Headline article in national media Several major scopes changes An individual injure severely- lose a limb Lose (3-5)% of salmons Lose (5-10)% of semen Toxic contaminants that affect water odor and color- not suitable for drinking but serves other purposes (washing, irrigation) 7% 7% VH Can\u00E2\u0080\u0099t achieve key team & major program milestones 10% or more 10% or more Prolonged national media campaign or lobby group campaign Project is completely changed in scope An individual passes away because of injury Lose more than 10% of salmons and semen Highly toxic contaminant- not suitable for irrigation purposes, water vapor will contaminate the air. 10% 10% 114 Table 4.2 A Synthetic risk register R isk Id Risk Description Project area (Patterson 2001) Driver Impact of performance measure Mitigation action Product Process Participant Environm ent Tim e C ap. cost Q uality R eputation Scope Safety Environm ent 1275 To thrust a pier on June, river route should be diverted; salmons should be relocated, which may harm their insemination. Project Natural Salmons Pier (Foundation) -Thrusting a pier (cast in place) -Owner (charge for penalties) -Contractor River L L N H VL N H -Avoidance: Use cable stayed bridge without pier O w ner m ay tem porarily stop the w ork Penalties 4730 River route will be diverted to lands owned by first nations which may damage their farms. External Legislation First Nations Pier (Foundation) Fist nation representativ e Contractor River M M N M VL V L H -Transfer to contractor -Avoid by using a diversion tunnel It takes tim e to convince first nations Pay for dam ages D epends on w ater quality 2161 To divert the river, a coffer dam should be built, which may go with the flood. Project Deliverables Cost Pier (Foundation) Thrusting a pier (cast in place) Owner (charge for penalties) River H H L V H L H VH -Mitigate by heightening the coffer dam -Avoid by replacing a pier bridge with cable stayed one 115 R isk Id Risk Description Project area (Patterson 2001) Driver Impact of performance measure Mitigation action Product Process Participant Environm ent Tim e C ap. cost Q uality R eputation Scope Safety Environm ent 1322 Corrosion may happen in pier if the concrete coating is gone as result of not being well attached to concrete or when coating is gone as result of cavitations. This need regular inspections and maintenance. Project Deliverables Quality Pier (rebar- concrete) Operation Contractor River VL V L H L VL V L L 1. Mitigate by increasing the width of concrete coating on the rebar and enhancing the finishing quality. 2. Avoid by replacing a pier bridge with cable stayed one 1323 Separation may occur at the joint between pile cap and pile. Project Deliverables Quality Pier (rebar) Contractor River VL L H M N L L 1. Mitigate by increasing the penetration depth of rebar in concrete; 2. Avoid by replacing a pier bridge with cable stayed one 1324 Separation may occur at the joint between pile cap and superstructure. Project Deliverables Quality Pier (rebar) Contractor VL V L M V L N V L VL 1. Mitigate by increasing the penetration depth of rebar in concrete; 2. Avoid by replacing a pier bridge with cable stayed one 1325 Cavitations may occur in high flow Project Pier Operation Contractor River M H H H M M H 1. Mitigate by enhancing 116 R isk Id Risk Description Project area (Patterson 2001) Driver Impact of performance measure Mitigation action Product Process Participant Environm ent Tim e C ap. cost Q uality R eputation Scope Safety Environm ent velocities, if surface of the concrete is not smooth enough. This need regular inspections and maintenance. Deliverables Quality (concrete) If occurs during const If occurs during const quality of finishing the concrete surface; 2. Avoid by replacing a pier bridge with cable stayed one 2136 Geotechnical investigations show bedrock at the depth of 5m from river base at Pier 2. According to regional soil condition a layer of alluvial soil may exist at depth of 4, which may cause 3cm settlement in pier 2 if not identified before. Technical Design Geotechnical Pier (Foundation) Thrusting pier (onsite or pre-cast) Management of Geotech. team Underg round soil H V H H V H M M H 1. Mitigate by performing an in-depth geotechnical investigations/ inserting pile to a depth more than 4m. 2. Avoid by replacing a pier bridge with cable stayed one 1233 While the access road is under construction, new highway A (with large amount of traffic) can not be used and traffic jam may occur in the old narrow alternative highway B. (it is unsafe, old and narrow, which may slow traffic) Project Resources Facilities Access road Access road constructi on Highw ay B L V L N M VL H L Accept but reduce the construction time of the access road. M ay slow dow n the process of delivering m aterial M ay affect air pollution 117 R isk Id Risk Description Project area (Patterson 2001) Driver Impact of performance measure Mitigation action Product Process Participant Environm ent Tim e C ap. cost Q uality R eputation Scope Safety Environm ent 1243 To divert river a 10m diversion tunnel should be bored in the mountain; faults may be activated while boring and small earthquakes may occur that stop the boring process. Project Natural Fault Diversion tunnel (wall) Boring the tunnel Rocky mounta in H H V H H L V H VH Avoid by performing an in- depth study of the faults, and choosing the right place 2144 If walls of diversion tunnel are not waterproofed well, water will flow inside the fractions on the wall, wash the soil in fractions which may harm wall stability and tunnel may collapse. Technical Design Diversion tunnel (wall) River H V H H V H H V H VH Water-stop should be used 2145 If wall of the tunnel is rough due to low quality of finishing, cavitations may occur in high flow velocities. Technical Design Diversion tunnel (wall) River H V H V H H M V H VH Enhance quality of finishing of concrete surface. 2146 If mouth of tunnel is not designed well, large drag force will damage the tunnel. Technical Design Diversion tunnel (mouth) River H H H H L M VH Provide an appropriate design for tunnel mouth 2315 One TBM exists in the project, and if it stops working it takes 7 days to replace it with a new one. Technical Equipment Availability TBM Tunnel (main) Boring the tunnel TBM Company Rocky mounta in L L V L L N N N Set an appropriate contract with TBM provider. 4759 The highway passes the forest owned External Road Passing First nation Forest M M N H M N H Transfer the risk by 118 R isk Id Risk Description Project area (Patterson 2001) Driver Impact of performance measure Mitigation action Product Process Participant Environm ent Tim e C ap. cost Q uality R eputation Scope Safety Environm ent by the First Nations, and large amount of trees should be cut. While first nations may not allow cutting their trees. Legislation Cutting trees the Forest Im pact on trees outsourcing that part of the project to third party 2234 As an alternative, instead of passing through the forest, a 20km tunnel can be bored to not to cut trees. Water will leak inside the tunnel and tunnel will collapse if the fractions are not waterproofed well. Technical Construction Tunnel Tunnel (wall) Tunneling beneath the forest Underg round H H H V H M V H M Avoid by an in-depth study of the elevation of water level, drain water and water proof the tunnel. 2235 Since soil in the area is not cohesive, it may not resist and may cause the tunnel to collapse. Technical Construction Tunnel Tunnel (soil surrounding the tunnel) Tunneling beneath the forest Underg round H H H V H M V H M Appropriate soil stabilization techniques should be applied. (e.g. rock bolts with appropriate strength) 119 Figure 4.2 Visualizing risks and risk drivers in different views: a) three risks b) six risks c) eleven risks (a) (b) (c) 120 Analytical reasoning that the image supports includes the following: - What product(s) are the driver(s) for an individual risk? (e.g. pier, tunnel, road) - What process(es) are the risk driver(s) for an individual risk? (e.g. Thrusting a pier, which means forcing the pier to soil) - What participants(s) are the driver(s) for an individual risk? (e.g. Contractor, Owner) - At which location(s) are the driver(s) for an individual risk? (e.g. River, Forest, Underground) - Which drivers cause multiple risks and need high attention? (e.g. pier and river in Figure 4.2). - Which risk events happen as a result of multiple drivers? (e.g. RE 4730 is caused by two drivers in participant view: owner and contractor) Evaluating the visualization tool shows the following: - When a large number of risk events (e.g. 11) is shown on the central axis (Figure 4.2(c)), a parallel coordinate plots becomes less readable, because lines that show the linkage between risks and drivers overlap and they cannot be easily tracked. To make matters worse, as the number of risks increases, so do the number of risk driver components. - As shown in Figure 4.2(c), the plot suffers from a labeling problem, because it requires every square on the peripheral axes to be labeled with its name and squares on the central axis to be labeled with the risk Id; - For a few risk events (e.g. 3 risk events in Figure 4.2(a) and 6 risk events in Figure 4.2(b)), parallel coordinate plot shows risk drivers in the four views in a single image and it reduces the time required for investigating every view separately, but for multiple risk events, it becomes unreadable; - Even if the image is cluttered (Figure 4.2(c)), it facilitates identifying the drivers which cause multiple risk events (e.g. pier and river) ; - Parallel coordinate plots show risk drivers only at the top hierarchical level to keep the image readable; 121 - Drivers identified in one view (e.g. product view in Figure 4.2(c)) might be more in number than those identified in other views. This may cause the squares and lines on that view to be denser compared to another view, which makes the image less readable. To enhance readability, it is useful to equip the image with interaction features such as scaling. Thus, the user can drag the axis and see lines more clearly. Finally, parallel coordinate plots might be used to show a big picture of the linkage between a few risk events (e.g. less than five) and their drivers at the grandparent level. For multiple risk events and drivers at multiple levels of hierarchy, the diagram becomes cluttered and hard to read such as Figure 4.2(c). To enhance clarity, interactive features such as dragging and scaling the axis, or inclining the axes might be useful as they help separating lines from one another. Multiple tree-maps Multiple tree-maps are used in Panopticon to show risks that are distributed by locations at different levels of hierarchy (region, country, city, store and desk). Similarly, every cell of the heat map (Figure 4.1) can be linked to tree-maps to show the distribution of drivers of risks within that cell by product, process, participant and location. Multiple tree maps are shown in Figure 4.3 (adapted from Panopticon http://www.panopticon.com/) and they work as follows: - Figure 4.3(a) shows the list of risk events in the selected cells of the heat maps (Figure 4.1) and their details, (e.g. risk ID, risk owner, date on which risk is identified, risk exposure, etc.) are extracted from the risk register; - Tree-maps (Figure 4.3(b)) show the hierarchy of risk drivers in the process, product, participant and environmental views; - Users can select the hierarchical level in each tree-map using the slide bar on top of that map (i.e. level of detail can vary in each tree-map); - Every cell in each tree-map represents one driver at the selected level of hierarchy (i.e. levels 1,2,3); 122 - Once risks are classified to quantifiable, and non-quantifiable (i.e. epistemic and actuarial) (Williams, 1994), color can be used as a metric to show their driver. So that risk drivers that cause non-quantifiable risks and need to be covered by contingency plans are colored in red and drivers that cause quantifiable risks are colored in blue. For example for a driver such as river under flood conditions, preventative mitigation actions will not work, but they may need contingency plans; - Size of every cell on the tree-maps shows the number of risks which are caused by that driver (e.g. \u00E2\u0080\u009Criver\u00E2\u0080\u009D is a driver that causes 4 non-quantifiable risks and it is shown with a large red box on the tree-map, but \u00E2\u0080\u009Cthrusting a pier\u00E2\u0080\u009D is a controllable driver which causes 2 risks, and is shown with a smaller blue box); - When a risk is selected from the table in Figure 4.3(a), its drivers from the four views will be highlighted on the tree-maps in 4.3(b). 123 Figure 4.3 Table of risk details (right hand window), Risk drivers distributed by work packages, products, participants and environmental components (left hand window). Adapted from: http://www.panopticon.com/demo_gallery/view-urls.php?id=99 124 Figure 4.3 supports the following analytic reasoning: - For a selected group of risks (e.g. those in a selected cell of the heat map in Figure 4.1), which products (what) are the risk drivers? (e.g. pier) - For a selected group of risks, which work packages are the risk drivers? - For a selected group of risks, which participants (who) are the risk drivers? (e.g. owner) - For a selected group of risks, which locations are the risk drivers? (e.g. river) - What is the causal pathway between the risk event and the driver(s) o One to one: Once a risk is selected from the table (Figure 4.3(a)), one driver will be highlighted in each tree-map in Figure 4.3(b). o Many-to-one: Once a risk is selected from the table (Figure 4.3(a)), multiple drivers will be highlighted in each tree-map in Figure 4.3(b). o One-to-many: Once a driver is selected from the tree-maps (Figure 4.3(b)), multiple risk events will be highlighted in the table (Figure 4.3(a)). o Many-to-many: Once a risk is selected from the table (Figure 4.3(a)), multiple drivers will be highlighted in the four tree-maps (Figure 4.3(b)) and other risks that are caused by that driver will be highlighted on the table (Figure 4.3(b)). Evaluating the visualization tool proposed leads to the following observations: - The use of tree-maps to show risk drivers of the risk events in Table 4.2 enhances readability. - Figure 4.4 shows risk drivers from the product view, where the size of each cell shows the number of risk events caused by that driver and color shows whether the driver is controllable or not. We have found that the number of risk events caused by a parent driver is not necessarily equal to the sum of the number of risk events caused by its children. For example, a pier may fail in operation as result of corrosion. Corrosion in rebar can occur if the rebar is not well embedded in the concrete (i.e. rebar is the driver). From another point of view, if the surface of concrete is not smooth enough, the concrete cover on the rebar will be damaged as a result of cavitation and the rebar will become exposed to corrosion (i.e. concrete is the driver). 125 Therefore corrosion is addressed twice by both rebar and concrete drivers. Summing the number of risk events caused by drivers at the child level (e.g. rebar and concrete) does not necessarily result in the correct number of risk events caused by the driver at the parent level (e.g. pier). Therefore, the number of risks caused by the driver cannot be shown by size. Figure 4.4 Distribution of risk drivers by product at the 2nd level of hierarchy of risk drivers -Since the tool shows drivers from multiple views in one image, it reduces the time needed for investigating drivers in every individual view. -The visualization tool supports interaction features to facilitate examining data at different levels of detail. Once the user selects the top level of hierarchy from the slide bar, they are able to see the big picture of drivers and then they can drill down to a lower level of detail. 4.3 Potential use of visualization in risk assessment Risks are prioritized based on probability of occurrence and their impact value. Risk impact which is derived from the impact of a risk event on different performance measures can be expressed qualitatively (with predefined levels of none, very low, low, high, and very high) or quantitatively (with the outcome cost, when impacts on all performance measures are expressed in a monetary measure). Once the probability and the impact of every risk event are known, risks are nested in a heat map similar to 8 126 Figure 4.1. As shown in Figure 4.1, the risks in a common cell are not equal in terms of their impact. Impacts can range from $10M to $13M, so it is useful to visualize impact value of the individual risks (in a common cell) on every performance measure (cost, time, quality, reputation, scope, safety, and environment), then evaluate their total impact. Visualization tools such as bullet graphs (http://www.panopticon.com/) have been used by others to show the impact value of an individual risk event (not all the risk events in a common cell of the heat map) on multiple performance measures. To show the impact of a group of risk events, we have suggested parallel coordinate plots which work as follow: - The top row shows a group of risk events (e.g. risks within a cell of the heat map) and user can select amongst them; - Performance measures are shown on the axes, where each PM has a specific dimension; - Performance measures are weighted relative to cost based on their importance regarding project objectives (e.g. reputation, safety and quality are given larger weights compared to others), to evaluate the overall risk impact based on all performance measures; - Squares on every axis show the impact levels, which are defined as none, very low, low, moderate, high and very high according to the rationale explained in Table 4.1. - Once a risk event is selected from the list on the top row, its impact on every performance measure could be shown on the corresponding axis; - A line connects risk impact on one PM to the risk impact on another PM; - A connected line facilitates tracking every risk event. 127 Figure 4.5 Impact of risks on performance measures Figure 4.5 supports the following analytical reasoning needs: - What is the total impact of an individual risk event? Once the impacts of an individual risk event on the weighted performance measures are shown, it will be easier to derive the overall impact; - Once the total impact of a risk event is calculated, it is useful to know where the impact number has come from (e.g. Risk event 2144 is ranked as VH, because of its very high impact on cost, safety, reputation and environment which are given large weights). - Which performance measures are highly affected compared to others? (e.g. cost, reputation, quality, environment are highly affected compared to time) Evaluation of Figure 4.5 shows the following: - Figure 4.5, shows that parallel coordinate plot gets cluttered with lines and becomes less readable when a large number of risks is visualized; - A parallel coordinate plot can be used to show the impact of a small group of risk events: 128 Figure 4.6 Impact of risks on performance measure a) risks with an overall impact of VL, L b) risks with an overall impact of M c) risks with an overall impact of H and VH (a) (b) Dense Lines (c) 129 - Axes can be scaled based on the weight assigned to each performance measure. Thus, reputation axis will get three times longer than cost axis. In that sense, the point that shows high impact of risk on reputation (with weight 3) is not at the same column as the point that shows high impact of risk on cost (with weight 1); - Once the axes are scaled, they take a lot of space; whereas much of the space will remain unused; - When distribution of risk impacts on the performance measures are skewed, (e.g. the majority of risk events have VH impact on Reputation), only a small amount of that axis (e.g. reputation) will be used in the resulting plot if it is linearly scaled; - If the aforementioned case happens, it will be hard to see what is happening in the dense cluster of lines (Figure 4.6(c)). To solve the two second problems, all the axes in parallel coordinate plots should have the same scale or they should be normalized. Performance measures in Table 4.1 do not have a common dimension and it seems not to be possible to normalize dimensions of performance measures like reputation where levels of risk impact are defined linguistically (Table 4.1). Therefore, parallel coordinate plots are not a good fit to visualize the impact of risk events on multiple performance measures, unless they are used to visualize performance measures with similar scales. 4.4 Potential use of visualization in risk mitigation: Once risks are identified, assessed and prioritized, they need to be responded to in a way that risks in red cells of the heat map in Figure 4.1, are removed or transformed to less problematic areas (i.e. amber or green zones). 130 To visualize mitigation actions, risks that they address and the effectiveness of mitigation actions in terms of reducing impact and probability, we have suggested the use of water fall diagrams shown in Figure 4.7. To test applicability of the water fall diagram, we have created a risk register based on a synthetic set of data (Table 4.3) that shows mitigation actions, the phase in which they occur, risks that they address and risk exposure value before and after mitigation action. Figure 4.7 works as follows: - The diagram is ordered by project phases; - Risk events (on the top) are placed in the phase that they occur; - Every box shows an individual mitigation action; - Mitigation actions are placed in the phase that they are planned to occur; - Area of boxes is used as a metric to show effectiveness of each mitigation step. The width of each box shows the number of risks addressed by the mitigation action and its height shows the amount of risk exposure reduced (i.e. narrow and tall rectangles show mitigation actions that effectively reduce exposure in a few risks, but wide and short rectangles represent mitigation actions that reduce the exposure a little amount but for a large number of risk events). For effective risk management, one expects to see many wide and tall boxes to show mitigation actions that effectively reduce exposure in multiple risks; - Finally, the total value of residual risk events can be derived by summing the exposure values of the mitigated risk events; - Colors (red, amber, green) show the risk level. For effective risk management, it is expected that risks are red at the top and they turn to amber and green at the bottom of waterfall diagram. - Each box can be color-coded to show the type of mitigation action (preventative or contingency plan). 131 Table 4.3 Part of a risk register based on synthetic data Risk # Risk Phase in which risk Mitigation Mitigation Phase Cost Phase that risk Pre mitigated Post mitigated Descript is created Step Of Mitigation ($K) affects Exposure Exposure 1 Risk 1 Construction M1-1, M2-2 M1-1 Conceptual Design 10 Construction 5 3 2 Risk 2 Design, Construction M1-1 M1-2 Design 5 Construction 4 2.5 3 Risk 3 Construction M4-1 M2-1 Feasibility Study 3 Construction 3 1 4 Risk4 Conceptual design M1-2, M5-2 M2-2 Concept Design 4 Design 4 1 5 Risk 5 Operation M3-1 Feasibility Study Operation 2 2 6 Risk 6 Design M3-2 M3-2 Design 3 Construction 5 3 7 Risk 7 Construction M2-1, M3-1, M5-1 M4-1 Construction 7 Construction 4 1 8 Risk 8 Commissioning M4-2 M4-2 Commissioning 7 Commissioning 2 1 9 Risk 9 Construction, Operation M4-1, M6 M5-1 Design 8 Operation 3 1 10 Risk 10 Feasibility study M6 M5-2 Construction 6 Construction 4 3 11 Risk 11 Operation M6, M7 M6 Construction 10 Operation 5 2 12 Risk 12 Feasibility study M8 M7 Construction 3 Construction 3 1 13 Risk 13 Operation M10 M8 Design 5 Operation 3 1 14 Risk 14 Commissioning M4-1, M5-2 M9 Design 4 Commissioning 4 1 14 Risk 15 Design, Construction M9 M10 Operation 1 Construction 3 1 76 0.038 0.018 132 Figure 4.7- Waterfall diagrams Figure 4.7 Waterfall diagram 1.8% Shift before mitigation Shift after mitigation M ilestone #1 M ilestone #2 M ilestone #3 133 Figure 4.7 supports the following analytical reasoning: - What mitigation actions are planned in the project? - Which risks are addressed by an individual mitigation action? - How effective is every mitigation action in reducing risk exposure? (i.e. How many risks does it address? How much risk exposure does it reduce?) Figure 4.8 shows that in the investigated synthetic risk register, several mitigation actions are planned, but many of them address only one risk event and they do not effectively reduce risk exposure. - How are mitigation actions distributed through the project life cycle? - What is the process of mitigating an individual risk event? (e.g. risk event 7 with exposure value of 4 which occurs in the construction phase, will be mitigated to exposure value of 3 through mitigation action M2-1 in feasibility study. Then it is mitigated at two more steps, through M3-1 (in feasibility study) and through M5-1 (in the design phase), and finally it affects construction phase; - What is the total cost of the selected mitigation actions? - What is the total exposure value of residual risks? - Is there any unaddressed risk event? (e.g. risk event 5) - Is there any mitigation action which is positioned in the wrong phase? (e.g. risk 4 is created in conceptual design phase, it is mitigated in design and construction phases while it affects the project in design phase. So, if mitigation action M5-2 is a preventative one, it is not correct to position it in the construction phase.) Evaluating Figure 4.7 shows the following: - The visualization tool supports several analytical reasoning tasks; - The diagram is easy to read and understand; - It is easy to scale for a limited number of risk events, but if one wants to see all risks within a risk register a waterfall diagram requires a lot of space and cannot be easily scaled; 134 4.5 Evaluation of the suggested visualization tools In the current section, we have evaluated the visualization tools that we have suggested in sections 4.2, 4.3 and 4.4, based on their degree of effectiveness in terms of overcoming view point challenges which are discussed in Table 2.1. Results of this evaluation are summarized in Figure 4.8, where rows show challenges and columns show visualization tools. The degree to which visualization tool X overcomes challenge Y, is shown by black, grey or white cells. Figure 4.8 shows that the suggested visualization tools effectively overcome cognitive challenges but they are less effective in terms of solving social and emotional challenges. Further, in Table 4.3, we have ranked the suggested visualization tools to VL, L, M, H, and VH, based on their level of effectiveness in terms of overcoming viewpoint challenges. In Table 4.3, we have provided a brief summary of the suggested tools regarding the risk management stage that they affect, the degree to which they overcome viewpoint challenges, the analytical reasoning that they support, their advantages and disadvantages, and supportive interactive features that might be useful to partially solve the current disadvantages of these tools. 135 Figure 4.8 Evaluating the suggested visualization tools based on the degree they overcome viewpoint challenges 136 Table 4.3 Summary of the evaluation of the suggested visualization tools Visualization Tool Supported Stage Supported View Point(s) Supported Analytical Reasoning Pros Cons Supportive interactive features Parallel Coordinate Plots Risk Identification Cognitive (H) Social (H) Emotional (L) - Drivers of an individual RE from multiple views; - Causal pathways between RE and the driver(s); - Drivers of REs within a cluster. - Since drivers on the peripheral axes are dimensionless, the plot works. - It is useful tool to show links b/w risks and drivers once limited REs are selected. - It takes attention to those drivers that cause multiple REs. - It takes attention to REs that are caused by multiple drivers. - It effectively overcomes viewpoint challenges. - It is hard to read when multiple REs and/ or multiple drivers are shown; - It fails to show drivers at different hierarchical levels; - Once the diagram is skewed, the axes are not efficiently used; - Axes can be scaled to enhance readability - Axes can be inclined to enhance clarity by separating lines from each other -User can select/ deselect the axes. Multiple Tree- maps Risk Identification Cognitive (M) Social (M) Emotional (VL) Same as above - It is possible to drill down to see child drivers in the hierarchy - It helps to see drivers from different views at different levels of hierarchy on a common screen -It is not that effective in terms of overcoming viewpoint challenges. -Size can not be used to show no. of risks caused by the driver. -Slide bar can be used to choose level of hierarchy. Parallel Coordinate Plots Risk Assessment Cognitive (VH) Social (H) Emotional (M) - Impact of an individual and a cluster of REs on multiple PMs; - Weight of every PM; -Total impact of an individual RE - It takes attention to PM that are highly affected by multiple REs; - It takes attention to REs that have high impact on PMs with large weights; - It facilitates evaluating the overall - It is not a good fit for visualizing risk impact on multiple PMs, where each of them has its own scale and they can not be normalized. - It is hard to read when -Selecting PM with the same scale - To make the image readable at high levels of detail, it is helpful to provide features to 137 Visualization Tool Supported Stage Supported View Point(s) Supported Analytical Reasoning Pros Cons Supportive interactive features impact of RE (based on all PM); - It facilitates identifying the outliers (REs that have different trends in terms of affecting PM, and PMs that are affected differently compared to others) multiple REs and/ or multiple drivers are shown - When distribution of risk impacts on multiple PMs are highly skewed, a large fraction of lines will exist in a small part of the axis. It is hard to track lines in such a dense fraction. enable dragging the axes. Waterfall diagrams Risk Mitigation Cognitive (H) Social (H) Emotional (L) - Mitigation actions and their distribution in project phases; - Risks that are addressed by mitigation actions; -Effectiveness of mitigation actions in terms of reducing risk exposure and no. of REs they address. - The phase in which RE evolves; - The phase which RE impacts; - The phase in which RE is mitigated - Risk level (red, amber, green) at different points of the risk lifecycle. - Its helps in identifying the process that happens to RE from the time it is evolved until the end of project; - - For a large number of REs (more than 15), the diagram becomes wide -- For a large number of REs it will be hard to track lines. -User can select a limited no. of RE to see their mitigation actions. (e.g. risks in a cell of the heat map) 138 Chapter 5: Conclusion and Future Work 5.1 Summary In the current thesis, we sought to contribute to the development of a continuum of images that covers three phases of risk management (from risk identification to risk assessment and mitigation). We explored the current use of data visualization in support of the analytical reasoning involved in the risk management process, and we explored some additional images that facilitate the process of extracting information in response to analytical reasoning needs. However, we found that the images explored can become easily cluttered and less readable when they are overloaded with the large amount of information that accompanies risk registers for large scale projects. This observation highlights the important role of applying interactive features to the suggested tools. Our findings in the current work are summarized as follows: 1. We found that the majority of the investigated visualization tools which are currently used in the various stages of the risk management process are typically designed to explicitly show data pertaining to the risk identification stage rather than other risk management stages. Visualization tools that are designed for the risk assessment stage mainly show the impact of risks on the two performance measures of time and cost while not separating capital cost and lifecycle cost from each other. Risk impact on environment and reputation is considered in some of the tools examined; however, impacts on scope, safety and quality were not addressed in the tools studied. Regardless of the function of a visualization tool, its effectiveness in terms of facilitating communications, group interactions, creating a shared understanding and getting feedback from the project data available, is enhanced through addressing cognitive challenges. Visualization tools can help indirectly with social challenges and have minor benefits to emotional challenges. 139 2. Through examining the literature, we explored the data that is recommended to be contained in an \u00E2\u0080\u009Cideal\u00E2\u0080\u009D or \u00E2\u0080\u009Cmodel\u00E2\u0080\u009D risk register. Further, we have examined the content of risk registers which are already used in practice. We have found that the risk register content that is derived by putting together all risk registers which are used in practice covers almost all the items which are suggested to be included in an ideal risk register. Then we identified the analytical reasoning needs associated with risk management under the main headings of risk identification, risk assessment and risk mitigation, and the information that has to be extracted from an ideal risk register to meet these needs. According to the importance of prioritizing tasks in the risk management process, we have picked some analytical reasoning needs in each of the three stages of risk identification, risk assessment and risk mitigation that add value in terms prioritizing risk events. Further, we have explored visualization tools that respond to these analytical reasoning needs. In risk identification, we sought visualization tools that show drivers of a cluster of risk events from multiple views and show causal links between a risk event and its drivers. In the risk assessment stage, we sought visualization tools that show the impact of a cluster of risk events on multiple performance measures. In the risk mitigation stage, we sought visualization tools that show mitigation actions, risk events that they address and their effectiveness in terms of reducing exposure value of an individual risk event or multiple risk events. 3. Synthetic risk registers were developed to test how the suggested visualization tools assist with visualizing risk register information in support of the analytical reasoning needs identified. From another point of view, we have evaluated the suggested tools based on their effectiveness in terms of overcoming the view point challenges which are discussed in Chapter 2. 140 We concluded that, although the suggested visualization tools support the target analytical reasoning needs and they effectively overcome view point challenges, they become easily cluttered and hard to read when they are overloaded with a large amount of information (i.e. sizeable risk registers). Therefore, we have suggested supportive interactive features that can help with making the visualization tools more readable. 5.2 Recommendation for future work This research could be further developed in the following ways: 1. Equip the suggested visualization tools with interactive features and test their performance in terms of visualizing the content of an \u00E2\u0080\u009Cideal\u00E2\u0080\u009D risk register; 2. Develop more visualization tools that respond to the suggested analytical reasoning needs in each stage of risk management to cover areas less addressed or areas not addressed by current visualization tools (i.e. white cells in Figure 2.11); and, 3. Create a linkage between the visualization tools suggested for each stage of risk management to make a continuum of images that covers the whole risk management process. 141 Reference: Allen, L., Boudoukh J, Saunders A., (2004), \u00E2\u0080\u009CUnderstanding market, credit, and operational risk: the value at risk approach\u00E2\u0080\u009D, Wiley Blackwell Al-khodmany, 1999, \u00E2\u0080\u009CUsing visualization techniques for enhancing public participation in planning and design: process, implementation, and evaluation\u00E2\u0080\u009D Vance, B. (2006) American System (2010) [online] Available at http://www.2asc.com/NR/rdonlyres/BB407D38-1AD5-4AA5-8020- D89B2E1DB357/0/RRE_Overview.pdf Australian Government. Department of health and aging, Office of Gene Technology Regulator, (2005), \u00E2\u0080\u009CRisk Analysis Framework\u00E2\u0080\u009D Barry, L. J , (1995), \u00E2\u0080\u009CAssessing risk systematically\u00E2\u0080\u009D, J. of Risk Management, Vol. 42 , pp. 12\u00E2\u0080\u009317. Bailey, H. (2009), \u00E2\u0080\u009CRisk Analysis Paralysis\u00E2\u0080\u009D [online] Available at http://blog.palisade.com/blog/risk-and-decision-analysis-today/0/0/risk-analysis- paralysis Browning, T., (2004), \u00E2\u0080\u009CAnalyzing the Systems Underlying an Enterprise\u00E2\u0080\u009D, INCOSE Insight Volume 6, Issue 2 Chapman, C., and Ward, S., (1997), \u00E2\u0080\u009CProject risk management; processes, techniques and insights\u00E2\u0080\u009D, (1st ed.), John Wiley, Chichester, UK Carter R, Hancock T, Morin JM, Robins N., (1995), \u00E2\u0080\u009CIntroducing RIKSKMAN Methodology\u00E2\u0080\u009D, 1st ed. UK:NNC Blackwell Ltd. 142 Chiu C., Russell A. D., (2010), \u00E2\u0080\u009CDesign of a construction management data visualization environment: A top\u00E2\u0080\u0093down approach\u00E2\u0080\u009D, J. of Automation in Construction, Vol. 20, No.4, pp. 399-417 Davis, T. J., Keller P., (1996), \u00E2\u0080\u009CModeling and visualizing multiple spatial uncertainties\u00E2\u0080\u009D, J. of Computer and Geosciences, Vol. 23, No. 4, pp. 398-408 Data Visualization in Business [online] Available at http://pkirs.utep.edu/cis4398/Data%20Visualization%20in%20Business%20RD.h tm De Bono, E. , (1973), \u00E2\u0080\u009CLateral Thinking. Creativity Step by Step\u00E2\u0080\u009D,Harper Colophon, New York Ehlschlaerger, C. R., Shortridge A. M., Goodchild, M., (1997), \u00E2\u0080\u009CVisualizing spatial uncertainty data using animation\u00E2\u0080\u009D, J. of Computers in GeoSciences, Vol. 23, No. 4, pp. 387-395. Eppler, M., J., Platts K. W., (2009), \u00E2\u0080\u009CVisual Strategizing\u00E2\u0080\u009D, J. of Long Range Planning, No. 42, pp. 42-74 Eppler, M.J., Aeschimann, M., (2008), \u00E2\u0080\u009CEnvisioning Risk\u00E2\u0080\u009D, Institute for corporate communication, [online], Available at www.knowledgecommunication.org/pdf/envisioning-risk.pdf Feather, M. S., Cornford, S. L., Kiper, J. D., and Menzies, T. (2006), \u00E2\u0080\u009CExperiences using Visualization Techniques to Present Requirements, Risks to Them, and Options for Risk Mitigation\u00E2\u0080\u009D, In Proceedings of the International Workshop on Requirements Engineering Visualization (REV 06), pages 10\u00E2\u0080\u009310, Minnesota, USA. IEEE. 143 Gemmer, A., (1997), \u00E2\u0080\u009CRisk management: moving beyond process\u00E2\u0080\u009D, Computer, Vol. 30, Issue 5, pp. 33\u00E2\u0080\u009343 Global risk (2010), World Economic Forum, [online], Available at http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2010.pdf Grinstein, G., Trutschl, M., & Cvek, U. (2001). \u00E2\u0080\u009CHigh-dimensional visualizations\u00E2\u0080\u009D. In Data mining conference KDD workshop 2001 (pp. 7\u00E2\u0080\u009319). New York: ACM Press Hogganvik, H., Stolen, K., (2006), \u00E2\u0080\u009CA Graphical approach to risk identification\u00E2\u0080\u009D, LNCS 4199, pp. 574 \u00E2\u0080\u0093 588 Hall, J. W., Cruickshank, C., and Godfrey, P. S. (2001). Software-supported risk management for the construction industry. Civil Engineering, 144, 42-48.AD Hillson, D., (2003), \u00E2\u0080\u009CUsing a Risk Breakdown Structure in project management\u00E2\u0080\u009D, J. of facilities management, VOL .2, NO.1, pp. 85\u00E2\u0080\u009397 Husdal (2001), \u00E2\u0080\u009CCan-it-really-be-that-dangerous?\u00E2\u0080\u009D[online] Available at http://www.husdal.com/2001/10/31/can-it-really-be-that-dangerous-issues-in- visualization-of-risk-and-vulnerability/ Heer J., Kong N., and Agrawala M., (2009), \u00E2\u0080\u009CSizing the horizon: the effects of chart size and layering on the graphical perception of time series visualizations\u00E2\u0080\u009D, In ACM CHI, pp. 1303\u00E2\u0080\u00931312 Issacson (2009) [online], Available at: Project Management Issues and Considerations http://www.maxwideman.com/issacons2/iac1215e/sld006.htm Kerzner, H., (2009), \u00E2\u0080\u009CProject Management: A systems approach to planning, scheduling and controlling\u00E2\u0080\u009D, Wiley 144 Kim, J., K. , Sharman, R. ,. Rao, H.R, (2005),\u00E2\u0080\u009DAn investigation of risk management issues in the context of emergency response systems\u00E2\u0080\u009D, Proc. of Eleventh Americas Conference on Information Systems (AMCIS), Association for Information Systems, Omaha, Nebraska, USA Kontio, J., Jokinen J., Rosendahl, E., (2004), \u00E2\u0080\u009CVisualization and Formalization Risk Information\u00E2\u0080\u009D, Proceedings of the 10th International Symposium on Software Metrics (METRICS\u00E2\u0080\u009904) Korde T, Chiu C., Russell, AD, (2005), \u00E2\u0080\u009CVisualization of construction\u00E2\u0080\u009D, 6th Construction Specialty Conference (CSCE), Montreal, Canada Morgan, G., (1986), \u00E2\u0080\u009C Images of Organisations\u00E2\u0080\u009D, Sage Publications, Beverly Hills, CA Nelms, C. E, De Zoysa, S., Russell, A. D, (2006), \u00E2\u0080\u009CApplication of an information and knowledge management methodology in analyzing risks in construction projects\u00E2\u0080\u009D, Proc. Of Joint int. conf. in computing and decision making in civil and building Eng. Pp. 3256-3265 Northwest Controlling Corporation Ltd (NOWECO). (2006). RiskEasy\u00C2\u00AE Risk Register risk management software.[online] Available at http://www.noweco.com/riskrege.htm Panopticon software[online] Available at http://www.panopticon.com Patterson F. D, Neailey, K., (2002), \u00E2\u0080\u009CA Risk Register Database System to aid the management of project risk\u00E2\u0080\u009D Perkins, J. B., (1987), The San Francisco Bay Area \u00E2\u0080\u0093 On Shaky Ground, Association of Bay Area Governments, Oakland, CA 145 PertMaster Project Analytics (PertMaster). (2006). PertMaster Project Risk. [online] Available at http://www.pertmaster.com/products/projectRisk.htm Primavera Pertmaster [online] Available at http://www.westsoft.dk/Files/Filer/konferencer/Primavera_brugerm_290508/Pert master.pdf Protiviti (2006), \u00E2\u0080\u009CGuide to enterprise risk management\u00E2\u0080\u009D, [online] Available at http://www.protiviti.com/_layouts/1033/Custom404.html [Accessed October 2010] Renn, O., (1998), \u00E2\u0080\u009CThree decades of risk research: accomplishments and new challenges\u00E2\u0080\u009D, J. of risk research, Vol.1, No.1, pp. 49-71 Richter (2011), \u00E2\u0080\u009C What is risk Register\u00E2\u0080\u009D, [online] Availabel at http://www.brighthub.com/office/project-management/articles/3247.aspx, Risk Reasoning Ltd. (2009), [online], Available at http://www.riskreasoning.co.uk RiskRadar 3.3 User Manual (2003), [online], Available at http://www.mitre.org/work/sepo/toolkits/risk/ToolsTechniques/files/RRUserManu al.pdf Risk Radar Enterprise, (2010), [online], Available at http://www.2asc.com/NR/rdonlyres/BB407D38-1AD5-4AA5-8020- D89B2E1DB357/0/RRE_Overview.pdf Risk Radar\u00C2\u00AE, Integrated Computer Engineering Inc (ICE), (2006), \u00E2\u0080\u009CEssential Software for Managing Project Risk\u00E2\u0080\u009D,[online] Available at http://www.iceincusa.com/Products.aspx?p=Products_RiskRadar 146 Russell, C.E. Nelms, (2007), \u00E2\u0080\u009CThe application of IT to support the elicitation of expert judgement in project risk management\u00E2\u0080\u009D, Construction Management and Economics, CME Conference Russell A. D., Chiu C, Korde T., (2009), \u00E2\u0080\u009CVisual representation of construction management data\u00E2\u0080\u009D, Vol. 18, No. 8, pp. 1045-1062 Russell (2011), CIVL 522 and BAPA 580 Lecture notes, UBC Riskonnect software, [online] Available at http://www.riskonnect.com/ Songer A. D., Hays, B., (2003), \u00E2\u0080\u009C A frame work for multi-dimensional visualization of project control data\u00E2\u0080\u009D, Proc. ASCE Construction Research Congress. Tralli, D. M., (2003), \u00E2\u0080\u009CProgrammatic Risk Balancing\u00E2\u0080\u009D, 2003 IEEE Aerospace Conference The Risk Register Working Group, (2002), \u00E2\u0080\u009CMaking it Happen\u00E2\u0080\u009D A Guide for Risk Managers on How to Populate a Risk Register, [online], Available at http://www.dhsspsni.gov.uk/guidance_on_register.pdf Vance B., (2006), \u00E2\u0080\u009CAn antidote to bias\u00E2\u0080\u009D[online] Available at http://findarticles.com/p/articles/mi_m0BJK/is_12_17/ai_n26707579/ Ward, S. , (1999) \u00E2\u0080\u009CAssessing and managing important risks\u00E2\u0080\u009D, Int. J. of Project Management;17:331\u00E2\u0080\u00936. Williams, T.M. (1995), \"Using the risk register to integrate risk management in project definition\", International Journal of Project Management 12, 17-22. Williams, T.M. (1993), \"Risk management infrastructures\", International Journal of Project Management 11 / 1, 5-10. Williams, T.M., (1994), \u00E2\u0080\u009CUsing a risk register to integrate risk management in project definition\u00E2\u0080\u009D, 12 (1), pp. 17-22 147 World Economic Forum (2010), [online], Available at http://www.weforum.org/documents/riskbrowser2010/risks/# [Accessed on October 2010] "@en . "Thesis/Dissertation"@en . "2011-11"@en . "10.14288/1.0063213"@en . "eng"@en . "Civil Engineering"@en . "Vancouver : University of British Columbia Library"@en . "University of British Columbia"@en . "Attribution-NonCommercial-NoDerivatives 4.0 International"@en . "http://creativecommons.org/licenses/by-nc-nd/4.0/"@en . "Graduate"@en . "Visualizing risk management data associated with capital expenditure projects"@en . "Text"@en . "http://hdl.handle.net/2429/37663"@en .