USING CAUSE-EFFECT ANALYSIS TO IMPROVE THE MANAGEMENT, CONTROL &

REPORTING OF RISK

Andrew Moore, Director TMC Limited,

Interim Risk Manager, BAE Systems, EuroDASS Project

Introduction

Traditional risk reporting usually consists of a list of the top 10 risks / opportunities, with their actions,
prioritised by probability and impact assessments, quantitative analyses and/or the immanence of
occurrence. The list uses the contents of a Risk Register that represents the bottom-up view of the
most severe specific risk events currently faced by the project or business. Cause-Effect analysis,
based on a comparison of the risk register contents with a top down view provided by senior
management, can provide an enhanced validation, control and monitoring capability, which improves
the efficacy of the risk management process. The analysis follows the causal threads that can lead to
risks arising and identify proactive actions to prevent the risks occurring. This approach enables
senior managers to keep a closer watch on the ‘pulse’ of their business. It has been implemented on a
major avionics project and recently earned a BAE Systems Bronze Chairman' s Award for Innovation.

This paper illuminates the concept with appropriate theory and illustrates it from the experiences of the
large, BAE Systems led, international defence project on which it has been trialed. It outlines the
progress to date and uses elements from the training course developed for the project to demonstrate
the approach using a simple example project ' Building a house'that does not compromise security.

The Project

The Defensive Aids Systems Suite (DASS) is being designed and produced to protect the European
Fighter Aircraft from missiles and other (mainly electronic) threats. The equipment is fitted to the
aircraft in wingtip pods. Four partner companies are involved in the project, BAE Systems Avionics
Limited (UK) as lead contractor and system design authority, Elettronica (Italy) as subsystem design
authority, Indra (Spain) as production partner and EADS (Germany) as second source production
partner. The product is known as EuroDASS.

The project is using concurrent engineering techniques because of the time constraints imposed by the
commitment of the aircraft to NATO. Flight trials of pre-production models are currently underway
while the initial series production has commenced. The advanced design pushes current state-of-the-
art technology to its limits. It is a large project (some 300 people working on it in BAE Systems
alone) and requires detailed communication and co-ordination between the international partners.
Taken together, these factors make it a high-risk project that requires effective risk management to
ensure that it remains under control.

The project had suffered a number of unexpected delays when a programme of risk management
improvement was started in October 2002. At that time, a number of disconnected risk registers were
held in various media (mainly in Word documents and Excel spreadsheets) in different parts of the
project. Risks were a part of the monthly progress report but only actioned and updated irregularly
because of the severe time pressures on project staff. The management approach was mainly reactive
rather than proactive in that the aim was to recover from risks rather than prevent them occurring. The
level of contingency held was to fund the recovery from those risk events that actually occurred. It
was thought to be sufficient but was not justified by the specific risks held in the various registers. In
part, this was due to the risks not being directly related to their requirements context, i.e. the effect that
a risk might have on the objectives of the project were not clearly expressed or understood.

Risk Management Improvement

The aim was to implement up-to-date Risk Management processes that followed the guidance
provided by the BAE Systems Operational Framework and its Lifecycle Guide to Risk Management
(Issue 5 published in November 2003). It would use a risk register implemented on a database tool
containing data that identified the requirements context of each risk and justified the contingency held
by the project. From the start, the implementation plan was to incorporate Cause-Effect analysis and
reporting.

Identifying and reporting on the Effects of risks, links individual risks to their overall effect on the
requirements / objectives of the project. It also focuses attention on recovering from risks that have
occurred i.e. it is reactive.

Identifying and reporting on the Causes of risks, links risks with a common cause that may be
susceptible to a unified strategy or a high-level mitigation action. It focuses attention on mitigating
risks before they occur by acting on the Cause. Showing the link between Cause and Effect identifies
areas where it may be possible to break that link and prevent risks occurring. These approaches to
action are both proactive.

Identifying the Cause and the Effect areas of each individual risk can also be used to provide a
mechanism to compare the top-down view of risk on a project with the bottom-up view provided in the
risk register.

It was planned to implement the risk management improvement package progressively over about 12
months. The detail of the Cause-Effect part of the implementation is described later, but first, what
have we done? Where are we now?

Implementation Progress

In late 2002, a workshop was held with the Project Operations Board (directors from each of the 4
partner companies) to kick off the process and carry out the initial top-down work. The output of the 2
x half-day session was a list of some 130 ‘worries’ separated into causes and effects and grouped
under about 25 headings. The severity of each high level cause on each effect was estimated crudely
on a 5 point scale to provide a prioritised, top-down model of the risk to the project.

Early in 2003, the Project Management Group (the first line senior managers of the project from each
partner company) reviewed the model and carried out an initial review of the individual risks in the
high level, EuroDASS risk register against it. Significant coverage gaps were immediately apparent,
with the individual risks in the register only covering a small percentage of the top-down perception of
risk to the project.

A number of workshops were held to identify the missing risks to create a more comprehensive picture
for action. The risks were transferred to an EuroDASS level risk register held on a home grown
Access based tool and a more detailed register of the BAE Systems owned risks on the commercial
product, Predict! Risk Controller.

By July 2003 the risk register content was sufficiently mature to commence reporting of the ‘Top 10’
risks and a month later the first Cause-Effect analyses were carried out and reported on. In August the
approach earned the BAE Systems Chairman’s Bronze Award for Innovation. Training courses for 2
management levels have now been prepared and are being given to selected delegates. The approach
to risk and the content of the courses are based on the premise that it is easier to nip a problem in the
bud than when it has grown into something significant, known as the ‘Ability to be Managed’.

The ‘Ability to be Managed’

The success of a business depends on the leadership of its senior management and the capabilities,
skills and determination of its staff. Their performance will be defined by the level to which the
context in which they are working limits the business’ ‘Ability to be Managed’. Many businesses are
culturally averse to allowing effective and efficient management. Thus their ‘Ability to be Managed’
has to be developed, requiring a potentially significant change in the way they work. There are 3 key
elements to this:

Champion Success – Identify the criteria that define success at meeting the project / business
objectives / requirements and focus on achieving them.
Correlate Tolerances – ensure that the risks do not go beyond the worst that the project / business
can tolerate, including taking cognisance of the different levels of tolerance to risk at different
stages of a project’s lifecycle.
Control Risk – the main subject of this paper.

Control Risk

Early in the life of a project, risk management action should be focused on eliminating the causes of
risks and preventing the linking between causes and effects. This work relies on the lessons learned
from previous projects with similar elements. At this point the ‘Ability to be Managed’ is quite high
and investment in the project and risk reduction is low. Those risks that are not eliminated at this early
stage reach a point after which they can no longer be eliminated and have to be managed. This is a
clear discontinuity in the management needs of the risks, named ‘The Boundary of Incident’.

After this point the risks need to be managed to try to prevent them from occurring and reduce the
impact they would have if they did occur. This has to be based on understanding the project / business
plans and anticipating what could potentially go wrong with them. If this management is unsuccessful
the risk could occur, crossing ‘The Boundary of Impact’, leading to a second clear discontinuity of the
management needs of the risks. The only preparation that can be made for this change is to plan for it,
plan how you will recover from the risk impact if it occurs. After the event the plan to re-stabilise
must be implemented.

These concepts are illustrated in Figure 1.

Increasing Effectiveness of Risk Management

Actions - i.e. of

Creating Increased Costs & Disruption

from Risk & Risk Management Activity
The Boundary The Boundary
of Incident of Impact
Knowledge Understanding Understanding the
from Plans for the future potential Impacts &
History & where they could how to re-stabilise
go wrong
Eliminate Pre-Impact Recovery
the Cause Planning & Preparation
Management of
Risk Cause Post-Impact
Prevent
Cause-Effect Linking Recovery Action
Management of
Cause-Effect Linking
Time

Figure 1 – Controlling risk and the ‘Ability to be Managed’

Implementing Cause – Effect Analysis on an example project (Build a House)

A list of general worries about the project can be created at any point of the project’s lifecycle using
various techniques (brainstorm, questionnaire, interviews, lessons from previous projects etc). The list
in Figure 2 was based on the point in the life of the project when the building work was about to start.
Some of the worries follow from a failure to eliminate the causes of risk at an earlier stage, others
follow from the current point in the lifecycle. The initial list contains several similar worries that can
be grouped under a single heading.
Worries High level worries

Skill levels of workers Resource skill

Availability of plumbers Resource availability
Availability of electricians Resource availability
Availability of plasterers Resource availability
Late delivery of Bricks Supplier delays
Late delivery of sand & cement Supplier delays
Late delivery of prefabricated elements Supplier delays
Late delivery of timber Supplier delays
Changes/additions to design Requirements
Clarification of design Requirements
Late ordering of materiel Work planning
Planning permission Permissions
Building inspections Permissions
Funding Funding
Cost Cost
Delays Programme/Schedule
Weather Weather
Contractor going into administration Supplier viability
Surveying errors Surveying errors
Subsoil problems Subsoil problems
Archaelogical remains Archaelogical remains
Access to services Access to services
Quality of building Quality
Figure 2 – Build a house project – the List of Worries

The list of High Level Worries can be ordered into Causes and Effects, although some will seem to
have attributes of both. From this a Cause – Effect matrix can be constructed (Figure 3) with greyed
out areas showing where worries had been initially assessed as both a Cause and an Effect.
s
ain
lay lity

s
rem
i

ce
ilab

s
s

rs
ge y

m
se

rvi
o
bili
iss ng

ble
ki l l

pla ts
va

al
r
au

se
r
Wo emen

s
i

We mme

vi a

gic
Su rce a
Re rce s

de

nn

Arc il pro
ion
/C

to
elo
yi n
Su er
lier

lier
Pro g

ss
s

in
gra
ir
u
sou

ath

o
rve

ha
ue

qu

rm
so

pp

pp
rk

nd

bs

ce
Iss

Re

Re

Pe

Su
Su
Fu

Ac

Effects Totals
Resource Skill 3 1 5 9
Resource availability 3 3 2 2 5 15
Supplier delays 3 5 5 13
Funding 5 3 3 3 3 3 20
Quality 5 4 2 2 2 3 4 4 26
Cost 3 3 5 3 3 3 5 3 3 3 34
Programme 5 5 5 2 5 3 3 5 5 5 5 5 5 58
Totals 10 8 8 19 19 9 15 12 9 23 9 15 11 8

Individual Severity Assessment Group Severity Assessment - Priority

Severe 5 Priority 1
Medium 3 Priority 2
Low 1 Priority 3

Figure 3 – The Cause – Effect Matrix

Each Cause can then be examined against each Effect and an assessment made of the likely severity of
the risks resulting from that Cause on that Effect area. In this example, as in the EuroDASS Project, a
5-point severity scale was used. These can then be totalled for both the Causes and the Effects and a
priority assigned based on the total severity of each Cause, for mitigation action, and Effect, for
recovery action. On EuroDASS, all of this work was carried out by the POB to ensure that a true top-
down view was obtained.

The next step is to create a Cause – Effect linkage diagram so as to ensure that all the relationships on
which action may be needed are understood. Rather than reproduce the whole diagram, Figure 4 takes
just the top priority Causes and Effects from the Matrix. Additional links have been incorporated as
perceived necessary. This shows, for example, the traditional linking between Time, Cost and Quality
and how they influence each other. Because of this interlinking, the diagram shows no Ultimate
Effects

Requirements

Funding Work Planning Supplier viability

Programme

Quality

Key
Subsoil problems
Root Cause
Intermediate Cause Cost
Intermediate Effect

Figure 4 – The simple Linkage diagram of the top priority Causes and Effects

The diagram can now be used to guide action strategy at the level of this analysis. For example:

What can be done about the Supplier Viability for each supplier? – Treat the Cause.
What can be done to prevent the failure of an individual supplier affecting the build Programme or
the Quality of the final structure? – Treat the Cause – Effect link.
How should the Cost – Time – Quality triangle be balanced? – Treat the Effects

This work has resulted in a top-down view of the likely risks to the project and identified useful action
strategies that should be followed.

What do the risks in the Risk Register tell us?

The bottom-up risks in the register are initially unlikely to mirror all of the concerns of the senior
management’s top-down view because the viewpoint is different. An example of what might be found
is shown in the bottom-up Cause – Effect matrix, at Figure 5, which shows the number of risks in each
cell and the highest priority of any of those risks.

This shows that the team creating the bottom-up risks is less concerned about supplier viability (a top-
down worry) than supplier delays. They also perceive that there is greater risk associated with the
Access to Services than Subsoil Problems. This difference requires investigation. Is the bottom-up
team missing something or is the top-town team focusing on a previous project situation rather than
this one? Thus the two views can be compared and a truer picture determined.
 s
ain
lay lity

s
rem
i

ce
ilab

elo lems
es

pro rs
ty
s

rvi
rro
bili
us

iss ng
kill

nts
va

al
se
b
s
i

ge
Ca

gic
We mme

via
Su rce a
Re rce s

de

nn
ion
Wo eme

to
pla

yin
Su er
s/

lier

lier
Pro g

oil

ss
in
gra
ir
u
u

ath

rve

ha
ue

qu

rm
so
so
pp

pp
rk

bs
nd

ce
Arc
Iss

Re

Re

Pe

Su
Su
Fu

Ac
Effects
Resource Skill 1 1
Resource availability 4 1 5
Supplier delays 3 1 3 2 9
Funding 2 2 1 1 1 7
Quality 3 8 2 1 1 1 1 17
Cost 1 3 8 4 1 1 7 2 1 2 30
Programme 3 5 3 5 7 3 4 1 2 1 2 1 2 39

Number of risks in each cell as shown

Highest Priority of risks in the cell
Highest is Priority 1 Highest is Priority 2 Highest is Priority 3

Figure 5 - The Bottom-Up Cause – Effect matrix

Conclusion

The full benefits of implementing this approach in EuroDASS have yet to be realised, but already, the
improved disciplines now used have shown a benefit in the reduction of the overall perceived risk to
the project and a significant increase in the probability of meeting current milestones on time. In the
longer term, implementing this form of Cause – Effect analysis and reporting in addition to the
standard ‘top 10’ approach is expected to increase the efficacy of the risk management process as a
whole and will help to:
• Focus on ACTION (both Mitigation and Recovery) and its strategic direction
• Identify areas where the ‘Ability to be Managed’ can be improved
• Identify areas requiring immediate attention
• Identify most severe Causes of risks and their Effects
• Provide an ability to compare Top-Down and Bottom-Up analyses for ‘Gap Analysis’ and Risk
Register validation
• Facilitate communication and understanding between Partner Companies and between different
management levels within them.

In turn, this means that:

• Risks are much less likely to occur and those that do occur have a reduced impact and are recovered
from quickly
• Project milestones are more likely to be met and contingency funding may be reduced
• The product quality and performance are more likely to meet or exceed the client’s requirement
leading to an enhanced reputation for the business.