Research Risk Breakdown Structure (RBS)
This page uses a two-step risk method:
- Categorize risks in a Risk Breakdown Structure and link each risk to concrete project work.
- Score risks with a consistent formula to prioritize treatment.
The Risk Breakdown Structure framing is based on David Hillson’s project risk management method [1].
Step 1: Categorize Risks (RBS + Work Link)
RBS Levels
- Level 1: Research Program Risk
- Level 2 Categories:
  - RBS-A: Problem and Requirement Formalization
  - RBS-B: Knowledge Baseline and Existing Work
  - RBS-C: IR Design and Semantics
  - RBS-D: Compiler and Technical Mapping
  - RBS-E: Validation and Impact Evidence
Category-to-Work Mapping
| RBS Category | Scope | Linked Work | Purpose |
|---|---|---|---|
| RBS-A Problem and Requirement Formalization | Main question + stakeholder model | Milestone #1 Requirement Formalization | Validate scope, stakeholders, and clause interpretation quality |
| RBS-B Knowledge Baseline and Existing Work | SQ0 | Milestone #1 Requirement Formalization | Build reliable baseline and justify design choices |
| RBS-C IR Design and Semantics | SQ1 | Milestone #2 IR Design and Schema | Ensure legal intent is preserved in machine-readable form |
| RBS-D Compiler and Technical Mapping | SQ2 | Milestone #3 Compliance Compiler and Milestone #4 Integration and Enforcement | Translate IR into enforceable controls across target environments |
| RBS-E Validation and Impact Evidence | SQ3 + synthesis | Milestone #5 Evaluation and Synthesis | Validate usefulness, limits, and confidence of conclusions |
Categorized Risk Register
| Risk ID | RBS Category | Linked Question | Linked Work | Description | Trigger | Mitigation and Fallback Controls |
|---|---|---|---|---|---|---|
| R-MAIN-01 | RBS-A | Main question | M1, M2 | One or more high-impact clauses are not machine-checkable in CI/CD. | Legal ambiguity, unavailable technical evidence source, or context-heavy judgment. | Escalate to audit/compliance owner, apply compensating controls (manual gate, approval checkpoint, sampled evidence), mark as human-in-the-loop, and revisit formalization in the next iteration. |
| R-SQ0-01 | RBS-B | SQ0 | M1 | Existing-solution survey misses relevant healthcare-specific implementations. | Narrow search strategy or low-quality source selection. | Define explicit inclusion criteria, run backward/forward citation checks, and validate shortlist with domain experts. |
| R-SQ1-01 | RBS-C | SQ1 | M2 | Meta-model attributes fail to preserve legal intent in technical form. | Over-simplification of clause semantics. | Add clause-to-attribute validation examples, include review by compliance stakeholders, and keep explicit traceability links. |
| R-SQ2-01 | RBS-D | SQ2 | M3, M4 | Mapping logic is environment-specific and hard to generalize. | Tight coupling to one target stack. | Separate core mapping logic from adapters, define target interface contract, and test on representative target variants. |
| R-SQ3-01 | RBS-E | SQ3 | M5 | Impact measurements are too context-specific to generalize. | Small sample size or short observation window. | Use mixed evidence (quantitative and expert review), state boundary conditions, and report residual uncertainty explicitly. |
Step 2: Score Risks
Scoring Model
- Likelihood (L): 1 (rare) to 5 (almost certain)
- Impact (I): 1 (minor) to 5 (critical)
- Risk Score = L x I
Priority Bands
- 1-5: Low
- 6-10: Medium
- 11-15: High
- 16-25: Critical
Scored Risk Register
| Risk ID | L | I | Score | Priority | Notes |
|---|---|---|---|---|---|
| R-MAIN-01 | 4 | 5 | 20 | Critical | Central dependency for value realization; manage early in M1/M2. |
| R-SQ0-01 | 3 | 3 | 9 | Medium | Reduces baseline quality if untreated. |
| R-SQ1-01 | 3 | 5 | 15 | High | Semantic failure cascades into mapping and auditability issues. |
| R-SQ2-01 | 4 | 4 | 16 | Critical | Direct threat to portability and practical adoption. |
| R-SQ3-01 | 3 | 4 | 12 | High | Weakens confidence and transferability of conclusions. |
Review Cadence
- Review risk category placement and scores at each sprint boundary.
- Update scores when new evidence changes likelihood or impact.
- Record accepted residual risks in the thesis conclusion and recommendations.
References
[1] D. Hillson, “Using a Risk Breakdown Structure in project management,” Journal of Facilities Management, vol. 2, pp. 85–97, Jan. 2003, doi: 10.1108/14725960410808131.