Managerial Economics


Published by: Jaishan Kashyap on Jan 14, 2012
Copyright:Attribution Non-commercial


RISK MANAGEMENT

Risk management is activity directed towards the assessing, mitigating (to an acceptable level) and monitoring of risks. In some cases the acceptable risk may be near zero. Risks can come from accidents, natural causes and disasters as well as deliberate attacks from an adversary. The main ISO standards on risk management include. In businesses, risk management entails organized activity to manage uncertainty and threats and involves people following procedures and using tools in order to ensure conformance with risk-management policies. The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Some traditional risk management programs (e.g., health risk assessment) are focused on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, ergonomics, death and lawsuits). Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments.

In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.

Intangible risk management identifies a new type of risk: a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materialises. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.

Risk management also faces difficulties allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending while maximizing the reduction of the negative effects of risks.

PRINCIPLES OF RISK MANAGEMENT
The International Organization for Standardization identifies the following principles of risk management:

  • Risk management should create value.
  • Risk management should be an integral part of organizational processes.
  • Risk management should be part of decision making.
  • Risk management should explicitly address uncertainty.
  • Risk management should be systematic and structured.
  • Risk management should be based on the best available information.
  • Risk management should be tailored.
  • Risk management should take into account human factors.
  • Risk management should be transparent and inclusive.
  • Risk management should be dynamic, iterative and responsive to change.
  • Risk management should be capable of continual improvement and enhancement.

PROCESS
According to the standard ISO/DIS 31000 "Risk management -- Principles and guidelines on implementation" [2], the process of risk management consists of several steps as follows:

Establishing the context

1. Identification of risk in a selected domain of interest
2. Planning the remainder of the process.
3. Mapping out the following:
   o the social scope of risk management
   o the identity and objectives of stakeholders
   o the basis upon which risks will be evaluated, constraints.
4. Defining a framework for the activity and an agenda for identification.
5. Developing an analysis of risks involved in the process.
6. Mitigation of risks using available technological, human and organizational resources.

Identification

After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.

  • Source analysis: Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.

  • Problem analysis: Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats may exist with various entities, most important with shareholders, customers and legislative bodies such as the government.

When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; privacy information may be stolen by employees even within a closed network; lightning striking a Boeing 747 during takeoff may make all people onboard immediate casualties. The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:

  • Objectives-based risk identification: Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk.

  • Scenario-based risk identification: In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk. See Futures Studies for methodology used by Futurists.

  • Taxonomy-based risk identification: The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks. Taxonomy-based risk identification in software industry can be found in CMU/SEI-93-TR-6.

  • Common-risk checking: In several industries lists with known risks are available. Each risk in the list can be checked for application to a particular situation. An example of known risks in the software industry is the Common Vulnerabilities and Exposures list found at http://cve.mitre.org.

  • Risk charting (risk mapping): This method combines the above approaches by listing Resources at risk, Threats to those resources, Modifying Factors which may increase or decrease the risk and Consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.

Assessment

Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:

Rate of occurrence multiplied by the impact of the event equals risk

Later research has shown that the financial benefits of risk management are less dependent on the formula used but are more dependent on the frequency and how risk assessment is performed.

In business it is imperative to be able to present the findings of risk assessments in financial terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial terms. The Courtney formula was accepted as the official risk analysis method for the US governmental agencies. The formula proposes calculation of ALE (annualised loss expectancy) and compares the expected loss value to the security control implementation costs (cost-benefit analysis).

Potential risk treatments

Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories: [2]

  • Avoidance (eliminate)
  • Reduction (mitigate)
  • Transfer (outsource or insure)
  • Retention (accept and budget)

Ideal use of these strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions. Another source, from the US Department of Defense, Defense Acquisition University, calls these categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense industry procurements, in which Risk Management figures prominently in decision making and planning.

Risk avoidance

Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.

Risk reduction

Involves methods that reduce the severity of the loss or the likelihood of the loss from occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.

Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a single iteration.

Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher capability at managing or reducing risks. [3] In this case companies outsource only some of their departmental needs. For example, a company may outsource only its software development, the manufacturing of hard goods, or customer support needs to another company, while handling the business management itself. This way, the company can concentrate more on business development without having to worry as much about the manufacturing process, managing the development team, or finding a physical location for a call center.

Risk retention

Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example since most property and risks are not insured against war, so the loss attributed by war is retained by the insured. Also any amounts of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organization too much.

Risk transfer

In the terminology of practitioners and scholars alike, the purchase of an insurance contract is often described as a "transfer of risk." However, technically speaking, the buyer of the contract generally retains legal responsibility for the losses "transferred", meaning that insurance may be described more accurately as a post-event compensatory mechanism. For example, a personal injuries insurance policy does not transfer the risk of a car accident to the insurance company. The risk still lies with the policy holder namely the person who has been in the accident. The insurance policy simply provides that if an accident (the event) occurs involving the policy holder then some compensation may be payable to the policy holder that is commensurate to the suffering/damage.

Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.

Create a risk-management plan

Select appropriate controls or countermeasures to measure each risk. Risk mitigation needs to be approved by the appropriate level of management. For example, a risk concerning the image of the organization should have top management decision behind it whereas IT management would have the authority to decide on computer virus risks.

The risk management plan should propose applicable and effective security controls for managing the risks. For example, an observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software. A good risk management plan should contain a schedule for control implementation and responsible persons for those actions.
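The ALE cost-benefit comparison and the four treatment categories described above can be worked through on a small risk register. This is an added example, not part of the original document: ALE is taken as loss per event times events per year, and the rule of choosing the treatment with the lowest expected yearly cost, the field names and every figure in the sample register are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    loss_per_event: float                   # impact of one occurrence
    events_per_year: float                  # rate of occurrence
    control_cost: Optional[float] = None    # reduction: yearly cost of the control
    reduced_rate: Optional[float] = None    # rate once the control is in place
    reduced_loss: Optional[float] = None    # loss per event once the control is in place
    premium: Optional[float] = None         # transfer: yearly insurance premium
    insured_limit: float = 0.0              # amount the insurer pays per event
    forgone_gain: Optional[float] = None    # avoidance: yearly gain given up


def ale(loss_per_event: float, events_per_year: float) -> float:
    """Annualised loss expectancy: rate of occurrence multiplied by impact."""
    return loss_per_event * events_per_year


def treatment_costs(risk: Risk) -> dict:
    """Expected yearly cost of every treatment that is available for this risk."""
    # Retention is always available: the organization simply carries the ALE.
    costs = {"retain": ale(risk.loss_per_event, risk.events_per_year)}
    if risk.control_cost is not None:
        loss = risk.loss_per_event if risk.reduced_loss is None else risk.reduced_loss
        rate = risk.events_per_year if risk.reduced_rate is None else risk.reduced_rate
        # Reduction costs the control itself plus the residual ALE.
        costs["reduce"] = risk.control_cost + ale(loss, rate)
    if risk.premium is not None:
        # Any loss above the insured amount is still retained by the buyer.
        uninsured = max(0.0, risk.loss_per_event - risk.insured_limit)
        costs["transfer"] = risk.premium + ale(uninsured, risk.events_per_year)
    if risk.forgone_gain is not None:
        # Avoidance removes the loss but also the gain the activity would bring.
        costs["avoid"] = risk.forgone_gain
    return costs


def treatment_plan(register: list) -> list:
    """Rows of (name, untreated ALE, chosen treatment, its yearly cost),
    ordered so the risk with the greatest expected loss is handled first."""
    rows = []
    for risk in register:
        costs = treatment_costs(risk)
        choice = min(costs, key=costs.get)
        rows.append((risk.name, costs["retain"], choice, costs[choice]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; every figure is illustrative only.
SAMPLE_REGISTER = [
    Risk("Lost laptop", 1_500, 2, premium=4_000, insured_limit=1_500),
    Risk("Malware outbreak", 40_000, 0.5, control_cost=3_000, reduced_rate=0.1),
    Risk("Server-room fire", 2_000_000, 0.02,
         control_cost=15_000, reduced_loss=500_000,
         premium=8_000, insured_limit=1_500_000),
    Risk("High-liability product line", 5_000_000, 0.25, forgone_gain=300_000),
]

if __name__ == "__main__":
    for name, untreated, choice, cost in treatment_plan(SAMPLE_REGISTER):
        print(f"{name:30s} ALE={untreated:>12,.0f}  {choice:8s} cost={cost:>10,.0f}")
```

The lost-laptop row shows the retention case from the text: insuring it would cost more each year than the expected loss, so it is retained.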

According to ISO/IEC 27001, the stage immediately after completion of the Risk Assessment phase consists of preparing a Risk Treatment Plan, which should document the decisions about how each of the identified risks should be handled. Mitigation of risks often means selection of security controls, which should be documented in a Statement of Applicability, which identifies which particular control objectives and controls from the standard have been selected, and why.

Implementation

Follow all of the planned methods for mitigating the effect of the risks. Purchase insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that can be avoided without sacrificing the entity's goals, reduce others, and retain the rest.

Review and evaluation of the plan

Initial risk management plans will never be perfect. Practice, experience, and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced.

Risk analysis results and management plans should be updated periodically. There are two primary reasons for this:

1. to evaluate whether the previously selected security controls are still applicable and effective, and
2. to evaluate the possible risk level changes in the business environment. For example, information risks are a good example of rapidly changing business environment.

Step 1: Prepare

  • 1a. Obtain Buy-In from Program Manager
  • 1b. Identify and Notify Stakeholders
  • 1c. Identify and Distribute Objectives and Requirements
  • 1d. Identify Risk/Hazard Taxonomies

Step 2: Identify Risks and Hazards

  • 2a. Assemble Stakeholders for Risk Assessment
  • 2b. Review Objectives, Taxonomies, and Process
  • 2c. Conduct Risk Identification
  • 2d. Group-Related Risks
  • 2e. Consolidate Related Risks and Write

Step 3: Assess and Prioritize Risks

  • 3a. Identify and Get Consensus on Impact/Severity
  • 3b. Identify and Get Consensus on Probability
  • 3c. Identify Time Window when Risk Could Occur
  • 3d. Reassess Any Existing Risks in Database
  • 3e. Prioritize Risks by Impact, Probability, and Time
  • 3f. Identify Handling Bands

Step 4: Decide on Control Options

  • 4a. Identify Handling Options Within Each Risk Band
  • 4b. Identify Risks to be Assumed or Watched
  • 4c. Identify Risks to be Avoided, Transferred, or Mitigated
  • 4d. Assign Plan OPRs for Avoided, Transferred, or Mitigated
  • 4e. Establish or Update Risk Database

Step 5: Establish Handling Plans

  • 5a. Develop Draft Handling Plans and Resources
  • 5b. Manager Review and Approval of Handling Plans
  • 5c. Handling Plan Funded, Directed, and Integrated

Step 6: Implement Handling Plans

  • 6a. Finalize Risk Management Plan and Management Infrastructure
  • 6b. Mechanism to Monitor Triggers, Cues, and Handling
  • 6c. Implement Handling as Authorized, Funded, and Scheduled
  • 6d. Provide Reporting on Handling Results and Progress

Step 7: Monitor Handling Plans

  • 7a. Periodically Review Handling Plan Results
  • 7b. Stop or Modify Handling Plans and Resources
  • 7c. Retire Risks When Handling Plans Completed
  • 7d. Update Risk Database for Handling Process and Retirement

Step 8: Institutionalize The Process

  • 8a. Establish an Organizational Policy
  • 8b. Plan the Process
  • 8c. Provide Resources
  • 8d. Assign Responsibility
  • 8e. Train People
  • 8f. Manage Configurations
  • 8g. Identify and Involve Relevant Stakeholders
  • 8h. Monitor and Control the Process
  • 8i. Objectively Evaluate Adherence
  • 8j. Review Status with Higher Level Management

Self Assessment

Risk Management Process Self-Assessment: If your organization or project has implemented a risk management process, this survey can help you decide how well the process meets the CMMI goals and specific practices. The first part of the survey deals with specific goals and their associated specific practices. Your process must meet all of these specific goals and practices. The second part of the survey deals with generic goals and their associated generic practices. The extent to which your process meets these generic goals and practices indicates your level of process capability.

CMMI Risk Management Goals

Specific Goals and Practices:

  • SG 1: Prepare for Risk Management
      o SP 1.1: Determine Risk Sources and Categories
      o SP 1.2: Define Risk Parameters
      o SP 1.3: Establish a Risk Management Strategy
  • SG 2: Identify and Analyze Risks
      o SP 2.1: Identify Risks
      o SP 2.2: Evaluate, Categorize, and Prioritize Risks
  • SG 3: Mitigate Risks
      o SP 3.1: Develop Risk Mitigation Plans
      o SP 3.2: Implement Risk Mitigation Plans

Generic Goals and Practices:

  • GG 1: Achieve Specific Goals
      o GP 1.1: Perform Base Practices
  • GG 2: Institutionalize a Managed Process
      o GP 2.1: Establish an Organizational Policy
      o GP 2.2: Plan the Process
      o GP 2.3: Provide Resources
      o GP 2.4: Assign Responsibility
      o GP 2.5: Train People
      o GP 2.6: Manage Configurations
      o GP 2.7: Identify and Involve Relevant Stakeholders
      o GP 2.8: Monitor and Control the Process
      o GP 2.9: Objectively Evaluate Adherence
      o GP 2.10: Review Status with Higher Level Management
  • GG 3: Institutionalize a Defined Process
      o Establish a Defined Process
      o Collect Improvement Information
  • GG 4: Institutionalize a Quantitatively Managed Process
      o Establish Quantitative Objectives for the Process
      o Stabilize Sub process Performance
  • GG 5: Institutionalize an Optimizing Process
      o Ensure Continuous Process Improvement
      o Correct Root Causes of Problems

Risk Review

Guidelines for Risk Management Process Review: Risk Management identifies potential problems before they occur so that risk-handling activities may be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives.

PROCEDURES

Procedures of Risk Management:

1. Affinity Diagrams
2. Brainstorming
3. Risk Plotting
4. Risk Statements

1. Affinity Diagrams

An affinity diagram is a technique for organizing verbal information into a visual pattern. An affinity diagram starts with specific ideas and helps you work toward broad categories. This is the opposite of a cause and effect diagram, which starts with the broad causes and works toward specifics. You can use either technique to explore all aspects of an issue. Affinity diagrams can help you:

  • Organize and give structure to a list of factors that contribute to a problem.
  • Identify key areas where improvement is most needed.

How to use it

  • Identify the problem. Write the problem or issue on a blackboard or flipchart.
  • Generate ideas. Use an idea-generation technique to identify all facets of the problem. Use index cards or sticky-back notes to record the ideas.
  • Cluster your ideas (on cards or paper) into related groups. Use questions like "Which other ideas are similar?" and "Is this idea somehow connected to any others?" to help you group the ideas together.
  • Create affinity cards. For each group, create an affinity card, a card that has a short statement describing the entire group of ideas.
  • Cluster related affinity cards. Put all of the individual ideas in a group under their affinity card. Now try to group the affinity cards under even broader groups. You can continue to group the cards until your definition of "group" becomes too broad to have any meaning.
  • Create an affinity diagram. Lay out all of the ideas and affinity cards on a single piece of paper or a blackboard. Draw outlines of the groups with the affinity cards at the top of each group. The resulting hierarchical structure will give you valuable insight into the problem.

Affinity Diagram Example

A publication team wanted to reduce the number of typographical errors in their program's documentation. As part of a first step, they conducted a brainstorming session that produced the following list of factors that influenced errors.

Computers, Printers, Lighting, Comfort, Font, Grammar, Draft Copy, Technical Jargon, Computer Skill, No Feedback, Typing Skill, Typewriters, Desk Height, Interruptions, Slang, Punctuation, Final Copy, Unreasonable Deadlines, Noise, Proofreading Skill, Chair Height, Time of Day, Handwriting, Spelling, Distribution, Editing Skill, No Measurement

The following diagram helped them to focus on areas for further analysis.

[Diagram: Typographical Errors]

2. Brainstorming

Brainstorming is used solely for generating ideas; it does not involve analysis.

  • Generate a variety of ideas in a short time
  • Produce new and creative ideas

How to do it

The goal of brainstorming is to generate ideas. Before you start, make sure everyone in your group understands the importance of postponing judgements until after the brainstorming session is completed.

  • Write the problem or topic on a blackboard or flipchart where all participants can see it
  • Write all ideas on the board and do as little editing as possible
  • Number each idea for future reference
  • Use one of the following brainstorming techniques: structured brainstorming, free-form brainstorming, or silent brainstorming.

In structured brainstorming

  • Solicit one idea from each person in sequence
  • Participants who don't have an idea at the moment may say "pass."
  • A complete round of passes ends the brainstorming session
  • The advantage of structured brainstorming is that each person has an equal chance to participate, regardless of rank or personality
  • The disadvantage of structured brainstorming is that it lacks spontaneity and can be somewhat rigid.

In free-form (or unstructured) brainstorming

  • Participants simply contribute ideas as they come to mind
  • The advantage of free-form brainstorming is that participants can build off each other's ideas. The atmosphere is very relaxed.
  • The disadvantage of free-form brainstorming is that the less assertive or low-ranking participants may not contribute.

An ideal approach is to combine these two methods. Begin the session with a few rounds of structured brainstorming and finish up with a period of unstructured brainstorming.

In silent brainstorming

  • Have participants write ideas individually on sticky-back notes or small slips of paper.
  • Collect the papers and post them for all to see.
  • The advantage of silent brainstorming is that it prevents individuals from making disruptive "analysis" comments during the brainstorming session.
  • The disadvantage of silent brainstorming is that the group loses the synergy that comes from an open session.

Silent brainstorming is best used in combination with other brainstorming techniques.

The result of a brainstorming session is a list of ideas. If this list is too long, the group can boil it down using one of the decision-making tools such as an affinity diagram.

3. Risk Plotting

  • Establish probability scale on y-axis
  • Establish impact scale on x-axis
  • Priority regions are set by the risk assessors:
      o Red - Highest Priority
      o Yellow - Medium Priority
      o Green - Low Priority

4. Risk Statement

Example:

  • Requirement reads: "Use Common Operational Picture (COP) in DII COE Release 1.5"
  • Identified risk: availability of DII COE version 1.5 when needed

Risk statement:

  • IF DII COE version 1.5 is more than 1 month late,
  • THEN Program xyz release 1 will experience a day for day schedule slip

Condition Present and Associated Risk Event Risk Statement

Writing the Risk Statement: Identified risks are described and communicated to management in the form of risk statements. A risk statement provides the clarity and descriptive information required for a reasoned and defensible assessment of the risk's occurrence probability and areas of impact. A well-written risk statement contains two components. They are a statement of the Condition Present and the Associated Risk Event (or events). In a risk statement, the Condition Present is itself an event; it is an event that has occurred or is presently occurring. Associated Risk Events are future events that might occur because of the Condition Present.

Example 1: Risk Statement

  • "A large part of the software must now be written in C++; the time required to train the development team in C++ will extend the project's schedule by 3 months".
  • Here, the Condition Present is {A large part of the software must now be written in C++}; the Associated Risk Event is {the time required to train the development team in this language will extend the project's schedule by 3 months}.

The Condition Present acts as the departure point from which one or more Associated Risk Events may originate. Example 2 illustrates how three risk events A1, A2, and A3 originate from a single condition.

Example 2: Condition Present

  • {Version 1.0 (v1.0) of the enterprise system architecture is not yet defined; furthermore, the schedule required to deliver the architecture is highly compressed and not synchronized to the major funding and review milestones of the systems being upgraded to comply to this architecture.}

Risk Events:

  • A1 = {Milestone funding and review schedules for each system being upgraded will slip by more than 3 months due to the time required for them to properly apply and demonstrate compliance to the v1.0 architecture.}
  • A2 = {Once v1.0 is delivered, the current designs of the systems being upgraded may be inadequate to support the interoperability requirements of users.}
  • A3 = {The systems being upgraded may design functionality that is significantly less in scope than v1.0 will require.}

and display risks at a project or enterprise level. FAA. government. probability. prioritize. and the mitigation/management status).S. monitor. This tool provides three dimensions of information graphically (risk priority. where the more important risks get higher numbers and the gaps between the numbers correspond to the relative strengths of the differences. and other MITRE sponsors. Formally. analyze. technical). The risk priority is a weighted average of the timeframe (how soon the risk will occur). . probability of occurrence. RiskNav RiskNav is a well-tested tool developed by MITRE to facilitate the risk process and help program managers manage their risk space. and visualize risk information in a collaborative fashion. and the impact (cost. RiskNav®. this scoring model originates from the concept of linear utility.TOOLS AND TECHNIQUES 1. ESC. This score provides a most-to-least critical rank order of the risks. RiskNav is currently deployed throughout the intelligence community. RiskNav uses a weighted average model that computes an overall score for each identified risk. is designed to capture. schedule. originally produced for the U. analyze. RiskNav lets you collect.

[Figure: Screenshot of RiskNav Analysis Inputs and Computed Risk Scores]

2. Risk Matrix

Risk Matrix is a software application that can help you identify, prioritize, and manage key risks on your program. MITRE created it a few years ago to support a risk assessment process developed by the Air Force's Electronic Systems Center (ESC). MITRE and ESC have expanded and improved the original process, creating what is known as the Baseline Risk Assessment Process.

Although the process and application were developed for use at ESC, the basic principles can be applied to any project that needs to manage risks.

3. Risk Radar

Risk Radar is a risk management database to help project managers identify, prioritize, and communicate project risks in a flexible and easy-to-use form. Risk Radar provides standard database functions to add and delete risks, as well as specialized functions for prioritizing and retiring project risks. Each risk can have a user-defined risk management plan and a log of historical events. A set of standard short- and long-form reports can be easily generated to share project risk information with all members of the development team. The number of risks in each probability/impact category by time frame can be displayed, which allows the user to drill down through the data to uncover increasing levels of detail. Risk Radar allows the user the flexibility of using automatic sorting in addition to manually moving risks up and down in setting priority rank.

LIMITATIONS

If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. Unlikely events do occur but if the risk is unlikely enough to occur it may be better to simply retain the risk and deal with the result if the loss does in fact occur.

Prioritizing too highly the risk management processes could keep an organization from ever completing a project or even getting started. This is especially true if other work is suspended until the risk management process is considered complete.

It is also important to keep in mind the distinction between risk and uncertainty. Risk can be measured by impacts x probability.

AREAS OF RISK MANAGEMENT

As applied to corporate finance, risk management is the technique for measuring, monitoring and controlling the financial or operational risk on a firm's balance sheet. See value at risk.

The Basel II framework breaks risks into market risk (price risk), credit risk and operational risk and also specifies methods for calculating capital requirements for each of these components.

Enterprise risk management

In enterprise risk management, a risk is defined as a possible event or circumstance that can have negative influences on the enterprise in question. Its impact can be on the very existence, the resources (human and capital), the products and services, or the customers of the enterprise, as well as external impacts on society, markets, or the environment. In a financial institution, enterprise risk management is normally thought of as the combination of credit risk, interest rate risk or asset liability management, market risk, and operational risk.

In the more general case, every probable risk can have a pre-formulated plan to deal with its possible consequences (to ensure contingency if the risk becomes a liability).

From the information above and the average cost per employee over time, or cost accrual ratio, a project manager can estimate:

• the cost associated with the risk if it arises, estimated by multiplying employee costs per unit time by the estimated time lost (cost impact, C where C = cost accrual ratio * S).
• the probable increase in time associated with a risk (schedule variance due to risk, Rs where Rs = P * S):
  o Sorting on this value puts the highest risks to the schedule first. This is intended to cause the greatest risks to the project to be attempted first so that risk is minimized as quickly as possible.
  o This is slightly misleading as schedule variances with a large P and small S and vice versa are not equivalent. (The risk of the RMS Titanic sinking vs. the passengers' meals being served at slightly the wrong time).
• the probable increase in cost associated with a risk (cost variance due to risk, Rc where Rc = P*C = P*CAR*S = P*S*CAR)
  o sorting on this value puts the highest risks to the budget first.
  o see concerns about schedule variance as this is a function of it, as illustrated in the equation above.

Risk in a project or process can be due either to Special Cause Variation or Common Cause Variation and requires appropriate treatment. That is to re-iterate the concern about external cases not being equivalent in the list immediately above.

Risk-management activities as applied to project management

In project management, risk management includes the following activities:

• Planning how risk will be managed in the particular project. Plan should include risk management tasks, responsibilities, activities and budget.
• Assigning a risk officer - a team member other than a project manager who is responsible for foreseeing potential project problems. Typical characteristic of risk officer is a healthy skepticism.
• Maintaining live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved.
• Creating anonymous risk reporting channel. Each team member should have possibility to report risk that he foresees in the project.
• Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of the mitigation plan is to describe how this particular risk will be handled – what, when, by who and how will it be done to avoid it or minimize consequences if it becomes a liability.
• Summarizing planned and faced risks, effectiveness of mitigation activities, and effort spent for the risk management.
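The schedule and cost variance estimates described earlier (Rs = P * S and Rc = P * S * CAR), applied to a small risk register. This is an added example, not part of the original document; the register entries, the CAR value and the function names are constructed for illustration. It also flags the case the text warns about, where two risks have nearly the same P * S product but very different S.

```python
from dataclasses import dataclass
from itertools import combinations
from math import isclose


@dataclass(frozen=True)
class Risk:
    name: str
    p: float  # P: probability that the risk occurs (0..1)
    s: float  # S: estimated time lost if it occurs, in person-days

    def schedule_variance(self) -> float:
        """Rs = P * S, the probable increase in time."""
        return self.p * self.s

    def cost_variance(self, car: float) -> float:
        """Rc = P * S * CAR, the probable increase in cost."""
        return self.schedule_variance() * car


# Constructed sample register (assumed values, not from the source document).
REGISTER = [
    Risk("Key engineer leaves", p=0.02, s=200),
    Risk("Daily build breaks", p=0.80, s=5),
    Risk("Vendor API change", p=0.30, s=30),
    Risk("Test lab unavailable", p=0.50, s=4),
]
CAR = 400.0  # constructed cost accrual ratio: cost per person-day


def rank(risks, car):
    """Highest probable cost increase first.

    CAR is the same for every risk, so this is also the Rs ordering.
    """
    return sorted(risks, key=lambda r: r.cost_variance(car), reverse=True)


def lookalike_pairs(risks, rel_tol=0.05, min_ratio=10.0):
    """Find pairs the ranking treats as equal although they are not.

    A pair is reported when the two Rs values agree within rel_tol but one
    risk would cost at least min_ratio times more schedule if it happened.
    Returns (rare_but_severe, frequent_but_minor) name tuples.
    """
    pairs = []
    for a, b in combinations(risks, 2):
        if not isclose(a.schedule_variance(), b.schedule_variance(),
                       rel_tol=rel_tol):
            continue
        severe, frequent = (a, b) if a.s >= b.s else (b, a)
        if frequent.s > 0 and severe.s / frequent.s >= min_ratio:
            pairs.append((severe.name, frequent.name))
    return pairs


if __name__ == "__main__":
    for r in rank(REGISTER, CAR):
        print(f"{r.name:22s} Rs={r.schedule_variance():5.1f} "
              f"Rc={r.cost_variance(CAR):8.1f}")
    for severe, frequent in lookalike_pairs(REGISTER):
        print(f"review by hand: '{severe}' ranks level with '{frequent}'")
```

Pairs returned by `lookalike_pairs` are the ones to review by hand before accepting the sorted order, since the product alone hides how bad the rare event would be.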

RISK MANAGEMENT AND BUSINESS CONTINUITY

Risk management is simply a practice of systematically selecting cost effective approaches for minimising the effect of threat realization to the organization. All risks can never be fully avoided or mitigated simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risks.

Whereas risk management tends to be preemptive, business continuity planning (BCP) was invented to deal with the consequences of realised residual risks. The necessity to have BCP in place arises because even very unlikely events will occur if given enough time. Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied together that such separation seems artificial. For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates etc). Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management's preemptive approach and moves on from the assumption that the disaster will realize at some point.

Commercial enterprises apply various forms of risk management procedures to handle different risks because they face a variety of risks while carrying out their business operations. Effective handling of risk ensures the successful growth of an organization. All these risk management processes play a significant role behind the growth of an organization in the long term. Various types of risk management can be categorized into the following:

1. Operational risk management: Operational risk management deals with technical failures and human errors
2. Financial risk management: Financial risk management handles non-payment of clients and increased rate of interest
3. Market risk management: Deals with different types of market risk, such as interest rate risk, equity risk, commodity risk, and currency risk
4. Credit risk management: Deals with the risk related to the probability of nonpayment from the debtors
5. Quantitative risk management: In quantitative risk management, an effort is carried out to numerically ascertain the possibilities of the different adverse financial circumstances to handle the degree of loss that might occur from those circumstances

6. Commodity risk management: Handles different types of commodity risks, such as price risk, political risk, quantity risk and cost risk
7. Bank risk management: Deals with the handling of different types of risks faced by the banks, for example, market risk, credit risk, liquidity risk, legal risk, operational risk and reputational risk
8. Nonprofit risk management: This is a process where risk management companies offer risk management services on a non-profit seeking basis
9. Currency risk management: Deals with changes in currency prices
10. Enterprise risk management: Handles the risks faced by enterprises in accomplishing their goals
11. Project risk management: Deals with particular risks associated with the undertaking of a project
12. Integrated risk management: Integrated risk management refers to integrating risk data into the strategic decision making of a company and taking decisions, which take into account the set risk tolerance degrees of a department. In other words, it is the supervision of market, credit, and liquidity risk at the same time or on a simultaneous basis.
13. Technology risk management: It is the process of managing the risks associated with implementation of new technology

14. Software risk management: Deals with different types of risks associated with implementation of new softwares

Bank Risk Management:

Bank Risk Management is used mostly in the financial sector. Bank Risk Management involves market risk as well as credit risk management.

Need for Bank Risk Management

Repeated financial disasters faced by financial, non-financial and government bodies have created the need for bank risk management policies. Bank Risk Management gives an idea of future risks and also promotes prudent risk taking behavior. Apart from regulatory requirements, bank risk management is needed by the bank managers for the following reasons:

• Creation of benchmarks for calculation of reward-risk ratios. Investment of capital is then directed to options with high reward risk ratios.
• Estimation of the probable losses. This leads to wise risk taking decision by investors as the risk monitoring part is already put in place. Banks also learn to handle their available liquidity well.

The risks encountered in Bank Risk Management

• Performance risk-This occurs in case where employees are not properly monitored.

Untimely collection of revenues, inability in meeting the set guidelines and the like fall in this category.
• Credit risk-Sometimes the associates are unable to honor their payment obligations. This leads to a change in the net value of assets of the bank
• Operational risk-This arises due to the failure of banks to properly execute their various operational procedures.
• Market risk-Change in market conditions leads to change in the net asset value of banks. The factors here are mostly changes in prices of finished products, fluctuation in exchange rates, equity rates change as also oscillating interest rates

Characteristics of Bank Risk Management Policies

One of the characteristics of bank risk management policies is that it needs to be updated on a regular basis. Bank risk management policies despite their worthiness are resource intensive. They demand considerable time and money. So managers do a cost benefit analysis whenever portfolio composition changes. Banks that are involved in trading go in for

• Intra day risk management on selective areas
• Regular measurement of the overall risks faced by the bank

Regulators are however, more interested at knowing the overall risks as compared to the individual portfolio items. But violation of prescribed regulations in the capital market attracts heavy penalty. The economic theory of risk management states that the risk of a particular portfolio is usually not determined by a simple addition of the component risks. Another characteristic of bank risk management policy is that it is usually not carried out in a decentralized fashion.

Types of risk measurement approaches

• Value at risk analysis: Here we use the distribution on asset return for the purpose of estimation. The resultant estimated figure is the estimated loss.
• Scenario analysis: A prediction is made regarding the change in the value of a portfolio.

A detailed analysis of the types of risk measurement approaches entails description of intricate analytical methods, avoided here.

Project Risk Management:

Project risk management focuses on the management of various types of risks related to a project. Project risk management deals with different types of uncertainties and constraints related to a project (known as project risks). A project risk is a probable origin of variation from the plan of the project and it may have a positive or negative influence on the project. Project risks having negative characteristics are known as threats and project risks bearing positive characteristics are known as opportunities. Efforts are always on to minimize the threats and maximize the opportunities. Project risks can be minimized with the help of eliminating or decreasing them.

The process of project risk management is carried out in a number of steps. Nevertheless, there are two principal phases of project risk management and they are assessment of risk and risk control. There are two main phases of project risk management and they are risk assessment and control of risk. Assessment of risk may be carried out at any point of time within the duration of the project. However, the earlier it is performed, the better it is for the organization. Risk control is always dependent on a proper risk assessment. On the other hand, if risk control measures are not undertaken, there is no use of performing a risk assessment.

Process of Project Risk Management

The process of project risk management can be elaborated as follows:

1. Project Risk Assessment

The process of project risk assessment can be further categorized into the following:

• Identification of risk: The project risks are identified by examining the whole project plan.
• Analysis of risk: Risk analysis can be quantitative or qualitative in nature. In this process, the manner in which the project risks may influence the project performance in terms of expenses, time period or satisfaction of the necessity of the customer is ascertained.
• Prioritization of risk: According to this process, it is determined that which risks require total elimination, which risks require continuous supervision and monitoring and which risks are not so important to supervise.

2. Project Risk Control

Project risk control involves the following steps:

• Avoidance of risk: A plan is chalked out as to how project risks can be eliminated or avoided.
• Risk mitigation: A number of measures are taken beforehand for minimizing the impact of risk.
• Risk transfer: In this way, risk is transferred by buying insurance policies.
• Risk acceptance: Certain risks are accepted because they are regarded as small and do not influence the performance of the company to a significant degree.
• Contingency plan: For risks that are regarded as important, a contingency plan is prepared in advance before those risks occur.
• Measure and control: Observing the outcomes of the risks that have been detected and handling them to a favorable or productive end.

RISK MANAGEMENT STRATEGY

A risk management strategy delineates in what manner the risks are going to be handled. Risk management strategy delineates a technique for analyzing and handling various types of risks. The principles of risk management can be applicable for a number of situations. Risk management strategy acts as a major device for the higher management of a company because with the formulation of a risk management strategy, a number of risks can be averted easily.

The risk strategy and the plan, which is backing it up should recognize the real and probable threats to the productive delivery of a project and ascertain the functions that are necessary to reduce or get rid of the risks. The risk plan should have the capacity to consolidate or co-ordinate with the project plan. One important issue is the suitable conveyance of risk information specifically where escalation is necessary.

Summary Risk Profile (SRP)

The summary risk profile or SRP is an elementary device to enhance risk visibility. It is basically represented in the form of a chart containing information, which is usually obtained from a risk register. The SRP is frequently delineated in the form of a probability/impact matrix. A graphical analysis demonstrates risks according to probability and the degree of influence accompanied by the consequences of mitigation functions taken into consideration. Every risk usually has a figure or any other indicator and substantiating details. The graph has to be modified according to the risk register at fixed intervals. The location of the risk tolerance line is dependent on the company and the project.

. However. This offers the base that backs up the risk management process.  Risk Management: This involves the functions of formulating. Components of Risk Management Strategy Following are the principal components of Risk Management Strategy:  Risk Analysis: This process includes the detection and description of risks along with the analysis of influence and resultant action. The official documentation of details is a significant factor in risk management strategy. risk management and risk analysis are interconnected and accomplished repetitively. supervising. and regulating the operations that would deal with the risks.Application of Risk Management Strategy The risk management strategy can be utilized to analyze a company's preparation for handling risk. These two stages should be handled distinctly to assure that decisions are taken prudently on the basis of crucial details.

STEPS OF RISK ASSESSMENT

A risk assessment is an important step in protecting your workers and your business, as well as complying with the law. It helps you focus on the risks that really matter in your workplace – the ones with the potential to cause real harm. In many instances, straightforward measures can readily control risks, for example ensuring spillages are cleaned up promptly so people do not slip, or cupboard drawers are kept closed to ensure people do not trip. For most, that means simple, cheap and effective measures to ensure your most valuable asset - your workforce - is protected.

The law does not expect you to eliminate all risk, but you are required to protect people as far as ‘reasonably practicable’. This guide tells you how to achieve that with a minimum of fuss.

This is not the only way to do a risk assessment, there are other methods that work well, particularly for more complex risks and circumstances. However, we believe this method is the most straightforward for most organisations.

What is risk assessment?

A risk assessment is simply a careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm. Workers and others have a right to be protected from harm caused by a failure to take reasonable control measures.

Accidents and ill health can ruin lives and affect your business too if output is lost, machinery is damaged, insurance costs increase or you have to go to court. You are legally required to assess the risks in your workplace so that you put in place a plan to control the risks.

How to assess the risks in your workplace

Follow the five steps in this leaflet:

1. Identify the hazards
2. Decide who might be harmed and how
3. Evaluate the risks and decide on precaution
4. Record your findings and implement them
5. Review your assessment and update if necessary

Don’t overcomplicate the process. In many organisations, the risks are well known and the necessary control measures are easy to apply. You probably already know whether, for example, you have employees who move heavy loads and so could harm their backs, or where people are most likely to slip or trip. If so, check that you have taken reasonable precautions to avoid injury.

If you run a small organisation and you are confident you understand what’s involved, you can do the assessment yourself. You don’t have to be a health and safety expert. If you work in a larger organisation, you could ask a health and safety adviser to help you. If you are not confident, get help from someone who is competent. In all cases, you should make sure that you involve your staff or their representatives in the process. They will have useful information about how the work is done that will make your assessment of the risk more thorough and effective. But remember, you are responsible for seeing that the assessment is carried out properly.

When thinking about your risk assessment, remember:

• a hazard is anything that may cause harm, such as chemicals, electricity, working from ladders, an open drawer etc.
• the risk is the chance, high or low, that somebody could be harmed by these and other hazards, together with an indication of how serious the harm could be.

SENSIBLE RISK MANAGEMENT

Principles of sensible risk management

1. Sensible risk management is about:
  o Ensuring that workers and the public are properly protected
  o Providing overall benefit to society by balancing benefits and risks, with a focus on reducing real risks – both those which arise more often and those with serious consequences
  o Enabling innovation and learning not stifling them
  o Ensuring that those who create risks manage them responsibly and understand that failure to manage real risks responsibly is likely to lead to robust action
  o Enabling individuals to understand that as well as the right to protection, they also have to exercise responsibility

2. Sensible risk management is not about:
  o Creating a totally risk free society
  o Generating useless paperwork mountains
  o Scaring people by exaggerating or publicising trivial risks
  o Stopping important recreational and learning activities for individuals where the risks are managed
  o Reducing protection of people from risks that cause real harm and suffering

RISK MANAGEMENT POLICY

Risk Management Policy devises a back up plan for mitigating the negative effects arising out of unforeseen events.

Risk Management Policy implementation

Risk: Risk is an unforeseen event. Its occurrence adversely affects an organization's ability to attain its set goals. Risk can be broadly classified into three categories. They are as follows:

Opportunity: Bringing in the prevailing situations to one's advantage,
Hazard: Negating the possibility of an exposure from turning into a financial loss and
Uncertainty: Dealing with unpredictable and sudden changes

Here, we also note that risk appetite means an organization's decision of risk acceptance in the path of attainment of its set goals. Risks can sometimes be partially phased out to capable third parties. This is done through waivers, insurance policies and contracts. The remaining risk profile needs to be strategically managed.

Purpose of Risk Management Policy

The purpose of risk management policy is manifold. Some of them are listed below.

Improved decision making process: Improved decision making, on account of risk management policy implementation, minimizes the probable losses of the organization. It also leads to a better management of the prevailing uncertainties.

Optimization of use of available resources: Resources are scarce and can be put to alternative uses. Risk management policy devises techniques for the optimum use of this resource.

Prudent acceptance of new opportunities: Risk management policy teaches how to make a cost benefit analysis. So, while accepting new opportunities, one can make a well-informed and well-balanced choice.

Properties required for effective risk management

• Accountability
• Leadership
• Reinforcement
• Strategy
• Effective communication and
• Risk management framework

The above-mentioned characteristics are required for the establishment and also for the smooth execution of risk management policies.

Risk Management Policy is put in place by organizations to ensure their smooth march to success. Since risks are unforeseen events, they may lead to disruptions in the day to day working of the organization. The idea is to predict the risks and formulate an action plan beforehand. The management policy begins by identifying the problem areas or risks faced by an organization. It then formulates strategies or plans to effectively face them. Financial risk management also comes under the purview of Risk Management Policy.

Now comes the implementation stage of the policies formulated. Implementation requires smooth coordination among the different departments of an organization. Proper implementation demands that the process is carried out on a shared responsibility basis. Last but not the least, the Risk Management Policy program is the process of continuous evaluation. Continuous evaluation keeps the process updated. The policy is thus kept flexible and can adjust to changing market conditions.

RISK MANAGEMENT TRAINING

Risk Process Orientation

1. Process Improvement Life Cycle Presenter: This session describes the life cycle context that the risk management process will operate in. Mike reviews current acquisition environments, ESC business activities, spiral development, use of architecture, identification and role of stakeholders and the single manager in the life cycle, and the integrated digital environment.

2. Risk Management Consolidated Training: Risk management at ESC and the ESC EN Risk Management process used in identifying, assessing, analyzing, controlling and managing program risks (e.g., cost, schedule, technical etc.). He discusses the use of tools in risk management, and provides an overview of risk management implementation.

Detailed Risk Process

1. ESC Risk Management Process Training: This training provides a detailed overview of the ESC Risk Management Process and is intended for: Members of Risk Management IPTs, Members of Program Teams, Program Functional Leads (Engineering, Testing, Configuration, etc.), and Others that are designated by the Program Manager. The training provides a working knowledge of the ESC Risk Management Process.

2. ESC Risk Management Process Tool Training: This training provides an overview of the use of productivity tools in support of the ESC Risk Management Process. The training provides an overview of tool use and demonstration of the following productivity tools: Risk Matrix, Risk Radar, and RiskNav. This training is intended for: Members of Risk Management IPTs, Members of Program Teams, Program Functional Leads (Engineering, Testing, Configuration, etc.), and Others that are designated by the Program Manager.

Facilitator Training

1. Facilitation: A facilitator brings prior program experience and environment knowledge to risk assessments.

• A trained facilitator with experience gains domain knowledge from subject matter experts through participation in risk assessments.
• A subject matter expert with domain knowledge gains the ability to effectively communicate that experience to others with facilitation training and participation in risk assessments.
• A new employee can obtain on-the-job training in facilitation, program and domain expertise through participation in risk assessments.

2. ESC Risk Management Process Facilitator Training: This training is intended for individuals who are to provide Risk Management implementation/facilitation at the SPO/Program level. The training will provide these individuals with an overview of training and facilitation techniques, a sample implementation approach, and a detailed exercise in facilitating risk assessment and risk review meetings.

3. Negotiation: Training in Negotiation and Dispute Resolution is also recommended.

RISK MANAGEMENT COMPANIES

The risk management companies are amongst the most precious business organizations nowadays as they are able to identify the risks and also reduce the possibilities of the risks. The risk management companies offer top quality services that are related to the field of risk management and have diverse client groups.

Importance of Risk Management Companies

The risk management companies are extremely important in the present day financial world, as nowadays it has become really important to locate the risks and to try and minimize the potentiality of the risks. The best risk management companies are also able to deal with the various problems of their clients. By virtue of being able to deal with the diverse risk-related problems with a certain degree of efficiency the services of the risk management companies are highly sought after by most of the enterprises that are into some kind of commercial activity or the other.

Client Groups of Risk Management Companies

The risk management companies normally provide their services to the following entities:

• Business organizations
• Individual clients
• Governmental bodies

Services provided by the Risk Management Companies

The following services are provided by the risk management companies that are operating in the global market:

• Security services
• Technology services, electronic evidence and data recovery
• Business intelligence and investigations
• Forensic accounting and litigation consulting
• Background screening

The risk management companies are well known for providing top quality services to the clients. However, these companies have specific strengths, which means that there are certain services at which they are the best of the lot. There are certain risk management companies that are able to provide all the necessary services by themselves in contrast to those risk management companies that deal with only specific services. The services of the risk management companies enable their clients to perform their functions in a smoother manner.

Risk Management Companies

• Professional Risk Management Services Inc.
• Key Risk Management Services Inc.
• Risk Management Services Company
• Risk Management Services, LLC
• The Risk Management Association

Atlantic Risk Management Risk and Insurance Management Society           Cardinal Risk Management Alternatives Global Risk Management Global Risk Management Group The Risk Management Group Information Risk Management Plc KPMG Neural Technologies Limited Pinnacle Risk Management. Inc. Inc. IRIS Integrated Risk Management Risk Management Associates. .       Public Risk Management Association Public Agency Risk Managers Association Corporate Risk Management Inc Risk Management Strategies LLC Diversified Risk Management Inc.
