1. Introduction 1

2. Risk Definition 2-3

2.1 Type of Risks 2

2.2 Characteristics of Risks 3

3. Risk Assessment and Identification 4

4. Management Risk 5

4.1 Risk Management Structure 6

4.2 Risk Management Tools 6

4.3 Function of Risk Management 7

5. Conclusion 7

5.1 Reference 7

Bibliographical 8

The purpose of this write-up is to provide a brief, readable guide to risk assessment and risk identification. Risk is widely recognized as precisely what it implies—a possibility. Within the context of risk analysis, it refers to the possibility of injury, harm, or other adverse and unwanted effects. Risks are commonplace in all of our lives. Risk analysis, risk assessment, and risk management are relatively new terms in public debate; however, they are practices with lengthy

According to historians, the first professional risk assessors were from ancient Babylon (3200 B.C.); they were a special sect of people who served as consultants offering advice on risky, uncertain, or difficult decisions in life—such as marriage proposals or selecting building sites. For more than a century now, risk assessment and risk management have been everyday activities of banking, insurance, and business operations in the world’s industrialized economies. Serious applications in human health and safety emerged in the early decades of this century; research on natural hazard risks and disaster management

Presently, risk analysis is being used to evaluate and manage the potential of unwanted circumstances in a large array of areas: industrial explosions; machine part and other mechanical and process failures; workplace injuries; injury or death from diseases, natural causes, lifestyles, and voluntarily pursued activities; the impacts of economic development on ecosystems; and financial market transactions—among others.




The vocabulary of risk management is defined in ISO Guide 73, "Risk management. Vocabulary".

In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.

Intangible risk management identifies a new type of risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materialises. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers and decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.

Risk management also faces difficulties allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending while maximizing the reduction of the negative effects of risks.


1. Technical Risks: These are performance risks associated with the end items. From the perspective of the building organization, the concern is that the system will not perform as required.

2. Supportability Risks: The risk that an otherwise acceptable system will cost too much to operate and maintain over its life cycle in terms of time, personnel and material resources.

3. Development Risk: A development effort always entails a measure of risk because such efforts always involve aspects that are new to the performing organization. At a minimum, the new aspects are limited to the “reach” aspect of the end item. For example, an experienced design and build team that is extending the performance range for a single parameter of a system probably has a minimal risk.

4. Communications Risk: One of the first risk situations facing such a team is that it invariably requires additional staffing. When new people are hired, some of the negative aspects are that the collective awareness of the nuances of the program is diluted, and people start making decisions with less than complete understanding of the nuances of the program, the company or the customer.


RISK MANAGEMENT is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Science and Technology, actuarial societies, and ISO standards.

Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular


Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk even though the confidence in estimates and decisions

Risk assessments are conducted to estimate how much damage or injury can be expected from exposures to a given risk agent and to assist in judging whether these consequences are great enough to require increased management or regulation. Depending on the kind of hazard, the effects of primary concern might be workplace injuries; reproductive and genetic abnormalities; diseases such as cancer or other debilitating illnesses; or ecological effects such as species extinction, loss of habitat, and other kinds of ecosystem


Risk assessments range widely in scope and complexity, depending on the application: from simple screening analyses to major analytical efforts that require years of effort and a substantial budget. Contemporary risk assessments ordinarily rely on many branches of science—on the methods and knowledge of disciplines such as toxicology, epidemiology, other health and environmental sciences, systems engineering, and related technical areas.

The methods and sequence of steps involved in conducting a risk assessment vary with the kind of risk and its possible consequences. A more specific discussion of these elements for several key risk assessment areas follows in a later section. In its most general form, however, the process consists of a source assessment, an exposure assessment, an effects assessment, and is normally concluded by an integrative risk characterization.

Source assessment seeks to identify and evaluate the sequences of events through which an exposure to a risk agent could arise. In risk assessments of engineering systems, for example, this can be a particularly extensive and detailed exercise—such as evaluating the possibility that a pump in a manufacturing operation might fail, leading through a series of steps to increased levels of toxic substances on the shop floor. Alternatively, this kind of analysis might be aimed at finished products, whose physical features along with typical use patterns could result in safety hazards.

Exposure assessment seeks to determine the number and kinds of people exposed to a risk agent, along with the magnitude, duration, and timing of their exposures. An example is estimating the fate and distribution of a toxic chemical released from a manufacturing facility and providing a description of the characteristics of the exposure of human populations along the path of the chemical. Depending on the needs of the analysis, the evaluation might focus on current, past, or future exposures.

Effects assessment determines the extent of adverse effects likely to result from given levels of exposure to a risk agent. For resource and efficiency reasons, this kind of analysis is usually conducted in stages. The initial analytical step is to determine if exposures to a risk agent at any level could cause adverse effects—for example, whether exposures to a particular industrial chemical could cause cancer or seriously impair nervous system function. Then, if such a conclusion is drawn, a more detailed study is conducted to determine what quantitative relationship (dose–response) exists between the level of exposure and the incidence of adverse effects.

Risk characterization is the concluding step of a risk assessment. This is an important integrative task, which involves assembling the prior analysis components into a bottom-line picture of the nature and extent of the risk. The principal topics include the kinds of health effects likely to arise, the risk’s potency (i.e., the severity of the adverse effects), the populations affected, the likelihood of exposure, and the risk’s ultimate magnitude (i.e., potency adjusted for the likelihood of exposure). Risk characterizations are usually the principal means through which a risk assessment’s findings are communicated to risk managers, policy makers, journalists, and the public. In the past, risk characterizations have frequently consisted of brief descriptions of potential adverse effects and affected populations, along with a single numerical estimate of the level of risk that would summarize whether humans would experience any of the various forms of toxicity or other effects associated with the risk agent. (Often this figure has been in the form of a plausible upper bound on risk, deliberately prepared to provide a conservative estimate that minimizes the chance of underreporting the actual level of risk.) More recently, however, this “short form” approach to risk characterization has been criticized. It is now generally acknowledged that characterizations need to provide deeper insight into how risk estimates and findings are generated (including a discussion of the assumptions that underlie the calculations). In addition, characterizations should consider a range of plausible risk estimates (which could result from the use of plausible alternative assumptions or differing models of exposure and dose–response relationships) and should more clearly discuss the uncertainties and limitations in the empirical data on which the risk assessment is based.
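To make the point about a range of plausible estimates concrete, here is an added Python example (written for this edit, not from the write-up) that evaluates one hazard under two assumed dose–response forms and two exposure scenarios and reports the full range next to the single upper-bound figure a short-form characterization would have given. The relation magnitude = potency × likelihood of exposure follows the definition above; the two model forms, the slope, the threshold, the doses and the exposed fractions are constructed assumptions.

```python
"""Added example (not from the write-up): a risk characterization that reports a
range of plausible estimates rather than a single figure.

ASSUMED model (the page only states it in words): magnitude = potency x likelihood
of exposure, where potency is the probability of the adverse effect at the
estimated dose under a chosen dose-response model. The two model forms, the
doses and the exposure fractions below are constructed for illustration.
"""
import itertools


def linear_no_threshold(dose, slope):
    """Assumed dose-response form: response proportional to dose, no safe level."""
    return min(1.0, slope * dose)


def threshold_linear(dose, slope, threshold):
    """Assumed dose-response form: no response below a threshold, linear above it."""
    return 0.0 if dose <= threshold else min(1.0, slope * (dose - threshold))


# Constructed alternative assumptions; dose units are arbitrary
DOSE_RESPONSE_MODELS = {
    "linear, no threshold": lambda d: linear_no_threshold(d, slope=0.02),
    "threshold at dose 5": lambda d: threshold_linear(d, slope=0.02, threshold=5.0),
}
EXPOSURE_SCENARIOS = {
    "measured: dose 8, 30% exposed": (8.0, 0.30),
    "worst case: dose 20, 60% exposed": (20.0, 0.60),
}


def characterize(models=DOSE_RESPONSE_MODELS, scenarios=EXPOSURE_SCENARIOS):
    """One row per combination of assumptions: (model, scenario, potency, magnitude)."""
    rows = []
    for (mname, model), (sname, (dose, p_exposed)) in itertools.product(
        models.items(), scenarios.items()
    ):
        potency = model(dose)                      # severity term at this dose
        rows.append((mname, sname, potency, potency * p_exposed))
    return rows


def summarize(rows):
    """The short-form single figure (the conservative upper bound) next to the full range."""
    mags = [row[3] for row in rows]
    low, high = min(mags), max(mags)
    return {
        "short_form_upper_bound": high,
        "range": (low, high),
        "upper_bound_over_lowest": high / low if low > 0 else float("inf"),
    }


if __name__ == "__main__":
    rows = characterize()
    for mname, sname, potency, magnitude in rows:
        print(f"{mname:22s} | {sname:34s} | potency {potency:.3f} | magnitude {magnitude:.3f}")
    print(summarize(rows))
```

Reporting only the upper bound would hide that the measured-dose estimates are an order of magnitude lower; the row-by-row table is the "discussion of the assumptions that underlie the calculations" in its smallest form.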


After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.

• Source analysis. Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.

• Problem analysis. Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats may exist with various entities, most importantly with shareholders, customers and legislative bodies such as the government.

When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; privacy information may be stolen by employees even within a closed network; lightning striking a Boeing 747 during takeoff may make all people onboard immediate


The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:

• Objectives-based risk identification. Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as a risk.

• Scenario-based risk identification. In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as a risk.

• Taxonomy-based risk identification. The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks. Taxonomy-based risk identification in the software industry can be found in CMU/SEI-93-TR-6.

• Common-risk checking. In several industries lists with known risks are available. Each risk in the list can be checked for application to a particular situation. An example of known risks in the software industry is the Common Vulnerabilities and Exposures list found at

• Risk charting. (Crockford, N., An Introduction to Risk Management, 2nd edition, Cambridge, UK: Woodhead-Faulkner, 1986, p. 18.) This method combines the above approaches by listing Resources at risk, Threats to those resources, Modifying Factors which may increase or decrease the risk, and Consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.
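As an added illustration of the risk charting method (example code written for this edit, not from the write-up or from Crockford), the following Python builds a small chart under the four headings from constructed rows and shows the three starting points the text describes: by resource, by threat, and by consequence. The entries, the "+"/"-" convention for modifying factors and the helper names are assumptions.

```python
"""Added example (not from the write-up): a risk chart under Crockford's four headings.

Each ChartEntry is one row of the chart: a Resource at risk, a Threat to it, the
Consequence to be avoided, and the Modifying Factors that raise ("+") or lower
("-") the risk. The rows below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ChartEntry:
    resource: str
    threat: str
    consequence: str
    modifying_factors: tuple  # (factor, "+" | "-") pairs; "+" increases the risk


# Constructed chart rows (illustrative, not from the page)
CHART = [
    ChartEntry("customer database", "privacy data theft by insider", "regulatory fine",
               (("closed network", "-"), ("shared admin account", "+"))),
    ChartEntry("customer database", "ransomware", "service outage",
               (("offline backups", "-"),)),
    ChartEntry("project funding", "stakeholder withdrawal", "project cancelled",
               (("single sponsor", "+"),)),
    ChartEntry("web storefront", "ransomware", "service outage",
               (("no tested restore", "+"),)),
]


def threats_to_resource(chart, resource):
    """Start with a resource: which threats is it exposed to, with what consequences?"""
    return sorted({(e.threat, e.consequence) for e in chart if e.resource == resource})


def resources_affected_by(chart, threat):
    """Start with a threat: which resources would it affect?"""
    return sorted({e.resource for e in chart if e.threat == threat})


def paths_to_consequence(chart, consequence):
    """Start with a consequence: which threat/resource combinations bring it about?"""
    return sorted({(e.threat, e.resource) for e in chart if e.consequence == consequence})


def net_modifier(entry):
    """+1 per aggravating factor, -1 per mitigating one: a crude reading of the column."""
    return sum(1 if effect == "+" else -1 for _, effect in entry.modifying_factors)


def matrix(chart):
    """Resource x Threat table; each cell lists the consequences recorded for that pair."""
    table = defaultdict(set)
    for e in chart:
        table[(e.resource, e.threat)].add(e.consequence)
    return {pair: sorted(cons) for pair, cons in table.items()}


if __name__ == "__main__":
    print("by resource :", threats_to_resource(CHART, "customer database"))
    print("by threat   :", resources_affected_by(CHART, "ransomware"))
    print("by outcome  :", paths_to_consequence(CHART, "service outage"))
    for e in CHART:
        print(f"{e.resource:18s} {e.threat:30s} net modifier {net_modifier(e):+d}")
```

The three query functions are the same filter over the same rows; the value of the chart is that it lets the analyst start wherever the available knowledge is strongest and still arrive at the same resource/threat/consequence triples.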

The basic structure recommended for risk management consists of a risk manager who is responsible for the definition, structure, implementation and co-ordination of a risk management approach consistent with the program's system engineering, test, manufacturing and verification plans. The risk manager works on the staff of the program manager. The risk management job is comparable to that of the configuration manager, data manager, program management (PMS) and other staff-level positions that do not have a direct product development role.


The primary functions of risk management tools are to assist in the assessment of risks, to assure that assessments address all pertinent aspects of the program, and to provide specific means of overcoming the underlying bases for risks. The key to assessing risks is to identify any and all aspects of the program with some degree of newness.

Ownership Risk
Ownership risk is a concept of many dimensions and interpretations. The most important aspect of ownership is a clear mutual understanding of the responsibilities among parties to a contract and/or the responsibilities among parties to a co-operation

Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:
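The formula the text was about to give does not survive on the page. The added Python example below (written for this edit, not from the write-up) assumes the common quantification expected loss = probability × impact and applies it to a constructed risk register. It also illustrates the earlier points about prioritization (a ranking by expected loss differs from a ranking by the size of the loss alone, which is where the high-probability/low-loss versus low-probability/high-loss balance gets mishandled) and about opportunity cost (a limited treatment budget allocated by expected-loss reduction per unit cost). Every risk name, probability, impact, control cost and residual probability is constructed.

```python
"""Added example (not from the write-up): ranking a constructed risk register.

The page does not state its formula; this example ASSUMES the common
quantification  expected loss = probability x impact  and uses it to show
(a) why a ranking by expected loss differs from a ranking by impact alone,
(b) a coarse probability/impact matrix for when the numbers are only educated
guesses, and (c) how a limited treatment budget can be allocated by
expected-loss reduction per unit cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # estimated annual probability of occurrence, 0..1
    impact: float       # estimated loss if the event occurs, in currency units

    @property
    def expected_loss(self) -> float:
        return self.probability * self.impact  # assumed quantification


@dataclass(frozen=True)
class Control:
    risk_name: str
    cost: float                  # one-off cost of putting the control in place
    residual_probability: float  # estimated probability once the control is in place


# Constructed sample register and controls (illustrative values, not from the page)
REGISTER = [
    Risk("phishing-led credential theft", 0.60, 100_000),
    Risk("ransomware on file servers", 0.10, 400_000),
    Risk("data-centre fire", 0.01, 5_000_000),
    Risk("laptop lost in transit", 0.80, 5_000),
]
CONTROLS = [
    Control("phishing-led credential theft", 20_000, 0.20),
    Control("ransomware on file servers", 30_000, 0.02),
    Control("data-centre fire", 100_000, 0.002),
    Control("laptop lost in transit", 2_000, 0.10),
]


def rank_by_expected_loss(register):
    """Ideal prioritization: greatest expected loss first."""
    return [r.name for r in sorted(register, key=lambda r: r.expected_loss, reverse=True)]


def rank_by_impact(register):
    """The ranking that results when only the size of the loss is considered."""
    return [r.name for r in sorted(register, key=lambda r: r.impact, reverse=True)]


def qualitative_bucket(risk, prob_cut=0.30, impact_cut=100_000):
    """Two-by-two matrix used when probability and impact are educated guesses."""
    high_p, high_i = risk.probability >= prob_cut, risk.impact >= impact_cut
    if high_p and high_i:
        return "handle first"
    if high_i:
        return "high loss, low probability"
    if high_p:
        return "high probability, low loss"
    return "handle last"


def allocate_budget(register, controls, budget):
    """Greedy allocation: fund controls in order of expected-loss reduction per unit
    cost, skipping any control the remaining budget cannot pay for."""
    by_name = {r.name: r for r in register}

    def reduction(c):
        r = by_name[c.risk_name]
        return (r.probability - c.residual_probability) * r.impact

    chosen, spent, saved = [], 0.0, 0.0
    for c in sorted(controls, key=lambda c: reduction(c) / c.cost, reverse=True):
        if spent + c.cost <= budget:
            chosen.append(c.risk_name)
            spent += c.cost
            saved += reduction(c)
    return chosen, spent, saved


if __name__ == "__main__":
    print("by expected loss:", rank_by_expected_loss(REGISTER))
    print("by impact only:  ", rank_by_impact(REGISTER))
    for r in REGISTER:
        print(f"{r.name:32s} {r.expected_loss:>12,.0f}  {qualitative_bucket(r)}")
    print("budget 50,000 ->", allocate_budget(REGISTER, CONTROLS, 50_000))
```

With these numbers the frequent, moderate phishing loss outranks the rare data-centre fire once probability is taken into account, while an impact-only view puts the fire first; the budget step then funds the two cheapest high-yield controls and leaves the expensive fire control unfunded, which is the opportunity-cost trade-off the text describes.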

1. Goode, H.H. & Machol, R.E., System Engineering: An Introduction to the Design of Large-Scale Systems, McGraw-Hill, 1957
2. System Engineering Management, Defense Systems Management College, 1989
3. Blanchard, B.J., System Engineering Management, John Wiley & Sons Inc., 1991
4. Hubbard, Douglas, "The Failure of Risk Management: Why It's Broken and How to Fix It", p. 46, John Wiley & Sons, 2009
5. ISO/IEC Guide 73:2002 (2002). Risk management -- Vocabulary -- Guidelines for use in standards. International Organization for Standardization.
6. ISO/DIS 31000 (2009). Risk management -- Principles and guidelines on implementation. International Organization for Standardization.
7. "Committee Draft of ISO 31000 Risk management" (PDF). International Organization for Standardization.
8. Disaster Recovery Journal
9. Dorfman, Mark S. (2007). Introduction to Risk Management and Insurance (9th Edition). Englewood Cliffs, N.J.: Prentice Hall. ISBN 0-13-224227-3.
10. Roehrig, P. (2006). Bet On Governance To Manage Outsourcing Risk. Business Trends Quarterly

1. Risk Management: Concepts and Guidance, Defense Systems Management College, Fort Belvoir.

2. Design to Reduce Technical Risk, AT&T, McGraw-Hill, 1993

3. Military Standard, Engineering Management, MIL-STD-499A, 1974