Steps of the Risk Management

Process?
Step 1. Communicate and consult.
Step 2. Establish the context.
Step 3. Identify the risks.
Step 4. Analyze the risks.
Step 5. Evaluate the risks.
Step 6. Treat the risks.
Step 7. Monitor and review.

2
3
PREPARING RISK MGT. PLAN
1. Describe how you did each of the above risk
management steps.
A) How risks in the internal & external context
were identified
 internal and external stakeholders identified
 Method & Media used for Communicating &
consulting with stakeholders in identifying risks
B) risk Identified
 Discuss the methodologies and methods used to
identify risks.
 Present in risk statements (cause/s – event -
consequences)

4
STEP 1.COMMUNICATE AND CONSULT

-Communication and
consultation aims to identify
who should be involved in
assessment of risk (including
identification,analysis and
evaluation) and it should
engage those who will be
involved in the treatment,
monitoring and review of risk.

5
6
-As such, communication and consultation will be
reflected in each step of the process described
here.

-As an initial step, there are two main aspects that

should be identified in order to establish the
requirements for the remainder of the process.

-These are communication and consultation

aimed at:
A- Eliciting risk information
B-Managing stakeholder perceptions for
management of risk.
7
A- Eliciting risk information

-Communication and consultation may occur

within the organization or between the
organization and its stakeholders.

-It is very rare that only one person will hold all
the information needed to identify the risks
to a business or even to an activity or
project.

-It therefore important to identify the range of

stakeholders who will assist in making this
information complete.

8
B-MANAGING STAKEHOLDER PERCEPTIONS FOR
MANAGEMENT OF RISK

9
TIPS FOR EFFECTIVE COMMUNICATION AND
CONSULTATION

• Determine at the outset whether a

communication strategy and/or plan is
required

• Determine the best method or media for

communication and consultation

• The significance or complexity of the issue or

activity in question can be used as a guide as
to how much communication and
consultation is required: the more complex
and significant to the organization, the more
detailed and comprehensive the 10
requirement.
STEP 2. ESTABLISH THE CONTEXT

provides a five-step process to

assist with establishing the
context within which risk will
be identified.
1-Establish the internal context
2-Establish the external context
3-Establish the risk management
context
4- Develop risk criteria
5- Define the structure for risk
analysis
11
1- Establish the internal context

-As previously discussed, risk is the chance of

something happening that will impact on
objectives.
As such, the objectives and goals of a business,
project or activity must first be identified to
ensure that all significant risks are
understood.
This ensures that risk decisions always support
the broader goals and objectives of the
business. This approach encourages long-
term and strategic thinking.

12
In establishing the internal context, the
business owner may also ask themselves the
following questions:

- Is there an internal culture that needs to be

considered? For example, are staff Resistant
to change? Is there a professional culture
that might create unnecessary risks for the
business?
- What staff groups are present?
- What capabilities does the business have in
terms of people, systems, processes,
equipment and other resources?

13
2. ESTABLISH THE EXTERNAL CONTEXT

This step defines the overall environment in

which a business operates and includes an
understanding of the clients’ or customers’
perceptions of the business. An analysis of
these factors will identify the strengths,
weaknesses, opportunities and threats to the
business in the external environment.

14
A business owner may ask the following
questions when determining the external
context:
• What regulations and legislation must the
business comply with?
• Are there any other requirements the
business needs to comply with?
• What is the market within which the business
operates? Who are the competitors?
• Are there any social, cultural or political
issues that need to be considered?

15
Tips for establishing internal and external contexts

-Determine the significance of the activity in

achieving the organization's goals and
objectives
(Core purpose – to be a catalyst for socio economic
development of the country/region by providing safe,
reliable & affordable public transportation )
- Define the operating environment
- Identify internal and external stakeholders
and determine their involvement in the risk
management process.

16
3- ESTABLISH THE RISK MANAGEMENT
CONTEXT

- Before beginning a risk identification

exercise, it is important to define the limits,
objectives and scope of the activity or issue
under examination.

- For example, in conducting a risk analysis for

a new project, such as the introduction of a
new piece of equipment or a new product
line, it is important to clearly identify the
parameters for this activity to ensure that all
significant risks are identified.
17
Tips for establishing the risk management context

• Define the objectives of the activity, task or

function
• Identify any legislation, regulations, policies,
standards and operating procedures that
need to be complied with
• Decide on the depth of analysis required and
allocate resources accordingly
• Decide what the output of the process will
be, e.g. a risk assessment, job safety
analysis or a board presentation. The output
will determine the most appropriate structure
and type of documentation.

18
4. Develop risk criteria

Risk criteria allow a business to clearly

define unacceptable levels of risk.
Conversely, risk criteria may include the
acceptable level of risk for a specific activity
or event. In this step the risk criteria may be
broadly defined and then further refined later
in the risk management process.

19
Tips for developing risk criteria

• Decide or define the acceptable level of risk for each activity

• Determine what is unacceptable
• Clearly identify who is responsible for accepting risk and at what level.

20
5. DEFINE THE STRUCTURE FOR RISK
ANALYSIS
Isolate the categories of risk that you want to manage. This will provide greater
depth and accuracy in identifying significant risks.
The chosen structure for risk analysis will depend upon the type of activity or
issue,
its complexity and the context of the risks.

21
STEP 3. IDENTIFY THE RISKS

Risk cannot be managed

unless it is first identified.
Once the context of the
business has been defined,
the next step is to utilize the
information to identify as
many risks as possible.

22
The aim of risk identification is to identify
possible risks that may affect, either
negatively or positively, the objectives of the
business and the activity under analysis.
Answering the following questions identifies
the risk:

23
There are two main ways to identify risk:

1- Identifying retrospective risks

Retrospective risks are those that have

previously occurred, such as incidents or
accidents. Retrospective risk identification is
often the most common way to identify risk,
and the easiest. It’s easier to believe
something if it has happened before. It is
also easier to quantify its impact and to see
the damage it has caused.

24
There are many sources of information about retrospective risk. These include:

• Hazard or incident logs or registers

• Audit reports
• Customer complaints
• Accreditation documents and reports
• Past staff or client surveys
• Newspapers or professional media, such as
journals or websites.

25
2-Identifying prospective risks

Prospective risks are often harder to identify.

These are things that have not yet happened,
but might happen some time in the future.

Identification should include all risks, whether

or not they are currently being managed. The
rationale here is to record all significant risks
and monitor or review the effectiveness of
their control.

26
Methods for identifying prospective risks include:

• Brainstorming with staff or external

stakeholders
• Researching the economic, political,
legislative and operating environment
• Conducting interviews with relevant people
and/or organizations
• Undertaking surveys of staff or clients to
identify anticipated issues or problems
• Flow charting a process
• Reviewing system design or preparing
system analysis techniques.

27
TIPS FOR EFFECTIVE RISK IDENTIFICATION

Select a risk identification methodology

appropriate to the type of risk and the nature
of the activity
Involve the right people in risk identification
activities
Take a life cycle approach to risk identification
and determine how risks change and evolve
throughout this cycle.

28
risk identification tools

•C H E C K L I ST
•F LOW C H A R T
•R I S K I N S P E C T I O N
•H A Z OP
•H A Z A N
•FAU LT T R E E ME T H O D
•H A Z A R D IN D I C E S
 COMMON RISK IDENTIFICATION METHODS

. Objectives-based risk identification[citation needed] - Organizations and project

teams have objectives. Any event that may endanger achieving an objective
partly or completely is identified as risk.

Scenario-based risk identification - In scenario analysis different scenarios are

created. The scenarios may be the alternative ways to achieve an objective, or
an analysis of the interaction of forces in, for example, a market or battle. Any
event that triggers an undesired scenario alternative is identified as risk – see
Futures Studies for methodology used by Futurists.

Taxonomy/catalog/classification-based risk identification - The taxonomy in

taxonomy-based risk identification is a breakdown of possible risk sources.
Based on the taxonomy and knowledge of best practices, a questionnaire is
compiled. The answers to the questions reveal risks.[6]
Common risk identification methods

Common-risk checking[citation needed] - In several industries, lists with

known risks are available. Each risk in the list can be checked for
application to a particular situation.[7]

Risk charting [8] - This method combines the above approaches by

listing resources at risk, threats to those resources, modifying
factors which may increase or decrease the risk and consequences
it is wished to avoid. Creating a matrix under these headings enables
a variety of approaches. One can begin with resources and consider
the threats they are exposed to and the consequences of each.
Alternatively one can start with the threats and examine which
resources they would affect, or one can begin with the
consequences and determine which combination of threats and
resources would be involved to bring them about.
CAUSE-EFFECT DIAGRAM
Known under various different names:
Cause-Effect diagram
Fishbone Diagram
Ishikawa (Kaoru Ishikawa - who invented in the sixties)
CAUSE-EFFECT DIAGRAM
(ISHIKAWA)

Machine Method Material

Major
Defect

Energy Personnel Environment

 CAUSE-EFFECT DIAGRAM
(ISHIKAWA)
Usually most effective when done in groups

Start from the right

The "Four-M" categories are typically used as a starting
point: "Materials", "Machines", "Manpower", and
"Methods”.
The subdivision into ever increasing specificity
continues as long as the problem areas can be further
subdivided.
The practical maximum depth of this tree is usually about
four or five levels.
When the fishbone is complete, one has a rather
complete picture of all the possibilities about what
could be the root cause for the designated problem.
BOEHM’S TOP 10 RISKS & COUNTERMEASURES (1/4)
Personnel Shortfalls
 Staffing with top talent; job matching; team-building; morale building; cross-
training; pre-scheduling key people.
Unrealistic Schedules and Budgets
 Detailed, multi-source cost & schedule estimation; design to cost; incremental
development; software reuse; req. scrubbing.
BOEHM’S TOP 10 RISKS & COUNTERMEASURES (2/4)

Developing the wrong software functions

 Organizational analysis; mission analysis;
operational concept formulation; user surveys;
prototyping; early users’ manuals.
Developing the wrong user interface
 Prototyping; scenarios; task analysis.
Gold-plating
 Requirements scrubbing; prototyping; cost-benefit
analysis; design to cost
BOEHM’S TOP 10 RISKS & COUNTERMEASURES (3/4)

Continuing stream of requirements changes

 High change threshold; information-hiding; incremental
development (defer changes to later increments).
Shortfalls in externally-performed tasks
 Reference-checking; pre-award audits; award-fee contracts;
competitive design or prototyping; team-building.
Shortfalls in externally-furnished components
 Benchmarking; inspections; reference checking; compatibility
analysis.
BOEHM’S TOP 10 RISKS & COUNTERMEASURES (4/4)

Real-time performance shortfalls

 Simulation; benchmarking; modeling; prototyping;
instrumentation; tuning.
Straining computer science capabilities
 Technical analysis; cost-benefit analysis; prototyping;
ref. checking.
RISK IDENTIFICATION: OUTPUT
Risk register. It contains:
List of identified risks
List of potential responses
Other information about risks

(actually more information will be added to the

risk register, as we continue with the
description of the risk management activities)
Writing the Risk Statement: Identified risks are described and
communicated to management in the form of risk statements. A risk
statement provides the clarity and descriptive information required for a
reasoned and defensible assessment of the risk's occurrence probability
and areas of impact. A well-written risk statement contains two
components. They are a statement of the Condition Present and the
Associated Risk Event (or events).
Example 1: Risk Statement
"A large part of the software must now be written in C++; the time required
to train the development team in C++ will extend the project's schedule
by 3 months".

40
Condition Present and Associated Risk Event Risk Statement -
The Condition Present is {A large part of the software must now
be written in C++};
the Associated Risk Event is {the time required to train the
development team in this language will extend the project's
schedule by 3 months}.
In a risk statement, the Condition Present is itself an event; it is an
event that has occurred or is presently occurring. Associated
Risk Events are future events that might occur because of the
Condition Present.
The Condition Present acts as the departure point from which one
or more Associated Risk Events may originate. Example 2
illustrates how three risk events A1, A2, and A3 originate from a
single condition.

41
Example 2: Condition Present
{Version 1.0 (v1.0) of the enterprise system architecture is not yet defined;
furthermore, the schedule required to deliver the architecture is highly
compressed and not synchronized to the major funding and review
milestones of the systems being upgraded to comply to this
architecture.}

Risk Events:

A1 = {Milestone funding and review schedules for each system being

upgraded will slip by more than 3 months due to the time required for
them to properly apply and demonstrate compliance to the v1.0
architecture.}

A2 = {Once v1.0 is delivered, the current designs of the systems being

upgraded may be inadequate to support the interoperability
requirements of users.}

A3 = {The systems being upgraded may design functionality that is

42
significantly less in scope than v1.0 will require.}
STEP 4. ANALYZE THE RISKS
During the risk identification
step, a business owner may
have identified many risks
and it is often not possible
to try to address all those
identified.
The risk analysis step will
assist in determining which
risks have a greater
consequence or impact than
others. 43
What is risk analysis?

Risk analysis involves combining the possible

consequences, or impact, of an event,

with the likelihood of that event occurring. The

result is a ‘level of risk’. That is:

Risk = consequence x likelihood

44
Elements of risk analysis

The elements of risk analysis are as follows:

1. Identify existing strategies and controls that

act to minimize negative risk and enhance
opportunities.
2. Determine the consequences of a negative
impact or an opportunity (these may be
positive or negative).
3. Determine the likelihood of a negative
consequence or an opportunity.
4. Estimate the level of risk by combining
consequence and likelihood.
5. Consider and identify any uncertainties in
the estimates.
45
Types of analysis

Three categories or types of analysis can be

used to determine level of risk:
• Qualitative
• Semi-quantitative
• Quantitative.

- The most common type of risk analysis is the

qualitative method. The type of analysis chosen
will be based upon the area of risk being
analyzed.

46
Tips for effective risk analysis

• Risk analysis is usually done in the context

of existing controls – take the time to identify
them
• The risk analysis methodology selected
should, where possible, be comparable to
the significance and complexity of the risk
being analyzed, i.e. the higher the potential
consequence the more rigorous the
methodology
• Risk analysis tools are designed to help rank
or priorities risks. To do this they must be
designed for the specific context and the risk
dimension under analysis.
47
Risk analysis

is a process that is used to understand the nature,

sources, and causes of the risks that you have identified
and to estimate the level of risk. It is also used to study
impacts and consequences and to examine the controls
that currently exist. How detailed your risk analysis ought
to be will depend upon the risk, the purpose of the
analysis, the information you have, and the resources
available
STEP 5. EVALUATE THE RISKS

Risk evaluation involves comparing

the level of risk found during the
analysis process with previously
established risk criteria, and
deciding whether these risks require
treatment.
The result of a risk evaluation is a
prioritized list of risks that require
further action.
This step is about deciding whether
risks are acceptable or need
treatment.
54
Risk acceptance

A risk may be accepted for the following

reasons:

• The cost of treatment far exceeds the benefit,

so that acceptance is the only option (applies
particularly to lower ranked risks)
• The level of the risk is so low that specific
treatment is not appropriate with available
resources
• The opportunities presented outweigh the
threats to such a degree that the risks
justified
• The risk is such that there is no treatment
available, for example the risk that the
business may suffer storm damage. 55
Risk criteria
Risk criteria are terms of reference and are used to evaluate the
significance or importance of an organization’s risks. They are used
to determine whether a specified level of risk is acceptable or
tolerable.

Risk criteria should reflect your organization’s values, policies, and

objectives, should be based on its external and internal context,
should
consider the views of stakeholders, and should be derived from
standards, laws, policies, and other requirements.
The level of risk is its magnitude. It is estimated by
considering and combining consequences and
likelihoods.

A level of risk can be assigned to a single risk or to a

combination of risks.

A consequence is the outcome of an event and has an

effect on objectives.

Likelihood is the chance that something might happen.

STEP 6. TREAT THE RISKS

Risk treatment is about

considering options for treating
risks that were not considered
acceptable or tolerable at Step 5.

Risk treatment involves identifying

options for treating or controlling
risk, in order to either reduce or
eliminate negative consequences,
or to reduce the likelihood of an
adverse occurrence. Risk
treatment should also aim to
enhance positive outcomes.

65
Options for risk treatment:

identifies the following options that may assist in

the minimization of negative risk or an increase in
the impact of positive risk.
1. avoid the risk,
2. reduce the risk,
3. remove the source of the risk,
4. modify the consequences,
5. change the probabilities,
6. share the risk with others,
7. simply retain the risk,
8. increase the risk in order to pursue an opportunity66
Tips for implementing risk treatments

• The key to managing risk is in implementing

effective treatment options
• When implementing the risk treatment plan,
ensure that adequate resources are
available, and define a timeframe,
responsibilities and a method for monitoring
progress against the plan
• Physically check that the treatment
implemented reduces the residual risk level
• In order of priority, undertake remedial
measures to reduce the risk.
67
STEP 7. MONITOR AND REVIEW

Monitor and review is an

essential and integral step in
the risk management process.
A business owner must monitor
risks and review the
effectiveness of the treatment
plan, strategies and
management system that have
been set up to effectively
manage risk.

68
Risks need to be monitored periodically to
ensure changing circumstances do not alter
the risk priorities. Very few risks will remain
static, therefore the risk management
process needs to be regularly repeated, so
that new risks are captured in the process
and effectively managed.
A risk management plan at a business level
should be reviewed at least on an annual
basis. An effective way to ensure that this
occurs is to combine risk planning or risk
review with annual business planning.
69
SUMMARY OF RISK MANAGEMENT
STEPS

70