Risk Management
What Is Risk Identification?
Imagine yourself as a project manager working on a new website for your company. Even though the project is quite small, it's necessary for you to carry out a thorough risk management analysis to ensure that the website is delivered by an agreed deadline and at an agreed cost. Risk management will ensure that the core functionalities of the website will be delivered and that the design standards will not be compromised.
Traditional approach
• Observe those past events that caused losses, and then find out measures to prevent their occurrence
Modern approach
• Identify the possibility of losses, or the reasons for the occurrence of losses, before the losses actually occur
• Brainstorming - When objectives are stated clearly and understood by the participants, a brainstorming session drawing on the creativity of the participants can be used to generate a list of risks
• Flowchart Method - Used to graphically and sequentially depict the activities of an operation or process in order to identify exposures, perils and hazards.
• SWOT Analysis - A technique often used in the formulation of strategy. The strengths and weaknesses are internal to the company and include the company's culture, structure, and financial and human resources. The major strengths of the company combine to form the core competencies that provide the basis for the company to achieve a competitive advantage.
• Risk analysis questionnaire
The risk management process on a project consists of four steps:
• Risk identification
• Risk assessment
• Risk response development, and
• Risk response control
Risk Exposure
Risk is everywhere and is part of all activities. We have all had to deal with risk in our own lives. In general terms, risk is the possibility of loss. Sometimes, we discuss risk in terms of exposure. Risk exposure is a measure of possible future loss (or losses) which may result from an activity or occurrence. In business, risk exposure is often used to rank the probability of different types of losses and to determine which losses are acceptable or unacceptable. These losses may include legal liability, property loss or damage, unexpected employee turnover, or changes in consumer demand, to name a few.
3. Liability Exposure
• Existence of a legal system/contracts
• A firm has to act in accordance with the terms of the contract it entered; otherwise it will suffer a loss
• Different from asset exposures
• Liability exposure is only a pure risk
SWOT Analysis
Commonly used as a planning tool for analyzing a business, its resources and its environment by looking at internal strengths and weaknesses, and at opportunities and threats in the external environment.
Process Flowcharts
Focusing on project processes such as the schedule network
diagram, communications, information flows, decision making,
Intranet usages, documentation, e-mail, manufacturing, coding,
testing, etc., will inevitably disclose potential project threats.
Ishikawa Diagrams
The Ishikawa diagram (also called a fishbone diagram or cause-and-effect diagram) is a diagram that shows the causes of a certain event. A common use of the Ishikawa diagram is in identifying potential factors that might produce unfavorable events or conditions.
Brainstorming
The convenient practice of brainstorming can also aid in the identification of project risks. Any possible condition or event that might prevent reaching project goals should be presented without evaluation. It is the combination of ideas that often generates new ideas and views.
Assumption Analysis
Identifying the different assumptions of the project and determining their validity further helps in identifying risks for the project.
Expert Judgement
Individuals who have experience with similar projects in the not too distant past may contribute their judgment through interviews or risk facilitation workshops.
Risk Checklists
With project schedules becoming increasingly shorter, project
managers must find ways to identify project risks rapidly. One
means of accomplishing this is by developing a checklist of project
aspects that might present risks. This checklist should be very
generic and can be carried from project to project.
Affinity Diagram
A business tool used to organize ideas and data. The tool is
commonly used within project management and allows large
numbers of ideas to be sorted into groups for review and analysis.
Historical data to help assess risk is frequently available from the past
performance assessments and lessons learned of acquisition programs
and contractors. In many cases, MITRE staff will assist the government
in preparing performance information for a particular acquisition. The
AF has a Past Performance Evaluation Guide (PPEG) that identifies the
type of information to capture that can be used for future government
source selections [3]. This repository of information can help provide
background information of previous challenges and where they might
arise again—both for the particular type of development activity as well
as with the particular contractors.
There are numerous technical assessments for vendor products that can
be accessed to determine the risk and viability of various products. One
MITRE repository of evaluations of tools is the Analysis Toolshed that
contains guidance on and experience with analytical tools. Using
resources like these and seeking others who have tried products and
techniques in prototypes and experiments can help assess the risks for a
particular effort.
Risk Exposure
The measure of potential future loss resulting from a specific activity or
event.
Identification
All stakeholders are asked to identify risk. This helps to improve acceptance of an initiative, as everyone is given the opportunity to express all the things that can go wrong. Sophisticated entities may also identify risks by looking in databases of issues that occurred with similar programs, strategies or projects.
Moment Of Risk
Listing out the specific conditions that cause the risk to be more likely to occur. For example, a risk on a construction site may be associated with a particular activity or construction stage.
Treatment
Risk treatment options include acceptance, mitigation, transfer, sharing and avoidance. When a risk is mitigated, the probability and impact typically need to be re-evaluated.
Secondary Risk
Evaluation of risks caused by treatments. For example, avoiding or
mitigating a risk can result in new risks.
Residual Risk
Calculating the probability and impact of remaining risk after treatment.
For example, the risk that remains after including secondary risk.
What is Risk Evaluation?
Risk evaluation is the process to determine the significance of each risk.
There are two ways to evaluate risks:
2. Probability/Impact Method
I normally use this technique with larger, more complex projects and
with teams that have experience with risk assessments.
Program Management
The Probability/Impact Method also helps in programs. I total the risk
scores within each project to calculate the Project Risk Score and
compare the scores between projects. This helps me understand which
projects have the greatest risk exposure and where I need the most
skilled people.
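The following is an added example, not part of the original text, showing the Probability/Impact Method described above as a small risk register: each risk scores probability times impact, the Project Risk Score totals those scores, projects in a program are ranked by that total, and the residual score re-evaluates each risk after treatment (including any secondary risks the treatment creates, and a zero score for avoided risks). The project names, risks, the 1-5 scale and the treatment labels are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed 5-point scale: 1 = very low ... 5 = very high.
SCALE = range(1, 6)


@dataclass
class Risk:
    name: str
    probability: int
    impact: int
    treatment: str = "accept"  # accept | mitigate | transfer | share | avoid
    # Re-evaluated scores after treatment; None means unchanged.
    residual_probability: Optional[int] = None
    residual_impact: Optional[int] = None
    # New risks introduced by the treatment itself (secondary risks).
    secondary: list["Risk"] = field(default_factory=list)

    def __post_init__(self) -> None:
        for v in (self.probability, self.impact,
                  self.residual_probability, self.residual_impact):
            if v is not None and v not in SCALE:
                raise ValueError(f"{self.name}: score {v} outside {list(SCALE)}")

    def score(self) -> int:
        """Risk exposure before treatment: probability x impact."""
        return self.probability * self.impact

    def residual_score(self) -> int:
        """Exposure left after treatment, plus any secondary risks it created."""
        if self.treatment == "avoid":
            own = 0  # the activity is dropped, so this risk cannot occur
        else:
            p = self.residual_probability or self.probability
            i = self.residual_impact or self.impact
            own = p * i
        return own + sum(r.score() for r in self.secondary)


def project_risk_score(risks: list[Risk]) -> int:
    """Project Risk Score: total of the individual risk scores."""
    return sum(r.score() for r in risks)


def project_residual_score(risks: list[Risk]) -> int:
    """Total exposure that remains once every planned treatment is applied."""
    return sum(r.residual_score() for r in risks)


def rank_projects(program: dict[str, list[Risk]]) -> list[tuple[str, int, int]]:
    """Rank projects by exposure so the highest-risk ones get attention first."""
    rows = [(name, project_risk_score(rs), project_residual_score(rs))
            for name, rs in program.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample program with two projects (illustrative values only).
PROGRAM = {
    "Website redesign": [
        Risk("Key developer leaves", 3, 4, "mitigate",
             residual_probability=2,
             secondary=[Risk("Onboarding cost overrun", 2, 2)]),
        Risk("Hosting outage", 2, 3, "transfer",
             residual_probability=1, residual_impact=1),
    ],
    "Payment migration": [
        Risk("Payment processing outage", 2, 5, "mitigate", residual_probability=1),
        Risk("Regulatory change", 3, 3, "accept"),
        Risk("Legacy data corruption", 1, 5, "avoid"),
    ],
}

if __name__ == "__main__":
    for name, score, residual in rank_projects(PROGRAM):
        print(f"{name:20s} score={score:3d} residual={residual:3d}")
```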
Risk control
Risk control is the set of methods by which firms evaluate potential
losses and take action to reduce or eliminate such threats. It is a
technique that utilizes findings from risk assessments, which involve
identifying potential risk factors in a company's operations, such as
technical and non-technical aspects of the business, financial policies
and other issues that may affect the wellbeing of the firm.
Loss reduction accepts the risk and seeks to limit losses when a
threat occurs. For example, a company storing flammable material
in a warehouse installs state-of-the-art water sprinklers for
minimizing damage in case of fire.
Business risk comes in a variety of tangible and intangible forms over the
course of the business life cycle. Some risks occur during the ordinary
course of corporate operations, while others are due to extraordinary
circumstances that are not easily identified. Regardless of a
company's business model, industry or level of earnings, business risks
must be identified as a strategic aspect of business planning.
Once risks are identified, companies take the appropriate steps to manage
them to protect their business assets. The most common types of risk
management techniques include avoidance, mitigation, transfer, and
acceptance.
Avoidance of Risk
The easiest way for a business to manage its identified risk is to avoid it
altogether. In its most common form, avoidance takes place when a
business refuses to engage in activities known or perceived to carry a risk
of any kind. For instance, a business could forgo purchasing a building for
a new retail location, as the risk of the venue not generating
enough revenue to cover the cost of the building is high.
Risk Mitigation
Businesses can also choose to manage risk through mitigation or
reduction. Mitigating business risk is meant to lessen any negative
consequence or impact of specific, known risks, and is most often used
when those risks are unavoidable. For example, an automaker mitigates
the risk of recalling a certain model by performing research and detailed
analysis of the potential costs of such a recall. If the capital required to pay
buyers for losses incurred through a faulty vehicle is less than the total
cost of the recall, the automaker may choose to not issue a recall.
Risk Acceptance
Risk management can also be implemented through the acceptance of
risk. Companies retain a certain level of risk brought on by specific projects
or expansion if the anticipated profit generated from the activity is far
greater than its potential risk. For example, pharmaceutical
companies often utilize risk retention or acceptance when developing
a new drug. The cost of research and development does not outweigh the
potential for revenue generated from the sale of the new drug, so the risk
is deemed acceptable.
Businesses face all kinds of risks, some of which can cause serious loss
of profits or even bankruptcy. But while all large companies have
extensive "risk management" departments, smaller businesses tend not
to look at the issue in such a systematic way.
So in this four-part series of tutorials, you’ll learn the basics of risk
management and how you can apply them in your business.
In this first tutorial, we’ll look at the main types of risk your business
may face. You’ll get a rundown of strategic risk, compliance risk,
operational risk, financial risk, and reputational risk, so that you
understand what they mean, and how they could affect your business.
Then we’ll get into the specifics of identifying and dealing with these
risks in later tutorials in the series.
1. Strategic Risk
Everyone knows that a successful business needs a comprehensive,
well-thought-out business plan. But it’s also a fact of life that things
change, and your best-laid plans can sometimes come to look very
outdated, very quickly.
This is strategic risk. It’s the risk that your company’s strategy becomes
less effective and your company struggles to reach its goals as a result. It
could be due to technological changes, a powerful new competitor
entering the market, shifts in customer demand, spikes in the costs of
raw materials, or any number of other large-scale changes.
It’s easy to say with hindsight, of course, but if Kodak had analyzed the
strategic risk more carefully, it would have concluded that someone else
would start producing digital cameras eventually, so it was better for
Kodak to cannibalize its own business than for another company to do
it.
Failure to adapt to a strategic risk led to bankruptcy for Kodak. It’s now
emerged from bankruptcy as a much smaller company focusing on
corporate imaging solutions, but if it had made that shift sooner, it could
have preserved its dominance.
2. Compliance Risk
Are you complying with all the necessary laws and regulations that
apply to your business?
Of course you are (I hope!). But laws change all the time, and there’s
always a risk that you’ll face additional regulations in the future. And as
your own business expands, you might find yourself needing to comply
with new rules that didn’t apply to you before.
For example, let’s say you run an organic farm in California, and sell
your products in grocery stores across the U.S. Things are going so well
that you decide to expand to Europe and begin selling there.
And finally, even if your business remains unchanged, you could get hit
with new rules at any time. Perhaps a new data protection rule requires
you to beef up your website’s security, for example. Or employee safety
regulations mean you need to invest in new, safer equipment in your
factory. Or perhaps you’ve unwittingly been breaking a rule, and have to
pay a fine. All of these things involve costs, and present a compliance
risk to your business.
3. Operational Risk
So far, we’ve been looking at risks stemming from external events. But
your own company is also a source of risk.
Operational risk refers to an unexpected failure in your company’s day-
to-day operations. It could be a technical failure, like a server outage, or
it could be caused by your people or processes.
In some cases, operational risk has more than one cause. For example,
consider the risk that one of your employees writes the wrong amount
on a check, paying out $100,000 instead of $10,000 from your account.
That’s a “people” failure, but also a “process” failure. It could have been
prevented by having a more secure payment process, for example
having a second member of staff authorize every major payment, or
using an electronic system that would flag unusual amounts for review.
In some cases, operational risk can also stem from events outside your
control, such as a natural disaster, or a power cut, or a problem with
your website host. Anything that interrupts your company’s core
operations comes under the category of operational risk.
While the events themselves can seem quite small compared with the
large strategic risks we talked about earlier, operational risks can still
have a big impact on your company. Not only is there the cost of fixing
the problem, but operational issues can also prevent customer orders
from being delivered or make it impossible to contact you, resulting in a
loss of revenue and damage to your reputation.
4. Financial Risk
Most categories of risk have a financial impact, in terms of extra costs or
lost revenue. But the category of financial risk refers specifically to the
money flowing in and out of your business, and the possibility of a
sudden financial loss.
For example, let’s say that a large proportion of your revenue comes
from a single large client, and you extend 60 days' credit to that client
(for more on extending credit and dealing with cash flow, see our
earlier cash flow tutorial).
Having a lot of debt also increases your financial risk, particularly if a lot
of it is short-term debt that’s due in the near future. And what if interest
rates suddenly go up, and instead of paying 8% on the loan, you’re now
paying 15%? That’s a big extra cost for your business, and so it’s
counted as a financial risk.
5. Reputational Risk
There are many different kinds of business, but they all have one thing
in common: no matter which industry you’re in, your reputation is
everything.
Next Steps
So now you know about the main risks your business could face. We’ve
covered five types of business risk, and given examples of how they can
affect your business.
It’s not much use, for example, to say, “Our business is subject to
operational risk.” You need to get very granular, and go through every
aspect of your operations to come up with specific things that could go
wrong. Then you can come up with a strategy for dealing with those
risks.
We’ll cover all of that in the rest of the tutorials, so stay tuned for the
rest of the series on how to manage risk in your business. Next up is a
tutorial on measuring and evaluating different risks.
6 fundamental techniques of risk control
Avoidance
Avoidance is the best means of loss control. This is because, as the name
implies, you’re avoiding the risk completely. If your efforts at avoiding
the loss have been successful, then there is a 0% probability that you’ll
suffer a loss (from that particular risk factor, anyway). This is why
avoidance is generally the first of the risk control techniques that’s
considered. It’s a means of completely eliminating a threat.
Loss Prevention
Loss prevention is a technique that limits, rather than eliminates, loss.
Instead of avoiding a risk completely, this technique accepts a risk but
attempts to minimize the loss as a result of it. For example, storing
inventory in a warehouse means that it is susceptible to theft. However,
since there really is no way to avoid it, a loss prevention program is put
in place to minimize the loss. This program can include patrolling
security guards, video cameras, and secured storage facilities.
Loss Reduction
Loss reduction is a technique that not only accepts risk, but accepts the
fact that loss might occur as a result of the risk. This technique will seek
to minimize the loss in the event of some type of threat. For example, a
company might need to store flammable material in a warehouse.
Company management realizes that this is a necessary risk and decides
to install state-of-the-art water sprinklers in the warehouse. If a fire
occurs, the amount of loss will be minimized.
Separation
Separation is a risk control technique that involves dispersing key
assets. This ensures that if something catastrophic occurs at one
location, the impact to the business is limited to the assets only at that
location. On the other hand, if all assets were at that location, then the
business would face a much more serious challenge. An example of this
is when a company utilizes a geographically diversified workforce.
Duplication
Duplication is a risk control technique that essentially involves the
creation of a backup plan. This is often necessary with technology. A
failure with an information systems server shouldn’t bring the whole
business to a halt. Instead, a backup or fail-over server should be readily
available for access in the event that the primary server fails. Another
example of duplication as a risk control technique is when a company
makes use of a disaster recovery service.
Diversification
Diversification is a risk control technique that allocates business
resources to create multiple lines of business that offer a variety of
products and/or services in different industries. With diversification, a
significant revenue loss from one line of business will not cause
irreparable harm to the company’s bottom line.
Risk control is a key component in any sound company strategy. It's necessary to ensure long-term organizational sustainability and profitability.
Application of Risk Management
As well as the popular ISO standards, FERMA has also produced its own risk management standard, which offers guidance for the whole process, from identifying risks right through to transferring some of that risk to another party.
What’s involved with accessing Risk management standards?
Risk management standards are produced by a number of different
organisations worldwide. In order to access their risk management
standards, you will have to visit the websites of these associations, or
get in contact with them some other way. For example, the FERMA risk
management standards are available on the FERMA website, and have
been translated into a number of different languages, for ease of access.
Different Types/Kinds
• The ISO 31000 risk management standards framework includes:
• ISO 31000:2018 – Principles and Guidelines on Implementation
• ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
• ISO Guide 73:2009 – Risk Management – Vocabulary
ISO 31000
• Help organizations increase the likelihood of achieving objectives
• Improve the identification of opportunities and threats
• Effectively allocate and use resources for risk treatment
• Internationally recognized benchmark
• Provide principles for effective management and corporate
governance
ISO/IEC 31010:2009
• Risk Management – Risk Assessment Techniques
• Risk identification
• Qualitative Analysis
• Quantitative Analysis
• Decision Making Tree
• Risk Resolution
Risk identification
Risk identification is the process that leads to risk assessment. It uses many techniques, such as:
• SWOT Analysis
• PESTLE Analysis
• Delphi technique
• Interviewing
• Brainstorming, etc.
Qualitative Analysis
A qualitative assessment takes into consideration less tangible factors
and is based more on gut reaction than on hard facts and data.
Quantitative Analysis
Quantitative risk assessment assigns numbers to risks based on various
risk reports and data generated.
Risk Resolution
It is a process by which drastic risks can be either diverted or
controlled, and in experienced cases even foreseen.
Summary:
These standards are designed to help and guide the organization across a number of different strands of risk management, from identifying risk to transferring some of the risk to another party, and to promote the mitigation of risk through best practice.
A. Definition of Risk
Risk is defined by the class using the universally agreed term. As such, risk refers to the factors, or the cause/effect of factors, that change the certainty of achieving an objective.
B. Evolution of Risk
The traditional model of risk management pertained to risk assessment and analysis, evaluation, and treatment and response. This classical method of assessing risk is deeply rooted in past experiences and history. As time passed, this method began showing signs of being outdated, especially with the state of the markets today. The financial collapse of 2008 was a major example of the failure of standard risk assessment methods. As companies evolve, so do the risks involved. A primary driving element behind the evolution of companies is technology. The drastic momentum of technological development has given companies sheer volumes of opportunities, but each such opportunity also tends to drag in its own unique risks. A major technological trend that companies are currently adopting is the transition to cloud connectivity, which brought an entirely new method of handling data. With the increased precedence of technology-driven risk, and incorporating recent examples of major risk assessment failures, measures were gradually taken not only at the company level, such as the trend of hiring Chief Risk Officers and risk management departments as well as Chief Information Security Officers concerned with cybersecurity, but also at the federal level, which brought on directives for increased supervision and regulation.
D. Crisis Management
It is defined as the process by which an organization deals with a sudden emergency situation. Compared with risk management, which is by nature preventive, crisis management involves reacting to negative events during and after they have occurred.
The types of crises could either be self-inflicted, such as workplace crime or accidents, or caused by external forces in the form of natural disasters, terrorism, etc. As a response, an organization usually implements a continuity plan during and in the aftermath of a crisis. This is prepared by conducting a risk analysis and running simulations.