Raunak Panchori Ashish Ghosh(29016
Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. Several risk management standards have been developed including the Project Management Institute, the National Institute of Science and Technology, actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.
Types of Project Risk
Risk analysis is conducted in two significant ways: qualitative and quantitative risk analysis. These two types of risk analysis can be conducted simultaneously or in a chosen order, and even within a defined period gap. Sometimes, business managers and project leaders are unable to differentiate between these two approaches. It is vital to understand the basic defining difference between them.
Understanding Qualitative Risk Analysis
The objective of conducting a qualitative risk analysis is to acquire safety against recognized risks and to increase the alertness of management, team members, and all personnel who are vulnerable to them. This method of risk analysis is designed to identify issues that are looked upon as project management impediments, but have the potential to become definite risk factors. A detailed qualitative analysis will also delve into the resources which are more susceptible to such risks. The purpose is to identify rectifying measures that can be incorporated to restrict or remove the causes that have given rise to such risks and to ensure that these safety measures become a part of risk-related analytical protocol for future reference.
Understanding Quantitative Risk Analysis
Quantitative risk analysis is more focused on the implementation of safety measures that have been established, in order to protect against every defined risk. By using a quantitative approach, an organization is able to create a very precise analytical interpretation that can clearly represent which risk-resolving measures have been most well-suited to various project needs. This makes the quantitative approach favored by many management teams since risk assessments can be clearly represented in the empirical forms like percentages or probability charts, since it emphasizes using tools such as metrics.
Risk Management Plan
There are four stages to risk management planning. They are:
• Risk Identification
• Risks Quantification
• Risk Response
• Risk Monitoring and Control
Risk Identification
In this stage, we identify and name the risks. The best approach is a workshop with business and IT people to carry out the identification. Use a combination of brainstorming and reviewing of standard risk lists.
There are different sorts of risks and we need to decide on a project by project basis what to do about each type. Business risks are ongoing risks that are best handled by the business. An example is that if the project cannot meet end of financial year deadline, the business area may need to retain their existing accounting system for another year. The response is likely to be a contingency plan developed by the business, to use the existing system for another year.
Generic risks are risks to all projects. For example the risk that business users might not be available and requirements may be incomplete. Each organisation will develop standard responses to generic risks.
Risks should be defined in two parts. The first is the cause of the situation (Vendor not meeting deadline, Business users not available, etc.). The second part is the impact (Budget will be exceeded, Milestones not achieved, etc.). Hence a risk might be defined as "The vendor not meeting deadline will mean that budget will be exceeded". If this format is used, it is easy to remove duplicates, and understand the risk.
Risk Quantification
Risks need to be quantified in two dimensions. The impact of the risk needs to be assessed. The probability of the risk occurring needs to be assessed. For simplicity, rate each on a 1 to 4 scale. The larger the number, the larger the impact or probability. By using a matrix, a priority can be established.
Note that if probability is high, and impact is low, it is a Medium risk. On the other hand if impact is high, and probability low, it is High priority. A remote chance of a catastrophe warrants more attention than a high chance of a hiccup.
Risk Response
There are four things you can do about a risk. The strategies are:
• Avoid the risk. Do something to remove it. Use another supplier for example.
• Transfer the risk. Make someone else responsible. Perhaps a Vendor can be made responsible for a particularly risky part of the project.
• Mitigate the risk. Take actions to lessen the impact or chance of the risk occurring. If the risk relates to availability of resources, draw up an agreement and get sign-off for the resource to be available.
• Accept the risk. The risk might be so small the effort to do anything is not worthwhile.
A risk response plan should include the strategy and action items to address the strategy. The actions should include what needs to be done, who is doing it, and when it should be completed.
Risk Control
The final step is to continually monitor risks to identify any change in the status, or if they turn into an issue. It is best to hold regular risk reviews to identify actions outstanding, risk probability and impact, remove risks that have passed, and identify new risks.
AREAS OF RISK MANAGEMENT
Enterprise Risk Management
In enterprise risk management, a risk is defined as a possible event or circumstance that can have negative influences on the enterprise in question. Its impact can be on the very existence, the resources (human and capital), the products and services, or the customers of the enterprise, as well as external impacts on society, markets, or the environment. In a financial institution, enterprise risk management is normally thought of as the combination of credit risk, interest rate risk or asset liability management, market risk, and operational risk.
Risk management activities as applied to project management
In project management, risk management includes the following activities:
• Planning how risk will be managed in the particular project. Plans should include risk management tasks, responsibilities, activities and budget.
• Assigning a risk officer, a team member other than a project manager who is responsible for foreseeing potential project problems. A typical characteristic of a risk officer is a healthy skepticism.
• Maintaining live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved.
• Creating anonymous risk reporting channel. Each team member should have the possibility to report risk that he/she foresees in the project.
• Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of the mitigation plan is to describe how this particular risk will be handled: what, when, by who and how will it be done to avoid it or minimize consequences if it becomes a liability.
• Summarizing planned and faced risks, effectiveness of mitigation activities, and effort spent for the risk management.
Risk management of Information Technology
Information technology is increasingly pervasive in modern life in every sector. IT risk is a risk related to information technology. This is a relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it supports. A number of methodologies have been developed to deal with this kind of risk. ISACA's Risk IT framework ties IT risk to Enterprise risk management.
Risk management for megaprojects
Megaprojects (sometimes also called "major programs") are extremely large-scale investment projects, typically costing more than US$1 billion per project. Megaprojects include bridges, tunnels, highways, railways, airports, seaports, power plants, dams, wastewater projects, coastal flood protection schemes, oil and natural gas extraction projects, public buildings, information technology systems, aerospace projects, and defence systems. Megaprojects have been shown to be particularly risky in terms of finance, safety, and social and environmental impacts. Risk management is therefore particularly pertinent for megaprojects and special methods and special education have been developed for such risk management.
Risk management techniques in petroleum and natural gas
For the offshore oil and gas industry, operational risk management is regulated by the safety case regime in many countries. Hazard identification and risk assessment tools and techniques are described in the international standard ISO 17776:2000, and organisations such as the IADC (International Association of Drilling Contractors) publish guidelines for HSE Case development which are based on the ISO standard. Further, diagrammatic representations of hazardous events are often expected by governmental regulators as part of risk management in safety case submissions; these are known as bow-tie diagrams. The technique is also used by organisations and regulators in mining, aviation, health, defence, industrial and finance.
Risk Management and Business continuity
Risk management is simply a practice of systematically selecting cost effective approaches for minimising the effect of threat realization to the organization. All risks can never be fully avoided or mitigated simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risks.
Whereas risk management tends to be pre-emptive, business continuity planning (BCP) was invented to deal with the consequences of realised residual risks. The necessity to have BCP in place arises because even very unlikely events will occur if given enough time. Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied together that such separation seems artificial. For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates etc.). Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management's preemptive approach and assumes that the disaster will happen at some point.