Introduction: Risk management is activity directed towards the assessing, mitigating (to an acceptable level) and monitoring of risks.

In some cases the acceptable risk may be near zero. Risks can come from accidents, natural causes and disasters as well as deliberate attacks from an adversary. The main ISO standards on risk management include

In businesses, risk management entails organized activity to manage uncertainty and threats and involves people following procedures and using tools in order to ensure conformance with risk-management policies. The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.

Management in business and human organization activity is simply the act of getting people together to accomplish desired goals. Management comprises planning, organizing, staffing, leading or directing, and controlling an organization (a group of one or more people or entities) or effort for the purpose of accomplishing a goal. Resourcing encompasses the deployment and manipulation of human resources, financial resources, technological resources and natural resources.

Some traditional risk management programs (e.g. health risk assessment) are focused on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, ergonomics, death and lawsuits).

Financial risk management is the practice of creating economic value in a firm by using financial instruments to manage exposure to risk, particularly credit risk and market risk. Other types include foreign exchange, shape, volatility, sector, liquidity, inflation risks, etc. Similar to general risk management, financial risk management requires identifying its sources, measuring it, and plans to address them. Financial risk management can be qualitative and quantitative. As a specialization of risk management, financial risk management focuses on when and how to hedge using financial instruments to manage costly exposures to risk.

Principles of risk management

The International Organization for Standardization (Organisation internationale de normalisation), widely known as ISO (pronounced), is an international-standard-setting body composed of representatives from various national standards organizations. Founded on 23 February 1947, the organization promulgates worldwide proprietary industrial and commercial standards. It is headquartered in Geneva, Switzerland. While ISO defines itself as a non-governmental organization, its ability to set standards that often become law, either through treaties or national standards, makes it more powerful than most non-governmental organizations. In practice, ISO acts as a consortium with strong links to governments.

The International Organization for Standardization identifies the following principles of risk management:

• Risk management should create value.
• Risk management should be an integral part of organizational processes.
• Risk management should be part of decision making.
• Risk management should explicitly address uncertainty.
• Risk management should be systematic and structured.
• Risk management should be based on the best available information.
• Risk management should be tailored.
• Risk management should take into account human factors.
• Risk management should be transparent and inclusive.
• Risk management should be dynamic, iterative and responsive to change.
• Risk management should be capable of continual improvement and enhancement.

Process

According to the standard ISO/DIS 31000 "Risk management -- Principles and guidelines on implementation", the process of risk management consists of several steps as follows:

Research Methodology: Establishing the context

Establishing the context involves:

1. Identification of risk in a selected domain of interest.
2. Planning the remainder of the process.
3. Mapping out the following:
   • the social scope of risk management
   • the identity and objectives of stakeholders
   • the basis upon which risks will be evaluated, constraints.
4. Defining a framework for the activity and an agenda for identification.
5. Developing an analysis of risks involved in the process.
6. Mitigation of risks using available technological, human and organizational resources.

Identification

After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.

• Source analysis: Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
• Problem analysis: Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats may exist with various entities, most important with shareholders, customers and legislative bodies such as the government.

When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project. privacy information may be stolen by employees even within a closed . lightning striking a Boeing 747 during takeoff may make all people onboard immediate casualties.

The chosen method of identifying risks may depend on culture, industry practice and . The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:

• Objectives-based risk identification: Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk.
• Scenario-based risk identification: In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk. See Futures Studies for methodology used by Futurists.
• Taxonomy-based risk identification: The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks. Taxonomy-based risk identification in software industry can be found in CMU/SEI-93-TR-6.

• Common-risk checking: In several industries lists with known risks are available. Each risk in the list can be checked for application to a particular situation.
• Risk charting (risk mapping): This method combines the above approaches by listing Resources at risk, Threats to those resources, Modifying Factors which may increase or decrease the risk and Consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.

Assessment

Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.

NEED OF RISK MANAGEMENT

Financial institutions face new challenges arising from the rapid growth of derivatives, financial innovations, the mix of mathematical models and computing power in risk management, as well as a "shadow" banking network made up of investment banks and the new regulatory framework. The 2008 financial crisis was a shock for individual investors in part because of financial innovations involving a number of structured financial products such as Credit Default Swaps (CDS), Collateralized Debt Obligations (CDO), synthetic CDOs, etc. Although the 2008 financial crisis might suggest that financial risks are sometimes able to get ahead of the world's ability to manage them, demand for financial risk management professionals is on the rise. The number of Financial Risk Manager (FRM) exam takers posted an annual average growth of 43 percent over the past three years.

CDS are bilateral contracts which transfer defined credit risk from one party to another. The CDS buyer makes a series of payments periodically to another in return for compensation in the event of a bond default. It looks similar to an insurance policy in which the premium you pay is a fraction of the compensation made by your insurance firm in case of bankruptcy. It is an asymmetric bet. By the same token, the CDS is also a speculative bet against the market. Unfortunately, insurance firms cannot handle systemic risk because only government can take on that kind of risk. CDOs are similar to a mutual fund that purchases various mortgage bonds including subprime mortgages for people with weak credit, generating a pooled vehicle within a pooled vehicle.

scope of risk management

Every failing project I've seen has had an informal scope of "the sun, the moon, the sky and the stars." In other words, management and the end users are convinced that they must have and will receive the perfect solution right out of the gate. They never get to the gate. Successful practitioners reduce scope to something that's manageable for the first release and defer the rest for subsequent releases.

Risks and Feasibility

To compensate for high risks, I always tighten scope. However, you won't be able to do this until everyone understands what's at stake. So the first thing to do is figure out what the risks are. This is why there's a whole Risks and Feasibility section in AgileSpec. When everyone understands and agrees with the three types of risk and the resultant project feasibility as negotiated with the executive sponsor, it's time to discuss scope limitation.

A while back, I helped an extremely high risk, high visibility project to succeed when all the observers were predicting failure. And they were right to predict failure, all the signs were there. This project had a disconnected and hostile end-user community, a scope straight from a management strategic planning fantasy, an arbitrary and hard deadline, disengaged, part-time developers, a vendor trying to do things via long distance, and a brand new project manager with no experience in software project management. The only things they had going for them were a well-defined business process and the fact that millions of dollars in management fees were suddenly at stake if the project didn't meet the deadline.

So what did we do? With sudden backing from the absolute top of the organization, we were able to make a bunch of tactical moves:

• We educated management about the risks and feasibility associated with the constraints they were imposing. We demanded and got more money, more autonomy, and reduced interference from all the casual observers.
• We co-located the implementation team, trainer, PDR and PER in a dedicated office space with a big conference room.
• We recruited a set of end users that were already involved with the definition of the business process.
• We dragged the vendor on-site more times than they thought was reasonable.
• We held a ton of meetings.
• We used Shell Method because we knew this project would be audited.

Objectives of Study:

• Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments.

This section provides an introduction to the principles of risk management. The vocabulary of risk management is defined in ISO Guide 73, "Risk management. Vocabulary".

• In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.
• Intangible risk management identifies a new type of risk: a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materialises. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.
• Risk management also faces difficulties allocating resources. This is the idea of opportunity cost.

Limitations of the Study:

A Risk Management Plan is a document prepared by a project manager to foresee risks, to estimate the effectiveness, and to create response plans to mitigate them. It also consists of the risk assessment matrix.

A risk is defined as "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives." Risk is inherent with any project, and project managers should assess risks continually and develop plans to address them. The risk management plan contains an analysis of likely risks with both high and low impact, as well as mitigation strategies to help the project avoid being derailed should common problems arise. Risk management plans should be periodically reviewed by the project team in order to avoid having the analysis become stale and not reflective of actual potential project risks.

Most critically, risk management plans include a risk strategy. Broadly, there are four potential strategies, with numerous variations. Projects may choose to:

• Accept risk; simply take the chance that the negative impact will be incurred
• Avoid risk; changing plans in order to prevent the problem from arising
• Mitigate risk; lessening its impact through intermediate steps
• Transfer risk; outsource risk to a capable third party that can manage the outcome

The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:

Rate of occurrence multiplied by the impact of the event equals risk

Later research has shown that the financial benefits of risk management are less dependent on the formula used but are more dependent on the frequency and how risk assessment is performed.

In business it is imperative to be able to present the findings of risk assessments in financial terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial terms. The Courtney formula was accepted as the official risk analysis method for the US governmental agencies. The formula proposes calculation of ALE (annualised loss expectancy) and compares the expected loss value to the security control implementation costs (cost-benefit analysis).

Potential risk treatments

Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:

• Avoidance (eliminate)
• Reduction (mitigate)
• Transfer (outsource or insure)
• Retention (accept and budget)

Ideal use of these strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions. Another source, from the US Department of Defense, Defense Acquisition University, calls these categories ACAT, for Avoid, Control, Accept, or Transfer.
