Section 7 Three Slides On A Page - Risk 2022
Opportunity
Positive risks are called opportunities.
Issue
A risk is associated with a future event, one that has not happened yet.
Risk Management
Risk management is the identification, assessment, and prioritization of risks (positive or negative), followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.
Risk Management (diagram)
  Identification of risks, Assessment of risks, Prioritization of risks
  -> Resources
  -> minimize, monitor, control the probability and/or impact of unfortunate events
  -> maximize the realization of opportunities
1. Plan Risk Management
Define risk-related terms
Define roles and responsibilities
Tools and templates for risk management
Planning includes how to:
  Identify risks
  Analyze risks
  Plan risk responses
  Monitor and control risks
2. Identify Risks
Risk identification is a systematic and methodical process.
It is best done in a group setting.
A wide range of people participate in this process, including management, employees, customers, and other stakeholders.
Tools Used:
Brainstorming is the most common approach.
Other tools include:
  Ishikawa Diagram (Cause and Effect)
  Flow Diagram
  SWOT Diagram (Strengths, Weaknesses, Opportunities and Threats)
  FMEA (Failure Mode and Effects Analysis)
Risk Register
The output of the Identify Risks process is a risk register, which lists all the risks identified.
In the next process these risks are prioritised and an action plan is created to address them.
3. Analyze Risks
Risks are analyzed to set priority, which focuses effort on the high-priority risks.
Qualitative Risk Analysis: subjective
Quantitative Risk Analysis: analytic
Probability and Impact Matrix
Flashback: Failure Mode and Effects Analysis (FMEA)
The Risk Priority Number (RPN) is the product of:
  Severity
  Probability
  Detection
Each risk is analyzed for probability and impact and is assigned one of:
  a nine-point rating: a score from 1 to 9
  a five-point rating: Very Low, Low, Medium, High, Very High, or a score from 1 to 5
  a three-point rating: Low, Medium, High, or a score from 1 to 3
Risk score = Probability x Impact
Probability and Impact Matrix Example (figure not reproduced)
Sample Probability Table (columns: Probability Category, Probability Number, Description; rows not reproduced)
Sample Impact Table

| Project Objective | Very Low (1) | Low (3) | Moderate (5) | High (7) | Very High (9) |
|---|---|---|---|---|---|
| Cost | Insignificant cost impact | < 10% cost impact | 10-20% cost impact | 20-40% cost impact | > 40% cost impact |
| Schedule | Insignificant schedule impact | < 5% schedule impact | 5-10% schedule impact | 10-20% schedule impact | > 20% schedule impact |
| Scope | Barely noticeable | Minor areas impacted | Major areas impacted | Changes unacceptable to client | Product becomes effectively useless |
| Quality | Barely noticeable | Minor functions impacted | Client must approve quality reduction | Quality reduction unacceptable to client | Product becomes effectively useless |
Probability and Impact Matrix (nine-point scale; cell = Probability x Impact)

| Probability \ Impact | 1 | 3 | 5 | 7 | 9 |
|---|---|---|---|---|---|
| 9 | 9 | 27 | 45 | 63 | 81 |
| 7 | 7 | 21 | 35 | 49 | 63 |
| 5 | 5 | 15 | 25 | 35 | 45 |
| 3 | 3 | 9 | 15 | 21 | 27 |
| 1 | 1 | 3 | 5 | 7 | 9 |
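The scoring rule from the slides (Risk score = Probability x Impact on the nine-point scale, and the FMEA RPN as the product of Severity, Probability and Detection) is small enough to carry through in code. The following is an added example, not part of the deck: it rebuilds the 5x5 matrix above, scores a constructed sample risk register, and sorts it so the high-priority risks come first. The priority bands (High/Medium/Low thresholds) are an assumption for illustration; the deck's coloured matrix slide did not survive extraction, so those cut-offs are not the deck's.

```python
"""Risk scoring as described in the deck: Probability x Impact on the
nine-point scale, plus the FMEA Risk Priority Number. Register entries
and band thresholds are constructed for illustration."""

from dataclasses import dataclass

# Nine-point scale used by the deck's matrix: ratings take the odd values 1..9
NINE_POINT_SCALE = (1, 3, 5, 7, 9)

# ASSUMPTION: band thresholds are illustrative, not the deck's own cut-offs
BANDS = ((45, "High"), (15, "Medium"), (0, "Low"))


def risk_score(probability: int, impact: int, scale=NINE_POINT_SCALE) -> int:
    """Risk score = Probability x Impact, both taken from the chosen scale."""
    if probability not in scale or impact not in scale:
        raise ValueError(f"ratings must be one of {scale}")
    return probability * impact


def band(score: int) -> str:
    """Map a score to a priority band using the assumed BANDS thresholds."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return BANDS[-1][1]


def build_matrix(scale=NINE_POINT_SCALE) -> dict:
    """Every (probability, impact) cell of the matrix, as in the deck's 5x5 table."""
    return {(p, i): risk_score(p, i, scale) for p in scale for i in scale}


def render_matrix(scale=NINE_POINT_SCALE) -> str:
    """Plain-text rendering: probability down the rows (high to low),
    impact across the columns, matching the slide layout."""
    m = build_matrix(scale)
    header = "P\\I " + " ".join(f"{i:>3}" for i in scale)
    rows = [f"{p:>3} " + " ".join(f"{m[(p, i)]:>3}" for i in scale)
            for p in sorted(scale, reverse=True)]
    return "\n".join([header, *rows])


def rpn(severity: int, probability: int, detection: int) -> int:
    """FMEA Risk Priority Number = Severity x Probability x Detection,
    each rated 1..10 (the conventional FMEA scale)."""
    for v in (severity, probability, detection):
        if not 1 <= v <= 10:
            raise ValueError("FMEA ratings are 1..10")
    return severity * probability * detection


@dataclass
class RiskEntry:
    """One line of the risk register produced by the Identify Risks process."""
    description: str
    probability: int
    impact: int

    @property
    def score(self) -> int:
        return risk_score(self.probability, self.impact)


# Constructed sample register (not from the page)
SAMPLE_REGISTER = [
    RiskEntry("Key supplier delivers late", probability=5, impact=7),
    RiskEntry("Critical vulnerability found in a third-party library", 7, 9),
    RiskEntry("Test environment outage", 3, 3),
    RiskEntry("Early delivery frees budget (opportunity)", 3, 5),
]


def prioritize(register):
    """Register sorted highest score first: the 'focus on high priority' step."""
    return sorted(register, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    print(render_matrix())
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:>3} {band(r.score):<6} {r.description}")
```

Running the module prints the matrix followed by the sample register in priority order; the sorted register is what the next process (Plan Risk Response) works from.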
Probability and Impact Matrix (five-point scale; Impact axis: Very Low, Low, Medium, High, Very High; figure not reproduced)
4. Plan Risk Response
Responding to Risks
Negative Risk responses: Avoid, Mitigate, Transfer, Accept
Mitigate: Reduce the probability and/or impact of the risk
Examples:
  Simplify the processes
  Develop a prototype
  Additional inspections
  Lessons learned from the past
Positive Risk responses: Exploit, Enhance, Share, Accept
Exploit: Make sure that the positive risk happens and make the best use of the opportunity
Examples:
  Put the best team members and more resources on it
Positive Risk (Share)
Examples:
  Forming a team, a joint venture, or a company with a third party
Positive Risk (Accept)
Accept the opportunity when it happens, but do not actively pursue it
Examples:
  The probability and rewards are not attractive
5. Monitor and Control Risks
Unexpected Risks
2022 – Changes in the BoK – 7A
Topics removed from the BoK:
  None
Topics added to the BoK:
  Risk-Based Thinking
  Types of Risk Management
2022 – Changes in the BoK – 7C
Additional Topics in Section 7
  Risk-Based Thinking
  Types of Risk Management
  Components of Risk Management Planning
  Risk Management Evaluation (Auditing)
  Risk Monitoring Techniques
  Mitigation Planning
Types of Risk Management
Enterprise Risk Management: strategic, software, business, regulatory, medical, audit
Operational Risk Management: supplier, supply chain, safety, project, manufacturing, operations, service, quality system
Product Risk Management: design, process, use, safety
Risk Management
Accept risk when the benefits outweigh the cost.
Accept no unnecessary risk.
Anticipate and manage risk by planning.
Make risk decisions at the right time and at the right level.
Enterprise Risk Management
Enterprise Risk Management Standards
ISO 31000:2018 – Risk Management
COSO (the Committee of Sponsoring Organizations) provides a framework of internal controls.
The five components of COSO internal control are risk assessment, control activities, information and communication, control environment, and monitoring activities.
Sarbanes–Oxley Section 404: Assessment of internal control
Components of Risk Management Planning
Risk Management Key Team Members
Risk Manager: overall responsibility for implementing the plan
Risk Owners: responsible for individual risk actions
Management / Project Managers: overall accountability
4 Types of Test of Controls
  Inquiry (least effective)
  Document review
  Observation of the workplace
  Reperform an activity (by the auditor)
Risk Monitoring Techniques
  Complaint tracking
  Trending
  Service reports
  Customer surveys
  Post-market surveillance*
Post-market Surveillance
This term is typically used by medical device companies for ensuring that devices remain safe and effective once they are on the market.
The FDA requires:
"Medical device manufacturers, as well as other firms involved in the distribution of devices, must follow certain requirements and regulations once devices are on the market. These include such things as tracking systems, reporting of device malfunctions, serious injuries or deaths, and registering the establishments where devices are produced or distributed."
Mitigation
Mitigation: Reduce the probability and/or impact of the risk
Negative Risk responses: Avoid, Mitigate, Transfer, Accept
Examples:
  Simplify the processes
  Develop a prototype
  Additional inspections
  Lessons learned from the past