You are on page 1of 24

Risk: Definition

 Effect of uncertainties on objectives (ISO


31000:2018)

Risk: Definition (ISO 9000:2015)


 effect of uncertainty
 An effect is a deviation from the expected
— positive or negative.
 Risk is often characterized by reference to
potential events and consequences or a
combination of these.
 Risk is often expressed in terms of a
combination of the consequences of an
event and the associated likelihood of
occurrence.
 The word “risk” is sometimes used when
there is the possibility of only negative
consequences.

Opportunity
 Positive risks is called opportunities.

 You would like to take maximum


advantage of these positive risks.

3
Issue
 Risk is associated with future event,
which has not happened yet.

 A risk which has already occurred is


considered as an “issue”.

Why Take Risk?


 There is a balance between risk and
rewards.

 Generally more risks lead to more


rewards. But that is not true always.

 You want more rewards with less risk

Risk Management
 Risk management is the identification,
assessment, and prioritization of risks
(positive or negative) followed by
coordinated and economical application
of resources to minimize, monitor, and
control the probability and/or impact of
unfortunate events or to maximize the
realization of opportunities.

6
Risk Management
minimize monitor control
Identification
of risks
probability and/or impact of unfortunate
events

Assessment
of risks Resources
maximize
Prioritization realization of opportunities
of risks

Risk Management Steps

Plan Risk Plan Risk Monitor and


Identify Risks Analyze Risks
Management Response Control Risks

1. Plan Risk Management

Plan Risk Plan Risk Monitor and


Identify Risks Analyze Risks
Management Response Control Risks

9
1. Plan Risk Management
 Define risk related terms
 Define roles and responsibilities
 Tools and template for risk management
 Planning includes how to:
 Identify risks
 Analyze risks
 Plan risk responses
 Monitor and control risks

10

2. Identify Risks

Plan Risk Plan Risk Monitor and


Identify Risks Analyze Risks
Management Response Control Risks

11

2. Identify Risks
 Risk identification is systematic, and
methodic process.
 It is best done in a group environment.
 Wide number of people participate in
this process including
 Management, Employees, Customer, Other
stake holders

12
2. Identify Risks
 Tools Used:
 Brainstorming is the most common
approach.
 Other tools include:
 Ishikawa Diagram (Cause and Effect)
 Flow Diagram
 SWOT Diagram (Strengths, Weaknesses,
Opportunities and Threats)
 FMEA (Failure Mode and Effects Analysis)

13

2. Identify Risks
Risk Register
 Output of Identify Risks process is a risk
register.
 This lists down all the risks identified
 In the next process these risks are
prioritised and action plan is created to
address these risks.

14

3. Analyze Risks

Plan Risk Plan Risk Monitor and


Identify Risks Analyze Risks
Management Response Control Risks

15
3. Analyze Risks
 Risks are analyzed to set priority
 Sets focus on high priority risks

16

3. Analyze Risks
Quantitative Risk
Qualitative Risk Analysis
Analysis

Quick and easy to Detailed and time


perform consuming

Subjective Analytic

Expected Monitory Value Analysis


Probability and Impact Matrix Monte Carlo Analysis
Decision Tree

17

3. Analyze Risks
Probability and Impact Matrix

 This is a qualitative risk analysis tool


 This evaluates
 Likelihood (probability) that a particular risk
will occur
 Potential impact on an objective if it occurs

18
Flashback
Failure Mode and Effects Analysis (FMEA)
 Risk Priority Number (RPN) is the
multiplication of:
 Severity
 Probability
 Detection

Probability and Impact Matrix


 Combination of:
 Impact (similar to severity)
 Probability

19

3. Analyze Risks
Probability and Impact Matrix
 Each risk is analyzed for probability and
Impact and is assigned
 a nine point rating: a score between 1 to 9
 a five point rating: Very Low, Low, Medium,
High, Very High
 or a score of 1 to 5
 a three point rating: Low, Medium, High
 or a score of 1 to 3
 Risk score = Probability x Impact

20

3. Analyze Risks
Probability and Impact Matrix Example

 If the risk has low probability and is


assigned a score of 1
 If the impact is significant and is
assigned an Impact value of 9

 Risk score = Probability x Impact = 1 x 9


=9

21
3. Analyze Risks
Sample Probability Table
Probability Probability Description
Category Number

Very High 9 Risk event expected to occur


High 7 Risk event more likely than not to occur
Probable 5 Risk event may or may not occur
Low 3 Risk event less likely than not to occur
Very Low 1 Risk event not expected to occur

22

3. Analyze Risks
Sample Impact Table
Project Objective Very Low Low Moderate High Very High
1 3 5 7 9
Cost Insignificant cost < 10% cost 10-20% cost 20-40% cost > 40% cost
impact impact impact impact impact
Schedule Insignificant < 5% schedule 5-10% schedule 10-20% schedule > 20% schedule
schedule impact impact impact impact impact
Scope Barely noticeable Minor areas Major areas Changes Product becomes
impacted impacted unacceptable to effectively
client useless
Quality Barely noticeable Minor functions Client must Quality reduction Product becomes
impacted approve quality unacceptable to effectively
reduction client useless

23

3. Analyze Risks
Probability and Impact Matrix
1 3 5 7 9
Probability

9 9 27 45 63 81

7 7 21 35 49 63

5 5 15 25 35 45

3 3 9 15 21 27

1 1 3 5 7 9

Impact

24
3. Analyze Risks
Probability and Impact Matrix
Very Low Medium High Very
Low High

Very Medium Medium High High High


High
Probability

High Low Medium Medium High High

Medium Low Medium Medium Medium High

Low Low Low Medium Medium Medium

Very Low Low Low Low Medium


Low

Impact

25

4. Plan Risk Response

Plan Risk Plan Risk Monitor and


Identify Risks Analyze Risks
Management Response Control Risks

26

4. Plan Risk Response

Plan Risk Plan Risk Monitor and


Identify Risks Analyze Risks
Management Response Control Risks

27
4. Plan Risk Response
Responding to Risks

 How to decrease the possibility of


 Negative risk affecting the objectives
 How to increase the possibility of
 Positive risk helping the objective

28

4. Plan Risk Response

Negative Risk Positive Risk


Avoid Exploit
Mitigate Enhance
Transfer Share
Accept Accept

29

4. Plan Risk Response


Avoid the risk
Negative Risk
Examples:
Avoid
 Plan is changed to avoid the risk
 Adopting a proven approach instead of a Mitigate
new approach Transfer
 Improving team communication
Accept

30
4. Plan Risk Response
Reduce the probability and/or impact of
the risk
Negative Risk

Examples: Avoid
 Simplify the processes Mitigate
 Develop prototype Transfer
 Additional inspections
Accept
 Lessons Learned from past

31

4. Plan Risk Response


Transfer the risk to a third party
Negative Risk
Examples:
Avoid
 Insurance
 Performance warranty Mitigate
 Subcontract Transfer
Accept

32

4. Plan Risk Response


Accept the risk if:
 no action is feasible or
 the probability and/or impact is too small.
Negative Risk
Avoid
 Two types of acceptance: Mitigate
 Passive Acceptance: No plan created to
deal with these Transfer
 Active Acceptance: Contingency plan is Accept
created and risks are monitored

33
4. Plan Risk Response
Exploit: Make sure that positive risk
happens and make best use of the
opportunity Positive Risk
Exploit
Examples: Enhance
 Put best team members and more
Share
resources
Accept

34

4. Plan Risk Response


Enhance: Increase the probability and/or
impact of the risk
Positive Risk

Examples: Exploit
 Put best team members and more Enhance
resources
Share
Accept

35

4. Plan Risk Response


Share the opportunity with a third party

Positive Risk
Examples:
Exploit
 Forming team, Joint Venture or a
company with a third party. Enhance
Share
Accept

36
4. Plan Risk Response
Accept the opportunity when it happens
but not actively pursuing it
Positive Risk

Examples: Exploit
 Probability and rewards are not Enhance
attractive.
Share
Accept

37

5. Monitor and Control Risks

Plan Risk Plan Risk Monitor and


Identify Risks Analyze Risks
Management Response Control Risks

38

5. Monitor and Control Risks


 Regularly review the identified risks and
ensure that these are still relevant
 Identify new risks
 Remove risks that are not relevant
 Risk audits may be conducted to ensure
that the plan is being implemented and
is effective.

39
5. Monitor and Control Risks
Unexpected Risks

 Use workarounds to deal with


unexpected risks to reduce the impact
 Workaround should be documented for
future reference
 Workarounds are unplanned responses
to the risks that were not identified or
expected

40

2022 – Changes in the BoK – 7


 Risk Management
 Definitions
 5 Steps in Risk Management
1. Planning for Risk Management
2. Identifying Risks
3. Risk Assessment
4. Risk Control (Negative and Positive Risks)
5. Monitor and Control Risks
Plan Risk Plan Risk Monitor and
Identify Risks Analyze Risks
Management Response Control Risks

41

2022 – Changes in the BoK – 7A

42
2022 – Changes in the BoK – 7A
 Topics removed from the BoK
 None
 Topics added to the BoK
 Risk-Based Thinking
 Types of Risk Management

43

2022 – Changes in the BoK – 7B

44

2022 – Changes in the BoK – 7B


 Topics removed from the BoK
 None
 Topics added to the BoK
 Components of Risk Management Planning

45
2022 – Changes in the BoK – 7C

46

2022 – Changes in the BoK – 7C


 Topics removed from the BoK
 None
 Topics added to the BoK
 Risk Management Evaluation (Auditing)
 Risk Monitoring Techniques
 Mitigation Planning

47

Additional Topics in Section 7


 Risk-Based Thinking
 Types of Risk Management
 Components of Risk Management Planning
 Risk Management Evaluation (Auditing)
 Risk Monitoring Techniques
 Mitigation Planning

48
Additional Topics in Section 7
 Risk-Based Thinking
 Types of Risk Management
 Components of Risk Management Planning
 Risk Management Evaluation (Auditing)
 Risk Monitoring Techniques
 Mitigation Planning

49

Risk Based Thinking


 “Risk Based Thinking” is a new term in ISO 9001:2015
 “Preventive Actions” requirement in the previous version of the standard has
been replaced with “Risk Based Thinking” in the 2015 version of the standard.
 There is no requirement to formally implement risk management.
 Some of the ISO 9001:2015 requirements related to risk-based thinking:
 Leaders to promote risk-based thinking.
 Identify risks during the planning stage
 Actions are taken proportionate to the impact on the conformity
 Analyze the effectiveness of actions taken to address risks
 Update risks identified during the planning

50

Additional Topics in Section 7


 Risk-Based Thinking
 Types of Risk Management
 Components of Risk Management Planning
 Risk Management Evaluation (Auditing)
 Risk Monitoring Techniques
 Mitigation Planning

51
Types of Risk Management
 Enterprise Risk Management
 strategic, software, business, regulatory, medical, audit
 Operational Risk Management
 supplier, supply chain, safety, project, manufacturing,
operations, service, quality system
 Product Risk Management
 design, process, use, safety

52

Risk Management
 Accept risk when benefits outweigh the cost.
 Accept no unnecessary risk.
 Anticipate and manage risk by planning.
 Make risk decisions at the right time at the right level.

53

Enterprise Risk Management


 Enterprise Risk Management
 strategic, software, business, regulatory, medical, audit
 Examples:
 Strategic Planning – SWOT Analysis
 Compliance with regulatory requirements
 Physical and IT threats/issues (breach)
 Financial frauds/compliance

54
Enterprise Risk Management
 Enterprise Risk Management Standards
 ISO 31000:2018 – Risk Management
 COSO - the Committee of Sponsoring Organizations provides a
framework of internal controls.
 The five components of COSO internal control are risk assessment,
control activities, information and communication, control
environment, and monitoring activities.
 Sarbanes–Oxley Section 404: Assessment of internal control

55

Operational Risk Management


Operational Risk Management
 supplier, supply chain, safety, project, manufacturing,
operations, service, quality system
 Examples:
 Supply chain issues – Timeliness, Quality, Cost, Safety
 Poor quality, not following processes, lack of quality management
system, carelessness and frauds, technology
 Natural catastrophes and business discontinuities

56

Product Risk Management


Product Risk Management
 design, process, use, safety
 Examples:
 Failure to meet customer expectations
 Failure to meet code, and legal requirements
 Poorly designed products leading to liability issues
 Safety issues in use

57
Additional Topics in Section 7
 Risk-Based Thinking
 Types of Risk Management
 Components of Risk Management Planning
 Risk Management Evaluation (Auditing)
 Risk Monitoring Techniques
 Mitigation Planning

58

Components of Risk Management


Planning
 Objective
 Risk Criteria
 Stakeholder identification
 Team member’s roles and responsibilities

59

Components of Risk Management


Planning
 Set the Project or Enterprise Objective
 What is the purpose of the project or organization?
 Risk Criteria
 How much risk the organization is willing to take?
 Stakeholder Identification
 Engage stakeholders in risk identification, prioritization and
risk responses.

60
Components of Risk Management
Planning
 Risk Management Key Team Members
 Risk Manager – Overall responsible for implementing the plan
 Risk Owners – Responsible for individual risk actions
 Management / Project Manages – Overall accountability

61

Additional Topics in Section 7


 Risk-Based Thinking
 Types of Risk Management
 Components of Risk Management Planning
 Risk Management Evaluation (Auditing)
 Risk Monitoring Techniques
 Mitigation Planning

62

Risk Management Evaluation


Auditing and Testing of Controls
 The purpose of an audit is to ensure compliance
 The purpose of testing of controls is to assess the
effectiveness of internal controls in detecting and
preventing risks.
 If internal controls are less effective, the auditor might need to increase
the level of testing/samples in the audit.

63
4 Types of Test of Controls
 Inquiry (Least effective)
 Document Review
 Observation of the workplace
 Reperform an activity (by the auditor)

64

Additional Topics in Section 7


 Risk-Based Thinking
 Types of Risk Management
 Components of Risk Management Planning
 Risk Management Evaluation (Auditing)
 Risk Monitoring Techniques
 Mitigation Planning

65

Risk Monitoring Techniques


 Risk Monitoring is to keep track of the status of risks
and the effectiveness of the risk responses.

Plan Risk Analyze Plan Risk Monitor and


Identify Risks
Management Risks Response Control Risks

66
Risk Monitoring Techniques
 Complaint Tracking
 Trending
 Service reports
 Customer surveys
 Post-market surveillance*

67

Post-market Surveillance
 This term is typically used by medical device companies to
ensure that the devices are safe and effective once on the
market.
 FDA requires:
 “Medical device manufacturers, as well as other firms involved in the
distribution of devices, must follow certain requirements and regulations once
devices are on the market. These include such things as tracking systems,
reporting of device malfunctions, serious injuries or deaths, and registering the
establishments where devices are produced or distributed.”

68

Additional Topics in Section 7


 Risk-Based Thinking
 Types of Risk Management
 Components of Risk Management Planning
 Risk Management Evaluation (Auditing)
 Risk Monitoring Techniques
 Mitigation Planning

69
Post-market Surveillance
Mitigation: Reduce the probability
and/or impact of the risk
Negative Risk

 Examples: Avoid
 Simplify the processes Mitigate
 Develop prototype
 Additional inspections Transfer
 Lessons Learned from past
Accept

70

You might also like