INTRODUCTION
Risks can come from accidents, natural causes and disasters as well as from deliberate attacks by an adversary. A prioritisation process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult: balancing a risk with a high probability of occurrence but a lower loss against a risk with a high loss but a lower probability of occurrence is often mishandled.

Q: Risk management also faces difficulties allocating resources. This is the idea of opportunity cost: resources spent on risk management could have been spent on more profitable activities. Ideal risk management therefore minimises spending while maximising the reduction of the negative effects of risks.

PRINCIPLES
PROCESS
The elements of the risk management process are summarised in Figure 3.1.

[Figure 3.1: Risk management process. Steps: Establish the context; Identify the risks; Analyse the risks; Evaluate the risks; Treat the risks. Identify, analyse and evaluate together form the Risk Assessment. Communicate and Consult, and Monitor and Review, run alongside every step.]

Communication and consultation is ultimately one of the most important aspects of risk management and is integral to the entire risk management process. As such, communication and consultation will be reflected in each step of the process described in this guide.

Establish the context
It is important to first establish some boundaries within which the risk management process will apply:
1. Establish the internal, external and risk management context.
2. Define the structure for risk analysis.
3. Develop risk criteria.
For example, when considering risk management within a small business, the business owner may only be interested in identifying financial risks; as such, the information collected will pertain only to that area of risk.

Q: Tips for developing risk criteria. The business owner must determine the level of risk that the business is willing to accept.
• Decide or define the acceptable level of risk for each activity.
• Determine what is unacceptable.
• Clearly identify who is responsible for accepting risk and at what level.

Identify the risks
Risk cannot be managed unless it is first identified. Once the context of the business has been defined, the next step is to use that information to identify as many risks as possible.

Retrospective risk identification is often the most common way to identify risk, and the easiest. It is easier to believe something if it has happened before, and it is also easier to quantify its impact and to see the damage it has caused. There are many sources of information about retrospective risk. These include:
• hazard or incident logs or registers
• audit reports
• customer complaints
• accreditation documents and reports
• past staff or client surveys
• newspapers or professional media, such as journals or websites.

Methods for identifying prospective risks include:
1. Brainstorming with staff or external stakeholders.
2. Researching the economic, political, legislative and operating environment.
3. Conducting interviews with relevant people and/or organisations.
4. Undertaking surveys of staff or clients to identify anticipated issues or problems.
5. Flow charting a process.
6. Reviewing system design or preparing system analysis techniques.

Once risks have been identified, they must then be assessed as to their potential severity of loss and their probability of occurrence. These quantities can be either simple to measure, as in the case of the value of a lost building, or impossible to know for sure, as in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritise the implementation of the risk management plan.

Analyse the risks
During the risk analysis step it is important to be able to determine how serious the risks are that the business is facing. The risk analysis step will assist in determining which risks have a greater consequence or impact than others.

Q: So how is the level of risk determined? As discussed in Section 3, risk analysis involves combining the consequence of a risk with the likelihood of the risk occurring to determine the level of risk:

Risk = consequence x likelihood

This is known as the 'risk analysis equation'.

Elements of risk analysis
The elements of risk analysis are as follows:
1. Identify existing strategies and controls that act to minimise negative risk and enhance opportunities.
2. Determine the consequences of a negative impact or an opportunity (these may be positive or negative).
3. Determine the likelihood of a negative consequence or an opportunity.
4. Estimate the level of risk by combining consequence and likelihood.
5. Consider and identify any uncertainties in the estimates.
This will assist in providing a better understanding of the possible impact of a risk, or the likelihood of it occurring, in order to make a decision about committing resources to control the risk.

Evaluate the risks
Risk evaluation involves comparing the level of risk found during the analysis process with the previously established risk criteria, and deciding whether these risks require treatment. This step is about deciding whether risks are acceptable or need treatment. The result of a risk evaluation is a prioritised list of risks that require further action.

Q: Risk acceptance. Low or tolerable risks may be accepted, either because the risk is at a low level and the cost of treating the risk would outweigh the benefit, or because there is no reasonable treatment that can be implemented. This is also known as ALARP (as low as reasonably practicable). 'Acceptable' means the business chooses to 'accept' that the risk exists.

Treat the risks
As previously introduced, it is often either not possible or not cost-effective to implement all treatment strategies. A business owner should aim to choose, prioritise and implement the most appropriate combination of risk treatments. Risk treatment should also aim to enhance positive outcomes.

Avoid the risk. One method of dealing with risk is to avoid it by not proceeding with the activity likely to generate the risk. Risk avoidance should only occur when control measures do not exist or do not reduce the risk to an acceptable level. Uncontrolled or inappropriate risk avoidance may lead to organisational risk avoidance, resulting in missed opportunities and an increase in the significance of other risks.

Change the likelihood of the occurrence. This option enhances the likelihood of beneficial outcomes and reduces the possibility of loss. For example, an observed high risk of computer viruses could be reduced by acquiring and implementing antivirus software.

Change the consequences. This will increase the size of gains and reduce the size of losses. This may include business continuity plans, and emergency and contingency plans.

Share the risk. Part or most of a risk may be transferred to another party so that they share responsibility.

Retain the risk. After risks have been reduced or transferred, residual risk may be retained if it is at an acceptable level.

Risk Mgmt Plan
The risk management plan should propose applicable and effective security controls for managing the risks. A good risk management plan should contain a schedule for control implementation and the persons responsible for those actions.

Q: Why should risk mgmt plans be updated periodically? Risk analysis results and management plans should be updated periodically. There are two primary reasons for this:
1. to evaluate whether the previously selected security controls are still applicable and effective, and
2. to evaluate possible changes in risk level in the business environment. Information risks, for example, are a good example of a rapidly changing business environment.
Initial risk management plans will never be perfect. Practice, experience and actual loss results will necessitate changes in the plan and contribute information that allows different decisions to be made in dealing with the risks being faced.

Monitor and review
Monitor and review is an essential and integral step in the risk management process. A business owner must monitor risks and review the effectiveness of the treatment plan, strategies and management system that have been set up to manage risk. Risks need to be monitored periodically to ensure that changing circumstances do not alter the risk priorities. Very few risks will remain static; therefore the risk management process needs to be regularly repeated, so that new risks are captured in the process and effectively managed. A risk management plan at the business level should be reviewed at least annually. An effective way to ensure that this occurs is to combine risk planning or risk review with annual business planning.

ERM
In enterprise risk management, a risk is defined as a possible event or circumstance that can have negative influences on the enterprise in question. Its impact can be on the very existence, the resources (human and capital), the products and services, or the customers of the enterprise, as well as external impacts on society, markets or the environment. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organisation's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. In a financial institution, enterprise risk management is normally thought of as the combination of credit risk, interest rate risk or asset liability management, market risk, and operational risk.

Risk management activities as applied to project management
In project management, risk management includes the following activities:
• Planning how risk will be managed in the particular project. The plan should include risk management tasks, responsibilities, activities and budget.
• Assigning a risk officer: a team member other than the project manager who is responsible for foreseeing potential project problems. A typical characteristic of a risk officer is a healthy scepticism.
• Maintaining a live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved.
• Creating an anonymous risk reporting channel. Each team member should have the possibility to report a risk that he or she foresees in the project.
• Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of the mitigation plan is to describe how this particular risk will be handled: what, when, by whom and how it will be done to avoid the risk or minimise the consequences if it becomes a liability.
• Summarising planned and faced risks, the effectiveness of mitigation activities, and the effort spent on risk management.

LIMITATIONS
If risks are improperly assessed and prioritised, time can be wasted dealing with risks of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. Unlikely events do occur, but if the risk is unlikely enough it may be better to simply retain the risk and deal with the result if the loss does in fact occur. Prioritising the risk management process too highly could keep an organisation from ever completing a project or even getting started. This is especially true if other work is suspended until the risk management process is considered complete. It is also important to keep in mind the distinction between risk and uncertainty: risk can be measured by impact x probability. All risks can never be fully avoided or mitigated, simply because of financial and practical limitations. Therefore all organisations have to accept some level of residual risk.

SUMMARY
Risk management is simply the practice of systematically selecting cost-effective approaches for minimising the effect of threat realisation on the organisation.
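A worked illustration of the risk analysis equation and the evaluate, treat and re-evaluate cycle described above, added here as example code rather than material from the source guide. The 1-5 ordinal scales, the acceptance criterion of 6 and the sample register entries are assumptions constructed for the example.

```python
from dataclasses import dataclass, field, replace

# 1-5 ordinal scales are an assumption of this example; the guide only gives the equation.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

@dataclass
class Risk:
    title: str
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)  # existing controls plus applied treatments

    def level(self) -> int:
        """Risk analysis equation: risk = consequence x likelihood."""
        return CONSEQUENCE[self.consequence] * LIKELIHOOD[self.likelihood]

def evaluate(register, acceptable_level):
    """Risk evaluation: compare each level with the risk criteria and return the
    prioritised list (highest level first) of risks that still need treatment."""
    needs_treatment = [r for r in register if r.level() > acceptable_level]
    return sorted(needs_treatment, key=lambda r: r.level(), reverse=True)

def treat(risk, control, likelihood=None, consequence=None):
    """Treatment options 'change the likelihood' / 'change the consequences':
    returns the residual risk after the control; the original entry is left unchanged."""
    return replace(risk, likelihood=likelihood or risk.likelihood,
                   consequence=consequence or risk.consequence,
                   controls=risk.controls + [control])

# Constructed sample register and acceptance criterion (illustrative, not from the guide).
ACCEPTABLE_LEVEL = 6
REGISTER = [
    Risk("Malware infection of office PCs", "likely", "major"),         # 4 x 4 = 16
    Risk("Flooding of the premises", "rare", "major"),                  # 1 x 4 = 4, accepted
    Risk("Key supplier goes out of business", "possible", "moderate"),  # 3 x 3 = 9
]

def run_cycle(register=REGISTER, acceptable_level=ACCEPTABLE_LEVEL):
    """Analyse and evaluate, treat the top-priority risk (the guide's antivirus example),
    then re-evaluate: residual risk is retained only if it is now at an acceptable level."""
    priorities = evaluate(register, acceptable_level)
    top = priorities[0]
    residual = treat(top, "antivirus software", likelihood="unlikely")
    after = [residual if r is top else r for r in register]
    return priorities, residual, evaluate(after, acceptable_level)
```

Because the residual level of 8 is still above the acceptance criterion of 6, the malware risk stays on the prioritised list behind the supplier risk; a second treatment, such as changing the consequence with a backup and contingency plan, would be the next step.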