
ITSM

Risk Management
• In general terms, the word 'Risk' means an apprehension or a
threat of something unwanted happening.
• The word 'Risk' has multiple usages.
• For example, it may refer to a chance or a probability (“risk of
exposure”), a consequence or impact (“the risk from smoking”),
or a perilous situation (“a hazardous waste plant creates a risk”).
• Interpretations of the word “risk” have evolved linguistically on
the basis of involuntary or voluntary events.
• For example, “danger” is often used to describe an involuntary
event, whereas “peril” may be used to describe a voluntary
event.
• Despite the widespread use of this word, there is no single
universal definition of the word.
Risk Management
• Risk in the context of insurance business implies taking
wise investment decisions with correct reading of the
market situation to offset probable losses with gains.
• Usage of the word “risk” in the context of health and
environmental risks integrates two ideas; firstly that the
situation has the potential for detrimental consequences;
and secondly that there is some improbability associated
with the circumstances.
Risk Management
• There is an uncertainty of whether a hazardous event will
occur; when or where it will occur; who or what will be
affected; and the magnitude of the consequences.
• “Risk”, in this sense, includes both the possibility and the
character of the detrimental event.
• A statement of risk based solely on one aspect of risk, such
as the probability of occurrence, has been referred to as a
single dimensional risk.
• Financial or insurance risks are primarily single
dimensional risks, as are statements on health risks that
are restricted to the chance of occurrence.
Types of Risks
• The basic factors of risk
management are:
• Risks under the pure risk
category would be easily
recognisable, noticeable and
damages are based on the action
of perils.
• However, it will be very difficult to
understand and analyse the
speculative risk.
• Static risks are those which are
on account of inherent physical
properties of elements. Some
elements would cause more
danger when they are kept under
cover.
Types of Risks
• On the other hand, some elements would cause more losses
when they are kept uncovered. Even though they are stationary,
they are capable of causing losses.
• Dynamic risk is a loss increasing on account of some activity
being triggered as a chain of activities.
• There are certain fundamental risks which are built-in with the
perils.
• Wherever fundamental risks exist, they would cause losses
and a study will have to be made on a particular risk basis.
• Whichever subject or whichever activity is taken for study, the
entire consideration should be made particularly to that risk.
• Risk management is necessary for each and everyone.
Risk Management
• Understanding risk involves the governance function of risk
management.
• Risk management means reducing the threats posed by known
hazards, whilst simultaneously accepting unmanageable risks,
and maximizing any related benefits.
• Organizations face different types of risks in a specific and
unconnected manner.
• There are methods of “definition and control”, which are
collected in a systematic approach known as “Risk
Management”, which provides reasonable defense against the
possible occurrence of harmful events.
Risk Management
• Risk Management can therefore be defined as “a group of actions
that are integrated within the wider context of a company
organization, which are directed toward assessing and
measuring possible risk situations as well as elaborating the
strategies necessary for managing them”.
• It is also defined as “The process of analyzing exposure to risk
and determining how to best handle such exposure.”
• Risk Management strategies can be targeted toward all or only
some of the “different types of potential risk”, that is, the
specific areas of possible uncertainty that affect the life of a
company or organization.
Risk Management
• Company risks are normally classified within three large categories:
• Risks inherent to the external context (e.g.: emergence of
unfavorable laws and/or regulations; negative changes to market
conditions; technological innovations that favor competitors; etc.);
• Risks inherent to operative management (e.g.: non-compliance
with contractual requirements; possible loss of market share;
possible loss of skills; possible physical damage to personnel;
possible environmental pollution; etc.);
• Risks inherent to financial management (e.g.: difficulty in
collecting accounts receivables; unfavorable changes in exchange
rates; imbalances in liquidity; etc.).
• Each of these risks may lead to direct and/or indirect damage to the
organisation, with economic implications that may also be
considerable in the short, medium and long term.
Aim of Risk Management
• The basic aim of risk management is to arrive at the possible
quantum of loss and then take a decision towards avoidance.
• It also takes a decision to transfer, hedge and insure and further
reinsure or it could be a combination of all these.
• The basic requirements in risk management study lie with the
identification of perils, which may affect the property in a situation
under certain severe circumstances.
• Thus without identifying the perils, which may cause loss, danger,
accident, harm, injury, etc., it will not be possible to move further
for quantification.
• Thus, identification and a detailed study of perils is the most
important basic factor of risk management.
Risk Management Process
• Different organizations use different approaches to organize their
risk management activities.
• A commonly used approach is as follows:
Risk Management Process: Planning
• Risk planning includes developing and documenting a structured,
proactive, and comprehensive strategy to deal with risk.
• Key to this activity is the establishment of methods and procedures
to do the following:
• Establish an organization to take part in the risk management
process.
• Identify and analyze risks.
• Develop risk-handling plans.
• Monitor or track risk areas.
• Assign resources to deal with risks.
Risk Management Process: Assessment
• Risk assessment involves two primary activities, risk identification
and risk analysis.
• Risk identification begins early in the planning phase and continues
throughout the life of the project.
• The following methods are often used to identify possible risks:
• Brainstorming.
• Evaluations or inputs from project stakeholders.
• Periodic reviews of project data.
• Questionnaires based on taxonomy, the classification of product
areas and disciplines.
• Interviews based on taxonomy.
• Analysis of the Work Breakdown Structure (WBS).
• Analysis of historical data.
Risk Management Process: Assessment
• When identifying a risk it is essential to do so in a clear and concise
statement.
• It should include three components:
• Condition - A sentence or phrase briefly describing the situation or
circumstances that may have caused concern, anxiety, or
uncertainty.
• Consequence – A sentence describing the key negative outcomes
that may result from the condition.
• Context – Additional information about the risk to ensure others
can understand its nature, especially after the passage of time.
Risk Management Process: Assessment
• Another part of assessment is risk analysis.
• It is the procedure of examining each risk to refine the risk
description, isolate the cause, calculate the probability of
occurrence, and determine the nature and impact of possible
effects.
• The result of this process is a list of risks rated and prioritized
according to their probability of occurrence, severity of impact,
and relationship to other risk areas.
Risk Management Process: Handling

• Risk handling is the process that identifies, evaluates,
selects, and implements options for mitigating risks.
• There are two approaches that are used in handling risk.
• Employ options that reduce the risk itself. (It usually
involves a change in current conditions to lessen the
probability of occurrence.)
• Use options that reduce the negative impact to the project
if the risk condition should occur. (It is often employed
where risk probability is high.)
Risk Management Process: Monitoring
• The process of continually tracking risks and the effectiveness of
risk handling options to ensure risk conditions do not get out of
control is known as ‘Risk Monitoring’.
• This is achieved by identifying the baseline risk management
plans, understanding the risks and risk handling options,
establishing meaningful metrics, and evaluating project
performance against the established metrics, plans, and
expected results throughout the acquisition process.
• Continual monitoring also enables the identification of new
risks that may become apparent over time.
• It also discovers the interrelationships between various risks.
Risk Management Process: Documentation
• Risk documentation consists of recording, maintaining, and reporting
risk management plans, assessments, and handling information.
• It also includes recording the results of risk management activities,
providing a knowledge base for better risk management in later stages
of the project and in other projects.
• It is absolutely essential for the current, as well as future, projects.
• Documentation should include as a minimum the following
information:
• Risk management plans.
• Project metrics to be used for risk management.
• Identified risks and their descriptions.
• The probability, severity of impact, and prioritization of all known
risks.
Risk Management Process: Documentation
• Description of risk handling options selected for implementation.
• Project performance assessment results, including deviations from the
baseline plans.
• A record of all changes to the above documentation, including newly
identified risks, plan changes, etc.
Risk Assessment
• Risks are events or conditions that may occur, and whose
occurrence, if it does take place, has a harmful or negative impact
on the achievement of the organization's business objectives.
• Risk assessment covers the following aspects:
• Risk Identification and Categorization – the process of identifying
the company’s exposure to uncertainty classified as Strategic /
Business / Operational.
• Risk Description – the method of systematically capturing and
recording the company’s identified risks in a structured format.
• Risk Estimation – the process for estimating the cost of likely
impact either by quantitative, semi-quantitative or qualitative
approach.
• Risk identification is an important step in risk assessment. The
other steps are risk description and risk estimation.
Risk Identification and Categorization

• Key characteristics by which risks can be identified are:
• Risks are adverse consequences of events or changed
conditions.
• Their occurrence may be identified by the happening of
trigger events.
• Their occurrence is uncertain and may have different
extents of likelihood.
Risk Identification and Categorization
• The nature of the risk identification phase depends on how risk
has been defined.
• Whatever the definition, a risk arises in the presence of values
or asset elements that represent a stake for the company or
organization; where certain qualities must be maintained for the
entity to function properly.
• Identifying potentially critical assets is therefore the first step,
and a part of all risk analysis methods.
• The second step, which depends on how risk has been defined,
involves looking for: threats that may damage these assets, and
vulnerabilities that could be exploited, or damage that may
affect these assets and the circumstances in which this damage
may occur.
Risk Description
• Risk description helps in understanding the nature and quantum of
risk and its likely impact and possible mitigation measures.
• Risk descriptions for each of the risks identified in the risk matrix
are to be documented and recorded in a structured format in each
area where the risk is identified.
• The objective of risk description is to display the identified risks in
a structured format, for example, by using a table.
• The risk description table can be used to facilitate the description
and assessment of risks.
• The use of a well designed structure is necessary to ensure a
comprehensive risk identification, description and assessment
process.
Risk Description
• By considering the consequence and probability of each of the risks
set out in the table, it should be possible to prioritize the key risks
that need to be analyzed in more detail.
• Identification of the risks associated with business activities and
decision making may be categorized as strategic, project tactical,
operational.
• It is important to incorporate risk management at the conceptual
stage of projects as well as throughout the life of a specific project.
Risk Estimation
• Risk estimation can be quantitative, semi-quantitative or qualitative
in terms of the probability of occurrence and the possible
consequence.
• In this process, the consequences of the risk occurrences have to be
quantified to the maximum extent possible, using quantitative,
semi-quantitative or qualitative techniques.
• The process of risk quantification for the company has to be qualitative,
supported by quantitative impact analysis.
• To apply this approach, the chain of adverse consequences, which
may occur in case the identified risk materializes, should be
listed.
• For each of the chains of adverse consequences, the cost impact
needs to be calculated and attributed to the particular risk.
Risk Analysis
• Risk analysis is the process of systematically identifying and
assessing the potential threats and uncertainties that occur
when trying to achieve a certain goal, and then finding a
reasonable strategy for most efficiently controlling these risks.
• This technique helps to analyse the related vulnerabilities of a
project to these threats.
• Risk analysis also helps to define preventive measures to reduce
the probability of these factors from occurring and identify
countermeasures to successfully deal with these constraints
when they develop to avert possible negative effects on the
competitiveness of the company.
Risk Evaluation
• When the risk analysis process has been completed, it is necessary
to compare the estimated risks against risk criteria which the
organisation has established.
• The risk criteria may include associated costs and benefits, legal
requirements, socio-economic and environmental factors, concerns
of stakeholders, etc.
• Risk evaluation, therefore, is used to make decisions about the
significance of risks to the organisation and whether each specific
risk should be accepted or treated.
• Risk evaluation deals with estimating probability and impact of
individual risks, taking into account any interdependencies or other
factors outside the immediate scope under investigation.
Risk Reporting and Communication
• Risk reporting and communication is an essential component of
risk management.
• We take a closer look at reporting and communication in risk
management:
– Internal Reporting
– External Reporting
Internal Reporting
• Different levels within an organization need different information from
the risk management process.
• The higher management should:
• Know about the most significant risks facing the organization
• Know the possible effects on shareholder value of deviations to
expected performance ranges
• Ensure appropriate levels of awareness throughout the organization
• Know how the organization will manage a crisis.
• Know the importance of stakeholder confidence in the organization
• Know how to manage communications with the investment community
where applicable
• Be assured that the risk management process is working effectively.
• Publish a clear risk management policy covering risk management
philosophy and responsibilities
Internal Reporting
• Business Units should:
• Be aware of risks which fall into their area of responsibility, the
possible impacts these may have on other areas and the
consequences other areas may have on them.
• Have performance indicators which allow them to monitor the key
business and financial activities, progress towards objectives and
identify developments which require intervention (e.g. forecasts
and budgets)
• Have systems which communicate variances in budgets and
forecasts at appropriate frequency to allow action to be taken
• Report systematically and promptly to senior management any
perceived new risks or failures of existing control measures
Internal Reporting
• Individuals working in an organization should:
• Understand their accountability for individual risks
• Understand how they can enable continuous improvement of risk
management response.
• Understand that risk management and risk awareness are a key
part of the organization's culture
• Report systematically and promptly to senior management any
perceived new risks or failures of existing control measures
External Reporting
• A company needs to report to its stakeholders on a regular basis
setting out its risk management policies and the effectiveness in
achieving its objectives.
• Increasingly stakeholders look to organizations to provide evidence of
effective management of the organization's non-financial performance
in such areas as community affairs, human rights, employment
practices, health and safety and the environment.
• The formal reporting should address:
• The control methods – particularly management responsibilities for
risk management.
• The processes used to identify risks and how they are addressed by the
risk management systems.
• The primary control systems in place to manage significant risks.
• The monitoring and review system in place.
Hazard
• An important factor of every safety process is hazard identification
and management.
• This is required by many related standards and shall be performed
for every project. It’s often a challenge to find all possible hazards in
advance but it’s possibly an even bigger challenge to manage all
hazards over a wide range of products and projects.
• It is therefore necessary to combine the results of several safety
assessment activities with field experience of already existing
systems.
• The solution to system safety is the management of hazards.
• Understanding hazard theory and the identification of hazards is
essential to effectively manage hazards.
Hazard
• Hazard analysis provides the basic foundation for system safety.
• It is performed to identify hazards, their effects and causal factors. It is
further used to determine system risk, the significance of hazards and
to establish design measures that will eliminate or mitigate the
identified hazards and their associated risk.
• Hazard is a potentially damaging physical event, phenomenon or
human activity that may cause the loss of life or injury, property
damage, social and economic disruption or environmental degradation.
• Hazards could be natural or induced by human processes.
• Hazards can be single, sequential or combined in their origin and
effects.
• Accordingly, hazard analysis entails the identification, study and
monitoring of a hazard to determine its potential, origin and
characteristics.
Hazard Management
• For all hazards a hazard management process must be undertaken.
• Establishing the parameters of the process including the criteria by
which hazards will be assessed.
• Staff and contractors are to follow the hazard management model to
ensure all hazards are identified, assessed, controlled and evaluated for
effectiveness.
• The level of risk is to be determined through the risk assessment
process and recommended control measures implemented.
• Hazards management is the most tedious aspect of risk management.
• Hazards management could depend on various factors: it could be
hazards of operation, or it could be the design aspects or
maintenance aspects.
• It could be hazards of operators; or the skill of operation or training for
operations.
Identification of hazards
• Hazards are required to be identified, assessed and controlled:
• When planning work processes
• Prior to purchase, hire, lease, commissioning or erection of plant or
substances.
• Whenever changes are made to the workplace, system or method of
work, plant or substances.
• Whenever new information becomes available regarding work
processes, plant or substances.
• Hazard identification is the most important step in the risk
management process.
• A hazard which is not identified cannot be controlled.
• Hazard identification must be conducted in close consultation with
the people performing the activity.
Thank you!!
