Business Opportunities Report: “Risk Analysis”
PRESENTERS: Ralph Deiparine Monique Sim Kara Dacayan Mike Faustino
January 12, 2012
I. What is Risk Analysis?

a. Definition

Risk analysis is a technique to identify and assess factors that may jeopardize the success of a project or achieving a goal. This technique also helps to define preventive measures to reduce the probability of these factors occurring and to identify countermeasures to successfully deal with these constraints when they develop, to avert possible negative effects on the competitiveness of the company. Reference class forecasting was developed to increase accuracy in risk analysis.

One of the more popular methods to perform a risk analysis in the computer field is called facilitated risk analysis process (FRAP).

b. Facilitated Risk Analysis Process

FRAP analyzes one system, application or segment of business processes at a time and assumes that additional efforts to develop precisely quantified risks are not cost effective because:
• Such estimates are time consuming
• Risk documentation becomes too voluminous for practical use
• Specific loss estimates are generally not needed to determine if controls are needed

After identifying and categorizing risks, a team identifies the controls that could mitigate the risk. The decision for what controls are needed lies with the business manager. The team's conclusions as to what risks exist and what controls are needed are documented along with a related action plan for control implementation.

Three of the most important risks a software company faces are: unexpected changes in revenue, unexpected changes in costs from those budgeted and the amount of specialization of the software planned. Risks that affect revenues can be: unanticipated competition, privacy, intellectual property right problems, and unit sales that are less than forecast. Unexpected development costs also create risk that can be in the form of more rework than anticipated, security holes, and privacy invasions.

Narrow specialization of software with a large amount of research and development expenditures can lead to both business and technological risks since specialization does not necessarily lead to lower unit costs of software. Combined with the decrease in the potential customer base, specialization risk can be significant for a software firm. After probabilities of scenarios have been calculated with risk analysis, the process of risk management can be applied to help manage the risk.

Methods like applied information economics add to and improve on risk analysis methods by introducing procedures to adjust subjective probabilities, compute the value of additional information and to use the results in part of a larger portfolio management problem.

II. What is Risk Management?

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures (at any phase in design, development, production, or sustainment lifecycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. Several risk management standards have been developed including the Project Management Institute, the National Institute of Science and Technology, actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

The strategies to manage risk typically include transferring the risk to another party, avoiding the risk, reducing the negative effect or probability of the risk, or even accepting some or all of the potential or actual consequences of a particular risk.

Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk, whereas the confidence in estimates and decisions seems to increase.

Method

For the most part, these methods consist of the following elements, performed, more or less, in the following order:
• Identify, characterize, and assess threats
• Assess the vulnerability of critical assets to specific threats
• Determine the risk (i.e. the expected consequences of specific types of attacks on specific assets)
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a strategy

Principles of risk management

The International Organization for Standardization (ISO) identifies the following principles of risk management. Risk management should:
• Create value – resources expended to mitigate risk should generally exceed the consequence of inaction, or (as in value engineering), the gain should exceed the pain
• Be an integral part of organizational processes
• Be part of decision making
• Explicitly address uncertainty and assumptions
• Be systematic and structured
• Be based on the best available information
• Be tailorable
• Take into account human factors
• Be transparent and inclusive
• Be dynamic, iterative and responsive to change
• Be capable of continual improvement and enhancement
• Be continually or periodically re-assessed
III. What are the steps in Risk Analysis?

A. Introduction

Almost everything we do in today's business world involves a risk of some kind: customer habits change, new competitors appear, factors outside your control could delay your project. But formal risk analysis and risk management can help you to assess these risks and decide what actions to take to minimize disruptions to your plans. They will also help you to decide whether the strategies you could use to control risk are cost-effective.

B. How to Use the Tool:

Here we define risk as 'the perceived extent of possible loss'. Different people will have different views of the impact of a particular risk – what may be a small risk for one person may destroy the livelihood of someone else.

One way of putting figures to risk is to calculate a value for it as:

Risk = Probability of event x Cost of event

Doing this allows you to compare risks objectively. We use this approach formally in decision making with Decision Trees.

To carry out a risk analysis, follow these steps:

1. Identify Threats: The first stage of a risk analysis is to identify threats facing you. Threats may be:
• Human – from individuals or organizations, illness, death, etc.
• Operational – from disruption to supplies and operations, loss of access to essential assets, failures in distribution, etc.
• Reputational – from loss of business partner or employee confidence, or damage to reputation in the market.
• Procedural – from failures of accountability, internal systems and controls, organization, fraud, etc.
• Project – risks of cost over-runs, jobs taking too long, insufficient product or service quality, etc.
• Financial – from business failure, stock market, interest, etc.
• Technical – from advances in technology, technical failure, etc.
• Natural – threats from weather, natural disaster, accident, disease, etc.
• Political – from changes in tax regimes, public opinion, government policy, foreign influence, etc.
• Others

This analysis of threat is important because it is so easy to overlook important threats. One way of trying to capture them all is to use a number of different approaches:
• Firstly, run through a list such as the one above, to see if any apply.
• Think through the systems, organizations or structures you operate, and analyze risks to any part of those.
• See if you can see any vulnerability within these systems or structures.
• Ask other people, who might have different perspectives.

2. Estimate Risk: Once you have identified the threats you face, the next step is to work out the likelihood of the threat being realized and to assess its impact. One approach to this is to make your best estimate of the probability of the event occurring, and to multiply this by the amount it will cost you to set things right if it happens. This gives you a value for the risk.

3. Manage Risk: Once you have worked out the value of risks you face, you can start to look at ways of managing them. When you are doing this, it is important to choose cost effective approaches – in most cases, there is no point in spending more to eliminate a risk than the cost of the event if it occurs. Often, it may be better to accept the risk than to use excessive resources to eliminate it.

Risk may be managed in a number of ways:
• By using existing assets: Here existing resources can be used to counter risk. This may involve improvements to existing methods and systems, changes in responsibilities, improvements to accountability and internal controls, etc.
• By contingency planning: You may decide to accept a risk, but choose to develop a plan to minimize its effects if it happens. A good contingency plan will allow you to take action immediately, with the minimum of project control if you find yourself in a crisis management situation. Contingency plans also form a key part of Business Continuity Planning (BCP) or Business Continuity management (BCM).
• By investing in new resources: Your risk analysis should give you the basis for deciding whether to bring in additional resources to counter the risk. This can also include insuring the risk: Here you pay someone else to carry part of the risk – this is particularly important where the risk is so great as to threaten your or your organization's solvency.

4. Review: Once you have carried out a risk analysis and management exercise, it may be worth carrying out regular reviews. These might involve formal reviews of the risk analysis, or may involve testing systems and plans appropriately.

C. What is a Contingency Plan?

A contingency plan is a plan devised for an exceptional risk which is impractical or impossible to avoid. Contingency plans are often devised by governments or businesses who want to be prepared for events which, while highly unlikely, may have catastrophic effects. For example, suppose many employees of a company are travelling together on an aircraft which crashes, killing all aboard. The company could be severely strained or even ruined by such a loss. Accordingly, many companies have procedures to follow in the event of such a disaster. The plan may also include standing policies to mitigate a disaster's potential impact, such as requiring employees to travel separately or limiting the number of employees on any one aircraft.