Professional Documents
Culture Documents
Risk Identification
Product
Delivered
Late
The assessment of the probability and magnitude of the risk is carried out
then each identified risk is analyzed.
The analysis relies on the judgment and experience of the activity manager
The probability of risk can be rated very low (<10%), low (10-25%),
moderate (25%-50%), high (50%-75%), or very high (>75%).
Risk effects can be rated as catastrophic (expenditures greater than
income), serious, tolerable, or insignificant.
Methodologies of Risk Analysis
Probability and Impact Matrix
Based on Failure Modes and Effects Analysis (FMEA)
From 1950’s analysis of military systems
Define Probability Scale & Impact Scale
Rate each
risk on
scales
then plot
on matrix
Develop
mitigation
technique
for risks
above
tolerance
Output of Qualitative Risk Analysis
(Risk Register Update)
Relative ranking or priority list of risks Risks may be
listed by priority separately for cost, time, scope, and
quality since organizations may value one objective over
another.
Example:
Which business of fruit chips is more profitable if we have 1 ha land? Apple and jackfruit
chips?
Compare the productivity results
Decision Making under Uncertainty
Each course of action has several possible consequences and the person in charge
of making the decision does not know the probability of each of them.
Poor in information.
The decision is complicated because past experiences do not make it possible to
predict the future and there are many uncontrollable variables.
Anticipate conditions of uncertainty:
looking for more information
research
use of subjective probability
Decision Making under Risk
• The classification of risks into short, medium and long term helps to
identify risks as being related (primarily) to operations, tactics and
strategy, respectively This distinction is not clear-cut, but it can assist
with further classification of risks.
• In fact, there will be some short-term risks to strategic core processes and
there may be some medium-term and long-term risks that could impact
operational core processes.
Short term Risk
• Has the ability to impact the objectives, key dependencies, and core
processes with the impact being immediate.
• Cause disruption to operations immediately at the time the event
occurs.
• Predominantly hazard risks, although this is not always the case.
• Normally associated with unplanned disruptive events, but may also be
associated with cost control in the organization.
• Usually impact the ability of the organization to maintain efficient core
processes that are concerned with the continuity and monitoring of
routine operations.
Medium-term Risk
• Has the ability to impact the organization some time after the event occurs.
• The impact could occur between one and five years (or more) after the
event.
• Usually impact the ability of the organization to maintain the core
processes that are concerned with the development and delivery of
efficacious strategy.
• Related to strategy, but they should not be treated as being exclusively
associated with opportunity management.
• Has the potential to undermine strategy and the successful implementation
of strategy can destroy more value than risks to operations and tactics.
Purpose of Risk Classification System
• The COSO risk classification system is not always helpful and it contains
several weaknesses. For example, strategic risks may also be present in
operations and in reporting and compliance.
• Despite these weaknesses, the COSO framework is in widespread use,
because the reporting component of the COSO internal control framework
is specifically concerned with the accuracy of the reporting of financial
data and is designed to fulfil the requirements of the Sarbanes–Oxley Act
(.(a federal law that established sweeping auditing and financial
regulations for public companies in USA))
FIRM Risk Scorecard
• The four headings of the FIRM risk scorecard offer a classification system for
the risks to the key dependencies in the organization.
• The FIRM risk scorecard builds on the different aspects of risk, including
timescale of impact, nature of impact, whether the risk is hazard, control or
opportunity, and the overall risk exposure and risk capacity of the organization.
• The headings of the FIRM scorecard provide for the classification of risks as
being primarily Financial, Infrastructure, Reputational or Marketplace in nature.
The classification system also reflects the idea that ‘every organization should be
concerned about its finances, infrastructure, reputation and commercial success’.
• Financial and infrastructure risks are considered to be internal to the
organization, while reputational and marketplace risks are external to the
organization. Financial and marketplace risks can be easily quantified in
financial terms, whereas infrastructure and reputational risks are more difficult to
quantify.
• The FIRM risk scorecard can also be used as a template for the identification of
corporate objectives, stakeholder expectations and, most importantly, key
dependencies.
• The scorecard is an important addition to the currently available risk
management tools and techniques compiled by analyzing the way in which
each risk could impact the key dependencies that support each core process.
• Facilitates robust risk assessment by ensuring that the chances of failing to
identify a significant risk are much reduced.
Attributes of the FIRM Risk Scorecards
PESTLE Risk Classification System
• PESTLE is an acronym that stands for political, economic, sociological, technological,
legal and environmental risks.
• In some versions of the approach, the final E is used to indicate ethical considerations
(including environmental).
• This risk classification system is most applicable to the analysis of hazard risks and is
less easy to apply to financial, infrastructure and reputational risks..
• The PESTLE risk classification system is often seen as most relevant to the analysis of
external risks. the external context that is not wholly within the control of the
organization, but where action can be taken to mitigate the risks.
• The PESTLE risk classification system should be used in conjunction with an analysis
of the strengths, weaknesses, opportunities and threats (SWOT) facing the
organization.
• The PESTLE approach may be most applicable in the public sector, because the
external factors analyzed by the PESTLE approach are particularly relevant.
Thank You