SLIDE 1: Risk
“A ship is safe in harbor, but that’s not what ships are for.”
All types of organizations face some form of risk, which may affect their chance of success.
Understanding these risks and managing them effectively will greatly help organizations achieve
long-term success.
Risk management can be an important tool to eliminate potential problems in an organization. Even though
the current version of ISO 9001 does not specifically require the use of risk management in the preventive
action clause, some of the industry-specific standards require it specifically. For example, the quality
management standards for the aviation industry and the healthcare industry include a risk management
requirement in the preventive action clause.
1. What is Risk
2. What is Risk Management
3. Risk Management Steps
a. Plan Risk Management
b. Identify Risks
c. Analyze Risks
d. Plan Risk Responses
e. Monitor and Control Risks
These are the topics covered in this course. First we will understand the definitions of risk and risk
management. Then we will look at five key steps for managing risks.
Risk:
An uncertain future event or condition which, if it happens, affects the mission objective.
It could have a positive or negative effect.
Companies face a number of internal and external factors which make it uncertain whether the company will
meet its objectives. These uncertain events or conditions are called risks. So far in this course, we
thought that risks always have a negative impact. Let's be clear here that the result of a risk is not always
negative.
Opportunity:
Risks are uncertain events. These uncertain events could lead to positive or negative results. Positive risks are
known as opportunities. Organizations attempt to avoid, or reduce the impacts of negative risks. However
when it comes to the positive risks, organizations would like to take maximum advantage of these
opportunities.
Issue:
Risk is associated with a future event, which has not happened yet.
A risk which has already occurred is considered as an “issue”.
This slide explains the difference between a risk, and an issue. While a risk is a future uncertain event, an
issue is an event which has already occurred.
Risk Appetite:
Amount and type of risk that an organization is prepared to seek, accept or tolerate
Risk Tolerances:
Organization’s readiness to bear the risk after risk treatments in order to achieve its objectives
The concepts of risk appetite and risk tolerance are related to the extent to which an organization is
comfortable taking risk. Taking big risks could lead to big losses or big rewards. While risk appetite is about
the willingness to take risk, risk tolerance is about what the organization can bear.
As discussed on the previous slide, risk is associated with reward. Organizations take risks to gain more
rewards.
Risk Management is the identification, assessment, and prioritization of risks (positive or negative) followed by
coordinated and economical application of resources to minimize, monitor, and control the probability and/or
impact of unfortunate events or to maximize the realization of opportunities.
This is the definition of risk management, taken from Wikipedia.org. If you find this definition confusing, then
please proceed to the next slide. The same definition is presented there in the form of a diagram.
SLIDE 9: What is Risk Management
[Diagram: Assessment of Risks; Prioritization of Risks; Resources; Maximize Realization of opportunities]
In risk management, you identify the potential risks, and then you assess them so that you know which of the
identified risks are more critical and which are less. Based on that assessment you give more priority to
some risks and less to others. You cannot cover all risks since you have limited resources. With this priority
you put your resources on high priority risks. As we discussed earlier, a risk can be a negative or positive risk. You
attempt to minimize the impact of negative risks, monitor them and keep them under control. However, if it is a
positive risk, or an opportunity, you put your resources to maximize the opportunity.
Create value
Be an integral part of organizational processes
Be part of decision-making process
Be systematic and structured
Be transparent
Be responsive to change
Be capable of continual improvement and enhancement
Be continually or periodically re-assessed
For the risk management process to be effective, these are some of the key principles that should be considered.
Since the organization is spending resources to manage risks, risk management should create value. It
should be performed systematically, and be an integral part of the organization's work processes. As the
organization matures, the types of risks or challenges change. The organization should adapt to these
changes, and improve the risk management process.
SLIDE 11: What is Risk Management
Project Management
Military
Space
Medical
Engineering
Plant Operation
Safety
Financial Portfolio
Risk management is applied in a variety of fields such as project management, military, space, medical,
engineering, plant operation, safety and financial portfolio management.
Key benefits of implementing risk management include fewer shocks and unwelcome surprises, effective use
of resources, and reassuring stakeholders. Instead of being unprepared for the threats and opportunities that
happen during the course of a project or business, risk management can help plan and prepare for them. This
preparedness helps organizations in saving costs and time.
The risk management process can be divided into these five key steps. It starts with having a risk management
plan. The next step is to identify the potential risks and prepare a list of all risks. This list of risks is then
analyzed, using qualitative and quantitative techniques, to identify high priority, medium priority, and low
priority risks. A response is planned for these risks, depending upon the priority. Risks are then monitored and
controlled. We will look at each of these steps in the following slides.
The risk management plan specifies the management intent, systems and procedures required for managing risks.
SLIDE 15: Plan Risk Management
The risk management plan will provide the definitions of various risk-related terms. Roles and responsibilities
related to risk, and tools and templates, are also included in it.
How to do these?
Risk identification
Risk analysis
Risk response
Risk monitoring
In a way, the risk management plan specifies how the next four steps listed on this slide are executed in the
organization. That is, how the organization will identify risks, how these risks will be analyzed, how the risk
response will be planned, and how the risks will be monitored and controlled.
Identify Risks
Once the plan is in place, identifying risks is the first key step in the actual management of risks. This is the process
of identifying the potential risks, their root cause, and the risk consequences.
Risk identification is a systematic process. It is a group effort, where subject matter experts from various
groups participate.
Tools Used:
The most common tool used in the risk identification process is brainstorming. In this, the subject matter experts
from various groups meet together and list all the potential risks. During brainstorming, no identified risk
is evaluated or criticized. The intent here is to list as many possible risks as possible in limited time. Other tools
such as the Ishikawa diagram, flow diagram, and SWOT analysis may also be used. Here the term SWOT stands
for Strengths, Weaknesses, Opportunities and Threats.
Risk Register
The outcome of risk identification is a list of risks, or risk register. What is done with the list of risks depends on
the nature of the risk. A few low priority risks may be kept simply as a list of red flag items, and periodically
monitored. Some high priority risks may go through the rigorous process of assessment, analysis, mitigation
and planning.
The next risk management process, that is analyzing risks, helps in deciding that.
Analyze Risks
Organizations do not have resources to address all risks. After having the list of all potential risks, the next
logical step is to analyze and prioritize risks. Some risks may need detailed action plan, and some may just
need periodic monitoring. The organization may accept some of the risks without any action. In this step, that is
analyzing risks, we will look at how the risks are analyzed and prioritized.
This is the process of quantifying the risk events, documented in the previous step, so that the organization
can focus on critical risks.
Qualitative Risk Analysis
Subjective
Tools: Probability and Impact Matrix
Quantitative Risk Analysis
Analytics
Tools: Expected Monetary Value Analysis, Monte Carlo Analysis, Decision Tree
For risk analysis, qualitative and quantitative analysis are conducted. Qualitative risk analysis is a subjective
analysis, and is quick and easy to perform. One tool to conduct the qualitative analysis is the probability and
impact matrix. We will cover this tool in the next few slides. On the other hand, quantitative risk analysis is the
detailed analysis of the risk. It is not required to conduct quantitative analysis for all risks, and it is conducted
when it is worth the time and effort required to conduct it. Tools to conduct quantitative risk analysis include
expected monetary value analysis, Monte Carlo analysis, and decision tree. These tools are not covered in this
training course.
As discussed in the previous slide, the Probability and Impact Matrix, is a qualitative risk analysis tool. This
matrix has two aspects, the probability that the risk will actually happen, and the potential impact if the risk
happens. These two are classified from very unlikely, to very likely.
SLIDE 25: Analyze Risks
In the probability and impact matrix, the risk probability and the risk impact are assigned a score of 1 to 9,
where 1 is the least and 9 is the highest. A risk score is then calculated by multiplying these two numbers.
Instead of assigning a score of 1 to 9, a score of 1 to 3, or a score of 1 to 5 may be used. These rules are
defined in your risk management plan. In this course, we are using a score of 1 to 9.
In this example, the group assigns a score of 1 to the probability of risk, and a score of 9 to the impact value.
This means that the risk being discussed has a very low chance of happening, but if it happens, the impact will
be very high.
Since the scores of 1 to 9 assigned to the probability and impact are subjective, the organization managing the risk
creates some guidelines to ensure that these are consistent. This slide shows a sample table for assigning the
probability number. The next slide will show a sample impact table.
SLIDE 28: Analyze Risks
Project Objective | Very Low (1) | Low (3) | Moderate (5) | High (7) | Very High (9)
Cost | Insignificant Cost Impact | < 10% Cost Impact | 10-20% Cost Impact | 20-40% Cost Impact | > 40% Cost Impact
Schedule | Insignificant Schedule Impact | < 5% Schedule Impact | 5-10% Schedule Impact | 10-20% Schedule Impact | > 20% Schedule Impact
Scope | Barely Noticeable | Minor Areas Impacted | Major Areas Impacted | Changes Unacceptable to Client | Product becomes Effectively Useless
Quality | Barely Noticeable | Minor Functions Impacted | Client must Approve Quality Reduction | Quality Reduction Unacceptable to Client | Product becomes Effectively Useless
This is a sample table, to assign the risk impact number. The risk may impact cost, schedule, scope or quality.
Probability (vertical axis) against Impact (horizontal axis):
Top row: Low Impact; High Probability | High Impact; High Probability
Bottom row: Low Impact; Low Probability | High Impact; Low Probability
Once we have assigned a risk probability number and an impact number, these are plotted on the probability
and impact matrix. A simple example of that is shown here. Let us look at the four boxes shown here. Risks
towards the top right corner are of critical importance, since these are high impact and high probability risks.
These are your top-priority risks that you must pay close attention to. Risks in the bottom left corner are low
impact and low probability risks. You can often ignore them. Risks in the top left corner are of moderate
importance, since these are low impact and high probability risks. If these things happen, you can cope with
them and move on. However, you should try to reduce the likelihood that they'll occur. Risks in the bottom
right corner are high impact and low probability risks, and these are very unlikely to happen. For these, you
should do what you can to reduce the impact, and you should have contingency plans in place, just in case
they occur.
SLIDE 30: Analyze Risks
Probability (rows) against Impact (columns):
  | 1 | 3 | 5 | 7 | 9
9 | 9 | 27 | 45 | 63 | 81
7 | 7 | 21 | 35 | 49 | 63
5 | 5 | 15 | 25 | 35 | 45
3 | 3 | 9 | 15 | 21 | 27
1 | 1 | 3 | 5 | 7 | 9
This and the next slide, show examples of probability and impact matrix. In this example, a score of 1 to 9 is
assigned to the probability, and the impact.
This is an example of the probability and impact matrix, where the probability and the impact are each assigned a
value from very low to very high.
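The scoring and four-box reading described above, worked through on a small register. This is an added example, not part of the course material: the threshold `HIGH_FROM`, the tie-break rule and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass

SCALE = (1, 3, 5, 7, 9)  # Very Low .. Very High, the scale used in the course
HIGH_FROM = 7            # assumption: 7 and 9 count as "high" in the four-box view

# (probability level, impact level) -> handling, paraphrasing the four boxes
GUIDANCE = {
    ("high", "high"): "critical: top priority, pay close attention",
    ("high", "low"): "moderate: cope if it happens, reduce the likelihood",
    ("low", "high"): "reduce the impact, keep a contingency plan",
    ("low", "low"): "can often be ignored",
}

@dataclass(frozen=True)
class Risk:
    name: str
    probability: int
    impact: int

def matrix():
    """Rows are probability 9..1, columns are impact 1..9, as in the 1-to-9 matrix."""
    return [[p * i for i in SCALE] for p in reversed(SCALE)]

def level(value):
    return "high" if value >= HIGH_FROM else "low"

def assess(risk):
    """Return (score, quadrant, guidance) for one register entry."""
    for value in (risk.probability, risk.impact):
        if value not in SCALE:
            raise ValueError(f"{risk.name}: {value} is not on the scale {SCALE}")
    quadrant = (level(risk.probability), level(risk.impact))
    return risk.probability * risk.impact, quadrant, GUIDANCE[quadrant]

def prioritize(register):
    """Highest score first; equal scores go to the higher-impact risk (assumption)."""
    return sorted(register, key=lambda r: (r.probability * r.impact, r.impact),
                  reverse=True)

# Constructed sample register (not from the course).
REGISTER = [
    Risk("Key supplier goes out of business", 1, 9),
    Risk("Minor rework after client review", 9, 1),
    Risk("Critical staff leave mid-project", 7, 7),
    Risk("Office printer failure", 3, 1),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        score, (prob, imp), advice = assess(r)
        print(f"{score:>2}  P={prob:<4} I={imp:<4} {r.name}: {advice}")
```

The first two register entries both score 9 but fall in different boxes, so the score alone does not tell you which response to plan.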
Once we have analyzed risks, the next step in risk management, is to plan risk response, for each identified
risk.
Responding to Risks
When planning a risk response, we attempt to reduce the impact and chance, of negative risks, and enhance
the impact and chance, of positive risks.
SLIDE 34: Plan Risk Response
Negative Risk | Positive Risk
Avoid | Exploit
Mitigate | Enhance
Transfer | Share
Accept | Accept
This slide shows the four risk responses, for negative risks, and the corresponding responses for positive risks.
In the next eight slides, we will look at each of these responses.
Examples:
In risk avoidance, we completely eliminate the possibility of the risk. An example might be to use an old and
proven process, instead of new and risky process. Risk can also be avoided by improved communication,
providing information, or acquiring an expert.
Examples:
If you cannot avoid a risk completely, you attempt to mitigate it. The purpose of risk mitigation is to reduce the
size of the risk exposure. This is done by either reducing the probability of the risk, or by reducing the impact.
SLIDE 37: Plan Risk Response
Examples:
Insurance
Performance Warranty
The risk transfer strategy aims to pass ownership for a particular risk to a third party. It is also important to
remember that risk transfer almost always involves payment of a risk premium. A cost and benefit analysis
might be done, to ensure that the cost of transferring risk is justified.
Accept: Accept the risk if no action is feasible or if the probability and/or impact is too small
Acceptance of a risk means that the probability, and/or the severity, of the risk is low enough that we will do
nothing about the risk unless it occurs. There are two kinds of acceptance, active and passive. Acceptance is
passive when nothing at all is done to deal with the risk. Acceptance is active when we decide to make a
contingency plan for what to do when the risk occurs.
Exploit: Make sure that positive risk happens and make best use of the opportunity
Example:
The next four slides, will deal with the risk responses for positive risks, or opportunities. The first response to
deal with the positive risk is to exploit it. This response tries to remove any uncertainty, so that the opportunity
is certain to happen.
Example:
The enhance response, focuses on the root cause of the opportunity, and goes on to influence those factors,
which will increase the likelihood of the opportunity occurring.
SLIDE 41: Plan Risk Response
Example:
Sometimes exploiting a positive risk is not possible, without collaboration. A partnership with a different group,
department, or company may be required, to exploit a positive risk.
Accept: Accept the opportunity when it happens but not actively pursuing it
Example:
Just like dealing with negative risks, we may actively or passively accept a positive risk. Acceptance of a risk
means that the probability, and/or the severity, of the risk are low enough, that we will do nothing about the
risk, unless it occurs.
Once we have identified risks, analyzed them and made a plan to deal with them, the next step is to monitor
and control the risks.
Regularly review the identified risks and ensure that these are still relevant
Identify new risks
Remove risks that are not relevant
Risk audits may be conducted to ensure that the plan is being implemented and is effective
A risk management program is never finished. Risk monitoring and control, should be on-going and continual.
New risks will emerge, and existing risks will disappear. You have to stay on top of it.
Unexpected Risks
Workarounds are unplanned responses to the risks that were not identified or expected
While monitoring and controlling risks, unexpected risks occur. These unexpected risks are the risks, which
you did not identify in your risk identification process. A workaround is created to deal with such risks.