INTRODUCTION TO RISK MANAGEMENT

Welcome to this course on introduction to risk management.

SLIDE 1: Risk

“A ship is safe in harbor, but that’s not what ships are for.”

All types of organizations face with the some form of risks, which may affect their chance of success.
Understanding the risks, and effectively managing these, will greatly help the organizations, in achieving the
long term success.

Risk Management can be an important tool, to eliminate potential problems in an organization. Even though
the current version of ISO 9001 does not specifically require the use of risk management, in the preventive
action clause, some of the industry specific standards require it specifically. For example, the quality
management standard for aviation industry, and healthcare industry, have risk management requirement,
included in the preventive action clause.

SLIDE 2: Topics Covered

1. What is Risk
2. What is Risk Management
3. Risk Management Steps
a. Plan Risk Management
b. Identify Risks
c. Analyze Risks
d. Plan Risk Responses
e. Monitor and Control Risks

These are the topics covered in this course. First we will understand the definitions of risk and risk
management. Then we will look at five key steps for managing risks.

SLIDE 3: What is Risk

Risk:

 An uncertain future event or condition which if happens affects the mission objective.
 It could have a positive or negative effect.

Companies face a number of internal and external factors, which make it uncertain, whether the company will
meet its objectives. These uncertain events, or conditions, are called the risks. So far in this course, we
thought that the risks always have a negative impact. Let’s be clear here, that the result of a risk is not always
negative.

SLIDE 4: What is Risk

Opportunity:

 Positive risks are called opportunities.

 You would like to take maximum advantage of these positive risks.

Risks are uncertain events. These uncertain events could lead to positive or negative results. Positive risks are
known as opportunities. Organizations attempt to avoid, or reduce the impacts of negative risks. However
when it comes to the positive risks, organizations would like to take maximum advantage of these
opportunities.

SLIDE 5: What is Risk

Issue:

 Risk is associated with future event, which has not happened yet.
 A risk which has already occurred is considered as an “issue”.

This slide explains the difference between a risk, and an issue. While a risk is a future uncertain event, an
issue is an event which has already occurred.

SLIDE 6: What is Risk

Risk Appetite:

 Amount and type of risk that an organization is prepared to seek, accept or tolerate

Risk Tolerances:

 Organization’s readiness to bear the risk after risk treatments in order to achieve its objectives

The concepts of risk appetite, and risk tolerance, are related to the extent to which, an organization is
comfortable taking risk. Taking big risks could be lead to big losses, or big rewards. While risk appetite is about
the willingness to take risk, risk tolerance is about what the organization can bear.

SLIDE 7: What is Risk

Why take risk?

 There is a balance between risk and rewards.

 Generally more risks lead to more rewards, but that is not true always. (You want more rewards with less
risk)

As discussed on the previous slide, risk is associated with reward. Organizations take risks to gain more
rewards.

SLIDE 8: What is Risk Management

Risk Management is the identification, assessment, and prioritization of risks (positive or negative) followed by
coordinated and economical application of resources to minimize, monitor, and control the probability and/or
impact of unfortunate events or to maximize the realization of opportunities.

This is the definition of risk management, taken from Wikipedia.org. If you find this definition confusing, then
please proceed to the next slide. This same definition is presented there, in form of a diagram.
SLIDE 9: What is Risk Management

Minimize Monitor Control

Identification
of Risks
Probability and/or impact of unfortunate events

Assessment Resources
of Risks Maximize

Realization of opportunities

Prioritization
of Risks

In risk management, you identify the potential risks, and then you assess them so that you know which of the
identified risks are more critical and which one is less. Based on that assessment you give more priority to
some risks and less to others. You cannot cover all risks since you have limited resources. With this priority
you put your resources on high priority risks. As we talked earlier a risk can be a negative or positive risk. You
attempt to minimize the impact of negative risks, monitor then and keep them under control. However if it is a
positive risk, or an opportunity, you put your resources to maximize the opportunity.

SLIDE 10: What is Risk Management

Risk Management Principles

 Create value
 Be an integral part of organizational processes
 Be part of decision-making process
 Be systematic and structured
 Be transparent
 Be responsive to change
 Be capable to continual improvement and enhancement
 Be continually or periodically re-assessed

For risk management process to be effective, these are some of the key principles that should be considered.
Since the organization is spending resources, to manage risks, it should create value. Risk management
should be performed systematically, and be integral part of the organization's work processes. As the
organization matures, the types of risks or challenges change. The organization should adapt to these
changes, and improve the risk management process.
SLIDE 11: What is Risk Management

Application of Risk Management

 Project Management
 Military
 Space
 Medical
 Engineering
 Plant Operation
 Safety
 Financial Portfolio

Risk management is applied in variety of fields such as project management, military, space, medical,
engineering, plant operation, safety and in financial portfolio management.

SLIDE 12: What is Risk Management

Potential Benefits of Risk Management

Better decision-making through a good

understanding of risks and their likely impact
Fewer Effective use Reassuring
surprises of resources stakeholders

Key benefits of implementing risk management includes fewer shocks and unwelcome surprises; effective use
of resources, and reassuring stakeholders. Instead of being unprepared for the threats and opportunities, that
happen during the course of a project or business, risk management can help plan and prepare for them. This
preparedness helps organizations in saving costs and time.

SLIDE 13: Risk Management Steps

1. Plan Risk Management

2. Identify Risks
3. Analyze Risks
4. Plan Risk Response
5. Monitor and Control Risks

Risk management process, can be divided into these five key steps. It starts with having a risk management
plan. The next step is to identify the potential risks and prepare a list of all risks. This list of risks is then
analyzed, using qualitative, and quantitative techniques, to identify high priority, medium priority, and low
priority risks. Response is planned for these risks, depending upon the priority. Risks are then monitored and
controlled. We will look at each of these steps, in the following slides.

SLIDE 14: Risk Management Steps

Plan Risk Management

Risk management plan specifies the management intent, systems and procedures required for managing risks.
SLIDE 15: Plan Risk Management

 Terms and Definitions

 Roles and Responsibilities
 Tools and Templates

Risk management plan will provide the definitions of various risk related terms. Roles and responsibilities
related to risk, and tools and templates, are also included in it.

SLIDE 16: Plan Risk Management

How to do these?

 Risk identification
 Risk analysis
 Risk response
 Risk monitoring

In a way risk management plan specifies how the next four steps listed on this slide are executed in the
organization. That is, how the organization will identify risks, how these risks will be analyzed, how the risk
response will be planned, and how the risks will be monitored and controlled.

SLIDE 17: Risk Management Steps

Identify Risks

Once the plan is in place, identify risks is the first key step in actual management of risks. This is the process
of identifying the potential risks, their root cause, and the risk consequences.

SLIDE 18: Identify Risks

 Risk identification is a systematic and methodical process.

 It is best done in a group environment.
 Wide number of people participate in this process including management, employees, customer, other
stakeholders

Risk identification is a systematic process. It is a group effort, where subject matter experts from various
groups participate.

SLIDE 19: Identify Risks

Tools Used:

 Brainstorming is the most common approach.

 Other tools include:
 Ishikawa Diagram (Cause and Effect)
  Flow Diagram

 SWOT Diagram (Strengths, Weaknesses, Opportunities and Threats)

The most common tool used in risk identification process, is brain storming. In this, the subject matter experts
from various groups meet together, and list down all the potential risks. During brain storming, no identified risk
is evaluated, or criticized. The intent here is to list down as many possible risks, in limited time. Other tools
such as Ishikawa diagram, flow diagram, and SWOT analysis may also be used. Here the term SWOT, stands
for Strengths, Weaknesses, Opportunities and Threats.

SLIDE 20: Identify Risks

Risk Register

 Output of identify risks process is a risk register.

 This lists down all the risks identified.
 In the next process, these risks are prioritized and action plan is created to address these risks.

The outcome of risk identification is a list of risks, or risk register. What is done with the list of risks depends on
the nature of the risk. A few low priority risks may be kept simply as a list of red flag items, and periodically
monitored. Some high priority risks may go through the rigorous process of assessment, analysis, mitigation
and planning.

The next risk management process, that is analyzing risks, helps in deciding that.

SLIDE 21: Risk Management Steps

Analyze Risks

Organizations do not have resources to address all risks. After having the list of all potential risks, the next
logical step is to analyze and prioritize risks. Some risks may need detailed action plan, and some may just
need periodic monitoring. The organization may accept some of the risks without any action. In this step, that is
analyzing risks, we will look at how the risks are analyzed and prioritized.

SLIDE 22: Analyze Risks

 Risks are analyzed to set priority

 Sets focus on high priority risks

This is the process of quantifying the risk events, documented in the previous step, so that the organization
can focus on critical risks.

SLIDE 23: Analyze Risks

Qualitative Quantitative
Risk Analysis Risk Analysis

Quick and Detailed

Easy to and Time
Perform Consuming

Subjective Analytics

Qualitative Quantitative
Expected Monitory Value Analysis
Tools:
Probability and Impact Matrix Monte Carlo Analysis
Decision Tree

For risk analysis, qualitative and quantitative analysis are conducted. Qualitative risk analysis is a subjective
analysis, and is quick and easy to perform. One tool to conduct the qualitative analysis is probability and
impact matrix. We will cover this tool in next few slides. On the other hand, quantitative risk analysis is the
detailed analysis of the risk. It is not required to conduct quantitative analysis for all risks, and is conducted
when it is worth the time and effort required to conduct it. Tools to conduct quantitative risk analysis include,
expected monitory value analysis, Monte Carlo analysis, and decision tree. These tools are not covered in this
training course.

SLIDE 24: Analyze Risks

Probability and Impact Matrix

 This is a qualitative risk analysis tool

 This evaluates:
 Likelihood (probability) that a particular risk will occur
 Potential impact on an objective if it occurs

As discussed in the previous slide, the Probability and Impact Matrix, is a qualitative risk analysis tool. This
matrix has two aspects, the probability that the risk will actually happen, and the potential impact if the risk
happens. These two are classified from very unlikely, to very likely.
SLIDE 25: Analyze Risks

Probability and Impact Matrix

 Each risk is analyzed for probability and impact and is assigned

 A nine-point rating: a score between 1-9
 A five-point rating: Very Low, Low, Medium, High, Very High (or a score of 1-5)
 A three-point rating: Low, Medium, High (or a score of 1-3)
 Risk Score = Probability × Impact

In the probability and impact matrix, the risk probability, and the risk impact are assigned a score of 1 to 9.
Where 1 is the least and 9 is the highest. A risk score is then calculated, by multiplying these two numbers.
Instead of assigning a score of 1 to 9, a score of 1 to 3, or a score of 1 to 5 may be used. These rules are
defined in your risk management plan. In this course, we are using a score of 1 to 9.

SLIDE 26: Analyze Risks

Probability and Impact Matrix Example

 If the risk has low probability, it is assigned a score of 1

 If the impact is significant, it is assigned an impact value of 9
 Risk Score = Probability × Impact (1 × 9 = 9)

In this example, the group assigns a score of 1 to the probability of risk, and a score of 9 to the impact value.
This means that the risk being discussed has a very low chance of happening, but if it happens, the impact will
be very high.

SLIDE 27: Analyze Risks

Sample Probability Table

Probability Category Probability Number Description

Very High 9 Risk event expected to occur
High 7 Risk event more likely than not to occur
Probable 5 Risk event may or may not occur
Low 3 Risk event less likely than not to occur
Very Low 1 Risk event not expected to occur

Since the score of 1 to 9 assigned to the probability, and impact, are subjective, organization managing the risk
creates some guidelines, to ensure that these are consistent. This slide shows a sample table, for assigning
probability number. The next slide will show a sample impact table.
SLIDE 28: Analyze Risks

Sample Impact Table

Project
Very Low (1) Low (3) Moderate (5) High (7) Very High (9)
Objective
Insignificant < 10% Cost 10-20% Cost > 40% Cost
Cost 20-40% Cost Impact
Cost Impact Impact Impact Impact
Insignificant < 5%
5-10% Schedule 10-20% Schedule > 20% Schedule
Schedule Schedule Schedule
Impact Impact Impact
Impact Impact
Product
Changes
Barely Minor Areas Major Areas becomes
Scope Unacceptable to
Noticeable Impacted Impacted Effectively
Client
Useless
Minor Client must Quality Reduction Product become
Barely
Quality Functions Approve Quality Unacceptable to Effectively
Noticeable
Impacted Reduction Client Useless

This is a sample table, to assign the risk impact number. The risk may impact cost, schedule, scope or quality.

SLIDE 29: Analyze Risks

Probability and Impact Matrix

Low High
Impact; Impact;
High High
Probability Probability
 Probability

Low High
Impact; Impact;
Low Low
Probability Probability

 Impact

Once we have assigned a risk probability number, and an impact number, these are plotted on the probability
and impact matrix. A simple example of that is shown here. Let us look at the four boxes shown here. Risks
towards the top right corner are of critical importance, since these are high impact and high probability risks.
These are your top priorities risks that you must pay close attention to. Risks in the bottom left corner are low
impact, and low probability risks. You can often ignore them. Risks in the top left corner are of moderate
importance, since these are Low impact, and high probability risks. If these things happen, you can cope with
them, and move on. However, you should try to reduce the likelihood that they'll occur. Risks in the bottom
right corner are high impact, and low probability risks, and these are very unlikely to happen. For these, you
should do what you can to reduce the impact, and you should have contingency plans in place, just in case
they occur.
SLIDE 30: Analyze Risks

Probability and Impact Matrix

1 3 5 7 9

 Probability
9 9 27 45 63 81
7 7 21 35 49 63
5 5 15 25 35 45
3 3 9 15 21 27
1 1 3 5 7 9

 Impact

This and the next slide, show examples of probability and impact matrix. In this example, a score of 1 to 9 is
assigned to the probability, and the impact.

SLIDE 31: Analyze Risks

Probability and Impact Matrix

Very Low Low Medium High Very High

 Probability

Very High Medium Medium High High High

High Low Medium Medium High High
Medium Low Low Medium Medium High
Low Low Low Low Medium Medium
Very Low Low Low Low Low Medium

 Impact

This is an example of the probability and impact matrix, where the probability, and the impact, is assigned a
value between very low, to very high.

SLIDE 32: Risk Management Steps

Plan Risk Response

Once we have analyzed risks, the next step in risk management, is to plan risk response, for each identified
risk.

SLIDE 33: Plan Risk Response

Responding to Risks

 How to decrease the possibility of negative risk affecting the objectives

 How to increase the possibility of positive risk helping the objectives

When planning a risk response, we attempt to reduce the impact and chance, of negative risks, and enhance
the impact and chance, of positive risks.
SLIDE 34: Plan Risk Response

Negative Positive
Risk Risk

Avoid Exploit

Mitigate Enhance

Transfer Share

Accept Accept

This slide shows the four risk responses, for negative risks, and the corresponding responses for positive risks.
In the next eight slides, we will look at each of these responses.

SLIDE 35: Plan Risk Response

Avoid: Avoid the Risk

Examples:

 Plan is changed to avoid the risk

 Adopting a proven approach instead of a new approach
 Improving team communication

In risk avoidance, we completely eliminate the possibility of the risk. An example might be to use an old and
proven process, instead of new and risky process. Risk can also be avoided by improved communication,
providing information, or acquiring an expert.

SLIDE 36: Plan Risk Response

Mitigate: Reduce the probability and/or impact of the risk

Examples:

 Simplify the processes

 Develop prototype
 Additional inspections

If you cannot avoid a risk completely, you attempt to mitigate it. The purpose of risk mitigation is to reduce the
size of the risk exposure. This is done by either reducing the probability of the risk, or by reducing the impact.
SLIDE 37: Plan Risk Response

Transfer: Transfer the risk to a third party

Examples:

 Insurance
 Performance Warranty

The risk transfer strategy aims to pass ownership for a particular risk to a third party. It is also important to
remember that risk transfer almost always involves payment of a risk premium. A cost and benefit analysis
might be done, to ensure that the cost of transferring risk is justified.

SLIDE 38: Plan Risk Response

Accept: Accept the risk if no action is feasible or if the probability and/or impact is too small

Two types of acceptance:

 Passive Acceptance – No plan created to deal with these

 Active Acceptance – Contingency plan is created and risks are monitored

Acceptance of a risk means that the probability, and or the severity, of the risk is low enough, that we will do
nothing about the risk, unless it occurs. There are two kinds of acceptance, active and passive. Acceptance is
passive, when nothing at all is done to deal with the risk. Acceptance is active, when we decide to make a
contingency plan, for what to do, when the risk occurs.

SLIDE 39: Plan Risk Response

Exploit: Make sure that positive risk happens and make best use of the opportunity

Example:

 Put best team members and more resources

The next four slides, will deal with the risk responses for positive risks, or opportunities. The first response to
deal with the positive risk is to exploit it. This response tries to remove any uncertainty, so that the opportunity
is certain to happen.

SLIDE 40: Plan Risk Response

Enhance: Increase the probability and/or impact of the risk

Example:

 Put best team members and more resources

The enhance response, focuses on the root cause of the opportunity, and goes on to influence those factors,
which will increase the likelihood of the opportunity occurring.
SLIDE 41: Plan Risk Response

Share: Share the opportunity with a third party

Example:

 Forming team, joint venture or a company with a third party

Sometimes exploiting a positive risk is not possible, without collaboration. A partnership with a different group,
department, or company may be required, to exploit a positive risk.

SLIDE 42: Plan Risk Response

Accept: Accept the opportunity when it happens but not actively pursuing it

Example:

 Probability and rewards are not attractive.

Just like dealing with negative risks, we may actively or passively accept a positive risk. Acceptance of a risk
means that the probability, and/or the severity, of the risk are low enough, that we will do nothing about the
risk, unless it occurs.

SLIDE 43: Risk Management Steps

Monitor and Control Risks

Once we have identified risks, analyzed then and made a plan to deal with them, the next step is to monitor
and control the risks.

SLIDE 44: Monitor and Control Risks

 Regularly review the identified risks and ensure that these are still relevant
 Identify new risks
 Remove risks that are not relevant
 Risk audits may be conducted to ensure that the plan is being implemented and is effective

A risk management program is never finished. Risk monitoring and control, should be on-going and continual.
New risks will emerge, and existing risks will disappear. You have to stay on top of it.

SLIDE 45: Monitor and Control Risks

Unexpected Risks

 Use workarounds to deal with unexpected risks to reduce the impact

 Workaround should be documented for future reference

Workarounds are unplanned responses to the risks that were not identified or expected

While monitoring and controlling risks, unexpected risks occur. These unexpected risks are the risks, which
you did not identify in your risk identification process. A workaround is created to deal with such risks.