Post on 12-Jan-2016
Session
Risk Management Plan
Session Outline
Business Risk; Process Risk; Decision Making Risk; Hazards & Threats; Risk Types; Contexts
This Session Weekly Activity: Free Gift
Hemp Ltd manufactures and sells clothing made out of hemp. As part of a promotion for their clothing, they offer customers a hemp tote bag with every purchase over $150.
Richard purchases a Grandpa shirt and some trousers costing $170.
When Richard tries to collect his free tote bag, none are available.
Advise Richard of his rights. What can he do?
What is Risk?
The potential for realization of unwanted, adverse consequences to human life, health, property, or the environment; estimation of risk is usually based on the expected value of the conditional probability of the event occurring times the consequence of the event given that it has occurred.
The Wheel of Misfortune: Classifying Risk by Type of Asset
Risk classes shown on the wheel: Property Risks; Personnel Risks; Customer Risks
Risks shown on the wheel: Fire; Natural Disasters; Burglary and Business Swindles; Shoplifting; On-Premise Injury; Competition from Former Employees; Loss of Key Executives; Employee Dishonesty; Bad Debts; Product Liability; Bankruptcy
Risk Management
Risk management may be defined as a field of activity seeking to eliminate, reduce and generally control pure risks (such as from safety, fire, major hazards, security lapses, environmental hazards) and to enhance the benefits and avoid detriment from speculative risks (such as financial investment, marketing, human resources, IT strategy, commercial and business risks).
3 Risk Management Rules
Three rules of risk management (Mehr and Hedges):
The first (and most important) of the three rules is "Don't risk more than you can afford to lose." Although it does not necessarily tell us what should be done about a given risk, it does tell us which risks something must be done about: those with the potential for catastrophic losses.
Since these losses should not be retained, the first rule suggests that such risks should be avoided, reduced, or transferred.
The second rule, "consider the odds", suggests that risks characterized by a high frequency (high probability) should probably not be insured, mainly because of the high cost of transferring risks with a high loss frequency.
Finally, the third rule, "don't risk a lot for a little", dictates that there should be a reasonable relationship between the cost of transferring risk and the value that accrues to the transferor.
It provides guidance in two directions.
First, risks should not be retained when the possible loss is large (a lot) relative to the premiums saved through retention (a little). On the other hand, there are instances in which the premium required to insure a risk is very high relative to the risk transferred. In these cases, the premiums (inc. excesses) represent "a lot" while the possible loss is "a little."
When the exposure represents "more than you can afford to lose", a loss minimization strategy is appropriate. When the loss is not more than one can afford, the "consider the odds" and "don't risk a lot for a little" strategies may be a better option.
Hazards and Threats
Hazards or threats may be physical entities, conditions, substances, activities or behaviours which are capable of causing harm.
Hazards and threats to an organization come in many forms.
An organization may be damaged by cumulative effects of many small incidents or by a spectacular but rare major incident.
Resulting damage could be to the health and safety of employees, to plant, equipment or an entire installation, to the environment, to products, or to financial assets.
Damage to intangible factors such as credibility, status and bargaining power may also result.
Hazards and Threats
Hazard: A situation or event capable of potential harm (i.e., capable of causing personal or property damage)
Vulnerability: Vulnerability is an assessment of how well or how poorly protected you are against an event or situation
Impact: Assessment of interaction of hazard effects with your vulnerabilities
Threat: The operationalization of vulnerability, expected impact of a developing hazard, and the probability that impact will work against your vulnerabilities
Risk: The probability that potential harm may become actual
Risk = Probability x Impact
Risk Types
Pure: Security/fraud; Fire; Environment; Health & safety; Quality assurance; IT reliability; Business interruption; Earthquake; Flood.
Speculative: Investment/finance; Product development; Business strategies; Marketing; Political risk; Socio-cultural risk; Business process re-engineering; IT strategy.
Project Risk Management Plan
8.0 Risk management plan
8.1 Purpose
8.2 Roles and Responsibilities
8.3 Risk Management Strategies
8.4 Risk Management Process
8.4.1 Risk Identification
8.4.2 Risk Assessment (analysis)
8.4.3 Risk Control (reduction/response)
8.4.4 Risk Monitoring
8.5 Risk Documentation
8.6 Approvals
Purpose
Identifying, managing, and mitigating risk is an imperative part of managing projects. If risks are not identified and steps are not taken to avoid or mitigate those risks, the project may incur significant delays, additional costs, or reduction in quality. This section describes why risk management is necessary for successfully managing projects and how this plan will address risk for this particular project.
Roles and Responsibilities
This section describes the roles and responsibilities of all key project personnel with regard to risk management. Although the Project Manager may be ultimately responsible for managing risk, it is everyone's job to support the Project Manager in helping to identify, analyse and quantify risks, and to develop mitigation and avoidance strategies.
Risk Management Strategy
Risk management should not be approached blindly as it is far too important to project success. There must be an established strategy in approaching a project's risk management activities and this strategy should be based on a common understanding between all project participants. The strategy may be a general description of how the project will approach its risk management activities.
Risk Management Process
The risk management process begins by identifying hazards or threats and analysing them in terms of potential consequences, i.e. risk profiling. On the basis of the information and understanding gained, a risk assessment is then carried out with the following main steps:
risk estimation (Measuring the risk);
risk evaluation (How big in a scale of risks?);
risk decisions (Is the risk acceptable against specified criteria?);
risk action/strategy (What combination of strategies should be selected?).
Risk strategy relates to a particular approach, or combination of approaches, to one or more risks.
This section should outline the process the project team will use to manage risks. There are many techniques and approaches to doing this but it is imperative that for a given project, there is a clearly defined and understood process. This consistency ensures that risk management activities are conducted in the most efficient and effective manner possible.
Risk Contexts
The context(s) in which risks are perceived to exist, and to which risk management responds, set the scene for identifying and understanding relevant hazards and threats and analysing the corresponding risks.
The way to look at this is at an organisational level (operational) and at an environmental level (strategic), considering the internal and external aspects that would be affected.
Risk Management Contexts
Inner context (specific internal environment: system, inputs and transformation): Organisational structures; Resources; Culture; Power relations; Risk perceptions; Strategy; Motivations
Outer context (general & industry environment): Economies and markets; Public policy, regulation and standards; Social, historical and political climate; Physical conditions and climate; Technology.
Risk Assessment
Identify the risks: As many as possible; All aspects of the business; Why? Unidentified risks can't be managed
Analyse the risks: Find the ones that have the greatest impact/consequence; Know the business losses if not managed; Provide quantitative estimates & qualitative characteristics; Likelihood x exposure x consequence
Evaluate the risks
Topic Example Video
The following video explains risk identification.
Take note of the key points. https://www.youtube.com/watch?v=sctJTnJEz2c
Process Identification
Unless a loss exposure is recognised it cannot be managed.
Loss exposure is described as a possible future loss rather than a loss that has already happened.
How to find them: to be able to identify possible future loss, the organisation needs to undertake a Situation Analysis:
Strengths; Weaknesses; Opportunities; Problems; Threats; Influences.
Business Risk
Business risk is the threat that an event or action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully.
This involves analysing the organisation and its various components, as well as the different environments including their specific elements, to determine likely impacts to the organisation.
Managers take business risks in their attempt to convert resources into goods and services their customers demand (i.e., integrating the value chain while attempting to control/mitigate the uncertainties created by a complex set of stakeholder relationships and process interactions).
Business Risk Model™
Environmental Risk: Competitor; Sensitivity; Shareholder relations; Capital availability; Catastrophic loss; Sovereign/political; Legal; Regulatory; Industry; Financial markets
Process Risk
Operations risk: Customer satisfaction; Human resources; Product development; Efficiency; Capacity; Performance gap; Cycle time; Sourcing; Obsolescence/shrinkage; Compliance; Business interruption; Product/service failure; Environmental; Health and safety; Trademark/brand name erosion
Empowerment risk: Leadership; Authority/limit; Outsourcing; Performance incentives; Change readiness; Communications
Information processing/Technology risk: Access; Integrity; Relevance; Availability; Infrastructure
Integrity risk: Management fraud; Employee fraud; Illegal acts; Unauthorized use; Reputation
Financial risk (sub-categories: Price; Liquidity; Credit): Interest rate; Currency; Equity; Commodity; Financial instrument; Cash flow; Opportunity cost; Concentration; Default; Concentration; Settlement; Collateral
Information for Decision-making Risk
Operational: Pricing; Contract commitment; Performance measurement; Alignment; Regulatory reporting
Financial: Budget and planning; Accounting information; Financial reporting evaluation; Taxation; Pension fund; Investment evaluation; Regulatory reporting
Strategic: Environmental scan; Business portfolio; Valuation; Performance measurement; Organization structure; Resource allocation; Planning; Life-cycle
Source: The Economist Intelligence Unit Limited 1998
Business Risk
Identify tasks with risks. The overall project risk is the sum of the individual risks associated with product development plus the risk associated with the market for the product.
Work Breakdown Structure (WBS) at each level.
Each task/component is reviewed and ranked in terms of potential risks.
All risks racked up for risk matrix.
Some risks disappear when intensities are dimensioned, others are ranked high and addressed with contingency planning.
Risk Identification
Risk identification is the process of understanding what potential events might hurt or enhance a particular project.
This section describes in detail how risks will be identified and what risk identification consists of.
Risk identification tools and techniques include:
Brainstorming
The Delphi Technique
Interviewing
SWOT analysis
Risk Breakdown Structure
IT Project
Business: Competitors; Suppliers; Cash flow
Technical: Hardware; Software; Network
Organizational: Executive support; User support; Team support
Project Management: Estimates; Communication; Resources
Risk Identification Breakdown
Components Elements
Risk Analysis
A detailed examination including risk assessment, risk evaluation, and risk management alternatives, performed to understand the nature of unwanted, negative consequences (i.e. to human life, health, property, or the environment);
an analytical process to provide information regarding undesirable events;
the process of quantification of the probabilities and expected consequences for identified risks.
Assessing Business Risk
Although techniques vary, most risk assessment programs accomplish three tasks:
Identification of the risks that might affect the success of the firm's business strategy
Determination of why, how, and where the risks originate (outside the firm or within the business processes)
Measurement of the severity, likelihood, and financial impact of the risk.
Business Risk Analysis
Risk Assessment
List the possible losses you could experience in operating as an international business.
Explain the basis for your reasoning and how it will affect your business.
Topic Example Video
The following video explains how to undertake a risk assessment.
Take note of the key points. http://www.youtube.com/watch?v=jZlu-O1s9So
Business Risk Analysis
Risk Likelihood
Rate the probability of each listed loss occurring. For example, rate something certain of occurring as 1, anything less than certain as between 0 and 1, and something that you consider as certainly not occurring as 0.
This score can be converted to a percentage.
Review the list you have made above and decide whether or not the risks are acceptable enough to allow you to proceed.
Risk Likelihood Descriptors
RATING | DESCRIPTION | LIKELIHOOD OF OCCURRENCE
1 | Rare | Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will.
2 | Unlikely | Not expected, but there's a slight possibility it may occur at some time
3 | Possible | The event might occur at some time as there is a history of casual occurrence at this, or similar, organisations
4 | Likely | There is a strong possibility the event will occur as there is a history of frequent occurrence at this, or similar, organisations
5 | Frequent/Almost Certain | Very likely. The event is expected to occur in most circumstances as there is a history of regular occurrence at this, or similar, organisations
Adapted from: http://www.scu.edu.au/risk_management/index.php/4
Risk Consequences/Impacts
Topic Example Video
The following video explains what a risk assessment matrix is.
Take note of the key points. http://www.youtube.com/watch?v=Mz6DtCMVEVw
Probability/Impact Matrix
A probability/impact matrix or chart lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other.
List the risks and then label each one as high, medium, or low in terms of its probability of occurrence and its impact if it did occur.
Can also calculate risk factors: numbers that represent the overall risk of specific events based on their probability of occurring and the consequences to the project if they do occur.
Risk Assessment Matrix
Topic Example Video
The following video discusses evaluating risks.
Take note of the key points. https://www.youtube.com/watch?v=9SOSEiodf68
Level of Risk
Risk Rating Descriptors
RATING | DESCRIPTION | REQUIRED ACTION
L | Low | Acceptable. Unlikely to require specific application of resources. Manage by routine procedures. Monitor and review.
M | Moderate | Acceptable. Unlikely to cause much damage and/or threaten the efficiency and effectiveness of the program/activity. Treatment plans to be developed and implemented by operational managers. Manage by specific response or response procedures.
H | High | Generally not acceptable. Likely to cause some damage, disruption or breach of controls. Senior management attention needed and management responsibility specified. Treatment plans to be developed and reported to senior management.
E | Extreme | Not acceptable. Likely to threaten the survival or continued functioning of the program/organisation either politically or financially. Immediate action required. Must be managed by senior management with a detailed treatment plan reported to Executive level staff.
Adapted from: http://www.scu.edu.au/risk_management/index.php/4
Risk Analysis Calculator
Download a Free Risk Score Calculator from: http://www.safetyrisk.com.au/risk-assessment-form-templates/
You will also need to consider the exposure level and the consequence or level of impact when calculating a score.
Use the risk calculator for each risk you have identified.
Topic Example Video
The following video discusses the problems in assessing risk.
Take note of the key points. http://www.youtube.com/watch?v=PA9rqNBZWIw
Risk Treatment
Risk treatment is about considering options for treating risks that were not considered acceptable or tolerable.
Risk treatment involves identifying options for treating or controlling risk, in order to either reduce or eliminate negative consequences, or to reduce the likelihood of an adverse occurrence. Risk treatment should also aim to enhance positive outcomes.
Risk Management Strategies
Risk management strategies generally fall into one of four broad categories:
Avoidance: The conscious choice not to proceed with the activity that creates the risk.
Acceptance: Accepting a risk because the potential rewards exceed the consequences of the risks when they are properly controlled.
Transference: Reducing exposure to a risk by transferring it to third parties (e.g., insurance, hedging with financial instruments, outsourcing, etc.)
Mitigation: Reducing the likelihood or economic consequence of risk by controlling the processes that cause it (e.g., geographic dispersion of assets reduces the impact of the occurrence of a single risk event on a company)
Risk Management Decisions
There are several ways that risk management decisions should be made. The two major risk management techniques are risk control, which focuses on minimising the risk of loss to which an organisation is exposed, and risk financing, which concentrates on arranging the availability of funds to meet the losses that do occur.
Risk Control: Avoidance; Reduction
Risk Financing: Retention; Transfer.
Risk Management Options
Avoidance: Withdraw; do not enter market; cease activity.
Deferment: Wait and see; defer decisions and actions.
Reduction: Improve prevention and control measures; target risks and apply remedial programs to reduce risks to as low as reasonably practicable.
Retention: Captive (internal) insurance and/or bearing the risk (part of risk financing).
Transfer: External insurance via premiums (part of risk financing).
Sharing: Joint ventures with other organizations.
Limitation: Limit scale or scope of presence or activities.
Mitigation: Damage limitation.
Positive Risks Response Strategies
Risk acceptance
At times, opportunities simply fall on your lap and you choose to accept them. This is called accepting a positive risk. It also means you are acknowledging that you'd rather not Exploit, Share, or Enhance the risk.
Accepting is a strategy that is applicable to both Negative and Positive Risks.
Identifying positive risks and responding to them is a recurring process. This is one of the golden rules to follow while managing risks.
Risk treatments – Hierarchy of Control
Consider existing controls:
Engineering controls (fume hood, equipment guards)
Administrative controls (signage, training, SOPs, others)
Personal Protective Equipment
Existing controls will not change the severity, only the likelihood.
Severity and likelihood are based on a matrix and the respective criteria specified.
Risk rating is the product of severity by likelihood.
Refer to acceptability criteria on the recommended action for different risk ratings.
For medium and high risk, additional controls will be required.
Risk Controls
Top Ten Risk Item Tracking
Top Ten Risk Item Tracking is a qualitative risk analysis tool that helps to identify risks and maintain an awareness of risks throughout the life of a project.
Establish a periodic review of the top ten project risk items.
List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item.
Describe risk: A statement covering what could go wrong with the task. What-if analysis.
Description of Risk
Risk Register
The main output of the risk identification process is a list of identified risks and other information needed to begin creating a risk register.
A risk register is:
A document that contains the results of various risk management processes and that is often displayed in a table or spreadsheet format.
A tool for documenting potential risk events and related information.
Risk events refer to specific, uncertain events that may occur to the detriment or enhancement of the project.
Topic Example Video
The following video explains how to develop a project risk register.
Take note of the key points. https://www.youtube.com/watch?v=D3S6kpBlDbk
Risk Register Contents
An identification number for each risk event.
A rank for each risk event.
The name of each risk event.
A description of each risk event.
The category under which each risk event falls.
The root cause of each risk.
Triggers for each risk; triggers are indicators or symptoms of actual risk events.
Potential responses to each risk.
The risk owner or person who will own or take responsibility for each risk.
The probability and impact of each risk occurring.
The status of each risk.
Sample Risk Register
No. | Rank | Risk | Description | Category | Root Cause | Triggers | Potential Responses | Risk Owner | Probability | Impact | Status
R44 | 1 | | | | | | | | | |
R21 | 2 | | | | | | | | | |
R7 | 3 | | | | | | | | | |
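A small risk register with Top Ten tracking, added here as an illustration and not part of the original slides: it scores each risk as likelihood x impact using the 1 to 5 likelihood ratings above, ranks the open risks, and reports current rank, previous rank and times on the list across periodic reviews. The 1 to 5 impact scale, the tie-breaking rule and all sample risks are assumptions constructed for the example; the progress summary column is left out.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One risk register row, using fields from the register contents listed above."""
    risk_id: str
    name: str
    category: str
    owner: str
    likelihood: int          # 1 (Rare) .. 5 (Frequent/Almost Certain), per the likelihood table
    impact: int              # assumed 1..5 scale; the slides give no impact descriptors
    status: str = "open"

    def __post_init__(self):
        for attr in ("likelihood", "impact"):
            if not 1 <= getattr(self, attr) <= 5:
                raise ValueError(f"{self.risk_id}: {attr} must be between 1 and 5")

    @property
    def score(self):
        # Risk rating as the product of likelihood and impact (severity).
        return self.likelihood * self.impact

def rank(risks, top_n=10):
    """Map risk_id -> rank for open risks, highest score first.
    Ties are broken by impact, then by id (an assumption, so ordering is stable)."""
    open_risks = [r for r in risks if r.status == "open"]
    ordered = sorted(open_risks, key=lambda r: (-r.score, -r.impact, r.risk_id))
    return {r.risk_id: pos for pos, r in enumerate(ordered[:top_n], start=1)}

def track(reviews, top_n=10):
    """reviews: list of (label, [Risk, ...]), oldest first, one entry per periodic review.
    Returns Top Ten tracking rows for the latest review."""
    times_on_list, previous, current = {}, {}, {}
    for _label, risks in reviews:
        previous, current = current, rank(risks, top_n)
        for rid in current:
            times_on_list[rid] = times_on_list.get(rid, 0) + 1
    return [{"risk_id": rid, "current": cur, "previous": previous.get(rid),
             "times_on_list": times_on_list[rid]}
            for rid, cur in sorted(current.items(), key=lambda kv: kv[1])]

# Constructed sample data: two monthly reviews of a hypothetical IT project.
REVIEWS = [
    ("month 1", [
        Risk("R44", "Key supplier fails to deliver", "Business", "PM", 4, 5),
        Risk("R21", "Network capacity too low", "Technical", "IT lead", 3, 4),
        Risk("R7", "Estimates too optimistic", "Project Management", "PM", 2, 3),
    ]),
    ("month 2", [
        Risk("R44", "Key supplier fails to deliver", "Business", "PM", 3, 5),
        Risk("R21", "Network capacity too low", "Technical", "IT lead", 4, 4),
        Risk("R7", "Estimates too optimistic", "Project Management", "PM", 2, 3, "closed"),
        Risk("R52", "Loss of executive support", "Organizational", "Sponsor", 2, 5),
    ]),
]

if __name__ == "__main__":
    for row in track(REVIEWS):
        print(row)
```

A risk that is closed drops out of the ranking, and a risk seen for the first time has no previous rank.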
Next Session Weekly Activity: Risk Action Plan
An action plan provides milestones for updating progress as well as ongoing reporting. Managers need to know what is to be accomplished, how it will be accomplished, by whom and within what timeframe. Before an action plan can be enacted it needs to be developed. Thinking about risk analysis, management and control tasks, undertake the following activities:
Specify tasks
Sequence tasks
Determine resource needs
Establish a task schedule
Assign responsibility for each task
Describe the expected results
Specify methods of monitoring these results.
Incorporate these activities into an action plan.