report 8 - risk management
BS 183
RISK MANAGEMENT
RISK
Risk is part of life. Avoiding all risk would result in no achievement, no progress and no reward. Risk is defined as “the combination of the probability of an event and its consequence.” Consequences can range from positive to negative. All organizations have objectives at strategic, tactical and operational levels; anything that makes achieving these objectives uncertain is a risk. As our world becomes increasingly volatile and unpredictable, we must cope with greater uncertainty.
Risk Management
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause.
Several risk management standards have been developed, including those of the:
a. Project Management Institute
b. National Institute of Standards and Technology
c. Actuarial societies, and
d. ISO standards.
Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.
Strategies to manage threats:
a. Transferring the threat to another party
b. Avoiding the threat
c. Reducing the negative effect or probability of the threat
d. Accepting some or all of the potential or actual consequences of a particular threat
The opposites of these strategies apply to opportunities.
Ideal Risk Management
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order.
Intangible Risk Management
Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability.
Relationship Risk
Relationship risk appears when ineffective collaboration occurs.
Process-engagement risk
Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost-effectiveness, profitability, service, quality, reputation, brand value, and earnings quality.
WHY WE MANAGE RISKS
Almost all people and organizations strive to manage risk for three fundamental reasons:
(These three goals stem from the nature of risk itself, which we defined earlier as the possibility of a surprisingly bad, or a surprisingly good, event.)
1. To safeguard resources from surprising losses (safeguarding resources)
- Safeguarding the resources which a person or organization already possesses involves either reducing the surprising losses to which these resources are exposed or restoring them from losses that they experience.
2. To be prepared to seize surprising opportunities (preparing for opportunities)
- Remember that risk can bring surprisingly favorable outcomes as well as surprisingly unfavorable ones. People and organizations that safeguard their resources against the surprising losses that often come from unfavorable outcomes are in a better position to seize surprising opportunities than are those who have not protected what they already have.
3. To limit uncertainty, both in their minds and in the world (limiting uncertainty)
- Those who practice effective risk management have a better grip on their future. Effective risk management has enabled them to limit the range (particularly the downside range) of the consequences of any surprising events that may arise. This means they will be better able to carry out their plans, and so achieve their personal and organizational objectives, despite the uncertainty of the events in the world in which they function.
- Uncertainty can be a state of mind as well as a condition of the objective, physical world.
METHODS/PROCESSES
1. Identify
- Identify potential risks
- Identify strengths, weaknesses, opportunities and threats
- Common risk identification methods:
  a. Objective-based
  b. Scenario-based
  c. Taxonomy-based
  d. Common risk-checking
  e. Risk-charting
- Source analysis: the target of risk management; can be internal or external
- Problem analysis: when either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated
- Identification of Values Exposed to Loss:
  a. Property – every conceivable property loss strikes either real property or personal property
  b. Key person/s – these folks possess special talents, knowledge, reputations, or other characteristics that make them outstandingly valuable to that organization
  c. Freedom from Liability – ways in which any organization can be held responsible for harm that others suffer
     - A legislature or a court may determine, as a matter of public policy, that an organization should be financially responsible for particular types of losses even though the organization has not been directly at fault in causing those losses
     - By tort
     - By a crime
     - By an action that is wrong against society
  d. Net income – the amount by which its revenues exceed its expenses during the current accounting period
2. Assess
- Assess the risk associated with each opportunity and threat and map exposure
- Risks must be assessed as to their potential severity of impact and their probability of occurrence
- Best educated opinions and available statistics are the primary sources of information
- Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is: Rate (or probability) of occurrence multiplied by the impact of the event equals risk magnitude
3. Consider controls in place to address each risk
4. Reassess the risks and remap exposure in light of controls in place
5. Treat the risk - identify which risk treatment to be used and establish a risk management program
6. Monitor the risk
7. Report the movement of the risk
Principles
1. Creates and protects value
2. Be an integral part of organizational processes
3. Be part of the decision making
4. Explicitly addresses uncertainty
5. Be systematic, structured and timely
6. Based on the best available information
7. Be tailored
8. Take into account human and cultural factors
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Facilitate the continual improvement of organisations
Potential risk treatments
1. Avoid - cease activity to eliminate risk
2. Reduce - mitigate, corrective action to eliminate or reduce impact or likelihood
3. Share - transfer, shift impact to another entity
4. Retain - no corrective action
CREATING A RISK MANAGEMENT PLAN
A Risk Management Plan is a document that a project manager prepares to foresee risks, estimate impacts, and define responses to issues.
Risk management plans include risk strategies:
A - Avoid Risk
C - Control/Mitigate Risk
A - Accept Risk
T - Transfer Risk
1. Select appropriate controls or countermeasures to measure each risk.
2. Risk mitigation needs to be approved by the appropriate level of management.
3. Risk management plan should propose applicable and effective security controls for managing the risks.
4. After the completion of the risk assessment phase, preparing a Risk Treatment Plan should be done immediately, which should document the decisions about how each of the identified risks should be handled.
5. Implementation - Implementation follows all of the planned methods for mitigating the effect of the risks.
6. Review and evaluation of the plan
NOTE: Initial risk management plans will never be perfect.
Risk analysis results and management plans should be updated periodically. There are two primary reasons for this:
- to evaluate whether the previously selected security controls are still applicable and effective
- to evaluate the possible risk level changes in the business environment.
LIMITATIONS
Prioritizing the risk management processes too highly could keep an organization from ever completing a project or even getting started.
It is also important to keep in mind the distinction between risk and uncertainty. Risk can be measured by
If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that are not likely to occur.
Unlikely events do occur but if the risk is unlikely enough to occur it may be better to simply retain the risk and deal with the result if the loss does in fact occur.
RELATED CONCEPTS
Composite Risk Index
The formula can also be re-written in terms of a Composite Risk Index, as follows:
Composite Risk Index = Impact of Risk event x Probability of Occurrence
Scale of Impact of Risk Event: 1 to 5
Scale of Probability of Occurrence: 1 to 5
Composite Index: will range from 1-25
Overall Risk Assessment:
17-25 High
9-16 Medium
1-8 Low
Both the above factors can change in magnitude depending on the adequacy of risk avoidance and prevention measures taken and due to changes in the external business environment.
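As an added illustration (not part of the original report), the Composite Risk Index and its High/Medium/Low bands can be applied to a small risk register, scoring each risk before and after the controls in place are considered and ordering the register so the largest remaining risk is handled first. The class, field and function names are hypothetical, and the sample register is constructed.

```python
from dataclasses import dataclass
from typing import Optional

def composite_index(impact: int, probability: int) -> int:
    """Composite Risk Index = impact x probability, each rated 1 to 5."""
    for rating in (impact, probability):
        if rating not in range(1, 6):
            raise ValueError("ratings must be whole numbers from 1 to 5")
    return impact * probability

def band(index: int) -> str:
    """Overall risk assessment bands given in the report."""
    if not 1 <= index <= 25:
        raise ValueError("composite index must be between 1 and 25")
    return "High" if index >= 17 else "Medium" if index >= 9 else "Low"

@dataclass
class Risk:
    name: str
    impact: int
    probability: int
    # Assumption: ratings re-assessed with existing controls in place
    # (steps 3 and 4 of the process). None means no control was assessed.
    controlled_impact: Optional[int] = None
    controlled_probability: Optional[int] = None

    def inherent(self) -> int:
        return composite_index(self.impact, self.probability)

    def residual(self) -> int:
        i = self.impact if self.controlled_impact is None else self.controlled_impact
        p = (self.probability if self.controlled_probability is None
             else self.controlled_probability)
        return composite_index(i, p)

def prioritize(register):
    """Highest residual index first; ties go to the greater original impact."""
    ranked = sorted(register, key=lambda r: (r.residual(), r.impact), reverse=True)
    return [(r.name, r.inherent(), r.residual(), band(r.residual())) for r in ranked]

# Constructed sample register (not data from the report).
REGISTER = [
    Risk("Office flood", 5, 1),
    Risk("Ransomware on file server", 5, 4, controlled_impact=3),
    Risk("Key person leaves", 4, 2),
    Risk("Supplier outage", 3, 3, controlled_probability=2),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
```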
Positive Risk Management
- an approach that recognizes the importance of the human factor and of individual differences in propensity for risk taking.
1. It recognizes that any object or situation can be rendered hazardous by the involvement of someone with an inappropriate disposition towards risk; whether too risk taking or too risk averse.
2. It recognizes that risk is an inevitable and ever present element throughout life.
3. It recognizes that every individual has a particular orientation towards risk.
4. Positive Risk Management recognizes that risk taking is essential to all enterprise, creativity, heroism, education, scientific advance – in fact to any activity and all the initiatives that have contributed to our evolutionary success and civilization.
Every organization has roles better suited to risk takers and roles better suited to the risk averse. The task of management is to ensure that the right people are placed in each job.
Positive Risk Management relies on the ability to identify individual differences in propensity for risk taking.
The Five Factor Model (FFM) of personality has been shown to have relevance across many different cultures, to remain consistent over adult working life and to be significantly heritable.
- Eysenck (1973) reports that personality influences whether we focus on what might go wrong or on potential benefits;
- Nicholson et al. (2005) report that higher extroversion is related to greater risk tolerance;
- McCrae and Costa (1997) link personality to tolerance of uncertainty, innovation and willingness to think outside the box;
- Kowert (1997) links personality to adventurousness, imagination, the search for new experiences and actively seeking out risk.
Risk management and business continuity
Risk management is simply a practice of systematically selecting cost-effective approaches for minimizing the effect of threat realization to the organization. All risks can never be fully avoided or mitigated.
Whereas risk management tends to be preemptive, business continuity planning (BCP) was invented to deal with the consequences of realized residual risks.
Risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management's preemptive approach and assumes that the disaster will happen at some point.
Risk communication
Problems for risk communicators involve:
- how to reach the intended audience
- to make the risk comprehensible and relatable to other risks
- how to pay appropriate respect to the audience's values related to the risk,
- how to predict the audience's response to the communication
A main goal of risk communication is to improve collective and individual decision-making.
“When you take risks you learn that there will be times when you succeed and there will be times when you fail, and both are equally important”
RISK MANAGEMENT TEAM
Caguimbal
Nogoy
Timbal
Viado