Risk Treatment
EigilVølund
Line 1: | Line 1: | ||
− | |||
− | |||
Risk treatment as a method is an under category of risk management. It is an assessment of what to do, if the uncertainties identified during risk management occur. In other words it is a pre-defined action plan of how to handle potential problems in a project. The implementation of risk treatment before or early in a project increases the probability of general project success, by reducing the impact of unforeseen problems throughout the project. | Risk treatment as a method is an under category of risk management. It is an assessment of what to do, if the uncertainties identified during risk management occur. In other words it is a pre-defined action plan of how to handle potential problems in a project. The implementation of risk treatment before or early in a project increases the probability of general project success, by reducing the impact of unforeseen problems throughout the project. | ||
− | + | == Big Idea == | |
+ | [[File:RiskTreatment.png|right|thumb|300px|Figure 1: Risk Management Process]] | ||
− | ''' | + | === Risk Management === |
+ | Risk Management is a systematic process that assist decision-making within project management. It is an integral part of project success and should be integrated into the overall management structure. The process can be divided into five general steps excluding outlying support structures, the five steps progress in the following order: ''Establishing Context'', ''Risk Identification'', ''Risk Analysis'', ''Risk Evaluation'' and ''Risk Treatment''. Although, this is the general progression form, risk management is an agile tool, that requires the project manager to revisit earlier steps in the process throughout the project to mitigate potential risks created by the process itself and also unforeseen project risks. The five step process is visualized in '''''Figure 1'''''. (PMI 31000:2018) | ||
− | + | === Risk Treatment === | |
+ | Risk treatment is the vital final step, that helps the project manager efficiently and quickly handle the risks identified earlier in the risk management process. The objective in risk treatment is to have a detailed step-by-step action plan for as many imaginable future risks as possible. Since projects come in variations of an unlimited number, their purpose and challenges vary to the same degree. This variation makes standardization of the risk treatment process almost impossible, when the process needs to be tailored to the specific project and its risks. | ||
− | + | %%%% SKRIV MERE | |
− | + | Threat vs. opportunity | |
− | |||
− | == | + | == Application == |
− | + | Successfully creating and implementing a risk treatment plan is a difficult achievement in any project. Definitions and sources on generalized application are so far lacking, because projects are such a wide definition. However, some specific industries that have begun to create an organized structure of a risk treatment plan and its progression. The cybersecurity industry is an example of this, although it is a new industry they are experts in handling risk. The European Union Agency for Cybersecurity has developed a progression template for risk treatment. With lacking general definitions, their template will be used as an example to learn from in other industries. | |
− | + | The progression template includes five sections: ''Identification of Options'', ''Development of Action Plan'', '' Approval of Action Plan'', ''Implementation of Action Plan'' and ''Identification of Residual Risks''. (ENISA) | |
+ | === Identification of Options === | ||
+ | After a detailed risk assessment the first step is to identify appropriate alternative options to handle the risks. The impact of such risks vary in probability and size, but they are not necessarily negative. A risk can both be a threat and an opportunity, and management of both options vary accordingly. | ||
− | + | The identification and assessment of the options for risk treatment, can in generally be perceived as a form of cost/benefit analysis. Many things needs to be considered when choosing treatment options, whether tangible or intangible and compared to the overall risk management context i.e. align with the purpose and success criteria of the project, and in the end the choice depends on whether the costs outweigh the potential benefits (or the other way around). The available resources can effect and/or limit the choice options, and in that case, it is important for the project manager to prioritize which options should be pursued and implemented early on. | |
− | == | + | ==== Treatment of risk opportunities ==== |
+ | There are several ways a project manager can attempt to increase the potential or probability of an identified risk opportunity, these include but are not limited to: | ||
+ | * Pursue actions that are likely to create or maintain the opportunity result. | ||
+ | ** Actions that increase probability of the risk. | ||
+ | ** Actions that increase the gain from the risk. | ||
+ | * Share/transfer risk to a third-party that can contribute with resources that increases probability or gain. | ||
+ | * Retain the positive residual risks. | ||
+ | |||
+ | ==== Treatment of risk threats ==== | ||
+ | The treatment of risks are similar in nature to opportunity treatment, however with the opposite association, the treatments options for threats include but are not limited to: | ||
+ | * Avoidance of a threat by pursuing or stopping/diverting/postponing actions that are likely to remove the cause of the threat. | ||
+ | ** Actions that reduce the probability of the threat. | ||
+ | ** Actions that reduce the severity/damage of the threat. | ||
+ | * Share/transfer parts of or the entire threat to a third-party. This could result in turn create new risks in form of bad management from the other risk "shareholder". | ||
+ | * Retain the risk and/or its residual risks. | ||
+ | |||
+ | === Development of Action Plan === | ||
+ | When it has been identified if the risk is a threat or an opportunity and it has been chosen which treatment options to pursue, the project manager can start the development of an action plan. The action plan describes, in detail, how the treatment options will be implemented. | ||
+ | |||
+ | A well made action plan is extensive and should contain detailed description of the implementation from start to finish. | ||
+ | It should include which specific options should be started/maintained/stopped etc. in a prioritized order with a specific time plan. | ||
+ | What the resource requirements are, including raw materials, staff etc. | ||
+ | Description of everyone involved and their responsibilities, including both external and internal managers, staff, stakeholders etc. | ||
+ | |||
+ | Finally, and potentially the most important factor, a description of performance indicators and how these are reported/monitored. | ||
+ | Continuous performance data is vital for successful implementation of a risk treatment plan. It gives the project manager knowledge on whether the treatment is working or not, and therefore the ability to act should it be necessary. | ||
+ | |||
+ | |||
+ | === Approval of Action Plan === | ||
+ | |||
+ | |||
+ | === Implementation of Action Plan === | ||
+ | |||
+ | === Identification of Residual Risk === | ||
+ | |||
+ | |||
+ | |||
+ | However, the Project Management Institute has created some sub-categories under risk treatment, that can help a project manager in the process. The placement of a certain risk in a certain sub-category of risk treatment, is dependent on the analysis and evaluation made earlier. The four most important sub-categories are as follows: ''Avoidance'', ''Reduction'', ''Transfer'', ''Acceptance'' (PMI 31000). | ||
+ | |||
+ | ;Avoidance | ||
+ | :The risk is avoided by not pursuing whatever is the cause of the risk. | ||
+ | |||
+ | ;Reduction | ||
+ | :The risk is reduced by taking mitigative actions to reduce the probability of occurrence. | ||
+ | |||
+ | ;Transfer | ||
+ | :The risk is eliminated by transferring it to a third-party. Examples of third-parties are insurance and outsourcing to other companies. | ||
+ | |||
+ | ;Acceptance | ||
+ | :The risk is accepted. Examples where this choice is viable include when a risk is impossible to eliminate or when it is more costly to prepare for/eliminate the risk than the effect it would have. It could also simply be because the risk is considered a part of the total project risk. | ||
== Limitations == | == Limitations == | ||
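Review bot: The added line "%%%% SKRIV MERE" and the bare "Threat vs. opportunity" line under "=== Risk Treatment ===" are drafting notes that will render as article text; either write the paragraph they stand for or move them to the talk page before saving. The same applies to the three new headings with no body ("Approval of Action Plan", "Implementation of Action Plan", "Identification of Residual Risk"): the paragraph after them opens with "However, the Project Management Institute has created some sub-categories", which has nothing to contrast with once those sections are empty, and the last heading is singular while the template list earlier in the hunk says "Identification of Residual Risks". The "Figure 1" file link is also placed under "Big Idea" with a caption about the risk management process, so consider moving it next to the paragraph that cites it.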
Line 41: | Line 92: | ||
Project Management Institute, Inc. (PMI). (2021). A Guide to the Project Management Body of Knowledge (PMBOK ® Guide) – 7th Edition and The Standard for Project Management. Project Management Institute, Inc. (PMI). Retrieved from | Project Management Institute, Inc. (PMI). (2021). A Guide to the Project Management Body of Knowledge (PMBOK ® Guide) – 7th Edition and The Standard for Project Management. Project Management Institute, Inc. (PMI). Retrieved from | ||
https://app.knovel.com/hotlink/toc/id:kpSPMAGPMP/guide-project-management/guide-project-management | https://app.knovel.com/hotlink/toc/id:kpSPMAGPMP/guide-project-management/guide-project-management | ||
+ | |||
+ | ENISA, European Union Agency for Cybersecurity. Threat and risk management, Risk Treatment. | ||
+ | https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment |
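Review bot: The new ENISA entry has no year or retrieval date, while the PMI entries around it give "(2021)" and "Retrieved from"; add the access date so the reference stays checkable if the page moves, and match the existing entry format. The in-text citation added in the first hunk is just "(ENISA)", so the bibliography entry should start with the same key.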
Revision as of 17:12, 20 February 2022
Risk treatment is a subcategory of risk management. It is an assessment of what to do if the uncertainties identified during risk management occur. In other words, it is a predefined action plan for handling potential problems in a project. Implementing risk treatment before or early in a project increases the probability of overall project success by reducing the impact of unforeseen problems throughout the project.
Big Idea
Risk Management
Risk management is a systematic process that assists decision-making within project management. It is an integral part of project success and should be integrated into the overall management structure. The process can be divided into five general steps, excluding outlying support structures. The five steps progress in the following order: Establishing Context, Risk Identification, Risk Analysis, Risk Evaluation and Risk Treatment. Although this is the general progression, risk management is an agile tool that requires the project manager to revisit earlier steps throughout the project, in order to mitigate both risks created by the process itself and unforeseen project risks. The five-step process is visualized in Figure 1. (PMI 31000:2018)
Risk Treatment
Risk treatment is the vital final step that helps the project manager handle the risks identified earlier in the risk management process quickly and efficiently. The objective of risk treatment is to have a detailed step-by-step action plan for as many imaginable future risks as possible. Since projects come in an unlimited number of variations, their purposes and challenges vary to the same degree. This variation makes standardization of the risk treatment process almost impossible, because the process needs to be tailored to the specific project and its risks.
%%%% WRITE MORE
Threat vs. opportunity
Application
Successfully creating and implementing a risk treatment plan is a difficult achievement in any project. Definitions and sources on generalized application are so far lacking, because "project" is such a broad concept. However, some specific industries have begun to create an organized structure for a risk treatment plan and its progression. The cybersecurity industry is an example of this: although it is a new industry, its practitioners are experts in handling risk. The European Union Agency for Cybersecurity has developed a progression template for risk treatment. Since general definitions are lacking, their template is used here as an example that other industries can learn from.
The progression template includes five sections: Identification of Options, Development of Action Plan, Approval of Action Plan, Implementation of Action Plan and Identification of Residual Risks. (ENISA)
Identification of Options
After a detailed risk assessment, the first step is to identify appropriate alternative options for handling the risks. The impact of such risks varies in probability and size, but it is not necessarily negative. A risk can be both a threat and an opportunity, and the management of each varies accordingly.
The identification and assessment of risk treatment options can generally be perceived as a form of cost/benefit analysis. Many factors, tangible and intangible, need to be considered when choosing treatment options, and the options must be compared against the overall risk management context, i.e. they must align with the purpose and success criteria of the project. In the end, the choice depends on whether the costs outweigh the potential benefits (or the other way around). The available resources can affect and/or limit the options, and in that case it is important for the project manager to prioritize which options should be pursued and implemented early on.
Treatment of risk opportunities
There are several ways a project manager can attempt to increase the potential or probability of an identified risk opportunity. These include but are not limited to:
- Pursue actions that are likely to create or maintain the opportunity result.
  - Actions that increase the probability of the risk.
  - Actions that increase the gain from the risk.
- Share/transfer the risk to a third party that can contribute resources that increase probability or gain.
- Retain the positive residual risks.
Treatment of risk threats
The treatment of threats is similar in nature to opportunity treatment, but with the opposite aim. The treatment options for threats include but are not limited to:
- Avoidance of a threat by pursuing or stopping/diverting/postponing actions that are likely to remove the cause of the threat.
  - Actions that reduce the probability of the threat.
  - Actions that reduce the severity/damage of the threat.
- Share/transfer parts of or the entire threat to a third party. This could in turn create new risks in the form of bad management by the other risk "shareholder".
- Retain the risk and/or its residual risks.
Development of Action Plan
Once the risk has been identified as a threat or an opportunity and the treatment options to pursue have been chosen, the project manager can start developing an action plan. The action plan describes, in detail, how the treatment options will be implemented.
A well-made action plan is extensive and should contain a detailed description of the implementation from start to finish. It should state which specific options are to be started, maintained, stopped etc., in prioritized order and with a specific time plan. It should state the resource requirements, including raw materials, staff etc. It should also describe everyone involved and their responsibilities, including both external and internal managers, staff, stakeholders etc.
Finally, and potentially most importantly, it should describe the performance indicators and how these are reported and monitored. Continuous performance data is vital for the successful implementation of a risk treatment plan. It tells the project manager whether the treatment is working, and therefore gives the ability to act should it be necessary.
Approval of Action Plan
Implementation of Action Plan
Identification of Residual Risk
However, the Project Management Institute has created some sub-categories under risk treatment that can help a project manager in the process. The placement of a given risk in a given sub-category of risk treatment depends on the analysis and evaluation made earlier. The four most important sub-categories are as follows: Avoidance, Reduction, Transfer, Acceptance (PMI 31000).
- Avoidance
  - The risk is avoided by not pursuing whatever is the cause of the risk.
- Reduction
  - The risk is reduced by taking mitigative actions to reduce the probability of occurrence.
- Transfer
  - The risk is eliminated by transferring it to a third party. Examples of third parties are insurance and outsourcing to other companies.
- Acceptance
  - The risk is accepted. Examples where this choice is viable include when a risk is impossible to eliminate, or when preparing for or eliminating the risk would cost more than the effect the risk would have. It could also simply be because the risk is considered a part of the total project risk.
Limitations
Annotated Bibliography
Project Management Institute, Inc. (PMI). (2019). Standard for Risk Management in Portfolios, Programs, and Projects. Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpSRMPPP01/standard-risk-management/standard-risk-management
DS/ISO 21502:2020
DS/ISO 31000:2018
Project Management Institute, Inc. (PMI). (2021). A Guide to the Project Management Body of Knowledge (PMBOK ® Guide) – 7th Edition and The Standard for Project Management. Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpSPMAGPMP/guide-project-management/guide-project-management
ENISA, European Union Agency for Cybersecurity. Threat and risk management, Risk Treatment. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment