Management of risk

From apppm
(Difference between revisions)
Jump to: navigation, search
 
(24 intermediate revisions by one user not shown)
Line 1: Line 1:
 +
''Developed by Arnar Gauti Gudmundsson''
  
[[File:ISS impact RiskManagement.jpeg|thumb|320px|]]
 
According to ISO 31000 the definition of "risk" is "the effect of uncertainty on objectives". Looking into that definition it is noted that the word "risk" does refer to positive possibilities as well as negative ones. This definition was revised under the ISO 31000:2009. Before revision the definition of the word "risk" was "chance or probability of loss". Meaning that only negative results could be associated with a risk.
 
  
'''Management of risk''' involves identification, assessment, and prioritization of risks. Coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
+
[[File:Image2.png|500px|thumb|right|Figure 1: Risk management process (based on ISO 31000: 2009) <ref>Carmen Nadia Ciocoiu and Razvan Catalin Dobrea (2010). The Role of Standardization in Improving the Effectiveness of Integrated Risk Management, Advances in Risk Management, Giancarlo Nota (Ed.), ISBN: 978-953-307-138-1, InTech, DOI: 10.5772/9893. Available from: http://www.intechopen.com/books/advances-in-risk-management/the-role-of-standardization-in-improving-the-effectiveness-of-integrated-risk-management</ref>]]
  
The term Risk management is really broad and can be used by individuals, families, firms, nations and so on. In this article risk management in general will be outlined with a special focus on risk management activities as applied to project management. That is one aspect inside of risk management called [[Project risk management]]
+
Risk is part of all our lives. We need to take risks to grow and develop. Effectively managed risk in hospitals, airport security, construction sites, projects, programmes, portfolios and in so many more circumstances help societies achieve.  
 +
 
 +
'''Management of risk''' involves identification, assessment, and prioritization of risks. Coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
 +
 
 +
Figure 1 shows what is involved in risk management. Identifying, analysing and evaluating risks are all part of risk assessment and will be further analysed in the risk assessment section.
 +
 
 +
Because risk is inherent in everything we do, risk professionals undertake roles that are very diverse. It includes roles in insurance, business, health and safety, corporate governance, engineering, planning and financial services to name a few.
 +
 
 +
In this article important principles of [https://en.wikipedia.org/wiki/Risk_management risk management] will be outlined, risk assessment will be explained in detail and risk assessment tools explained. Benefits and limitations of risk management will be discussed before stating the conclusions.
  
 
__TOC__  
 
__TOC__  
Line 11: Line 18:
 
=Introduction=
 
=Introduction=
  
ISO Guide 73:2009, ''Risk management - Vocabulary'' complements ISO 31000. According to ISO 73:2009 risk management is intended to be used by those engaged in managing risks, those who are involved in activities of ISO and IEC, and developers of national or sector-specific standards, guides, procedures and codes of practice relating to the management of risk. <ref>http://www.iso.org/iso/catalogue_detail?csnumber=44651</ref>
+
[https://en.wikipedia.org/wiki/Organization Organizations] of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. Risk is the effect this uncertainty has on an organization's objectives. Risk can be managed by identifying it, analysing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Constant communication and consultation with stakeholders is a key for the process to run smoothly as well as monitoring and reviewing the risk and making sure that the correct actions are taken to ensure that no further risk treatment is required.
  
Risks with great impacts and a high probability of happening are treated before risks with smaller impacts and lower possibility. This is called [[prioritization]]. There are several tools that can be used in the process of assessing risks. Those tools will be discussed in '''CHAPTER XX'''.  
+
Risk management can be applied to an entire organization, at its many areas and levels, at any time. It can also be applied to specific functions, projects and activities.  
  
When allocating resources, risk management faces some difficulties. Short term planning would recommend skipping risk management when starting a new project as the process itself costs manpower and is not directly involved in the project itself. While long term thinking would definitely recommend going through the processes of risk management. That is because it could save a lot of money and even lives if it prevents one unfortunate event to happen as it was accounted for in the process. The effect of negative effects of risks is minimized as well as spending in ideal risk management.
+
The practice of risk management is used within many sectors in order to meet diverse needs. Despite that wide range, adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization. [https://en.wikipedia.org/wiki/ISO_31000 ISO 31000] is an international standard that describes a generic approach and provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and withing any scope and context. <ref>https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en</ref>
  
==Methodology==
+
As can be seen in figure 1, the first step is to establish the context in order to figure out the individual needs, audiences, perceptions and criteria for each specific sector while applying risk management. Establishing the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the dicersity of risk criteria. those factors will help reveal and assess the nature and complexity of its risks.
  
The following methods are a part of the general methodology, these methods are usually performed in the order that they will be listed.
+
The international standard has stated that when risk management is implemented and maintained in accordance with ISO, it enables an organization to achieve the following objectives:
  
# identify and characterize threats
+
* Increase the likelihood of achieving objectives
# assess the vulnerability of critical assets to specific threats
+
* encourage proactive management
# determine the risk  
+
* Be aware of the need to identify and treat risk throughout the organization
# identify ways to reduce those risks
+
* Improve the identification of opportunities and threats
# prioritize risk reduction measures based on a strategy
+
* Comply with relevant legal and regulatory requirements and international norms
 +
* Improve mandatory and voluntary reporting
 +
* Improve governance
 +
* Improve stakeholder confidence and trust
 +
* Establish a reliable basis for decision making and planning
 +
* Improve controls
 +
* Effectively allocate and use resources for risk treatment
 +
* Improve operational effectiveness and efficiency
 +
* Enhance health and safety performance, as well as environmental protection
 +
* Improve loss prevention and incident management
 +
* Minimize losses
 +
* Improve organizational learning
 +
* Improve organizational resilience
 +
 
 +
 
 +
As well as helping organizations reach these objectives the standard is intended to meet the needs of a wide range of stakeholders. Stakeholders that are included are those responsible for developing risk management policy within their organization, those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or activity. Those who need to evaluate an organization's effectiveness in managing risk and developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed withing the specific context of these documents. Figure X shows the relationships between the risk management principles, framework and process.[[File: fig_1.png|500px|thumb|center|Figure 2: Relationships between risk management principles, framework and process]]
  
 
== Important principles ==
 
== Important principles ==
  
ISO has identified principles of risk management, some mentionable principles are.
+
The following principles should be complied with by an organization in order for risk management to be effective.
 +
 
 +
'''Management of risk:'''<ref>ISO 31000:2009 </ref>
 +
 
 +
# '''Creates and protects value''' - Contributes to the demonstrable achievement of objectives and improvement of performance in, for example, security, environmental protection, project and program management.
 +
# '''Integral part of all organizational processes''' - Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. It is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
 +
# '''Part of decision making''' - Helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
 +
# '''Explicitly addresses uncertainty''' - Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
 +
# '''Systematic, structured and timely''' - A systematic, structured and timely approach to risk management contributes to efficiency and to consistent, comparable and reliable results.
 +
# '''Based on the best available information''' - The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. Decision makers should however inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
 +
# '''Is tailored''' - It is aligned with the organization's external and internal context and risk profile.
 +
# '''Takes human and cultural factors into account''' - Recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.
 +
# '''Is transparent and inclusive''' - For risk management to be relevant and up-to-date, appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization has to be ensured. By doing so also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
 +
# '''Is dynamic, iterative and responsive to change''' - Continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
 +
# '''Facilitates continual improvement of the organization''' - Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.
 +
 
 +
 
 +
=Risk assessment=
 +
 
 +
As figure 1 illustrates, risk assessment takes place after establishing the context. '''Risk assessment''' is the determination of [https://en.wikipedia.org/wiki/Quantitative quantitative] or [https://en.wikipedia.org/wiki/Qualitative qualitative] estimate of risk related to a concrete situation and a recognized hazard. Two components of risk are required for calculations in quantitative risk assessment. The magnitude of the potential loss (L) and the probability (p) that the loss will occur. If the countermeasure for handling a certain risk exceeds the value of the expected loss it is called acceptable risk. That kind of risk is understood and tolerated
 +
 
 +
==Risk assessment process==
 +
 
 +
===Risk identification===
 +
 
 +
For an organization to effectively manage its key risks and demonstrate whether they are in control a risk identification process must be in place. Risk identification is a key component of a robust framework. By going through the risk identification process an organization would be able to identify the following:<ref>https://www.lloyds.com/the-market/operating-at-lloyds/performance-framework-of-minimum-standards/risk-management/process_identification_assessment_control_and_mitigation</ref>
 +
 
 +
* Significant risks to the achievement of its business objectives.
 +
* All types of risks, associated major components and controls currently in place, from all sources, across the entire scope of the organisation's activities.
 +
* Risks around opportunities as well as threats, to increase the organization's chance of maximizing the benefit of those opportunities when they arise.
 +
 
 +
It would also ensure that the organization is aware of its major risks at any point in time.
 +
 
 +
To briefly summarize, it is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization's objectives.<ref>http://www.praxiom.com/iso-31000-terms.htm</ref>
 +
 
 +
In this process questions such as: what can happen? when and where? how and why? should be answered in order to move to the next step in the risk assessment process, risk analysis.
 +
 
 +
===Risk analysis===
 +
 
 +
To successfully determine the level of risk, consequences have to be determined as well as the likelihood of an event. Risk analysis includes qualitative and quantitative assessments. <ref>http://www.pwc.com/us/en/issues/enterprise-risk-management/assets/risk_assessment_guide.pdf</ref>
 +
 
 +
'''Qualitative'''
 +
 
 +
A pre-defined rating scale is used to prioritize the identified project risks. The probability or likelihood and the impact on a project objectives should they occur gives the score for a certain risk. A qualitative risk analysis also includes the appropriate categorization of the risks. Source-based or effect-based.
 +
 
 +
'''Quantitative'''
 +
 
 +
A further analysis of the highest priority risks during which a numerical or quantitative rating is assigned in order to develop a probabilistic analysis of the project. Possible outcomes for the project are quantified and the probability of achieving specific project objectives is assessed. When there is uncertainty a quantitative approach can be used to make decisions. It also creates realistic and achievable cost, schedule or scope targets.
 +
 
 +
Quantitative risk analysis can only be successfully carried out if there is high-quality data, a well-developed project model, and a prioritized lists of project risks. That usually yields from performing a qualitative risk analysis. <ref>https://www.passionatepm.com/blog/qualitative-risk-analysis-vs-quantitative-risk-analysis-pmp-concept-1</ref>
 +
 
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Qualitative
 +
! Quantitative
 +
|-
 +
| risk-level
 +
| project level
 +
|-
 +
| subjective evaluation of probability and impact
 +
| probabilistic estimates of time and cost
 +
|-
 +
| quick and easy to perform
 +
| time consuming
 +
|-
 +
| no special software or tools required
 +
| may require specalized tools
 +
|-
 +
|}
 +
 
 +
To summarize the concept: It is a process that is used to understand the nature, sources, and causes of the risks that an organization has identified and to estimate the level of risk. Also used to study impacts and consequences and to examine the controls that currently exist.<ref>http://www.praxiom.com/iso-31000-terms.htm</ref>
 +
 
 +
===Risk evaluation===
 +
 
 +
Risk evaluation is the process by which organizations, individuals and other social groups within society determine the acceptability of a given risk. If a risk is judged as unacceptable, adequate measures for risk reduction are required.
 +
 
 +
''Klinke'' and ''Renn''<ref>Klinke Andreas and Renn Ortwin. A New Approach to Risk Evaluation and Management: Risk-Based, Precaution-Based, and Discourse-Based Strategies. Risk Analysis, Vol. 22, No. 6, 2002. PP 1070  http://josiah.berkeley.edu/2007Fall/NE275/CourseReader/6.pdf</ref> talked about three major strategies in risk evaluation:
 +
 
 +
# Risk-based approaches, including numerical thresholds (quantitative safety goals, exposure limits, standards, etc.)
 +
# Reduction activities derived from the application of the precautionary principle (examples are ALARA, as low as reasonably achievable, BACT, best available control technology)
 +
# Standards derived from discursive processes such as roundtables, deliberative rule making, mediation, or citizen panels.
 +
 
 +
A brief summarize of the concept: It is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable. <ref>http://www.praxiom.com/iso-31000-terms.htm</ref>
 +
 
 +
 
 +
==Risk assessment tools==
 +
There are many tools used in risk assessment, sometimes it is recommended to use more than one tool in risk assessment. They all have their own focus areas. Lets take a better look at the most frequently used tools.
 +
 
 +
===[https://en.wikipedia.org/wiki/Hazard_and_operability_study Hazard and operability study (HAZOP)]===
 +
 
 +
Was initially developed to analyse chemical systems, but has been extended to other types of systems and complex operations. It is a technique to identify risks to people, equipment, environment and/or organizational objectives. The technique is qualitative and uses guide words which question how the design intention or operating conditions might not be achieved in the design, process, procedure or system. Lastly, it identifies failure modes of a process, system or procedure, their causes and consequences.
 +
 
 +
HAZOP guide words and meanings: <ref>https://cdn.auckland.ac.nz/assets/ecm/documents/Hazard-Operability-Studies.pdf</ref>
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Guide word
 +
! Meaning
 +
|-
 +
| NO OR NOT
 +
| Complete negation of the design intent
 +
|-
 +
| MORE
 +
| Quantitative increase
 +
|-
 +
| LESS
 +
| Quantitative decrease
 +
|-
 +
| AS WELL AS
 +
| Qualitative modification/increase
 +
|-
 +
| PART OF
 +
| Qualitative modification/increase
 +
|-
 +
| REVERSE
 +
| Logical opposite of the design intent
 +
|-
 +
| OTHER THAN
 +
| Complete substitution
 +
|-
 +
|}
 +
 
 +
===[https://en.wikipedia.org/wiki/Structured_What_If_Technique Structured What-IF technique (SWIFT)]===
 +
 
 +
Originally developed as a simpler alternative to HAZOP. It uses standard 'what-if' type phrases in combination with the prompts to investigate how a system, plan item, organization or procedure will be affected by deviations from normal operations and behaviour. It is normally applied at a more of a system level with a lower level of detail than HAZOP.
 +
 
 +
The SWIFT tool is easy to use and has a simple template. The template and an example of an event are for example: <ref>http://activeriskcontrol.com/tools-and-templates/</ref>
 +
 
 +
{| class="wikitable"
 +
|-
 +
! What if
 +
! Answer
 +
! Likelihood
 +
! Consequences
 +
! Recommendations
 +
|-
 +
| Brakes on a car stop working
 +
| Car won't be able to brake
 +
| Low
 +
| Possible crash
 +
| Get brakes checked on regular basis
 +
|}
 +
 
 +
===[https://en.wikipedia.org/wiki/Fault_tree_analysis Fault Tree Analysis (FTA)]===
 +
 
 +
Fault tree analysis is a technique for identifying and analysing factors that can contribute to a specified undesired event (called the "top event"). Causal factors are deductively identified, organised in a logical manner and represented pictorially in a tree diagram which depicts causal factors and their logical relationships to the top event. A fault tree may be used qualitatively to identify potential causes and pathways to a failure (the top event) or quantitatively to calculate the probability of the top event, given knowledge of the probabilities of causal events.
 +
 
 +
The following figures will:
 +
 
 +
Show the symbols used in FTA and show an example of a fault tree:
 +
 
 +
[[File:FTA1.png|900px|thumb|left|Figure 3: Symbols in FTA <ref>http://conceptdraw.com/solution-park/resource/images/solutions/fault-tree-analysis-diagrams/Design-elements-Fault-tree-analysis-solution-Sample.png</ref>]]
 +
[[File:FTA2.png|1000px|thumb|right|Figure 4: Example of a fault tree <ref>http://reliawiki.com/images/thumb/e/ea/10.5.png/450px-10.5.png</ref>]]
 +
 
 +
 
 +
 
 +
 
 +
 
 +
==Other mentionable tools==
 +
 
 +
* [https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis Failure mode and effect analysis (FMEA)]
 +
* [http://www2.mitre.org/work/sepo/toolkits/risk/procedures/brainstorming.html Brainstorming]
 +
* [https://en.wikipedia.org/wiki/Structured_interview Structured or semi-structured interviews]
 +
* [https://en.wikipedia.org/wiki/Delphi_method Delphi method]
 +
* [http://www.safetyrisk.net/risk-assessment-checklist/ Check-lists]
 +
* [https://en.wikipedia.org/wiki/Hazard_analysis Primary hazard analysis]
 +
* [https://en.wikipedia.org/wiki/Hazard_analysis_and_critical_control_points Hazard analysis and critical control points (HACCP)]
 +
* [http://www.dantes.info/Tools&Methods/Environmentalassessment/enviro_asse_era.html Environmental risk assessment]
 +
* [https://en.wikipedia.org/wiki/Event_tree_analysis Event tree analysis]
  
* Create value
 
* Be part of decision making process
 
* Be a systematic and structured process
 
* Take human factors into account
 
* Be continually or periodically re-assessed
 
  
 
=Benefits=
 
=Benefits=
  
 +
The most notable potential benefits of a well-structured and efficiently run risk management are. <ref>http://irisintelligence.com/risk-management-explained/why-manage-risk.html</ref>
 +
 +
* Improved strategic and business planning
 +
* More effective use of resources
 +
* An ability to quickly grasp new opportunities
 +
* Fewer unwelcome surprises
 +
* Enhanced communication
 +
* Ability to reassure key stakeholders throughout the organization
 +
* Continuous improvement
 +
* robust contingency planning
 +
 +
These benefits can be achieved if risk management is run effectively. As figure 1 shows, communication and consultation as well as monitoring and reviewing are key factors for a successful risk management.
 +
 +
=Limitations=
 +
 +
There are of course limitations to risk management, otherwise organizations would never experience failure as they would have answers to everything if the risk management process had been done properly.
 +
 +
The first limitation is regarding prioritizing, by prioritizing the risk management processes too highly could keep an organization from ever completing a project or even getting started.
 +
 +
Second is regarding if risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. It is inevitable that unlikely events will occur at some point. If the risk is unlikely enough to occur sometimes it may even be better to simply retain the risk and deal with the consequences.
 +
 +
Third is about qualitative risk assessment, it is subjective and lacks consistency.
 +
 +
Subjective assessments are often influenced by past experience. This is a dangerous shortcoming of the process, because one thing we have learned over the years is that the past is not always a reliable indicator of what to expect in the future
  
 +
To summarize, an assessment process that subjects all risks to the same analytical grid has shortcomings that need to be recognized. If very little happens as a result of an organization's risk assessment process, it is a clear sign that alternative approaches should be considered.<ref>http://corporatecomplianceinsights.com/the-limitations-of-traditional-risk-assessments/</ref>
  
  
 +
=Conclusions=
  
 +
I think it is safe to say that risk management is very important for every organization in order to maximize the probability of achieving their objectives. There is a wide range of tools that can be used in different circumstances in risk management. Every organization should find the proper tools and perform risk management no matter their size. As stated in the limitation section, risk management can also have its flaws. Communication strategies as well as constantly reviewing and monitoring the process are the most likely ways to prevent these flaws to occur.
  
  
  
 +
=References=
  
  
 
<references/>
 
<references/>

Latest revision as of 16:12, 18 December 2018

Developed by Arnar Gauti Gudmundsson


Figure 1: Risk management process (based on ISO 31000: 2009) [1]

Risk is part of all our lives. We need to take risks to grow and develop. Effectively managed risk in hospitals, airport security, construction sites, projects, programmes, portfolios and in so many more circumstances help societies achieve.

Management of risk involves identification, assessment, and prioritization of risks. Coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Figure 1 shows what is involved in risk management. Identifying, analysing and evaluating risks are all part of risk assessment and will be further analysed in the risk assessment section.

Because risk is inherent in everything we do, risk professionals undertake roles that are very diverse. It includes roles in insurance, business, health and safety, corporate governance, engineering, planning and financial services to name a few.

In this article important principles of risk management will be outlined, risk assessment will be explained in detail and risk assessment tools explained. Benefits and limitations of risk management will be discussed before stating the conclusions.

Contents


[edit] Introduction

Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. Risk is the effect this uncertainty has on an organization's objectives. Risk can be managed by identifying it, analysing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Constant communication and consultation with stakeholders is a key for the process to run smoothly as well as monitoring and reviewing the risk and making sure that the correct actions are taken to ensure that no further risk treatment is required.

Risk management can be applied to an entire organization, at its many areas and levels, at any time. It can also be applied to specific functions, projects and activities.

The practice of risk management is used within many sectors in order to meet diverse needs. Despite that wide range, adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization. ISO 31000 is an international standard that describes a generic approach and provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and withing any scope and context. [2]

As can be seen in figure 1, the first step is to establish the context in order to figure out the individual needs, audiences, perceptions and criteria for each specific sector while applying risk management. Establishing the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the dicersity of risk criteria. those factors will help reveal and assess the nature and complexity of its risks.

The international standard has stated that when risk management is implemented and maintained in accordance with ISO, it enables an organization to achieve the following objectives:

  • Increase the likelihood of achieving objectives
  • encourage proactive management
  • Be aware of the need to identify and treat risk throughout the organization
  • Improve the identification of opportunities and threats
  • Comply with relevant legal and regulatory requirements and international norms
  • Improve mandatory and voluntary reporting
  • Improve governance
  • Improve stakeholder confidence and trust
  • Establish a reliable basis for decision making and planning
  • Improve controls
  • Effectively allocate and use resources for risk treatment
  • Improve operational effectiveness and efficiency
  • Enhance health and safety performance, as well as environmental protection
  • Improve loss prevention and incident management
  • Minimize losses
  • Improve organizational learning
  • Improve organizational resilience


As well as helping organizations reach these objectives the standard is intended to meet the needs of a wide range of stakeholders. Stakeholders that are included are those responsible for developing risk management policy within their organization, those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or activity. Those who need to evaluate an organization's effectiveness in managing risk and developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed withing the specific context of these documents. Figure X shows the relationships between the risk management principles, framework and process.
Figure 2: Relationships between risk management principles, framework and process

[edit] Important principles

The following principles should be complied with by an organization in order for risk management to be effective.

Management of risk:[3]

  1. Creates and protects value - Contributes to the demonstrable achievement of objectives and improvement of performance in, for example, security, environmental protection, project and program management.
  2. Integral part of all organizational processes - Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. It is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
  3. Part of decision making - Helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
  4. Explicitly addresses uncertainty - Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
  5. Systematic, structured and timely - A systematic, structured and timely approach to risk management contributes to efficiency and to consistent, comparable and reliable results.
  6. Based on the best available information - The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. Decision makers should however inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
  7. Is tailored - It is aligned with the organization's external and internal context and risk profile.
  8. Takes human and cultural factors into account - Recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.
  9. Is transparent and inclusive - For risk management to be relevant and up-to-date, appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization has to be ensured. By doing so also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
  10. Is dynamic, iterative and responsive to change - Continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
  11. Facilitates continual improvement of the organization - Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.


[edit] Risk assessment

As figure 1 illustrates, risk assessment takes place after establishing the context. Risk assessment is the determination of quantitative or qualitative estimate of risk related to a concrete situation and a recognized hazard. Two components of risk are required for calculations in quantitative risk assessment. The magnitude of the potential loss (L) and the probability (p) that the loss will occur. If the countermeasure for handling a certain risk exceeds the value of the expected loss it is called acceptable risk. That kind of risk is understood and tolerated

[edit] Risk assessment process

[edit] Risk identification

For an organization to effectively manage its key risks and demonstrate whether they are in control a risk identification process must be in place. Risk identification is a key component of a robust framework. By going through the risk identification process an organization would be able to identify the following:[4]

  • Significant risks to the achievement of its business objectives.
  • All types of risks, associated major components and controls currently in place, from all sources, across the entire scope of the organisation's activities.
  • Risks around opportunities as well as threats, to increase the organization's chance of maximizing the benefit of those opportunities when they arise.

It would also ensure that the organization is aware of its major risks at any point in time.

To briefly summarize, it is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization's objectives.[5]

In this process questions such as: what can happen? when and where? how and why? should be answered in order to move to the next step in the risk assessment process, risk analysis.

[edit] Risk analysis

To successfully determine the level of risk, consequences have to be determined as well as the likelihood of an event. Risk analysis includes qualitative and quantitative assessments. [6]

Qualitative

A pre-defined rating scale is used to prioritize the identified project risks. The probability or likelihood and the impact on a project objectives should they occur gives the score for a certain risk. A qualitative risk analysis also includes the appropriate categorization of the risks. Source-based or effect-based.

Quantitative

A further analysis of the highest priority risks during which a numerical or quantitative rating is assigned in order to develop a probabilistic analysis of the project. Possible outcomes for the project are quantified and the probability of achieving specific project objectives is assessed. When there is uncertainty a quantitative approach can be used to make decisions. It also creates realistic and achievable cost, schedule or scope targets.

Quantitative risk analysis can only be successfully carried out if there is high-quality data, a well-developed project model, and a prioritized lists of project risks. That usually yields from performing a qualitative risk analysis. [7]


Qualitative Quantitative
risk-level project level
subjective evaluation of probability and impact probabilistic estimates of time and cost
quick and easy to perform time consuming
no special software or tools required may require specalized tools

To summarize the concept: It is a process that is used to understand the nature, sources, and causes of the risks that an organization has identified and to estimate the level of risk. Also used to study impacts and consequences and to examine the controls that currently exist.[8]

[edit] Risk evaluation

Risk evaluation is the process by which organizations, individuals and other social groups within society determine the acceptability of a given risk. If a risk is judged as unacceptable, adequate measures for risk reduction are required.

Klinke and Renn[9] talked about three major strategies in risk evaluation:

  1. Risk-based approaches, including numerical thresholds (quantitative safety goals, exposure limits, standards, etc.)
  2. Reduction activities derived from the application of the precautionary principle (examples are ALARA, as low as reasonably achievable, BACT, best available control technology)
  3. Standards derived from discursive processes such as roundtables, deliberative rule making, mediation, or citizen panels.

A brief summarize of the concept: It is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable. [10]


[edit] Risk assessment tools

There are many tools used in risk assessment, sometimes it is recommended to use more than one tool in risk assessment. They all have their own focus areas. Lets take a better look at the most frequently used tools.

[edit] Hazard and operability study (HAZOP)

Was initially developed to analyse chemical systems, but has been extended to other types of systems and complex operations. It is a technique to identify risks to people, equipment, environment and/or organizational objectives. The technique is qualitative and uses guide words which question how the design intention or operating conditions might not be achieved in the design, process, procedure or system. Lastly, it identifies failure modes of a process, system or procedure, their causes and consequences.

HAZOP guide words and meanings: [11]

Guide word Meaning
NO OR NOT Complete negation of the design intent
MORE Quantitative increase
LESS Quantitative decrease
AS WELL AS Qualitative modification/increase
PART OF Qualitative modification/increase
REVERSE Logical opposite of the design intent
OTHER THAN Complete substitution

[edit] Structured What-IF technique (SWIFT)

Originally developed as a simpler alternative to HAZOP. It uses standard 'what-if' type phrases in combination with the prompts to investigate how a system, plan item, organization or procedure will be affected by deviations from normal operations and behaviour. It is normally applied at a more of a system level with a lower level of detail than HAZOP.

The SWIFT tool is easy to use and has a simple template. The template and an example of an event are for example: [12]

What if Answer Likelihood Consequences Recommendations
Brakes on a car stop working Car won't be able to brake Low Possible crash Get brakes checked on regular basis

[edit] Fault Tree Analysis (FTA)

Fault tree analysis is a technique for identifying and analysing factors that can contribute to a specified undesired event (called the "top event"). Causal factors are deductively identified, organised in a logical manner and represented pictorially in a tree diagram which depicts causal factors and their logical relationships to the top event. A fault tree may be used qualitatively to identify potential causes and pathways to a failure (the top event) or quantitatively to calculate the probability of the top event, given knowledge of the probabilities of causal events.

The following figures will:

Show the symbols used in FTA and show an example of a fault tree:

Figure 3: Symbols in FTA [13]
Figure 4: Example of a fault tree [14]



[edit] Other mentionable tools


[edit] Benefits

The most notable potential benefits of a well-structured and efficiently run risk management are. [15]

  • Improved strategic and business planning
  • More effective use of resources
  • An ability to quickly grasp new opportunities
  • Fewer unwelcome surprises
  • Enhanced communication
  • Ability to reassure key stakeholders throughout the organization
  • Continuous improvement
  • robust contingency planning

These benefits can be achieved if risk management is run effectively. As figure 1 shows, communication and consultation as well as monitoring and reviewing are key factors for a successful risk management.

[edit] Limitations

There are of course limitations to risk management, otherwise organizations would never experience failure as they would have answers to everything if the risk management process had been done properly.

The first limitation is regarding prioritizing, by prioritizing the risk management processes too highly could keep an organization from ever completing a project or even getting started.

Second is regarding if risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. It is inevitable that unlikely events will occur at some point. If the risk is unlikely enough to occur sometimes it may even be better to simply retain the risk and deal with the consequences.

Third is about qualitative risk assessment, it is subjective and lacks consistency.

Subjective assessments are often influenced by past experience. This is a dangerous shortcoming of the process, because one thing we have learned over the years is that the past is not always a reliable indicator of what to expect in the future

To summarize, an assessment process that subjects all risks to the same analytical grid has shortcomings that need to be recognized. If very little happens as a result of an organization's risk assessment process, it is a clear sign that alternative approaches should be considered.[16]


[edit] Conclusions

I think it is safe to say that risk management is very important for every organization in order to maximize the probability of achieving their objectives. There is a wide range of tools that can be used in different circumstances in risk management. Every organization should find the proper tools and perform risk management no matter their size. As stated in the limitation section, risk management can also have its flaws. Communication strategies as well as constantly reviewing and monitoring the process are the most likely ways to prevent these flaws to occur.


[edit] References

  1. Carmen Nadia Ciocoiu and Razvan Catalin Dobrea (2010). The Role of Standardization in Improving the Effectiveness of Integrated Risk Management, Advances in Risk Management, Giancarlo Nota (Ed.), ISBN: 978-953-307-138-1, InTech, DOI: 10.5772/9893. Available from: http://www.intechopen.com/books/advances-in-risk-management/the-role-of-standardization-in-improving-the-effectiveness-of-integrated-risk-management
  2. https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en
  3. ISO 31000:2009
  4. https://www.lloyds.com/the-market/operating-at-lloyds/performance-framework-of-minimum-standards/risk-management/process_identification_assessment_control_and_mitigation
  5. http://www.praxiom.com/iso-31000-terms.htm
  6. http://www.pwc.com/us/en/issues/enterprise-risk-management/assets/risk_assessment_guide.pdf
  7. https://www.passionatepm.com/blog/qualitative-risk-analysis-vs-quantitative-risk-analysis-pmp-concept-1
  8. http://www.praxiom.com/iso-31000-terms.htm
  9. Klinke Andreas and Renn Ortwin. A New Approach to Risk Evaluation and Management: Risk-Based, Precaution-Based, and Discourse-Based Strategies. Risk Analysis, Vol. 22, No. 6, 2002. PP 1070 http://josiah.berkeley.edu/2007Fall/NE275/CourseReader/6.pdf
  10. http://www.praxiom.com/iso-31000-terms.htm
  11. https://cdn.auckland.ac.nz/assets/ecm/documents/Hazard-Operability-Studies.pdf
  12. http://activeriskcontrol.com/tools-and-templates/
  13. http://conceptdraw.com/solution-park/resource/images/solutions/fault-tree-analysis-diagrams/Design-elements-Fault-tree-analysis-solution-Sample.png
  14. http://reliawiki.com/images/thumb/e/ea/10.5.png/450px-10.5.png
  15. http://irisintelligence.com/risk-management-explained/why-manage-risk.html
  16. http://corporatecomplianceinsights.com/the-limitations-of-traditional-risk-assessments/
Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox