Risk Treatment
Revision as of 22:54, 20 February 2022
Risk treatment is the fifth and final step of the risk management process. It is an important factor in project management and should be integrated into any organization that carries out projects. A risk treatment plan is a detailed plan that helps an organization select and implement actionable options for dealing with risks, whether they are threats or opportunities. Risk management is a cyclic five-step process that establishes context, then identifies, analyzes, evaluates and treats potential risks during a project's lifetime. Successful implementation of a risk treatment plan lowers the uncertainty of a project and thereby increases the overall chance of project success. Any project will face unforeseen challenges and risks that can have severe consequences. By preparing and implementing an actionable risk treatment plan, threats can be eliminated, reduced or at least prepared for, and opportunities can be enhanced in gain or probability.
Although a general step-by-step standard for risk treatment is yet to be defined in detail, some industries have developed guidelines. This is the case for the cybersecurity industry. The European Union Agency for Cybersecurity (ENISA) has developed an industry-specific guideline on the application of risk treatment, which can serve as an example for other industries. The ENISA example is a five-step process: Identification of Options, Development of Action Plan, Approval of Action Plan, Implementation of Action Plan and Identification of Residual Risks.
Big Idea
Risk Management
Risk Management is a systematic process that assists decision-making within project management. It is an integral part of project success and should be integrated into the overall management structure. Excluding the supporting structures around it, the process can be divided into five general steps, which progress in the following order: Establishing Context, Risk Identification, Risk Analysis, Risk Evaluation and Risk Treatment. Although this is the general order of progression, risk management is an agile tool that requires the project manager to revisit earlier steps throughout the project, both to mitigate risks created by the process itself and to handle unforeseen project risks. The five-step process is visualized in Figure 1 [1].
Risk Treatment
Risk treatment is the vital final step that helps the project manager handle the risks identified earlier in the risk management process efficiently and quickly. The objective of risk treatment is to have a detailed step-by-step action plan for as many foreseeable risks as possible. Since projects vary without limit, their purposes and challenges vary to the same degree. This variation makes standardization of the risk treatment process almost impossible, because the process has to be tailored to the specific project and its risks [1].
Threat vs. opportunity
Application
Successfully creating and implementing a risk treatment plan is a difficult achievement in any project. Definitions and sources on generalized application are so far lacking, because "project" is such a wide term. However, some industries have begun to create an organized structure for a risk treatment plan and its progression. The cybersecurity industry is an example of this: although it is a young industry, handling risk is its core expertise. The European Union Agency for Cybersecurity (ENISA) has developed a progression template for risk treatment. In the absence of general definitions, this template is used here as an example from which other industries can learn.
The progression template includes five sections: Identification of Options, Development of Action Plan, Approval of Action Plan, Implementation of Action Plan and Identification of Residual Risks [2].
The following sections generalize and elaborate on the template created for cybersecurity, so that it can be used as a standardized guide for risk management and risk treatment in general project management.
Identification of Options
After a detailed risk assessment, the first step is to identify appropriate alternative options for handling the risks. The impact of a risk varies in probability and size, but it is not necessarily negative. A risk can be either a threat or an opportunity, and the treatment options differ accordingly.
The identification and assessment of the options for risk treatment can in general be seen as a form of cost/benefit analysis. Many factors, tangible and intangible, need to be considered when choosing treatment options and compared against the overall risk management context, i.e. the options must align with the purpose and success criteria of the project, and in the end the choice depends on whether the potential benefits outweigh the costs (or the other way around). The available resources can affect and/or limit the choice of options, in which case it is important for the project manager to prioritize early on which options should be pursued and implemented [2].
Treatment of risk opportunities
There are several ways a project manager can attempt to increase the potential gain or the probability of an identified opportunity. These include, but are not limited to [2]:
- Pursuing actions that are likely to create or maintain the opportunity.
- Actions that increase the probability of the opportunity occurring.
- Actions that increase the gain from the opportunity.
- Sharing/transferring the opportunity to a third party that can contribute resources which increase its probability or gain.
- Retaining the positive residual risks.
Treatment of risk threats
The treatment of threats is similar in nature to the treatment of opportunities, but with the opposite aim. The treatment options for threats include, but are not limited to [2]:
- Avoiding the threat by starting, stopping, diverting or postponing actions so that the cause of the threat is removed.
- Actions that reduce the probability of the threat.
- Actions that reduce the severity/damage of the threat.
- Sharing/transferring part of or the entire threat to a third party. Note that this can in turn create new risks, for example poor management of the risk by the other risk "shareholder".
- Retaining the risk and/or its residual risks.
Development of Action Plan
Once a risk has been classified as a threat or an opportunity and the treatment options to pursue have been chosen, the project manager can start developing an action plan. The action plan describes in detail how the treatment options will be implemented.
A well-made action plan is extensive and should describe the implementation in detail from start to finish. It should state which specific options are to be started, maintained, stopped etc., in prioritized order and with a specific time plan. It should state the resource requirements, including raw materials, staff etc. It should describe everyone involved and their responsibilities, including both external and internal managers, staff, stakeholders etc.
Finally, and potentially most importantly, it should describe the performance indicators and how these are reported and monitored. Continuous performance data is vital for the successful implementation of a risk treatment plan: it tells the project manager whether the treatment is working or not, and therefore gives the ability to act should it be necessary [2].
Approval of Action Plan
Only in rare cases are the project manager and top management the same person. When they are not, it is important for the project manager to stay in continuous contact with the top management of the organization and keep them informed. Communication is key in project management, and risk treatment is no exception. Keeping top management informed also helps ensure continuous support and correct allocation of resources throughout the project's life cycle, and helps spread information to the entire organization, which increases the chances of successful implementation [2].
Implementation of Action Plan
A risk treatment plan will typically span several departments in an organization. It is therefore important that the plan defines how risk management is to be handled in every affected department, to ensure efficient implementation. The most commonly relevant areas are the development process, business and strategic planning, and change management. In these areas (as well as in any other department relevant to the specific project) it is especially important to embed risk management and treatment directly into the policies.
The risk treatment plan does not necessarily have to be general for all departments in the organization, it can be specialized for some or for each of the involved departments. However, every section has to align with the organization's overall risk management strategy.
To successfully implement a risk management or treatment plan it is necessary to have support and commitment at all levels of the organization. Support, awareness and commitment at top management level is vital for implementation, as it helps streamline and execute the plan. It can therefore be helpful to appoint a senior manager to lead the initiatives across the organization, and to involve all top-level managers in the plan.
The organization should also define and document a policy for risk management in detail. This policy should include, but is not limited to:
- Main objectives and logic behind the risk management.
- Links between the treatment plan and the organization's overall strategic plans.
- Which types of risk the organization is willing to pursue and to what extent, as well as the balance between threats and opportunities.
- Specific options that will be used to manage/treat risks.
- Who is accountable for each risk.
- The available resources for those handling the risks.
- Specific performance measures for risk treatment and how they will be monitored/reported.
- A written commitment to review risk management on a continuous basis.
- A written commitment to the policy by top-level managers.
If published to the organization's internal and external stakeholders, such a policy will not only create an overview of the plan, accountability, resource allocation etc., but also demonstrate commitment from top-level management.
Although top-level management is ultimately responsible for managing risks in the organization, all staff have responsibilities in their own areas. Successful risk management at personnel level can be achieved with systematic performance measurement and reporting [2].
Identification of Residual Risk
Residual risks are the risks that remain after risk management planning and implementation. They include unforeseen risks, risks deliberately left untreated, and risks that arise from the risk management process itself and have not been handled. Even if a risk has been deliberately left untreated, it is important to define and document it in as much detail as possible, so that all decision makers in the organization are informed of it. A risk that is residual at one point in time during the project may need to be handled at another time. Without proper preparation, the consequences of a formerly residual risk can grow much larger than necessary, whereas with preparation it might even have been avoided completely [2].
Comparison of ENISA template with PMI Standards and ISO 31000
The international standards for
Limitations
Risk management in general is a project manager's best attempt at foreseeing the future, and a risk treatment plan is the project manager trying to plan how to tackle every imaginable problem. It is impossible for a risk treatment plan to be 100% accurate, and this might be its biggest limitation. Although it can be helpful and increase project success by decreasing uncertainty, setting up a well-made risk treatment plan can be a large project in itself. On top of the practical difficulty, it is also best suited to large organizations, since identifying the potential risks and creating and implementing action plans will most likely be a costly affair. For a smaller organization it is probably more cost-effective to handle most risks head-on as they arise, and to plan only for the most damaging or most probable risks, if any.
Another limitation is the poor public knowledge of risk treatment. Risk management is a well-defined and standardized process, but its last step, risk treatment, is not. The available public resources on risk treatment are either very specific or very briefly described, as in ISO 21502, ISO 31000 and the PMI standards [3] [1] [4].
The limited standardized knowledge could be due to the competitive nature of many organizations, i.e. not sharing how they handle and plan risk treatment is a competitive advantage, or because projects are so individual and specialized that it is difficult to create a generalized step-by-step guide across industries.
Annotated Bibliography
- Project Management Institute, Inc. (PMI). (2019). Standard for Risk Management in Portfolios, Programs, and Projects. Project Management Institute, Inc. (PMI).
- Retrieved from: https://app.knovel.com/hotlink/toc/id:kpSRMPPP01/standard-risk-management/standard-risk-management
- International Organization for Standardization (2020), DS/ISO 21502:2020, Project-, programme and portfolio management - Guidance on project management.
- Retrieved from: https://sd.ds.dk/Viewer?ProjectNr=M351700&Status=60.60&Inline=true&Page=1&VariantID=
- General guidance on project management. This standard gives brief definitions of the general risk management terms used in this article, such as risk management and risk treatment, in the context of project management.
- International Organization for Standardization (2018), DS/ISO 31000:2018, Risk management - Guidelines
- Retrieved from: https://sd.ds.dk/Viewer?ProjectNr=M296412&Status=60.60&Inline=true&Page=1&VariantID=41
- General guidelines on risk management. This standard gives brief definitions of the general risk management terms used in this article, such as risk management and risk treatment.
- ENISA, European Union Agency for Cybersecurity. Threat and risk management, Risk Treatment.
- This website provides a detailed guideline on the application of a risk treatment plan in the cybersecurity industry. It is used throughout this article as an example of a generalized progression for implementing risk treatment in any organization and/or industry.
References
[1] International Organization for Standardization (2018), DS/ISO 31000:2018, Risk management - Guidelines. Retrieved from https://sd.ds.dk/Viewer?ProjectNr=M296412&Status=60.60&Inline=true&Page=1&VariantID=41
[2] ENISA, European Union Agency for Cybersecurity. Threat and risk management, Risk Treatment. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment
[3] International Organization for Standardization (2020), DS/ISO 21502:2020, Project-, programme and portfolio management - Guidance on project management. Retrieved from https://sd.ds.dk/Viewer?ProjectNr=M351700&Status=60.60&Inline=true&Page=1&VariantID=
[4] Project Management Institute, Inc. (PMI). (2019). Standard for Risk Management in Portfolios, Programs, and Projects. Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpSRMPPP01/standard-risk-management/standard-risk-management