Management of risk
Line 51: | Line 51: | ||
The following principles should be complied with by an organization in order for risk management to be effective. | The following principles should be complied with by an organization in order for risk management to be effective. | ||
− | '''Management of risk:''' | + | '''Management of risk:'''<ref>ISO 31000:2009 handbook, |
# '''Creates and protects value''' - Contributes to the demonstrable achievement of objectives and improvement of performance in, for example, security, environmental protection, project and program management. | # '''Creates and protects value''' - Contributes to the demonstrable achievement of objectives and improvement of performance in, for example, security, environmental protection, project and program management. |
Revision as of 13:12, 28 September 2015
Risk is part of all our lives. We need to take risks to grow and develop. Effectively managed risk in hospitals, airport security, construction sites, projects, programmes, portfolios and in so many more circumstances help societies achieve.
Management of risk involves identification, assessment, and prioritization of risks. Coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Figure 1 shows what is involved in risk management. Identifying, analysing and evaluating risks are all part of risk assessment and will be further analysed in the risk assessment section.
Because risk is inherent in everything we do, risk professionals undertake roles that are very diverse. It includes roles in insurance, business, health and safety, corporate governance, engineering, planning and financial services to name a few.
In this article general methodologies and important principles of risk management will be outlined, risk assessment will be explained and programme risk management introduced. Benefits and limitations of risk management will be discussed before stating the conclusions.
Contents |
Introduction
Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. Risk is the effect this uncertainty has on an organization's objectives. Risk can be managed by identifying it, analysing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Constant communication and consultation with stakeholders is a key for the process to run smoothly as well as monitoring and reviewing the risk and making sure that the correct actions are taken to ensure that no further risk treatment is required.
Risk management can be applied to an entire organization, at its many areas and levels, at any time. It can also be applied to specific functions, projects and activities.
The practice of risk management is used within many sectors in order to meet diverse needs. Despite that wide range, adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization. ISO 31000 is an international standard that describes a generic approach and provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and withing any scope and context. [1]
As can be seen in figure 1, the first step is to establish the context in order to figure out the individual needs, audiences, perceptions and criteria for each specific sector while applying risk management. Establishing the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the dicersity of risk criteria. those factors will help reveal and assess the nature and complexity of its risks.
The international standard has stated that when risk management is implemented and maintained in accordance with ISO, it enables an organization to achieve the following objectives:
- Increase the likelihood of achieving objectives
- encourage proactive management
- Be aware of the need to identify and treat risk throughout the organization
- Improve the identification of opportunities and threats
- Comply with relevant legal and regulatory requirements and international norms
- Improve mandatory and voluntary reporting
- Improve governance
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making and planning
- Improve controls
- Effectively allocate and use resources for risk treatment
- Improve operational effectiveness and efficiency
- Enhance health and safety performance, as well as environmental protection
- Improve loss prevention and incident management
- Minimize losses
- Improve organizational learning
- Improve organizational resilience
Important principles
The following principles should be complied with by an organization in order for risk management to be effective.
Management of risk:Cite error: Closing </ref> missing for <ref> tag
Qualitative | Quantitative |
---|---|
risk-level | project level |
subjective evaluation of probability and impact | probabilistic estimates of time and cost |
quick and easy to perform | time consuming |
no special software or tools required | may require specalized tools |
Programme risk management
There are four defined steps in programme risk management. Identify step, assess step, plan step and implement step. In order for a programme to run as smoothly as possible, these four steps must be followed. Other factors play along these four steps, good and effective communication is the most important factor. Communication has to be good throughout each and every step. Let's take a better look at the four steps.
Identify step
In the beginning of programme management, the identification of uncertain events which can both be threats and opportunities takes place. The programme's objectives and scope, what assumptions have been made, who the stakeholders are and where the programme fits inside the organization as well as the environment should be understood. If those aspects are understood it enables the programme to search for risk methodically and take the correct actions should a response be needed at some point.
Actual risks should then be identified. Both threats to the programme objectives and opportunities to overachieve on outcomes and benefits.
Assess step
The assessment of risk can be broken down into two activities. Estimate the threats and the opportunities in terms of their probability impact and proximity on the one hand, and on the other hand to evaluate the net aggregated effect of the identified threats and opportunities on the programme. This is explained in detail in the Risk assessment section.
Plan step
Preparation of specific management response to the threats and opportunities that have been identified are the primary goal of the plan step. The objective is to remove or reduce the threats and to maximize the opportunities.
Implement step
Here it shall be ensured that the previously planned risk management actions are successfully implemented and monitored as to their effectiveness. Corrective actions should be taken where responses do not live up to expectations. It is an important factor that roles and responsibilities are allocated. Someone has to be responsible for the management and control of the risk. Key roles in that perspective are: Risk owner is responsible for the management and control of all aspects of the risks assigned to them. Managing, tracking and reporting the implementation of the selected actions to address the threats or to maximize the opportunities is included in that role. Risk actionee is responsible for the implementation of risk response actions. Support and take directions from the risk owner.
Tools
There are many tools used in risk assessment, sometimes it is recommended to use more than one tool in risk assessment. They all have their own focus areas. Lets take a better look at the most frequently used tools.
Hazard and operability study (HAZOP)
Failure mode effect analysis (FMEA)
Structured What-IF technique (SWIFT)
Fault Tree Analysis (FTA)
Benefits
The most notable potential benefits of a well-structured and efficiently run risk management are. [2]
- Improved strategic and business planning
- More effective use of resources
- An ability to quickly grasp new opportunities
- Fewer unwelcome surprises
- Enhanced communication
- Ability to reassure key stakeholders throughout the organization
- Continuous improvement
- robust contingency planning
For projects
Contingency in projects can make or break them. Too much contingency is uncompetitive and too little increases the chance of failure. Risk assessment helps set contingency levels. It aims to figure out the most probable level of risk and gives the confidence level of outcome targets.
For portfolios
For businesses
Limitations
Conclusions
References
Among strategies used to manage threats are.
- Transferring the threat to another party
- Avoid the threat
- Reducing both the negative effect and lowering the probability of the threat
- Accepting the potential negative consequences of a particular thread is the only option.
- For uncertain events with benefits (opportunities) the opposite is done.