Risk Treatment
EigilVølund (Talk | contribs) |
EigilVølund (Talk | contribs) |
||
Line 19: | Line 19: | ||
The progression template includes five sections: ''Identification of Options'', ''Development of Action Plan'', '' Approval of Action Plan'', ''Implementation of Action Plan'' and ''Identification of Residual Risks''. (ENISA) | The progression template includes five sections: ''Identification of Options'', ''Development of Action Plan'', '' Approval of Action Plan'', ''Implementation of Action Plan'' and ''Identification of Residual Risks''. (ENISA) | ||
+ | |||
+ | ''The following segments will generalize and elaborate on the template created for cybersecurity, such as it can be used as a standardized guide for risk management and risk treatment in general project management.'' | ||
=== Identification of Options === | === Identification of Options === | ||
Line 75: | Line 77: | ||
* A written commitment to the policy by top level managers | * A written commitment to the policy by top level managers | ||
+ | If published to internal and external stakeholders to the organization, a such policy, will not only create overview of the plan, accountability, resource allocation etc. but also demonstrate commitment from the top level management. | ||
+ | Although, top level management ultimately is responsible for managing risks in the organization, all staff have responsibilities in their own areas. Successful risk management at personnel level can be achieved with systematic performance measurements and reporting. | ||
=== Identification of Residual Risk === | === Identification of Residual Risk === | ||
+ | Residual risks are risks that have not been covered by the risk management planning and implementation. These include unforeseen risks, untreated risks and risks that evolve from risk management itself, that have not been handled. Even if the risk have been purposely left, it is important to define and document it in as much detail as possible, so that all decision makers in the organization are informed of it. Although, the risk is residual at a certain point of time during the project, it might become necessary to handle it at another time. Without proper preparation the consequences of a former residual risk can be increasingly larger, while it might even have been avoided completely. | ||
− | + | === Comparison of ENISA template with PMI Standards === | |
− | + | ||
− | + | ||
− | + | ||
− | === Comparison of ENISA | + | |
However, the Project Management Institute has created some sub-categories under risk treatment, that can help a project manager in the process. The placement of a certain risk in a certain sub-category of risk treatment, is dependent on the analysis and evaluation made earlier. The four most important sub-categories are as follows: ''Avoidance'', ''Reduction'', ''Transfer'', ''Acceptance'' (PMI 31000). | However, the Project Management Institute has created some sub-categories under risk treatment, that can help a project manager in the process. The placement of a certain risk in a certain sub-category of risk treatment, is dependent on the analysis and evaluation made earlier. The four most important sub-categories are as follows: ''Avoidance'', ''Reduction'', ''Transfer'', ''Acceptance'' (PMI 31000). | ||
Line 99: | Line 100: | ||
;Acceptance | ;Acceptance | ||
:The risk is accepted. Examples where this choice is viable include when a risk is impossible to eliminate or when it is more costly to prepare for/eliminate the risk than the effect it would have. It could also simply be because the risk is considered a part of the total project risk. | :The risk is accepted. Examples where this choice is viable include when a risk is impossible to eliminate or when it is more costly to prepare for/eliminate the risk than the effect it would have. It could also simply be because the risk is considered a part of the total project risk. | ||
+ | |||
+ | == Limitations == | ||
+ | Risk management in general is a project managers best attempt at foreseeing the future. A risk treatment plan is a project manager trying to foresee the future and plan on how to tackle every imaginable problem. | ||
+ | It is impossible for a risk treatment plan to be 100% accurate, and this might be its biggest limitation. Although, it can be helpful and increase project success by decreasing its uncertainty, it can be a huge project in itself to set up a well made risk treatment plan. On top of the practical difficulty, it is also best suited for large organizations, since it most likely will be a costly affair to identify the potential risks, as well as create and implement action plans. For a smaller organization it is probably more cost effective to handle most risks head-on when they arise, and only plan for the most damaging or probable risks if any. | ||
+ | |||
+ | Another limitation is poor public knowledge on risk treatment. Risk management is a well defined and standardized process, however the last step - risk treatment - is not. The available public resources on risk treatment are either very specific or very briefly described, such as in ISO 21502, ISO 31000 and the PMI standards. | ||
+ | |||
+ | |||
+ | |||
== Annotated Bibliograhpy == | == Annotated Bibliograhpy == |
Revision as of 21:20, 20 February 2022
Risk treatment as a method is an under category of risk management. It is an assessment of what to do, if the uncertainties identified during risk management occur. In other words it is a pre-defined action plan of how to handle potential problems in a project. The implementation of risk treatment before or early in a project increases the probability of general project success, by reducing the impact of unforeseen problems throughout the project.
Contents |
Big Idea
Risk Management
Risk Management is a systematic process that assist decision-making within project management. It is an integral part of project success and should be integrated into the overall management structure. The process can be divided into five general steps excluding outlying support structures, the five steps progress in the following order: Establishing Context, Risk Identification, Risk Analysis, Risk Evaluation and Risk Treatment. Although, this is the general progression form, risk management is an agile tool, that requires the project manager to revisit earlier steps in the process throughout the project to mitigate potential risks created by the process itself and also unforeseen project risks. The five step process is visualized in Figure 1. (PMI 31000:2018)
Risk Treatment
Risk treatment is the vital final step, that helps the project manager efficiently and quickly handle the risks identified earlier in the risk management process. The objective in risk treatment is to have a detailed step-by-step action plan for as many imaginable future risks as possible. Since projects come in variations of an unlimited number, their purpose and challenges vary to the same degree. This variation makes standardization of the risk treatment process almost impossible, when the process needs to be tailored to the specific project and its risks.
%%%% SKRIV MERE
Threat vs. opportunity
Application
Successfully creating and implementing a risk treatment plan is a difficult achievement in any project. Definitions and sources on generalized application are so far lacking, because projects are such a wide definition. However, some specific industries that have begun to create an organized structure of a risk treatment plan and its progression. The cybersecurity industry is an example of this, although it is a new industry they are experts in handling risk. The European Union Agency for Cybersecurity has developed a progression template for risk treatment. With lacking general definitions, their template will be used as an example to learn from in other industries.
The progression template includes five sections: Identification of Options, Development of Action Plan, Approval of Action Plan, Implementation of Action Plan and Identification of Residual Risks. (ENISA)
The following segments will generalize and elaborate on the template created for cybersecurity, such as it can be used as a standardized guide for risk management and risk treatment in general project management.
Identification of Options
After a detailed risk assessment the first step is to identify appropriate alternative options to handle the risks. The impact of such risks vary in probability and size, but they are not necessarily negative. A risk can both be a threat and an opportunity, and management of both options vary accordingly.
The identification and assessment of the options for risk treatment, can in generally be perceived as a form of cost/benefit analysis. Many things needs to be considered when choosing treatment options, whether tangible or intangible and compared to the overall risk management context i.e. align with the purpose and success criteria of the project, and in the end the choice depends on whether the costs outweigh the potential benefits (or the other way around). The available resources can effect and/or limit the choice options, and in that case, it is important for the project manager to prioritize which options should be pursued and implemented early on.
Treatment of risk opportunities
There are several ways a project manager can attempt to increase the potential or probability of an identified risk opportunity, these include but are not limited to:
- Pursue actions that are likely to create or maintain the opportunity result.
- Actions that increase probability of the risk.
- Actions that increase the gain from the risk.
- Share/transfer risk to a third-party that can contribute with resources that increases probability or gain.
- Retain the positive residual risks.
Treatment of risk threats
The treatment of risks are similar in nature to opportunity treatment, however with the opposite association, the treatments options for threats include but are not limited to:
- Avoidance of a threat by pursuing or stopping/diverting/postponing actions that are likely to remove the cause of the threat.
- Actions that reduce the probability of the threat.
- Actions that reduce the severity/damage of the threat.
- Share/transfer parts of or the entire threat to a third-party. This could result in turn create new risks in form of bad management from the other risk "shareholder".
- Retain the risk and/or its residual risks.
Development of Action Plan
When it has been identified if the risk is a threat or an opportunity and it has been chosen which treatment options to pursue, the project manager can start the development of an action plan. The action plan describes, in detail, how the treatment options will be implemented.
A well made action plan is extensive and should contain detailed description of the implementation from start to finish. It should include which specific options should be started/maintained/stopped etc. in a prioritized order with a specific time plan. What the resource requirements are, including raw materials, staff etc. Description of everyone involved and their responsibilities, including both external and internal managers, staff, stakeholders etc.
Finally, and potentially the most important factor, a description of performance indicators and how these are reported/monitored. Continuous performance data is vital for successful implementation of a risk treatment plan. It gives the project manager knowledge on whether the treatment is working or not, and therefore the ability to act should it be necessary.
Approval of Action Plan
Only in rare cases the project manager and the top management will be the same person. When this is not the case, it is important for the project manager to keep in continuous contact with the top management of the organization and keep them informed. Communication is key in project management, and risk treatment is not an exception. This will also help ensure continuous support and correct allocation of resources throughout the projects life-cycle, as well as help spread information to the entire organization, which can increase chances of successful implementation.
Implementation of Action Plan
A risk treatment plan will spread over various departments in an organization. Therefore, it is important that the plan defines how risk management is to be handled in all the affected departments, to ensure efficient implementation. The most commonly relevant departments include: development process, business and strategic planning and change management. In these departments (as well as other relevant departments in the specific project) it is extra important to embed risk management and treatment directly into their policies.
The risk treatment plan does not necessarily have to be general for all departments in the organization, it can be specialized for some or for each of the involved departments. However, every section has to align with the organization's overall risk management strategy.
To successfully implement a risk management or treatment plan it is necessary to have support and commitment at all levels of the organization. Support, awareness and commitment at top level management is vital for implementation, it helps streamline and execute the plan. Therefore, it can be helpful to appoint a senior manager to lead the initiatives across the organization, as well as involve all top level managers in the plan.
The organization should also in detail define and document a policy for risk management. This policy should include but is not limited to:
- Main objectives and logic behind the risk management.
- Links between the treatment plan and the organizations over all strategic plans.
- Which types of risk the organization are willing to pursue and to what extent, as well as the balance between threats and opportunities.
- Specific options that will be used to manage/treat risks,
- Who is accountable for each risk.
- The available resources for those handling the risks.
- Specific performance measures for risk treatment and how they will be monitored/reported.
- A written commitment to review risk management on a continuous basis.
- A written commitment to the policy by top level managers
If published to internal and external stakeholders to the organization, a such policy, will not only create overview of the plan, accountability, resource allocation etc. but also demonstrate commitment from the top level management.
Although, top level management ultimately is responsible for managing risks in the organization, all staff have responsibilities in their own areas. Successful risk management at personnel level can be achieved with systematic performance measurements and reporting.
Identification of Residual Risk
Residual risks are risks that have not been covered by the risk management planning and implementation. These include unforeseen risks, untreated risks and risks that evolve from risk management itself, that have not been handled. Even if the risk have been purposely left, it is important to define and document it in as much detail as possible, so that all decision makers in the organization are informed of it. Although, the risk is residual at a certain point of time during the project, it might become necessary to handle it at another time. Without proper preparation the consequences of a former residual risk can be increasingly larger, while it might even have been avoided completely.
Comparison of ENISA template with PMI Standards
However, the Project Management Institute has created some sub-categories under risk treatment, that can help a project manager in the process. The placement of a certain risk in a certain sub-category of risk treatment, is dependent on the analysis and evaluation made earlier. The four most important sub-categories are as follows: Avoidance, Reduction, Transfer, Acceptance (PMI 31000).
- Avoidance
- The risk is avoided by not pursuing whatever is the cause of the risk.
- Reduction
- The risk is reduced by taking mitigative actions to reduce the probability of occurrence.
- Transfer
- The risk is eliminated by transferring it to a third-party. Examples of third-parties are insurance and outsourcing to other companies.
- Acceptance
- The risk is accepted. Examples where this choice is viable include when a risk is impossible to eliminate or when it is more costly to prepare for/eliminate the risk than the effect it would have. It could also simply be because the risk is considered a part of the total project risk.
Limitations
Risk management in general is a project managers best attempt at foreseeing the future. A risk treatment plan is a project manager trying to foresee the future and plan on how to tackle every imaginable problem. It is impossible for a risk treatment plan to be 100% accurate, and this might be its biggest limitation. Although, it can be helpful and increase project success by decreasing its uncertainty, it can be a huge project in itself to set up a well made risk treatment plan. On top of the practical difficulty, it is also best suited for large organizations, since it most likely will be a costly affair to identify the potential risks, as well as create and implement action plans. For a smaller organization it is probably more cost effective to handle most risks head-on when they arise, and only plan for the most damaging or probable risks if any.
Another limitation is poor public knowledge on risk treatment. Risk management is a well defined and standardized process, however the last step - risk treatment - is not. The available public resources on risk treatment are either very specific or very briefly described, such as in ISO 21502, ISO 31000 and the PMI standards.
Annotated Bibliograhpy
Project Management Institute, Inc. (PMI). (2019). Standard for Risk Management in Portfolios, Programs, and Projects. Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpSRMPPP01/standard-risk-management/standard-risk-management
DS/ISO 21502:2020
DS/ISO 31000:2018
Project Management Institute, Inc. (PMI). (2021). A Guide to the Project Management Body of Knowledge (PMBOK ® Guide) – 7th Edition and The Standard for Project Management. Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpSPMAGPMP/guide-project-management/guide-project-management
ENISA, European Union Agency for Cybersecurity. Threat and risk management, Risk Treatment. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment