Risk analysis

From apppm
(Difference between revisions)
Jump to: navigation, search
m
Line 1: Line 1:
 
==Abstract==
 
==Abstract==
  
This article is a subpart of [http://apppm.man.dtu.dk/index.php/Risk_management Risk Management] but will attempt to describe different approaches to analysing the risk when managing projects, portfolios and programs
+
:''main article: [http://apppm.man.dtu.dk/index.php/Risk_management Risk Management]''
 +
Since risk analysis is a subpart of risk management, several correlations will be present between the two.
 +
This article will attempt to describe different approaches to analysing the risk when managing projects, portfolios and programs.
  
Several tools will be mentioned and explained briefly, but (in order to allow the full use of the wiki) not be described in detail  
+
Several tools will be mentioned and explained briefly, but (in order to allow the full use of the wiki) not be described in detail.
==Definition==
+
According to the ISO Guide 73-2009, risk analysis is the “Process to comprehend the nature of risk and to determine the level of risk”
+
  
ISO 31000 describes risk analysis as the process which “provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods”.
+
Risk analysis essentially chooses the most appropriate method(s) for calculating the given information and delivers a collective overview of the situation, as an artisan chooses the right tool for the job and produces the individual parts for the product. Using “known knowns” and “known unknowns” '' (from [http://apppm.man.dtu.dk/index.php/The_Cynefin_Framework the Cynefin framework]) '' along with estimates made by either extrapolation based on prior knowledge or by experts, the analysis generates a better understanding enabling the user to conduct a valid risk evaluation.
  
This process mentioned is the computational part of risk management where different aspects, variables and factors are used to estimate the risk involved with a specific feature, action, decision, condition ect. The outcome of this computation is a quantified number or percentage which can then be used as an evaluation criterion, determining either which option to select or if it is safe to proceed down the investigated path.
+
==Definition==
 +
Before defining risk analysis the understanding of risk as a term needs to be established. Risk is mostly defined as a probability of losing something of a specific value, mathematically speaking; the probability of the event occurring multiplied by the potential value-loss = the risk.
  
 +
In order to compute this risk the analysis must receive information on the probability and the value of the potential loss. Looking at the definition of risk analysis, the ISO Guide 73-2009 states that it is the ''“Process to comprehend the nature of risk and to determine the level of risk”'' and the ISO 31000 standard describes it as the process which ''“provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods” ''.
 +
 +
Both are correct since the process mentioned is the computational part of risk management where different aspects, variables and factors are used to estimate the risk involved with a specific feature, action, decision, condition etc. The outcome of this computation is a quantified number or percentage which can then be used as an evaluation criterion, determining either which option to select or if it is safe to proceed down the investigated path.
  
 
==Main features of risk analysis==
 
==Main features of risk analysis==
Input:
+
There are three different analysis method groupings within risk analysis; Qualitative, Semi-quantitative and quantitative.
 +
 
 +
*Qualitative:
 +
 
 +
Qualitative analysis methods are based on opinions and estimates. They compute the risk scenario based on few numbers and many interpretations. Outcome of these methods are usually given in levels of significance like “high”, “medium” and “low” or other word scales which are not specifically determining any actual number.
 +
 
 +
*Semi-quantitative:
 +
 
 +
The outcomes of the semi-quantitative analysis methods are based on numeric ratings using evaluation scales for probability and consequence and usually combining them using a formula, resulting in a comparable value for the risk level.
 +
 
 +
*Quantitative:
 +
 
 +
The quantitative analysis uses estimates of probability and consequence values to generate an approximation of the risk involved, represented by one specific value. The specific values, depending on the method of gathering, from different analysis can then be combined into one overall risk factor.
 +
----
 +
As risk analysis works like a processor it needs to receive some information as input before it can calculate an output which depicts reality.
 +
 
 +
These input are:
 +
 
 
:Purpose
 
:Purpose
 
The purpose is the reason for analysing the risk; it assists with determining the boundaries of the analysis.
 
The purpose is the reason for analysing the risk; it assists with determining the boundaries of the analysis.
 +
 +
:Type of risk
 +
Choice of models depends on the type of risk in question.
 +
 +
:Information available
 +
Determines whether it is possible to conduct the analysis right away or information has to be gathered.
 +
 +
:Existing control features
  
 
:Consequences  
 
:Consequences  
 +
The consequences can be both positive and negative, and reflect the impact of events defined in the analysis
  
 
:Likelihood / Probabilities
 
:Likelihood / Probabilities
  
:Existing control features
+
:Risk criteria
  
 
:Effectiveness of existing control features
 
:Effectiveness of existing control features
Line 30: Line 60:
  
 
:Factors influencing any of the above
 
:Factors influencing any of the above
 +
Weights which scale the severity of the quantities are part of this input, as well as uncertainties and sensitivities.
  
 
:Interrelations / Interdependence
 
:Interrelations / Interdependence
 +
The network of relational aspects between different risks
  
:Type of risk
 
  
:Information available
+
Output:
 +
----
 +
:Assessment of the risk with the following aspects
  
:Risk criteria
+
::Description of methods used and known control features impact on the risk
  
Output:
+
::Combined Likelihood / probability depending on the description of original risk
:Combined Likelihood / probability
+
  
:Consequences
+
::Consequences of different scenarios
  
:Confidence in:
+
:Description of confidence in:
::Risk level
+
::The assessment of the risk (the result of the analysis)
  
::Sensitivity of result to preconditions and assumptions
+
::The sensitivity of the result to preconditions and assumptions
  
 
::Information Uncertainty
 
::Information Uncertainty
Line 64: Line 96:
  
 
==Different models used when analysing risk==
 
==Different models used when analysing risk==
 +
The following models are all described in Annex B of the ISO 31010 standard.
 +
 
:'''[http://en.wikipedia.org/wiki/Brainstorming Brainstorming]:'''
 
:'''[http://en.wikipedia.org/wiki/Brainstorming Brainstorming]:'''
 +
Brainstorming is a very intuitive method which uses associations and connections made by possibly several people around a central subject to uncover problematic and opportunistic aspects affecting the subject. This qualitative information is then used to gather as much quantitative information as possible in order to complete the further analysis.
  
 
----
 
----
 
:'''[http://en.wikipedia.org/wiki/Structured_interview Structured] or [http://en.wikipedia.org/wiki/Semi-structured_interview semi-structured] interviews:'''
 
:'''[http://en.wikipedia.org/wiki/Structured_interview Structured] or [http://en.wikipedia.org/wiki/Semi-structured_interview semi-structured] interviews:'''
 +
The structured or semi-structured interview can be used for gathering information from numerous sources. These interviews do not have to be done face to face since questionnaires are also considered within this model.
  
 
----
 
----
 
:'''[http://en.wikipedia.org/wiki/Delphi_method Delphi technique]:'''
 
:'''[http://en.wikipedia.org/wiki/Delphi_method Delphi technique]:'''
 +
The Delphi technique is essentially a brainstorming process where the participants are kept anonymous but are able to see the collected work of all participating in the process. It is used to reach some kind of consensus around the subject in question.
  
 
----
 
----
 
:'''Check-lists:'''
 
:'''Check-lists:'''
 +
Check-lists are built from previous experiences and often list known risks, control features and/or hazards gathered through prior assessments or lessons learned.
  
 
----
 
----
 
:'''[http://en.wikipedia.org/wiki/Hazard_analysis Preliminary hazard analysis (PHA)]:'''
 
:'''[http://en.wikipedia.org/wiki/Hazard_analysis Preliminary hazard analysis (PHA)]:'''
 +
PHA is used when there is little information available and as the name states normally in the beginning of e.g. a project, in order to uncover potential hazards influencing the further development.
  
 
----
 
----
Line 166: Line 205:
  
 
==Links==
 
==Links==
'''Only the following links are internal in the APPPM-wiki, All others are to Wikipedia.org and may be replaced when the APPPM-pages has been written, and added to this list:'''
+
'''Only the following links are internal in the APPPM-wiki, All others are to Wikipedia.org and may be replaced when the APPPM-pages has been written, and added to this list.
 +
 
 +
Once all links are internal, this section can be deleted.'''
  
 
[http://apppm.man.dtu.dk/index.php/Risk_management Risk Management]
 
[http://apppm.man.dtu.dk/index.php/Risk_management Risk Management]
 +
 +
[http://apppm.man.dtu.dk/index.php/The_Cynefin_Framework the Cynefin framework]
  
 
[http://apppm.man.dtu.dk/index.php/Monte_Carlo_Simulation_of_Risk Monte Carlo simulation]
 
[http://apppm.man.dtu.dk/index.php/Monte_Carlo_Simulation_of_Risk Monte Carlo simulation]

Revision as of 12:20, 24 November 2014

Contents

Abstract

main article: Risk Management

Since risk analysis is a subpart of risk management, several correlations will be present between the two. This article will attempt to describe different approaches to analysing the risk when managing projects, portfolios and programs.

Several tools will be mentioned and explained briefly, but (in order to allow the full use of the wiki) not be described in detail.

Risk analysis essentially chooses the most appropriate method(s) for calculating the given information and delivers a collective overview of the situation, as an artisan chooses the right tool for the job and produces the individual parts for the product. Using “known knowns” and “known unknowns” (from the Cynefin framework) along with estimates made by either extrapolation based on prior knowledge or by experts, the analysis generates a better understanding enabling the user to conduct a valid risk evaluation.

Definition

Before defining risk analysis the understanding of risk as a term needs to be established. Risk is mostly defined as a probability of losing something of a specific value, mathematically speaking; the probability of the event occurring multiplied by the potential value-loss = the risk.

In order to compute this risk the analysis must receive information on the probability and the value of the potential loss. Looking at the definition of risk analysis, the ISO Guide 73-2009 states that it is the “Process to comprehend the nature of risk and to determine the level of risk” and the ISO 31000 standard describes it as the process which “provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods” .

Both are correct since the process mentioned is the computational part of risk management where different aspects, variables and factors are used to estimate the risk involved with a specific feature, action, decision, condition etc. The outcome of this computation is a quantified number or percentage which can then be used as an evaluation criterion, determining either which option to select or if it is safe to proceed down the investigated path.

Main features of risk analysis

There are three different analysis method groupings within risk analysis; Qualitative, Semi-quantitative and quantitative.

  • Qualitative:

Qualitative analysis methods are based on opinions and estimates. They compute the risk scenario based on few numbers and many interpretations. Outcome of these methods are usually given in levels of significance like “high”, “medium” and “low” or other word scales which are not specifically determining any actual number.

  • Semi-quantitative:

The outcomes of the semi-quantitative analysis methods are based on numeric ratings using evaluation scales for probability and consequence and usually combining them using a formula, resulting in a comparable value for the risk level.

  • Quantitative:

The quantitative analysis uses estimates of probability and consequence values to generate an approximation of the risk involved, represented by one specific value. The specific values, depending on the method of gathering, from different analysis can then be combined into one overall risk factor.


As risk analysis works like a processor it needs to receive some information as input before it can calculate an output which depicts reality.

These input are:

Purpose

The purpose is the reason for analysing the risk; it assists with determining the boundaries of the analysis.

Type of risk

Choice of models depends on the type of risk in question.

Information available

Determines whether it is possible to conduct the analysis right away or information has to be gathered.

Existing control features
Consequences

The consequences can be both positive and negative, and reflect the impact of events defined in the analysis

Likelihood / Probabilities
Risk criteria
Effectiveness of existing control features
Causes of risk
Sources of risk
Factors influencing any of the above

Weights which scale the severity of the quantities are part of this input, as well as uncertainties and sensitivities.

Interrelations / Interdependence

The network of relational aspects between different risks


Output:


Assessment of the risk with the following aspects
Description of methods used and known control features impact on the risk
Combined Likelihood / probability depending on the description of original risk
Consequences of different scenarios
Description of confidence in:
The assessment of the risk (the result of the analysis)
The sensitivity of the result to preconditions and assumptions
Information Uncertainty
Information Availability
Information Quality
Information Quantity
Ongoing relevance of information
Limitations

Benefits of analysing risk

Different models used when analysing risk

The following models are all described in Annex B of the ISO 31010 standard.

Brainstorming:

Brainstorming is a very intuitive method which uses associations and connections made by possibly several people around a central subject to uncover problematic and opportunistic aspects affecting the subject. This qualitative information is then used to gather as much quantitative information as possible in order to complete the further analysis.


Structured or semi-structured interviews:

The structured or semi-structured interview can be used for gathering information from numerous sources. These interviews do not have to be done face to face since questionnaires are also considered within this model.


Delphi technique:

The Delphi technique is essentially a brainstorming process where the participants are kept anonymous but are able to see the collected work of all participating in the process. It is used to reach some kind of consensus around the subject in question.


Check-lists:

Check-lists are built from previous experiences and often list known risks, control features and/or hazards gathered through prior assessments or lessons learned.


Preliminary hazard analysis (PHA):

PHA is used when there is little information available and as the name states normally in the beginning of e.g. a project, in order to uncover potential hazards influencing the further development.


Hazard and operability study (HAZOP):

Hazard analysis and critical control points (HACCP):

Toxicity assessment:

Structured “What-If” Technique (SWIFT):

Scenario analysis:

Business impact analysis (BIA):

Root cause analysis (RCA):

Failure modes and effects analysis (FMEA) / failure modes and effects and criticality analysis (FMECA):

Fault tree analysis (FTA):

Event tree analysis (ETA):

Cause-consequence analysis:

Cause-and-effect analysis:

Layers of protection analysis (LOPA):

Decision tree analysis:

Human reliability assessment (HRA):

Bow tie analysis:

Reliability centered maintainance:

Sneak analysis (SA) / sneak circuit analysis (SCI):

Markov analysis:

Monte Carlo simulation:

Bayesian statistics andBayes Nets:

FN curves:

Risk indices:

Consequence/probability matrix:

Cost/benefit analysis (CBA):

Multi-criteria decision analysis (MCDA):

Reference

ISO Guide 73-2009 – Risk Management Vocabulary

ISO 31000 - Risk management - Principles and guidelines

ISO 31010 - Risk management

International Journal of Project Management 32 (2014) - Vahid Khodakarami , Abdollah Abdi - Project cost risk analysis: A Bayesian networks approach for modelling dependencies between cost items

Links

Only the following links are internal in the APPPM-wiki, All others are to Wikipedia.org and may be replaced when the APPPM-pages has been written, and added to this list.

Once all links are internal, this section can be deleted.

Risk Management

the Cynefin framework

Monte Carlo simulation

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox