Risk Management Overview

From apppm
(Difference between revisions)
Jump to: navigation, search
(References)
(Examples of good and bad risk management)
Line 141: Line 141:
 
'''Good:'''
 
'''Good:'''
 
*NASA - mission planning and real-time mission operations
 
*NASA - mission planning and real-time mission operations
*''Formula One racing'' - Is high-performance racer sport, where safety and risk management is taken very seriously. Resulting in a 20-year streak with no fatal incidents, until October 2014 <ref name="FOneArticle" />. Former Formula One driver Jackie Stewart did even say: **"''There is no doubt that Formula 1 has the best risk management of any sport and any industry in the world''" - Jackie Stewart
+
*''Formula One racing'' - Is high-performance racer sport, where safety and risk management is taken very seriously. Resulting in a 20-year streak with no fatal incidents, until October 2014 <ref name="FOneArticle" />. Former Formula One driver Jackie Stewart did even say: **"''There is no doubt that Formula 1 has the best risk management of any sport and any industry in the world''" - Jackie Stewart <ref name="FOneQoute">
  
 
=== Project management context ===
 
=== Project management context ===

Revision as of 16:00, 15 February 2018

Contents

Abstract

Projects are part of a dynamic and fast changeling world. Therefore there is a degree of uncertainty and unpredictability in projects. In order to minimize uncertainties and unforeseeable events related to a project, risks are identified and managed throughout the project lifecycle. A risk is an uncertain event that can have e negative effect on one or more objects in a project such as time, cost, performance or scope [1] [2].

In order to control and manage risks, the Risk Management Process (RMP) is used. RMP is divided into four main categories Identify risks, Assess risks, Treat risks and Monitor risks. However, RMP is a continuous process, which happens throughout the lifecycle of a project. [2] [3]

The different natures of risks can be categorized with D. Rumsfeld's Unknown-Knowns and assessed with the risk matrix (both residual- & inherent risk). When treating the risk the Risk managers can choose to Avoid, Reduce, Share or Accept the risk. The risks can be monitored by using a risk register, where risks and countermeasures can be mapped.

Risk management is an impotent tool to use in project management and helps managers get an overview of potential obstacles that can occur or prevent a team from achieving their goals. Risk management is highly impotent discipline and is therefore present in all projects, however, it's importance is often neglected. [2] [4]

This Wiki-article will describe the Risk Management Process, Risk Matrix, Rumsfeld's Unknown-Knowns, inherent- and residual risks. At last limitations and advantages of Risk Management will be discussed and a brief overview of other relevant reading material.

Please note that this article only covers the risk (threat) management of a project and does not look into opportunities management (risks with a positive effect).

Introduction

Risk definition

Risk can be defined as follows: "Risk is an uncertain event or condition that it occurs, has a positive or negative effect on one or more project objectives such as time, cost and quality, or effect of uncertainty on objectives" All activities in an organization involve risks. These risks can be managed by identifying it, analyzing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy the organization's risk criteria. During this process, risk managers communicate with stakeholders and monitor the risk. The controls are modified in-order to ensure that the amount of risk treatment is minimized. [p. V][2]

Risk identification (RI) is the "process of finding, recognizing and describing risks" [p. 4][2]. RI involves the identification of risk sources, event, causes and potential consequences. The identification can involve historical data, theoretical analysis, expert opinions, and stakeholder needs [p. 4][2].

However identifications are only the first step, managers also need to analyze the risk to the most significant ones can be dealt with on an ongoing basis [p. 219][5].

Rumsfeld's Unknown-Knowns

The different nature of risks can be categorized with former US Defense Secretary, Donald Rumsfeld's definition. Rumsfeld categorizes risks as the following [6] :

  • Known-Knowns describes the things we know we know. An example could be the fact that we know that there are some risks in every project or maybe learning's from a previous project.
  • Known-Unknowns describes the things we know are uncertain. For example, the delays because of a third party fail to deliver on deadline or human errors administration wise or misunderstandings.
  • Unknown-Unknowns describes the things that we in no way could have seen or expected. This could be a sudden death, war or terrorist attack.
  • Unknown-Knowns describes the things we should have known, but we for various reason (mostly complexity) don't. An example could be when a terrorist attack happens on American solid, to some extent, this is an Unknown-Known for the CIA [p. 219-220][5].

Risk Matrix

Risk Matrix [7]

When the risk elements to be managed is identified, the next step is to ensure that either the likelihood is reduced or the impact of that activity occurring.

The risk matrix is one of the most used tools for risk evaluation. The matrix can be used to determine the size of a risk & whether or not a risk is sufficiently controlled.

The risk-matrix is compiled of two dimensions Probability (also called likelihood) and Severity (also called impact). Likelihood is the measure of how likely a given event is, and impact is the effect the risk can do. The combination of these two dimensions gives a collective risk rating in the matrix. Usually, the risk-matrix consists of 3 different risk ratings: Low (Acceptable), Medium and high (Not acceptable), however, some matrices also have a 4. level very high [7].

The horizontal and vertical scale can have different values or tags, however, in this case, both impact and probability have a scale from 1-5. An example of a risk rating could have a probability of 3 (possible) and an impact of 2 (Minor) would have a collective risk ration of medium [p. 223][5].

The numeric scale of 1-5 can be hard for managers to visualize and use, therefore more subjective values like unlikely and likely is often used, as seen in the table below.

Objectively description of numeric scale
Scale (1-5) Likelihood (Subjective values) Impact (Subjective values)
1 Highly unlikely No impact
2 Unlikely Minor
3 Possible Medium
4 Likely Major
5 Very likely Extensive


It is important to notice that the risk matrix is only used to rank risks, and not as a decision tool itself. How to treat the individual risk the matrix does not answer - other tools and a deeper analysis should be used for this. The tool, however, can be used to prioritize and categorize the risks.

Residual - & Inherent risks

Identified risks can be categorized into two different categories, depending on, if controls fail or not. The residual risk is the identified risk as it is today, with the controls in place. An example could be the risk of "financial loss if the bank is robbed", however, we have a control in place and hired security people. The inherent risk is the risk we face if the controls for the residual risk fail. For instance, all the security people get food poisoning, and the bank's protection is therefore gone. Naturally the Impact/Probability for the inherent risk should be grater or equal to the ratings in the residual [2] [8].

Risk Management Process (RMP)

Risk Management Process [9]

The risk management process can be divided into four main categories Identify risks, Assess risks, Treat risks and Monitor risks.

Identify risks

The first process is "Identify risks", here potential risk events and their characteristics that can have a negative effect on the project is identified. The identification of risk is a repeatable process since new risks can change through its life or new risks are discovered. The identification process can consist of a variety of different stakeholders, project management team, experts, senior managers etc.

Assess risks

The second process is "Assess risks", which is used to measure and prioritize risks. In the assessment of risks the probability of each risk occurring & the corresponding impact for the project, if the risk does occur. The probability and impact are then used to prioritize the risks. This process is also repetitive throughout the project. The #Risk Matrix, as described earlier, can be used for accessing the risks.

Treat risks/Control

The third process is "Treat risks", here actions to reduce risks, are developed and determined. The treatment of risks can consist of adding additional resources (manpower, budget) into the schedule. However, the treatment should be customized to fit the individual risk and be as realistic and cost-effective as possible. The process also includes measures to avoid, mitigate or deflect the risk. Another possibility is to develop contingency plans which can be used if the risk occurs [p. 138][1].

Risk Treatment consists of a range of options for mitigating the risk, assessing options, and preparations for implementing action plans. As mentioned earlier the highest risks should be addressed first and so on and forth. Of course, the cost of treating the risk should be evaluated and compared whit potentially loss by risk. Depending on the type and nature of the risk, the following options are available [10]:

  • Avoid - The risk is avoided by stopping to proceed with the activity that introduced the risk. Instead, an alternative activity that still meets business objectives is chosen or a less risky approach or process.
  • Reduce - The likelihood or effect of the risk is reduced to an acceptable level. However in regards to time and expense, it is desirable to eliminate the risk [5].
  • Share or Transfer - The risk is transferred away from the risk-owner. For instance by outsourcing the activities that the risk is tied to, making contracts with service providers or buying a insurance that covers that risk.
  • Accept - The risk is simply accepted, risks with very low impact and likelihood can often be accepted. A risk can also be accepted if the cost of the treatment outweighs the benefit. By accepting the risk no further action is taken to treat the risk, the risk is of cause still monitored and evaluated on an ongoing basis, do to potentially changes [10].

Monitor risks

The fourth process is "Monitor risks", here actions to track and monitor risks are developed. One of the most common approaches to risk monitoring is to use a risk register, which is initiated at the start of a project and continually reviewed and updated. A risk register should as a minimum contain the following information:

  • Risk identification number (Used for identification of risks)
  • Risk Owner (Should be clearly defined and registered in the risk register)
  • Description of Risk (Makes it easier to communicate risk)
  • Results of assessment (Probability/Impact) and assessment date
  • Mitigating Actions (Actions to address the risk)
  • Date for next risk review [9].

It is impotent to note that risks should be monitored, reviewed and controlled on an ongoing base. The controlling of a risk is done by continuous tracking of identified risks while identifying and analyzing new risks. Risks and the effectiveness of controls and mitigations should be evaluated throughout the project life cycle [p. 142][3].

Example and relation to PM (name? xxx)

RMP in different industries

Risk management is relevant for all industries, however, the degree of importance and impact can vary a lot. Risk management is highly important in sectors like finance/banks, formula one, drilling oil & gas or space programs. Where big money can be lost, reputations ruined or even lives lost. Risk management is especially important in the following areas:

  • Construction
  • Medical procedures
  • Disaster and terrorism management
  • Tech companies
  • Oil and gas
  • Financial
  • Large government projects
  • Pharmaceutical sector

The parameters used to measure the impact can also vary a lot. For an R&D project, the impact measurements could be delays, financial and mistakes while a bank could use reputational, regulatory, and financial scales to measure the impact. The space program could be an operational risk such as the risk of burning up when astronauts are reentering the atmosphere. While financial institutions could lose reputation or customers if they have a security breach, like hacking or transferring the wrong amount of money from one customer to another.

Examples of good and bad risk management

Bad:

  • Volkswagen - Dieselgate: In 2015 it was discovered that car manufacturer VW was cheating in emissions test, which made their cars seem more eco-friendly. This resulted in a recall which costed around 6.7 billion euro and resulted in the company posting its first quarterly loss in 15 years. [11]
  • Samsung - Galaxy Note 7 smartphone explosions: When Samsung launched Galaxy Note 7 in August 2017, there was a fatal error with the batteries which caused them to explode, and Samsung was forced to recall 2 million devices with an estimated cost of 5.3 billion USD. [12]
  • Deutsche Bank -Fined 14 billion USD: Deutsche Bank was fined 14 billion USD, by the US for misselling mortgage securities in the US. The bank selected mortgages, packed them into bonds (RMBS) and sold on to investors.[13]

Good:

  • NASA - mission planning and real-time mission operations
  • Formula One racing - Is high-performance racer sport, where safety and risk management is taken very seriously. Resulting in a 20-year streak with no fatal incidents, until October 2014 [14]. Former Formula One driver Jackie Stewart did even say: **"There is no doubt that Formula 1 has the best risk management of any sport and any industry in the world" - Jackie Stewart Cite error: Closing </ref> missing for <ref> tag

[15] [2] [7] [8] [6] [1] [10] [3] [9] [16] [4] [17] [18] [12] [11] [13] [14] [19]

</references>

Further Reading Material

Wikipedia articles

Books

  • J. L. Jensen, "Risk & Return - The Economic Red Phone Explained", Springer International Publishing AG (2017)
  • Chapter 10 in: H. Pearson, "Project Management", Pearson Education Limited, 4th. Edition (2010)
  • ISO, "31000 Risk management — Principles and guidelines", International Standard, (2009)
  • Chapter 11 in: Project Management Institute, "A guide to the project management body of knowledge: PMBOK Guide", Project Management Institute, (2000)

Articles

  • N.T. Nassim, D.G. Goldstein and M.W. Spitznagel "The Six Mistakes Executives Make in Risk Management", Harvard Business School Publishing Corporation (2009)

Cite error: <ref> tags exist, but no <references/> tag was found
Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox