Risk management

From apppm
Revision as of 14:34, 23 November 2014 by Saeh0803 (Talk | contribs)


Abstract

I chose to write about risk management because it is a very interesting and important topic in every area. Everyone knows what a risk is; it is a part of our life. Each step we take and each decision we make is full of risks, whether we notice it or not. In our professional life, however, we have to take action on each risk that arises, because it has a negative effect, and that effect can have consequences in terms of economic, professional reputation, environmental, safety and societal outcomes. This article focuses on how an organization or project handles its risks and which framework could be relevant or helpful for it. Nowadays, risk management is an important part of project, program and portfolio management. In order to complete a project successfully and deliver it on time and within budget, it is important to get an overview of the risks associated with the project. Most projects fail due to the lack of risk management [1]. In many projects the risks are not proactively identified, analyzed and mitigated, and even in some projects where risk is a part of the project's planning process, the projects fail because the resources are not completely utilized to get the full advantage [2]. This article further discusses risk and the different levels of risk at the organizational level, and how to identify a project's risks by using some of the standard guidelines for risk management, such as ISO 31000, ISO 2700S, DS/ISO 31000 Risk management - Principles and guidelines, and the M_O_R principles, which is a standard risk management framework that can be used by any organization on any project regardless of its size. NOTE: This article might be similar to other articles: Risk analysis, Risk register, Risk management strategy in project portfolios.

Definition

You can find different tools and definitions for risk depending on the context in which it is used. A definition from the Oxford English Dictionary reads “the possibility that something unpleasant or unwelcome will happen” [3]. This is more general and relates more to everyday life. In decision theory, Luce and Raiffa relate risk to making decisions under known probabilities of the states of nature [4], and Frank Knight defines risk in economic theory as “risk arises when the decision maker can assign probabilities to possible outcomes”. A well-known definition of risk in the domain of project management considers risk as “an uncertain event or condition that, if it occurs, has a positive (opportunity) or negative (threat) impact on project objectives” [5]. Frank Knight defines uncertainty and risk as “...Uncertainty must be taken in a sense radically distinct from the familiar notion of Risk, from which it has never been properly separated. … The essential fact is that "risk" means in some cases a quantity susceptible of measurement, while at other times it is something distinctly not of this character; and there are far-reaching and crucial differences in the bearings of the phenomena depending on which of the two is really present and operating. … It will appear that a measurable uncertainty, or "risk" proper, as we shall use the term, is so far different from an un-measurable one that it is not in effect an uncertainty at all.” [6]

To minimize the uncertainty and reduce the risks on the project, you may regularly look back at your risk analysis. Most projects fail due to a lack of risk management: in many projects the risks are not proactively identified, analyzed and mitigated, and even in some projects where risk is a part of the project's planning process, the projects fail because they do not invest their resources completely and do not pay attention to it. Risk management is the most important part of the project planning process.
It is a management tool that the project manager uses to analyse the risk factors within a project group or projects. The project group must be informed of the main risks and how they will deal with those risks. Eliminating risks often requires extra resources; these resources must be allocated to the project group. Many studies have also pointed out that risk management plays a big role in project success [7]. The report by Jacob and Kwak highlights the positive contribution of risk management to improving the project selection, review and resource allocation of new product development projects. Risk management is used in many areas, such as public debate, research, danger of disease, death or accidents, and threatening environmental problems in terms of the risk of climate change, CO2, pollution and so on. It is also used in many other projects, such as customer needs and price, new technology and resources, construction and delivery projects, research projects and interests, and other tasks.

What is risk

Risk is the uncertainty associated with any kind of action or project in an organization's context, which must be understood and effectively managed during the project's process in order to improve the results [9]. Different definitions of risk management can be found, and the choice of definition depends on how broad a concept of risk is used and therefore which risks are covered by the definition. There is no complete tool or solution that fits every project; creating a new risk management process, or changing the existing one according to the project's goal, is always a helpful and flexible process that will ultimately result in a solution for the individual organization or project. Risk is always based on an idea of how the project will be completed. It can be defined on the basis of an existing plan: for example, if the project must be completed in 6 months, the risk of delay is bigger than if the project must be completed in one year. If new technologies are a part of the project plan, the risk is bigger than when known technologies are used. Therefore risk is based on an existing plan; the same project may have very different risks if you change the project's plan [10].


Benefit of risk management and why risk management

Three Levels of operational risk management

Risk management in an organization can be categorized into three levels of operation [8].

  • Strategic level:

At the strategic level, operational risk management relates to the vision of the business, the expansion planned over a couple of years, the product position and the target customers in the market. In other words, strategic operational risk management relates to the implementation of the risk demands. It must be defined at the top management level and deployed in a top-down manner through all the levels of the organization.

  • Tactical level

At the tactical level, the set of operational risk management tools and controls helps to reduce the number and intensity of events. It provides the risk manager with a second line of defence. The effects of the risk responses appear at the tactical level, such as reductions in losses, fines and near misses. Tactical operational risk management emphasizes loss prevention and risk reduction techniques; process control, loss data analysis, key risk indicators, risk self-assessments and business expansion plans are some of the vast array of tools and techniques that have been developed to reduce the frequency of risk events and to reduce their impact on the overall project. The financial services industry is the most developed area of operational risk management today.

  • Dynamic level

The dynamic level provides a natural reduction of operational incidents by redesigning all those processes that were prone to errors, removing any unnecessary tasks and useless controls, standardizing the procedures and improving productivity. Dynamic risk management targets operational efficiency and process design. Workflows are redesigned at this level to improve work speed by eliminating errors.

Operational risk management must spread over all three of these levels in order to be more effective and efficient.

How to develop a risk analysis

A risk analysis can be developed in two different ways [11]:

  • By using standard risk guidelines such as ISO 31000, with which managers can go step by step to identify the risks, analyse the situation in each phase and take action on each risk that has a negative impact on the situation. In this approach more leaders must participate in order to reduce the impact of risks and take care of each situation.
  • By using a more general analysis or guidelines to define the project's goals and reduce the risks without managing them, with less management participation.

In the first option many standard guidelines and analyses can be used, such as ISO 31000, ISO/IEC 31010, ISO 73-2009 and many others. The International Organization for Standardization (ISO) risk management standard provides principles, general guidelines, a framework and a process for managing risks. It can be used by any project or organization regardless of its size. ISO 31000 summarizes all the central activities and main points that an organization might go through to manage its risks effectively and increase its chance of reaching its goals. It does not contain any specific techniques to use, but it mentions that an organization must follow risk identification tools and techniques that match the project and its goals. Another ISO standard is ISO/IEC 31010, Risk Management, which contains risk assessment techniques and steps that give an understanding of the risks that can have a negative impact on an organization's achievement of its goals, and of the adequacy and effectiveness of the controls already in place. Risk assessment helps decision makers make the correct decisions, for example which tools and techniques must be used to treat the risks and how to choose the best opportunities. The following techniques are described in ISO 31010:

  • Risk identification
  • Risk analysis - consequence analysis
  • Risk analysis - qualitative, semi-quantitative or quantitative probability estimation
  • Risk analysis – assessing the effectiveness of any existing controls
  • Risk evaluation
  • Communication and consultation, and monitoring and review

Each step is described in detail in ISO 31010. Compared to this, M_O_R is a much more extensive application, which provides detailed guidance on how to implement risk management. It is also a framework for making informed decisions about risks at the strategic, program, project and operational levels, in order to identify, assess and manage the key risks and deliver the expected advantages [12]. It describes in depth both what needs to be done, through principles, activities and roles, and how to begin the activities. In some ways ISO 31000 and M_O_R are very similar and use some common definitions and methods. M_O_R is designed for practical application of risk management techniques and is based on 4 core concepts: principles, approach, process, and embedding and review, while ISO 31000 is designed more to assess how completely the risk management techniques have been applied [13]. The difference is that ISO 31000 is based on a framework, principles and a process. It prescribes how an organization should implement risk management and manage risk by using any tools that suit its goals and organization, while M_O_R allows it to customize its approach within the guidelines to suit its operating environment and process. Both are useful tools and can be used for managing risks.

An example of how to identify your project’s risks


To identify the project's risks, you can start with brainstorming. The first step is to list the main categories, such as technologies, goal, stakeholder, communication, cost, environmental, resources and reliability, which are indicated in blue in the figure below. The next step is to identify the risks associated with the main categories. By brainstorming the risks you can find 50-100 risks, depending on the project's size; therefore the third step is to estimate what the potential impact could be by using the Risk Matrix.


Each high-priority or high-impact risk should be assigned to a group member according to their experience and skills, so that they can study and evaluate the risk. Cost risks might, for example, be assigned to someone in the finance department rather than someone from the IT department. New technology risks might be assigned to someone from the IT department. The project manager should be responsible for the whole risk process. The most important parts of the risk process are the schedule with deadlines and the risk list, which should only be edited, added to, re-prioritized and controlled by the project manager during the project. To reduce the risks, the project manager should communicate the risk list to all the project stakeholders regularly, at least once a week. All changes should be registered in the risk map, and at the end of the project the results can be used for a retrospective: what did you learn from it, what should be different in the next project, and how can the risks be controlled from the beginning?
