Risk Management Overview
(→Risk Management Steps) |
(→Risk Management Steps) |
||
| Line 84: | Line 84: | ||
Risks and the effectiveness of controls and mitigation's should be evaluated throughout the project life cycle [p. 142]<ref name="HowToDoProjects" />. | Risks and the effectiveness of controls and mitigation's should be evaluated throughout the project life cycle [p. 142]<ref name="HowToDoProjects" />. | ||
| − | [[ | + | [[File:Risk_managment_process.jpg|right|thumb|500px|Risk Matrix <ref name="RiskMatrixPicture" />]] |
==Further Reading Material== | ==Further Reading Material== | ||
Revision as of 12:36, 10 February 2018
Contents |
Abstract
Projects are part of a dynamic and fast changeling world. Therefore there are a degree of uncertainty and unpredictability in projects. In-order to minimize uncertainties and unforeseeable events related to the project, risk are identified and managed throughout the project life cycle, Rumsfeld's Unknown-Knowns and Risk categorization (mitigate, control, monitor).
Risk management is impotent tool to use in project management, even-though the Risk management is only estimates of potential future situations. Risk identification help the manager get an overview of potential obstacles that can occur or prevent the team from achieving their goals. By identifying the risks, managers can map them and initiate appropriate measurements to counter them. Risk management is highly impotent discipline and is therefore present in most projects. [1]
The Risk Management Process is a continuous process, which can be divided in to divided in to five steps steps [1] [2]
The risks are identified and managed by using quantitative & qualitative tools. This Wiki-article will focus on Risk categorization, Risk Matrix, actions to take against identified risks and Rumsfeld's Unknown-Knowns. Furthermore describing inherent and residual risks, and parameters which a company can use to measure impact. At last limitations and advantages of Risk Management will be discussed. Furthermore this article will give a brief overview of other relevant reading material.
Please note that this article only covers the risk (threat) management of a project and does not look in to opportunities management (risks with positive effect).
Test [3] [4] [1] [5] [6] [7] [8] [9] [10] [2]
Introduction
Risk definition
Risk can be defined as follows: "Risk is an uncertain event or condition that if occurs, has a positive or negative effect on one or more project objectives such as time, cost and quality, or effect of uncertainty on objectives" All activities in a organization involve risks. These risks can be managed by identifying it, analyzing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy the organization's risk criteria. During this process risk managers communicate with stakeholders and monitor the risk. The controls are modified in-order to ensure that the amount of risk treatment is minimized. [p. V][1]
Risk identification (RI) is the "process of finding, recognizing and describing risks" [p. 4][1]. RI involves the identification of risk sources, event, causes and potential consequences. The identification can involve historical data, theoretical analysis, expert opinions, and stakeholder needs [p. 4][1].
However identifications is only the first step, managers also need to analyze the risk so the most significant ones can be deltwith on a ongoing basis [p. 219][3].
Rumsfeld's Unknown-Knowns
The different nature of risks, can be categorized whit former US Defense Secretary, Donald Rumsfeld's destination. Rumsfeld categorizes risks as the following [7] :
- Known-Knowns describes the things we know we know. An example could be the fact that we know that there are some risks in every project or maybe learning's from a previous project.
- Known-Unknowns describes the things we know are uncertain. For example the delays because of third party fails to deliver on deadline or human errors administration wise or misunderstandings.
- Unknown-Unknowns describes the things that we in noway could have seen or expected. This could be a sudden death, war or terrorist attack.
- Unknown-Knowns describes the things we should have known, but we for various reason (mostly complexity) don't. An example could be when a terrorist attack happens on American solid, to some extent this is a Unknown-Known for the CIA [p. 219-220][3].
Risk Matrix
When the risk elements to be managed is identified, the next step is to ensure that either the likelihood is reduced or the impact of that activity occurring.
The risk matrix is one of the most used tools for risk evaluation. The matrix can be used to determine the size of a risk & whether or not a risk is sufficiently controlled.
The risk-matrix is compiled of two dimensions Probability (also called likelihood) and Severity (also called impact). Likelihood is the measure of how likely a given event is, and impact is the effect the risk can do. The combination of these two dimensions gives a collective risk rating in the matrix. Usually the risk-matrix consists of 3 different risk ratings: Low (Acceptable), Medium and high (Not acceptable), however some matrices also have a 4. level very high [5].
The horizontal and vertical scale can have different values or tags, however in this case both impact and probability have a scale from 1-5. An example of a risk rating could have a probability of 3 (possible) and a impact of 2 (Minor) would have a collective risk ration of medium [p. 223][3].
It is important to notice that the risk matrix is only used to rank risks, and not as a decision tool itself. How to treat the individual risk the matrix does not answer - other tools and a deeper analysis should be used for this. The tool however can be used to prioritize and categorize the risks.
HUSK AT LAV TABELLER MED RATINGS XXX
Residual - & Inherent risks
Identified risks can be categorized into two different categories, depending on, if controls fail or not. The residual risk is the identified risk as it is today, with the controls in place. An example could be the risk of "financial loss if bank is robed", however we have a control in place and hired security people. The inherent risk is the risk we face if the controls for the residual risk fail. For instance all the security people get food poisoning, and the banks protection is there for gone. Naturally the Impact/Probability for the inherent risk should be grater or equal to the ratings in the residual [1] [6].
Mitigation's aka. response controls
After the risks have been identified aproiate controls and mitigation's can be put in to place in order to minimize potential losses. Two approaches which can be used is corrective action and and contingency and reserves ... XXX? [p. 222][3].
Risk Management Steps
The risk management process can be divided in to three main categories identify risks. Assess risks and Treat risks.
- The first process is "Identify risks", here potential risk events and their characteristics that can have a negative effect on the project is identified. The identification of risk is a repeatable process since new risks can change through it's life or new risks is discovered. The identification process can consist of a variety of different stakeholders, project management team, experts, senior managers etc.
- The second process is "Assess risks", which is used to measure and priorities risks. In the assessment of risks the probability of each risk occurring & the corresponding impact for the project, if the risk does occur. The probability and impact is then used to prioritize the risks. This process is also repetitive throughout the project.
- The third process is "Treat risks", here actions to reduce risks, are developed and determined. The treatment of risks can consist of adding additional resources (manpower, budget) in to the schedule. However the treatment should be customized to fit the individual risk and be as realistic and cost-effective as possible. The process also include measures to avoid, mitigate or deflect the risk. Another possibility is to develop contingency plans which can be used if the risk occurs [p. 138][8].
Is is impotent to note that risks should be monitored, reviewed and controlled on an ongoing bases. The controlling of a risk is done by continuous tracking of identified risks while identifying and analyzing new risks. Risks and the effectiveness of controls and mitigation's should be evaluated throughout the project life cycle [p. 142][8].
Further Reading Material
Risk Management in Renewable Energy Projects
Risk and Opportunities Management
References
- ↑ 1.0 1.1 1.2 1.3 1.4 1.5 1.6 ISO, "31000 Risk management — Principles and guidelines", INTERNATIONAL STANDARD, (2009):.
- ↑ 2.0 2.1 Georgetown University, "RISK MANAGEMENT OVERVIEW", https://riskmanagement.georgetown.edu/overview, Visited 10-02-2018
- ↑ 3.0 3.1 3.2 3.3 3.4 H. Pearson, "Project Management", Pearson Education Limited, 4th. Edition (2010):.
- ↑ ISO, "31000 Risk Management for smes", ISO, (2015):. https://www.iso.org/iso/iso_31000_for_smes.pdf, Visited 07-02-2018
- ↑ 5.0 5.1 5.2 5.3 CGE Academy, "Risk matrices", https://www.cgerisk.com/knowledgebase/Risk_matrices, Visited 05-02-2018
- ↑ 6.0 6.1 Nasdaq, "ASSESSING RISKS: INHERENT OR RESIDUAL", http://www.bwise.com/blog/assessing-risks-inherent-or-residual/obj5382859, Visited 08-02-2018
- ↑ 7.0 7.1 Wikipedia, "There are known knowns", https://en.wikipedia.org/wiki/There_are_known_knowns, Visited 03-02-2018
- ↑ 8.0 8.1 8.2 J. Geraldi, C. Thuesen and J. Oehmen, "How to Do Projects", Dansk Standard, (2017):.
- ↑ Chartered Accountants, "Treat Risks", https://survey.charteredaccountantsanz.com/risk_management/midsize-firms/treat.aspx, Visited 09-02-2018
- ↑ D. Hillson, "Effective Opportunity Management for Projects: Exploiting Positive Risk", Taylor & Francis, (2003):.
