Presentation manage risk
A- Eliciting risk information
- Communication and consultation may occur within the organization or between the organization and its stakeholders.
- It is very rare that only one person will hold all the information needed to identify the risks to a business or even to an activity or project.
- It is therefore important to identify the range of stakeholders who will assist in making this information complete.
B-Managing stakeholder perceptions for management of risk
Tips for effective communication and consultation
• Determine at the outset whether a communication strategy and/or plan is required
• Determine the best method or media for communication and consultation
• The significance or complexity of the issue or activity in question can be used as a guide as to how much communication and consultation is required: the more complex and significant to the organization, the more detailed and comprehensive the requirement.
Step 2. Establish the context
provides a five-step process to assist with establishing the context within which risk will be identified.
1- Establish the internal context
2- Establish the external context
3- Establish the risk management context
4- Develop risk criteria
5- Define the structure for risk analysis
SWOT
• A widely used framework for organizing and using data and information gained from situation analysis
• Encompasses both internal and external environments
• One of the most effective tools in the analysis of environmental data and information
SWOT description
• A SWOT analysis generates information that is helpful in matching an organization’s or a group’s goals, programs, and capacities to the social environment in which they operate
• It is an instrument within strategic planning
• When combined with a dialogue, it is a participatory process
SWOT
• Factors affecting an organization can usually be classified as:
• Internal factors
– Strengths (S)
– Weaknesses (W)
• External factors
– Opportunities (O)
– Threats (T)
[SWOT quadrant diagram: Strengths, Opportunities, Weaknesses, Threats]
SWOT: internal factors
• Strengths
– Positive tangible and intangible attributes, internal to an organization. They are within the organization’s control
• Weaknesses
– Factors that are within an organization’s control that detract from its ability to attain the core goal. In which areas might the organization improve?
SWOT: external factors
• Opportunities
– External attractive factors that represent the reason for an organization to exist and develop. What opportunities exist in the environment which will propel the organization?
– Identify them by their “time frames”
• Threats
– External factors, beyond an organization’s control, which could place the organization’s mission or operation at risk. The organization may benefit by having contingency plans to address them should they occur
– Classify them by their “seriousness” and “probability of occurrence”
1- Establish the internal context
-As previously discussed, risk is the chance of something happening that will impact on objectives.
As such, the objectives and goals of a business, project or activity must first be identified to ensure that all significant risks are understood.
This ensures that risk decisions always support the broader goals and objectives of the business. This approach encourages long-term and strategic thinking.
• In establishing the internal context, the business owner may also ask themselves the following questions:
- Is there an internal culture that needs to be considered? For example, are staff resistant to change? Is there a professional culture that might create unnecessary risks for the business?
- What staff groups are present?
- What capabilities does the business have in terms of people, systems, processes, equipment and other resources?
2. Establish the external context
• This step defines the overall environment in which a business operates and includes an understanding of the clients’ or customers’ perceptions of the business. An analysis of these factors will identify the strengths, weaknesses, opportunities and threats to the business in the external environment.
A business owner may ask the following questions when determining the external context:
• What regulations and legislation must the business comply with?
• Are there any other requirements the business needs to comply with?
• What is the market within which the business operates? Who are the competitors?
• Are there any social, cultural or political issues that need to be considered?
• Tips for establishing internal and external contexts
- Determine the significance of the activity in achieving the organization's goals and objectives
- Define the operating environment
- Identify internal and external stakeholders and determine their involvement in the risk management process.
3- Establish the risk management context
- Before beginning a risk identification exercise, it is important to define the limits, objectives and scope of the activity or issue under examination.
- For example, in conducting a risk analysis for a new project, such as the introduction of a new piece of equipment or a new product line, it is important to clearly identify the parameters for this activity to ensure that all significant risks are identified.
Tips for establishing the risk management context
• Define the objectives of the activity, task or function
• Identify any legislation, regulations, policies, standards and operating procedures that need to be complied with
• Decide on the depth of analysis required and allocate resources accordingly
• Decide what the output of the process will be, e.g. a risk assessment, job safety analysis or a board presentation. The output will determine the most appropriate structure and type of documentation.
What Is a Stakeholder?
• Stakeholders are those who have a stake or claim in some aspect of a company’s products, operations, markets, industry and outcomes
– Customers
– Investors
– Employees
– Suppliers
– Government agencies
– Communities
• Stakeholders can influence and are influenced by businesses
Topic 2
• Identify risks
Family Goals & Objectives
Overall Categories of Risk
• Legal Risk
• Price Risk
• Environmental Risk
• 5 D’s Risk: Death, Disability, Disagreement, Divorce, Disaster
• Production Risk
• Human Resources Risk
• Financial Risk
• Relationship/Public Relations Risk
[Risk management process diagram]
ESTABLISH THE CONTEXT
IDENTIFY RISKS
ANALYSE RISKS
EVALUATE RISKS
TREAT RISKS
Other diagram labels: COMMUNICATE AND CONSULT; MONITOR AND REVIEW; RISK ASSESSMENT
Identify risks
• Topic 1 - Invite relevant parties to assist in the identification of risks
• Topic 2 - Research risks that may apply to scope
• Topic 3 - Use tools and techniques to generate a list of risks that apply to the scope, in consultation with relevant parties
• Reference: AS/NZS 4360
Today's Topic
Topic 1
• Invite relevant parties to assist in the identification of risks
Who can assist in identifying Risk? Business Stakeholders!
[Diagram labels: Government, Employees, Business, Community, Consumers, Owners]
Who Are Business Stakeholders?
Primary and Secondary Stakeholders
• Primary stakeholders are those stakeholders that have a direct stake in the organization and its success
• Secondary stakeholders are those that have a public or special interest stake in the organization
Class Activity
• Choose an organisation of your choice
• Identify major stakeholders who can assist the management in identifying the Risk
[Activity diagram labels: Organization; Who Are Stakeholders?]
Step 3. Identify the risks
• Risk cannot be managed unless it is first identified. Once the context of the business has been defined, the next step is to utilize the information to identify as many risks as possible.
• The aim of risk identification is to identify possible risks that may affect, either negatively or positively, the objectives of the business and the activity under analysis. Answering the following questions identifies the risk:
Topic 2
• Research risks that may apply to scope
• There are two main ways to identify risk:
1- Identifying retrospective risks
Retrospective risks are those that have previously occurred, such as incidents or accidents. Retrospective risk identification is often the most common way to identify risk, and the easiest. It’s easier to believe something if it has happened before. It is also easier to quantify its impact and to see the damage it has caused.
• There are many sources of information about retrospective risk. These include:
• Hazard or incident logs or registers
• Audit reports
• Customer complaints
• Accreditation documents and reports
• Past staff or client surveys
• Newspapers or professional media, such as journals or websites.
2-Identifying prospective risks
• Prospective risks are often harder to identify. These are things that have not yet happened, but might happen some time in the future.
• Identification should include all risks, whether or not they are currently being managed. The rationale here is to record all significant risks and monitor or review the effectiveness of their control.
Topic 3
• Use tools and techniques to generate a list of risks that apply to the scope, in consultation with relevant parties
• Methods for identifying prospective risks include:
• Observation
• Generating ideas, which requires creativity
• Brainstorming with staff or external stakeholders
• Researching the economic, political, legislative and operating environment - PEST Analysis
• Conducting interviews with relevant people and/or organizations
• Undertaking surveys of staff or clients to identify anticipated issues or problems
• Flow charting a process - Fish bone diagram
• Reviewing system design or preparing system analysis techniques.
Risks identification through:
Observation
• Class Exercise
What do you see?
Are they moving?
Risk Identification tool : Observation
Observation – viewing or witnessing workplace hazards – is one of two methods for collecting data
Observation: Some Suggested Tools
1. Checklists
2. Scaled Ratings
3. Interval Observations
4. Narrative comments
Observation As A Data Collection Tool to identify Risk
Observation as a tool means either:
• Conducting a real time assessment (“on the spot”)
OR
• Drawing on your experiences (using recent memories of a situation or workplace)
The Two Tests
Reliability and Validity
Reliability: how dependably or consistently an observation measures a characteristic.
Validity: depends on the purpose of the analysis. Does your observation give an accurate and complete picture?
Maximizing Observation
AAD – Appropriate, Adequate and Documented
1. Use Appropriate samples of performance.
2. Is your sample Adequate? Is there enough content to make a reasoned assessment?
3. Document the assessment.
• Be Creative for Risk Identification
Improving Creativity to identify Risk
• Left- and Right-Brain Functions
• Class activity
Creative Decision-Making & Risk Identification
• Model of Decision-Making
Source: Reprinted with permission of the Free Press, a Division of Macmillan, Inc., from David Braybrooke and Charles C. Lindbloom. A Strategy of Decision, copyright © 1963 by The Free Press of Glencoe.
• Brainstorm ideas for identifying Risk
Brainstorming
• Brainstorming is a lateral thinking process.
• Brainstorming encourages open and random thinking and communications
• Brainstorming emphasizes right-brain activity.
– Rules for brainstorming:
• Put judgment and evaluation aside temporarily.
• Turn imagination loose, and start offering the results.
• Think of as many ideas as you can.
• Seek combination and improvement.
• Record all ideas in full view.
• Evaluate at a later session.
• Conduct PEST Analysis to Identify Risks
PEST Analysis SUMMARY
Political (incl. Legal) | Economic | Sociocultural | Technological
Environmental regulations and protection | Economic growth | Income distribution | Government research spending
Tax policies | Interest rates & monetary policies | Demographics, Population growth rates, Age distribution | Industry focus on technological effort
International trade regulations and restrictions | Government spending | Labor / social mobility | New inventions and development
Contract enforcement law, Consumer protection | Unemployment policy | Lifestyle changes | Rate of technology transfer
Employment laws | Taxation | Work/career and leisure attitudes, Entrepreneurial spirit | Life cycle and speed of technological obsolescence
Government organization / attitude | Exchange rates | Education | Energy use and costs
Competition regulation | Inflation rates | Fashion, hypes | (Changes in) Information Technology
Political Stability | Stage of the business cycle | Health consciousness & welfare, feelings on safety | (Changes in) Internet
Safety regulations | Consumer confidence | Living conditions | (Changes in) Mobile Technology
• Conduct Interview with expert To identify risks
Conduct Interviews with Experts
Talk with people in the industry who understand the value chain, the markets and the customers.
Data Collection Tool 2: Interviewing
Main types of interview for data collection:
1. the informal conversational interview
2. the interview guide approach
3. the standardized open-ended interview
4. the fixed-response interview
• Conduct surveys to identify risks
Surveys
• Survey is the first step of market research. A survey collects information from a specific group of people or data on a specific subject.
Forms of survey include:
• Face to face - Personal interview
• Telephone
• Mail
• Focus group and group interview
Cause & Effect/Fishbone/Ishikawa Diagram to identify Risks
Cause & Effect Diagram
• Also known as a fishbone diagram (looks like a fish spine) & as the Ishikawa diagram (Japanese designer of this tool)
• Used to identify the potential causes for an effect (problem) in the process
• Identifies and organizes potential areas for improvement activities
Fishbone Diagram (cause and effect)
[Diagram: Cause branches, grouped by factors and/or categories of factors, lead to a single Effect. Branch labels: Largest Influence, 2nd Largest Influence, 3rd Largest Cause, Least Influence]
• System analysis to identify risks
Risk Identification Process: System Approach
PMI – Project Risk Management, Risk Identification Process. Sanjeev, Vivek, Manju. www.perotsystems.com
Summary –Risk Identification
• Reference :http://www.madrid.org/cs/StaticFiles/Emprendedores/Analisis_Riesgos/pages/pdf/metodologia/3IdentificaciondelosRiesgos_en.pdf
Tips for effective risk identification
• Select a risk identification methodology appropriate to the type of risk and the nature of the activity
• Involve the right people in risk identification activities
• Take a life cycle approach to risk identification and determine how risks change and evolve throughout this cycle.
Step 4. Analyze the risks
• During the risk identification step, a business owner may have identified many risks and it is often not possible to try to address all those identified.
• The risk analysis step will assist in determining which risks have a greater consequence or impact than others.
Types of Risk: Business Related
• Financial – includes cash flow, budgetary requirements, tax obligations, creditor and debtor management, remuneration and other general account management concerns.
• Equipment – extends to equipment used to conduct the business and includes everyday use, maintenance, depreciation, theft, safety and upgrades.
• Organisational – relates to the internal requirements of a business, extending to the cultural, structural and human resources of the business.
• Security – includes the business premises, assets and people. Also extends to security of company information, intellectual property, and technology.
• Legal & regulatory compliance – includes legislation, regulations, standards, codes of practice and contractual requirements. Also extends to compliance with additional ‘rules’ such as policies, procedures or expectations, which may be set by contracts, customers or the social environment.
• Reputation – entails the threat to the reputation of the business due to the conduct of the entity as a whole, the viability of products/services, or the conduct of employees or others associated with the business.
• Operational – covers the planning, daily operational activities, resources (including people) and support required within a business that results in the successful development and delivery of products/services.
• Contractual – meeting obligations required in a contract including delivery, product/service quality, guarantees/warranties, insurance and other statutory requirements, non-performance.
• Service delivery – relates to the delivery of services, including the quality of service provided, or the manner in which a product is delivered. Includes customer interaction and after-sales service.
• Commercial – includes risks associated with market placement, business growth, product development, diversification and commercial success. Also to the commercial viability of products/services, extending through establishment, retention, growth of a customer base and return.
• Project – includes the management of equipment, finances, resources, technology, timeframes and people involved in the management of projects. Extends to internal operational projects, business development and external projects such as those undertaken for clients.
• Safety – including everyone associated with the business: individual, workplace and public safety. Also applies to the safety of products/services delivered by the business.
• Workplace safety - Every business has a duty of care underpinned by State and Federal legislation. This means that all reasonable steps must be taken to protect the health and safety of everyone at the workplace. Occupational health and safety is integrated with the overall risk management strategy to ensure that risks and hazards are always identified and reported. Measures must also be taken to reduce exposure to the risks as far as possible.
• Stakeholder management – includes identifying, establishing and maintaining the right relationships with both internal and external stakeholders.
• Client-customer relationship – potential loss of clients due to internal and external factors.
• Strategic – includes the planning, scoping, resourcing and growth of the business.
• Technology – includes the implementation, management, maintenance and upgrades associated with technology. Extends to recognising critical IT infrastructure and loss of a particular service/function for an extended period of time. It further takes into account the need and cost benefit associated with technology as part of a business development strategy.
Classification of Risk
• Reference :http://www.madrid.org/cs/StaticFiles/Emprendedores/Analisis_Riesgos/pages/pdf/metodologia/3IdentificaciondelosRiesgos_en.pdf
Class Exercise
• Trainer will give you a scenario
• Using the templates
• Identify Risks
• Assess Risks
Measuring Consequence
Catastrophic
• Multiple fatalities
• Widespread industrial action (months)
• Majority of stakeholders severely disadvantaged (months)
Major
• Single fatality
• Sustained industrial action (weeks)
• Multiple stakeholders severely disadvantaged (weeks)
Moderate
• Multiple casualties requiring hospital attention
• Consistent industrial dispute (weeks)
• Multiple stakeholders significantly disadvantaged (weeks)
Minor
• Minor injuries requiring medical attention
• Limited industrial action (days)
• Minority of stakeholders experience disadvantage (days)
Insignificant
• Minor injury requiring first aid only
• Isolated industrial unrest (days)
• Stakeholders experience minimal disadvantage (days)
Measuring Likelihood
• Almost Certain – Risk is occurring now, or is extremely likely to happen within current circumstances
• Likely – Balance of probability will occur
• Possible – May occur but against short term probabilities
• Unlikely – Could occur but not anticipated
• Rare – Occurrence requires exceptional circumstance and/or over a long period of time
Risk Rating
Likelihood / Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost Certain (A) | Significant | Significant | High | Extreme | Extreme
Likely (B) | Medium | Significant | Significant | High | Extreme
Possible (C) | Low | Medium | Significant | High | High
Unlikely (D) | Low | Low | Medium | Significant | High
Rare (E) | Low | Low | Medium | Significant | Significant
Evaluation
[Diagram: the level of risk, e.g. ‘HIGH’, is placed on a scale of increasing risk running from Tolerable to Intolerable]
The need for action
[Diagram: scale from Intolerable to Tolerable]
• Treat immediately
• Treat in the near future
• Treat in the longer term
• Monitor
Risk Treatment
• Risk Treatment for Business
• Risk Treatment for OHS
Treat the intolerable risks - Business
Treatment Options
Avoid
• Extreme risk
• Immediate occurrence
• Prolonged duration
• Poor/no controls
• No feasible mitigation
Accept
• Below risk tolerance
• Very low probability
• Transient duration
• Effective controls
• Further mitigation not practicable
Reduce
• Above risk tolerance
• Possible
• Critical duration
• Need improved controls
• Further mitigation is practicable
Exploit
• Lost opportunity
• Possible
• Critical duration
• Need new direction
• Benefit > cost
Share
• Above risk tolerance
• Possible
• Critical duration
• Controls adequate
• Internal mitigation not practicable/affordable
Stress Risk Assessment
Work
Organisation
Resources
Roles and relationships
Individual
Environment
Demands
• Topic 3 - Analyze risks
• Four Rules of Risk Management.
– Integrate risk management into planning. It’s easier to integrate risk management early in the life cycle of any operation (training).
– Accept no unnecessary risks. The key word is “unnecessary”. An unnecessary risk is a risk that does not contribute meaningfully to the mission. Leaders who take unnecessary risks are gambling.
– Make risk decisions at the proper level. The “proper level” is the level where the decision maker has the maturity and experience to make a good decision. Normally, this would be the leader responsible for the mission. Decisions should be made at the lowest possible level as long as the decision maker has the experience and maturity to make a good decision.
– Accept risks if the benefit outweighs the cost. Army leaders are in the risk-taking business. There is always risk, and where there is risk, sooner or later there will be an accident; risk management minimizes these accidents.
• Levels of Risk Management.
– Hasty Risk Management. A quick, often mental, consideration of the risk management process during an operational assessment.
– Deliberate Risk Management. Application of the safety risk management process using worksheets and the core elements of the process, e.g. operations analysis, preliminary hazard assessment (PHA), risk control options, training realism assessment (TRA), implementation procedures, and sustained monitoring.
– In-depth Risk Management. Working group application of more detailed qualitative and quantitative techniques, especially in the hazard identification, hazard assessment, and risk control options phases.
• Hazard Probability of a Risk.
– A risk assessment matrix is an effective tool that can be used to determine how risky an identified hazard is. Standard terms associated with risk assessment matrices include:
– Probability. How likely an event is to occur.
– Effect. Consequences if the event occurs.
• Key Definitions.
– Safety Risk Management - the application of systematic thinking to the problem of making a job safer (enhancing protection) and more effective.
– Hazard - a condition with the potential of causing injury to personnel, damage to equipment or structures, loss of material, or reduction of ability to perform a prescribed function.
– Risk - an expression of possible loss over a specific period of time or number of operational cycles.
– Risk Assessment - the process of detecting hazards and systematically assessing their overall risk. It involves the first two steps of the Risk Management process.
– Risk Management - a process whereby management decisions are made and actions implemented to reduce the effects of identified hazards.
– Gambling - Making non-systematic risk decisions.
Assessment of quality of risk management
[Illustrative diagram. Elements shown:]
• Management information
• Governance structure
• People
• Risk management processes
• Quality of implementation
• Approach to decision making
• Corporate culture
• Attitude of management
Risk Response Planning
• After identifying and quantifying risks, you must decide how to respond to them.
• Four main response strategies for negative risks:
– Risk avoidance
– Risk acceptance
– Risk transference
– Risk mitigation
• Revision
The basic process steps are:
• Establish the context
• Identify the risks
• Analyze the risks
• Evaluate the risks
• Treat the risks
Establish the context
• Environment - business, social, regulatory, cultural, competitive, financial and political situation.
• SWOT - organisation's strengths, weaknesses, opportunities and threats.
• Stakeholders - objectives and expectations of individuals, groups and organisations with a significant interest in the business.
Identify the risks
• To identify risk, you need to consider two key questions:
• Brainstorm ideas and group under appropriate risk headings.
• Consider the effects on people (staff, students and other people), information, physical assets and finances, reputation. Write the final list onto the table (risk assessment summary).
Identify the risks
Risk Category (Check your Handouts)
Analyze the risks
Ask Simple Questions
• What might happen? How might it happen?
• Will it be serious if it happens? How likely is it to happen?
• And finally, what is the risk?
Analyze the risks
Probability
The likeliness that an event will occur.
• Almost Certain (Frequent) - occurs often.
• Likely - Occurs several times.
• Occasional - occurs sporadically.
• Possible (Seldom) – Unlikely, but could occur.
• Unlikely – Probably won’t occur.
Analyze the risks
Consequences (Severity)
Severity is the expected result of an event (degree of injury, property damage or other mission impairing factors).
• Critical
• Major
• Moderate
• Minor
Risk Assessment Matrix
Probability: Frequent (A), Likely (B), Occasional (C), Seldom (D), Unlikely (E)
Severity: Catastrophic (I), Critical (II), Marginal (III), Negligible (IV)
Legend: E – Extremely High Risk; H – High Risk; M – Moderate Risk; L – Low Risk
Assess the Risk
Likelihood Consequences
Risk
5 Impact Categories
• Minor
• Disruptive
• Serious
• Critical
• Catastrophic
General
• Likelihood definitions and examples
• Impact definitions against each impact category
• Matrix purpose designed for application to military activities
• Specified Risk Tolerance Thresholds
LIKELIHOOD / IMPACT | Catastrophic | Critical | Serious | Disruptive | Minor
Almost Certain | 1 Extreme | 2 Extreme | 5 High | 9 Substantial | 16 Medium
Likely | 3 High | 4 High | 8 Substantial | 14 Medium | 21 Low
Occasional | 6 Substantial | 7 Substantial | 12 Medium | 15 Medium | 23 Low
Rare | 10 Medium | 11 Medium | 13 Medium | 20 Low | 24 Low
Highly Improbable | 17 Low | 18 Low | 19 Low | 22 Low | 25 Low
Tolerance Thresholds
Risk Rating Authority
Extreme
High
Substantial
Medium
Low
Topic 4
• Select and implement treatments
Potential risk treatments
• Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:[9]
• Avoidance (eliminate, withdraw from or not become involved)
• Reduction (optimize - mitigate)
• Sharing (transfer - outsource or insure)
• Retention (accept and budget)
Step 3: Control of Risk
THE HIERARCHY OF CONTROL:
• ELIMINATE (E)
– Stop the process immediately
• SUBSTITUTE (S)
– Use another product
– Outsource the process
• ENGINEER (En)
– Isolate the hazard (Is)
– Install guarding around the hazard (G)
• ADMINISTRATE (A)
– Document safe work procedures (SWP)
– Provide training (T)
– Perform inspections (I)
• PERSONAL PROTECTIVE EQUIPMENT (PPE)
– The final frontier!!!
Hierarchy of Controls
Eliminate if possible, otherwise a combination of these in this order of preference:
1. Substitute
2. Isolate risk
3. Engineer out
4. Information, instruction & training
5. Provide Personal Protective equipment
Risk Control: Engineering
Risk Control Gone Wrong
Risk Control: Substitution
Sometimes you can’t win!