Risk Management Overview

Upload: william-crawford

Post on 04-Jan-2016

Risk Management

A risk is defined as an uncertain event or condition that, if it occurs, has an effect on business operations and/or objectives. A risk has a cause and, if it occurs, an impact.

Risk management is the act or practice of dealing with risk. It includes:

planning for risk,

assessing (identifying and analyzing) risks,

developing risk response strategies, and

monitoring risks to determine how risks have changed.

Proper risk management is proactive rather than reactive.

Therefore, proper risk management will attempt to reduce the likelihood of an event and/or the magnitude of its impact.

Contingency Planning / Disaster Recovery

Contingency Planning / Disaster Recovery differs from Risk Management in that Risk Management is proactive in mitigating the risk prior to the risk occurring.

Contingency Planning / Disaster Recovery is reactive planning for what to do once a risk occurs.

Risk Management

Without mitigation, risks will introduce chaos and failure even into a well-planned and managed organization.

A risk mitigation plan should be developed and implemented.

A contingency plan should be included for high risks with a triggering circumstance or measure defined to invoke it.

Management must choose which risks will have mitigation and contingency strategy plans developed and implemented for them.

When stating a risk, a three-part structured description of a risk should include: the cause, the risk, and the effect or impact.

The three elements of the risk meta-language can be summarized as:

“As a result of <definite cause>, an <uncertain event or risk> may occur, which would lead to <effect on operations / objectives>.”

Risk Example

As a result of the lack of sufficiently skilled HR resources, due to untimely turnover and/or retirement, the payroll cycle cannot be run, which would lead to significant delays in the staff receiving their paychecks.

Risk Management Steps

Risk Identification

Risk Analysis / Assessment

Risk Prioritization

Risk Response Planning

Risk Mitigation

Risk Monitoring and Controlling

Risk Identification & Assessment

Risk Identification and Assessment involves determining the risks that affect the business operations and objectives, categorizing the identified risks into defined key business functions, and in a structured manner providing an analysis to refine the risk description, isolating the cause, and determining the effects.

Once a risk is identified, you must then assess the risk based on the risk's:

likelihood of occurrence,

severity or impact,

level of control that you have to prevent the risk from occurring.

STEP 1 – ESTABLISH THE CONTEXT

The first step in the risk management process is focused on the environment in which your organisation operates.

You need to consider this environment so that you can establish the boundaries in which risks must be managed and guide your decisions on managing risks.

To do this, you need to:

consider the outcomes you want to achieve in your activity

consider the environment in which your organisation operates

identify internal and external stakeholders

develop risk evaluation criteria.

Considering the outcomes to be achieved

First of all, make yourself aware of what your organisation does and the nature and extent of the activity you are planning.

Anything which poses a risk to what your organisation is trying to do needs to be considered.

You need a broad view of the activity at this stage, so that you focus on the main issues.

Considering the environment

Look at the relationship between the activity and its environment. Think about all the things which might support or impair your ability to manage the risks faced by your organisation.

These could be related to social, economic, legal, technological or environmental factors. You may or may not be able to control these factors.

For example, there may be legislation which impacts on your activity. While you cannot control what the legislation says, you can control how you comply with this legislation.

Identifying stakeholders

Stakeholders are individuals who may affect, or be affected by, any of your decisions on risk management.

– They could be employees, managers, volunteers, unions, financial and insurance organisations, customers, government, suppliers and service providers.

Different stakeholders have different needs, concerns and opinions and it is essential that you consult and communicate with them during the risk management process.

Developing risk evaluation criteria

Risk criteria are used to rank risks and decide whether they are acceptable or not.

Consider the level of risks your organisation is willing to accept from its environment.

The criteria may be affected by legal requirements, and the perceptions of external and internal stakeholders.

You might change these criteria when you identify particular risks and choose particular risk analysis techniques.

Example

For example, you may decide that one criterion for deciding whether a risk is acceptable or not is that the cost of managing the risk must be less than the financial loss if the risk occurred.

Documenting Step 1 – “Establish the context”

If you are analysing a major risk, you should document the full range of environmental factors which you have considered. These are:

the activity

the intended outcomes of the activity

critical factors in the environment

stakeholders

risk evaluation criteria.

Case study One

Work through Case Study One.

Types of Risk

Physical: involving personal injuries, environmental and weather conditions and the physical assets of your organisation, such as equipment and vehicles

Financial: involving theft, fraud, loans, membership fees, insurance costs, damages claims or penalties and fines

Legal: involving the responsibilities imposed by federal, state and local Government laws as well as laws derived from custom and judicial precedent

Ethical or moral / Cultural: involving actual or potential harm to the reputation or beliefs of an individual or organisation.

Environmental: potential damage to the local or global environment

Selecting methods to identify risks

When you undertake this step to identify risks, it is essential that those you consult are knowledgeable about the activity you are reviewing. Where the activity is complex, it may be best to work with a group.

You can use one or more of the following methods to identify risks:

Internal methods of identifying risks:

Look at the records of previous activities.

Examine the results of personal, local or overseas experience.

Arrange interviews and discussions with stakeholders.

Distribute surveys and questionnaires to stakeholders.

Conduct audits and physical inspections.

Directly observe the activity.

Analyse specific scenarios.

External methods of identifying risks:

Employ professional consultants, e.g. lawyers, accountants and workplace health and safety officers.

Employ industry specialists, e.g. marketers, business consultants and risk consultants.

Consult associated professional organisations, e.g. Hoteliers’ Association.

Conduct your own research using industry publications, newspapers and insurance tables.

Although it is not always possible to have all the information you need, try to do the best you can with the time and money available.

Sources of risk

Possible sources of risk are:

human behaviour

technology and technical issues

occupational health and safety

legal

political

property and equipment

environmental

financial/market

natural events.

Definition of Risk

A risk is an event (what can happen) that should be distinguished from the general sources of risk (how can the risk arise) and its impacts (what is the implication if it happens).

The impacts of risk will be dealt with later.

Risk

Source of risk (How can a risk arise?) and the corresponding risk event (What can happen?):

Example: Property and equipment. Risk event: Equipment breakdown

Example: Human behaviour. Risk event: Participants ignore warning signs

Risk variables

Some risks cannot be controlled by the organisation. However, they may still be able to be managed and therefore should be identified.

Classify Risks

Internal – those which are part of the organisation’s activity, e.g. risk of a client or participant being injured by the equipment used

External – those which impact on the organisation or its activities, e.g. legislative change that requires pools to be fenced

Random – those which are unpredictable, e.g. a lightning strike.

Consult widely

Communicating and consulting with others is absolutely essential when you work through the process of identifying risks.

There may be very few people who understand all of the elements of an activity.

Therefore, you need to discuss potential risks with a wide range of people.

Step 2 Documenting

At the end of Step 2 – “Identify the risks”, you should have a full list of the potential risks you are facing and their source.

This information is important to the next step of analysing the risk.

Always keep copies of checklists or reports you have used when identifying risks.

Summary

When you identify the potential risks of an activity, ask yourself the following questions:

What are the best methods to identify risks which are likely to occur in this activity?

Who should I consult to assist me in identifying risks?

What sources of risk are relevant to this activity?

What risks are likely to occur?

Are the risks internal, external or random?

What would be the perspective of both internal and external stakeholders on these risks?

Case study

Work through case study 2

Risk Assessment / Analysis

Likelihood

1 - Very Unlikely

2 - Somewhat Unlikely

3 - 50/50 Chance

4 - Highly Likely

5 - Nearly Certain

Severity

1 - Minor impact on operational cost, schedule, performance, etc.

2 - Moderate impact on operational cost, schedule, performance, etc.

3 - Significant impact on operations

4 - Very significant impact on operations

5 - Disastrous impact, operational failure

Level of Control

1 - Essentially avoidable through selected risk mitigation actions

2 - Highly controllable through organization actions

3 - Moderately controllable through organization actions

4 - Largely uncontrollable by the organization actions

5 - Uncontrollable by the organization

The initial assessment analysis for each risk is based on the cumulative value obtained from each assessment area, referred to as the Risk Significance. Each assessment area has a value of 1 - 5, so the cumulative value is between 3 and 15. The higher the assessment value, the higher the risk.

For example, a risk with a:

4 - High Likelihood of Occurrence

3 - Significant impact on operations

3 - Moderately controllable

10 Risk Significance Value

Generally risks with assessment values of 10 or higher would require further analysis including risk prevention or mitigating actions and possibly cost benefit analysis.

Risk Strategy

The next step is the Risk Response Planning Process. This is the process that identifies, evaluates, selects, and implements strategies in order to set risk at acceptable levels given the operational constraints and objectives. Risk Response Planning Strategies include:

Assumption - accepting the risk and its impact should it occur, best suited for low risk classifications

Avoidance - Not willing to accept the risk. This generally involves eliminating the source of the risk by a change in concept, requirements, specification and/or practices to reduce the risk to an acceptable level

Control - This option does not attempt to eliminate the source of the risk but seeks to reduce or mitigate the effect should the risk occur. It manages the effects of risk in a manner that reduces the likelihood and/or consequences of its occurrence on the project.

Transfer - This option may reallocate risk from one part of the system or organization to another, thereby reducing the overall risk's probability of occurrence and impact.

Risk Management Scenario #1

Scenario

A new academic networking curriculum has been developed and includes a 3 College consortium working through the network.

Risk

If a student(s) gains access to the operational systems at 1 of the 3 Colleges in the consortium, and changes or obtains sensitive operational data, the college may be subject to legal liability and lose credibility within the community.

Risk Management

QUESTIONS?

Risk Management Scenario #2

Scenario

All College Business Office functions and systems are located in one building.

Risk

If the college business office building becomes unavailable for a long duration due to fire, flood, etc., there will be a major disruption to the business operations of the College.

Risk Management Scenario #3

Scenario

A new off campus center is built and all IT Servers are located on the Main Campus

Risk

If data communication lines are cut, due to local construction, there will be a disruption in business operations.

Risk Management Exercise

Using each of the three scenarios provided earlier, define additional risks, including the three elements of the risk meta-language: cause, event, and effect or impact. Conduct a risk analysis to obtain the significance for each risk and determine the risk strategy that will be used.