Risk Management
What is RISK?
n
nRisk can be considered “good”—that is, when the results are better than expected (higher returns)—or “bad”—that is, when the results are worse than expected (lower returns)
nStand-alone risk—risk of an investment if it was held by itself, or alone
n
n
nA probability distribution summarizes each possible outcome along with the chance, or probability, that the outcome will occur
We know that an investment is risky if more than one future outcome is possible—that is, there are two or more possible payoffs associated with the investment
Risk management
Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
Risks can come from various sources including uncertainty in international markets, threats from project failures (at any phase in design, development, production, or sustaining of life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root-cause.
There are two types of events i.e. negative events can be classified as risks while positive events are classified as opportunities. Risk management standards have been developed by various institutions, including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO standards.
Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.
Strategies to manage threats (uncertainties with negative consequences) typically include avoiding the threat, reducing the negative effect or probability of the threat, transferring all or part of the threat to another party, and even retaining some or all of the potential or actual consequences of a particular threat. The opposite of these strategies can be used to respond to opportunities (uncertain future states with benefits).
Certain risk management standards have been criticized for having no measurable improvement on risk, whereas the confidence in estimates and decisions seems to increase.
Risks vs. opportunities
Opportunities first appear in academic research or management books in the 1990s. The first PMBoK Project Management Body of Knowledge draft of 1987 doesn't mention opportunities at all.
Modern project management school does recognize the importance of opportunities. Opportunities have been included in project management literature since the 1990s, e.g. in PMBoK, and became a significant part of project risk management in the years 2000s, when articles titled “opportunity management” also begin to appear in library searches. Opportunity management thus became an important part of risk management.
Modern risk management theory deals with any type of external events, positive and negative. Positive risks are called opportunities. Similarly to risks, opportunities have specific mitigation strategies: exploit, share, enhance, ignore.
In practice, risks are considered “usually negative”. Risk-related research and practice focus significantly more on threats than on opportunities. This can lead to negative phenomena such as target fixation
Risk Managing Method
For the most part, these methods consist of the following elements, performed, more or less, in the following order:
Identify the threats
Assess the vulnerability of critical assets to specific threats
Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
Identify ways to reduce those risks
Prioritize risk reduction measures
The Risk management knowledge area, as defined by the Project Management Body of Knowledge PMBoK, consists of the following processes:
- Plan Risk Management - defining how to conduct risk management activities.
- Identify Risks - identifying individual project risks as well as sources.
- Perform Qualitative Risk Analysis - prioritizing individual project risks by assessing probability and impact.
- Perform Quantitative Risk Analysis - numerical analysis of the effects.
- Plan Risk Responses - developing options, selecting strategies and actions.
- Implement Risk Responses - implementing agreed-upon risk response plans. In the 4th Ed. of PMBoK, this process was included as an activity in the Monitor and Control process, but was later separated as a distinct process in PMBoK 6th Ed.
- Monitor Risks - monitoring the implementation. This process was known as Monitor and Control in the previous PMBoK 4th Ed., when it also included the “Implement Risk Responses” process.
Potential risk treatments
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:
- Avoidance (eliminate, withdraw from or not become involved)
- Reduction (optimize – mitigate)
- Sharing (transfer – outsource or insure)
- Retention (accept and budget)
- Ideal use of these risk control strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions. Another source, from the US Department of Defense (see link), Defense Acquisition University, calls these categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense industry procurements, in which Risk Management figures prominently in decision making and planning.
Similarly to risks, opportunities have specific mitigation strategies: exploit, share, enhance, ignore.
* Reference: Wikipedia.
Comments
Post a Comment