Risk management

Risk management is a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources. The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Some traditional risk managements are focused on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, death and lawsuits). Financial risk management, on the other hand, focuses on risks that can e managed using traded financial instruments. The o !ective of risk management is to reduce different risks related to a preselected domain to the level accepted y society. "t may refer to numerous types of threats caused y environment, technology, humans, organi#ations and politics. $n the other hand it involves all means availa le for humans, or in particular, for a risk management entity (person, staff, organi#ation).

Contents

% Some e&planations ' Steps in the risk management process

o o o o

'.% (sta lish the conte&t '.' "dentification '.) *ssessment '.+ ,otential risk treatments

'.+.% -isk avoidance '.+.' -isk reduction '.+.) -isk retention '.+.+ -isk Transference

o o o

'.. /reate a risk management plan '.0 "mplementation '.1 -eview and evaluation of the plan

) 2imitations + *reas of risk management

o o

+.% (nterprise risk management +.' -isk management activities as applied to pro!ect management

. -isk management and usiness continuity 0 3eneral references 1 4otes 5 Further reading 6 See also %7 (&ternal links

Some explanations
"n ideal risk management, a prioriti#ation process is followed where y the risks with the greatest loss and the greatest pro a ility of occurring are handled first, and risks with lower pro a ility of occurrence and lower loss are handled in descending order. "n practice the process can e very difficult, and alancing etween risks with a high pro a ility of occurrence ut lower loss versus a risk with high loss ut lower pro a ility of occurrence can often e mishandled. "ntangi le risk management identifies a new type of risk 8 a risk that has a %779 pro a ility of occurring ut is ignored y the organi#ation due to a lack of identification a ility. For e&ample, when deficient knowledge is applied to a situation, a knowledge risk materialises. -elationship risk appears when ineffective colla oration occurs. ,rocess8engagement risk may e an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profita ility, service, quality, reputation, rand value, and earnings quality. "ntangi le risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity. -isk management also faces difficulties allocating resources. This is the idea of opportunity cost. -esources spent on risk management could have een spent on more profita le activities. *gain, ideal risk management minimi#es spending while ma&imi#ing the reduction of the negative effects of risks.

Steps in the risk management process

Establish the context
(sta lishing the conte&t involves %. Identification of risk in a selected domain of interest '. Planning the remainder of the process. ). Mapping out the following:

o o o

the social scope of risk management the identity and o !ectives of stakeholders the asis upon which risks will e evaluated, constraints.

+. Defining a framework for the activity and an agenda for identification. .. Developing an anal sis of risks involved in the process. 0. Mitigation of risks using availa le technological, human and organi#ational resources.

Identification
*fter esta lishing the conte&t, the ne&t step in the process of managing risk is to identify potential risks. -isks are a out events that, when triggered, cause pro lems. :ence, risk identification can start with the source of pro lems, or with the pro lem itself.

Source anal sis -isk sources may e internal or e&ternal to the system that is the target of risk management. (&amples of risk sources are: stakeholders of a pro!ect, employees of a company or the weather over an airport. Problem anal sis -isks are related to identified threats. For e&ample: the threat of losing money, the threat of a use of privacy information or the threat of accidents and casualties. The threats may e&ist with various entities, most important with shareholders, customers and legislative odies such as the government.

;hen either source or pro lem is known, the events that a source may trigger or the events that can lead to a pro lem can e investigated. For e&ample: stakeholders withdrawing during a pro!ect may endanger funding of the pro!ect< privacy information may e stolen y employees even within a closed network< lightning striking a =oeing 1+1 during takeoff may make all people on oard immediate casualties. The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed y templates or the development of templates for identifying source, pro lem or event. /ommon risk identification methods are:

!b"ectives#based risk identification $rgani#ations and pro!ect teams have o !ectives. *ny event that may endanger achieving an o !ective partly or completely is identified as risk. Scenario#based risk identification "n scenario analysis different scenarios are created. The scenarios may e the alternative ways to achieve an o !ective, or an analysis of the interaction of forces in, for e&ample, a market or attle. *ny event that triggers an undesired scenario alternative is identified as risk 8 see Futures Studies for methodology used y Futurists. $axonom #based risk identification The ta&onomy in ta&onomy8 ased risk identification is a reakdown of possi le risk sources. =ased on the ta&onomy and knowledge of est practices, a questionnaire is compiled. The answers to the questions reveal risks. Ta&onomy8 ased risk identification in software industry can e found in />?@S("86)8T-80.

Common#risk Checking "n several industries lists with known risks are availa le. (ach risk in the list can e checked for application to a particular situation. *n e&ample of known risks in the software industry is the /ommon Aulnera ility and (&posures list found at http:@@cve.mitre.org. Risk Charting This method com ines the a ove approaches y listing -esources at risk, Threats to those resources >odifying Factors which may increase or reduce the risk and /onsequences it is wished to avoid. /reating a matri& under these headings ena les a variety of approaches. $ne can egin with resources and consider the threats they are e&posed to and the consequences of each. *lternatively one can start with the threats and e&amine which resources they would affect, or one can egin with the consequences and determine which com ination of threats and resources would e involved to ring them a out.

%ssessment
$nce risks have een identified, they must then e assessed as to their potential severity of loss and to the pro a ility of occurrence. These quantities can e either simple to measure, in the case of the value of a lost uilding, or impossi le to know for sure in the case of the pro a ility of an unlikely event occurring. Therefore, in the assessment process it is critical to make the est educated guesses possi le in order to properly prioriti#e the implementation of the risk management plan. The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not availa le on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. *sset valuation is another question that needs to e addressed. Thus, est educated opinions and availa le statistics are the primary sources of information. 4evertheless, risk assessment should produce such information for the management of the organi#ation that the primary risks are easy to understand and that the risk management decisions may e prioriti#ed. Thus, there have een several theories and attempts to quantify risks. 4umerous different risk formulae e&ist, ut perhaps the most widely accepted formula for risk quantification is: Rate of occurrence multiplied y the impact of the event equals risk 2ater research has shown that the financial enefits of risk management are less dependent on the formula used ut are more dependent on the frequency and how risk assessment is performed. "n usiness it is imperative to e a le to present the findings of risk assessments in financial terms. -o ert /ourtney Br. ("=>, %617) proposed a formula for presenting risks in financial terms. The /ourtney formula was accepted as the official risk analysis method for the ?S governmental agencies. The formula proposes calculation of *2( (annualised loss e&pectancy) and compares the e&pected loss value to the security control implementation costs (cost8 enefit analysis).

Potential risk treatments

$nce risks have een identified and assessed, all techniques to manage the risk fall into one or more of these four ma!or categories:C%D

%voidance (eliminate) Reduction (mitigate) $ransference (outsource or insure) Retention (accept and udget)

"deal use of these strategies may not e possi le. Some of them may involve trade8offs that are not accepta le to the organi#ation or person making the risk management decisions. *nother source, from the ?S Eepartment of Eefense, Eefense *cquisition ?niversity, calls these categories %C%$, for *void, /ontrol, *ccept, or Transfer. This use of the */*T acronym is reminiscent of another */*T (for *cquisition /ategory) used in ?S Eefense industry procurements, in which -isk >anagement figures prominently in decision making and planning. Risk avoidance "ncludes not performing an activity that could carry risk. *n e&ample would e not uying a property or usiness in order to not take on the lia ility that comes with it. *nother would e not flying in order to not take the risk that the airplane were to e hi!acked. *voidance may seem the answer to all risks, ut avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. 4ot entering a usiness to avoid the risk of loss also avoids the possi ility of earning profits. Risk reduction "nvolves methods that reduce the severity of the loss or the likelihood of the loss from occurring. (&amples include sprinklers designed to put out a fire to reduce the risk of loss y fire. This method may cause a greater loss y water damage and therefore may not e suita le. :alon fire suppression systems may mitigate that risk, ut the cost may e prohi itive as a strategy. >odern software development methodologies reduce risk y developing and delivering software incrementally. (arly methodologies suffered from the fact that they only delivered software in the final phase of development< any pro lems encountered in earlier phases meant costly rework and often !eopardi#ed the whole pro!ect. =y developing in iterations, software pro!ects can limit effort wasted to a single iteration. $utsourcing could e an e&ample of risk reduction if the outsourcer can demonstrate higher capa ility at managing or reducing risks. C'D "n this case companies outsource only some of their departmental needs. For e&ample, a company may outsource only its software development, the manufacturing of hard goods, or customer support needs to another company, while handling the usiness management itself. This way, the company can concentrate more on usiness development without having to worry as much a out the manufacturing process, managing the development team, or finding a physical location for a call center. Risk retention

"nvolves accepting the loss when it occurs. True self insurance falls in this category. -isk retention is a via le strategy for small risks where the cost of insuring against the risk would e greater over time than the total losses sustained. *ll risks that are not avoided or transferred are retained y default. This includes risks that are so large or catastrophic that they either cannot e insured against or the premiums would e infeasi le. ;ar is an e&ample since most property and risks are not insured against war, so the loss attri uted y war is retained y the insured. *lso any amounts of potential loss (risk) over the amount insured is retained risk. This may also e accepta le if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organi#ation too much. Risk $ransference >any sectors have for a long time regarded insurance as a transfer of risk. This is not correct. "nsurance is a post event compensatory mechanism. That is, even if an insurance policy has een effected this does not mean that the risk has een transferred. For e&ample, a personal in!uries insurance policy does not transfer the risk of a car accident to the insurance company. The risk still lies with the policy holder namely the person who has een in the accident. The insurance policy simply provides that if an accident (the event) occurs involving the policy holder then some compensation may e paya le to the policy holder that is commensurate to the suffering@damage. Fthe rest needs to e su stantially alteredD >eans causing another party to accept the risk, typically y contract or y hedging. "nsurance is one type of risk transfer that uses contracts. $ther times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. 2ia ility among construction or other contractors is very often transferred this way. $n the other hand, taking offsetting positions in derivatives is typically how firms use hedging to financially manage risk. Some ways of managing risk fall into multiple categories. -isk retention pools are technically retaining the risk for the group, ut spreading it over the whole group involves transfer among individual mem ers of the group. This is different from traditional insurance, in that no premium is e&changed etween mem ers of the group up front, ut instead losses are assessed to all mem ers of the group.

Create a risk management plan

Select appropriate controls or countermeasures to measure each risk. -isk mitigation needs to e approved y the appropriate level of management. For e&ample, a risk concerning the image of the organi#ation should have top management decision ehind it whereas "T management would have the authority to decide on computer virus risks. The risk management plan should propose applica le and effective security controls for managing the risks. For e&ample, an o served high risk of computer viruses could e mitigated y acquiring and implementing antivirus software. * good risk management plan should contain a schedule for control implementation and responsi le persons for those actions. *ccording to "S$@"(/ '177%, the stage immediately after completion of the -isk *ssessment phase consists of preparing a -isk Treatment ,lan, which should document the decisions

a out how each of the identified risks should e handled. >itigation of risks often means selection of Security /ontrols, which should e documented in a Statement of *pplica ility, which identifies which particular control o !ectives and controls from the standard have een selected, and why.

Implementation
Follow all of the planned methods for mitigating the effect of the risks. ,urchase insurance policies for the risks that have een decided to e transferred to an insurer, avoid all risks that can e avoided without sacrificing the entityGs goals, reduce others, and retain the rest.

Review and evaluation of the plan

"nitial risk management plans will never e perfect. ,ractice, e&perience, and actual loss results will necessitate changes in the plan and contri ute information to allow possi le different decisions to e made in dealing with the risks eing faced. -isk analysis results and management plans should e updated periodically. There are two primary reasons for this: %. to evaluate whether the previously selected security controls are still applica le and effective, and '. to evaluate the possi le risk level changes in the usiness environment. For e&ample, information risks are a good e&ample of rapidly changing usiness environment.

&imitations
"f risks are improperly assessed and prioriti#ed, time can e wasted in dealing with risk of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could e used more profita ly. ?nlikely events do occur ut if the risk is unlikely enough to occur it may e etter to simply retain the risk and deal with the result if the loss does in fact occur. ,rioriti#ing too highly the risk management processes could keep an organi#ation from ever completing a pro!ect or even getting started. This is especially true if other work is suspended until the risk management process is considered complete. "t is also important to keep in mind the distinction etween risk and uncertainty. -isk can e measured y impacts & pro a ility.

%reas of risk management

*s applied to corporate finance, risk management is the technique for measuring, monitoring and controlling the financial or operational risk on a firmGs alance sheet. See value at risk. The =asel "" framework reaks risks into market risk (price risk), credit risk and operational risk and also specifies methods for calculating capital requirements for each of these components.

Enterprise risk management

"n enterprise risk management, a risk is defined as a possi le event or circumstance that can have negative influences on the enterprise in question. "ts impact can e on the very e&istence, the resources (human and capital), the products and services, or the customers of the enterprise, as well as e&ternal impacts on society, markets, or the environment. "n a financial institution, enterprise risk management is normally thought of as the com ination of credit risk, interest rate risk or asset lia ility management, market risk, and operational risk. "n the more general case, every pro a le risk can have a pre8formulated plan to deal with its possi le consequences (to ensure contingency if the risk ecomes a liability). From the information a ove and the average cost per employee over time, or cost accrual ratio, a pro!ect manager can estimate:

the cost associated with the risk if it arises, estimated y multiplying employee costs per unit time y the estimated time lost (cost impact, C where C = cost accrual ratio * S). the pro a le increase in time associated with a risk ( schedule variance due to risk, Rs where -s H , I S):
o

Sorting on this value puts the highest risks to the schedule first. This is intended to cause the greatest risks to the pro!ect to e attempted first so that risk is minimi#ed as quickly as possi le. This is slightly misleading as schedule variances with a large , and small S and vice versa are not equivalent. (The risk of the ->S Titanic sinking vs. the passengersG meals eing served at slightly the wrong time).

the pro a le increase in cost associated with a risk ( cost variance due to risk, Rc where -c H ,I/ H ,I/*-IS H ,ISI/*-)
o o

sorting on this value puts the highest risks to the udget first. see concerns a out schedule variance as this is a function of it, as illustrated in the equation a ove.

-isk in a pro!ect or process can e due either to Special /ause Aariation or /ommon /ause Aariation and requires appropriate treatment. That is to re8iterate the concern a out e&tremal cases not eing equivalent in the list immediately a ove.

Risk management activities as applied to pro"ect management

"n pro!ect management, risk management includes the following activities:

,lanning how risk management will e held in the particular pro!ect. ,lan should include risk management tasks, responsi ilities, activities and udget. *ssigning a risk officer 8 a team mem er other than a pro!ect manager who is responsi le for foreseeing potential pro!ect pro lems. Typical characteristic of risk officer is a healthy skepticism.

>aintaining live pro!ect risk data ase. (ach risk should have the following attri utes: opening date, title, short description, pro a ility and importance. $ptionally a risk may have an assigned person responsi le for its resolution and a date y which the risk must e resolved. /reating anonymous risk reporting channel. (ach team mem er should have possi ility to report risk that he foresees in the pro!ect. ,reparing mitigation plans for risks that are chosen to e mitigated. The purpose of the mitigation plan is to descri e how this particular risk will e handled J what, when, y who and how will it e done to avoid it or minimi#e consequences if it ecomes a lia ility. Summari#ing planned and faced risks, effectiveness of mitigation activities, and effort spent for the risk management.

Risk management and business continuit

-isk management is simply a practice of systematically selecting cost effective approaches for minimising the effect of threat reali#ation to the organi#ation. *ll risks can never e fully avoided or mitigated simply ecause of financial and practical limitations. Therefore all organi#ations have to accept some level of residual risks. ;hereas risk management tends to e preemptive, usiness continuity planning (=/,) was invented to deal with the consequences of realised residual risks. The necessity to have =/, in place arises ecause even very unlikely events will occur if given enough time. -isk management and =/, are often mistakenly seen as rivals or overlapping practices. "n fact these processes are so tightly tied together that such separation seems artificial. For e&ample, the risk management process creates important inputs for the =/, (assets, impact assessments, cost estimates etc). -isk management also proposes applica le controls for the o served risks. Therefore, risk management covers several areas that are vital for the =/, process. :owever, the =/, process goes eyond risk managementGs preemptive approach and moves on from the assumption that the disaster will reali#e at some point.