Risk management is a structured approach to managing the uncertainty related to a threat: a sequence of human activities including risk assessment, development of strategies to manage it, and mitigation of the risk using managerial resources. The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Some traditional forms of risk management focus on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, death and lawsuits). Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments. The objective of risk management is to reduce the different risks related to a preselected domain to the level accepted by society. It may refer to numerous types of threats caused by the environment, technology, humans, organizations and politics. It also involves all means available to humans, or in particular to a risk management entity (person, staff, organization).
Contents
2.1 Establish the context
2.2 Identification
2.3 Assessment
2.4 Potential risk treatments
2.4.1 Risk avoidance
2.4.2 Risk reduction
2.4.3 Risk retention
2.4.4 Risk transference
2.5 Create a risk management plan
2.6 Implementation
2.7 Review and evaluation of the plan
4.1 Enterprise risk management
4.2 Risk management activities as applied to project management
5 Risk management and business continuity
6 General references
7 Notes
8 Further reading
9 See also
10 External links
Some explanations
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss and risks with high loss but lower probability of occurrence can often be mishandled.

Intangible risk management identifies a new type of risk: a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materialises. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers and decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.

Risk management also faces difficulties allocating resources. This is the idea of opportunity cost: resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending while maximizing the reduction of the negative effects of risks.
  - the social scope of risk management
  - the identity and objectives of stakeholders
  - the basis upon which risks will be evaluated, constraints.
4. Defining a framework for the activity and an agenda for identification.
5. Developing an analysis of risks involved in the process.
6. Mitigation of risks using available technological, human and organizational resources.
Identification
After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.
Source analysis
Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.

Problem analysis
Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats may exist with various entities, most importantly with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; privacy information may be stolen by employees even within a closed network; lightning striking a Boeing 747 during takeoff may make all people on board immediate casualties. The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:
Objectives-based risk identification
Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as a risk.

Scenario-based risk identification
In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as a risk (see Futures Studies for the methodology used by futurists).

Taxonomy-based risk identification
The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks. Taxonomy-based risk identification in the software industry can be found in CMU/SEI-93-TR-6.
Common-risk checking
In several industries lists with known risks are available. Each risk in the list can be checked for application to a particular situation. An example of known risks in the software industry is the Common Vulnerabilities and Exposures list found at http://cve.mitre.org.

Risk charting
This method combines the above approaches by listing Resources at risk, Threats to those resources, Modifying Factors which may increase or reduce the risk, and Consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.
Assessment
Once risks have been identified, they must then be assessed as to their potential severity of loss and their probability of occurrence. These quantities can be either simple to measure, as in the case of the value of a lost building, or impossible to know for sure, as in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence, since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should give the management of the organization information in which the primary risks are easy to understand and on which risk management decisions can be prioritized.

Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:

    Rate of occurrence multiplied by the impact of the event equals risk

Later research has shown that the financial benefits of risk management depend less on the formula used and more on how frequently and how well risk assessment is performed. In business it is imperative to be able to present the findings of risk assessments in financial terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial terms. The Courtney formula was accepted as the official risk analysis method for US governmental agencies. The formula proposes calculation of ALE (annualised loss expectancy) and compares the expected loss value to the security control implementation costs (cost-benefit analysis).
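The Courtney-style comparison above, worked as an added Python example that is not from the original article: each scenario's annualised loss expectancy is its rate of occurrence multiplied by its impact, a candidate control's residual ALE and annual cost are subtracted from that, and a control is only worth implementing when the net benefit is positive; otherwise the risk is retained. The scenarios, controls, rates, impacts, costs and reduction factors are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float  # expected occurrences per year (rate of occurrence)
    impact: float       # loss per occurrence, in currency units

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # implementation plus upkeep, per year
    rate_factor: float    # fraction of the original rate left after the control
    impact_factor: float  # fraction of the original impact left after the control

def ale(s: Scenario) -> float:
    """Annualised loss expectancy: rate of occurrence multiplied by impact."""
    return round(s.annual_rate * s.impact, 2)

def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains once the control is in place."""
    return round(s.annual_rate * c.rate_factor * s.impact * c.impact_factor, 2)

def net_benefit(s: Scenario, c: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return round(ale(s) - residual_ale(s, c) - c.annual_cost, 2)

def recommend(s: Scenario, candidates: list) -> str:
    """Name of the control with the largest positive net benefit, or 'retain'
    when no candidate pays for itself (accept the loss and budget for it)."""
    best = max(candidates, key=lambda c: net_benefit(s, c), default=None)
    if best is None or net_benefit(s, best) <= 0:
        return "retain"
    return best.name

# Constructed sample figures (assumptions), not data from any real assessment.
RANSOMWARE = Scenario("ransomware on file server", annual_rate=0.5, impact=200_000)
LAPTOP_THEFT = Scenario("laptop stolen from car", annual_rate=2.0, impact=3_000)
METEOR = Scenario("meteor strike on data centre", annual_rate=1e-7, impact=50_000_000)

CONTROLS = {
    RANSOMWARE: [
        Control("offline backups", annual_cost=20_000, rate_factor=1.0, impact_factor=0.2),
        Control("endpoint detection", annual_cost=60_000, rate_factor=0.4, impact_factor=1.0),
    ],
    LAPTOP_THEFT: [
        Control("full-disk encryption", annual_cost=1_000, rate_factor=1.0, impact_factor=0.1),
    ],
    METEOR: [
        Control("relocate data centre", annual_cost=1_000_000, rate_factor=0.0, impact_factor=1.0),
    ],
}

if __name__ == "__main__":
    for scenario, controls in CONTROLS.items():
        print(f"{scenario.name}: ALE {ale(scenario):,.2f} -> {recommend(scenario, controls)}")
```

The meteor scenario shows the retention case: a catastrophic impact with a negligible rate yields an ALE of a few currency units, so no control that costs more than that is justified by this formula.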
- Avoidance (eliminate)
- Reduction (mitigate)
- Transference (outsource or insure)
- Retention (accept and budget)
Ideal use of these strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions. Another source, from the US Department of Defense, Defense Acquisition University, calls these categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense industry procurements, in which Risk Management figures prominently in decision making and planning.

Risk avoidance
Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.

Risk reduction
Involves methods that reduce the severity of the loss or the likelihood of the loss occurring. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy. Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a single iteration.
Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher capability at managing or reducing risks.[2] In this case companies outsource only some of their departmental needs. For example, a company may outsource only its software development, the manufacturing of hard goods, or customer support needs to another company, while handling the business management itself. This way, the company can concentrate more on business development without having to worry as much about the manufacturing process, managing the development team, or finding a physical location for a call center.

Risk retention
Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example, since most property and risks are not insured against war, so the loss attributed to war is retained by the insured. Also, any amount of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great that it would hinder the goals of the organization too much.

Risk transference
Many sectors have for a long time regarded insurance as a transfer of risk. This is not correct. Insurance is a post-event compensatory mechanism. That is, even if an insurance policy has been effected this does not mean that the risk has been transferred. For example, a personal injuries insurance policy does not transfer the risk of a car accident to the insurance company. The risk still lies with the policy holder, namely the person who has been in the accident. The insurance policy simply provides that if an accident (the event) occurs involving the policy holder, then some compensation may be payable to the policy holder that is commensurate to the suffering/damage.

Transference means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts. Other times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. Liability among construction or other contractors is very often transferred this way. On the other hand, taking offsetting positions in derivatives is typically how firms use hedging to financially manage risk. Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.
... about how each of the identified risks should be handled. Mitigation of risks often means selection of Security Controls, which should be documented in a Statement of Applicability, which identifies which particular control objectives and controls from the standard have been selected, and why.
Implementation
Follow all of the planned methods for mitigating the effect of the risks. Purchase insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that can be avoided without sacrificing the entity's goals, reduce others, and retain the rest.
Limitations
If risks are improperly assessed and prioritized, time can be wasted in dealing with risks of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. Unlikely events do occur, but if the risk is unlikely enough to occur it may be better to simply retain the risk and deal with the result if the loss does in fact occur. Prioritizing the risk management processes too highly could keep an organization from ever completing a project or even getting started. This is especially true if other work is suspended until the risk management process is considered complete. It is also important to keep in mind the distinction between risk and uncertainty. Risk can be measured by impact x probability.
- the cost associated with the risk if it arises, estimated by multiplying employee costs per unit time by the estimated time lost (cost impact, C where C = cost accrual ratio * S).
- the probable increase in time associated with a risk (schedule variance due to risk, Rs where Rs = P * S):
  - Sorting on this value puts the highest risks to the schedule first. This is intended to cause the greatest risks to the project to be attempted first so that risk is minimized as quickly as possible.
  - This is slightly misleading, as schedule variances with a large P and small S and vice versa are not equivalent. (The risk of the RMS Titanic sinking vs. the passengers' meals being served at slightly the wrong time.)
- the probable increase in cost associated with a risk (cost variance due to risk, Rc where Rc = P*C = P*CAR*S = P*S*CAR):
  - Sorting on this value puts the highest risks to the budget first.
  - See the concerns about schedule variance, as this is a function of it, as illustrated in the equation above.

Risk in a project or process can be due either to Special Cause Variation or Common Cause Variation and requires appropriate treatment. That is to reiterate the concern about extremal cases not being equivalent in the list immediately above.
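The schedule and cost variance ranking above, worked as an added Python example that is not code from the original article: Rs = P * S and Rc = P * CAR * S are computed for a small constructed set of project risks, the risks are sorted on each value, and pairs with near-equal Rs but very different P are flagged, since the Titanic-versus-late-meals caveat means such pairs must not be treated as equivalent. The risk titles, probabilities, schedule impacts and cost accrual ratios are constructed sample values, and the flagging thresholds are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class ProjectRisk:
    title: str
    p: float    # P: probability of occurrence, 0..1
    s: float    # S: schedule impact in working days if the risk materialises
    car: float  # CAR: cost accrual ratio, employee cost per working day

    def cost_impact(self) -> float:
        """C = CAR * S: cost of the time lost if the risk arises."""
        return self.car * self.s

    def schedule_variance(self) -> float:
        """Rs = P * S: probable increase in time due to the risk."""
        return self.p * self.s

    def cost_variance(self) -> float:
        """Rc = P * C = P * CAR * S: probable increase in cost due to the risk."""
        return self.p * self.cost_impact()

def rank_by_schedule(risks):
    """Titles ordered with the highest risk to the schedule first."""
    return [r.title for r in sorted(risks, key=ProjectRisk.schedule_variance, reverse=True)]

def rank_by_cost(risks):
    """Titles ordered with the highest risk to the budget first."""
    return [r.title for r in sorted(risks, key=ProjectRisk.cost_variance, reverse=True)]

def non_equivalent_pairs(risks, rs_tolerance=0.15, p_ratio=10.0):
    """Pairs whose Rs values lie within rs_tolerance of each other while their
    probabilities differ by at least p_ratio (assumed thresholds): a rare
    catastrophe and a frequent nuisance can share an Rs yet need very
    different treatment, so a plain sort on Rs would hide the difference."""
    flagged = []
    for a, b in combinations(risks, 2):
        rs_a, rs_b = a.schedule_variance(), b.schedule_variance()
        if min(rs_a, rs_b) == 0:  # P or S of zero: nothing to compare
            continue
        similar_rs = max(rs_a, rs_b) / min(rs_a, rs_b) <= 1 + rs_tolerance
        far_apart_p = max(a.p, b.p) / min(a.p, b.p) >= p_ratio
        if similar_rs and far_apart_p:
            flagged.append((a.title, b.title))
    return flagged

# Constructed sample register; the figures are illustrative only.
RISKS = [
    ProjectRisk("ship sinks", p=0.001, s=400, car=2_000),
    ProjectRisk("meals served late", p=0.9, s=0.4, car=2_000),
    ProjectRisk("key developer leaves", p=0.3, s=20, car=2_000),
    ProjectRisk("vendor API delayed", p=0.5, s=10, car=1_500),
]
```

With these figures "ship sinks" (Rs = 0.4) and "meals served late" (Rs = 0.36) land next to each other in the sorted list, and the flag is what tells the reader to treat the first as a special-cause catastrophe rather than a scheduling nuisance.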
- Planning how risk management will be held in the particular project. The plan should include risk management tasks, responsibilities, activities and budget.
- Assigning a risk officer: a team member other than the project manager who is responsible for foreseeing potential project problems. A typical characteristic of a risk officer is a healthy skepticism.
- Maintaining a live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved.
- Creating an anonymous risk reporting channel. Each team member should have the possibility to report a risk that he foresees in the project.
- Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of the mitigation plan is to describe how this particular risk will be handled: what, when, by whom and how it will be done to avoid it or minimize the consequences if it becomes a liability.
- Summarizing planned and faced risks, the effectiveness of mitigation activities, and the effort spent on risk management.