Risk is the potential of gaining or losing something of value.
The International Organization for Standardization publication ISO 31000 (2009) / ISO Guide 73:2002 definition of risk is the ‘effect of uncertainty on objectives’. In this definition, uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information. It also includes both negative and positive impacts on objectives. Many definitions of risk exist in common usage, however this definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts.
Risk management is the identification, assessment, and prioritization of risks. The strategies to manage risks (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).
Method Of Risk Management
For the most part, these methods consist of the following elements, performed, more or less, in the following order.
- identify, characterize threats
- assess the vulnerability of critical assets to specific threats
- determine the risk (i.e. the expected likelihood and consequences of specific types of
- attacks on specific assets)
- identify ways to reduce those risks
- prioritize risk reduction measures based on a strategy
Risk Assessment
Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk (R):, the magnitude of the potential loss (L), and the probability (p) that the loss will occur. Acceptable risk is a risk that is understood and tolerated usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss.
Risk assessment consists of an objective evaluation of risk in which assumptions and uncertainties are clearly considered and presented. Part of the difficulty in risk management is that measurement of both of the quantities in which risk assessment is concerned – potential loss and probability of occurrence – can be very difficult to measure. The chance of error in measuring these two concepts is large. Risk with a large potential loss and a low probability of occurring is often treated differently from one with a low potential loss and a high likelihood of occurring. In theory, both are of nearly equal priority, but in practice it can be very difficult to manage when faced with the scarcity of resources, especially time, in which to conduct the risk management process.
Potential Risk Treatments
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:
- Avoidance (eliminate, withdraw from or not become involved)
- Reduction (optimize – mitigate)
- Sharing (transfer – outsource or insure)
- Retention (accept and budget)
Ideal use of these strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions. Another source, from the US Department of Defense, Defense Acquisition University, calls these categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense industry procurements, in which Risk Management figures prominently in decision making and planning.
Risk avoidance
This includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the legal liability that comes with it. Another would be not flying in order not to take the risk that the airplane was to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits. Increasing risk regulation in hospitals has led to avoidance of treating higher risk conditions, in favour of patients presenting with lower risk.
Risk reduction
Risk reduction or “optimization” involves reducing the severity of the loss or the likelihood of the loss from occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.
Acknowledging that risks can be positive or negative, optimizing risks means finding a balance between negative risk and the benefit of the operation or activity; and between risk reduction and effort applied. By an offshore drilling contractor effectively applying HSE Management in its organization, it can optimize risk to achieve levels of residual risk that are tolerable.
Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a single iteration.
Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher capability at managing or reducing risks. For example, a company may outsource only its software development, the manufacturing of hard goods, or customer support needs to another company, while handling the business management itself. This way, the company can concentrate more on business development without having to worry as much about the manufacturing process, managing the development team, or finding a physical location for a call center.
Risk sharing
Briefly defined as “sharing with another party the burden of loss or the benefit of gain, from a risk, and the measures to reduce a risk.”
The term of ‘risk transfer’ is often used in place of risk sharing in the mistaken belief that you can transfer a risk to a third party through insurance or outsourcing. In practice if the insurance company or contractor go bankrupt or end up in court, the original risk is likely to still revert to the first party. As such in the terminology of practitioners and scholars alike, the purchase of an insurance contract is often described as a “transfer of risk.” However, technically speaking, the buyer of the contract generally retains legal responsibility for the losses “transferred”, meaning that insurance may be described more accurately as a post-event compensatory mechanism. For example, a personal injuries insurance policy does not transfer the risk of a car accident to the insurance company. The risk still lies with the policy holder namely the person who has been in the accident. The insurance policy simply provides that if an accident (the event) occurs involving the policy holder then some compensation may be payable to the policy holder that is commensurate to the suffering/damage.
Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.
Risk retention
Involves accepting the loss, or benefit of gain, from a risk when it occurs. True self-insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example since most property and risks are not insured against war, so the loss attributed by war is retained by the insured. Also any amounts of potential loss (risk) over the amount insured are retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organization too much.
Risk probability and impact assessment
Risk probability and impact assessment is determining what the most likely impact will be if a risk event occurs and what the most likely probability is for the event to occur. A typical table of five consequences terms (insignificant–catastrophic) is compared against five likelihood terms (remote–highly likely). The various intersecting cells are denoted with their risk level (e.g. 3B or 4E matrix of consequence/probability).
‘Probability’ is the expression in a quantitative or mathematic sense such as 0.36 or 36%. Whereas ‘likelihood’ is the expression in a qualitative or descriptive sense, such as ‘high’ and ‘very low’
Diagrams can help teams analyze risks. The Ishikawa diagram can be used to break down risk areas into finer levels of detail, enabling the project team to have a greater understanding of the potential list of risks that should be reviewed. In addition to the Ishikawa diagram, WBS charts, OBS charts, SBS charts and Gantt charts depict different aspects of a project and allow the team to focus on different areas of potential risks.
The Delphi method is a refinement of expert judgment. When doing the risk assessment, we take the best guess of someone who has worked on similar projects and can, therefore, ‘estimate’ (guess!) the likely risks to the project.
Borrowed from strategic planning, SWOT analysis allows a project manager to determine any risk to their project from either external or internal factors or sources.
Risks may be treated, but if they are not, then there remains a potential that they will occur. Often a risk occurrence is greatly increased by an event. Understanding this process or the life of each risk allows you to understand when the risk needs to be treated.
The expected monetary value (EMV) of a risk is simply the cost impact multiplied by the likelihood when the likelihood is expressed as a percentage, that is: EMV = Likelihood x Impact
Furthermore, EMV is an indication of the level of risk; it is a tool for ranking priority of effort. EMV should not be thought of as a dependable method for calculating the appropriate level of contingency to cover that risk.
ISO-risk diagrams graphically indicate all the likelihood and consequences (impacts) that have the same or constant risk factor (RF) risks, where RF is defined as:
RF = Probability + Consequences – (Probability x Consequences)
(where both probability and consequences are scaled to be between zero and one.)
Monte-Carlo analysis is a statistical simulation technique for analyzing complex systems. The important part of Monte-Carlo analysis is the difference that results from considering this estimation variability and associated risks
A Tornado diagram is an output of a Monte-Carlo modeling tool and is simply a graph of the relative sensitivities of the output to the various inputs to that output. The sensitivities are drawn as horizontal lines, with the biggest stacked on the top, the next biggest underneath and so on down to the smallest.
Identify the risks
The following are ways that you and your team can identify project risks. Remember to consider positive risks, or opportunities, that could arise.
Call the project team together for the purpose of identifying risks. Have a facilitator and a recorder so that everyone has a voice and all risks are captured.
Review the major phases of the project plan with an eye toward risks.
Review lessons learned from past similar projects, looking at what went wrong on those projects and determining if that could happen in your current project. Also look at what went particularly well, and see if any of those were surprises that might be a positive risk for your project.
Do a SWOT analysis to examine strengths, weaknesses, opportunities, and threats to the project. This is another good way to look at positive as well as negative risks.
Consider risk categories including technical, external, organizational, and project management factors. Technical aspects might include project requirements and the complexity or reliability of technology being used in the project. External factors might include subcontractors and suppliers, the weather, customer needs, the market, and regulatory changes. Organizational risks might include dependence on other projects, multiple demands for the same resources by different projects, competition for funding, or changing strategic priorities. Project management risks can include the accuracy of the work and cost estimates or methods for collecting status and tracking costs.
Consider the project triangle (scope, time, and money) along with other project drivers for risks. What might affect scope and activities? What can happen to key milestones and the project finish date? The project budget and expenses? Resource availability and performance? Quality?
Score the risks
After you’ve captured the risks, it’s time to score them as to probability and impact. For each risk, enter either a number or percentage that represents the likelihood of this risk to be realized.
Also for each risk, enter a number that represents the importance or impact this risk would have if it happened. You can make the scale be whatever seems most useful to you, as long as you apply it consistently to all risks. Multiply the two numbers, and you have your risk score.
Prioritize the risks
Order the risks from highest to lowest risk scores to help you see where you need the most focus in your risk management plan. As you scan your list of prioritized risks, you’ll probably see natural groupings:
Risks with the higher scores call for a planned response.
Risks with moderate scores call for a case-by-case decision as to whether they warrant a planned response.
Risks with low scores are not likely to need a planned response, but they are worth revisiting occasionally throughout the life of the project to see whether conditions have changed to give them a higher priority.
Develop the risk management plan
With your scored and prioritized risks, you now have the basis for developing the risk management plan for your project. For each of the risks that you’ve decided that your team needs to manage, determine the following possible responses:
Avoid the risk. If the risk incurred isn’t worth being part of the project, then eliminate it. For example, it might be wiser to replace a task or resource that carries an unacceptably high risk with a suitable alternative.
Transfer the risk to someone else’s responsibility, for example, another department or a vendor. Other examples include insurance or warranties. The cost of transferring the risk needs to be less than what you’d experience if you retained responsibility for the risk.
Create a contingency plan to prevent the risk from happening, or to mitigate or minimize the effect of the risk if it happens. This is the part of your risk management plan that’s likely to take the most effort, because you’re creating an alternative plan along with trigger points that determine when the contingency plan is activated.
Accept the risk. For some high-priority risks, it’s more cost-effective to “take the risk” than to avoid, transfer, or mitigate it.
Note that the plan for a single risk can include one or more of these responses. For example, you might do what you can to prevent the risk from happening, but you might also have a plan for what you’d do if it happens anyway.
When deciding which of the approaches to take, consider the costs in terms of money, time, and effort. You want to strike a healthy balance between moving forward with your project and avoiding, preventing, or planning for important risks.