Risk Management

Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

Risks can come from various sources including uncertainty in international markets, threats from project failures (at any phase in design, development, production, or sustaining of life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. There are two types of events i.e. negative events can be classified as risks while positive events are classified as opportunities. Risk management standards have been developed by various institutions, including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

Strategies to manage threats (uncertainties with negative consequences) typically include avoiding the threat, reducing the negative effect or probability of the threat, transferring all or part of the threat to another party, and even retaining some or all of the potential or actual consequences of a particular threat. The opposite of these strategies can be used to respond to opportunities (uncertain future states with benefits).

Method

For the most part, these methods consist of the following elements, performed, more or less, in the following order.

• Identify the threats
• Assess the vulnerability of critical assets to specific threats
• Determine the risk
• Identify ways to reduce those risks
• Prioritize risk reduction measures

Principles

The International Organization for Standardization (ISO) identifies the following principles of risk management:

Risk management should:

• Create value resources expended to mitigate risk should be less than the consequence of inaction
• Be an integral part of organizational processes
• Be part of decision-making process
• Explicitly address uncertainty and assumptions
• Be a systematic and structured process
• Be based on the best available information
• Be tailorable
• Take human factors into account
• Be transparent and inclusive
• Be dynamic, iterative and responsive to change
• Be capable of continual improvement and enhancement
• Be continually or periodically re-assessed

Response to Risks

Response to risks usually takes one of the following forms:

• Avoidance: A business strives to eliminate a particular risk by getting rid of its cause.
• Mitigation: Decreasing the projected financial value associated with a risk by lowering the possibility of the occurrence of the risk.
• Acceptance: In some cases, a business may be forced to accept a risk. This option is possible if a business entity develops contingencies to mitigate the impact of the risk, should it occur.

Risk Analysis Process

Risks analysis is a qualitative problem-solving approach that uses various tools of assessment to work out and rank risks for the purpose of assessing and resolving them. Here is the risk analysis process:

1. Identify existing risks

Risk identification mainly involves brainstorming. A business gathers its employees together so that they can review all the various sources of risk. The next step is to arrange all the identified risks in order of priority. Because it is not possible to mitigate all existing risks, prioritization ensures that those risks that can affect a business significantly are dealt with more urgently.

2. Assess the risks

In many cases, problem resolution involves identifying the problem and then finding an appropriate solution. However, prior to figuring out how best to handle risks, a business should locate the cause of the risks by asking the question, “What caused such a risk and how could it influence the business?”

3. Develop an appropriate response

Once a business entity is set on assessing likely remedies to mitigate identified risks and prevent their recurrence, it needs to ask the following questions: What measures can be taken to prevent the identified risk from recurring? In addition, what is the best thing to do if it does recur?

4. Develop preventive mechanisms for identified risks

Here, the ideas that were found to be useful in mitigating risks are developed into a number of tasks and then into contingency plans that can be deployed in the future. If risks occur, the plans can be put to action.