Module 3 Risk MGMT


Module 3 - Risk Management

Identification, assessment & measurement of risk

Risk identification is the process of determining risks that could potentially prevent
an organisation from achieving its objectives. It includes documenting and
communicating the concern.

The objective of risk identification is the early and continuous identification of
events that, if they occur, will have negative impacts on the project's ability to
achieve performance or capability outcome goals. They may come from within the
project or from external sources.

Risk identification is the process of identifying and assessing threats to an
organization, its operations, and its workforce. One risk management approach,
consisting of the most common elements, can be described as follows:

1. Set responsibilities

2. Set risk appetite

3. Identify risks

4. Assess risks

5. Respond to risks

6. Monitor and review the process and adapt if necessary.

7. Start again.

Risk assessment is a term used to describe the overall process or method where
you:

• Identify hazards and risk factors that have the potential to cause harm
(hazard identification).
• Analyze and evaluate the risk associated with that hazard (risk analysis, and
risk evaluation).
• Determine appropriate ways to eliminate the hazard, or control the risk
when the hazard cannot be eliminated (risk control).
• A risk assessment is a thorough look at your workplace to identify those
things, situations, processes, etc. that may cause harm, particularly to
people.
• After identification is made, you analyze and evaluate how likely and severe
the risk is. When this determination is made, you can next decide what
measures should be in place to effectively eliminate or control the harm.

Risk assessment is a straightforward and structured method of ensuring the risks
to the health, safety and wellbeing of employees and stakeholders are suitably
eliminated, reduced or controlled.

The main purposes of risk assessments are:

✓ To identify health and safety hazards and evaluate the risks presented within
the workplace.
✓ To evaluate the effectiveness and suitability of existing control measures.
✓ To ensure additional controls are implemented wherever the remaining risk
is considered to be anything other than low.
✓ To prioritise further resources if needed to ensure the above.

Risk Measurement

Risk Measurement is a broad term denoting any activity that aims to quantify the
risks to an organization in numerical measures. The risks in scope for
measurement are normally thought to have been isolated in the Risk Identification
process.

Measurement Approaches
Depending on the risk type being measured there is a large variety of quantification
methodologies and tools. Quantitative Risk Management and Quantitative Risk
Models are both important, depending on the situation.

Risk measures are statistical measures that are historical predictors of risk and
volatility, and they are also major components in modern management:

✓ Risk measures are statistical measures that are historical predictors of
investment risk and volatility.
✓ Risk measures are also major components in modern management for
assessing performance.

Framework of risk management systems

The Risk Management Framework provides a process that integrates security,
privacy, and cyber supply chain risk management activities into the system
development life cycle. The risk-based approach to control selection and
specification considers effectiveness, efficiency, and constraints due to applicable
laws, directives, Executive Orders, policies, standards, or regulations.

Managing organizational risk is paramount to effective information privacy
programs. The approach can be applied to new and old systems, and within any
type of organization regardless of size or sector.

The framework is designed to assess all the layers of the organization, understand
the goals of each project, and monitor all operating systems to identify and analyze
any possible risks. It is integrated with systems in the organization. A risk
management framework is used to provide key security information to businesses
so they can create successful risk management and justification strategies.

The important steps in the framework are

1. Prepare
2. Select
3. Implement
4. Assess
5. Authorize
6. Monitor

Concepts of risk appetite and risk response

Risk appetite is a description of the amount and types of risk that an organization
wishes to take in order to achieve its desired objectives. It usually starts with a
broadly written organization-wide statement and then provides a series of more
refined statements for certain situations. It represents a balance between the
potential benefits of innovation and the threats that change inevitably brings.

Risk appetites are unique to each and every organization because they are based
on specific strategies and attributes that influence organizational behaviours. A
risk appetite statement should communicate the following:

✓ Corporate Values: What risks is the organization unwilling to take and what
risks should be avoided?
✓ Strategy: What risks are inherent to the strategy?
✓ Stakeholders: How much and what kind of risk can they take on?
✓ Capacity: How much risk can the organization absorb?

Factors that influence risk appetite

Risk appetite, an integral component of enterprise risk management, can be
influenced by a wide variety of factors, including the following:

➢ culture of an organization;
➢ industry an organization is in;
➢ competitors;
➢ types of initiatives pursued; and
➢ current industry position and/or financial strength.

For organizations seeking to determine their risk appetite scale, it's important to
consider the probability of the risk and its impact. Once risk probability and impact
are used to drive an organization's risk priorities and focus, risk appetite can be
evaluated through analysis of the following parameters:

➢ Acceptable risk boundaries and actions. What exactly is the organization
willing to do within the "acceptable" risk appetite level?

➢ Risk exposure. Based on a desired set of actions and outcomes, does the risk
exposure increase, decrease or stay the same? The level of risk exposure
influences the risk appetite for any specific project or approach, and possibly
the overall direction an organization takes.

➢ Analysis of long-term objectives. Organizations should ultimately line up risk
appetite considerations with the longer-term objectives of the organization
and where it should be headed to accomplish strategic goals.

Risk Response

The risk response involves determining ways to reduce or eliminate any threats to
the project, and also ways to increase the impact of opportunities. Project managers
should work to eliminate threats before they occur. Similarly, project managers
should work to ensure that opportunities occur. Likewise, the project manager is
also responsible for decreasing the probability and impact of threats and
increasing the probability and impact of opportunities.

For the threats that cannot be mitigated, the project manager needs to have a
robust contingency plan and also a response plan in case contingencies do not work.

It is not required to eliminate all the risks of the project, due to resource and time
constraints. A project manager should review risk throughout the project. Planning
for risks is iterative. Qualitative risk analysis, quantitative risk analysis, and risk
response planning do not end once you begin work on the project.

Risk Response Strategies

There are four possible risk response strategies for negative risks:

➢ Avoid – eliminate the threat to protect the project from the impact of the
risk. An example of this is cancelling the project.
➢ Transfer – shift the impact of the threat to a third party, together with
ownership of the response. An example of this is insurance.
➢ Mitigate – act to reduce the probability of occurrence or the impact of the
risk. An example of this is choosing a different supplier.
➢ Accept – acknowledge the risk, but do not take any action unless the risk
occurs. An example of this is documenting the risk and putting aside funds
in case the risk occurs.

There are also four possible risk response strategies for positive risks, or
opportunities:

✓ Exploit – eliminate the uncertainty associated with the risk to ensure it
occurs. An example of this is assigning the best workers to a project to
reduce the time to complete it.
✓ Enhance – increase the probability or the positive impacts of an
opportunity. An example of this is adding more resources to finish early.
✓ Share – allocate some or all of the ownership of the opportunity to a third
party. An example of this is teams.
✓ Acceptance – be willing to take advantage of the opportunity if it arises
but not actively pursue it. An example of this is documenting the
opportunity and calculating the benefit if the opportunity occurs.

Strategic & Operational risks

Strategic risks arise when a business strategy fails to deliver the expected
outcomes, affecting the firm’s development and growth. Such risks can be
created due to a technological change, an evolving competitive landscape, or
changes in customer demands.

Some examples of strategic risk include:

• Consumer demand shifts
• Technological changes
• Regulatory changes
• Senior management turnover
• Merger integration
• Stakeholder pressure
• Competitive pressure

Operational risks can arise from inadequate or failed internal procedures,
employee errors, cybersecurity events, or external events. Operational risk
management (ORM) is critical to remove roadblocks to the execution of strategic
plans. Risk assessments are often performed as part of ORM to get a better idea of
how the ORM program is performing.

Operational risk points to an unexpected failure in the daily operations of a
company. The reason behind such a failure can be either technical issues or human
error. In some cases, the operational risk can occur for more than one reason.

In some cases, the operational risk can occur due to events outside of anyone's
control, like a natural disaster, trouble with the website host, or a power outage.
No matter the operational risk, it can interfere with the business's daily operations,
and it requires a solution.

Examples of Operational Risk

• Cybersecurity events (e.g., data breaches)
• Fraud
• Inadequate or failed internal processes
• Human error
• Inadequately-trained staff
• System downtime or failure
• Breakdown of process controls
• External events (e.g., earthquakes or pandemics)

Strategic Risk                                     | Operational Risk
-------------------------------------------------- | --------------------------------------------------
Risks arising from the consequences of strategic   | Losses arising from business operations
decisions                                          |
Arise from the strategic positioning of the        | Arise from inadequate or failed internal
company in its environment                         | processes
Risks include not enhancing old products and       | Risks include fraud, quality control failures
producing 'incorrect' new products                 | and lack of production
Identified and assessed at senior management       | Identified at operational level. Managed by
level. Managed by risk management strategy         | internal control systems

Assessing severity & probability of risk events
Risk impact assessment is the process of assessing the probabilities and
consequences of risk events if they are realized. The results of this assessment are
then used to prioritize risks to establish a most-to-least-critical importance ranking.
Ranking risks in terms of their criticality or importance provides insights to the
project's management on where resources may be needed to manage or mitigate
the realization of high probability/high consequence risk events.

Severity is the amount of damage or harm a hazard could create, and it is often
ranked on a four-point scale as follows:

➢ Catastrophic: Operating conditions are such that human error,
environment, design deficiencies, element, subsystem or component failure,
or procedural deficiencies may commonly cause death or major system loss,
thereby requiring immediate cessation of the unsafe activity or operation.
➢ Critical: Operating conditions are such that human error, environment,
design deficiencies, element, subsystem or component failure, or procedural
deficiencies may commonly cause severe injury or illness or major system
damage, thereby requiring immediate corrective action.
➢ Marginal: Operating conditions may commonly cause minor injury or illness
or minor system damage such that human error, environment, design
deficiencies, subsystem or component failure, or procedural deficiencies can
be counteracted or controlled without severe injury, illness, or major system
damage.
➢ Negligible: Operating conditions are such that personnel error,
environment, design deficiencies, subsystem or component failure, or
procedural deficiencies will result in no, or less than minor, illness, injury, or
system damage.

Probability

Probability is the likelihood of the hazard occurring, and it is often ranked on a
scale:

➢ Frequent: Likely to occur often in the life of an item.
➢ Probable: Will occur several times in the life of an item.
➢ Occasional: Likely to occur sometime in the life of an item.
➢ Remote: Unlikely but possible to occur in the life of an item.
➢ Improbable: So unlikely, it can be assumed an occurrence may not be
experienced.

The probability is the likelihood of an event occurring, and the consequences, the
extent to which the project is affected by an event, are the impacts of risk. By
combining the probability and impact, the Level of Risk can be determined. There
are various aspects of the project that can be affected by a risk event, such as cost,
safety, operation, quality, etc.

The probability assessment involves estimating the likelihood of a risk occurring.
The impact assessment estimates the effects of a risk event on a project objective.
These impacts can be both positive and negative, i.e., opportunities and threats.
The project objectives are numerous, e.g. the schedule, cost, quality and scope. For
each identified risk, the impact and probability are assessed.

Interviews and meetings with experienced project participants, stakeholders, and
experts in the subject are the basis for the impact and probability assessment.
These impacts and probabilities are rated and their level assessed. The risks which
receive high ratings are investigated further or an appropriate response is planned.
The low-rated risks do not require immediate action, but should be noted for
monitoring.

TARA framework for risk responses by management

TARA - Threat Assessment & Remediation Analysis

This model defines 4 scenarios depending on whether probability and impact have
High or Low values. Its name is an acronym for the strategies proposed in each
scenario:

✓ Transfer the Risk.
✓ Avoid the Risk.
✓ Reduce the Risk.
✓ Accept the Risk.

1. Transfer Strategy: Different parties should share the Risk. When the Probability
is reduced, people are willing to share Risks.

In some circumstances, risk can be transferred wholly or in part to a third party,
so that if an adverse event occurs, the third party suffers all or most of the loss. A
common example of risk transfer is insurance. Businesses arrange a wide range of
insurance policies for protection against possible losses. This strategy is also
sometimes referred to as sharing.

Risk sharing - An organisation might transfer its exposures to strategic risk by
sharing the risk with a joint venture partner or franchisees.

2. Avoid Strategy: When Probability and Impact are High, Risk should be avoided.
In these situations, you should not even analyze potential gains.
An organisation might choose to avoid a risk altogether. However, since risks are
unavoidable in business ventures, they can be avoided only by not investing (or
withdrawing from the business area completely). The same applies to not-for-
profit organisations: risk is unavoidable in the activities they undertake.

3. Reduce Strategy: To reduce exposure to the Risk and contain potential effects.
In this scenario your main Goal is not to have a large exposure to the Risk. The
strategy is to reduce the risk, either by limiting exposure in a particular area or
attempting to decrease the adverse effects should that risk actually crystallize.
Examples of risk reduction include:

Risk minimization: This is where controls are implemented that may not prevent
the risk occurring but will reduce its impact if it were to arise.

Risk pooling: When risks are pooled, the risks from many different transactions or
items are pooled together. Each individual transaction or item has its potential
upside and its downside; for example, each transaction might make a loss or a
profit. By treating them all as part of the same pool, the risks tend to cancel each
other out, and are lower for the pool as a whole than for each item individually.

4. Accept Strategy: If the Impact and the Odds are low, you can Accept a Risk.

In these scenarios, you should only worry about the Outcome, not Risks.
The final strategy is to simply accept that the risk may occur and decide to deal
with the consequences in that particular situation. The strategy is appropriate
normally where the adverse effect is minimal. For example, there is nearly always
a risk of rain; unless the business activity cannot take place when it rains, the
risk of rain occurring is not normally insured against.
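The severity and probability scales above, the most-to-least-critical ranking, and the four TARA responses, worked through in Python as an added example that is not part of the module text. The numeric scores, the product rule for combining them, the High/Medium/Low thresholds and the High/Low split of each scale are assumptions; placing Reduce in the high-probability, low-impact quadrant follows by elimination from the three quadrants the text assigns.

```python
"""Rate a small risk register on the module's severity and probability scales,
rank it, and pick a TARA response. Added example: every numeric score and
threshold below is an assumption, not something the module states."""
from dataclasses import dataclass

# Severity scale from the module (highest first); numeric scores are assumed.
SEVERITY = {"Catastrophic": 4, "Critical": 3, "Marginal": 2, "Negligible": 1}
# Probability scale from the module (most likely first); scores are assumed.
PROBABILITY = {"Frequent": 5, "Probable": 4, "Occasional": 3,
               "Remote": 2, "Improbable": 1}

@dataclass(frozen=True)
class Risk:
    name: str
    severity: str     # a key of SEVERITY
    probability: str  # a key of PROBABILITY

def risk_score(risk: Risk) -> int:
    """Level of risk = probability x impact (the product rule is an assumption)."""
    return PROBABILITY[risk.probability] * SEVERITY[risk.severity]

def risk_level(score: int) -> str:
    """Bucket a score (1..20) into High/Medium/Low; thresholds are assumed."""
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"

def tara_response(risk: Risk) -> str:
    """TARA quadrant. 'High' means the upper half of each scale (assumed split):
    Frequent/Probable for probability, Catastrophic/Critical for impact."""
    high_probability = PROBABILITY[risk.probability] >= 4
    high_impact = SEVERITY[risk.severity] >= 3
    if high_probability and high_impact:
        return "Avoid"      # both high: do not even analyse potential gains
    if high_impact:
        return "Transfer"   # low probability, high impact: insure or share
    if high_probability:
        return "Reduce"     # high probability, low impact: contain the exposure
    return "Accept"         # both low: note it and deal with it if it happens

def rank_register(register: list[Risk]) -> list[Risk]:
    """Most-to-least-critical ordering, as the impact assessment text describes."""
    return sorted(register, key=risk_score, reverse=True)

# Constructed sample register, for illustration only.
SAMPLE_REGISTER = [
    Risk("Rain on the day of the office move", "Negligible", "Occasional"),
    Risk("Unpatched internet-facing server compromised", "Critical", "Probable"),
    Risk("Flood at the primary data centre", "Catastrophic", "Remote"),
    Risk("Phishing email reaches a staff inbox", "Marginal", "Frequent"),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        s = risk_score(r)
        print(f"{s:2d} {risk_level(s):6s} {tara_response(r):8s} {r.name}")
```

Changing the thresholds or the High/Low split is the point of a risk appetite statement; the code only makes the chosen rule explicit and repeatable.
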

Monitoring of risk management strategies

Risk monitoring is the process which tracks and evaluates the levels of risk in an
organisation. As well as monitoring the risk itself, the discipline tracks and evaluates
the effectiveness of risk management strategies. The findings which are produced
by risk monitoring processes can be used to help to create new strategies and
update older strategies which may have proved to be ineffective.

The purpose of risk monitoring is to keep track of the risks that occur and the
effectiveness of the responses which are implemented by an organisation.
Monitoring can help to ascertain whether proper policies were followed, whether
new risks can now be identified or whether previous assumptions to do with these
risks are still valid.

Risk monitoring is an important business practice that helps businesses identify,
evaluate, track, and mitigate the risks present in the business environment. Risk
management is practiced by businesses of all sizes; small businesses do it
informally, while enterprises codify it.

The risk monitoring process is a framework for the actions that need to be taken.
There are five basic steps: it begins with identifying risks, goes on to analyzing
risks, then the risks are prioritized, a solution is implemented, and finally, the
risks are monitored. Each step involves a lot of documentation and administration.

✓ Identify the Risk
✓ Analyze the Risk
✓ Evaluate or Rank the Risk
✓ Treat the Risk
✓ Monitor and Review the Risk

The monitoring process usually takes place once the risk action plan has been
implemented. As soon as the plan is in place, the monitoring phase may begin, to
assess the effects that the plan has on the risks in question. However, monitoring
may also take place even if no formal plan has been put into place yet, for instance
monitoring the risk of a concern may occur whilst the risk management team
discusses what their preferred course of action would be, should the risk actually
occur.

Risk monitoring is important because it helps to highlight whether strategies are
effective or not. Risk monitoring can impact upon the management of
organizational risk because it can lead to the identification of new risks. Strategies
may also need to be changed or updated depending on the findings of risk
monitoring strategies.
