a

Introduction to Risk Management

Welcome to this course on introduction to risk management.

All types of organizations, face with the some form of risks, which may affect their

chance of success. Understanding the risks, and effectively managing these, will greatly

help the organizations, in achieving the long term success. Risk Management can be an important

tool, to eliminate potential problems in an organization. Even though the current version

of ISO 9001, does not specifically require the use of risk management, in the preventive

action clause, some of the industry specific standards require it specifically. For example,

the quality management standard for aviation industry, and healthcare industry, have risk

management requirement, included in the preventive action clause.

These are the topics covered in this course. First we will understand the definitions of

risk and risk management. Then we will look at five key steps for managing risks.

Companies face a number of internal and external factors, which make it uncertain, whether

the company will meet its objectives. These uncertain events, or conditions, are called

the risks. So far in this course, we thought that the risks always have a negative impact.

Lets be clear here, that the result of a risk, is not always negative.

Risks are uncertain events. These uncertain events could lead to positive or negative

results. Positive risks are known as opportunities. Organizations attempt to avoid, or reduce

the impacts of negative risks. However when it comes to the positive risks, organizations

would like to take maximum advantage of these opportunities.

This slide explains the difference between a risk, and an issue. While a risk is a future

uncertain event, an issue is an event which has already occurred.

The concepts of risk appetite, and risk tolerance, are related to the extent to which, an organization

is comfortable taking risk. Taking big risks could be lead to big losses, or big rewards.

While risk appetite is about the willingness to take risk, risk tolerance is about what

the organization can bear. As discussed on the previous slide, risk is

associated with reward. Organizations take risks to gain more rewards.

This is the definition of risk management, taken from wikipedia dot org. If you find

this definition confusing, then please proceed to the next slide. This same definition is

presented there, in form of a diagram. In risk management, you identify the potential

risks, then you assess them so that you know which of the identified risks are more critical

and which are less. Based on that assessment you give more priority to some risks and less

to others. You can not cover all risks since you have limited resources. With this priority

you put your resources on high priority risks. As we talked earlier a risk can be a negative

or positive risk. You attempt to minimize the impact of negative risks, monitor then

and keep them under control. However if it is a positive risk, or an opportunity, you

put your resources to maximize the opportunity. For risk management process to be effective,

these are some of the key principles, that should be considered. Since the organization

is spending resources, to manage risks, it should create value. Risk management should

be performed systematically, and be integral part of the organization's work processes.

As the organization matures, the types of risks or challenges change. The organization

should adopt to these changes, and improve the risk management process.

Risk management is applied in variety of fields such as project management, military, space,

medical, engineering, plant operation, safety and in financial portfolio management.

Key benefits of implementing risk management includes fewer shocks and unwelcome surprises;

effective use of resources, and reassuring stakeholders. Instead of being unprepared

for the threats and opportunities, that happen during the course of a project or business,

risk management can help plan and prepare for them. This preparedness helps organizations

in saving costs and time. Risk management process, can be divided into

these five key steps. It starts with having a risk management plan. The next step is to

identify the potential risks and prepare a list of all risks. This list of risks is then

analyzed, using qualitative, and quantitative techniques, to identify high priority, medium

priority and low priority risks. Response is planned for these risks, depending upon

the priority. Risks are then monitored and controlled. We will look at each of these

steps, in the following slides. Risk management plan specifies the management

intent, systems and procedures required for managing risks.

Risk management plan will provide the definitions of various risk related terms. Roles and responsibilities

related to risk, and tools and templates, are also included in it.

In a way risk management plan specifies how the next four steps listed on this slide are

executed in the organization. That is, how the organization will identify risks, how

these risks will be analyzed, how the risk response will be planned, and how the risks

will be monitored and controlled. Once the plan is in place, identify risks

is the first key step in actual management of risks. This is the process of identifying

the potential risks, their root cause, and the risk consequences.

Risk identification is a systematic process. It is a group effort, where subject matter

experts from various groups participate. The most common tool used in risk identification

process, is brain storming. In this, the subject matter experts from various groups meet together,

and list down all the potential risks. During brain storming, no identified risk is evaluated,

or criticized. The intent here is to list down as many possibles risks, in limited time.

Other tools such as Ishikawa diagram, flow diagram, and SWOT analysis may also be used.

Here the term SWOT, stands for Strengths, weaknesses, opportunities and threats.

The outcome of risk identification is a list of risks, or risk register. What is done with

the list of risks depends on the nature of the risk. A few low priority risks may be

kept simply as a list of red flag items, and periodically monitored. Some high priority

risks, may go through the rigorous process of assessment, analysis, mitigation and planning.

The next risk management process, that is analyze risks, helps in deciding that.

Organizations do not have resources to address all risks. After having the list of all potential

risks, the next logical step is to analyze and prioritize risks. Some risks may need

detailed action plan, and some may just need periodic monitoring. Organization may accept

some of the risks without any action. In this step, that is analyze risks, we will look

at how the risks are analyzed and prioritized. This is the process of quantifying the risk

events, documented in the previous step, so that the organization can focus on critical

risks. For risk analysis, qualitative and quantitative

analysis are conducted. Qualitative risk analysis is a subjective analysis, and is quick and

easy to perform. One tool to conduct the qualitative analysis is probability and impact matrix.

We will cover this tool in next few slides. On the other hand, Quantitative risk analysis

is the detailed analysis of the risk. It is not required to conduct quantitative analysis

for all risks, and is conducted when it is worth the time and effort required to conduct

it. Tools to conduct quantitative risk analysis include, expected monitory value analysis,

Monte Carlo analysis, and decision tree. These tools are not covered in this training course.

As discussed in the previous slide, the Probability and Impact Matrix, is a qualitative risk analysis

tool. This matrix has two aspects, the probability that the risk will actually happen, and the

potential impact if the risk happens. These two are classified from very unlikely, to

very likely. In the probability and impact matrix, the

risk probability, and the risk impact are assigned a score of 1 to 9. Where 1 is the

least, and 9 is the highest. A risk score is then calculated, by multiplying these two

numbers. Instead of assigning a score of 1 to 9, a score of 1 to 3, or a score of 1 to

5 may be used. These rules are defined in your risk management plan. In this course

we are using a score of 1 to 9. In this example, the group assigns a score

of 1 to the probability of risk, and a score of 9 to the impact value. This means that

the risk being discussed, has a very low chance of happening, but if it happens, the impact

will be very high. Since the score of 1 to 9 assigned to the

probability, and impact, are subjective, organization managing the risk creates some guidelines,

to ensure that these are consistent. This slide shows a sample table, for assigning

probability number. The next slide will show a sample impact table.

This is a sample table, to assign the risk impact number. The risk may impact cost, schedule,

scope or quality. Once we have assigned a risk probability number,

and an impact number, these are plotted on the probability and impact matrix. A simple

example of that is shown here. Let us look at the four boxes shown here. Risks towards

the top right corner, are of critical importance, since these are High impact and high probability

risks. These are your top priorities risks, that you must pay close attention to. Risks

in the bottom left corner are low impact, and low probability risks. You can often ignore

them. Risks in the top left corner, are of moderate importance, since these are Low impact,

and high probability risks. If these things happen, you can cope with them, and move on.

However, you should try to reduce the likelihood, that they'll occur. Risks in the bottom right

corner, are high impact, and low probability risks, and these are very unlikely to happen.

For these, you should do what you can to reduce the impact, and you should have contingency

plans in place, just in case they occur. This and the next slide, show examples of

probability and impact matrix. In this example, a score of 1 to 9 is assigned to the probability,

and the impact. This is an example of the probability and

impact matrix, where the probability, and the impact, are assigned a value between very

low, to very high. Once we have analyzed risks, the next step

in risk management, is to plan risk response, for each identified risk.

When planning a risk response, we attempt to reduce the impact and chance, of negative

risks, and enhance the impact and chance, of positive risks.

This slide shows the four risk responses, for negative risks, and the corresponding

responses for positive risks. In the next eight slides, we will look at each of these

responses. In risk avoidance, we completely eliminate

the possibility of the risk. An example might be to use a old and proven process, instead

of new and risky process. Risk can also be avoided by improved communication, providing

information, or acquiring an expert. If you can not avoid a risk completely, you

attempt to mitigate it. The purpose of risk mitigation is to reduce the size of the risk

exposure. This is done by either reducing the probability of the risk, or by reducing

the impact. The risk transfer strategy aims to pass ownership

for a particular risk to a third party. It is also important to remember that risk transfer

almost always involves payment of a risk premium. A Cost and benefit analysis might be done,

to ensure that the cost of transferring risk is justified.

Acceptance of a risk means that the probability, and or the severity, of the risk is low enough,

that we will do nothing about the risk, unless it occurs. There are two kinds of acceptance,

active and passive. Acceptance is passive, when nothing at all is done to deal with the

risk. Acceptance is active, when we decide to make a contingency plan, for what to do,

when the risk occurs. The next four slides, will deal with the risk

responses for positive risks, or opportunities. The first response to deal with the positive

risk is to exploit it. This response tries to remove any uncertainty, so that the opportunity

is certain to happen. The enhance response, focuses on the root

cause of the opportunity, and goes on to influence those factors, which will increase the likelihood

of the opportunity occurring. Sometimes exploiting a positive risk is not

possible, without collaboration. A partnership with a different group, department, or company

may be required, to exploit a positive risk Just like dealing with negative risks, we

may actively or passively accept a positive risk. Acceptance of a risk means that the

probability, and or the severity, of the risk is low enough, that we will do nothing about

the risk, unless it occurs. Once we have identified risks, analyzed then

and made a plan to deal with them, the next step is to monitor and control the risks.

A risk management program is never finished. Risk monitoring and control, should be ongoing

and continual. New risks will emerge, and existing risks will disappear. You have to

stay on top of it. While monitoring and controlling risks, unexpected

risks occur. These unexpected risks are the risks, which you did not identify in your

risk identification process. A workaround is created to deal with such risks.

Thank you for attending this course at QualityGurus.com.