Welcome to this course on introduction to risk management.
All types of organizations face some form of risk, which may affect their chance of success. Understanding the risks and effectively managing them will greatly help organizations achieve long-term success. Risk management can be an important tool to eliminate potential problems in an organization. Even though the current version of ISO 9001 does not specifically require the use of risk management in the preventive action clause, some of the industry-specific standards require it specifically. For example, the quality management standards for the aviation industry and the healthcare industry have a risk management requirement included in the preventive action clause.
These are the topics covered in this course. First we will understand the definitions of risk and risk management. Then we will look at five key steps for managing risks.
Companies face a number of internal and external factors which make it uncertain whether the company will meet its objectives. These uncertain events or conditions are called risks. So far in this course, we have assumed that risks always have a negative impact. Let's be clear here that the result of a risk is not always negative.
Risks are uncertain events. These uncertain events could lead to positive or negative results. Positive risks are known as opportunities. Organizations attempt to avoid or reduce the impacts of negative risks. However, when it comes to positive risks, organizations would like to take maximum advantage of these opportunities.
This slide explains the difference between a risk and an issue. While a risk is a future uncertain event, an issue is an event which has already occurred.
The concepts of risk appetite and risk tolerance are related to the extent to which an organization is comfortable taking risk. Taking big risks could lead to big losses or big rewards. While risk appetite is about the willingness to take risk, risk tolerance is about what the organization can bear.
As discussed on the previous slide, risk is associated with reward. Organizations take risks to gain more rewards.
This is the definition of risk management, taken from wikipedia.org. If you find this definition confusing, then please proceed to the next slide. The same definition is presented there in the form of a diagram.
In risk management, you identify the potential risks, then you assess them so that you know which of the identified risks are more critical and which are less. Based on that assessment, you give more priority to some risks and less to others. You cannot cover all risks, since you have limited resources. With this priority, you put your resources on high-priority risks. As we discussed earlier, a risk can be negative or positive. You attempt to minimize the impact of negative risks, monitor them and keep them under control. However, if it is a positive risk, or an opportunity, you put your resources into maximizing the opportunity.
For the risk management process to be effective, these are some of the key principles that should be considered. Since the organization is spending resources to manage risks, risk management should create value. Risk management should be performed systematically and be an integral part of the organization's work processes. As the organization matures, the types of risks or challenges change. The organization should adapt to these changes and improve the risk management process.
Risk management is applied in a variety of fields, such as project management, military, space, medical, engineering, plant operation, safety and financial portfolio management.
Key benefits of implementing risk management include fewer shocks and unwelcome surprises, effective use of resources, and reassuring stakeholders. Instead of being unprepared for the threats and opportunities that happen during the course of a project or business, risk management can help plan and prepare for them. This preparedness helps organizations save costs and time.
The risk management process can be divided into these five key steps. It starts with having a risk management plan. The next step is to identify the potential risks and prepare a list of all risks. This list of risks is then analyzed, using qualitative and quantitative techniques, to identify high-priority, medium-priority and low-priority risks. A response is planned for these risks, depending upon the priority. Risks are then monitored and controlled. We will look at each of these steps in the following slides.
The risk management plan specifies the management intent, systems and procedures required for managing risks.
The risk management plan will provide the definitions of various risk-related terms. Roles and responsibilities related to risk, and tools and templates, are also included in it.
In a way, the risk management plan specifies how the next four steps listed on this slide are executed in the organization. That is, how the organization will identify risks, how these risks will be analyzed, how the risk response will be planned, and how the risks will be monitored and controlled.
Once the plan is in place, identifying risks is the first key step in the actual management of risks. This is the process of identifying the potential risks, their root causes, and the risk consequences.
Risk identification is a systematic process. It is a group effort, where subject matter experts from various groups participate. The most common tool used in the risk identification process is brainstorming. In this, the subject matter experts from various groups meet together and list all the potential risks. During brainstorming, no identified risk is evaluated or criticized. The intent here is to list as many possible risks as can be found in limited time. Other tools such as the Ishikawa diagram, flow diagram, and SWOT analysis may also be used. Here the term SWOT stands for strengths, weaknesses, opportunities and threats.
The outcome of risk identification is a list of risks, or risk register. What is done with the list of risks depends on the nature of the risk. A few low-priority risks may be kept simply as a list of red-flag items and periodically monitored. Some high-priority risks may go through the rigorous process of assessment, analysis, mitigation and planning. The next risk management process, that is, analyze risks, helps in deciding that.
Organizations do not have the resources to address all risks. After having the list of all potential risks, the next logical step is to analyze and prioritize risks. Some risks may need a detailed action plan, and some may just need periodic monitoring. The organization may accept some of the risks without any action. In this step, that is, analyze risks, we will look at how the risks are analyzed and prioritized.
This is the process of quantifying the risk events documented in the previous step, so that the organization can focus on critical risks.
For risk analysis, qualitative and quantitative analyses are conducted. Qualitative risk analysis is a subjective analysis, and is quick and easy to perform. One tool to conduct the qualitative analysis is the probability and impact matrix. We will cover this tool in the next few slides. On the other hand, quantitative risk analysis is the detailed analysis of the risk. It is not required to conduct quantitative analysis for all risks; it is conducted when it is worth the time and effort required. Tools to conduct quantitative risk analysis include expected monetary value analysis, Monte Carlo analysis, and decision trees. These tools are not covered in this training course.
As discussed in the previous slide, the probability and impact matrix is a qualitative risk analysis tool. This matrix has two aspects: the probability that the risk will actually happen, and the potential impact if the risk happens. These two are classified from very unlikely to very likely.
In the probability and impact matrix, the risk probability and the risk impact are each assigned a score of 1 to 9, where 1 is the lowest and 9 is the highest. A risk score is then calculated by multiplying these two numbers. Instead of assigning a score of 1 to 9, a score of 1 to 3 or a score of 1 to 5 may be used. These rules are defined in your risk management plan. In this course we are using a score of 1 to 9.
In this example, the group assigns a score of 1 to the probability of the risk, and a score of 9 to the impact value. This means that the risk being discussed has a very low chance of happening, but if it happens, the impact will be very high.
Since the scores of 1 to 9 assigned to the probability and impact are subjective, the organization managing the risk creates some guidelines to ensure that these are consistent. This slide shows a sample table for assigning the probability number. The next slide will show a sample impact table.
This is a sample table to assign the risk impact number. The risk may impact cost, schedule, scope or quality.
Once we have assigned a risk probability number and an impact number, these are plotted on the probability and impact matrix. A simple example of that is shown here. Let us look at the four boxes shown here. Risks towards the top right corner are of critical importance, since these are high-impact and high-probability risks. These are your top-priority risks, which you must pay close attention to. Risks in the bottom left corner are low-impact and low-probability risks. You can often ignore them. Risks in the top left corner are of moderate importance, since these are low-impact and high-probability risks. If these things happen, you can cope with them and move on. However, you should try to reduce the likelihood that they will occur. Risks in the bottom right corner are high-impact and low-probability risks, and these are very unlikely to happen. For these, you should do what you can to reduce the impact, and you should have contingency plans in place, just in case they occur.
This and the next slide show examples of the probability and impact matrix. In this example, a score of 1 to 9 is assigned to the probability and the impact.
This is an example of the probability and impact matrix where the probability and the impact are assigned a value between very low and very high.
Once we have analyzed risks, the next step in risk management is to plan a risk response for each identified risk.
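
The probability and impact matrix described above, applied to a small risk register, as an added example that is not part of the original course. The register entries are constructed, and the cut-off of 5 for "high" on the 1 to 9 scale is an assumption; a real risk management plan defines its own.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 9   # scoring scale used in this course
HIGH_FROM = 5                 # assumption: 5 and above counts as "high"

# Handling per matrix box, paraphrased from the course text.
# Key: (probability is high, impact is high)
HANDLING = {
    (True, True): "critical: top priority, pay close attention",
    (True, False): "moderate: cope if it happens, reduce likelihood",
    (False, True): "reduce impact, keep a contingency plan",
    (False, False): "low: can often be ignored",
}

@dataclass(frozen=True)
class Risk:
    name: str
    probability: int
    impact: int

    def __post_init__(self):
        # Reject scores outside the scale so one typo cannot skew the ranking.
        for label, value in (("probability", self.probability), ("impact", self.impact)):
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {label} must be an integer {SCALE_MIN}..{SCALE_MAX}")

    @property
    def score(self) -> int:
        return self.probability * self.impact

    @property
    def handling(self) -> str:
        return HANDLING[(self.probability >= HIGH_FROM, self.impact >= HIGH_FROM)]

def prioritize(register):
    """Return risks ordered by score, highest first; ties broken by impact."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)

# Constructed sample register (not from the course).
REGISTER = [
    Risk("Key supplier goes out of business", 1, 9),
    Risk("Minor rework on incoming parts", 7, 2),
    Risk("New process fails qualification", 6, 8),
    Risk("Office printer outage", 2, 1),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score:>2}  P={r.probability} I={r.impact}  {r.name}: {r.handling}")
```

In the sample register, the risk scored 1 for probability and 9 for impact gets a score of 9 and sorts below a 7-by-2 risk scoring 14, which is why the matrix box is reported alongside the score rather than relying on the product alone.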
When planning a risk response, we attempt to reduce the impact and chance of negative risks, and enhance the impact and chance of positive risks.
This slide shows the four risk responses for negative risks, and the corresponding responses for positive risks. In the next eight slides, we will look at each of these responses.
In risk avoidance, we completely eliminate the possibility of the risk. An example might be to use an old and proven process instead of a new and risky process. Risk can also be avoided by improved communication, providing information, or acquiring an expert.
If you cannot avoid a risk completely, you attempt to mitigate it. The purpose of risk mitigation is to reduce the size of the risk exposure. This is done either by reducing the probability of the risk, or by reducing the impact.
The risk transfer strategy aims to pass ownership of a particular risk to a third party. It is also important to remember that risk transfer almost always involves payment of a risk premium. A cost and benefit analysis might be done to ensure that the cost of transferring the risk is justified.
Acceptance of a risk means that the probability and/or the severity of the risk is low enough that we will do nothing about the risk unless it occurs. There are two kinds of acceptance, active and passive. Acceptance is passive when nothing at all is done to deal with the risk. Acceptance is active when we decide to make a contingency plan for what to do when the risk occurs.
The next four slides will deal with the risk responses for positive risks, or opportunities. The first response to deal with a positive risk is to exploit it. This response tries to remove any uncertainty, so that the opportunity is certain to happen.
The enhance response focuses on the root cause of the opportunity, and goes on to influence those factors which will increase the likelihood of the opportunity occurring.
Sometimes exploiting a positive risk is not possible without collaboration. A partnership with a different group, department, or company may be required to exploit a positive risk.
Just as when dealing with negative risks, we may actively or passively accept a positive risk. Acceptance of a risk means that the probability and/or the severity of the risk is low enough that we will do nothing about the risk unless it occurs.
Once we have identified risks, analyzed them and made a plan to deal with them, the next step is to monitor and control the risks. A risk management program is never finished. Risk monitoring and control should be ongoing and continual. New risks will emerge, and existing risks will disappear. You have to stay on top of it.
While monitoring and controlling risks, unexpected risks occur. These unexpected risks are the risks which you did not identify in your risk identification process. A workaround is created to deal with such risks.
Thank you for attending this course at QualityGurus.com.