Risk Management Processes

The following are risk management processes in general:

  1. Risk Management Planning
  2. Risk Identification
  3. Risk Analysis
  4. Risk Response / Treatment
  5. Risk Monitoring and Review

Risk Management Planning

Organizational culture and attitude towards risk are factors that must be considered as part of risk management planning. This takes into account the fact that different organizations and individuals have varying levels of tolerance for risk. Utility theory is an appropriate method for describing risk tolerance.

The risk management planning process should, at least, address the following:

  1. Understanding the organization’s external and internal context through:
    • PESTLE, BPEST and/or OT analysis for the external context
    • The organization’s strategic objectives, SW analysis, and governance structure for the internal context
  2. Establishing risk management policy
  3. Establishing internal and external communication and reporting mechanisms
  4. Risk Management tools, categorization and measurement
  5. Risk Management Process

Risk management policy:

Risk management policy is the outcome of the risk management planning process. It should, at least, include the following:

  1. The organization’s rationale for managing risk
  2. Purpose, audience, principles, benefits, objectives and relationship with objectives and other policies
  3. Risk approach and methodology
  4. Management commitment for the risk management process
  5. Roles, responsibilities and accountabilities for the risk management process
  6. Risk management budget
  7. Sequence and timing of the risk management processes
  8. Scoring metrics for risk analysis
  9. Organization’s risk appetite, threshold and escalation procedure
  10. Risk response reporting formats
  11. Tracking method of risk activities
  12. Variations and dispensations from the policy, and the process for requesting them

Risk Categories

Risk categories are included in the Risk Management Plan. An industry may have a standard set of risk sources that should be considered in advance of the risk identification process. For example, the Basel Committee on Banking Supervision, in its Basel II Accord, has identified three major types of risk for the banking industry: Credit Risk, Market Risk and Operational Risk. Operational risk is further divided into seven Level 1 event-type categories:

  1. Internal Fraud
  2. External Fraud
  3. Employment Practices and Workplace Safety
  4. Clients, Products, & Business Practice
  5. Damage to Physical Assets
  6. Business Disruption & Systems Failures
  7. Execution, Delivery, & Process Management

Risk Identification

Risk identification involves identifying risk sources, events, their causes and their potential consequences. The following are some risk identification tools:

  1. Brainstorming Sessions or Facilitated Workshops
  2. Key Business Processes Analysis
  3. Interviewing & Self Assessment
  4. SWOT, Scenario or Value Chain Analyses
  5. Internal Audits by External Consultants

The Risk Register is the output of the risk identification process. It contains the identified risks, their root causes, triggers, status, potential responses, etc.

Risk Analysis

Once risks have been identified, they must be analyzed to determine the causes and sources of the risks, the likelihood of their occurrence (risk probability) and the consequences they could have on the project or organization (risk impact). Risk analysis can be qualitative, quantitative, or a combination of both.

Qualitative Risk Analysis may involve the following activities:

  1. Assessing the impact and likelihood of the identified risks
  2. Assigning a probability and an impact to each risk
  3. Ranking risk events in order of importance
  4. Determining which risks require additional analysis

Probability & Impact Matrix

This matrix is constructed from the risk scores of the identified risks, where each score is the product of probability and impact. Each risk can then be classified as a low, moderate or high risk, as seen in the figure.

Quantitative Analysis

There are a number of tools for performing quantitative risk analysis. Some of them are:

  1. Sensitivity Analysis
  2. Probabilistic Analysis
  3. Decision Tree Analysis
  4. Expected Monetary Value
  5. Monte Carlo Simulation
  6. Probability Theory

Risk Evaluation:

Risk evaluation is the compilation or calculation of risk profiles by appropriately combining or aggregating the analysed risks (interlinked risks, such as those sharing a common response or treatment, may be aggregated or grouped) and comparing the resulting levels of risk with the risk appetite.
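The probability-and-impact scoring described above and the evaluation step of grouping interlinked risks and comparing them with the risk appetite, worked through as an added example (illustrative code, not from the article). It assumes 1-to-5 scales, the score bands in `BANDS`, a constructed sample register, and an appetite threshold; the extra flag for rare, severe events follows the contingency-planning point raised in the comments.

```python
from dataclasses import dataclass

# Assumed 1..5 scales and score bands (not from the article): score = P x I.
BANDS = ((1, 4, "low"), (5, 12, "moderate"), (13, 25, "high"))

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    probability: int  # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    group: str        # risks sharing a common treatment are aggregated by group

    def score(self) -> int:
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: probability and impact must be 1..5")
        return self.probability * self.impact

def rating(score: int) -> str:
    """Map a risk score onto the low/moderate/high bands of the matrix."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} lies outside the matrix")

def rank(register: list) -> list:
    """Rank risk events by score, highest first (ties broken by id)."""
    return [r.risk_id for r in sorted(register, key=lambda r: (-r.score(), r.risk_id))]

def evaluate(register: list, appetite: int) -> dict:
    """Aggregate interlinked risks per treatment group (worst score wins) and
    compare each group's level with the risk appetite threshold."""
    profile = {}
    for r in register:
        g = profile.setdefault(r.group, {"score": 0, "contingency": False})
        g["score"] = max(g["score"], r.score())
        # Rare but severe events score low here; flag them for contingency planning.
        g["contingency"] |= r.impact == 5 and r.probability == 1
    for g in profile.values():
        g["rating"] = rating(g["score"])
        g["exceeds_appetite"] = g["score"] > appetite
    return profile

# Constructed sample register (illustrative values, not real data).
REGISTER = [
    Risk("R1", "Phishing leads to credential theft", 4, 4, "identity"),
    Risk("R2", "Lost laptop holding unencrypted data", 3, 4, "endpoint"),
    Risk("R3", "Fire destroys the primary data centre", 1, 5, "continuity"),
    Risk("R4", "Shared admin password reused across systems", 4, 3, "identity"),
]
```

With an appetite of 12, `evaluate(REGISTER, 12)` marks only the identity group as exceeding appetite, while the data-centre fire sits in the moderate band yet is flagged for contingency planning.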

Risk Response or Risk Treatment

Risk response/treatment involves a cyclical process of:

  1. Selecting the most appropriate risk treatment through cost and benefit analysis
  2. Deciding whether residual risk levels are tolerable
  3. Assessing the effectiveness of that treatment

The following risk treatment options can be considered either individually or in combination:

  1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  2. Taking or increasing the risk in order to pursue an opportunity (Risk Seeking)
  3. Removing the risk source
  4. Modifying the risk either by changing the likelihood or the consequences or both
  5. Transferring, or sometimes sharing, the risk with another party or parties, e.g. through insurance or contracts
  6. Retaining the risk by informed choice, e.g. accepting a residual risk

The strategies for contingent response are:

  1. Contingency plans
  2. Financial reserves
  3. Staffing reallocation reserve
  4. Workarounds

Risk Monitoring and Review

The risk monitoring and review process should, at a minimum, take into account the following:

  1. Ensuring that controls are effective and efficient in both design and operation
  2. Ensuring that controls are communicated and understood throughout the organization
  3. Ensuring that their implementation did not introduce any unacceptable additional risks (secondary risks)
  4. Carrying out a Risk Control Self Assessment exercise throughout the organization at planned intervals
  5. Analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures
  6. Planning and carrying out the resolution of deficiencies through corrective action plans
  7. Detecting changes in the external and internal context, including changes to the risk criteria and to the risks themselves, which can require revision of risk treatments and priorities
  8. Identifying emerging risks

Risk management processes are not strictly serial, with one process affecting only the next. In fact, they are multidirectional and iterative, which means processes can influence one another.

About Ehtisham Sayed
Ehtisham Sayed is a global solution scientist and the architect of StratRisk to help 21st century organizations survive and thrive for lasting impact. You can reach him via esyd09@gmail.com

8 Responses to Risk Management Processes

  6. Peyman Mestchian says:

    Hi Ehtisham

    Thanks for this – this is a great summary of the ISO standards – but how do you think the probability-impact matrix will cater for the “Black Swan” events, which by definition are very low probability but extremely high impact? I can’t see where you would place such an event on your matrix.


    • Ehtisham Syed says:

      Thanks for the compliment. First of all, one correction. This article is not a summary of ISO 31000; rather, it’s a summary of the risk management process in general. Coming back to your question, the essence of any risk management program is to cater to those significant risks/events that have an effect on organization, business unit or project objectives. Black Swan events, on the other hand, are unpredictable, rare events of extremely high impact. For such “types” of events, like war, terrorist attacks, etc., contingency planning is a better option.


      • Feisal Rahimtoola says:

        Ehtisham, Risk Management has been an area close to my heart. I suspect your initial contribution of initiating this discussion needs to be made juicier. We need input that would trigger a debate.
