TOPIC 4: RISK ANALYSIS
Sub-Topics
1. Meaning of Risk Analysis
2. Elements of Risk Analysis
3. Importance of Risk Analysis
4. Data Collection Methods
5. Process of Prioritizing Risks
MEANING OF RISK ANALYSIS
Risk analysis is the process that figures out how likely it is that a risk will arise in a project. It studies uncertainty and how it would impact the project in terms of schedule, quality and costs if it did in fact show up. The two ways to analyze risk are quantitative and qualitative. But it’s important to know that risk analysis is not an exact science; it’s more like an art.
Risk analysis is the study of the underlying uncertainty of a given course of action and refers to the uncertainty of forecasted cash flow streams, the variance of portfolio or stock returns, the probability of a project’s success or failure, and possible future economic status.
Risk analysis in the workplace, for example:
The risk analysis activities will involve:
Identification of hazards present in the workplace and work environment;
Identification of hazards discovered in previous risk management;
Identification of potential consequences of the recognized hazards – risks, i.e. the potential causes of injury to workers, a work accident, an occupational disease or a work related disease. Several means can be used to support these activities. For instance:
Direct observation – walkthrough;
Interviews with workers and managers;
Checklists;
Deviation analysis;
Energy analysis;
Job safety analysis;
Previous risk assessment data;
Employee (satisfaction) survey
When to Use Risk Analysis
Risk analysis is useful in many situations:
When you’re planning projects, to help you anticipate and neutralize possible problems.
When you’re deciding whether or not to move forward with a project.
When you’re improving safety and managing potential risks in the workplace.
When you’re preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.
When you’re planning for changes in your environment, such as new competitors coming into the market, or changes to government policy.
ELEMENTS OF RISK ANALYSIS
1. Risk Assessment
2. Risk Management
3. Risk Communication
1. Risk Assessment
• Risk assessment is defined as a report that analyzes the potential for bad things to happen and the actions which should be taken to keep them from happening or to minimize the risk.
• The overall process of identifying all the risks to and from an activity and assessing the potential impact of each risk.
• The determination of the potential impact of an individual risk by measuring or otherwise assessing both the likelihood that it will occur and the impact if it should occur, and then combining the result according to an agreed rule to give a single measure of potential impact.
Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being over controlled or forgoing desirable opportunities. Some risks are dynamic and require continual ongoing monitoring and assessment, such as certain market and production risks. Other risks are more static and require reassessment on a periodic basis with ongoing monitoring triggering an alert to reassess sooner should circumstances change.
Risk Assessment Process
i. Identify risks. The risk (or event) identification process precedes risk assessment and produces a comprehensive list of risks (and often opportunities as well), organized by risk category (financial, operational, strategic, compliance) and sub-category (market, credit, liquidity, etc.) for business units, corporate functions, and capital projects. At this stage, a wide net is cast to understand the universe of risks making up the enterprise’s risk profile. While each risk captured may be important to management at the function and business unit level, the list requires prioritization to focus senior management and board attention on key risks. This prioritization is accomplished by performing the risk assessment.
ii. Develop assessment criteria. The first activity within the risk assessment process is to develop a common set of assessment criteria to be deployed across business units, corporate functions, and large capital projects. Risks and opportunities are typically assessed in terms of impact and likelihood. Many enterprises recognize the utility of evaluating risk along additional dimensions such as vulnerability and speed of onset.
iii. Assess risks. Assessing risks consists of assigning values to each risk and opportunity using the defined criteria. This may be accomplished in two stages where an initial screening of the risks is performed using qualitative techniques followed by a more quantitative analysis of the most important risks.
iv. Assess risk interactions. Risks do not exist in isolation. Enterprises have come to recognize the importance of managing risk interactions. Even seemingly insignificant risks on their own have the potential, as they interact with other events and conditions, to cause great damage or create significant opportunity. Therefore, enterprises are gravitating toward an integrated or holistic view of risks using techniques such as risk interaction matrices, bow-tie diagrams, and aggregated probability distributions.
v. Prioritize risks. Risk prioritization is the process of determining risk management priorities by comparing the level of risk against predetermined target risk levels and tolerance thresholds. Risk is viewed not just in terms of financial impact and probability, but also subjective criteria such as health and safety impact, reputational impact, vulnerability, and speed of onset.
vi. Respond to risks. The results of the risk assessment process then serve as the primary input to risk responses whereby response options are examined (accept, reduce, share, or avoid), cost-benefit analyses performed, a response strategy formulated, and risk response plans developed.
2. Risk Management
Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
The Risk Management plan
A Risk Management Plan is like the song sheet which all musicians must be familiar with and execute to perfection. It is a subset of a project management plan, and it provides the foundation for risk management for a project. For large projects it can be a stand-alone document, but usually it would be included as a section of the project management plan.
The Risk Management Plan contains the following items.
i. Introduction. Risk management methodologies, organization, roles and responsibilities, tools, and anything else that doesn’t warrant its own space.
ii. Risk Register. This is where the value is created. The risk register, also called a risk log, is a list of important project risks which is created at the project planning stage. The most important risks to the project’s critical success factors are determined, which are then categorized according to the Risk Breakdown Structure. It is not possible to ensure all risks are identified, and you can go overboard with identifying small insignificant risks, but the exercise ensures that project stakeholders are satisfied that the risks to the project have been considered. The risk register also contains the results of risk analysis, which prioritize risks by probability and impact, the two underlying factors.
iii. Stakeholder Risk Tolerance. Although not always requiring its own dedicated space, stakeholder risk tolerance should be investigated and carefully considered. If you can’t define and write down the risk tolerance of the stakeholders, maybe it’s time to have a chat with them. Communication is key here.
iv. Risk Breakdown Structure. This is an optional, categorized organization of the project risks. Organize risks into categories. For an engineering project, risk might be divided into technical, organizational, and external risks.
v. Risk Response Plans. Most of the time risk response plans are an additional column of the risk register. But the largest, more important risks usually require a written response and/or mitigation plan that needs a separate section.
vi. Monitoring and Control. It is important to re-visit the risks regularly throughout the project, and this section will define how often that will happen and what that will look like. For most projects, weekly is an appropriate timeline. Often revisiting the risk register during a project is an easy task because risks are made obsolete (i.e. they can be labeled “did not occur”).
vii. Communications. I can easily think of many project issues over the years that weren’t really all that important on an absolute level, but made stakeholders unhappy because they were expecting something to have been different. That is, small issues blew up due to poor communication. Thus, potential risks need to be communicated with stakeholders, so that everyone is prepared for the risks as they arise. Managing stakeholder expectations is the central foundation of risk management, and thus communication is key. Any changes to the risk profile of the project (i.e. the risk register) need to be communicated to the relevant stakeholders, and the communications plan can lay out how that will be done.
The Project Risk Register
A risk register (PRINCE2) is a document used as a risk management tool and to fulfil regulatory compliance, acting as a repository for all identified risks and including additional information about each risk, e.g. the nature of the risk, reference and owner, and mitigation measures.
Key elements of a Risk Register
i. Risk Identifier – A numerical identifier for each risk
ii. Risk Description – A textual description of each risk; potentially links to extended risk analysis documentation
iii. Risk Trigger – The trigger condition that causes the risk to occur
iv. Probability – An assessment of the probability of the risk, represented as a percentage
v. Impact – Presented as a high, medium or low rating; may link to detailed analysis such as a cost estimate or impact assessment
vi. Score – Risk score, obtained by multiplying probability by impact based on a numerical rating system
vii. Ownership – The person accountable for the risk
viii. Mitigation – Steps that are planned to mitigate the risk. This is also called ‘Treatment’
ix. Residual Risk – A textual description of the risk remaining after treatment, including any secondary risk
x. Accepted Probability – The remaining probability after treatment/mitigation
xi. Accepted Impact – The remaining impact after treatment
Steps to complete the register:
1. Identify potential risks. See Examples of Risk Areas for potential sources of risk.
2. Identify the consequences to the activity if the risk were to materialize
3. Identify the likelihood and probability that the risk would result in adverse consequences. Use Risk Assessment Ranking Tool to rank identified risks. For those risks that have been ranked as medium, high or extreme, address with mitigating actions:
Medium: Mitigation actions to reduce the likelihood and seriousness should be identified and appropriate actions to be endorsed at a Divisional level.
High: If uncontrolled, a risk event at this level may have a significant impact on the operations of a cost centre or the organisation as a whole. Mitigating actions need to be very reliable and should be approved and monitored by the contract owner with reporting to the responsible Directors. Even with mitigating actions in place, the Executor (contract signatory) should be advised of identified or potential risks which have been graded at this level.
Extreme: Activities and projects with unmitigated risks at this level should be avoided or terminated. Mitigation actions of these types of risks may outweigh the benefits of the activity to the organisation. This is because risk events graded at this level have the potential to have significant adverse effects to the budget holder or the organisation.
5. Identify if there are any controls currently in place to mitigate those risks
6. If not, develop and document Risk mitigation actions.
These could include:
Planned actions to reduce the likelihood a negative risk will occur and/or reduce the seriousness should it occur (What should you do now?)
Contingency actions – planned actions to reduce the immediate seriousness of a negative risk when it does occur. (What should you do when?)
Recovery actions – planned actions taken once a negative risk has occurred to allow you to move on. (What should you do after?)
Risk Transfer (e.g. through assignment of contractual responsibilities or insurance).
Actions necessary to ensure the realisation of opportunities (positive risks)
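As an added worked example (not part of these notes), the register columns and the grading step above expressed in Python: each entry carries probability as a percentage and impact as a high/medium/low rating, the Score column is probability multiplied by an impact weight, the score is graded, and the Accepted Probability and Accepted Impact columns give the residual score after treatment. The impact weights, the score bands standing in for the Risk Assessment Ranking Tool (which the notes refer to but do not define), and the sample entries are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed numerical rating system for the Impact column: the register rates impact
# as high, medium or low, so each rating is given an illustrative weight here.
IMPACT_WEIGHT = {"low": 1, "medium": 3, "high": 5}

# Assumed score bands for the Risk Assessment Ranking Tool, which the notes refer
# to without defining. The grade labels (medium, high, extreme) are the notes' own.
GRADE_BANDS = [(4.0, "extreme"), (2.5, "high"), (1.0, "medium"), (0.0, "low")]

# Escalation required per grade, paraphrased from step 3 above.
REQUIRED_ACTION = {
    "low": "monitor; no formal mitigation required",
    "medium": "identify mitigation; endorse actions at Divisional level",
    "high": "reliable mitigation approved by contract owner; report to Directors; advise Executor",
    "extreme": "avoid or terminate the activity unless the risk can be mitigated",
}


@dataclass
class RiskEntry:
    """One row of the register; field names follow the key elements listed above."""
    risk_id: int
    description: str
    trigger: str
    probability_pct: float            # Probability, as a percentage
    impact: str                       # Impact: low / medium / high
    owner: str
    mitigation: str = ""
    residual_risk: str = ""
    accepted_probability_pct: Optional[float] = None
    accepted_impact: Optional[str] = None


def risk_score(probability_pct: float, impact: str) -> float:
    """Score column: probability (as a fraction) multiplied by the impact weight."""
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    return round(probability_pct / 100 * IMPACT_WEIGHT[impact], 2)


def grade(score: float) -> str:
    """Map a score onto the ranking tool's bands."""
    for floor, label in GRADE_BANDS:
        if score >= floor:
            return label
    return "low"


def residual_score(entry: RiskEntry) -> float:
    """Score after treatment, from the Accepted Probability and Accepted Impact
    columns; untreated risks keep their inherent score."""
    if entry.accepted_probability_pct is None or entry.accepted_impact is None:
        return risk_score(entry.probability_pct, entry.impact)
    return risk_score(entry.accepted_probability_pct, entry.accepted_impact)


def rank_register(register: List[RiskEntry]) -> List[Tuple[int, float, str, float, str]]:
    """Rows as (id, inherent score, inherent grade, residual score, residual grade),
    highest inherent score first."""
    rows = []
    for e in register:
        inherent = risk_score(e.probability_pct, e.impact)
        residual = residual_score(e)
        rows.append((e.risk_id, inherent, grade(inherent), residual, grade(residual)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample register (illustrative entries, not from a real project).
SAMPLE_REGISTER = [
    RiskEntry(1, "Key supplier fails to deliver hardware", "supplier misses milestone", 40, "high",
              "Procurement lead", mitigation="dual-source the component",
              residual_risk="single-sourced for two weeks", accepted_probability_pct=10, accepted_impact="medium"),
    RiskEntry(2, "Test environment unavailable", "shared lab booked by another team", 60, "medium",
              "QA lead", mitigation="book lab slots at project start", accepted_probability_pct=20, accepted_impact="medium"),
    RiskEntry(3, "Minor documentation delay", "technical writer on leave", 30, "low", "Tech writer"),
    RiskEntry(4, "Regulatory approval refused", "application rejected", 90, "high",
              "Compliance lead", mitigation="pre-submission meeting with regulator",
              accepted_probability_pct=50, accepted_impact="high"),
]

if __name__ == "__main__":
    for rid, inherent, g, residual, rg in rank_register(SAMPLE_REGISTER):
        print(f"risk {rid}: score {inherent} ({g}) -> residual {residual} ({rg}); action: {REQUIRED_ACTION[g]}")
```

Running it ranks risk 4 (score 4.5, extreme) first; after its planned treatment it still scores 2.5 (high), which is the situation the notes describe where mitigation alone may not bring an extreme risk within tolerance and the activity itself has to be reconsidered.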
Importance of Registers
Risk registers also help to:
Identify potential behavioural trends or environmental issues,
Identify and capture risks that may be subject to legislation or business changes,
Demonstrate to others (regulators, investors, company stakeholders and others) that risks are being managed.
Design controls or mitigation measures to reduce or remove the risk(s) before they occur,
Document better safe work procedures
Achieve safety objectives, and drive continual improvements
Used for audits to check Compliance
Used for mobilizing Resources
Risk registers are so much more than just lists of issues. They are used to offer project or operational visibility, as well as house audit and safety compliance documentation all from within the one location.
3. Risk Communication
Risk communication is an integral part of the risk assessment process, which typically includes the processes of communication among the agencies and between the agencies and organizations responsible for site assessment and management.
Risk Communication is an important tool for disseminating information and understanding about a risk management decision. This understanding and information should allow stakeholders to make an informed conclusion about how the decision will impact their interests and values.
Risk communication is useful in the following situations:
Explaining the chance of a risk impact (probability) and the predictability of the risk impact (stochastic);
Outlining the difference between risk (dependent on scenarios) and hazard (found within a specific area);
Dealing with any long-term effects from the risk and risk management;
Improving the overall understanding of risk based terminology and concepts;
Delivering an understanding of how risk management decisions will impact lifestyles;
Creating a venue where uncertainties can be addressed and questions answered;
Improving the transparency and credibility of those implementing the risk management;
Dealing with conflicting interests and cultures of the various interested and affected parties;
DATA COLLECTION METHODS (Check Qualitative and Quantitative Data Collection Methods)
Risk assessment is often performed as a two-stage process. An initial screening of the risks and opportunities is performed using qualitative techniques followed by a more quantitative treatment of the most important risks and opportunities lending themselves to quantification (not all risks are meaningfully quantifiable).
Qualitative assessment consists of assessing each risk and opportunity according to descriptive scales as described in the previous section.
Quantitative analysis requires numerical values for both impact and likelihood using data from a variety of sources.
The quality of the analysis depends on the accuracy and completeness of the numerical values and the validity of the models used. Model assumptions and uncertainty should be clearly communicated and evaluated using techniques such as sensitivity analysis.
Both qualitative and quantitative techniques have advantages and disadvantages. Most enterprises begin with qualitative assessments and develop quantitative capabilities over time as their decision-making needs dictate.
Qualitative Risk Analysis
Qualitative risk analysis is the process of evaluating the potential losses from a given risk using a combination of known information about the situation, knowledge about the underlying process, and judgment about the information that is not known or well understood. Some of the tools and techniques for qualitative risk analysis are:
Risk probability and impact assessment.
This method consists of investigating the likelihood that each specific risk will occur and its potential effect on an organizational objective or goal such as cost, delivery, quality or performance (negative effects for threats and positive effects for opportunities), defining it in levels, through interviews or meetings with relevant stakeholders, and documenting the results.
Probability and impact matrix.
Risks are rated for further quantitative analysis using a probability and impact matrix. Rating rules should be specified by the organization in advance. A risk matrix can be used to score the enterprise’s ability to recognize sources of risk and its willingness and ability to manage those risks. The statements regarding risk are numerically scored to identify areas on which to focus, opportunities to emphasize, and areas of strength to leverage.
Risk categorization.
To be done in order to determine the areas of the organization most exposed to the effects of uncertainty. Grouping risks by common root causes can help you to develop effective risk responses.
Risk urgency assessment. In some qualitative analyses the assessment of risk urgency can be combined with the risk ranking determined from the probability and impact matrix to give a final risk sensitivity rating. Example: a risk requiring a near-term response may be considered more urgent to address.
SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis. As you refine your understanding of risks, you can perform SWOT analysis to arrive at ways to mitigate these risks and manage them in the future. It consists of listing the strengths, weaknesses, opportunities and threats associated with your company’s ability to withstand or eliminate each risk.
ICOR (Improvements, Challenges, Opportunities and Risks) Analysis.
This approach melds risk management practices with the SWOT analysis to focus on the risks and benefits associated with a process change. The ICOR chart, adapted from a SWOT template, puts in plain view not only the improvements expected, but also any challenges that will be faced, any opportunities to be realized elsewhere and any risks involved with the activity.
Advantages of Qualitative Risk Analysis
1. Easy presentation – The results of the qualitative risk analysis can be presented graphically using a risk assessment matrix. A project manager can use a risk assessment matrix to communicate risk management strategy to team members or senior management.
2. Simple assessment methods – The project team doesn’t require training to conduct the qualitative risk analysis, as it doesn’t rely on any complicated tools or software.
3. Easy prioritization – Since the qualitative risk analysis already classifies risks according to their likelihood and impact, it becomes easy to determine risks that an organization should focus on – the ones falling into the highest likelihood and impact categories.
4. No need to determine frequency – The qualitative risk analysis results don’t depend on the risk occurrence frequency, so the team performing the analysis can save time by not predicting the frequency and the exact timing of each risk.
5. No need to quantify the impact on costs and schedule – Since qualitative risk analysis doesn’t quantify the risk impact on project costs and schedule, time is saved during the analysis.
6. Generally includes more in-depth supporting analyses.
Disadvantages of Qualitative Risk Analysis
Lack of standardized procedure and experienced practitioners
Guidelines for determination of tolerable risk need development and are yet to gain widespread acceptance
Uncertainty in estimating probabilities and life loss
The evaluation of risk and its result are subjective
It is possible that the reality is not defined correctly because of the subjective perspective of the author
The performance of risk management is hard to follow because of its subjectivity
A cost-benefit analysis is not implemented, only the author’s subjective approach, which makes the implementation of controls difficult
Insufficient differentiation between major risks
Results depend on the quality of the risk management team
New and complex terminology
Quantitative Risk Analysis
Quantitative Risk Analysis is the process for numerically analysing the effect of the identified risks on the objectives and targets of an organization. On the basis of the results of the qualitative risk analysis, the quantitative risk analysis is performed on the risks that have been prioritized; it analyses the effects of those risk events and assigns a numerical rating to them. In the process of quantitative risk analysis the impacts to the whole organization are made computable and are computed to generate a more elaborate total ranking.
Quantitative Techniques are:
1. Data gathering & representation techniques:
Interviewing: you can carry out interviews in order to gather optimistic (low), pessimistic (high) and most likely scenarios.
Probability distributions: continuous probability distributions are used extensively in modelling and simulations. These distributions may help us perform quantitative analysis. Discrete distributions can be used to represent uncertain events (an outcome of a test or possible scenario in a decision tree).
2. Quantitative risk analysis & modelling techniques: commonly used for event-oriented analysis:
Sensitivity analysis: For determining which risks may have the most potential impact on the organization. In sensitivity analysis one looks at the effect of varying the inputs of a mathematical model on the output of the model itself, examining the effect of the uncertainty of each risk on a specific objective, when all other uncertain elements are held at their baseline values. The results may be presented in a tornado diagram.
Modelling & simulation: A risk simulation uses a model that translates the specific detailed uncertainties of the risks into their potential impact on the organization’s objectives, and is usually iterative. Monte Carlo is an example of an iterative simulation.
3. Cause and effect matrix helps identify critical steps in a process and the presence, or absence, of controls that prevent, mitigate or monitor adverse events. Numerical scores determine which activities create the greatest risk. Inputs into the process are then scored to refine the areas of potential risk.
4. Failure mode and effects analysis (FMEA) helps evaluate the risk associated with steps in a process or with the steps in the implementation plan of any project. Potential failure modes and their potential resulting effects are identified and scored for severity of impact to the organization. Potential causes are then identified and scored based on frequency or likelihood of occurrence. Finally, present controls are identified and scored based on the organization’s ability to prevent, mitigate or detect these failure modes. The three scores are then multiplied together to create a Risk Priority Number (RPN). Once the RPN has been calculated, the FMEA requires that an action plan be developed and responsibilities assigned to reduce the risk associated with the critical areas identified. Based on the RPN and the risk tolerance established by the organization, business decisions can be made to avoid or prevent the risk, reduce or mitigate the risk, share the risk, or accept the risk. A formal cost/benefit analysis of these alternatives assists leadership in defining their response. Once the action plan has been completed, a recalculation of the RPN is performed to determine if the activity now falls within the risk tolerance or if additional actions are needed.
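An added worked example of the FMEA cycle just described (this is illustration code written for these notes, not from any FMEA standard or tool): each failure mode gets a severity, occurrence and detection score, the three are multiplied into an RPN, modes above the organisation's tolerance are listed as the critical areas needing an action plan, and the RPN is recalculated once an action has changed one of the factors. The 1-10 scale, the tolerance of 100, and the sample rows for a patch-deployment process are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Assumed 1-10 scale for all three factors; the notes do not fix a scale.
SCALE = range(1, 11)


@dataclass(frozen=True)
class FailureMode:
    step: str          # process step being analysed
    failure_mode: str  # how the step could go wrong
    effect: str        # resulting effect on the organisation
    severity: int      # severity of the effect
    occurrence: int    # frequency / likelihood of the cause
    detection: int     # 10 = present controls least able to prevent, mitigate or detect it

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in 1..10")


def rpn(fm: FailureMode) -> int:
    """Risk Priority Number: the three scores multiplied together."""
    return fm.severity * fm.occurrence * fm.detection


def prioritise(modes: List[FailureMode], tolerance: int) -> List[Tuple[FailureMode, int]]:
    """Critical areas: failure modes whose RPN exceeds the tolerance, highest first."""
    above = [(fm, rpn(fm)) for fm in modes if rpn(fm) > tolerance]
    return sorted(above, key=lambda pair: pair[1], reverse=True)


def apply_action(fm: FailureMode, *, severity: Optional[int] = None,
                 occurrence: Optional[int] = None, detection: Optional[int] = None) -> FailureMode:
    """Record a completed action plan as new factor scores. Better controls lower
    detection, prevention lowers occurrence; severity normally changes only through redesign."""
    requested = {"severity": severity, "occurrence": occurrence, "detection": detection}
    changes = {k: v for k, v in requested.items() if v is not None}
    return replace(fm, **changes)


def recalculate(before: FailureMode, after: FailureMode, tolerance: int) -> Dict[str, object]:
    """Re-run the RPN after the action plan and decide whether more action is needed."""
    old, new = rpn(before), rpn(after)
    return {
        "rpn_before": old,
        "rpn_after": new,
        "within_tolerance": new <= tolerance,
        "decision": "close" if new <= tolerance else "further action required",
    }


# Constructed sample FMEA rows for a patch-deployment process (illustrative only).
SAMPLE_MODES = [
    FailureMode("Deploy patch", "Patch applied without staging test", "Production outage", 8, 4, 6),
    FailureMode("Rotate credentials", "Old credential left active", "Stale access remains possible", 9, 3, 7),
    FailureMode("Archive logs", "Logs archived before review", "Evidence unavailable to investigators", 5, 2, 3),
]
RPN_TOLERANCE = 100  # assumed organisational tolerance

if __name__ == "__main__":
    for fm, score in prioritise(SAMPLE_MODES, RPN_TOLERANCE):
        print(f"{fm.step}: RPN {score} -> action plan required, owner to be assigned")
    before = SAMPLE_MODES[0]
    after = apply_action(before, detection=2)  # hypothetical action: mandatory staging gate
    print(recalculate(before, after, RPN_TOLERANCE))
```

Note that the two top rows have almost the same RPN (192 and 189) for different reasons: one is driven by weak detection, the other by high severity. The RPN alone does not say which factor to attack, which is why the notes pair it with a cost/benefit analysis of the response options.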
5. Cost Risk Analysis: cost estimates are used as input values, chosen randomly for each iteration (according to the probability distributions of these values), and the total cost is calculated.
6. Schedule Risk Analysis: duration estimates and network diagrams are used as input values, chosen at random for each iteration (according to the probability distributions of these values), and the completion date is calculated. One can check the probability of completing the task by a certain date or within a certain cost constraint.
7. Expert Judgment: used for identifying potential cost and schedule impacts, evaluating probabilities, interpreting data, identifying the weaknesses of the tools as well as their strengths, and defining when a specific tool is more appropriate, considering the organization’s capabilities and structure.
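An added worked example tying together the quantitative techniques above (written for these notes, not taken from any project or tool): the three-point estimates gathered by interviewing feed triangular probability distributions; a Monte Carlo run draws every task's duration and cost from them, walks the network diagram to get a completion date, and reports the probability of finishing within a target date or budget (Cost and Schedule Risk Analysis); and a one-at-a-time sensitivity pass swings each task between its optimistic and pessimistic estimate, with the rest held at their most likely values, to produce the ordering a tornado diagram shows. The task network, estimates, and target values are constructed for the illustration.

```python
import math
import random
from typing import Dict, List, Tuple

# Constructed sample task network (illustrative values, not from the notes).
# Each task: (predecessors, (optimistic, most likely, pessimistic) duration in
# days, (optimistic, most likely, pessimistic) cost in thousands).
TASKS = {
    "design":   ([],                   (8, 10, 16),  (20, 25, 40)),
    "build":    (["design"],           (15, 20, 35), (60, 80, 140)),
    "sec_test": (["build"],            (5, 7, 14),   (10, 15, 30)),
    "docs":     (["design"],           (3, 5, 8),    (5, 6, 10)),
    "release":  (["sec_test", "docs"], (1, 2, 4),    (2, 3, 6)),
}


def project_duration(durations: Dict[str, float]) -> float:
    """Completion time of the network: the longest predecessor chain (forward pass)."""
    finish: Dict[str, float] = {}

    def finish_of(task: str) -> float:
        if task not in finish:
            preds = TASKS[task][0]
            start = max((finish_of(p) for p in preds), default=0.0)
            finish[task] = start + durations[task]
        return finish[task]

    return max(finish_of(t) for t in TASKS)


def simulate(iterations: int = 5000, seed: int = 1) -> Tuple[List[float], List[float]]:
    """Monte Carlo run: each iteration draws every duration and cost from a
    triangular distribution built from its three-point estimate."""
    rng = random.Random(seed)
    durations, costs = [], []
    for _ in range(iterations):
        d = {t: rng.triangular(lo, hi, ml) for t, (_, (lo, ml, hi), _) in TASKS.items()}
        c = sum(rng.triangular(lo, hi, ml) for _, _, (lo, ml, hi) in TASKS.values())
        durations.append(project_duration(d))
        costs.append(c)
    return durations, costs


def probability_within(samples: List[float], limit: float) -> float:
    """Fraction of iterations finishing by `limit` days (or costing at most `limit`)."""
    return sum(1 for s in samples if s <= limit) / len(samples)


def percentile(samples: List[float], p: float) -> float:
    """Value below which p% of the iterations fall (nearest-rank method)."""
    ordered = sorted(samples)
    index = int(math.ceil(p / 100 * len(ordered))) - 1
    return ordered[max(0, min(len(ordered) - 1, index))]


def tornado() -> List[Tuple[str, float]]:
    """Sensitivity analysis: swing in completion time when one task moves from its
    optimistic to its pessimistic duration while every other task stays at its
    most likely value; largest swing first, as a tornado diagram would draw it."""
    base = {t: spec[1][1] for t, spec in TASKS.items()}
    swings = []
    for t, (_, (lo, _, hi), _) in TASKS.items():
        low, high = dict(base), dict(base)
        low[t], high[t] = lo, hi
        swings.append((t, project_duration(high) - project_duration(low)))
    return sorted(swings, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    durs, costs = simulate()
    print(f"mean duration {sum(durs) / len(durs):.1f} days, P80 {percentile(durs, 80):.1f} days")
    print(f"P(finish within 45 days) = {probability_within(durs, 45):.2f}")
    print(f"P(cost within 150k) = {probability_within(costs, 150):.2f}")
    for task, swing in tornado():
        print(f"{task:9s} swing {swing:5.1f} days")
```

The deterministic most-likely plan finishes in 39 days, but the simulation's mean sits well above that because the pessimistic tails are longer than the optimistic ones; the tornado shows that "docs" has zero swing because it is off the critical path, so uncertainty there does not need quantitative treatment at all, which is the point made above that not every risk is meaningfully quantifiable.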
Advantages of Quantitative Risk Analysis
Risks are sorted by their financial impact, assets by their financial value
The results can be expressed in a specific management terminology
The evaluation and the results are based on objective methods
Security level is better determined based on the three elements: availability, integrity and confidentiality
A cost-analysis can be implemented for choosing the best suited measures
Management performance can be closely watched
Data accuracy improves as the organization gains experience
Disadvantages of Quantitative Risk Analysis
The methods of calculation are complex
Without an automatic tool the process can be really difficult to implement
There are no standards and universally accepted information for implementing this method
The values of risk impacts are based on subjective opinions of people involved
The process takes a long time
The results are presented only in monetary values and are hard to understand by persons without experience
The process is very complex
Determining Impact
Through qualitative and quantitative risk analysis, you can define the potential risks by determining impacts to the following aspects of your project:
Activity resource estimates
Activity duration estimates
Schedule
Cost estimates
Budget
Quality
Procurements
IMPORTANCE OF RISK ANALYSIS
It enables the stakeholders to put together a contingency plan that could help them plan better and subsequently accept, relocate or reduce the risks.
Avoid potential litigation
Address regulatory issues
Comply with new legislation
Reduce exposure
Get a clear picture of where your assets lie.
Identifying potential threats.
Understanding the likelihood and impact of those threats.
Implement proactive processes to address and mitigate the impact.
PROCESS OF PRIORITIZING RISKS
Once the risks have been assessed and their interactions documented, it’s time to view the risks as a comprehensive portfolio to enable the next step – prioritizing for risk response and reporting to different stakeholders.
The term risk profile represents the entire portfolio of risks facing the enterprise. Some entities represent this portfolio as a hierarchy, some as a collection of risks plotted on a heat map.
Entities with more mature ERM programs and quantitative capabilities may aggregate individual risk distributions into a cumulative loss probability distribution and refer to that as the risk profile. Similar to assessing risks, ranking and prioritizing is often done in a two-step process. First, the risks are ranked according to one, two, or more criteria such as impact rating multiplied by likelihood rating or impact multiplied by vulnerability. Second, the ranked risk order is reviewed in light of additional considerations such as impact alone, speed of onset, or the size of the gap between current and desired risk level (risk tolerance threshold). If the initial ranking is done by multiplying financial loss by likelihood, then the final prioritization should take qualitative factors into consideration.
Hierarchies and Rolling Up and Drilling Down
The simplest way to aggregate risks is to organize them according to a hierarchy. This is often done in risk management systems where risks can be organized by organizational unit, risk type, geography, or strategic objective. The better systems allow users to roll up and drill down for analysis and reporting. This provides a complete listing of the assessed risks but does not help with prioritizing.
Risk Prioritization — the ranking of material risks on an appropriate scale, such as frequency and/or severity.
The process of risk prioritisation is affected by several factors including: risk attitude, risk sensitivity, resource availability, risk severity and risk manageability.
1. Risk Prioritisation by Attitude
An organisation’s risk attitude is made up of a combination of its risk appetite, risk tolerance and risk threshold. These three attributes are defined as:
Risk Appetite – The degree of uncertainty an entity is prepared to accept in pursuit of its objectives.
Risk Tolerance – The degree, amount, or volume of risk impact that an organisation or individual will withstand.
Risk Threshold – The level of uncertainty or impact at which a stakeholder will have a specific interest. Below the risk threshold, the stakeholder will accept the risk. Above the risk threshold, the stakeholder will not accept the risk. Some of the main risk areas around which organisational risk attitudes and thresholds are defined include: Finance, Health & Safety, Quality, Production/Performance, Environment, Social, Legal.
2. Risk Prioritisation by Sensitivity
Sensitivity analysis is a method of determining which risks will have the most potential impact on a project. This is typically done by interrogating the uncertainty levels in each risk, and comparing them to the uncertainty levels of all other risks.
In doing so, one can determine the extent to which the uncertainty of a risk may affect the outcome of a project in relation to the uncertainty of all other risks.
Another way of looking at this is to consider sensitivity as a function of change in risk outcome with respect to change in risk input. This applies equally to the range of uncertainty in risk occurrence as it does to the range of uncertainty in risk impact.
3. Risk Prioritisation by Resource Availability
This is not something that Risk Managers should be doing by choice but, sometimes, it is unavoidable and risks need to be prioritised in this way.
Prioritisation by resource availability should normally only occur in the event of assessment and/or control needing to be carried out by specialist resources, which are not readily available to the project.
This may include the use of human resources with specialist skills in assessing or controlling risks of a certain nature, or it may require the use of specialist materials or equipment needed to assess or control the risk.
In such cases, the affected risks will need to be placed on a monitoring list until such time that the required resources become available. If any changes in severity or manageability of the risk occur, the response plan may need to be revised to deal with these changes.
4. Risk Prioritisation by Severity
All things being equal (in terms of risk attitude and resource availability) risks are most often prioritised by their severity. That is, the higher the probability of risk event occurrence and the higher the impact of the risk event, the higher the risk response priority.
Determining the severity of a risk is initially done qualitatively. In most cases this would involve using a Probability/Impact matrix to define the severity ranking of a risk by multiplying its probability rank with its impact rank.
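An added worked example of the prioritisation process (illustration code for these notes, not from any ERM system): step one ranks risks by severity, the Probability/Impact matrix product of probability rank and impact rank; step two reviews that order against the risk attitude, promoting risks that sit above their area's threshold and ordering those by the size of the gap and then speed of onset; and a roll-up/drill-down helper aggregates the same list up the organisational hierarchy. The per-area thresholds, the exact review rule, and the sample risks are assumptions (the notes allow several review criteria; only one is implemented here).

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AssessedRisk:
    name: str
    unit: str             # organisational unit, used for roll-up / drill-down
    area: str             # risk area the attitude is defined for
    probability: int      # rank 1-5
    impact: int           # rank 1-5
    speed_of_onset: int   # rank 1-5, 5 = fastest


# Assumed risk thresholds per area (severity score above which the stakeholder
# will not accept the risk). The area names are the notes' own; the numbers are illustrative.
THRESHOLDS: Dict[str, int] = {"Finance": 12, "Health & Safety": 6, "Quality": 10}


def severity(r: AssessedRisk) -> int:
    """Probability/Impact matrix cell: probability rank multiplied by impact rank."""
    return r.probability * r.impact


def gap_to_threshold(r: AssessedRisk) -> int:
    """Positive when the risk sits above the stakeholder's threshold for its area."""
    return severity(r) - THRESHOLDS[r.area]


def rank_by_severity(risks: List[AssessedRisk]) -> List[AssessedRisk]:
    """Step 1: rank by impact multiplied by likelihood (stable sort, ties keep input order)."""
    return sorted(risks, key=severity, reverse=True)


def prioritise(risks: List[AssessedRisk]) -> List[AssessedRisk]:
    """Step 2 (assumed review rule): risks above their area threshold come first,
    ordered by the size of the gap and then speed of onset; the rest keep their
    severity order."""
    ranked = rank_by_severity(risks)
    above = [r for r in ranked if gap_to_threshold(r) > 0]
    below = [r for r in ranked if gap_to_threshold(r) <= 0]
    above.sort(key=lambda r: (gap_to_threshold(r), r.speed_of_onset), reverse=True)
    return above + below


def roll_up(risks: List[AssessedRisk], by: str = "unit") -> Dict[str, Dict[str, int]]:
    """Aggregate the assessed risks one level up the hierarchy (by unit or by area)."""
    summary: Dict[str, Dict[str, int]] = {}
    for r in risks:
        entry = summary.setdefault(getattr(r, by), {"count": 0, "max_severity": 0, "total_severity": 0})
        entry["count"] += 1
        entry["max_severity"] = max(entry["max_severity"], severity(r))
        entry["total_severity"] += severity(r)
    return summary


def drill_down(risks: List[AssessedRisk], by: str, value: str) -> List[AssessedRisk]:
    """The prioritised risks belonging to one node of the hierarchy."""
    return [r for r in prioritise(risks) if getattr(r, by) == value]


# Constructed sample portfolio (illustrative entries, not from a real organisation).
SAMPLE_RISKS = [
    AssessedRisk("Ransomware on file server", "IT", "Finance", 3, 5, 5),
    AssessedRisk("Forklift collision in loading bay", "Warehouse", "Health & Safety", 2, 4, 4),
    AssessedRisk("Late supplier invoice", "Finance", "Finance", 4, 2, 2),
    AssessedRisk("Defective production batch", "Production", "Quality", 3, 3, 3),
    AssessedRisk("Minor audit finding", "IT", "Quality", 2, 2, 1),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{severity(r):2d} gap {gap_to_threshold(r):+d}  {r.name} ({r.unit})")
    print(roll_up(SAMPLE_RISKS))
    print(roll_up(SAMPLE_RISKS, by="area"))
```

The forklift risk scores only 8, below the defective-batch risk at 9, yet the review step moves it ahead because the Health & Safety threshold is lower: this is the notes' point that severity alone is the starting order and attitude decides the final one.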