TOPIC 3: RISK MANAGEMENT PROCESS
Meaning of Terms
Strategies of Risk Management
Tactics to Mitigate Risks
Implementation Process of Risk Management
Effectiveness of the Risk Management Strategies
MEANING OF TERMS
A process is a series of actions that you take in order to achieve a result.
Risk Management is the process of identifying, assessing and controlling threats to an organization’s capital and earnings.
The Risk Management Process is a framework for the actions that need to be taken. … It begins with identifying risks, goes on to analyze risks, then the risk is prioritized, a solution is implemented, and finally, the risk is monitored. In manual systems, each step involves a lot of documentation and administration.
Risk Mitigation, within the context of a project, can be defined as a measure or set of measures taken by a project manager to reduce or eliminate the risks associated with a project. Risks can be of various types such as technical risks, monetary risks and scheduling-based risks. The project manager takes complete authority of reducing the probability of occurrence of risks while executing a project.
Risk transfer involves passing the risk to a third party. This doesn’t change or eliminate the risk; it simply gives another party the responsibility to manage the risk. Examples of risk transfer include insurance, performance bonds, warranties, fixed price contracts, and guarantees.
Risk retention can be defined as accepting the benefit of gain or loss when the risk occurs. This strategy can be used when the cost of insuring risk is greater over time than total losses incurred.
Risk avoidance usually involves developing an alternative strategy that has a higher probability of success but usually at a higher cost associated with accomplishing a project task.
Risk sharing involves partnering with others to share responsibility for the risk activities.
Project risk control and risk monitoring is where you keep track of how your risk responses are performing against the plan, as well as the place where new risks to the project are managed. You must remember that risks can have negative and positive impacts.
STRATEGIES OF RISK MANAGEMENT
Ideal use of these strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions. Different strategies to mitigate risk: Avoid, Accept/Retention, Reduce/Control, Sharing and Transfer.
1. Risk Avoidance
In simple terms, this method of mitigation involves the removal of the cause of the risk and therefore the risk itself. Ideally any approach involving avoidance is best implemented by the consideration and adoption of an alternative course of action. Risk avoidance is the act of taking some sort of action or putting plans in place that will greatly reduce the likelihood of the risk event ever happening, not just reducing its impact.
Risk avoidance strategies are directed to eliminating sources of risk or reducing substantially the likelihood of their occurrence.
Strategies for Risk Avoidance
How do we become a risk-avoidance-based organization, and is that a desirable state?
Understand the risk and impacts. An assessment of how the risk will impact only one area does not allow for good organizational decisions.
Ensure the risks and impacts are in business terms, not just technical or BC terms. If there are no real business impacts, what is the actual risk?
Update the risks and impacts. You should revisit your risk profile on a regular basis, at least annually.
Identify the risks that have remediation in place. Assess the effectiveness of that remediation (is it appropriate to the risk impact, will it work, etc.?).
Identify the risks that have no remediation in place. Document those risks and the reason why there is no remediation in place. This is where you must distinguish between choosing to accept a risk or to ignore it.
Conscious management decision based on impact, probability, cost, etc. (management accepts the risk).
No reason; the risk is identified, but no conscious decision has been made about how to handle it (management ignores the risk).
Assess the criticality of the task. Consider why performing the task is important or why a risk remediation solution is appropriate.
Calculate the financial benefits of the task. Directors must decide when the cost of the risk is greater than the cost of risk management and manage their plans accordingly.
Assess the availability of resources. If resources (budget, time, etc.) are not available to fully remediate the risk, identify a solution that may reduce risk, even if it does not reduce it to the appropriate level. Something is better than nothing.
2. Transference of Risks
Risk transfer is a common risk management technique where the potential loss from an adverse outcome faced by an individual or entity is shifted to a third party. To compensate the third party for bearing the risk, the individual or entity will generally provide the third party with periodic payments.
Strategies for Transference of Risks
i. Insurance policy
Insurance coverage is the amount of risk or liability that is covered for an individual or entity by way of insurance services. When an individual or entity is purchasing insurance, they are shifting financial risks to the insurance company. Insurance companies typically charge a fee – an insurance premium – for accepting such risks.
ii. Indemnification clause in contracts
Contracts can also be used to help an individual or entity transfer risk. Contracts can include an indemnification clause – a clause that ensures potential losses will be compensated by the opposing party. In simplest terms, an indemnification clause is a clause in which the parties involved in the contract commit to compensating each other for any harm, liability, or loss arising out of the contract.
iii. Reinsurance (Risk Transfer by Insurance Companies)
Although risk is commonly transferred from individuals and entities to insurance companies, the insurers are also able to transfer risk. This is done through an insurance policy with reinsurance companies. Reinsurance companies are companies that provide insurance to insurance firms.
iv. Hedging
Hedging is a way to transfer risk. Traders often use hedging to protect against risks when liquidating their trading position would be difficult or impossible. This allows the trader to match the profit and loss reporting for the hedge (a tradable financial instrument) and hedged item (the non-tradable investment).
v. Use of Credit Derivatives
A credit derivative is a financial contract that allows parties to minimize their exposure to credit risk. … It allows the creditor to transfer to a third party the potential risk of a debtor defaulting.
vi. Use of Performance Bonds
A performance bond is issued to one party of a contract as a guarantee against the failure of the other party to meet obligations specified in the contract. It is also referred to as a contract bond. A performance bond is usually provided by a bank or an insurance company to make sure a contractor completes designated projects.
vii. Use of credit guarantee (Parent and Third-Party Guarantees)
Commitment by an export credit agency to reimburse a lender if the borrower fails to repay a loan. The lender pays a guarantee fee.
A credit guarantee scheme provides third-party credit risk mitigation to lenders through the absorption of a portion of the lender’s losses on the loans made to a borrower in case of default, typically in return for a fee.
viii. Collateral transfers
Collateral Transfer is the provision of assets from one party (the Provider) to the other party (the Beneficiary), often in the form of a Bank Guarantee. … The parties agree to enter into a Collateral Transfer Agreement (CTA) which governs the issuance of the
ix. Use of warranties
A warranty is a contractual assurance from a seller to a buyer. It is a subsidiary or collateral provision to the main purpose of the agreement: the sale itself. A breach of warranty claim is an action for breach of contract and is subject to the normal legal requirements of proving loss.
3. Risk Retention/Acceptance
Risk retention is the practice of setting up a self-insurance reserve fund to pay for losses as they occur, rather than shifting the risk to an insurer or using hedging instruments. … A large deductible on an insurance policy is also a form of risk retention. By so doing, the risk of the organization is self-financed and managed.
Active Retention/Acceptance. The most common active acceptance strategy is to establish a contingency reserve, including amounts of time, money, or resources to handle the threat or opportunity. Some responses are designed for use only if certain events occur. In this case, a response plan, also known as a “Contingency Plan”, is developed by the project team that will only be executed under certain predefined conditions, commonly called “triggers.”
Passive Retention/Acceptance. Requires no action, leaving the project team to deal with the threats or opportunities as they occur.
A workaround is distinguished from a contingency plan in that a workaround is a recovery plan that is implemented if the event occurs, whereas a contingency plan is to be implemented if a trigger event indicates that the risk is very likely to occur.
4. Risk Sharing
Also known as “risk distribution,” risk sharing means that the premiums and losses of each member of a group of policyholders are allocated within the group based on a predetermined formula.
Strategies for Sharing Risk
i. Diversification means to put a little money in a lot of places so that the demise of one investment doesn’t wipe out the investor. That strategy has a direct corollary in business risk. In this strategy, a business or project leader allocates resources so that a problem or disruption has minimal impact on other aspects of the business.
ii. Outsourcing means taking the business unit or function, removing it from the organization itself, and subsequently contracting another entity to do the work. In many cases, when you outsource services, you are also outsourcing risk. This is especially true when the outsourced function is already far outside the business’s core competency.
iii. Forming risk-sharing partnerships and/or teams
A risk sharing partnership is a business partnership in which consequential costs and benefits are distributed amongst all participating partners.
iv. Using unique purpose companies, e.g. Special Purpose Vehicles
A Special Purpose Vehicle, also called a Special Purpose Entity (SPE), is a subsidiary created by a parent company to isolate financial risk. Its legal status as a separate company makes its obligations secure even if the parent company goes bankrupt.
v. Embracing joint ventures
A joint venture (JV) is a business arrangement in which two or more parties agree to pool their resources for the purpose of accomplishing a specific task. This task can be a new project or any other business activity. In a joint venture (JV), each of the participants is responsible for profits, losses, and costs associated with it. However, the venture is its own entity, separate from the participants’ other business interests.
IMPLEMENTATION PROCESS OF RISK MANAGEMENT
Step 1: Identify the Risk
The first step is to identify the risks that the business is exposed to in its operating environment. There are many different types of risks: legal risks, environmental risks, market risks, regulatory risks, and many more. It is important to identify as many of these risk factors as possible. In a manual environment, these risks are noted down manually. If the organization has a risk management solution employed, all this information is inserted directly into the system. The advantage of this approach is that these risks are now visible to every stakeholder in the organization with access to the system.
Step 2: Analyze the Risk
Once a risk has been identified it needs to be analyzed. The scope of the risk must be determined. It is also important to understand the link between the risk and different factors within the organization. To determine the severity and seriousness of the risk it is necessary to see how many business functions the risk affects. There are risks that can bring the whole business to a standstill if actualized, while there are risks that will only be minor inconveniences when analyzed. In a manual risk management environment, this analysis must be done manually. When a risk management solution is implemented, one of the most important basic steps is to map risks to different documents, policies, procedures, and business processes.
Step 3: Evaluate or Rank the Risk
Risks need to be ranked and prioritized. Most risk management solutions have different categories of risks, depending on the severity of the risk. A risk that may cause some inconvenience is rated low, while risks that can result in catastrophic loss are rated the highest. It is important to rank risks because it allows the organization to gain a holistic view of the risk exposure of the whole organization. The business may be vulnerable to several low-level risks, but it may not require upper management intervention. On the other hand, just one of the highest-rated risks is enough to require immediate intervention.
Step 4: Treat the Risk
Every risk needs to be eliminated or contained as much as possible. This is done by connecting with the experts of the field to which the risk belongs. In a manual environment, this entails contacting each and every stakeholder and then setting up meetings so everyone can talk and discuss the issues. In a risk management solution, all the relevant stakeholders can be sent notifications from within the system. The discussion regarding the risk and its possible solution can take place from within the system. Upper management can also keep a close eye on the solutions being suggested and the progress being made from within the system. Instead of everyone contacting each other to get updates, everyone can get updates directly from within the risk management solution.
Step 5: Monitor and Review the Risk
Not all risks can be eliminated – some risks are always present. Market risks and environmental risks are just two examples of risks that always need to be monitored. Under manual systems monitoring happens through diligent employees. These professionals must make sure that they keep a close watch on all risk factors. Under a digital environment, the risk management system monitors the entire risk framework of the organization. If any factor or risk changes, it is immediately visible to everyone. Computers are also much better at continuously monitoring risks than people.
Monitoring risks also allows your business to ensure continuity.
TACTICS OF MITIGATING RISKS
Tactics are the methods that you choose to use in order to achieve what you want in a particular situation.
1. Identify the risks early on in your project.
• Review the lists of possible risk sources as well as the project team’s experiences and knowledge.
• Brainstorm all potential risks.
• Brainstorm all missed opportunities if the project is not completed.
• Make clear who is responsible for what risk.
2. Communicate about risks
Pay attention to risk communication and solicit input at team meetings to ensure that your team perceives that risk management is important for the project.
Focus your communication efforts with the project sponsor or principal on the big risks and make sure you don’t surprise the boss or the customer.
Make sure that the sponsor makes decisions on the top risks, because some of them usually exceed the mandate of the project manager.
3. Consider opportunities as well as threats when assessing risks.
While risks often have a negative connotation of being harmful to projects, there are also “opportunities” or positive risks that may be highly beneficial to your project and organization. Make sure you create time to deal with the opportunities in your project.
Chances are that your team will identify a couple of opportunities with a high pay-off that may not require a big investment in time or resources. These will make your project faster, better and more profitable.
4. Prioritize the risks
Some risks have a higher impact and probability than others. Therefore, spend time on the risks that cause the biggest losses and gains. To do so, create or use an evaluation instrument to categorize and prioritize risks.
The number of risks you identify usually exceeds the time capacity of the project team to analyze and develop contingencies. Therefore, the process of prioritization helps the project team to manage those risks that have both a high impact and a high probability of occurrence.
5. Fully understand the reason and impact of the risks.
Traditional problem solving often moves from problem identification to problem solution. However, before trying to determine how best to manage risks, the project team must identify the root causes of the identified risks.
Risk occurs at different levels. If you want to understand a risk at an individual level, think about the effect that it has and the causes that can make it happen. The project team will want to ask questions including:
What would cause each risk?
How will each risk impact the project? (i.e., costs? lead time? product quality? total project?)
The information you gather in a risk analysis will provide valuable insights into your project and the necessary input to find effective responses to optimize the risks.
6. Develop responses to the risks.
Completing a risk response plan adds value to your project because you prevent a threat occurring or minimize the negative effects. To complete an assessment of each risk you will need to identify:
What can be done to reduce the likelihood of each risk?
What can be done to manage each risk, should it occur?
What can be done to ensure opportunities are not missed?
7. Develop the preventative measure tasks for each risk.
It’s time to think about how to prevent a risk from occurring or reduce the likelihood of it occurring. To do this, convert into tasks those ideas you identified that would help to reduce or eliminate risk likelihood.
8. Develop the contingency plan for each risk.
Should a risk occur, it’s important to have a contingency plan ready. Therefore, should the risk occur, you can quickly put these plans into action, thereby reducing the need to manage the risk by crisis.
9. Record and register project risks.
Maintaining a risk log enables you to view progress and make sure that you won’t forget a risk or two. It’s also a communication tool to inform both your team members, as well as stakeholders, about what is going on.
If you record project risks and the effective responses you have implemented, you will be creating a track record that no one can deny, even if a risk happens that derails the project.
10. Track risks and their associated tasks.
Tracking tasks is a day-to-day job for each project manager. Integrating risk tasks into that daily routine is the easiest solution. You may carry out risk tasks to identify or analyze risks or to generate, select and implement responses. The daily effort of integrating risk tasks keeps your project focused on the current situation of risks and helps you stay on top of their relative importance.
EFFECTIVENESS OF RISK MANAGEMENT STRATEGIES
Effectiveness of risk management strategies requires:
Clear expectations from ‘the top’
Appropriate capability (skills, resources, support)
Sound relationships with stakeholders
Integration of necessary risk management practices into the day-to-day activities and accountabilities of the management team
A commitment to continually learn and improve.
Considerations in Determining Mitigation Strategies
i. Understand the users and their needs.
The users/operational decision makers will be the decision authority for accepting and avoiding risks. Maintain a close relationship with the user community throughout the system engineering life cycle. Realize that mission accomplishment is paramount to the user community and acceptance of residual risk should be firmly rooted in a mission decision and primary mission.
ii. Seek out the experts and use them.
Seek out the experts within and outside technical centers that exist to provide support in their specialty areas. They understand what’s feasible, what’s worked and been implemented, what’s easy, and what’s hard. They have the knowledge and experience essential to risk assessment in their area of expertise. Know our internal centers of excellence, cultivate relationships with them, and know when and how to use them.
iii. Recognize risks that recur.
Identify and maintain awareness of the risks that are “always there”: interfaces, dependencies, changes in needs, environment and requirements, information security, and gaps or holes in contractor and program office skill sets.
iv. Encourage risk taking.
The point is that there are consequences of not taking risks, some of which may be negative. Help the customer and users understand that reality and the potential consequences of being overly timid and not taking certain risks in your program.
v. Recognize opportunities.
When considering alternatives for managing a particular risk, be sure to assess whether they provide an opportunistic advantage by improving performance, capacity, flexibility, or desirable attributes in other areas not directly associated with the risk.
vi. Encourage deliberate consideration of mitigation options.
Carefully analyze mitigation options and encourage thorough discussion by the program team. This is the form of the wisdom “go slow to go fast.”
vii. Understand not all risks require mitigation plans.
Risk events assessed as medium or high criticality should go into risk mitigation planning and implementation. On the other hand, consider whether some low criticality risks might just be tracked and monitored on a watch list.
Risk control is the stage where the actions to identify and implement safety measures to control risks are performed, having in mind the protection of workers’ health and safety, as well as their monitoring over time.
Risk control includes design, planning and implementing of safety control measures, as well as training and worker information.
A. Designing safety control measures
The first step of risk control is the design of the safety control measures to eliminate risks. The risks that cannot be avoided or eliminated should be reduced to an acceptable level, i.e. the residual risk shall be minimized according to the ALARP (as low as reasonably practicable) principle. The residual risk should be controlled.
B. Implementing safety control measures
The safety control measures to be implemented should be based on updated technical and/or organisational knowledge, and good practices. Safety control measures implementation should be done using the following hierarchy order:
The aim of implementation of prevention measures is to reduce the likelihood of work accident or occupational disease occurrence. These include:
Information and training (awareness)
Establish appropriate working procedures and supervision
Management and proactive monitoring
Routine maintenance and housekeeping procedures
Reduce levels of hazardous materials. For instance provide effective ventilation through local or general exhaust ventilation systems.
Substituting the risk by a less risky material, equipment or substance
Protection measures
Implementation of Protection measures includes
Enclose or isolate the risk through the use of guards, protection of machinery and parts, or remote handling techniques;
Physical barriers (anti-drop networks, railings, packaging, acoustic, thermal or electrical barriers);
Using organizational or administrative measures to diminish the exposure duration: job rotation of workers; timing the job so that fewer workers are exposed; Implementation of safety signs, for instance restricting entry to authorized persons.
Use of Personnel Protective Equipment (PPE) to protect worker from the residual risk. The worker should participate in the selection of PPE and should be trained in its use.
The company needs to be prepared (emergency preparedness) and to have mitigation measures implemented.
Warning systems (alarms, flashing lights),
Test of emergency procedures,
Exercises and drills,
Fire-extinguishing system, or
C. Training and information
Managers must know the risks their workers are exposed to. Workers must know the risks they are exposed to. Providing information and training courses to workers is a legal requirement, for workers have the “Right to Know” about the hazards they are exposed to, the harm they might cause, and precautions that could prevent these harmful effects.
Review and update
The risk management process should be reviewed and updated regularly, for instance every year, to ensure that the safety measures implemented are adequate and effective. The review of the risk management process should consider a variety of types of information and draw them from a number of relevant perspectives (e.g. staff, management, stakeholders).