Breaking Down Risk Management
According to Maria Lazarte of ISO.Org, “risk is the effect of uncertainty on an organization’s objectives.” In other words, risk is any factor that may expose a business to some form of danger. However, it must be noted that risks can also create opportunities if proper risk management procedures are in place.
What is Risk Management?
According to the UN, risk management “means applying a systematic approach to assessing and acting on risks in order to ensure that organizational objectives are achieved.” There are many types of risks and each one may require a unique approach. Therefore, a robust risk management process is vital to business survival, growth and success.
Understanding the Risk Management Process
As mentioned before, several types of risks exist. Some of these risks overlap in how they present and in the effect they may have; however, the established definitions of the terms differ, and those differences should be respected in order to identify the right response to the particular risk being faced at a given time. Categories of risks include:
- Enterprise Risks
- Operational Risks
- Business Risks
- Security Risks
- Information Security Risks
- Project Risks
- Program Risks
- Portfolio Risks
- Employee Risks
This list is in no way exhaustive and the term used really depends on the situation and the speaker. Also, while there will be some overlap, the risk management procedures adopted by a business may look different for each of the above terms.
Project Risks versus Program Risks
A project differs from a program in that it is a singular event designed to create a solution for a problem or meet a business need. Projects have objectives that must be achieved, a completion deadline that is expected to be met and a budget that should ideally be adhered to. The scope of a project is often narrow and the project ceases to exist once the objectives are met (or the project is abandoned).
On the other hand, a program has a longer life span than a project as well as a broader scope. In fact, a single program may contain several projects and may be part of a portfolio along with several other programs and projects. Note that a portfolio differs from a program in that it captures the organizational scope, which is much larger than the program scope.
The project manager is responsible for project risks while the program manager is responsible for program risks. Depending on the nature of the project, the project manager may also report to the program manager. It is possible for poor risk management of a project to directly affect a program and vice versa, or for poor risk management at either level to directly affect the portfolio without directly impacting each other.
The Basic Risk Management Process
A basic risk management process involves four main steps. These are as follows:
- Identification: This involves identifying possible risks/threats. These should be identified at the start of a project or program and as they occur throughout the life of said project or program. New risks may arise at any time and old risks may disappear due to external and internal factors/changes.
- Analysis and Evaluation: This step includes assessing the likelihood of the identified risk occurring and the impact the business can expect. A simple risk map divides these into “high” or “low” but this is inadequate. At a minimum, high-level, medium-level and low-level risks and their impact need to be identified.
- Response: Where a risk is realized, a solution (ideally a preplanned one) needs to be implemented in response to the risk.
- Monitoring and Evaluation: The solution/response needs to be monitored and evaluated with the appropriate action(s) being taken where action is required.
Some process tools and techniques include:
- Risk Management Plan
- Work Breakdown Structure (WBS)
- Critical Path Method (CPM)/Critical Path Analysis (CPA)
- Techniques for Risk Identification:
  - Facilitated Workshops
  - SWOT Analysis
  - Event Inventories
  - Loss Event Data
  - Scenario Analysis
  - Risk Surveys and Questionnaires
- Techniques for Risk Assessment:
  - Risk Maps and Rankings
  - Impact and Probability
For clarification, think of a tool as something necessary to carry out a task (example: a chart) while a technique can be viewed as a systematic approach to carrying out said task. As such, tools are used to perform techniques. The line between a tool and a technique may be blurred at some points, however, so there is a “gray” area to consider.
Admittedly, risk management at any level is a complex process to manage. The main issue faced is the demand placed on the ability to make predictions, especially when there is no historical data to turn to. While it is not necessarily limited to this factor, the lack of historical data is predominantly seen when risk management is being done within a business innovation framework.
Luckily, businesses can overcome most of the challenges presented through proper data collection, storage and analysis whether this data represents “what was” (i.e. the past), “what is” (i.e. the present) or the “to be” (i.e. the expected future). The rest of the solution will rest in the ability to think creatively and to move beyond traditional approaches as the need arises. The willingness to operate in iterations will also have a tremendous effect on the business’ efforts.
See the following for more information:
Risk Management Definition:
Risk Management Tools and Techniques Articles: http://erm.ncsu.edu/library/categories/category/risk-management-tools-and-techniques
Enterprise Risk Management: Tools and Techniques for Effective Implementation: http://www.stjohns.edu/sites/default/files/documents/academics/tobin/enterprise_tools_and_techniques.pdf
Help at hand for risk management with ISO/TR 31004: http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1791