Risk framework

A Framework for Risk Management
Risk management is the identification, assessment and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of an action or event identified as a risk.
The framework presented in the deck runs through these steps: identify the risk; assess its possible impact; quantify it by calculating an RPN (Risk Priority Number, the product of severity, occurrence and detection scores); determine its monetary value; record the current controls; identify the residual risk by revisiting the RPN after those controls; recalculate the monetary value; classify the risk on the residual RPN; choose a Risk Management Strategy (RMS); prepare a Risk Treatment Plan (RTP) describing how the risk is handled; and finally monitor and close the risk.


  1. Risk Management Framework (www.sdgc.com, SDG Confidential & Proprietary)
  2. Introduction. What is Risk? Risk may be defined as "the threat or probability of an action or event that may adversely affect an organization's ability to achieve its objectives". What is Risk Management? Risk management is the identification, assessment and prioritization of risk, followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of the action or event identified as a risk.
  3. The Risk Framework. Risk Identification; Assess the Possible Impact; Quantify the Risk (Risk Priority Number); Determine Monetary Value; Determine the Current Control; Identify Residual Risk (Revisit RPN); Determine Monetary Value; Classify Risk Based on Residual RPN; Risk Management Strategy; Risk Treatment Plan; Risk Monitoring & Closure.
  4. Risk Identification. Risk shall be identified by identifying any activity that may impact the organization's business, reputation, profitability, operations, effectiveness, productivity, etc. The two worked examples carried through the deck are "Laptop not working" and "SSO ID requested without BGC is complete" (a single sign-on account requested before the background check has finished).
  5. Assess the Possible Impact. The impact of each risk on the desired end result shall be assessed by the respective process owners. Laptop not working: project delivery timeline may be impacted. SSO ID requested before BGC is complete: breach of compliance.
  6. Quantify the Risk - Severity. For every risk event the severity of the impact that the risk may have on the desired output shall be identified and captured in the Risk Template. Note: rated on a scale of 1-10, where 1 is least severe and 10 extremely severe. Laptop not working: Sev 10. SSO ID before BGC: Sev 9.
  7. Quantify the Risk - Occurrence. The periodicity of occurrence of the identified risk shall be determined and captured. Note: rated on a scale of 1-10, where 1 means rarely occurring and 10 very frequently occurring. Laptop not working: Occ 10. SSO ID before BGC: Occ 5.
  8. Quantify the Risk - Detection. The probability of detecting the identified risk shall be determined and captured. Note: rated on a scale of 1-10, where 1 means easily detectable and 10 means not detectable. Laptop not working: Det 3. SSO ID before BGC: Det 4.
  9. Quantify the Risk - Risk Priority Number. Multiply Severity (Sev), Occurrence (Occ) and Detection (Det) to get the Risk Priority Number (RPN). Laptop not working: 10 x 10 x 3 = 300. SSO ID before BGC: 9 x 5 x 4 = 180. Note: the higher the RPN, the higher the priority given to the risk. Because the RPN is a product of three ordinal scores, very different profiles can produce the same number; a rare, easily detected event with severity 10 (10 x 1 x 3 = 30) scores lower than a frequent, moderate one, so a high severity score should be reviewed on its own and not only through the RPN.
  10. Determine Monetary Value. Every risk shall be captured in terms of the monetary impact associated with it. This can be the cost of replacement, cost of lost opportunities, cost of poor quality, cost of correction and corrective action, cost of prevention and preventive action, cost of repair/rework, etc. (The example table in the deck leaves this column blank for both risks.)
  11. Determine the Current Control. The current controls in place for avoiding, reducing or transferring the impact or occurrence of the risk event shall be determined. Laptop not working: a replacement system can be arranged. SSO ID before BGC: a documented process is in place to ensure that the request is sent only after the BGC is cleared (green).
  12. Identify Residual Risk (Revisit RPN). Reassign the Severity, Occurrence and Detection values taking the current controls into account. The new RPN derived from these values is the residual risk (residual RPN). Laptop not working: 6 x 2 x 3 = 36. SSO ID before BGC: 9 x 5 x 3 = 135. Note that the documented process only improves detection (4 to 3); it changes neither severity nor occurrence, which is why this risk stays High.
  13. Determine Monetary Value. The monetary value shall be recalculated after the current controls have been determined.
  14. Classify Risk Based on Residual RPN. Risk shall be classified as Critical, High, Medium or Low based on the residual RPN. Risk impact categorization: Critical: residual RPN greater than or equal to 300. High: residual RPN from 100 to 299. Medium: residual RPN from 60 to 99. Low: residual RPN less than 60. Laptop not working (36): Low. SSO ID before BGC (135): High.
  15. Risk Management Strategy. The strategy used to handle a particular risk shall be identified as one of the four options below. Accept (the risk): acceptance involves making a conscious decision to accept the outcome should the risk event occur. Avoid (the risk): the organization may avoid the risk by deciding to stop, postpone, cancel, divert or discontinue an activity that may be the cause of that risk. Reduce (the risk): risk may be reduced by implementing controls that do so. Transfer (the risk): risk can also be transferred to a third party (an insurance company, a sub-contractor, etc.). Laptop not working: Accept. SSO ID before BGC: Reduce.
  16. Risk Treatment Plan. The risk treatment plan shall outline the steps, controls etc. implemented in accordance with the chosen Risk Management Strategy. SSO ID before BGC: the BGC clearing date is to be a mandatory field on the SSO ID request form. A mandatory form field is a procedural control; it only lowers occurrence if the provisioning step actually rejects requests whose BGC date is missing or not yet cleared, so the residual scores should be revisited once that enforcement is verified.
  17. Responsibility. Responsibility for each risk treatment plan shall be assigned to identified individuals. SSO ID before BGC: XYZ.
  18. Risk Monitoring & Closure. Process owners are to revisit the risk register once every month, or sooner, to review the residual RPN. Critical and High risks from all departments (HR, Admin, Technology etc.) are to be compiled and sent to the PDQ team for consolidation every quarter. PDQ will present them for quarterly review by Ajay, Deepak, Nag, Kaushal and whoever they feel needs to be part of the review process. Once the risks have been reviewed and actions identified, PDQ will publish an organizational risk register to the relevant stakeholders every quarter.
  19. THANK YOU

Risk register as filled in by the end of the deck (the slides populate it one column at a time; the monetary value columns are left blank on every slide):

Row 1
  Risk: Laptop not working
  Possible impact: Project delivery timeline may be impacted
  Sev / Occ / Det / RPN: 10 / 10 / 3 / 300
  Monetary value: (blank)
  Current control: Replacement system can be arranged
  Residual Sev / Occ / Det / RPN: 6 / 2 / 3 / 36
  Monetary value after controls: (blank)
  Classification: Low
  Strategy: Accept
  Treatment plan: (blank)
  Responsibility / Date: (blank)

Row 2
  Risk: SSO ID requested without BGC is complete
  Possible impact: Breach of compliance
  Sev / Occ / Det / RPN: 9 / 5 / 4 / 180
  Monetary value: (blank)
  Current control: Documented process in place to ensure that the request is sent only after BGC is cleared (green)
  Residual Sev / Occ / Det / RPN: 9 / 5 / 3 / 135
  Monetary value after controls: (blank)
  Classification: High
  Strategy: Reduce
  Treatment plan: BGC clearing date to be mentioned on the SSO ID request form as a mandatory field
  Responsibility / Date: XYZ / (blank)
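The scoring, residual-RPN and classification steps above are mechanical enough to put in a small risk register. The following is an added example written for this page; it is not code from the slide deck or from SDG. The 1-10 scales, the RPN product, the Critical/High/Medium/Low bands and the two sample rows are taken from the slides; the `Risk` dataclass, the `validate` checks and the third "signing key" row are this example's own constructions and illustrate the severity-masking caveat noted on the RPN slide.

```python
"""FMEA-style risk register following the RPN framework on this page.

Added example, not part of the original slide deck. Scores, thresholds and
the first two risks come from the slides; the class and helper names, the
validation checks and the third (constructed) row are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Residual-RPN bands from the classification slide, checked top-down.
BANDS = (("Critical", 300), ("High", 100), ("Medium", 60), ("Low", 0))

# The four strategy options from the Risk Management Strategy slide.
STRATEGIES = {"Accept", "Avoid", "Reduce", "Transfer"}


def rpn(sev: int, occ: int, det: int) -> int:
    """Risk Priority Number = Sev x Occ x Det, each scored 1-10."""
    for name, value in (("sev", sev), ("occ", occ), ("det", det)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name}={value} is outside the 1-10 scale")
    return sev * occ * det


def classify(residual_rpn: int) -> str:
    """Map a residual RPN onto Critical / High / Medium / Low."""
    for label, floor in BANDS:
        if residual_rpn >= floor:
            return label
    raise AssertionError("unreachable: BANDS ends with floor 0")


@dataclass
class Risk:
    event: str
    impact: str
    sev: int
    occ: int
    det: int
    current_control: str = ""
    res_sev: Optional[int] = None   # re-scored after current controls
    res_occ: Optional[int] = None
    res_det: Optional[int] = None
    strategy: Optional[str] = None
    treatment: str = ""
    owner: str = ""

    @property
    def initial_rpn(self) -> int:
        return rpn(self.sev, self.occ, self.det)

    @property
    def residual_rpn(self) -> int:
        # Until the controls are re-scored nothing has been reduced.
        if None in (self.res_sev, self.res_occ, self.res_det):
            return self.initial_rpn
        return rpn(self.res_sev, self.res_occ, self.res_det)

    @property
    def classification(self) -> str:
        return classify(self.residual_rpn)

    def validate(self) -> list[str]:
        """Checks a process owner should run before the monthly review."""
        problems = []
        if self.strategy not in STRATEGIES:
            problems.append(f"{self.event}: strategy must be one of {sorted(STRATEGIES)}")
        if self.strategy in ("Reduce", "Transfer") and not self.treatment:
            problems.append(f"{self.event}: {self.strategy} chosen but no treatment plan")
        if self.classification in ("Critical", "High") and not self.owner:
            problems.append(f"{self.event}: {self.classification} risk has no owner")
        # RPN multiplies ordinal scores, so a severity-10 event that is rare
        # and easy to detect can land in 'Low'. Surface it for manual review.
        effective_sev = self.res_sev if self.res_sev is not None else self.sev
        if effective_sev >= 9 and self.classification == "Low":
            problems.append(f"{self.event}: severity {effective_sev} masked by low RPN")
        return problems


def build_register() -> list[Risk]:
    """The two rows from the slides plus one constructed row (hypothetical)."""
    return [
        Risk("Laptop not working", "Project delivery timeline may be impacted",
             10, 10, 3, "Replacement system can be arranged", 6, 2, 3, "Accept"),
        Risk("SSO ID requested without BGC is complete", "Breach of compliance",
             9, 5, 4, "Documented process: request sent only after BGC is cleared",
             9, 5, 3, "Reduce",
             "BGC clearing date mandatory on the SSO ID request form", "XYZ"),
        # Constructed for this example, not from the slides.
        Risk("Release signing key leaked", "Attacker can sign arbitrary builds",
             10, 1, 3, "Key held in an HSM", 10, 1, 3, "Reduce",
             "Rotate key, review HSM access logs", "Sec"),
    ]


def summarize(register: list[Risk]) -> list[dict]:
    """One row per risk with the numbers the register review needs."""
    return [{"event": r.event, "rpn": r.initial_rpn, "residual": r.residual_rpn,
             "class": r.classification, "strategy": r.strategy,
             "problems": r.validate()} for r in register]


if __name__ == "__main__":
    for row in summarize(build_register()):
        print(row)
```

Running it reproduces the deck's numbers (300 to 36, Low, Accept; 180 to 135, High, Reduce) and flags the third row: its residual RPN of 30 classifies as Low even though the severity is 10, which is exactly the case the RPN product hides and the reason the classification should not be the only trigger for review.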
