An introduction to Risk Management

1. Introduction to
Risk Management
Kannan Subbiah
Director, Operations
Knowledge Universe Technologies India
1

2. Objectives
 Understanding Risk
 Risk Management as a process
 Exercise
 Q&A
2

3. How to learn Risk Management?
 http://www.youtube.com/watch?v=laKprX-HP94&feature=related
3

4. What is a Risk?
A risk is ANYTHING that may affect the achievement of
an organization’s objectives.
It is the UNCERTAINTY that surrounds future events
and outcomes.
It is the expression of the likelihood and impact of an
event with the potential to influence the
achievement of an organization’s objectives.
4

5. Alternatively …
 Risk is a potential event with negative consequences that
had not happened yet
 Could also be an event with positive consequences
 A possibility of loss – not the loss itself
 A source of problem
 Find the root cause and not the leaves
 Something that makes the project special
 In the widest sense, everything is a risk
 Helps identify better ways of handling problems
5

6. Why do we need Risk Management?
The only alternative to risk management is crisis management --- and
crisis management is much more expensive, time consuming and
embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
Without good risk management practices, government cannot
manage its resources effectively. Risk management means more
than preparing for the worst; it also means taking advantage of
opportunities to improve services or lower costs.
Sheila Fraser, Auditor General of Canada
6

7. How does Risk Management help?
 Increase risk awareness & understanding
 Allows intelligent “informed” risk-taking.
 Focuses efforts –helps prioritize.
 Is proactive…. not reactive – Prepare for risks
before they happen.
 Improve outcomes – achievement of objectives
 Enables accountability, transparency and
responsibility
 And maybe even mean survival
7

8. Key Terms
 Risk – Exposure to chance of hazard
 Risk Level – A measure to represent the significance of the risk
 Controls – Action(s) that could eliminate or reduce the risk
level
 Residual Risk – Risk level after implementing controls
 Risk Response – An action on the risk, whether to accept, or
not to accept
8

9. Exercise - I
 Think of a risk in your daily life
 Determine the probability of occurrence
 Make an assessment of an impact, if it occurs.
9

10. Who is involved?
 Customer
 End user
 Project Team
 Senior Management
 Related Project teams
 Vendors and suppliers
10

11. When?
 A continuous process
 Starts from proposal stage
 Ends on project completion
 Review stages
 Business case analysis
 Project approval
 Project planning
 Technology, Tools & Vendor selection
 Project status reviews
 Deployment and Maintenance
11

12. Risk Management Basics
 Risk (uncertainty) may affect the achievement of
objectives.
 Effective mitigation strategies/controls can reduce
negative risks or increase opportunities.
 Residual risk is the level of risk after evaluating the
effectiveness of controls.
 Acceptance and action should be based on residual
risk levels.
INHEREN
T
12

13. A Simple Framework
Step 1 Step 2 Step 3 Step 4 Step 5
Assess
Identify Evaluate
Establish Risks & Monitor
Risks & & Take
Objectives Controls & Report
Controls Action
Communicate, learn, improve
13

14. Risk Identification Techniques
 Brainstorming
 Interviewing
 Root cause analysis
 Checklists
 SWOT
14

15. Risk Management is critical to ALL levels of
decisions
UNCERTAINTY
Strategic Decisions
S trat
egi c eg ic
S trat
Decisions transferring
strategy into action
e
Pro g mm
ra mme gra
Pro
Decisions required for
implementation
Pro
jec l
t& ona
Op e ra ti
r atio & Ope
nal je ct
Pr o
Decisions can be categorized into three types. The amount of risk
(uncertainty) varies with the type of decisions. Most decisions
are concerned with implementation. The HM Treasury’s The Orange Book 15

16. Risk Environment
External Risk Environment
MOHLTC Extended
Extended
Enterprise
P ep
P
u b ti
la &
er
ns
gu ws
c
lic o n
t io
Internal
re La
MOHLTC
Risk Environment
i c c/
O Go
ol gi
P at e
rg ve
y
Or
r
a rn
Pa iz at
nito
ni a
tr
ga
S
za nc
rtn ion
s
ni s r
t io e
n
o
M i th e
tr ie
Es
er
M
na
-
O
l
t ab
s
e c
Co m al /
plian
F ina
li s
Le g
h
Evaluate
ncia
Outcomes
Capacity
Political
Communication Communication Communication
l
& Learning & Learning & Learning
T r c ou r na
Ide
an
A c ove
olo n
sfe ntabi c e
c hn a t i o
gy
G
nt
r P l i ty
T e or m
ay
ify
me
f
In
n
nt
Assess
&
In l
f orm na
atio ra tio
n Human O pe
Resources
io r
at de
ns
ct ol
pe eh
T h nom
E
e x ta k
co
e y
S
LHINs
Corporate Governance
Requirements
16

17. Categorizing Risk – Comprehensive
1. Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
Slide 17
17

18. Risk Prioritization – likelihood and impact
Likelihood of a risk event occurring Risk Impact: Level of damage that can
occur when a risk event occurs
 Very High: Is almost certain to occur
 Very High: Threatens the success of the
project
 High: Is likely to occur
 High: Substantial impact on time, cost or
quality
 Medium: Is as likely as not to occur
 Medium: Notable impact on time, cost or
quality
 Low: May occur occasionally  Low: Minor impact on time, cost or quality
 Very Low: Negligible impact
 Very Low: Unlikely to occur
Slide 18
18

19. Third dimension for rating risks - proximity
 Immediate – now
 Less than 6 months
 Between 6-12 months
 Between 12 – 24 months
 Between 24 – 36 months
 More than 36 months
19

20. Risk rating
…Combining impact and likelihood
RISK PRIORITIZATION MATRIX
5
RISK
4 IxL
IMPACT
RISK
3 IxL
2
RISK
1 IxL
1 2 3 4 5
LIKELIHOOD
Slide 20
20

21. Risk reporting and communications
Risk Level Action and Level of Involvement Required
• Inform Chief Executive Officer and Board of Directors
Critical Risk
• Immediate action required
• Inform Chief Executive Officer
High Risk • Strategy Team involvement/attention is essential to manage risks
– provide report to Board as appropriate
• Management mitigation and ongoing monitoring required
Moderate Risk
• Inform relevant Strategy Team members
• Accept, but monitor risks
Low Risk
• Manage by routine procedures within the program and site
21

22. 22

23. Measure and report RM implementation progress
• Advanced capabilities to identify, measure, manage all risk exposures within
tolerances
Excellent • Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
Strong • Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk adjusted
returns
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
Adequate
• Performing good classical “silo” based risk management
• Not fully developed process to optimize risk adjusted returns
• Incomplete control process for one or more major risks
Weak • Inconsistent or limited capabilities to identify, measure or manage major risk
exposures
Source: Standard & Poor
23

24. The Cyclist and the Risk Manager
24

25. Exercise II – 15 minutes
 Identify risks that the cyclists faces in cycling to work.
 Report back.
25

26. Risks
Threats: Opportunities:
 Death  Exercise
 Head Injury  Sunlight
 Injury  Reputation
 Reputation  Financial
 Financial  Role model
 Damage to the bike  Environment
 Sunburn/frost bite
26

27. Mitigation Strategies for threats
 Death, head injury, other injury – helmet, bright clothes,
lights, bell, CANbike course, obeying traffic laws, positive
attitude, anger management course
 Reputation – great outfit, change of wrinkle-free clothes,
shower, time management
 Financial – high quality locks, “beater”, stopping at stop
signs
 Damage to the bike – regular maintenance, avoiding pot
holes
 Sunburn/frost bite – sunscreen, mittens, hats, token/change
 Dehydration- filled water bottle
27

28. Acknowledgements
 Practical approach to Risk Management - by Finance Management Institute,
Toronto Chapter.
 Introduction to Risk Management for Outsourcing projects - by Peter Kolb
28

29. Questions?
29