Risk Management based on Best Practices and Standards
1. Dr. Fahim K Sufi,
PhD (Comp Sc), M Eng (Comp Sys), Dip (Mgmt), Grad Cert (Res Com), B (Comp Sc),
Cert IV (TAE), ITIL V3, TOGAF 9 (Certified), PRINCE2 (Registered Practitioner)
Sr Consultant ICT Affairs
Defence, Military, Cyber War
+971551924479 (UAE)| 0423237915 (AU) | +447839111901 (UK)
contact@fahimsufi.com
January, 2017
2. Definition & Background
According to ISO Guide 73 Risk Management Vocabulary 2009 (page 3), Risk Management is a
holistic management process of systematic application of management policies, procedures and
practices to the activities of communicating, consulting, establishing the context and identifying,
analysing, evaluating, treating, monitoring and reviewing risk.
The alternative to risk management is risky management (AS/NZS 4360:2004 Companion P 7)
Risks are defined by the likelihood of an event occurring and direct the organisation’s operation in
relation to risk.
Increasingly Government & Private Enterprises are asked to document and demonstrate their risk
management policy and processes.
Risk management involves managing:
What could go wrong (i.e. Risks)
What impact would these have
What can be done to mitigate the risk
Who owns the mitigation plan
…
Risks | Issues
A possible event that may or may not occur | An event that has actually occurred
Based on conjecture & anticipation | Based on responsiveness & realization
Includes prevention & mitigation steps | Includes action & resolution steps
3. Benefits of Risk Management
Fewer surprises
Exploitation of opportunities
Improved planning, performance and effectiveness
Economy and efficiency
Improved stakeholder relationships
Improved information for decision making
Enhanced reputation
Director protection
Accountability, assurance and governance
Personal wellbeing
4. Risk Management – a one page summary
Source: AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines
5. Risk management principles
It creates and protects value
It is an integral part of all organisational processes
It is part of decision making
It explicitly addresses uncertainty
It is systematic, structured and timely
It is based on the best available information
It is tailored
It takes human and cultural factors into account
It is transparent and inclusive
It is dynamic, iterative and responsive to change
It facilitates continual improvement of the organisation
6. Risk Management Process
Establishing the context
• Internal context
• External context
• Risk management context
• Development of criteria
Risk Assessment
  Risk Identification
  • What can happen? When & where? How & why?
  Risk Analysis
  • Causes & sources of risk, positive & negative consequences, likelihood of consequences occurring, existing controls & their effectiveness
  Risk Evaluation
  • Compare against criteria, set priorities, make decisions for treatment
Risk Treatment
• Identifying options
• Assessment of options
• Preparation & implementation of treatment plans
• Analysis & evaluation of residual risks
Communication & Consultation and Monitoring & Review run alongside every step of the process.
Revised from AS/NZS ISO 31000:2009
7. Communication & Consultation
Communication & Consultation Preferences (social-style matrix)
Axes: Task focused (controls) vs People focused (emotes); Introverted (measured pace & tends to ask) vs Extroverted (rapid pace & tends to tell).
• Analyst (task focused, introverted): thorough, focused on high quality, deliberate. "Let's do it right first time."
• Driver (task focused, extroverted): focused on results & business, direct, clear, concise. "Get the job done."
• Expressive (people focused, extroverted): enthusiastic, feeds off the energy of others. "Show me the next big idea."
• Amiable (people focused, introverted): values people & team, support over the long term. "Let's talk about the impact on our people."
Stakeholder identification matrix: Level of Influence vs Level of Interest, with four engagement levels: Inform, Consult, Involve & Consult, Collaborate & Empower.
8. Establishing the context
External factors:
• Politics
• Economics
• Socio-cultural factors
• Technology
• Legal obligations
• Ecology and environmental factors
• Actions of established competitors
• Relationships between the organization and its clients and suppliers
• New and unknown competitors
• Competitive substitute services or products
• …
Internal factors:
• Poor processes and procedures
• Inadequate or inappropriate human resources
• Low quality service or product offerings
• Malevolent cultures
• Unsuitable management of leadership practice
• Inappropriate value sets
• Outmoded corporate paradigms
• Lack of infrastructure and technology
• Poor communication
• …
This step is all about defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.
9. Risk Identification
Every enterprise should identify sources of risk, areas of impact, events (including changes in circumstances), their causes and their potential consequences. The aim of this step is to generate an exhaustive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of business objectives.
1. What is the source of each risk?
2. What might happen that could:
   a) Increase or decrease the effective achievement of objectives
   b) Make the achievement of the objectives more or less efficient (financial, people, time)
   c) Cause stakeholders to take action that may influence the achievement of objectives
   d) Produce additional benefit
3. What would the effect on objectives be?
4. When, where, why and how are these risks (both positive and negative) likely to occur?
5. Who might be involved or impacted?
6. What controls presently exist to treat this risk (maximize positive risks or minimize negative risks)?
7. What could cause the control not to have the desired effect on the risk?
The following points should also be considered during the risk identification process:
Reliability of the information
Comprehensiveness of the list of risks
Requirement for additional research into specific risks
Adequate coverage of scope and objectives
Involvement of the right people
10. Likelihood scale
Description | Likelihood of occurrence | Indicative frequency
Rare | Event may only occur in exceptional & unlikely circumstances | Once every thirty years
Unlikely | The event may occur at some time, but is unlikely | Once every ten years
Moderate | The event should occur at some time | Once in three years
Likely | The event will probably occur in most circumstances | Once in six months
Almost certain | The event is expected to occur in most circumstances | Once a month or more frequently
In the risk management context, likelihood refers to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (e.g. probability or frequency over a given period of time).
11. Risk Consequence Criteria
Criteria | Description
Availability | The availability of existing facilities must be maximized by reducing the disruption to current business operations as far as possible
Community relations | The highest standards of community consultation and liaison must be maintained
Economics | The project must be clearly justifiable in economic terms, measured by profitability and rate of return
Environment | The solution to the technical issues must be environmentally sound; an alternative solution should be available
Funding | Avoid expenditure outside allocated budgets; maximize the use of special purpose grant funds
Industrial relations | Optimize industrial relations by negotiation with staff representatives and use of appropriate enterprise agreements
Probity | Good corporate governance and transparent decision making are regulatory requirements
Quality | The client requires equipment that is properly engineered and reliable
Safety | Project delivery processes must ensure the highest standards of safety; contract conditions must contain appropriate clauses
Staff development | The project delivery method and outcomes should enhance the core skills of the organization and the abilities of the staff involved
Timing | The project must be completed by the specified time
Consequence is the outcome of an event affecting objectives. It can be expressed qualitatively or quantitatively, can be certain or uncertain, and can have positive or negative effects on objectives.
12. Consequence Types
Columns: Severity level | Business interruption | Environmental damage | Financial | Human | Reputation & image
Extreme
  Business interruption: Cessation of major business critical services for more than one week
  Environmental damage: Serious long-term or widespread environmental harm
  Financial: Loss of above $1.5m
  Human: Death
  Reputation & image: Reputation of the organization affected nationally and internationally
Severe
  Business interruption: Cessation of major business critical services for up to one week
  Environmental damage: Significant environmental harm with long term recovery
  Financial: Loss above $750,000 to $1.5m
  Human: Severe injuries
  Reputation & image: Embarrassment for the organization, including adverse media coverage
Major
  Business interruption: Major service delivery targets not met for several weeks, business critical services not back in agreed time
  Environmental damage: Moderate harm with mid-term recovery
  Financial: Loss above $100,000 to $750,000
  Human: Injury involving hospitalization and rehabilitation
  Reputation & image: Customer and/or community concern, heavy local media coverage
Moderate
  Business interruption: Local service delivery problems for less than a month, business critical services lost for agreed minimum period
  Environmental damage: Transient environmental harm
  Financial: Loss above $5,000 to $100,000
  Human: Injury requiring medical treatment and some lost time
  Reputation & image: Issue raised by customers and/or local press
Minor
  Business interruption: Local issue resolved with negligible impact on service, business critical services lost for less than agreed minimum period
  Environmental damage: Brief pollution with effective radiation
  Financial: Loss up to $5,000
  Human: Injury requiring first aid, but no loss of time
  Reputation & image: Issue resolved promptly by day-to-day management process
13. Measuring the Level of Risk: Heat Map
Consequence \ Likelihood | Almost certain | Likely | Moderate | Unlikely | Rare
Extreme | HIGH | HIGH | SIGNIFICANT | SIGNIFICANT | SIGNIFICANT
Major | HIGH | SIGNIFICANT | SIGNIFICANT | SIGNIFICANT | SIGNIFICANT
Serious | SIGNIFICANT | SIGNIFICANT | SIGNIFICANT | MODERATE | MODERATE
Moderate | SIGNIFICANT | MODERATE | MODERATE | LOW | LOW
Minor | MODERATE | MODERATE | LOW | LOW | LOW
(Rows are the consequence label, columns the likelihood label.)
Level of risk is the magnitude of a risk, expressed by combining consequences and their likelihood.
14. Risk Treatment
Risk treatment involves developing a range of options for mitigating the risk, assessing those
options, and then preparing and implementing action plans. The highest rated risks should be
addressed as a matter of urgency.
Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options
can include the following:
a) Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
b) Taking or increasing the risk in order to pursue an opportunity
c) Removing the risk source
d) Changing the likelihood
e) Changing the consequences
f) Sharing the risk with another party or parties (including contracts and risk financing)
g) Retaining the risk by informed decision
Image source: http://www.civildefence.govt.nz/resources/natural-hazard-risk-communication-toolbox/
15. Risk Treatment Options with examples
Scenario used for all examples: my colleague is late for a meeting and I need to drop him at his office quickly. Driving at high speed comes with the risk of having an accident.
Avoidance | Choosing not to take on the risk by avoiding the actions that cause the risk | Avoidance: Do not drive
Reduction | Taking mitigation actions that reduce the risk | Reduction: Wear seat belts. Have traction control switched on…
Transfer | Transferring all or part of the risk to a third party. The two main types of transfer are insurance and outsourcing. | Transfer: Take a taxi. Hire a car. Take a bus…
Acceptance | Risk acceptance, also termed risk retention, is choosing to face a risk. In general, it is impossible to profit in business or enjoy an active life without choosing to take on risk. | Acceptance: Drive at high speed anyway…
Sharing | Risk sharing is the distribution of risk to multiple organizations or individuals. | Sharing: Have car insurance…
Image Source: Traffic Safety Strategies: http://www.vtpi.org/tdm/tdm86.htm
Taking one or more traffic safety strategies or risk treatment options reduces the consequence of the risk. The risk that is left over is referred to as residual risk.
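Sections 13 to 15 describe reading the level of risk off the heat map, treating a risk and being left with a residual risk. As an added example that is not part of the deck, the following Python encodes the heat map of section 13 over a small constructed risk register, applies a treatment that changes likelihood and/or consequence (options d and e of section 14), and ranks the register so the highest-rated risks are treated first; the register entries and the step sizes are assumptions.

```python
# Added example, not from the deck: a minimal risk register that applies the
# section 13 heat map and the section 14 treatment options d) and e) (changing
# likelihood and/or consequence), then ranks risks for treatment.
from dataclasses import dataclass, replace
# Ascending scales. The heat map says "Serious" where the consequence-type
# table says "Severe"; the heat map's labels are used here.
LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Almost certain"]
CONSEQUENCE = ["Minor", "Moderate", "Serious", "Major", "Extreme"]
RANK = {"LOW": 0, "MODERATE": 1, "SIGNIFICANT": 2, "HIGH": 3}

# Heat map rows = consequence, columns = likelihood from Rare to Almost certain.
HEAT_MAP = {
    "Extreme":  ["SIGNIFICANT", "SIGNIFICANT", "SIGNIFICANT", "HIGH", "HIGH"],
    "Major":    ["SIGNIFICANT", "SIGNIFICANT", "SIGNIFICANT", "SIGNIFICANT", "HIGH"],
    "Serious":  ["MODERATE", "MODERATE", "SIGNIFICANT", "SIGNIFICANT", "SIGNIFICANT"],
    "Moderate": ["LOW", "LOW", "MODERATE", "MODERATE", "SIGNIFICANT"],
    "Minor":    ["LOW", "LOW", "LOW", "MODERATE", "MODERATE"],
}

@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    likelihood: str
    consequence: str

def level_of_risk(likelihood, consequence):
    """Level of risk is the heat-map cell where consequence meets likelihood."""
    return HEAT_MAP[consequence][LIKELIHOOD.index(likelihood)]

def shift(scale, value, steps):
    """Move a rating along its scale by `steps`, clamped to the scale's ends."""
    return scale[max(0, min(len(scale) - 1, scale.index(value) + steps))]

def treat(risk, likelihood_steps=0, consequence_steps=0):
    """Apply a treatment that changes likelihood and/or consequence; returns the residual risk."""
    return replace(risk, likelihood=shift(LIKELIHOOD, risk.likelihood, likelihood_steps),
                   consequence=shift(CONSEQUENCE, risk.consequence, consequence_steps))

def prioritise(risks):
    """Highest-rated risks first, so they are treated as a matter of urgency."""
    return sorted(risks, key=lambda r: RANK[level_of_risk(r.likelihood, r.consequence)], reverse=True)

# Constructed register entries (hypothetical, for illustration only).
REGISTER = [
    Risk("R1", "Ransomware halts order processing for over a week", "Likely", "Extreme"),
    Risk("R2", "Key staff leave before the project milestone", "Almost certain", "Moderate"),
    Risk("R3", "Brief outage of the public website", "Moderate", "Minor"),
]
```

Calling `treat(REGISTER[0], likelihood_steps=-2, consequence_steps=-1)` models a treatment that moves R1 from Likely/Extreme (HIGH) to Unlikely/Major (SIGNIFICANT), which is the residual risk the register should record alongside the original rating.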
16. Risk Register
17. Risk Management Summary
Process: Establishing Context → Risk Identification → Risk Analysis → Risk Evaluation → Risk Treatment, with Monitoring & Review and Communication & Consultation running alongside every step.
Underpinned by: Principles and Frameworks.
18. Thank You
Please send your feedback and comments to Dr. Fahim K Sufi at contact@fahimsufi.com