7. • Possibility of loss or injury.
• The chance of loss; the degree of probability of such loss.
• The possibility of financial loss.
• A possibility of harm or damage against which something is insured.
Risks can come from various sources including uncertainty in financial markets, threats from project failures (at any phase in design, development, production, and life-cycles), credit risk, accidents, natural causes, etc.
12. Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
Risk management: coordinated activities to direct and control an organisation with regard to risk.
13. There are two types of events: negative events can be classified as risks, while positive events are classified as opportunities.
Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Standards and Technology, societies, and ISO.
A demonstrable risk management system incorporates:
• Risk profiles
• Risk assessments
• Treatment plans
• Results of monitoring & risk reviews
• Evidence of consultation & communication
• Good documentation / formal records
14. Definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.
Adopting good risk management ensures that an organization can undertake activities in the knowledge that
a) appropriate and adequate measures are in place to maximize the benefits, and
b) appropriate and adequate measures are in place to minimize the negative or unanticipated effects of any of the risks or opportunities that are presented in the course of achieving organizational objectives.
15. Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
16. Statement of the overall intentions and direction of an organization related to risk management.
19. The principles and practices of risk management can be applied across an entire organization, to its many areas and levels, as well as to specific issues, functions, projects & activities.
21. WHAT IS THE RISK MANAGEMENT PROCESS?
The Risk Management Process consists of a series of steps that, when undertaken in sequence, enable continual improvement in decision-making.
22. Establish the context.
Identify the Risk.
Analyze the Risk.
Evaluate the risks.
Treat the risks.
Respond to the Risk.
Monitor the Risk.
23. ESTABLISH THE CONTEXT:
Provides a five-step process to assist with establishing the context within which risk will be identified.
1- Establish the internal context
2- Establish the external context
3- Establish the risk management context
4- Develop risk criteria
5- Define the structure for risk analysis
24. As previously discussed, risk is the chance of something happening that will impact on objectives.
As such, the objectives and goals of a business, project or activity must first be identified to ensure that all significant risks are understood.
This ensures that risk decisions always support the broader goals and objectives of the business. This approach encourages long-term and strategic thinking.
25. Is there an internal culture that needs to be considered? For example, are staff resistant to change? Is there a professional culture that might create unnecessary risks for the business?
What staff groups are present?
What capabilities does the business have in terms of people, systems, processes, equipment and other resources?
26. 2. ESTABLISH THE EXTERNAL CONTEXT:
This step defines the overall environment in which a business operates and includes an understanding of the clients’ or customers’ perceptions of the business. An analysis of these factors will identify the strengths, weaknesses, opportunities and threats to the business in the external environment.
27. A BUSINESS OWNER MAY ASK THE FOLLOWING QUESTIONS WHEN DETERMINING THE EXTERNAL CONTEXT:
• What regulations and legislation must the business comply with?
• Are there any other requirements the business needs to comply with?
• What is the market within which the business operates? Who are the competitors?
• Are there any social, cultural or political issues that need to be considered?
28. 3- ESTABLISH THE RISK MANAGEMENT CONTEXT:
Before beginning a risk identification exercise, it is important to define the limits, objectives and scope of the activity or issue under examination.
For example, in conducting a risk analysis for a new project, such as the introduction of a new piece of equipment or a new product line, it is important to clearly identify the parameters for this activity to ensure that all significant risks are identified.
29. Risk criteria allow a business to clearly define unacceptable levels of risk. Conversely, risk criteria may include the acceptable level of risk for a specific activity or event. In this step the risk criteria may be broadly defined and then further refined later in the risk management process.
30. 5. DEFINE THE STRUCTURE FOR RISK ANALYSIS
Isolate the categories of risk that you want to manage. This will provide greater depth and accuracy in identifying significant risks.
The chosen structure for risk analysis will depend upon the type of activity or issue, its complexity and the context of the risks.
32. You can’t resolve a risk if you don’t know what it is. There are many ways to identify risk. As you go through this step, you’ll want to collect the data in a risk register.
Once the context of the business has been defined, the next step is to utilize the information to identify as many risks as possible.
One way is brainstorming or even brainwriting, which is a more structured way to get a group to look at a problem.
Risk identification: involves identifying sources of risk, areas of impact, events and their causes and consequences.
33. As noted earlier, you can tap your resources. That can be your team, colleagues or stakeholders. Find those individuals with relevant experience and set up interviews so you can gather the information you’ll need to both identify and resolve.
It doesn’t hurt to speak with that person in your organization who is the glass-is-always-half-empty type. Their doom-and-gloom perspective can be surprisingly helpful to see risks that might not be evident to everyone else.
Look both forward and backwards. That is, imagine the project in progress. Think of the many things that can go wrong. Note them. Do the same with historical data on past projects. Now your list of potential risks has grown.
37. 1- Identifying retrospective risks
Retrospective risks are those that have previously occurred, such as incidents or accidents. Retrospective risk identification is often the most common way to identify risk, and the easiest. It’s easier to believe something if it has happened before. It is also easier to quantify its impact and to see the damage it has caused.
38. As you’re identifying risk, you’ll want to make sure that your risk register isn’t filling up with risks that are really outliers and not risks at all. Make sure the risks are rooted in the cause of a problem. Basically, drill down to the root cause to see if the risk is one that will have the kind of impact on your project that needs identifying.
When trying to minimize risk it’s good to trust your intuition. This can point you to unlikely scenarios that you just assume couldn’t happen. Remember, don’t be overconfident. Use process to weed out risks from non-risks.
39. There are many sources of information about retrospective risk. These include:
• Hazard or incident logs or registers.
• Audit reports.
• Customer complaints.
• Accreditation documents and reports.
• Past staff or client surveys.
• Newspapers or professional media, such as journals or websites.
40. Prospective risks are often harder to identify. These are things that have not yet happened, but might happen some time in the future.
Identification should include all risks, whether or not they are currently being managed. The rationale here is to record all significant risks and monitor or review the effectiveness of their control.
41. • Brainstorming with staff or external stakeholders
• Researching the economic, political, legislative and operating
environment
• Conducting interviews with relevant people and/or organizations
• Undertaking surveys of staff or clients to identify anticipated
issues or problems
• Flow charting a process
• Reviewing system design or preparing system analysis techniques.
42. TIPS FOR EFFECTIVE RISK IDENTIFICATION:
• Select a risk identification methodology appropriate to the type of risk and the nature of the activity
• Involve the right people in risk identification activities
• Take a life cycle approach to risk identification and determine how risks change and evolve throughout this cycle.
44. During the risk identification step, a business owner may have identified many risks and it is often not possible to try to address all those identified.
The risk analysis step will assist in determining which risks have a greater consequence or impact than others.
45. What is risk analysis?
Risk analysis involves combining the possible consequences, or impact, of an event, with the likelihood of that event occurring. The result is a ‘level of risk’. That is:
Risk = consequence x likelihood
46. The elements of risk analysis are as follows:
1. Identify existing strategies and controls that act to minimize negative risk and enhance opportunities.
2. Determine the consequences of a negative impact or an opportunity (these may be positive or negative).
3. Determine the likelihood of a negative consequence or an opportunity.
4. Estimate the level of risk by combining consequence and likelihood.
5. Consider and identify any uncertainties in the estimates.
47. Three categories or types of analysis can be used to determine level of risk:
• Qualitative
• Semi-quantitative
• Quantitative.
The most common type of risk analysis is the qualitative method. The type of analysis chosen will be based upon the area of risk being analyzed.
52. • Risk analysis is usually done in the context of existing controls – take the time to identify them
• The risk analysis methodology selected should, where possible, be comparable to the significance and complexity of the risk being analyzed, i.e. the higher the potential consequence the more rigorous the methodology
• Risk analysis tools are designed to help rank or prioritize risks. To do this they must be designed for the specific context and the risk dimension under analysis.
53. Okay, you’ve got a lot of potential risks listed in your risk register, but what are you going to do with them? The next step is to determine how likely each of those risks are to happen. This information should also go into your risk register.
When you assess project risk you can ultimately and proactively address many impacts, such as avoiding potential litigation, addressing regulatory issues, complying with new legislation, reducing your exposure and minimizing impact.
55. EVALUATE THE RISKS:
Risk evaluation involves comparing the level of risk found during the analysis process with previously established risk criteria, and deciding whether these risks require treatment.
The result of a risk evaluation is a prioritized list of risks that require further action.
This step is about deciding whether risks are acceptable or need treatment.
56. Not all risks are created equally. You need to evaluate the risk to know what resources you’re going to assemble towards resolving it when and if it occurs. Some risks are going to be acceptable. You would grind the project to a halt and possibly not even be able to finish it without first prioritizing the risks.
Having a large list of risks can be daunting. But you can manage this by simply categorizing risks as high, medium or low. Now there’s a horizon line and you can see the risk in context. With this perspective, you can begin to plan for how and when you’ll address these risks.
Some risks are going to require immediate attention. These are the risks that can derail your project. Failure isn’t an option. Other risks are important, but perhaps not threatening the success of your project. You can act accordingly.
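As an added illustration of the analysis and evaluation steps above (example code, not part of the original slides): a small semi-quantitative risk register that scores each risk as consequence x likelihood on ordinal scales, compares the level against risk criteria to rate it high, medium or low, returns a prioritized list of the risks that still need treatment, and flags risks with no responsible person. The scales, thresholds and register entries are constructed assumptions, not values given in the slides.

```python
from dataclasses import dataclass

# Ordinal 1..5 scales for semi-quantitative analysis. These particular
# labels and values are an assumption for this example, not from the slides.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass
class Risk:
    """One row of the risk register."""
    name: str
    likelihood: str
    consequence: str
    owner: str = "unassigned"


def risk_level(risk: Risk) -> int:
    """Level of risk = consequence x likelihood on the ordinal scales."""
    return CONSEQUENCE[risk.consequence] * LIKELIHOOD[risk.likelihood]


def evaluate(level: int, criteria=((15, "high"), (6, "medium"))) -> str:
    """Compare a level against previously established risk criteria.
    Thresholds are an assumption: >= 15 is high, >= 6 is medium, else low."""
    for threshold, rating in criteria:
        if level >= threshold:
            return rating
    return "low"


def prioritize(register: list[Risk], acceptable: str = "low") -> list[tuple[str, int, str, str]]:
    """Return (name, level, rating, owner) for the risks that need treatment,
    highest level first. Risks rated 'acceptable' are retained and dropped."""
    rows = [(r.name, risk_level(r), evaluate(risk_level(r)), r.owner) for r in register]
    return sorted((row for row in rows if row[2] != acceptable), key=lambda row: -row[1])


def unowned(register: list[Risk]) -> list[str]:
    """Every risk needs a responsible person; list those that have none."""
    return [r.name for r in register if r.owner == "unassigned"]


# Constructed sample register for a small software project.
REGISTER = [
    Risk("Unpatched internet-facing server exploited", "likely", "major", "ops lead"),
    Risk("Key developer leaves mid-project", "possible", "moderate"),
    Risk("Storm damage to office", "rare", "moderate", "facilities"),
    Risk("Vendor API deprecated before release", "unlikely", "minor", "PM"),
]

if __name__ == "__main__":
    for name, level, rating, owner in prioritize(REGISTER):
        print(f"{rating:6} {level:2}  {name} (owner: {owner})")
    print("unowned:", unowned(REGISTER))
```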
58. Risk acceptance
A risk may be accepted for the following reasons:
• The cost of treatment far exceeds the benefit, so that acceptance is the only option (applies particularly to lower ranked risks)
• The level of the risk is so low that specific treatment is not appropriate with available resources
• The opportunities presented outweigh the threats to such a degree that the risks are justified
• The risk is such that there is no treatment available, for example the risk that the business may suffer storm damage.
60. TREAT THE RISKS:
Risk treatment is about considering options for treating risks that were not considered acceptable or tolerable at Step 5.
Risk treatment involves identifying options for treating or controlling risk, in order to either reduce or eliminate negative consequences, or to reduce the likelihood of an adverse occurrence. Risk treatment should also aim to enhance positive outcomes.
61. Options for risk treatment:
Identifies the following options that may assist in the minimization of negative risk or an increase in the impact of positive risk.
1- Avoid the risk
2- Change the likelihood of the occurrence
3- Change the consequences
4- Share the risk
5- Retain the risk
62. MONITOR AND REVIEW:
Monitor and review is an essential and integral step in the risk management process.
A business owner must monitor risks and review the effectiveness of the treatment plan, strategies and management system that have been set up to effectively manage risk.
63. Risks need to be monitored periodically to ensure changing circumstances do not alter the risk priorities. Very few risks will remain static, therefore the risk management process needs to be regularly repeated, so that new risks are captured in the process and effectively managed.
A risk management plan at a business level should be reviewed at least on an annual basis. An effective way to ensure that this occurs is to combine risk planning or risk review with annual business planning.
66. All your hard work identifying and evaluating risk is for naught if you don’t assign someone to oversee the risk. In fact, this is something that you should do when listing the risks. Who is the person who is responsible for that risk, identifying it when and if it should occur and then leading the work towards resolving it?
That determination is up to you. There might be a team member who is more skilled or experienced in the risk. Then that person should lead the charge to resolve it. Or it might just be an arbitrary choice. Of course, it’s better to assign the task to the right person, but equally important is making sure that every risk has a person responsible for it.
Think about it. If you don’t give each risk a person tasked with watching out for it, and then dealing with resolving it when and if it should arise, you’re opening yourself up to more risk. It’s one thing to identify risk, but if you don’t manage it then you’re not protecting the project.
68. The International Risk Management Standard AS/NZS ISO 31000:2009 (the Standard) provides the principles and guidelines for risk management.
According to the Standard, “the success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels.”
69. Within the Standard the expressions ‘risk management’ and ‘managing risks’ are both used.
In general terms:
• risk management refers collectively to the principles, framework and process for managing risks effectively, and
• managing risks refers to the application of these principles, framework and process to particular risks.
70. ISO 31000 is applicable to all organizations, regardless of type, size, activities and location, and covers all types of risk. It was developed by a range of stakeholders and is intended for use by anyone who manages risks, not just professional risk managers.
71. ISO 31000 helps organizations develop a risk management strategy to effectively identify and mitigate risks, thereby enhancing the likelihood of achieving their objectives and increasing the protection of their assets.
Its overarching goal is to develop a risk management culture where employees and stakeholders are aware of the importance of monitoring and managing risk.
72. ISO 31000:2018 provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization.
This includes the recommendation to develop a statement or policy that confirms a commitment to risk management, assigning authority, responsibility and accountability at the appropriate levels within the organization and ensuring that the necessary resources are allocated to managing risk.
The revised standard now also recommends that risk management be part of the organization’s structure, processes, objectives, strategy and activities.
73. Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.
When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example:
⎯ increase the likelihood of achieving objectives;
⎯ encourage proactive management;
⎯ be aware of the need to identify and treat risk throughout the
organization;
⎯ improve the identification of opportunities and threats;
⎯ comply with relevant legal and regulatory requirements and
international norms;
⎯ improve mandatory and voluntary reporting;
74. ⎯ improve governance;
⎯ improve stakeholder confidence and trust;
⎯ establish a reliable basis for decision making and planning;
⎯ improve controls;
⎯ effectively allocate and use resources for risk treatment;
⎯ improve operational effectiveness and efficiency;
⎯ enhance health and safety performance, as well as environmental
protection;
⎯ improve loss prevention and incident management;
⎯ minimize losses;
⎯ improve organizational learning; and
75. ⎯ improve organizational resilience.