Risk Mgmt V1 0c

Risk management
A management perspective

mercredi 28 avril 2010

Plan
What is risk ?
Risk Governance
Risk management
Risk and culture
Risk taxonomy
Risk Metrics
Wrap-up


Introduction
What is risk ?


A deﬁnition of risk

Pb(event) x impact


Risk has two meanings

In English, Risk is an umbrella
term, with two varieties:
opportunity which is a risk
with positive effects
threat which is a risk with
negative effects

Hillson(2001)

Risk is not uncertainty

Risk refers to situations where the decision-maker can
assign mathematical probabilities to the randomness
which he is faced with.
Uncertainty refers to situations when this randomness
"cannot" be expressed in terms of speciﬁc mathematical
probabilities.

Knight, Frank H. (1921)

Risk and uncertainty

The terms risk and uncertainty have become interchangeable,
and one can often be found in the description of the other.

Risk and uncertainty will be
deﬁned and used
accordingly as separate
issues of the same complex
phenomena, that of hazard
management.

Beck(1986)

Risk is formal

Risk can be considered as
a systematic way of dealing with hazards.
If it is assumed that there is uncertainty associated with
any prediction of a hazard occurring, then there is only
uncertainty because there is only ever a prediction of the
likely occurrence.

Beck(1986)

Uncertainty is not risk
By uncertain knowledge, (...) I do
not mean merely to distinguish
what is known for certain from
what is only probable.
uncertainty is present when there
is no scientiﬁc basis on which to
form any calculable probability
whatever.
We simply do not know.

Keynes(1937)

Risk and probability

The very assignment of numerical probabilities - even if
subjective - implies that it represents choice under
"risk"
These probabilities are merely expressions of what is
ultimately amorphous belief and thus may seem more
like "uncertainty".

Savage(1954)

Risk is about outcomes

Risk is the probability that an
event will occur.
In epidemiology, it is most
often used to express the
probability that a particular
outcome will occur following a
particular exposure.

Last JM, (2001)

What is the problem ?

Risk is an old concept, classically measured as a product
of outcome, usually negative, and a measure of
uncertainty, such as probability, balancing bad, but
unlikely, outcomes with less bad but more frequent ones.
The problems arise in deﬁning
what one means by an outcome and
how one assesses the probabilities.

Hudson(2003)

Risk Management

Risk
Utility

management RISK

0 time

A more complete deﬁnition

R! (E,A,!)
"

E : element at risk
Element (asset, process, system, etc.) or group of
elements that have an expected utility (u) for a given
period of time (Δt) in a ﬁnite space (s)
A : Hazard (real, foreseeable or perceived)
Event or sequence of events resulting from the
exploitation of a vulnerability (ψ) of an element at risk
(E) which can cause a dammage (δ) which results in a
reduction of the expected utility (u) for a given period of
time (Δt) in a ﬁnite space (s)
ψ : vulnerability
Fragility (relative) of an element at risk (E) to a hazard (A)


θ : resilience
Capacity of an element at risk (E) to overcome a hazard
(A) by minimizing damages (δ) or by using adversity as
a catalyst for improvement. It is linked to organisational
maturity
δ: damage (real, foreseen or perceived)
Reduction of the expected utility (u) of an element at
risk (E) by a hazard (A)
t : time
s: space


The risk triangle

Da
ma
ity

ge
bil

or
ra

Risk
lne

im
Vu

(E,t,s)
pa
ct
Ha z a rd or t hre at

Risk governance


Ecosystemic view
• A system formed by an ecological community and its environment that
functions as a unit.
• The interconnectedness of organisms (plants, animals, microbes) with
each other and their environment.

http://
www.neok12.com/
php/watch.php?


Governance structure
Executive Corporate
directors supports

Strategic Governance
comitee directs

Tactical Management
comitee manages

Operational Professionals


Role of the Board of
directors
Management Stockholders Employees

Board of
directors

Other
Lenders Suppliers stakeholders


Roles and responsibilities

Mission statement and
values
Sets culture and normative
framework
Arbitrage
Exercises authority


Subsidiarity
Responsability for actions must be alloted to the smallest
possible entity that can resolve it
Decision making as close as possible to the end-user
or customer
Act locally: responsabilize the actors
Empower local competencies and decentralize


Risk governance
Basic ethical principles


Due diligence

Organisations need to
demonstrate that they are
being diligent
They need to be able to
demonstrate that they have
in place formal processes to
ensure that risks are known
and managed


Precaution
When there is the possibility, event if unlikely, that hazards
may cause grave or irreversible dammages, the absence
of absolute scientific certitude can not become a pretext
to avoid taking actions to prevent the degredation of the
situation
Contrary to rational theory, precausion justifies taking
decisions in cases of incomplete information to avoid
irreversable damages.
It justifies non optimal solutions that may satisfy all
parties (minimum regrets)


Continuous improvement
Deming’s wheell approach
Recurrence feedback loops
Evolution of solutions aligned with
the availability of ressources


Evaluation
Must determine, a priori:
Objectives
Follow-up parameters
Control and corrective action plans
A space for all stakeholders to review information
Finality:
Create mecanisms that allow the conversion of data
into usefull planning information


Risk Management
Formal processes


IPMa process

Identify risks

IPMa
Prioritize
Mobiize
ressources
Audit


Qualitative or Quantitative ?
In the absence of solid historical data, all data is subjective.
Sources of historical data:
Past events, hazards and incidents in the organization
Data from similar organizations
Regulatory bodies
Gartner group, IDC, Forester Research and litterature
Standards (ITU, ISO, IEEE)


Scenario based risk mgmt
Using scenarios is the most ‘human sensitive’ approach to
risk management
it’s simpler to get people to tell you a story
What if ...
Then ...
This would result in ...
But, we could do ... to prevent it or to reduce it’s impacts.


Incidents are central
Using past incidents is a key to risk management
Quantitative data ﬁnds it’s source in historical data
It is a chance to improve
individuals has to feel that they can, and must, report
incidents
Management has to support this
A risk registry, or journal, serves this purpose


IPM process

Identify
Hazards
Vulnerabilities
Damages
Prioritize
Mobilize ressources


Cognitive processes
The cognitive operations of individual decision makers
involved on decisions about risk are (in order) :
Identify the scenarios to consider
Predict the consequences for each scenario and
estimate their likelyhood
Identify the variables susceptible to inﬂuence utility and
ajust them to account for the context
Evaluate the probabilities to assign to contexts that
have been retained
Apply a decisional strategy

L
i
Transfer Avoid
k risk risk
e
li
h
o Accept Mitigate
o risk risk
d

D a m a g e s


L
i Transfer
risk Avoid
k
risk
e
li
h Accept
risk Mitigate
o
risk
o
d
Tolerate risks

D a m a g e s


Biaises that may affect
decision makers
Errors in reasoning
Cognitive dissonances
Heuristics
Cultural variations
Limitis of vigilance


Methodologies

Several are available
All have their limitations
Choice of variables
Scientiﬁcity
Validity (internal and external)
Must consider maturity


Risk Management Framework
An integrated risk framework allows organisation to
integrate all the organisational, regulatory and scientiﬁc
requirements in a cyclical approach (continuous
improvement).
Should include:
Business processes

Standard Operating Procedures

A governance model

Risk awareness, education & training programs

Workﬂow management tool (software)

Change management
Implementing a RMF is a Change management problem
ﬁve (5) stages of change
Denial
Resistance
Decompensation
Resignation
Integration


How to facilitate change ?

Education, training
Setting normative factors
Rationalization
Consensus
Other (dictatorship, coersion,esoteric)


Risk and culture
Risk, culture, perception and subjectivity


Risk, culture and perception
According to one cultural theory, people choose what to fear
as a way to defend their way of life.
The theory hypothesizes that adherents of a hierarchical
culture will approve of technology, provided it is certiﬁed as
safe by their experts.
Competitive individualists will view risk as opportunity
and, hence, be optimistic about technology.
And egalitarians will view technology as part of the
apparatus by which corporate capitalism maintains
inequalities that harm society and the natural
environment. Widavsky (2002)

Difﬁculty to assess risk

Risk is not always easy to assess, since the probability of
occurrence and the consequence of occurrence are
usually not directly measurable parameters and must be
estimated by statistical or other procedures.
Risk constitutes a lack of knowledge of future events.
Typically, future events (or outcomes) that are favorable
are called opportunities, whereas unfavorable events are
called risks. Another element of risk is its cause.

Kerzner, H. (2003)

Risk tolerance
Risk tolerance looks at acceptable/unacceptable
deviations from what is expected.
In ﬁnancial investments, The extent to wish an investor is
willing to accept more risk in exchange for the possibility
of a higher return.


Risk appetite

Where do we feel we should allocate our limited time and
resources to minimise risk exposures?
What level of risk exposure requires immediate action?
What level of risk requires a formal response strategy to
mitigate the potentially material impact?
What events have occurred in the past, and at what level
were they managed?


Predictable outcomes
Many activities undertaken by organizations do not have
predictable outcomes
One can’t predict the return from a new project, for
example.

Occurrence of these types of events can only be described
in terms of a range of possible outcomes and the likelihood
or probability of each outcome.

The lack of predictability of outcomes is referred to as risk.
The concept of risk does not imply all possible outcomes are
adverse, only that the precise probabilities of the outcomes
are unknown.
Lewis(2003)

Distribution of outcomes

According to classical decision theory, risk is generally
understood to be the distribution of possible outcomes,
their likelihood, and their subjective values.
In project management, this deﬁnition can be applied to
time, cost, performance, and many other inﬂuential factors
in any project that impact these three concerns.

March and Shapira (1987) in Kwak(2005)

Reference points

The reference points that
people use to evaluate risky
prospects affect risk-taking.
In this respect, risk tolerance
is a subjective notion in the
absence of clear and uniform
communication and tools for
risk analysis.

Kahneman and Taversky (1979) and Taversky and Kahneman (1992) in Kwak(2005)

Risk taxonomy
Categories of organisational risks


Risk categories

There is an inﬁnite number of categories of risk
Depends on :
organisational culture
legislation
many other factors


Risk Taxonomy


What is needed ?
For each incident identiﬁed, information needs to be
collected about :
direct monetary losses caused by the incident
Annualized (or aligned on budgetary strategy)
indirect losses (reputation damage or lost business)
with an estimate of the monetary losses resulting
from these indirect losses.

Blakley, B., McDermott, E., Geer, D.(2001)

Risk register

Dates: As the register is a living document, it is important
to record the date that risks are identiﬁed or modiﬁed.
Optional dates to include are the target and completion
dates.
Description of the Risk: A phrase that describes the risk.

Project Management Institute Body of Knowledge (PMBOK)

Risk register
Risk type (business, project, stage): Classification of the
risk, business risks relate to delivery of achieved benefits,
project risks relate to the management of the project such
as timeframes and resources, stage risks are risks
associated with a specific stage plan.
Likelihood of Occurrence: Provides an assessment on
how likely it is that this risk will occur. Examples of
classifications are: L-Low (<30%), M-Medium (31-70%),
H-High (>70%).


Risk register

Severity of effect: Provides an assessment of the impact
that the occurrence of this risk would have on the project.
Counter Measures: Action to be taken to prevent, reduce
or transfer the risk. This may include production of
contingency plans.
Owner: Individual responsible for the ensuring this risk is
appropriately managed and counter measures are
undertaken.


Risk register

Status: Indicates whether this is a current risk or if risk can
no longer arise and impact the project. Example
classiﬁcations are: C-current or E-ended.
Other columns such as quantitative value can also be
added if appropriate.


Risk metrics


The use of metrics

From the governanced based
risk management perspective:
Risk assessment
Continuous improvement
Evaluation


Identifying variables

Metrics are about measurement
Attributing values to variables
Values depend on measurement scales
There are rules on how to use measurement scales
nominal, ordinal, interval, proportional


Example of measurement
scales


Scientiﬁcity and reliability

Scientiﬁc data must meet certain criterias
trust, repeatable, verifyable
We must be able to justify the choices we make
in data and in manipulation (formulas)


marcandre@leger.ca
http://www.leger.ca

Montreal, Quebec, Canada:+1(514)824-6302
Philadelphia, PA, USA:+1(215)543-6352
Paris, France: +33.(0)9.77.19.63.02

LinkedIn: http://www.linkedin.com/in/itriskmgr
Blog: http://crhoma.org/blogue

Risk Mgmt V1 0c

More Related Content

Similar to Risk Mgmt V1 0c

More from Marc-Andre Leger

Risk Mgmt V1 0c