Fundamentals of Risk analysis
Risks can be defined as many things but at the root of every
definition is the fact that risks represent uncertain outcomes.
These outcomes can be either negative or positive. They can
represent positive opportunities (opportunities for excellence)
as well as negative threats. Risk management is a widely recognized
discipline or practice that can be applied across many business
boundaries. Risk management is concerned with the analysis of
the impact of the changes that are uncertain, and reducing the
probability or impact if they are deemed negative.
Risk management requires having practices in place to identify
and then monitor risks; convenient access to dependable, current
information about risks; the correct balance of control in place
to deal with the risks; and decision-making processes that are
supported by a framework of risk analysis and evaluation.
Levels of Risk
There are three levels of risk:
Strategic: risks involved in ensuring business survival and
long-term security or stability of the organization;
Tactical: risks involved in managing interdependencies between
the strategic and operational levels;
Operational: risks involved in management problems, for example
when managers do not have the required experience or there are
problems in the relationships between them.
Today, project and program management adds two further levels
of risk. They derive from the structure of enterprise management
and arguably could come between the strategic and operational levels:
Program: risks involved in managing interdependencies
between individual projects and the wider business environment;
Projects: risks involved in making progress
against project plans.
Higher levels of risk feed into lower levels; strategic risks
will have implications at all the other levels, while operational
risks are localized and limited in scope.
A risk may appear initially on one level but subsequently
have a major impact at a different level. If a risk grows outside
agreed upon limits, it should be decided that it no longer represents,
say, an operational risk and may now affect the project as a whole.
Depending on the scale of the change you are planning, you will
have to analyze risks at one or more of these levels.
Types of Risk
Different organizations will face different types of risk.
Some types of risk are as follows:
Strategic / Commercial Risks
Economic / Financial / Market Risks
Legal and Regulatory Risks
Organizational Management / People Issues
Political / Societal Factors
Environment Factors / Acts of God (force majeure)
Technical / Operational / Infrastructure Risks
What is Risk Management?
Risk Management is the practice used to prevent as many losses
as possible and arranging methods of payment for the rest. Risk
Management is a scientific approach to the problem of dealing
with the pure risks faced by individuals and businesses (Lam
& Kawamoto, 1997). Managers have full responsibility for dealing
with all risks facing the organization, including both speculative
and pure risks. A risk manager is usually a highly trained individual
who makes risk management their full time job or the responsibilities
may be spread out within a risk management department. Risk
Management is not just buying insurance for a company. It also
involves dealing with both insurable and uninsurable risks and
the choice of the appropriate techniques for dealing with them.
The emphasis of risk management is not getting the most insurance
for the euro spent, but to reduce the cost of handling risk
by the most appropriate means. Insurance then, happens to be
one of the several approaches for minimizing pure risks the firm faces.
What is Enterprise Risk Management?
Enterprise risk management is a systematic approach to managing
risk. Risk, risk factors, and mitigation programs are considered
on a business wide basis, internally and externally. Enterprise
risk management assumes that shareholders are indifferent to
arbitrary compartmentalization of risk. Enterprise risk management
also assumes that risk factors generally have multiple effects
and that to have any value, mitigation programs must consider
all such effects (Lange, 1998). The ability to predict - and
control - risk in all areas of the company is now an essential
component of an effective business strategy. As a result, risk
management has become one of the most complex strategic issues
businesses face. That’s because a well-executed, broad-based
risk management program enables companies to achieve their goals
- by providing effective processes for addressing the events
or actions that can impede their achievement. And, while the
Risk Manager or CFO may be responsible for developing this program,
the challenge of predicting and controlling risk actually extends
throughout the entire organization.
Risk management has traditionally been the bailiwick of insurance
companies. This leaves a huge gap, one that corporate risk managers
are just beginning to address with a new approach called Enterprise
Risk Management. Enterprise Risk Management encompasses the
entire organization rather than being limited to the narrow
field of insurable risks. Three driving forces are responsible
for the changes occurring in enterprise-wide risk management.
The Risk Management Process of Enterprise
The risk management process consists of six steps which either
a professional or non-professional risk manager can map to an
organization's business decisions and corporate goals.

There is an additional step between Determination of objectives
and Identification of the risks: assigning responsibility for
the risk management plan. Generally, staff members carry out
this step when they determine the objectives of the risk
management program. It is more important to highlight this step
if staff are preparing the enterprise's risk management program
for the first time.
So, the risk management process is as follows:
1. Determination of the objectives of the risk
management program. Deciding precisely what it
is that the organization expects its risk management program
to do. One primary objective of the risk management effort is
to preserve the operating effectiveness of the organization.
The first step is to decide your organization's purpose for
creating a risk management program. Your purpose may be to reduce
the costs of insurance or to reduce the number of program-related
injuries to staff members. By determining its intention before
initiating risk management planning, the enterprise can evaluate
the results to determine its effectiveness.
2. Assign responsibility for the risk management
plan. The second step is to designate an individual
(or team) to be responsible for developing and implementing
the enterprise’s risk management program. While the team
is principally responsible for the risk management plan, a successful
program requires the integration of risk management within all
levels of your organization. Operations staff and board members
should help the risk management team (or individual) in identifying
risks and developing suitable loss control and intervention
strategies.
3. Acknowledge and identify risk.
Risks are about events that, when triggered, will cause problems.
Hence, risk identification can start with the source of problems,
or with the problem itself.
Source analysis: Risk sources may be internal or external to the
system that is the target of risk management.
Problem analysis: Risks are related to fear, for example the fear
of losing money. The fear may exist with various entities, most
importantly shareholders and customers.
When either source or problem is known, the events that a
source may trigger or the events that can lead to a problem can be investigated.
The chosen method of identifying risks may depend on culture,
industry practice and compliance. The identification methods
are formed by templates or the development of templates for
identifying source, problem or event. Common risk identification methods are:
Objectives-based Risk Identification: Organizations
and project teams have objectives. Any event that may endanger
achieving an objective partly or completely is identified as a risk.
Scenario-based Risk Identification: In scenario analysis, different
scenarios are created. The scenarios may be the alternative
ways to achieve an objective, or an analysis of the interaction
of forces in, for example, a market or battle. Any event that
triggers an undesired scenario alternative is identified as a risk.
Taxonomy-based Risk Identification: The taxonomy in taxonomy-based
risk identification is a breakdown of possible risk sources.
Based on the taxonomy and knowledge of best practices, a questionnaire
is compiled.
Common-risk Checking: In several industries, lists of known risks
are available. Each risk in the list can be checked against the
enterprise's particular situation.
4. Evaluate and prioritize risk.
Evaluation means measuring the potential size of the loss and
the probability that it is likely to occur. The evaluation requires
ranking of priorities as critical risks, important risks, or unimportant risks.
5. Consideration of alternatives and selection
of the risk treatment device. This step examines various
approaches used to deal with risks and the selection of the
technique that should be used for each one. Alternatives for
managing or controlling risks include avoidance and reduction.
Risk financing mechanisms include risk retention and risk transfer
or risk shifting. Risk treatment devices are used in deciding
which technique to use to deal with a given risk; the risk manager
considers the size of the potential loss, its probability, and
the resources that would be available to meet the loss if it should occur.
The four basic strategies for controlling risk are:
Risk Avoidance. Eliminating a specific threat, usually by
eliminating the cause. An example would be not buying a property
or business in order to not take on the liability that comes
with it. Avoidance may seem the answer to all risks, but avoiding
risks also means losing out on the potential gain that accepting
(retaining) the risk may have allowed. Not entering a business
to avoid the risk of loss also avoids the possibility of earning
the profits.
Risk Reduction. Change the activity so that the chance of harm occurring and impact of
potential damage are within acceptable limits. Managers try
to reduce the expected monetary value of risk event by reducing
the probability of occurrence, reducing the risk event value or both.
Risk Retention. Involves accepting the loss when it occurs.
True self-insurance falls in this category. Risk retention is
a viable strategy for small risks where the cost of insuring
against the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or the
premiums would be infeasible.
Risk Sharing. Consider sharing
the risk with another organization. Examples of risk sharing
include mutual aid agreements with other nonprofits, purchasing
insurance, and sharing responsibility for a risk with another
service provider through a contractual arrangement.
6. Implementation of the decision. When an organization decides
to retain a risk, it establishes policies and procedures to reduce
or eliminate the probability/frequency of occurrence and the severity of the impact.
7. Evaluate, review and revise the plan as needed.
Evaluation and review are essential to the program for two reasons.
First, the business environment changes: new risks arise and old
ones disappear. Techniques appropriate last year may not be
appropriate this year, so constant attention to risk is required.
Second, mistakes sometimes occur. Hopefully, through evaluation and
review, the manager is able to review decisions and discover mistakes before they become too costly.
Risk Management in Projects
Theoretically, every decision on a project should be subjected
to some form of risk analysis. However, to repeat a formal assessment
is impractical for all but significant project events and changes.
In other circumstances it is sufficient for the project manager
to have a “risk awareness” of any changes taking
place. The effective management of risk includes both this informal
awareness and a structured approach.
These steps can be grouped into four major categories:
Risk Identification: The analyst has to determine which
risks are likely to affect the project and should document the
characteristics of each.
Risk Quantification: Evaluating risks and risk interactions
to assess the range of possible project outcomes.
Risk Response Development: Defining enhancement steps
for opportunities and responses to threats.
Risk Response Control: Responding to changes in risk over
the course of the project.
The extent to which these activities need to be addressed depends
upon the size and nature of the particular project under review.
Also, these activities are not necessarily carried out sequentially.
Risk identification
Risk identification consists of determining which risks are
likely to affect the project and documenting the characteristics
of each. It is not a one-time event; it should be performed on a regular basis throughout the project.
Risk identification should address both internal and external
risks. Internal risks are things that the project team can control
or influence, such as staff assignments and cost estimates.
External risks are things beyond the control or influence of
the project team, such as market shifts or government actions.
So, in the project context risk identification is also concerned with opportunities as well as threats.
Step 1: Identify sources of risk and categorize
the possible risk events that may affect the project for better
or worse. Common sources of risk could include:
Product description;
Other planning outputs such as the work breakdown structure,
cost estimates and duration estimates, staffing plan, procurement
management plan;
Poorly defined or understood roles and responsibilities;
Poor estimates;
Insufficiently skilled staff.
Step 2: Potential risk events should be identified
in addition to sources of risk when the probability of occurrence
or magnitude of loss is relatively large. Descriptions of potential
risk events should include estimates of a) the probability that
the risk event will occur, b) alternative possible outcomes, c) anticipated frequency.
Step 3: Identify risk symptoms, for example,
poor morale may be an early warning signal of an impending schedule
delay or cost overruns on early activities may be indicative of poor estimating.
Risk Quantification
Risk quantification involves evaluating risks and risk interactions
to assess the range of possible project outcomes. It is primarily
concerned with determining which risk events warrant response.
Step 4: Define inputs for risk quantification:
Risk tolerances of shareholders;
Analysed sources of risk;
Analysed risk events;
Analysed cost estimates;
Analysed activity estimates.
Step 5: Choose needed tools and techniques for risk quantification:
Risk evaluation methods such as NPV, IRR, PB, DPB, MIRR
and others;
Sensitivity and (or) scenario analysis;
Monte Carlo analysis or other forms of simulation;
Decision trees – diagrams that depict key
interactions among decisions and associated chance events as they are understood by the decision maker;
Expert judgment.
Step 6: Get results of risk quantification and decide response:
Opportunities to pursue, threats to respond to.
Opportunities to ignore and threats to accept. The risk quantification process should also document a) those sources
of risks and risk events that the project management team has
consciously decided to accept or ignore and b) who made the decision to do so.
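The quantification steps above can be carried through on a small risk register. The following Python sketch is an added example, not part of the original text: the register entries, the 15,000 EUR tolerance, the rule "respond when |EMV| reaches the tolerance" and the assumption that events occur independently are all constructed for illustration.

```python
import random

# Constructed sample register (illustrative values, not from the text):
# (risk event, probability of occurrence, outcome in EUR).
# Positive outcome = threat (loss); negative = opportunity (gain).
REGISTER = [
    ("Key supplier fails", 0.10, 200_000),
    ("Insufficiently skilled staff", 0.30, 60_000),
    ("Poor cost estimate", 0.25, 40_000),
    ("Early delivery bonus", 0.20, -30_000),
]

def emv(probability, outcome):
    """Expected monetary value of one risk event."""
    return probability * outcome

def decide(register, tolerance):
    """Step 6: split events into those that warrant a response and those
    accepted or ignored, using |EMV| >= tolerance (an assumed decision rule)."""
    respond, accept = [], []
    for name, p, outcome in register:
        (respond if abs(emv(p, outcome)) >= tolerance else accept).append(name)
    return respond, accept

def simulate(register, trials=20_000, seed=1):
    """Monte Carlo: sample each event independently (an assumption) per trial
    and return the sorted totals, i.e. the range of possible outcomes."""
    rng = random.Random(seed)
    totals = [
        sum(outcome for _, p, outcome in register if rng.random() < p)
        for _ in range(trials)
    ]
    return sorted(totals)

def percentile(sorted_totals, q):
    """Value below which a fraction q of the simulated outcomes fall."""
    return sorted_totals[min(len(sorted_totals) - 1, int(q * len(sorted_totals)))]

def reduce_probability(register, name, new_p):
    """Risk reduction: lower the probability of one named event."""
    return [(n, new_p if n == name else p, o) for n, p, o in register]

if __name__ == "__main__":
    totals = simulate(REGISTER)
    print("sum of EMVs:", sum(emv(p, o) for _, p, o in REGISTER))
    print("simulated mean:", sum(totals) / len(totals))
    print("95th percentile:", percentile(totals, 0.95))
    print("respond / accept:", decide(REGISTER, tolerance=15_000))
    reduced = reduce_probability(REGISTER, "Key supplier fails", 0.02)
    print("after reduction:", decide(reduced, tolerance=15_000))
```

The 95th percentile sits far above the sum of EMVs because the low-probability supplier failure dominates the tail, which is why a simulated range says more about exposure than a single expected value.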
Risk Response Development
Risk response development involves defining enhancement steps
for opportunities and responses to threats. Responses to threats generally fall into one of three categories:
Avoidance – eliminating a specific threat, usually by eliminating the cause.
Reduction – reducing the expected monetary value of a risk event by reducing the probability of occurrence.
Acceptance – accepting the consequences.
Step 7: Choose needed tools and techniques for Risk response development:
Procurement, for example, acquiring goods or services
from outside the immediate project organization or exchanging one risk for another.
Contingency planning – defines action steps
to be taken if an identified risk event should occur.
Insurance, such as bonding or others.
Step 8: Having results of risk quantification
and needed tools and techniques of Risk response development you have to prepare:
Risk management plan – it should document the procedures that will be used to manage risk throughout the project;
Contingency plans – pre-defined action steps to be taken if an identified risk event should occur.
Needed reserves. A reserve is a provision in the project plan to mitigate costs and (or) schedule risk.
Risk Response Control
Responding to changes in risk over the course of the project.
When changes occur, the basic cycle to identify, quantify,
and respond is repeated. It is important to understand, that
even the most thorough and comprehensive analysis cannot identify
all risks and probabilities correctly; control and iteration are required.
Step 9: Iteration of additional risk identification,
because sometimes potential risk events or sources of risk
not previously identified may surface.
Step 10: If additional risk events or sources
of risk are identified, you have to take corrective action and update the risk management plan.