Risk management process: Difference between revisions
Ceopediabot (talk | contribs) m (→Establishing the context: typos fixed: et al → et al.) |
(LinkTitles) |
||
Line 26: | Line 26: | ||
[[Image:Risk_management_process.jpg|right|thumb|400px|frame|Risk management process (D. Cooper et al., 2005, p. 15)]] | [[Image:Risk_management_process.jpg|right|thumb|400px|frame|Risk management process (D. Cooper et al., 2005, p. 15)]] | ||
===Objectives=== | ===Objectives=== | ||
The top management expects that all risks will be identified and treated before they happen. Therefore, the most important objectives are: | The [[top management]] expects that all risks will be identified and treated before they happen. Therefore, the most important objectives are: | ||
* reporting current and incoming risks, | * reporting current and incoming risks, | ||
* consolidation of risks and opportunities (as two sides of the same coin), | * consolidation of risks and opportunities (as two sides of the same coin), |
Revision as of 01:20, 23 May 2020
Risk management process |
---|
See also |
Risk management process is a sequence of activities which aim at reducing the risks to acceptable level. This includes identification, analysis, evaluation, treatment and monitoring of risks and risk related activities. The ISO 31000 standard defines risk management process as systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk management process can be applied to project management, financial management, quality management and others areas. It is a universal approach to risks. Therefore, it is recommended to implement one risk management process in whole enterprise which will be able to serve for different functional areas.
The risk management process consists of several steps. There are different descriptions of that process in the literature. The most comprehensive is version proposed by D. Cooper described below. The ISO 31000:2009 uses this process description in its risk management model (framework).
Establishing the context
Objectives
The top management expects that all risks will be identified and treated before they happen. Therefore, the most important objectives are:
- reporting current and incoming risks,
- consolidation of risks and opportunities (as two sides of the same coin),
- effective information system,
- transparency of decision process,
- possibility of monitoring risk related actions,
- many warnings, no surprises
Stakeholders
The key stakeholders are:
- top management
- business units
- staff
- business partners
- customers, users
- regulatory bodies
- local community and society
Key elements
Depending on the area under investigation, the object of analysis should be divided into parts. In case of project, the key elements will be work packages in work breakdown structure. In case of quality management the key elements are related to process or product being analysed.
Identifying the risks
What can happen?
The first step of identification is determining what can happen to the key elements. In order to establish possible situations it is convenient to use tools such as: brain storming, experience analysis, check-lists, surveys, etc. The typical sources of information are: data from earlier projects, lessons learned, good practices, literature on the subject, audit reports, experiments.
How can it happen?
Apart from what can happen, the research team should also identify how it can happen. The understanding of causes and ways is essential for dealing with risks. It is not enough to treat the risk. Usually the best option is treating the causes.
Analysing the risks
Likelihood
The likelihood is determined on quantitative scale (if data is available) or qualitative scale. The typical levels of likelihood are:
- rare
- unlikely
- moderate
- likely
- certain
Consequences
The consequences should be evaluated in many aspects, among others: costs, time, reliability, politics, social, integrity, employees, health and security, information security, environment, legislation, reputation. The scale is usually qualitative:
- insignificant
- minor
- moderate
- major
- catastrophic
Level of risk
- Acceptable level of risk is the level of likelihood and consequences that is regard as usual risk related to normal operation.
- Increased level of risk is not comfortable for the team, enterprise or project, but it will not lead to defeat.
- Unacceptable level of risk is the level above which the risk can be too dangerous for the enterprise or project. The unacceptable level should never be exceeded.
Evaluation of the risks
Evaluate risks
The current level of risk is determined based on likelihood and consequences. The greater the product of those two, the greater the risk level. The risk level can be also shown on risk management matrix.
Rank risks
The risks can be ranked based on the evaluation. The most important risks should be dealt first.
Reaction
Identify options
The typical options in risk treatment are:
- risk avoidance
- hazard prevention
- risk reduction
- risk sharing
- risk retention
- acceptance of residual risk
Select the best responses
The best response depends on level of risk, impact how difficult is to remove causes, etc. The response should decrease risk level by decreasing the likelihood or consequences. The economy of risk response should be taken into account. There is no need to eliminate all risks. It would be too expensive and very difficult.
Develop risk treatment plan
Risk treatment plan is required for risks that were not eliminated. In case of risk appearance there should be a plan describing how to treat the risk to minimise the bad results.
Implement
When the risk appears there is no time to read the plans. Implementation should include training and other actions.
Communication and consulting
The risk assessment team should consult with different departments of the enterprise in order to identify all the risks and find the best way of treating them. The communication should happen on every step of risk management process.
Monitoring and review
The monitoring and review is a set of activities that should identify problems in risk assessment and help return to earlier steps if needed.
References
- Cooper D., Grey S., Raymond G., Walker P., Project Risk Management Guidelines, Wiley & Sons, Chichester 2005
- ISO 31000:2009 Risk Management - Principles and Guidelines, Geneva:ISO
- Olsson, R. (2007). In search of opportunity management: Is the risk management process enough?. International Journal of Project Management, 25(8), 745-752.
- Tummala, R., & Schoenherr, T. (2011). Assessing and managing risks using the supply chain risk management process (SCRMP). Supply Chain Management: An International Journal, 16(6), 474-483.
Author: Slawomir Wawak