STEP 1 - RISK PLANNING: (Risk Management Plan, etc.)
STEP 2 - RISK ASSESSMENT/IDENTIFICATION/ANALYSIS
(RISK IDENTIFICATION: Life-Cycle Cost Analysis, Plan/WBS Plan Decomposition, Schedule Analysis, Lessons Learned Files, Expert Judgement, Baseline Cost Estimates, etc.)
(RISK ANALYSIS: Techniques, Risk ratings, Ordinal Probability Scales, Monte Carlo
STEP 3 - (RISK HANDLING)
STEP 4 - (RISK MONITORING: Earned Value, Program Metrics, Schedule performance monitoring, Technical Performance Measurement (TPM), Lessons Learned, etc.)
Risk Management is a practice with processes, methods, and tools for managing risks in a project. It provides a disciplined environment for proactive decision making to:
• assess continuously what could go wrong (risks)
• determine which risks are important to deal with
• implement strategies to deal with those risks
A successful risk management practice is one in which risks are continuously identified and analyzed for relative importance. Risks are mitigated, tracked, and controlled to effectively use program resources. Problems are prevented before they occur and personnel consciously focus on what could affect product quality and schedules.
There will be a cultural shift from "fire-fighting" and "crisis management" to proactive decision making that avoids problems before they arise. Anticipating what might go wrong will become a part of everyday business, and the management of risks will be as integral to program management as problem or configuration management.
What are the consequences or negative results of not doing risk management?
Management will not have insight into what could go wrong; consequently, more resources will be spent correcting problems that could have been avoided sooner, catastrophic problems (surprises) may occur without warning (and with no recovery possible), decisions will be made without complete information or adequate knowledge of future consequences, the overall probability of successful completion of the program is reduced, and your program will always be in a crisis.
The risk management process provides a framework for identifying risks and deciding what to do about them. Of course, just making a laundry list of all possible risks is not enough. It is easy to quickly become overwhelmed by the huge list of risks the organization faces.
But not all risks are created equal. Risk management is not just about identifying risks; it is about learning to weigh various risks and making decisions about which risks deserve immediate attention.
Risk management is not a task to be completed and shelved. It is a process that, once understood, should be integrated into all aspects of your organization's management.
• Establish the context - It's important to begin a risk management program by setting goals and identifying any potential barriers or impediments to the implementation of the program. In the goal setting exercise, ask, "What are we trying to accomplish by integrating risk management into our operations?" Some common goals for company risk management efforts include: reducing injuries, avoiding costly claims, preserving the company's reputation in the community, freeing up resources for mission-critical activities, and ensuring adequate risk financing.
• Acknowledge and identify risks - We will categorize risks according to four major categories of company assets: People, Property, Income and Goodwill. There are many ways to undertake risk identification; the key is using a framework or strategy that allows you to identify all major risks facing your company. You will have had the chance to identify the important risks to these critical assets.
• Evaluate and prioritize risks - The third step in the process helps you keep things in perspective and establish a list of action items in priority order. The risk of an asteroid crashing into your organization's annual Black Tie Event is remote, so it probably makes more sense to work on a more likely risk - that someone could slip and hurt himself or herself on a waxed dance floor.
• Select appropriate risk management strategies and implement your plan - We'll discuss four risk management techniques that can be used individually or in combination to address virtually every risk facing your company.
• Monitor and update the risk management program - Companies are dynamic organizations that constantly face new challenges and opportunities. Risk management techniques and plans should be reviewed periodically to make certain that they remain the most appropriate strategy given the organization's needs and circumstances.
Four basic risk management techniques are: avoidance, modification, retention and sharing. Let's take a closer look at each.
Avoidance - Whenever an organization cannot offer a service while ensuring a high degree of safety, it should choose avoidance as a risk management technique. Do not offer programs that pose too great a risk. In some cases avoidance is the most appropriate technique because a company simply doesn't have the financial resources required to fund adequate training, supervision, equipment, or other safety measures. Always ask, "Is there something we could do to deliver this program/conduct this activity safely?" If you answer "yes," risk modification may be the more practical technique.
Modification - Modification is simply changing an activity to make it safer for all involved. Policies and procedures are examples of risk modification. An organization concerned about the risk of using unsafe drivers may add DMV record checks to its screening process, or an annual road test for all drivers. An organization concerned about the lack of male and female chaperones for an overnight camping trip may decide to host a day-long hike and picnic instead.
Retention - There are two ways to retain risk. The first is by design. A company may decide that other available techniques aren't suitable and it will therefore retain the risk of harm or loss. Companies make conscious decisions to retain risk every day. For example, when a company purchases liability insurance and elects a $1,000 deductible or self-insured retention, it's retaining risk. This can be a rational and appropriate approach to managing risk. Where organizations get into trouble is when risk is retained unintentionally. The unintentional retention of risk can be the result of failing to understand the exclusions of an insurance policy, insufficient understanding of the scope of risk an organization faces or simply because no one has taken the time to consider the risk and how it can be addressed.
Sharing - Risk sharing involves sharing risk with another organization through a contract. Two common examples are insurance contracts that require an insurer to pay for claims expenses and losses under certain circumstances, and service contracts whereby a provider (such as a transportation service or caterer) agrees to perform a service and assume liability for potential harm occurring in the delivery of the service.
Goodwill is an asset that is difficult, if not impossible, to quantify. For a company, a more descriptive word might be "reputation." Every company understands that its reputation is key to fundraising, volunteer recruitment, staff retention, and overall good organizational health.
Damage to a company's reputation can be devastating, and many companies with otherwise strong programs would have a hard time recovering from a "hit" to their reputation.
In many cases, damage to reputation occurs in the wake of a crisis, such as a scandal involving malfeasance or widely publicized client injury.
In some cases there may be guilt by association if a company or company partner comes under fire. Even an incident of tax evasion by a major donor could have repercussions for a company.
RISK PLANNING PROCESS
Business Objectives include the Vision, Mission, Purpose, Long Range Objectives, and similar drivers of the organization. Each organization will have its own distinctive set of Business Objectives, and public, not-for-profit and private sectors may have very different Business
Industry-Specific scenarios, Approaches, and Models are ways that organizations have chosen to deal with business risk and uncertainty. These methods vary greatly from industry to industry. Within industries, there are often some "best practice" approaches that have become de facto standards. Organizations may use one or one hundred different models to describe risk. For example, in banking, the VAR (Value at Risk) portfolio pricing model or similar is just one of the common components for financial institutions dealing in securities and derivatives.
Recognition and Appreciation of Business Risk is a process the organization uses to make use of their models, etc. to elicit specific information about business risk and its consequences. Risk Committees and Risk Managers are two of the ways this process is included in the structure of the organization. The most successful organizations ensure that there is a common understanding between the strategic planners, risk management, the business leadership, and the internal auditors (often by having all participate on the same committee).
The Strategic Planning Process is the process of converting the Business Objectives and the Appreciation of Business Risk into a set of strategic objectives, scenarios, plans, or the like to serve as guidance for the organization over some planning horizon greater than one year. In successful organizations, there is communication of the plan with the chief internal auditor and staff to aid in developing a relevant audit universe.
The Audit Universe is a collection of all the processes, programs, projects, and other units of the organization that are relevant to the strategic plan and have sufficient importance and/or significance to plan achievement.
The Audit Universe is a compilation of the possible subjects for internal auditing. It is not necessary to consider that all subjects must be covered. Those of least importance might be replaced in future periods by those of higher importance - or some may lose relevance as the strategic plan unfolds.
The Annual Business Plan is a subset of the Strategic Plan that seeks to allocate resources to near-term objectives of the coming year. Because the plan is a portion of the Strategic Plan that is being implemented in the immediate future, successful organizations have found it important that the business planners communicate with the internal audit planners in order to synchronize the audit effort with the current business plan. Business plans are usually reviewed periodically throughout the period being planned. Status of the plan or changes as a result of these reviews is also communicated to the internal audit so that corresponding adjustments are made.
RISK ASSESSMENT/IDENTIFICATION/ANALYSIS
The old planning adage goes something like this, "When you are up to your armpits in alligators, it is hard to remember that your goal was to drain the swamp." Managers often spend so much time dealing with the significant risks in the present that they find it difficult to deal with risk in a longer time horizon. While we focus on the plans for draining the swamp, the alligators will have us for breakfast! On the other hand, if we do not have some resources devoted to dredging the swamp, the alligators will never go away. How then can we discover the "right" mix of plans over time that will help our organizations achieve their goals?
We have developed a new thinking model for addressing business risk and business opportunity over multiple time horizons. Using this model, organizations have begun to reshape their planning and control systems to be more effective in supporting the organization's goals and objectives.
Managers put assets at risk to achieve objectives. This relationship is a fundamental planning problem for managers. Managers must plan, organize, direct, and control the optimum mix of assets to achieve their objectives given the risks that are present. This is true for government, not-for-profit, as well as for-profit enterprises. It is not enough to assemble the right stuff to do the job; managers also must consider how risks will affect the assets. The assets can include human resources, intellectual property, intangible goodwill, as well as the more usual financial and physical assets.
Structured planning is an effective internal control system. Through planning, managers anticipate the inherent risks in their activities and set up methods to mitigate the effects of these risks. Inherent risks, also known as business risks, exist in all activities. The inherent risk of any activity is a function of the mix of assets and the nature of the activity. For example, a cash teller operation has a degree of business risk within the activity. The assets employed could be:
• Physical assets (building, furnishings, etc.)
• Financial assets (the cash)
• Human assets (teller)
• Intangible assets (policies and procedures, information, etc.)
The biggest inherent risk in a cash teller operation is the loss of the cash asset. We can mitigate some of the business risk by installing security devices (cameras, guards, bandit barriers) and changing the physical asset mix. Still other business risks could be mitigated by installing an automated teller machine in place of the human teller asset. Management can mitigate other inherent risks by limiting the cash on hand and by installing effective policies and procedures.
What the final asset mix might be in our cash teller operation has a lot to do with which risks we want to mitigate and at what cost. Our overall business objectives are a third factor to consider as well. In our teller example, if we want to make every customer contact a selling opportunity, then the automated teller machine is probably less effective than a human teller/salesperson.
Risk and Opportunity
A key concept in our model is that risk and opportunity are part of a continuum of variation. This is not new: people have associated risk and reward together for some time. However, looking at risk from a systems perspective demonstrates why this is so. Risk is the potential of negative results (less than expected), and opportunity is the potential for positive results (greater than expected). Both are variation from system plans. The results of negative risk are usually not desirable. ...
The 8500+ word solution is an extensive survey of information regarding risk management.