Showing posts with label Risk Management. Show all posts

Thursday, March 6, 2014

Dyman & Associates Risk Management Projects

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, as well as deliberate attack from an adversary, or events of uncertain or unpredictable root cause. Several risk management standards have been developed, including those from the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO.

Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

The strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).

Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk, whereas the confidence in estimates and decisions seems to increase. For example, it has been shown that one in six IT projects becomes a 'Black Swan', with cost overruns of 200% on average, and schedule overruns of 70%.

Introduction
A widely used vocabulary for risk management is defined by ISO Guide 73, "Risk management. Vocabulary."

In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be difficult, and balancing resources used to mitigate between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.

Intangible risk management identifies a new type of risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers and decrease cost-effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.

Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending (or manpower or other resources) and also minimizes the negative effects of risks.

Method
For the most part, these methods consist of the following elements, performed, more or less, in the following order.

· identify, characterize threats
· assess the vulnerability of critical assets to specific threats
· determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
· identify ways to reduce those risks
· prioritize risk reduction measures based on a strategy


Wednesday, February 26, 2014

Dyman & Associates Projects: Risk Management

This site, Dyman & Associates Projects, provides guidance and tools to help businesses understand what they need to do to assess and control risks in the workplace and comply with health and safety law. Although written with small businesses in mind, the site is relevant to all businesses.

Five steps to risk assessment
This is not the only way to do a risk assessment; there are other methods that work well, particularly for more complex risks and circumstances. However, we believe this method is the most straightforward for most organizations.

How to assess the risks in your workplace?

Follow the five steps in our leaflet:

Don’t overcomplicate the process. In many organizations, the risks are well known and the necessary control measures are easy to apply. You probably already know whether, for example, you have employees who move heavy loads and so could harm their backs, or where people are most likely to slip or trip. If so, check that you have taken reasonable precautions to avoid injury.

If you run a small organization and you are confident you understand what’s involved, you can do the assessment yourself. You don’t have to be a health and safety expert.

If you already have a health and safety policy, you may choose to simply complete the risk assessment part of the template. We also have a number of example risk assessments to show you what a risk assessment might look like. Choose the example closest to your own business and use it as a guide for completing the template, adapting it to meet the needs of your own business.

If you work in a larger organization, you could ask a health and safety adviser to help you. If you are not confident, get help from someone who is competent. In all cases, you should make sure that you involve your staff or their representatives in the process. They will have useful information about how the work is done that will make your assessment of the risk more thorough and effective. But remember, you are responsible for seeing that the assessment is carried out properly.


When thinking about your risk assessment, remember:

· a hazard is anything that may cause harm, such as chemicals, electricity, working from ladders, an open drawer, etc.; and
· the risk is the chance, high or low, that somebody could be harmed by these and other hazards, together with an indication of how serious the harm could be.