RISK
Risk is a measure of the probability and consequence of not achieving a defined project goal.
Risk has three primary components:
• An event (an unwanted change)
• A probability of occurrence of that event
• Impact of that event (amount at stake)
Sources of Risk
Risks to a project can be classified by their cause, as one of the following types:
External
These may be associated with global conditions in political and regulatory areas and markets. Generally, external sources of risk encompass factors which are beyond the control of the project team and/or the organisation(s) involved. These may include legislative requirements with regard to safety or the protection of consumers or the environment. Such regulations govern the operation of companies and enterprises, and non-compliance with them leads to legal obstacles, or to unofficial political demonstrations that can harm an organisation’s project operations and reputation.
Internal
Internal sources of risk are within the control of the project team and/or the organisation(s) involved. These include risks arising as a result of project design or human behaviour. Corporate dispute, communication failure and technology failure can all harm the project. Human performance, skills availability, capability and motivation are essential factors that contribute to the success of the project. The project leader should have the skills to exercise consistent risk management in order to keep the project on track.
These types of risk can be further broken down into 4 categories:
• Technical
• Management
• Safety
• Business
Risk Management
Risk management is an organized means of identifying and measuring risk and developing, selecting, and managing options for handling these risks. Several tools are available to assist in the management of risk in technical areas. These tools can help the project manager to understand the danger signals that may indicate that the project is off track, and prioritize corrective actions as necessary.
According to the Project Management Institute Body of Knowledge (PMBOK) [3], there are three definitions of risk management:
• Risk management is the formal process by which risk factors are systematically identified, assessed, and provided for
• Risk management is a formal, systematic method of managing that concentrates on identifying and controlling areas or events that have a potential for causing unwanted change
• Risk management, in the project context, is the art and science of identifying, analyzing, and responding to risk factors throughout the life of a project and in the best interest of its objectives.
Risk Management Process
• Risk Identification
• Risk Quantification
• Risk Response
• Risk Control
RISK MANAGEMENT STEPS
The risk management steps are:
1. Establishing goals and context (i.e. the risk environment),
2. Identifying risks,
3. Analysing the identified risks,
4. Assessing or evaluating the risks,
5. Treating or managing the risks,
6. Monitoring and reviewing the risks and the risk environment regularly, and
7. Continuously communicating, consulting with stakeholders and reporting.
Establish goals and context
The purpose of this stage of planning is to understand the environment in which the respective organization operates, that is, to thoroughly understand the external environment and the internal culture of the organization. The analysis is undertaken through:
− establishing the strategic, organizational and risk management context of the organization, and
− identifying the constraints and opportunities of the operating environment.
Identify the risks
Using the information gained from the context, particularly as categorized by the SWOT and PEST frameworks, the next step is to identify the risks that are likely to affect the achievement of the goals of the organization, activity or initiative. It should be underlined that a risk can be an opportunity or strength that has not been realized.
Key questions that may assist your identification of risks include:
− For us to achieve our goals, when, where, why, and how are risks likely to occur?
− What are the risks associated with achieving each of our priorities?
− What are the risks of not achieving these priorities?
− Who might be involved (for example, suppliers, contractors, stakeholders)?
The appropriate risk identification method will depend on the application area (i.e. nature of activities and the hazard groups), the nature of the project, the project phase, resources available, regulatory requirements and client requirements as to objectives, desired outcome and the required level of detail.
The use of the following tools and techniques may further assist the identification of risks:
− Examples of possible risk sources,
− Checklist of possible business risks and fraud risks,
− Typical risks in stages of the procurement process,
− Scenario planning as a risk assessment tool.
Analyse the risk
Risk analysis involves the consideration of the source of risk, the consequence and likelihood to estimate the inherent or unprotected risk without controls in place. It also involves identification of the controls, an estimation of their effectiveness and the resultant level of risk with controls in place (the protected, residual or controlled risk). Qualitative, semi-quantitative and quantitative techniques are all acceptable analysis techniques depending on the risk, the purpose of the analysis and the information and data available.
Evaluate the risk
Once the risks have been analysed they can be compared against the previously documented and approved tolerable risk criteria. When using risk matrices this tolerable risk is generally documented with the risk matrix. Should the protected risk be greater than the tolerable risk then the specific risk needs additional control measures or improvements in the effectiveness of the existing controls.
The decision of whether a risk is acceptable or not acceptable is taken by the relevant manager. A risk may be considered acceptable if, for example:
− The risk is sufficiently low that treatment is not considered cost effective, or
− A treatment is not available, e.g. a project terminated by a change of government, or
− A sufficient opportunity exists that outweighs the perceived level of threat.
If the manager determines the level of risk to be acceptable, the risk may be accepted with no further treatment beyond the current controls. Acceptable risks should be monitored and periodically reviewed to ensure they remain acceptable. The level of acceptability can be organizational criteria or safety goals set by the authorities.
Treat the risk
An unacceptable risk requires treatment. The objective of this stage of the risk assessment process is to develop cost effective options for treating the risks. Treatment options (cf. Fig. 5), which are not necessarily mutually exclusive or appropriate in all circumstances, are driven by outcomes that include:
− Avoiding the risk,
− Reducing (mitigating) the risk,
− Transferring (sharing) the risk, and
− Retaining (accepting) the risk.
Monitoring the risk
It is important to understand that the concept of risk is dynamic and needs periodic and formal review. The currency of identified risks needs to be regularly monitored. New risks and their impact on the organization may need to be taken into account.
This step requires the description of how the outcomes of the treatment will be measured. Milestones or benchmarks for success and warning signs for failure need to be identified.
The review period is determined by the operating environment (including legislation), but as a general rule a comprehensive review every five years is an accepted industry norm. This is on the basis that all plant changes are subject to an appropriate change process including risk assessment.
The review needs to validate that the risk management process and the documentation are still valid. The review also needs to consider the current regulatory environment and industry practices which may have changed significantly in the intervening period.
The organisation, competencies and effectiveness of the safety management system should also be covered. The plant management systems should have captured these changes and the review should be seen as a ‘back stop’.
The assumptions made in the previous risk assessment (hazards, likelihood and consequence), the effectiveness of controls and the associated management system as well as people need to be monitored on an on-going basis to ensure risks are in fact controlled to the underlying criteria.
For efficient risk control, the analysis of risk interactions is necessary.