Risk Management

A. Definition

Risk is the possibility of a negative impact occurring: an unknown event, or a situation of uncertainty.

According to ISO 9000, risk is the “effect of uncertainty on an expected result”, and an effect is a positive or negative deviation from what is expected. The following two paragraphs explain what this means. This definition recognises that all of us operate in an uncertain world. Whenever we try to achieve something, there is always the chance that things will not go according to plan. Sometimes we get positive results, sometimes negative results, and occasionally both. Because of this, we need to reduce uncertainty as much as possible. Uncertainty (or lack of certainty) is a state or condition that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete. While this definition argues that risk can be positive as well as negative, a note acknowledges that "the term risk is sometimes used when there is only the possibility of negative consequences".

Risk Management is a work process to eliminate or minimise the potential impact of a risk or uncertainty, such as lost money, an extended schedule or reduced performance. The Risk Management work process consists of risk identification; assessment and analysis (probability, consequence and impact); treatment classification (risk response); prioritisation; reporting; and monitoring and controlling. The risk treatment classifications (hedging) are Avoidance (not taking the risk: high probability and high impact); Transfer (financing, insurance: low probability and high impact); Mitigation (sharing, contingency provision: high probability and low impact); and Acceptance (taking, retention, and unidentified risk: low probability and low impact).

Risk Assessment is the work process of analysing and examining the risk items in terms of their probability of failure (PoF), consequences of failure (CoF) and impacts. Risk Analysis is the part of the Risk Assessment work process that evaluates and estimates the risk probabilities.

Risk Classification (or Risk Response) is the risk treatment work process, based on occurrence and impact. A risk can be classified as Risk Avoidance (high probability and high impact), Acceptance (taking, retention, and unidentified risk: low probability and low impact), Mitigation (sharing, contingency provision: high probability and low impact), or Risk Transfer (financing or insurance: low probability and high impact).

B. Risk Classification (Risk Response)

Risk Avoidance means that a risk of a business, project or activity is not taken. An avoided risk is a high-probability, high-impact event.

Risk Acceptance means taking a risk that carries a possible opportunity. An accepted risk has a low probability of occurrence and a low impact.

  • Risk Resilience is the ability to accommodate risk.
  • Risk Retention means that the risk is classified as accepted after the risk management work process has been performed (refer to Self Insurance).
  • Risk Assumption is taking a minor risk.
  • Residual Risk is an unidentified risk remaining after the risk management plan is initially set up.

Risk Mitigation is the systematic reduction of a harmful, unpleasant or bad situation in order to reduce a risk's impact: lost money, an extended schedule or reduced performance. A mitigated risk has a high probability of occurrence and a low impact.

  • Risk Sharing is a risk management method (Risk Mitigation) in which a risk is shared with a partner.
  • Risk Diversification is the allocation of risk across all participants.
  • Risk Reduction is reducing a risk to a target level (refer to Risk Mitigation).

Risk Transfer is a risk management and control strategy that involves the contractual shifting of a risk from one party to another by purchasing insurance or transferring contractual liability.

  • Risk Financing is a contingency arrangement: provisional risk money.
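The work process described in section A (identification, PoF/CoF assessment, treatment classification, prioritisation and reporting) and the four-quadrant classification of section B, carried through in code. This is an added example, not material from the original page; the 1..5 rating scale, the "high" threshold of 3, the PoF × CoF score and the sample risk items are all constructed assumptions, since the page only distinguishes high from low probability and impact.

```python
from dataclasses import dataclass

# Rating scale and "high" threshold are constructed assumptions for this example;
# the page only distinguishes high from low probability and impact.
SCALE_MIN, SCALE_MAX = 1, 5
HIGH_THRESHOLD = 3


@dataclass(frozen=True)
class RiskItem:
    """One row of the risk register: identification plus the PoF/CoF assessment."""
    risk_id: str
    description: str
    owner: str
    pof: int  # probability of failure, 1 (rare) .. 5 (almost certain)
    cof: int  # consequence of failure, 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently change the treatment.
        for name, value in (("pof", self.pof), ("cof", self.cof)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: {name}={value} outside {SCALE_MIN}..{SCALE_MAX}")

    @property
    def score(self) -> int:
        """Risk analysis: PoF x CoF gives the priority score used for ranking."""
        return self.pof * self.cof


def classify(pof: int, cof: int, threshold: int = HIGH_THRESHOLD) -> str:
    """Map an assessed risk onto the four treatment classes of the page's matrix."""
    high_probability = pof >= threshold
    high_impact = cof >= threshold
    if high_probability and high_impact:
        return "Avoidance"      # high probability, high impact: do not take the risk
    if high_probability:
        return "Mitigation"     # high probability, low impact: share / contingency provision
    if high_impact:
        return "Transfer"       # low probability, high impact: financing / insurance
    return "Acceptance"         # low probability, low impact: take / retain


def build_register(items: list[RiskItem]) -> list[dict]:
    """Assess, classify and prioritise: highest score first, ties broken by risk_id."""
    rows = [
        {
            "risk_id": item.risk_id,
            "description": item.description,
            "owner": item.owner,
            "pof": item.pof,
            "cof": item.cof,
            "score": item.score,
            "treatment": classify(item.pof, item.cof),
        }
        for item in items
    ]
    return sorted(rows, key=lambda r: (-r["score"], r["risk_id"]))


def risk_report(register: list[dict]) -> str:
    """Plain-text risk report summarising the register for management review."""
    header = f"{'ID':<7}{'PoF':>4}{'CoF':>4}{'Score':>6}  {'Treatment':<11}{'Owner':<11}Description"
    lines = [header]
    for r in register:
        lines.append(
            f"{r['risk_id']:<7}{r['pof']:>4}{r['cof']:>4}{r['score']:>6}  "
            f"{r['treatment']:<11}{r['owner']:<11}{r['description']}"
        )
    return "\n".join(lines)


# Constructed sample risks (not from the original page).
SAMPLE_RISKS = [
    RiskItem("R-001", "Internet-facing service missing security patches", "IT Ops", pof=4, cof=5),
    RiskItem("R-002", "Encrypted office laptop lost in transit", "Security", pof=4, cof=2),
    RiskItem("R-003", "Data centre flood", "Facilities", pof=1, cof=5),
    RiskItem("R-004", "Short outage of the internal wiki", "IT Ops", pof=2, cof=1),
]

if __name__ == "__main__":
    print(risk_report(build_register(SAMPLE_RISKS)))
```

Running the module prints the register sorted by score, with one sample item landing in each of the four treatment classes. The threshold is a parameter of `classify` so an organisation's own appetite can be expressed without changing the mapping; the important property is that the mapping is explicit and reviewable rather than decided ad hoc per risk.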

C. Additional Definitions

Risk Register is a risk (or opportunity) management tool: a record of information about the identified risks (or opportunities) used by the project manager and the project's risk staff. The Risk Register provides a means of recording and quantifying the identified risks, including the nature of the risk, risk owner, impact, mitigation plan and reference, etc.

Risk Report is a summary of the identified risks, the assessment and analysis results, the treatment classifications and an action plan, submitted for management approval.

Risk Based Thinking refers to a coordinated set of activities and methods that organisations use to manage and control the many risks that affect their ability to achieve objectives. Risk based thinking replaces what the old standard used to call preventive action. Whilst risk based thinking is now an essential part of the new standard, it does not actually expect you to implement a formal risk management process, nor does it expect you to document your organisation’s risk based approach. (Source: ISO)

ISO 31000 Risk Management: Risks affecting organisations can have consequences in terms of economic performance and professional reputation, as well as environmental, safety and societal outcomes. Therefore, managing risk effectively helps organisations to perform well in an environment full of uncertainty. ISO 31000:2009, Risk management – Principles and guidelines, provides principles, a framework and a process for managing risk. It can be used by any organisation regardless of its size, activity or sector.

To be developed continuously...including guideline, template and standard formats
