Introduction to risk management :
Since risk management is an inherent part of organizational activities and an event that can potentially create obstacles in the path of execution and goal achievement, understanding the contents of this field is crucial. Organizational risk management is a critical aspect of management and one of the ten knowledge areas that a manager should be proficient in. However, implementing a structured system for employing risk management processes is a challenging task that requires extensive study and research in this field.
- Organizational Risk Management : Organizational risk management includes processes, tools, and techniques that assist organizational managers in increasing the likelihood and intensity of positive risks while decreasing the likelihood and intensity of negative risks.
- Uncertainty : Uncertainty is a space that is unpredictable and immeasurable.
- Risk : Any event in the space of uncertainty that, if it occurs, can have a negative impact on one or more of the organization’s objectives (threat) and should be transformed into a positive impact (opportunity) through proper management.
Origin of Risks :
A set of conditions that exist within the organization and its environment and give rise to risks.
Key Points: The most common mistake in identifying organizational risks is the inability to differentiate between the origin of risks, risks themselves, and the effects of risks.
Using the following sentence can help us in identifying risks and their origins:
” Due to …, there may be a risk of … occurring, which, if it happens, will lead to … in the organization’s activities. “
Utilizing the Risk Breakdown Structure (RBS) aids in identifying the origins of risks.
Types of Risks :
- Known Unknowns: Risks that are known but the extent of their impact on the organization is uncertain.
- Unknown Unknowns: Risks that neither their existence nor their impact on the organization is clear.
The Role of Organizational Risk Management: What sets a successful organization apart from unsuccessful ones is how they manage problems and dilemmas that may potentially crisis the organization in the future. Our team teaches how to consider the right responses from the moment risks are recognized until the moment they occur.
Objectives of Organizational Risk Management Process:
1. Make appropriate decisions to reduce the damage caused by threats and increase the profits resulting from opportunities.
2. Ensure that risks do not exceed acceptable limits.
3. Ensure the achievement of organizational goals.
4. Communicate with stakeholders and team members about what leads to success or failure.
Risk Management Process According to Standards:
1. Plan Risk Management (Plan Risk Management): This process involves transparent and detailed planning for how risk management activities will be carried out for each organization. The main advantage is to ensure the appropriateness of the degree, type, transparency of risk management with risks, and the importance of the activity for the organization and other stakeholders.
In general, risk planning includes the following:
· Methodology, tools, and techniques used (Tools & Techniques, Methodology)
· Determining the roles and responsibilities of stakeholders (Roles and Responsibilities)
· Budget allocation (Budgeting)
· Timeframe for addressing risks (Timing)
· Stakeholders’ risk tolerance (Revised Stakeholders Tolerance)
· Reporting standards, formats, and update cycles (Reporting Format)
· Required follow-ups (Tracking)
2. Identify Risks (Identify Risks): The process of identifying the organization’s risks, as well as the risks of activities, and documenting their characteristics.
Methods of Risk Identification:
· Brainstorming: A group discussion technique.
· Delphi: Expert consultation and consensus method.
· Interviews: Conversations with partners, stakeholders, and relevant experts.
· SWOT Analysis: Examining strengths, weaknesses, opportunities, and threats.
· Cause and Effect Diagram: Shows how various factors can cause problems or potential effects.
The output of the risk identification process is the Risk Register, which includes a list of identified risks, potential response lists, and risk owners.
Remember that each organization is unique and may encounter new risks that have not been present in similar organizations. In such cases, it’s important to adapt and create risk identification strategies that suit the organization’s specific needs.
These processes are essential for effective risk management in any organization, and they form the foundation for developing a risk management plan that helps the organization navigate uncertainties and challenges successfully.
3. Qualitative Risk Analysis: Qualitative risk analysis is the process of prioritizing risks for further action or analysis based on the likelihood of occurrence and the potential impact of those risks. This analysis is typically done using a qualitative scale. One common tool for qualitative risk analysis is the Probability-Impact (P-I) matrix. In this matrix, the two dimensions, probability, and impact, are categorized qualitatively into different levels. The intersection of these two dimensions represents the level of risk significance.
It’s important to note that when a project has a set of risks that may occur, these risks can influence each other. The occurrence of one risk may increase or decrease the probability or impact of another risk. Even the occurrence of one risk can introduce new risks to the organization.
Quantitative Risk Analysis:
Quantitative risk analysis is the numerical assessment of the impact of identified risks on the overall objectives of the organization. It is performed after the qualitative risk analysis and prioritization of risks. Quantitative analysis focuses on risks that have been prioritized during the qualitative analysis phase. This analysis provides a more precise understanding of how various risks can affect the organization.
Methods of Quantitative Analysis:
1. Decision Tree: This technique illustrates how to make a decision between strategic capital investment options when the environment is uncertain.
2. Sensitivity Analysis: Sensitivity analysis helps determine which risks have a stronger impact on the organization’s activities. By changing parameters in a model, the importance and sensitivity of risks become apparent.
3. Simulation: Simulation is a technique that involves converting the real world into a model using assumptions. The goal is to understand the behavior of a system or process under different scenarios by altering various variables. The Monte Carlo simulation is one of the most well-known simulation methods based on basic principles of statistical sampling.
These quantitative methods provide organizations with a more detailed understanding of the potential risks they face, allowing for better decision-making and risk management strategies.
4. Plan Risk Responses: The Plan Risk Responses process involves determining various options and actions to exploit opportunities and reduce threats related to the organization’s objectives. This process focuses on addressing the prioritized risks and allocates resources, including budget, time, and management plans if necessary.
Negative Risk Response Strategies (Threats):
1. Escalate : When addressing a risk is beyond the authority and responsibility of the project manager, it should be escalated to higher levels within the organization. In this case, the matter is taken out of the project team’s hands but may still be tracked in the risk register.
2. Avoid : This strategy seeks to identify the best way to avoid risks if possible. Many risks can be avoided through clear requirements, gathering additional information, improving communication, allocating the appropriate time, and allocating adequate budget.
3. Transfer : In this strategy, risks are transferred to a third party through agreements, which involve the transfer of commitment and responsibility for the risks. The key condition for transferring risks is that the cost of transferring them should be lower than the cost of their potential occurrence.
4. Mitigate : Mitigation involves taking a series of actions to reduce the likelihood of a risk occurring or to reduce the negative impact of a risk if it does occur.
5. Accept : If none of the above strategies are feasible, the acceptance strategy is chosen. This means that there is nothing we can do before the risk occurs. However, we can consider measures to reduce the damages resulting from its occurrence.
Positive Risk Response Strategies (Opportunities):
1. Escalate : Opportunities that are beyond the authority of the project team may be escalated to higher levels in the organization.
2. Exploit : Taking actions to ensure that opportunities are realized. However, it’s ideal to realize all identified opportunities.
3. Share : Sharing opportunities with partners or stakeholders to make the most of them.
4. Enhance : Increasing the probability and impact of opportunities occurring.
5. Ignore : For some opportunities, even though they may have a positive impact on the organization, no effort is made to realize them.
It’s important to note that in dealing with certain risks, it may be necessary to use a combination of strategies as a single strategy may not be sufficient. The choice of strategy should depend on the specific risk, its impact, and the organization’s risk tolerance.
5. Implementation of Risk Responses: The Implementation of Risk Responses process ensures that the accepted responses are executed, resulting in the reduction of threat risks and the enhancement of opportunity risks.
6. Monitor Risks: The Monitor Risks process involves implementing risk response plans, tracking identified risks, supervising remaining risks, identifying new risks, and assessing the effectiveness of the risk management process throughout the project.
In this phase, you need to answer questions such as:
· Are the assumptions still valid?
· Has the importance level of risks changed?
· Are the employed policies adequate?
· Are backup reserves readily available in terms of time, cost, and other objectives?
· Can revisions be made regarding issues such as choosing alternative strategies, executing contingency plans, and making adjustments to the risk management plan?
Agile Risk Management in Organizations:
Organizational activities with many variables inherently involve uncertainties and high risks. To address this issue and reduce uncertainties, agile organizations have adopted the approach of incremental product delivery and the use of cross-functional teams. Through this approach, they can share the knowledge gained at each stage with each other to improve future processes.
While the topic has been summarized here, more comprehensive discussions and detailed insights can be found in subsequent articles.
Please feel free to ask if you have more specific questions or if there’s anything else I can assist you with.
Topic: Risk Management Based on Global Standards