Risk Management Overview Risk Management Overview

Risk Management A risk is defined as an uncertain event or condition that, if it occurs, has an effect on business operations and/or objectives. A risk has a cause and, if it occurs, an impact.

Risk Management Risk management is the act or practice of dealing with risk. It includes: planning for risk, assessing (identifying and analyzing) risks, developing risk response strategies, and monitoring risks to determine how risks have changed. Proper risk management is proactive rather than reactive. Therefore, proper risk management will attempt to reduce the likelihood of an event and/or the magnitude of its impact.

Contingency Planning /Disaster Recover Contingency Planning / Disaster Recovery differs from Risk Management in that Risk Management is proactive in mitigating the risk prior to the risk occurring. Contingency Planning / Disaster Recovery is a reactive planning for what to do once a risk occurs.

Risk Management Without mitigation, risks will introduce chaos and failure even into a well-planned and managed organization. A risk mitigation plan should be developed and implemented. A contingency plan should be included for high risks with a triggering circumstance or measure defined to invoke it. Management must choose which risks will have mitigation and contingency strategy plans developed and implemented for them.

Risk Management When stating a risk, a three-part structured description of a risk should include:  the cause,  the risk, and  the effect or impact. The three elements of the risk meta-language can be summarized as: “As a result of, an may occur, which would lead to. “

Risk Example As a result of the lack of sufficiently skilled HR resources, due to untimely turnover and/or retirement, the payroll cycle cannot be run, which would lead to significant delays in the staff receiving their paychecks.

Risk Management Steps Risk Identification Risk Analysis / Assessment Risk Prioritization Risk Response Planning Risk Mitigation Risk Monitoring and Controlling

Risk Identification & Assessment Risk Identification and Assessment involves determining the risks that affect the business operations and objectives, categorizing the identified risks into defined key business functions, and in a structured manner providing an analysis to refine the risk description, isolating the cause, and determining the effects.

Risk Identification & Assessment Once a risk is identified you must then assess the risk based on the Risks; Likelihood of occurrence, Severity or impact, Level of control that you have to prevent the risk from occurring.

STEP 1 – ESTABLISH THE CONTEXT The first step in the risk management process is focused on the environment in which your organisation operates. You need to consider this environment so that you can establish the boundaries in which risks must be managed and guide your decisions on managing risks.

To do this, you need to: consider the outcomes you want to achieve in your activity consider the environment in which your organisation operates identify internal and external stakeholders develop risk evaluation criteria.

Considering the outcomes to be achieved First of all, make yourself aware of what your organisation does and the nature and extent of the activity you are planning. Anything which poses a risk to what your organisation is trying to do needs to be considered. You need a broad view of the activity at this stage, so that you focus on the main issues.

Considering the environment Look at the relationship between the activity and its environment. Think about all the things which might support or impair your ability to manage the risks faced by your organisation. These could be related to social, economic, legal, technological or environmental factors. You may or may not be able to control these factors. For example, there may be legislation which impacts on your activity. While you cannot control what the legislation says, you can control how you comply with this legislation.

Identifying stakeholders Stakeholders are individuals who may affect, or be affected by, any of your decisions on risk management. – They could be employees, managers, volunteers, unions, financial and insurance organisations, customers, government, suppliers and service providers. Different stakeholders have different needs, concerns and opinions and it is essential that you consult and communicate with them during the risk management process.

Developing risk evaluation criteria Risk criteria are used to rank risks and decide whether they are acceptable or not. Consider the level of risks your organisation is willing to accept from its environment. The criteria may be affected by legal requirements, and the perceptions of external and internal stakeholders. You might change this criteria when you identify particular risks and choose particular risk analysis techniques.

Example For example, you may decide that one criterion for deciding whether a risk is acceptable or not is that the cost of managing the risk must be less than the financial loss if the risk occurred.

Documenting Step 1 – “Establish the context” If you are analysing a major risk, you should document the full range of environmental factors which you have considered. These are: the activity the intended outcomes of the activity critical factors in the environment stakeholders risk evaluation criteria.

Case study One Work through Case Study One.

Types of Risk Physical: involving personal injuries, environmental and weather conditions and the physical assets of your organisation, such as equipment and vehicles Financial involving theft, fraud, loans, membership fees, insurance costs, damages claims or penalties and fines Legal involving the responsibilities imposed by federal, state and local Government laws as well as laws derived from custom and judicial precedent

Types of Risk Ethical or moral / Cultural: involving actual or potential harm to the reputation or beliefs of an individual or organisation. Environmental: potential damage to the local or global environment

Selecting methods to identify risks When you undertake this step to identify risks, it is essential that those you consult are knowledgeable about the activity you are reviewing. Where the activity is complex, it may be best to work with a group. You can use one or more of the following methods to identify risks:

Internal methods of identifying risks: Look at the records of previous activities. Examine the results of personal, local or overseas experience. Arrange interviews and discussions with stakeholders. Distribute surveys and questionnaires to stakeholders. Conduct audits and physical inspections. Directly observe the activity. Analyse specific scenarios.

External methods of identifying risks: Employ professional consultants, e.g. lawyers, accounts and workplace health and safety officers. Employ industry specialists, e.g. marketers, business consultants and risk consultants. Consult associated professional organisations, e.g. Hoteliers’ Association. Conduct your own research using industry publications, newspapers and insurance tables. Although it is not always possible to have all the information you need, try to do the best you can with the time and money available.

Sources of risk Possible sources of risk are: human behaviour technology and technical issues occupational health and safety legal political property and equipment environmental financial/market natural events.

Definition of Risk A risk is an event (what can happen) that should be distinguished from the general sources of risk (how can the risk arise) and its impacts (what is the implication if it happens). The impacts of risk will be dealt with in later.

Risk Source of risk (How can a risk arise?) Example: Property and equipment Example: Human behaviour Risk event (What can happen?) Equipment breakdown Participants ignore warning signs

Risk variables Some risks cannot be controlled by the organisation. However, they may still be able to be managed and therefore should be identified.

Classify Risks Internal – those which are part of the organisation’s activity, e.g. risk of a client or participant being injured by the equipment used External – those which impact on the organisation or its activities, e.g. legislative change that requires pools to be fenced Random – those which are unpredictable, e.g. a lightning strike.

Consult widely Communicating and consulting with others is absolutely essential when you work through the process of identifying risks. There may be very few people who understand all of the elements of an activity. Therefore, you need to discuss potential risks with a wide range of people.

Step 2 Documenting At the end of Step 2 Identify the risks, you should have a full list of the potential risks you are facing and their source. This information is important to the next step of analysing the risk. Always keep copies of checklists or reports you have used when identifying risks.

Summary When you identify the potential risks of an activity, ask yourself the following questions: What are the best methods to identify risks which are likely to occur in this activity? Who should I consult to assist me in identifying risks? What sources of risk are relevant to this activity? What risks are likely to occur? Are the risks internal, external or random? What would be the perspective of both internal and external stakeholders on these risks?

Case study Work through case study 2

Risk Assessment / Analysis Likelihood 1 - Very Unlikely 2 - Somewhat Unlikely /50 Chance 4 - Highly Likely 5 - Nearly Certain

Risk Assessment / Analysis Severity 1 - Minor impact on operational cost, schedule, performance, etc. 2 - Moderate impact on operational cost, schedule, performance, etc. 3 - Significant impact on operations 4 - Very significant impact on operations 5 - Disastrous impact, operational failure

Risk Assessment / Analysis Level of Control 1 - Essentially avoidable through selected risk mitigation actions 2 - Highly controllable through organization actions 3 - Moderately controllable through organization actions 4 - Largely uncontrollable by the organization actions 5 - Uncontrollable by the organization

Risk Assessment / Analysis The initial assessment analysis for each risk is based on the cumulative value obtained from each assessment area, referred to as the Risk Significance. Each assessment area has a value of and a cumulative value of between The higher the assessment value the higher the risk. For example, a risk with a: 4 - High Likelihood of Occurrence 3 - Significant impact on operations 3 - Moderately controllable 10 Risk Significance Value

Risk Assessment / Analysis Generally risks with assessment values of 10 or higher would require further analysis including risk prevention or mitigating actions and possibly cost benefit analysis.

Risk Strategy The next step is the Risk Response Planning Process. This is the process that identifies, evaluates, selects, and implements strategies in order to set risk at acceptable levels given the operational constraints and objectives. Risk Response Planning Strategies include:

Risk Strategy Assumption - accepting the risk and its impact should it occur, best suited for low risk classifications Avoidance - Not willing to accept the risk. This generally involves eliminating the source of the risk by a change in concept, requirements, specification and/or practices to reduce the risk to an acceptable level

Risk Strategy Control - This option does not attempt to eliminate the source of the risk but seeks to reduce or mitigate the effect should the risk occur. It manages the effects of risk in a manner that reduces the likelihood and/or consequences of its occurrence on the project. Transfer - This option may reallocate risk from one part of the system or organization to another thereby reducing the overall risks probability of occurrence and impact.

Risk Management Scenario #1 Scenario A new academic networking curriculum has been developed and includes a 3 College consortium working through the network. Risk If a student(s) gains access to the operational systems at 1 of the 3 Colleges in the consortium, and changes or obtains sensitive operational data, the college may be subject to legal liability and lose credibility within the community.

Risk Management Scenario

Risk Management QUESTIONS?

Risk Management Scenario #2 Scenario All College Business Office functions and systems are located in one building. Risk If the college business office building becomes unavailable for a long duration due to (fire, flood, etc.) the will be a major disruption to the business operations of the College.

Risk Management Scenario #3 Scenario A new off campus center is built and all IT Servers are located on the Main Campus Risk If data communication lines are cut, due to local construction, there will be a disruption in operation business.

Risk Management Exercise Using the each of three scenario’s provided earlier define additional risks including the three elements of the risk meta-language: cause, event, and effect or impact. Conduct a risk analysis to obtain the significance for each risk and determine the risk strategy that will be used.