Welcome to this course on introduction to
risk management.
All types of organizations face some form
of risk, which may affect their
chance of success.
Understanding these risks and managing them
effectively will greatly help organizations
achieve long-term success.
Risk management can be an important tool
for eliminating potential problems in an organization.
Even though the current version of ISO 9001
does not specifically require the use of risk
management in the preventive action clause,
some of the industry-specific standards do
require it.
For example, the quality management standards
for the aviation industry and the healthcare industry
have a risk management requirement included
in the preventive action clause.
These are the topics covered in this course.
First we will understand the definitions of
risk and risk management.
Then we will look at five key steps for managing
risks.
Companies face a number of internal and external
factors that make it uncertain whether
the company will meet its objectives.
These uncertain events or conditions are
called risks.
So far in this course, we have assumed that
risks always have a negative impact.
Let's be clear here that the result of a risk
is not always negative.
Risks are uncertain events.
These uncertain events could lead to positive
or negative results.
Positive risks are known as opportunities.
Organizations attempt to avoid or reduce
the impact of negative risks.
However, when it comes to positive risks,
organizations would like to take maximum advantage
of these opportunities.
This slide explains the difference between
a risk and an issue.
While a risk is a future uncertain event,
an issue is an event which has already occurred.
The concepts of risk appetite and risk tolerance
are related to the extent to which an organization
is comfortable taking risk.
Taking big risks could lead to big losses
or big rewards.
While risk appetite is about the willingness
to take risk, risk tolerance is about what
the organization can bear.
As discussed on the previous slide, risk is
associated with reward.
Organizations take risks to gain more rewards.
This is the definition of risk management,
taken from wikipedia.org.
If you find this definition confusing, then
please proceed to the next slide.
The same definition is presented there in
the form of a diagram.
In risk management, you identify the potential
risks, then you assess them so that you know
which of the identified risks are more critical
and which are less.
Based on that assessment you give more priority
to some risks and less to others.
You cannot cover all risks, since you have
limited resources.
With this prioritization, you put your resources
on the high-priority risks.
As we discussed earlier, a risk can be a negative
or a positive risk.
You attempt to minimize the impact of negative
risks, monitor them and keep them under control.
However, if it is a positive risk, or an opportunity,
you put your resources into maximizing the opportunity.
For the risk management process to be effective,
these are some of the key principles that
should be considered.
Since the organization is spending resources
to manage risks, risk management should create value.
Risk management should be performed systematically
and be an integral part of the organization's
work processes.
As the organization matures, the types of
risks or challenges change.
The organization should adapt to these changes
and improve the risk management process.
Risk management is applied in a variety of fields,
such as project management, military, space,
medical, engineering, plant operation, safety
and financial portfolio management.
Key benefits of implementing risk management
include fewer shocks and unwelcome surprises,
effective use of resources, and reassuring
stakeholders.
Instead of being unprepared for the threats
and opportunities that arise during the
course of a project or business, risk management
can help plan and prepare for them.
This preparedness helps organizations save
costs and time.
The risk management process can be divided into
these five key steps.
It starts with having a risk management plan.
The next step is to identify the potential
risks and prepare a list of all risks.
This list of risks is then analyzed using
qualitative and quantitative techniques
to identify high-priority, medium-priority
and low-priority risks.
A response is planned for these risks, depending
upon the priority.
Risks are then monitored and controlled.
We will look at each of these steps, in the
following slides.
The risk management plan specifies the management
intent, systems and procedures required for
managing risks.
The risk management plan will provide the definitions
of various risk-related terms.
Roles and responsibilities related to risk,
and tools and templates, are also included
in it.
In a way, the risk management plan specifies how
the next four steps listed on this slide are
executed in the organization.
That is, how the organization will identify
risks, how these risks will be analyzed, how
the risk response will be planned, and how
the risks will be monitored and controlled.
Once the plan is in place, identifying risks
is the first key step in the actual management
of risks.
This is the process of identifying the potential
risks, their root cause, and the risk consequences.
Risk identification is a systematic process.
It is a group effort, where subject matter
experts from various groups participate.
The most common tool used in the risk identification
process is brainstorming.
In this, the subject matter experts from various
groups meet together and list all the
potential risks.
During brainstorming, no identified risk
is evaluated or criticized.
The intent here is to list as many potential
risks as possible in the limited time.
Other tools, such as the Ishikawa diagram, flow
diagram, and SWOT analysis, may also be used.
Here the term SWOT stands for strengths,
weaknesses, opportunities and threats.
The outcome of risk identification is a list
of risks, or risk register.
What is done with the list of risks depends
on the nature of the risk.
A few low priority risks may be kept simply
as a list of red flag items, and periodically
monitored.
Some high-priority risks may go through the
rigorous process of assessment, analysis,
mitigation and planning.
The next risk management process, analyze
risks, helps in deciding that.
Organizations do not have resources to address
all risks.
Once we have the list of all potential risks,
the next logical step is to analyze and prioritize
the risks.
Some risks may need a detailed action plan,
and some may just need periodic monitoring.
The organization may accept some of the risks
without any action.
In this step, analyze risks, we will
look at how the risks are analyzed and prioritized.
This is the process of quantifying the risk
events, documented in the previous step, so
that the organization can focus on critical
risks.
For risk analysis, qualitative and quantitative
analyses are conducted.
Qualitative risk analysis is a subjective
analysis, and is quick and easy to perform.
One tool for conducting the qualitative analysis
is the probability and impact matrix.
We will cover this tool in the next few slides.
On the other hand, quantitative risk analysis
is the detailed analysis of the risk.
It is not required to conduct quantitative
analysis for all risks; it is conducted when
it is worth the time and effort required to
conduct it.
Tools for conducting quantitative risk analysis
include expected monetary value analysis,
Monte Carlo analysis, and decision trees.
These tools are not covered in this training
course.
As discussed in the previous slide, the probability
and impact matrix is a qualitative risk analysis
tool.
This matrix has two aspects: the probability
that the risk will actually happen, and the
potential impact if the risk happens.
These two are classified from very unlikely
to very likely.
In the probability and impact matrix, the
risk probability and the risk impact are
each assigned a score of 1 to 9,
where 1 is the lowest and 9 is the highest.
A risk score is then calculated by multiplying
these two numbers.
Instead of assigning a score of 1 to 9, a
score of 1 to 3 or a score of 1 to 5 may
be used.
These rules are defined in your risk management
plan.
In this course we are using a score of 1 to
9.
In this example, the group assigns a score
of 1 to the probability of risk, and a score
of 9 to the impact value.
This means that the risk being discussed,
has a very low chance of happening, but if
it happens, the impact will be very high.
Since the scores of 1 to 9 assigned to the
probability and impact are subjective, the organization
managing the risk creates some guidelines
to ensure that these are consistent.
This slide shows a sample table for assigning
the probability number.
The next slide will show a sample impact table.
This is a sample table for assigning the risk
impact number.
The risk may impact cost, schedule, scope
or quality.
Once we have assigned a risk probability number
and an impact number, these are plotted on
the probability and impact matrix.
A simple example of that is shown here.
Let us look at the four boxes shown here.
Risks towards the top right corner are of
critical importance, since these are high
impact and high probability risks.
These are your top-priority risks, which
you must pay close attention to.
Risks in the bottom left corner are low impact
and low probability risks.
You can often ignore them.
Risks in the top left corner are of moderate
importance, since these are low impact and
high probability risks.
If these things happen, you can cope with
them and move on.
However, you should try to reduce the likelihood
that they'll occur.
Risks in the bottom right corner are high
impact and low probability risks, and these
are very unlikely to happen.
For these, you should do what you can to reduce
the impact, and you should have contingency
plans in place, just in case they occur.
This and the next slide show examples of
the probability and impact matrix.
In this example, a score of 1 to 9 is assigned
to the probability and the impact.
This is an example of the probability and
impact matrix where the probability and
the impact are assigned a value between very
low and very high.
Once we have analyzed risks, the next step
in risk management is to plan a risk response
for each identified risk.
When planning a risk response, we attempt
to reduce the impact and chance of negative
risks, and enhance the impact and chance
of positive risks.
This slide shows the four risk responses
for negative risks, and the corresponding
responses for positive risks.
In the next eight slides, we will look at
each of these responses.
In risk avoidance, we completely eliminate
the possibility of the risk.
An example might be to use an old and proven
process instead of a new and risky process.
Risk can also be avoided by improved communication,
providing information, or acquiring an expert.
If you cannot avoid a risk completely, you
attempt to mitigate it.
The purpose of risk mitigation is to reduce
the size of the risk exposure.
This is done by either reducing the probability
of the risk or reducing the impact.
The risk transfer strategy aims to pass ownership
for a particular risk to a third party.
It is also important to remember that risk
transfer almost always involves payment of
a risk premium.
A cost and benefit analysis might be done
to ensure that the cost of transferring risk
is justified.
Acceptance of a risk means that the probability
and/or the severity of the risk is low enough
that we will do nothing about the risk unless
it occurs.
There are two kinds of acceptance, active
and passive.
Acceptance is passive when nothing at all
is done to deal with the risk.
Acceptance is active when we decide to make
a contingency plan for what to do when the
risk occurs.
The next four slides will deal with the risk
responses for positive risks, or opportunities.
The first response to deal with the positive
risk is to exploit it.
This response tries to remove any uncertainty,
so that the opportunity is certain to happen.
The enhance response focuses on the root
cause of the opportunity, and goes on to influence
those factors which will increase the likelihood
of the opportunity occurring.
Sometimes exploiting a positive risk is not
possible without collaboration.
A partnership with a different group, department,
or company may be required to exploit a positive
risk.
Just like dealing with negative risks, we
may actively or passively accept a positive
risk.
Acceptance of a risk means that the probability
and/or the severity of the risk is low enough
that we will do nothing about the risk unless
it occurs.
Once we have identified risks, analyzed them
and made a plan to deal with them, the next
step is to monitor and control the risks.
A risk management program is never finished.
Risk monitoring and control should be ongoing
and continual.
New risks will emerge, and existing risks
will disappear.
You have to stay on top of it.
While monitoring and controlling risks, unexpected
risks occur.
These unexpected risks are the risks that
you did not identify in your risk identification
process.
A workaround is created to deal with such
risks.
Thank you for attending this course at QualityGurus.com.
