- Source analysis : Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
- Problem analysis : Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats may exist with various entities, most important with shareholders, customers and legislative bodies such as the government.
- Objectives-based risk identification
- Scenario-based risk identification
- Taxonomy-based risk identification
- Common-risk Checking
- Risk Charting
Assessment
Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. The assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.
There have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:
Rate of occurrence multiplied by the impact of the event equals risk
Potential risk treatments
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:
- Tolerate
- Treat
- Terminate
- Transfer
Another source, from the US Department of Defense; Defense Acquisition University, calls this ACAT, for Accept, Control, Avoid, and Transfer. The ACAT acronym is reminiscent of the term ACAT (for Acquisition Category) used in US Defense industry procurements.
- Risk avoidance
- Risk reduction
- Risk retention
- Risk transfer
Risk avoidance
Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
Risk reduction
Involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.
Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a single iteration.
Risk retention
Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example since most property and risks are not insured against war, so the loss attributed by war is retained by the insured. Also any amounts of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organization too much.
Risk transfer
Means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts. Other times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. Liability among construction or other contractors is very often transferred this way. On the other hand, taking offsetting positions in derivatives is typically how firms use hedging to financially manage risk.
Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.
Outsourcing is another example of Risk transfer where companies outsource IT,BPO,KPO etc. In IT, some companies will outsource only development work and product is made at offshore locations where as business requirements are handled at onshore/client site. This way, companies can concentrate more on business development rather than managing large group of IT development team.
No comments:
Post a Comment