
Risk: Definition

❖ Effect of uncertainties on objectives (ISO 31000:2018)
Risk: Definition (ISO 9000:2015)
❖ effect of uncertainty
❖ An effect is a deviation from the expected
— positive or negative.
❖ Risk is often characterized by reference to
potential events and consequences or a
combination of these.
❖ Risk is often expressed in terms of a
combination of the consequences of an
event and the associated likelihood of
occurrence.
❖ The word “risk” is sometimes used when
there is the possibility of only negative
consequences.
Opportunity
❖ Positive risks are called opportunities.
❖ You would like to take maximum advantage of these positive risks.
Issue
❖ Risk is associated with a future event, which has not happened yet.
❖ A risk which has already occurred is considered an “issue”.
Why Take Risk?
❖ There is a balance between risk and rewards.
❖ Generally, more risk leads to more reward, but that is not always true.
❖ You want more rewards with less risk.


Risk Management
❖ Risk management is the identification,
assessment, and prioritization of risks
(positive or negative) followed by
coordinated and economical application
of resources to minimize, monitor, and
control the probability and/or impact of
unfortunate events or to maximize the
realization of opportunities.
Risk Management
❖ Identification of risks
❖ Assessment of risks
❖ Prioritization of risks
❖ Resources are applied to:
❖ minimize, monitor, control: probability and/or impact of unfortunate events
❖ maximize: realization of opportunities
Risk Management Steps

Plan Risk Management → Identify Risks → Analyze Risks → Plan Risk Response → Monitor and Control Risks
1. Plan Risk Management

❖ Define risk related terms
❖ Define roles and responsibilities
❖ Tools and template for risk management
❖ Planning includes how to:
❖ Identify risks
❖ Analyze risks
❖ Plan risk responses
❖ Monitor and control risks
2. Identify Risks

❖ Risk identification is a systematic and methodical process.
❖ It is best done in a group environment.
❖ A wide range of people participate in this process, including:
❖ Management, employees, customers, other stakeholders
2. Identify Risks
❖ Tools Used:
❖ Brainstorming is the most common
approach.
❖ Other tools include:
❖ Ishikawa Diagram (Cause and Effect)
❖ Flow Diagram
❖ SWOT Diagram (Strengths, Weaknesses,
Opportunities and Threats)
❖ FMEA (Failure Mode and Effects Analysis)
2. Identify Risks
Risk Register
❖ The output of the Identify Risks process is a risk register.
❖ This lists all the risks identified.
❖ In the next process these risks are prioritized and an action plan is created to address them.
3. Analyze Risks

❖ Risks are analyzed to set priority
❖ Sets focus on high priority risks
3. Analyze Risks
| Qualitative Risk Analysis | Quantitative Risk Analysis |
|---|---|
| Quick and easy to perform | Detailed and time consuming |
| Subjective | Analytic |
| Probability and Impact Matrix | Expected Monetary Value Analysis, Monte Carlo Analysis, Decision Tree |
3. Analyze Risks
Probability and Impact Matrix

❖ This is a qualitative risk analysis tool
❖ This evaluates
❖ Likelihood (probability) that a particular risk will occur
❖ Potential impact on an objective if it occurs
Flashback
Failure Mode and Effects Analysis (FMEA)
❖ Risk Priority Number (RPN) is the
multiplication of:
❖ Severity
❖ Probability
❖ Detection

Probability and Impact Matrix


❖ Combination of:
❖ Impact (similar to severity)
❖ Probability
3. Analyze Risks
Probability and Impact Matrix
❖ Each risk is analyzed for probability and impact and is assigned
❖ a nine point rating: a score between 1 and 9
❖ a five point rating: Very Low, Low, Medium,
High, Very High
❖ or a score of 1 to 5
❖ a three point rating: Low, Medium, High
❖ or a score of 1 to 3
❖ Risk score = Probability x Impact
3. Analyze Risks
Probability and Impact Matrix Example

❖ If the risk has low probability and is assigned a score of 1
❖ If the impact is significant and is assigned an Impact value of 9
❖ Risk score = Probability x Impact = 1 x 9 = 9
3. Analyze Risks
Sample Probability Table
| Probability Category | Probability Number | Description |
|---|---|---|
| Very High | 9 | Risk event expected to occur |
| High | 7 | Risk event more likely than not to occur |
| Probable | 5 | Risk event may or may not occur |
| Low | 3 | Risk event less likely than not to occur |
| Very Low | 1 | Risk event not expected to occur |
3. Analyze Risks
Sample Impact Table
| Project Objective | Very Low (1) | Low (3) | Moderate (5) | High (7) | Very High (9) |
|---|---|---|---|---|---|
| Cost | Insignificant cost impact | < 10% cost impact | 10-20% cost impact | 20-40% cost impact | > 40% cost impact |
| Schedule | Insignificant schedule impact | < 5% schedule impact | 5-10% schedule impact | 10-20% schedule impact | > 20% schedule impact |
| Scope | Barely noticeable | Minor areas impacted | Major areas impacted | Changes unacceptable to client | Product becomes effectively useless |
| Quality | Barely noticeable | Minor functions impacted | Client must approve quality reduction | Quality reduction unacceptable to client | Product becomes effectively useless |
3. Analyze Risks
Probability and Impact Matrix
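| Probability \ Impact | 1 | 3 | 5 | 7 | 9 |
|---|---|---|---|---|---|
| 9 | 9 | 27 | 45 | 63 | 81 |
| 7 | 7 | 21 | 35 | 49 | 63 |
| 5 | 5 | 15 | 25 | 35 | 45 |
| 3 | 3 | 9 | 15 | 21 | 27 |
| 1 | 1 | 3 | 5 | 7 | 9 |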
3. Analyze Risks
Probability and Impact Matrix
| Probability \ Impact | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very High | Medium | Medium | High | High | High |
| High | Low | Medium | Medium | High | High |
| Medium | Low | Medium | Medium | Medium | High |
| Low | Low | Low | Medium | Medium | Medium |
| Very Low | Low | Low | Low | Low | Medium |
4. Plan Risk Response

Responding to Risks

❖ How to decrease the possibility of a negative risk affecting the objectives
❖ How to increase the possibility of a positive risk helping the objective
4. Plan Risk Response

| Negative Risk | Positive Risk |
|---|---|
| Avoid | Exploit |
| Mitigate | Enhance |
| Transfer | Share |
| Accept | Accept |
4. Plan Risk Response
Negative Risk: Avoid
Avoid the risk
Examples:
❖ Plan is changed to avoid the risk
❖ Adopting a proven approach instead of a new approach
❖ Improving team communication
4. Plan Risk Response
Negative Risk: Mitigate
Reduce the probability and/or impact of the risk
Examples:
❖ Simplify the processes
❖ Develop prototype
❖ Additional inspections
❖ Lessons learned from the past
4. Plan Risk Response
Negative Risk: Transfer
Transfer the risk to a third party
Examples:
❖ Insurance
❖ Performance warranty
❖ Subcontract
4. Plan Risk Response
Negative Risk: Accept
Accept the risk if:
❖ no action is feasible or
❖ the probability and/or impact is too small.
❖ Two types of acceptance:
❖ Passive Acceptance: No plan created to deal with these
❖ Active Acceptance: Contingency plan is created and risks are monitored
4. Plan Risk Response
Positive Risk: Exploit
Exploit: Make sure that positive risk happens and make best use of the opportunity
Examples:
❖ Put best team members and more resources
4. Plan Risk Response
Positive Risk: Enhance
Enhance: Increase the probability and/or impact of the risk
Examples:
❖ Put best team members and more resources
4. Plan Risk Response
Positive Risk: Share
Share the opportunity with a third party
Examples:
❖ Forming team, Joint Venture or a company with a third party.
4. Plan Risk Response
Positive Risk: Accept
Accept the opportunity when it happens, but do not actively pursue it
Examples:
❖ Probability and rewards are not attractive.
5. Monitor and Control Risks

❖ Regularly review the identified risks and
ensure that these are still relevant
❖ Identify new risks
❖ Remove risks that are not relevant
❖ Risk audits may be conducted to ensure
that the plan is being implemented and
is effective.
5. Monitor and Control Risks
Unexpected Risks

❖ Use workarounds to deal with unexpected risks to reduce the impact
❖ Workaround should be documented for
future reference
❖ Workarounds are unplanned responses
to the risks that were not identified or
expected
