Topic 3

Risk Management Framework/Process
What is risk management process?

The management framework to facilitate a consistent and comprehensive approach, the means of embedding the process and the key steps of risk identification, evaluation, treatment of risk and ongoing assurance through reporting and review.
What is risk management process?

The risk management process consists of all activities related to:

• defining the risk management policy & plan,

• the identification & assessment of risks,

• decision on & reduction of risks,

• monitoring, communication & acceptance of risks


Risk Management Process
In summary, the process involves:
• identifying risks in relation to key objectives
• evaluating risks to establish criteria
• the probability of those risks occurring
• the potential impact if they did occur
• your attitude to those risks in terms of willingness to accept
them or not (looking at individual risks and the organization's
overall exposure to risk)
• what to do about them – transfer/share them, tolerate/accept
them, treat/mitigate them or terminate/avoid them.
Risk Management Framework/Process
Risk Management Framework/Model
Risk Management Framework For Small Enterprise
Establish the Context

A competent risk management practitioner will be able to establish the Context, including:
• articulating the organization's objectives
• defining the external environment in which the organization seeks
to achieve its objectives, and its external stakeholders
• defining the internal environment in which the organization seeks
to achieve its objectives, and its internal stakeholders
• developing the risk criteria against which to evaluate risks
• identifying the purpose and scope of the particular risk
management activity
Communication and Consultation

A competent risk management practitioner will understand the role of communication and consultation at various stages of the risk management process and be able to:

• develop a communication plan for both internal and external stakeholders about components of the risk management plan.
• devise and implement appropriate methods to communicate with and consult internal and external stakeholders, and others as needed, on components of the risk management activity.
Risk Assessment
Risk Assessment is defined as the overall process of risk analysis.

Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard).

Risk assessment consists of an objective evaluation of risk in which assumptions and uncertainties are clearly considered and presented.
Risk Identification

A competent risk management practitioner will understand the concept of "risk" and therefore be able to:

• select appropriate risk identification techniques that will reveal sources of risk, potential events and their causes and consequences
• use information from various sources
• describe risks in an appropriate way
• apply the above skills to identify risks in a selected risk context
Risk Analysis

A competent risk management practitioner will understand the purpose of risk analysis and be able to:

• describe a range of analytical techniques and the type of risk analysis to which each is suited
• recognize and evaluate existing controls
• select a method of combining consequence and likelihood that is appropriate to the purpose of the risk assessment and available information
• analyze risks using selected methods
[Figure: cause → event → consequence]

Likelihood scoring:

score   likelihood   impact on safety
5       maximum      certain to occur, …
4       high         …
3       …

Severity scoring:

score   severity       impact on safety
5       catastrophic   loss of life, …
4       critical       …
3       …              …

[Figure: 5 × 5 risk matrix, likelihood (1 to 5) against severity (1 to 5); maximum risk score 5 × 5 = 25]

risk index = severity × likelihood

Risk index matrix:

likelihood
    5 |  5  10  15  20  25
    4 |  4   8  12  16  20
    3 |  3   6   9  12  15
    2 |  2   4   6   8  10
    1 |  1   2   3   4   5
      +---------------------
         1   2   3   4   5   severity

Risk index   Risk magnitude
20 - 25      Maximum risk
15 - 19      High risk
10 - 14      Medium risk
5 - 9        Low risk
1 - 4        Minimum risk
Risk Evaluation

Risk evaluation is determining the acceptability of risks.

Risk evaluation involves:

Applying the risk management policy to find the acceptable and the unacceptable risks.

A competent risk management practitioner will be able to evaluate risks against the criteria decided earlier so that decisions can be made about treatment of risks and priorities for treatment.
Risk acceptance criteria, criteria to determine actions on risk

[Figure: risk index matrix divided into a region of unacceptable risks and a region of acceptable risks]

Risk index   Risk magnitude   Risk acceptability & proposed actions
20 - 25      Maximum risk     Unacceptable risk: take action to reduce risk with highest priority - seek project management attention.
15 - 19      High risk        Unacceptable risk: see above.
10 - 14      Medium risk      Unacceptable risk: take action to reduce risk - seek attention at next higher management level.
5 - 9        Low risk         Acceptable risk: no risk reduction, control, monitor – inform responsible work package management.
1 - 4        Minimum risk     Acceptable risk: see above.
[Figure: cause / event / consequence chains shown beside the risk index matrix with its acceptable and unacceptable regions]
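The scoring and acceptance rules from the slides above, worked through on a small risk register. This is an added example, not part of the original deck; the register entries and function names are constructed for illustration.

```python
from collections import Counter

# Bands and proposed actions as given in the slides' risk index table.
BANDS = [  # (low, high, magnitude, acceptable, action)
    (20, 25, "Maximum risk", False, "reduce with highest priority; seek project management attention"),
    (15, 19, "High risk", False, "reduce with highest priority; seek project management attention"),
    (10, 14, "Medium risk", False, "reduce; seek attention at next higher management level"),
    (5, 9, "Low risk", True, "no reduction; control, monitor, inform work package management"),
    (1, 4, "Minimum risk", True, "no reduction; control, monitor, inform work package management"),
]

def risk_index(severity, likelihood):
    """risk index = severity x likelihood, both scored 1..5."""
    for name, score in (("severity", severity), ("likelihood", likelihood)):
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"{name} must be an integer 1..5, got {score!r}")
    return severity * likelihood

def evaluate(severity, likelihood):
    """Return (index, magnitude, acceptable, action) for one risk."""
    index = risk_index(severity, likelihood)
    for low, high, magnitude, acceptable, action in BANDS:
        if low <= index <= high:
            return index, magnitude, acceptable, action
    raise AssertionError("bands do not cover index")  # unreachable for 1..25

def prioritise(register):
    """Unacceptable risks first, highest index first; ties broken by severity."""
    rows = [(name, s, l, *evaluate(s, l)) for name, s, l in register]
    return sorted(rows, key=lambda r: (r[5], -r[3], -r[1]))

def cells_per_band():
    """Count how many of the 25 matrix cells fall in each magnitude band."""
    return Counter(evaluate(s, l)[1] for s in range(1, 6) for l in range(1, 6))

# Constructed sample register: (risk, severity, likelihood)
REGISTER = [
    ("Backup restore never tested", 4, 3),
    ("Single admin account shared by team", 5, 4),
    ("Visitor badge not returned", 2, 2),
    ("Unsupported OS on file server", 3, 5),
    ("Laptop lost in transit", 3, 3),
]

if __name__ == "__main__":
    for name, s, l, index, magnitude, ok, action in prioritise(REGISTER):
        print(f"{index:>2} {magnitude:<13} {'accept' if ok else 'TREAT':<6} {name}: {action}")
    print(dict(cells_per_band()))
```

Because the index is a product of two scores from 1 to 5, only the values 15 and 16 ever land in the High band (15 - 19), and 15 of the 25 matrix cells fall in the acceptable bands.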
Risk Treatment

A competent risk management practitioner will be able to:

• devise and evaluate treatment options so as to take advantage of opportunities presented by risks, reduce risks or make existing risk controls more reliable
• devise risk treatment implementation plans
• implement risk treatments
• assess new risks arising as a consequence of the risk treatment
Risk Treatment

Risks can be:

• Accepted
• Shared/Transferred
• Avoided
• Managed/Mitigated
Monitoring and Review
A competent risk management practitioner will understand the role of both monitoring and review and be able to:

• identify appropriate aspects of each stage of the risk management process that warrant monitoring and devise appropriate methods for doing so (including selecting appropriate methods to report and use the information obtained)
• identify appropriate aspects of each stage of the risk management process that warrant periodic review and devise appropriate methods for doing so (including selecting appropriate methods to express, report and use the information obtained)
• integrate monitoring and review processes into the organization's assurance programme.