PRINCIPLES OF
Source: Core elements of the risk management process as defined in ISO 31000
WHAT IS RISK?
Source: http://pt.slideshare.net/neilthompson3386/what-is-risk-lightning-talk-for-software-testers
WHAT IS RISK
Risk is the effect of uncertainty on objectives.
• Effect: a deviation from the expected
• Objectives can have different aspects, such as financial, health and safety, operational and environmental goals
• Objectives can apply at different levels: organization-wide, strategic, project, product and process
WHAT IS RISK
Risk is often characterized by reference to
• potential events and consequences, or
• a combination of these
Risk is expressed as the combination of the likelihood of occurrence and the consequences of an event.
ORGANISATIONAL RISK SAMPLES
• Improper / inaccurate staff forecast resulting in work lagging
• Delay in requests / transactions from departments resulting in delays to leave processing
• Administrative and regulatory approval delays affecting new visas
• Chemical / oil spills resulting in environmental and image impacts
• New process / procedure identification leading to occupational and health hazards
• New laws / regulations affecting operations / business
RISK ASSESSMENT - PURPOSE
Provide evidence-based information and analysis for informed decisions on how to treat particular risks and how to select between options.
RISK ASSESSMENT - BENEFITS
• Understand the risks
• Potential impact on objectives
• Assist in selecting treatment options
• Meet regulatory requirements
• Provide information to decision makers
• Identify important contributors to risks
• Identify weak links in systems and organization
• Compare risks in alternative systems, technologies or approaches
• Establish priorities
• Evaluate, based on pre-defined criteria, whether risk is acceptable
• Assess risks for end-of-life disposal
• Assist in selection of treatment options/forms by understanding risks
• Communicate risks and uncertainties
• Contribute towards incident prevention based upon post-incident investigation
Risk Management
The risk management cycle:
• Plan: policies, procedures and other control mechanisms
• Identify, measure, assess & analyse
• Action: implement plans
• Evaluate
• Monitor & control risk management
• Manage risks on an ongoing basis
Source: ISO 31000:2009 & ISO 31010:2009
Risk Assessment & Management Process
1. Defining the context appropriately
2. Ensure that risks are adequately identified
3. Secure endorsement and support for a treatment plan
4. Communication and consultation
Risk Management - Context
Source: ISO 31000:2009
Establishing Context
External Issues
• cultural, political, legal, regulatory, financial, economic and competitive environment factors (international, national, regional or local)
• perceptions and values of external stakeholders
• key drivers and trends having impact on objectives of the organization
Internal Issues
• resources and knowledge
• information flows and decision-making processes
• standards and reference models adopted by the organization
• structures (e.g. governance, roles and accountabilities)
• policies and processes
• perceptions, values and culture
• organisational objectives and strategies
• internal stakeholders
Risk Management - Consider
Involving stakeholders in the risk management process would
❖ Assist in developing a communication plan
❖ Ensure that the interests of stakeholders are understood and considered
❖ Bring together different areas of expertise for identifying and analysing risk
❖ Ensure that different views are appropriately considered in evaluating risks
❖ Interface the risk assessment process with other management disciplines, including change management, project and programme management and also financial management
Risk Management
➢ Risk assessment
  ❑ Risk identification
  ❑ Risk analysis
  ❑ Risk evaluation
➢ Risk treatment
➢ Monitoring and review
Risk identification
Process of finding, recognizing and recording risks. This includes
• identifying the causes and source of the risk (hazard in the context of physical harm),
• events, situations or circumstances which could have a material impact upon objectives, and
• the nature of that impact
Risk identification
Purpose
Identify what might happen or what situations might exist that might affect the achievement of the objectives of the system or organization.
Once a risk is identified?
The organization should identify any existing controls such as design features, people, processes and systems.
Risk identification - Methods
• Evidence-based methods: check-lists and reviews of historical data
• Systematic team approaches: identify risks by means of a structured set of prompts or questions
• Inductive reasoning techniques such as HAZOP
• Various supporting techniques to improve accuracy and completeness in risk identification
  ❑ Brainstorming
  ❑ Delphi methodology
Back to Activity
• Check identified risks
• Check if they are linked to the Context analysis
Risk Identification
Risk classifications:
1. Unacceptable
2. Undesirable
3. Action Recommended (ALARP)
4. Broadly Acceptable
• Classifications are developed inside the organization and approved by senior management
Source: ISO 31010:2009
Risk Analysis
- Consider the causes and sources of risk
- Determine the consequences and their probabilities for identified risk events
- Take into account the presence (or not) and the effectiveness of any existing controls
- Factors that affect consequences and probability should be identified
- An event can have multiple consequences and can affect multiple objectives
- The consequences and their probabilities are then combined to determine a level of risk
Risk Analysis
Methods used in analysing risks can be
• Qualitative
• Semi-quantitative, or
• Quantitative
The degree of detail required will depend upon the particular application, the availability of reliable data and the decision-making needs of the organization.
Risk Assessment - Severity
Evaluate the severity, or consequences, of each possible accident and rank order them by severity of the outcome. Determine the potential negative impact of each hazard scenario on
• Personnel
• Equipment
• Operations
• Public
• Environment
• The system itself
Risk Assessment - Likelihood
Likelihood, or probability, assignment
• Qualitative
• Quantitative
Estimate the probability of each possible incident, based on
• Past history of deviations / incidents
• Industry benchmarks
Likelihood / Probability Definition
Can be defined in terms of occurrences per
• Unit of time
• Events
• Population
• Items
• Activity
Risk Matrix - Sample
Rate and rank the risks identified, using the severity and likelihood matrix given.
Risk Evaluation
Purpose of risk evaluation
• To assist in making decisions
• To know which risks need treatment (compare the level of risk found during risk analysis with established risk criteria)
• To prioritize treatment implementation based on
  ❖ Wider context of the risk
  ❖ Tolerance of the risks borne by parties other than the organization that benefits from the risk
  ❖ Legal, regulatory and other requirements
Risk Treatment
Risk treatment involves
• Selecting one or more options for modifying risks
• Implementing those options
• Once implemented, treatments provide or modify the controls
The options, which are not necessarily mutually exclusive or appropriate in all circumstances, can include the following:
• avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
• taking or increasing the risk in order to pursue an opportunity;
• removing the risk source;
• changing the likelihood;
• changing the consequences;
• sharing the risk with another party or parties;
• retaining the risk by informed decision.
Risk Mitigation (Control Strategies)
Risk Control Strategies
An organization must choose any of four basic strategies to control risks
➢ Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
➢ Transference: shifting the risk to other areas or to outside entities
➢ Mitigation: reducing the impact should the vulnerability be exploited
➢ Acceptance: understanding the consequences and accepting the risk without control or mitigation
Risk Treatment Options
Selecting treatment options involves considering
• Balancing costs & efforts, taking into account
  - social responsibility
  - legal and regulatory requirements
  - protection of the natural environment
• Economic grounds
• Combination of treatment options
• Stakeholder values & perceptions
• Priority order
• Impact on risk elsewhere
• Acceptability to stakeholders
• Communication to stakeholders
Risk Treatment
Assessing a risk treatment:
1. Assess the effectiveness of the new treatment
2. Check whether the residual risk levels are tolerable
3. If not tolerable, generate a new risk treatment
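The likelihood-by-consequence matrix the slides refer to (the matrix image itself did not survive extraction) and the residual-risk check in the treatment loop above, as an added worked example in Python. This is not code from the slides or from ISO 31000/31010: the 5-point scales, the class thresholds, the frequency-to-likelihood bands and the sample ratings are all assumptions that an organisation would replace with its own approved criteria; only the four class names (Unacceptable, Undesirable, Action Recommended (ALARP), Broadly Acceptable) come from the slides.

```python
"""Likelihood x consequence risk matrix with the four classes named in the slides.

Added example; scales, thresholds, frequency bands and sample ratings are
assumed (an organisation substitutes its own approved criteria).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed 5-point ordinal scales for likelihood and severity (consequence).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed class boundaries on the product score (1..25), checked highest first.
# The class names are the ones used in the slides.
CLASS_THRESHOLDS = [
    (15, "Unacceptable"),
    (10, "Undesirable"),
    (5, "Action Recommended (ALARP)"),
    (1, "Broadly Acceptable"),
]

# Assumed mapping from event rate per unit of exposure to a likelihood band.
FREQUENCY_BANDS = [
    (1.0, "almost certain"),
    (0.5, "likely"),
    (0.1, "possible"),
    (0.01, "unlikely"),
    (0.0, "rare"),
]


@dataclass(frozen=True)
class Risk:
    description: str
    likelihood: str
    severity: str


def risk_score(likelihood: str, severity: str) -> int:
    """Combine likelihood of occurrence and consequence into a level of risk."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def classify(score: int) -> str:
    """Map a score onto the organisation's classification bands."""
    for floor, label in CLASS_THRESHOLDS:
        if score >= floor:
            return label
    raise ValueError(f"score {score} is below the lowest band")


def likelihood_from_history(events: int, exposure: float) -> str:
    """Derive a qualitative likelihood band from occurrences per unit of
    exposure (years, items, transactions, activities...)."""
    if exposure <= 0:
        raise ValueError("exposure must be positive")
    rate = events / exposure
    for floor, band in FREQUENCY_BANDS:
        if rate >= floor:
            return band
    return "rare"


def residual_tolerable(likelihood: str, severity: str) -> bool:
    """Treatment loop check: residual risk is tolerable only if it falls in the
    two lowest classes; otherwise a new treatment has to be generated."""
    return classify(risk_score(likelihood, severity)) in (
        "Action Recommended (ALARP)",
        "Broadly Acceptable",
    )


def rank_risks(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Rate and rank risks, highest score first, with their classification."""
    scored = sorted(risks, key=lambda r: risk_score(r.likelihood, r.severity), reverse=True)
    return [
        (r.description, risk_score(r.likelihood, r.severity),
         classify(risk_score(r.likelihood, r.severity)))
        for r in scored
    ]


# Constructed ratings for risks of the kind listed under ORGANISATIONAL RISK SAMPLES.
SAMPLE_RISKS = [
    Risk("Inaccurate staff forecast resulting in work lagging", "likely", "moderate"),
    Risk("Chemical / oil spill with environmental and image impacts", "unlikely", "catastrophic"),
    Risk("Regulatory approval delays affecting new visas", "possible", "minor"),
    Risk("New laws / regulations affecting operations", "rare", "major"),
]

if __name__ == "__main__":
    for description, score, label in rank_risks(SAMPLE_RISKS):
        print(f"{score:>2}  {label:<28} {description}")
    # Treatment loop: a spill risk treated from "unlikely" down to "rare" still
    # scores 5, i.e. ALARP: tolerable, but with action recommended.
    print("residual tolerable:", residual_tolerable("rare", "catastrophic"))
```

The product score is only one way to combine the two axes; many organisations use a hand-drawn matrix with asymmetric cells (e.g. any catastrophic consequence is Unacceptable regardless of likelihood), which is why the thresholds are kept in one table that can be swapped for a cell lookup without touching the rest of the code.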
Back to Activity
• Identify and assess the action plans / treatment options
• Also define the review mechanisms of those actions and the frequency / time for review
Monitoring & Review
• Planned process: regular checking, periodic / ad hoc
• Changes to
  - Risk
  - Risk criteria
  - Risk treatment
  - Priority
• Emerging risks
• Changes in external & internal context
• Learning from events through analysis
  - Changes
  - Trends
  - Successes & failures
• Aspects of risk management
  - Controls are effective & efficient
  - Improve risk assessment
Recording Risk Management Process
Risk management activities should be traceable.
The creation of records takes into account
• Organisation's needs
• Re-using information
• Costs & efforts
• Legal, regulatory & operational needs
• Information sensitivity
• Accessibility, retrievability & storage
• Retention period
Risk Assessment Methods / Tools
Method | Description | Application
Checklists | Simple and quick identification of possible risk uncertainties. | Used in varied ways. Checklist assessments. Low complexity. Tailored to application.
Preliminary hazard analysis | Objective is to identify hazardous situations. | Used for threat analysis and cyber security, etc.
Structured interview and brainstorming | Objective is to collect ideas, rank, and evaluate them. | Used for risk auditing.
Delphi method | System for combining expert opinions about probability and likelihood in the risk assessment. | Used for collaborative risk assessments.
Structured 'what if' | System by a team to identify and own risks. | Used in facilitated workshop.
Human reliability | Objective is to understand ergonomic and human system performance. | Used to understand human reliability and risks.
Root cause analysis | Objective is to understand root cause of a single loss. | Used in single loss analysis. Medium complexity.