Understanding Principles of Risk Management

Axis is a leader in PMO and often helps our clients with risk strategies. The principles of risk management can be applied across sectors, industries, and within all types of businesses (small, enterprise, public, private) and in governmental agencies and regulatory entities.

Two main elements shape the concept of risk: (a) the probability of a deleterious event occurring and (b) the severity of the harm or damage caused by that event. Although this understanding of risk is straightforward, the application of risk management, particularly across a diverse set of stakeholders, can be more difficult. This disconnect stems from the different perceptions each stakeholder might have of both the probability and the severity of harm posed by the risk(s) under consideration. To resolve this disconnect and appropriately account for and manage risk, key principles and their related functions should be applied.

Process and Related Responsibilities

The process of risk management should be systematic and commensurate with the level of risk anticipated. The robustness of the process can be calibrated through the level of effort, degree of formality, and extent of documentation and communication established.

With systematic processes in place, decision-making capabilities and clarity of responsibility are enhanced. When forming the responsible team, experts from each relevant area (e.g., engineering, marketing, operations, quality, analytics) should be included, along with internal or external project support from individuals with the requisite knowledge, skills, and abilities (KSAs).

More concretely, here is an example five-step risk management process:

· Define the risk under consideration, including any relevant assumptions.
· Acquire as much qualitative and quantitative data as possible about the potential risk and related impact.
· Identify critical resources, their current state/condition, and degree of availability.
· Select leadership. Representation from both the project level and the business unit is ideal.
· Specify the project timeline, deliverables, critical path, and decision-making framework.

Identification and Assessment

Risk identification is the systematic use of information to inform the risk assessment process. The types of information used can include a wide range of both qualitative (e.g., expert opinions) and quantitative (e.g., historical analyses) sources. Risk assessment addresses the question of “What could go wrong?” with the goal of identifying the possible consequences and the further steps toward their management.

After the initial “What could go wrong?” question is quantified, there are two additional questions that need to be asked for risk assessment purposes:

· What is the probability it will go wrong?
· How severe are the consequences?

Together, these three fundamental questions help provide the framework necessary to begin risk analysis.

Analysis, Evaluation, and Control

Having answered the three fundamental questions of what could go wrong, how likely it is, and how bad it would be, let’s take a deeper dive into associating the probability of occurrence and severity of damage with the identified risks. The analysis of risk also includes the consideration of detectability, or the ability to detect the harm/damage of the associated risk event.

Next, risk evaluation considers the strength of available data for each of the three fundamental questions. That is, the identified and analyzed risks are evaluated against established risk management criteria. The output is both a qualitative (descriptive, such as low, medium, high) and a quantitative (estimated, such as 20%, 50%, and 95%) range of risk. This evaluative process helps the team estimate overall project risk and develop appropriate control measures.

The risk control process is primarily concerned with the following considerations:

· Is the risk level acceptable?
· What actions can be taken to mitigate or eliminate the risk?
· What is the optimum balance of benefit to risk?
· Are there any additional risks that would result from implementation of risk control measures?

These questions are designed to inform the decision-making process to accept or reduce a particular risk. It is important to note here both the tactical and strategic nature of these questions.

 

Alan Patterson