Importance of a common language for Risk Management
- A common language of risk is required throughout the organization if the contribution of risk management is to be maximized.
- The use of a common language will also enable the organization to develop an agreed perception of risk.
- Part of developing this common language and perception of risk is to agree a risk classification system or series of such systems.
Risks and Risk Management
- Risks and Risk Management
- Project risk is always in the future.
- Risk management only becomes easier the more often it is practiced.
- Risk known and unknown
- Known-known
- It’s a fact not a risk !
- Tipically identied as part of requirements and scope.
- Known-unknown
- Identified risks
- Proactively manages during Risk Response Planning.
- Identified risks
- Unknown-known
- Hidden fact
- Typically adressed through progressive risk elaboration integrated with execution of the endeavor.
- Hidden fact
- Unknown-unknown
- Emergent risk
- Can be managed through organizational resilience.
- Due to the unpredictability, resilient organizations encourage teams to question the status quo, and increase the flow of information.
- These actions stretch the boundaries of influence and prepare to better respond to and recover from such events.
- Emergent risk
- Known-known
Risk classification approach
- Classify risks according to the timeframe for the impact of the risk.
- The classification of risks as long, medium and short-term impact is a very useful means of analysing the risk exposure of an organization.
- Classification
- Long-term risks
- In general terms, long-term risks will impact several years, perhaps up to five years, after the event occurs or the decision is taken.
- Long-term risks therefore relate to strategic decisions.
- When a decision is taken to launch a new product, the impact of that decision (and the success of the product itself) may not be fully apparent for some time.
- In general terms, long-term risks will impact several years, perhaps up to five years, after the event occurs or the decision is taken.
- Medium-term risks
- Medium-term risks have their impact some time after the event occurs or the decision is taken, and typically this will be about a year later.
- Medium-term risks are often associated with projects or programmes of work.
- For example, if a new computer software system is to be installed, then the choice of computer system is a long-term or strategic decision.
- However, decisions regarding the project to implement the new software will be medium-term decisions with medium-term risk attached.
- Medium-term risks have their impact some time after the event occurs or the decision is taken, and typically this will be about a year later.
- Short-term risks
- Short-term risks have their impact immediately after the event occurs.
- Accidents at work, traffic accidents, fire and theft are all short-term risks that have an immediate impact and immediate consequences as soon as the event has occurred.
- These short-term risks cause immediate disruption to normal efficient operations and are probably the easiest types of risks to identify and manage.
- Insurable risks are quite often short-term risks, although the exact timing and magnitude/ impact of the insured events is uncertain. In other words, insurance is designed to provide protection against risks that have immediate consequences.
- In the case of insurable risks, the nature and consequences of the event may be understood, but the timing of the event is unpredictable.
- In fact, whether the event will occur at all is not known at the time the insurance policy is taken out.
- These risks will be related to the strategy, tactics and operations of the organization, respectively.
- In this context, risks may be considered as related to events, changes in circumstances, actions or decisions.
- Short-term risks have their impact immediately after the event occurs.
- Long-term risks
Risk types
- Hazard (or pure) risks
- Definition
- There are certain risk events that can only result in negative outcomes.
- These risks are hazard risks or pure risks, and these may be thought of as operational or insurable risks.
- In general, organizations will have a tolerance of hazard risks and these need to be managed within the levels of tolerance of the organization.
- Approach
- The application of risk management tools and techniques to the management of hazard risks is the best and longest-established branch of risk management, and much of this text will concentrate on hazard risks.
- There is a hierarchy of controls that apply to hazard risks and this will be discussed in a later post.
- Hazard risks are associated with a source of potential harm or a situation with the potential to undermine objectives in a negative way.
- Hazard risks are the most common risks associated with organizational risk management, including occupational health and safety programmes.
- Hazard risks can be divided into many types of risks, including risks to property, risks to people and risks to the continuity of the business.
- Hazard risks are the risks that can only inhibit achievement of the corporate mission.
- Typically, these are insurable type risks or perils, and will include fire, storm, flood, injury and so on.
- The discipline of risk management has strong origins in the management and control of hazard risks.
- Normal efficient operations may be disrupted by loss, damage, breakdown, theft and other threats associated with a wide range of dependencies.
- Hazard risks may include
- people;
- premises (bâtiments)
- assets
- suppliers
- information technology (IT)
- communications
- others
- The application of risk management tools and techniques to the management of hazard risks is the best and longest-established branch of risk management, and much of this text will concentrate on hazard risks.
- Definition
- Control (or uncertainty) risks
- Definition
- There are certain risks that give rise to uncertainty about the outcome of a situation.
- These can be described as control risks and are frequently associated with project management.
- In general, organizations will have an aversion to control risks.
- Uncertainties can be associated with the benefits that the project produces, as well as uncertainty about the delivery of the project on time, within budget and to specification.
- The management of control risks will often be undertaken in order to ensure that the outcome from the business activities falls within the desired range.
- There are certain risks that give rise to uncertainty about the outcome of a situation.
- Approach
- Control risks are associated with unknown and unexpected events.
- They are sometimes referred to as uncertainty risks and they can be extremely diffi cult to quantify.
- Control risks are often associated with project management. In these circumstances, it is known that the events will occur, but the precise consequences of those events are diffi cult to predict and control.
- Therefore, the approach is based on minimizing the potential consequences of these events.
- Control risks are risks that cause doubt about the ability to achieve the mission of the organization. Internal financial control protocols are a good example of a response to a control risk.
- If the control protocols are removed, there is no way of being certain about what will happen.
- Control risks are the most difficult type of risk to describe, but later Parts of this book will assist with understanding.
- Control risks are associated with uncertainty, and examples include the potential for legal non-compliance and losses caused by fraud.
- They are usually dependent on the successful management of people and successful implementation of control protocols.
- Although most organizations ensure that control risks are carefully managed, they may, nevertheless, remain potentially significant.
- Control risks are associated with unknown and unexpected events.
- Definition
- Opportunity (or speculative) risks
- Definition
- Organizations deliberately take risks, especially marketplace or commercial risks, in order to achieve a positive return.
- These can be considered as opportunity or speculative risks, and an organization will have a specific appetite for investment in such risks.
- Approach
- There are two main aspects associated with opportunity risks.
- There are risks/dangers associated with taking an opportunity, but there are also risks associated with not taking the opportunity.
- Opportunity risks may not be visible or physically apparent, and they are often financial in nature.
- Although opportunity risks are taken with the intention of having a positive outcome, this is not guaranteed.
- Opportunity risks for small businesses include moving a business to a new location, acquiring new property, expanding a business and diversifying into new products.
- Opportunity risks are the risks that are (usually) deliberately sought by the organization.
- These risks arise because the organization is seeking to enhance the achievement of the mission, although they might inhibit the organization if the outcome is adverse.
- This is the most important type of risk for the future long-term success of any organization.
- Many organizations are willing to invest in high-risk business strategies in anticipation of a high profit or return.
- These organizations may be considered to have a large appetite for opportunity investment.
- Often, the same organization will have the opposite approach to hazard risks and have a small hazard tolerance.
- This may be appropriate, because the attitude of the organization may be that it does not want hazard-related risks consuming corporate resources, when it is putting so much value at risk investing in opportunities.
- There are two main aspects associated with opportunity risks.
- Definition
Risk management serie
Risk management : introduction and definitions
Risk Management : risk management common language
Enterprise Risk Mangement series
Enterprise Risk Management : introduction and definitions
PMI-RMP certification : 2022 exam
Updated : 08/01/2022