Risk management


Risk management is the identification, evaluation, and prioritization of risks, followed by the minimization, monitoring, and control of the impact or probability of those risks occurring. Risks can come from various sources including uncertainty in international markets, political instability, dangers of project failures, legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. Retail traders also apply risk management by using fixed percentage position sizing and risk-to-reward frameworks to avoid large drawdowns and support consistent decision-making under pressure.
Two types of events are analyzed in risk management: risks and opportunities. Negative events are classified as risks, positive events as opportunities. Risk management standards have been developed by various institutions, including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and the International Organization for Standardization. Methods, definitions and goals vary widely according to whether the risk management method is applied in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety. Certain risk management standards have been criticized for producing no measurable improvement in risk, even though confidence in estimates and decisions seems to increase.
Strategies to manage threats typically include avoiding the threat, reducing the negative effect or probability of the threat, transferring all or part of the threat to another party, and even retaining some or all of the potential or actual consequences of a particular threat. The opposite of these strategies can be used to respond to opportunities.
As a professional role, a risk manager will "oversee the organization's comprehensive insurance and risk management program, assessing and identifying risks that could impede the reputation, safety, security, or financial success of the organization", and then develop plans to minimize and/or mitigate any negative outcomes. Risk analysts support the technical side of the organization's risk management approach: once risk data has been compiled and evaluated, analysts share their findings with their managers, who use those insights to decide among possible solutions.
See also Chief Risk Officer, internal audit, and.

Introduction

Risk is defined as the possibility that an event will occur that adversely affects the achievement of an objective. Uncertainty, therefore, is a key aspect of risk. Risk management has appeared in scientific and management literature since the 1920s. It became a formal science in the 1950s, when articles and books with "risk management" in the title also began to appear in library searches. Most of the research was initially related to finance and insurance. One popular standard clarifying the vocabulary used in risk management is ISO Guide 31073:2022, "Risk management — Vocabulary".
Ideally, risk management follows a prioritization process whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be tricky, and an organisation has to balance the resources used to mitigate risks with a higher probability but lower loss against those used for risks with a higher loss but lower probability. Opportunity cost represents a unique challenge for risk managers: it can be difficult to determine when to put resources toward risk management and when to use those resources elsewhere. Again, ideal risk management optimises resource usage while also minimizing the negative effects of risks.

Risks vs. opportunities

Opportunities first appear in academic research or management books in the 1990s. The first PMBoK Project Management Body of Knowledge draft of 1987 doesn't mention opportunities at all.
Modern project management schools recognize the importance of opportunities. Opportunities have been included in project management literature since the 1990s, e.g. in PMBoK, and became a significant part of project risk management in the 2000s, when articles titled "opportunity management" also began to appear in library searches. Opportunity management thus became an important part of risk management.
Modern risk management theory deals with any type of external events, positive and negative. Positive risks are called opportunities. Similarly to risks, opportunities have specific mitigation strategies: exploit, share, enhance, ignore.
In practice, risks are considered "usually negative". Risk-related research and practice focus significantly more on threats than on opportunities. This can lead to negative phenomena such as target fixation.

Method

For the most part, risk management methods consist of the following elements, performed, more or less, in the following order:
  1. Identify the threats.
  2. Assess the vulnerability of critical assets to specific threats.
  3. Determine the risk.
  4. Identify ways to reduce those risks.
  5. Prioritize risk reduction measures.
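The five steps above carried through in code, as an added example that is not from the article or from any standard it cites. Every asset, threat, probability, loss figure and measure cost is constructed for illustration. It treats step 2 (vulnerability) as already folded into the assessed probability, step 3 (risk) as expected annual loss, i.e. probability times loss, which is one common way to operationalise "greatest loss and greatest probability first", and step 5 as a budget-constrained selection in which a measure is only worth taking when it costs less than the expected loss it removes (the "create value" principle listed later on this page).

```python
"""Added example (not from the article or any standard): a small risk register
that runs the five generic steps, identify threats, assess vulnerability,
determine risk, identify reductions, prioritise. Every asset, threat,
probability, loss and cost below is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: float  # step 2: assessed annual probability (0..1), reflecting the asset's vulnerability
    impact: float       # loss if the event occurs, one currency unit throughout

    @property
    def expected_loss(self) -> float:
        # step 3: risk expressed as expected annual loss (probability x loss)
        return self.probability * self.impact


@dataclass(frozen=True)
class Measure:
    name: str
    risk: Risk
    cost: float
    residual_probability: float  # probability once the measure is in place
    residual_impact: float       # loss once the measure is in place

    @property
    def benefit(self) -> float:
        # expected loss removed by the measure
        return self.risk.expected_loss - self.residual_probability * self.residual_impact

    @property
    def net_value(self) -> float:
        # positive only if the measure costs less than the loss it removes
        return self.benefit - self.cost


def prioritize_risks(risks: list[Risk]) -> list[Risk]:
    # greatest expected loss first; ties broken in favour of the larger single loss
    return sorted(risks, key=lambda r: (r.expected_loss, r.impact), reverse=True)


def select_measures(measures: list[Measure], budget: float) -> tuple[list[Measure], float]:
    """Step 5: greedy selection by net value. A measure that costs more than
    the expected loss it removes is never chosen, whatever the budget."""
    chosen: list[Measure] = []
    remaining = budget
    for m in sorted(measures, key=lambda m: m.net_value, reverse=True):
        if m.net_value <= 0 or m.cost > remaining:
            continue
        chosen.append(m)
        remaining -= m.cost
    return chosen, remaining


# steps 1 and 2: constructed register (names and numbers are illustrative)
R_PHISH = Risk("payroll system", "credential phishing", 0.40, 50_000)
R_POWER = Risk("primary data centre", "extended power outage", 0.02, 800_000)
R_LAPTOP = Risk("field laptops", "loss or theft", 0.60, 5_000)
R_QUAKE = Risk("primary data centre", "earthquake", 0.001, 5_000_000)
REGISTER = [R_LAPTOP, R_QUAKE, R_POWER, R_PHISH]

# step 4: constructed candidate reductions for each risk
MEASURES = [
    Measure("phishing-resistant MFA", R_PHISH, 6_000, 0.05, 50_000),
    Measure("second UPS string", R_POWER, 9_000, 0.02, 200_000),
    Measure("full-disk encryption", R_LAPTOP, 1_000, 0.60, 500),
    Measure("seismic retrofit", R_QUAKE, 250_000, 0.0005, 5_000_000),
]

if __name__ == "__main__":
    for r in prioritize_risks(REGISTER):
        print(f"{r.expected_loss:>10,.0f}  {r.asset} / {r.threat}")
    chosen, left = select_measures(MEASURES, budget=10_000)
    print("chosen:", [m.name for m in chosen], "unspent:", left)
```

With these numbers the earthquake ranks third by expected loss (low probability, very high loss) yet receives no treatment, because the only available reduction costs fifty times the expected loss it removes; the laptop risk ranks last yet is treated, because encryption is cheap relative to the loss it prevents. That gap between the risk ranking and the treatment order is the opportunity-cost balancing act described in the introduction.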
The Risk management knowledge area, as defined by the Project Management Body of Knowledge PMBoK, consists of the following processes:
  1. Plan Risk Management – defining how to conduct risk management activities.
  2. Identify Risks – identifying individual project risks as well as sources.
  3. Perform Qualitative Risk Analysis – prioritizing individual project risks by assessing probability and impact.
  4. Perform Quantitative Risk Analysis – numerical analysis of the effects.
  5. Plan Risk Responses – developing options, selecting strategies and actions.
  6. Implement Risk Responses – implementing agreed-upon risk response plans. In the 4th Ed. of PMBoK, this process was included as an activity in the Monitor and Control process, but was later separated as a distinct process in PMBoK 6th Ed.
  7. Monitor Risks – monitoring the implementation. This process was known as Monitor and Control in the previous PMBoK 4th Ed., when it also included the "Implement Risk Responses" process.

    Principles

The International Organization for Standardization identifies the following principles for risk management:
  • Create value – resources expended to mitigate risk should be less than the consequence of inaction.
  • Be an integral part of organizational processes.
  • Be part of the decision-making process.
  • Explicitly address uncertainty and assumptions.
  • Use a systematic and structured process.
  • Use the best available information.
  • Be flexible.
  • Take human factors into account.
  • Be transparent and inclusive.
  • Be dynamic, iterative and responsive to change.
  • Be capable of continual improvement and enhancement.
  • Continual reassessment.

    Mild versus wild risk

Benoit Mandelbrot distinguished between "mild" and "wild" risk and argued that risk assessment and management must be fundamentally different for the two types of risk. Mild risk follows normal or near-normal probability distributions, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable. Wild risk follows fat-tailed distributions, e.g., Pareto or power-law distributions, is subject to regression to the tail, and is therefore difficult or impossible to predict. A common error in risk assessment and management is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild; according to Mandelbrot, this error must be avoided if risk assessment and management are to be valid and reliable.
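The mild/wild distinction is easy to see in a simulation. The following added example (mine, not Mandelbrot's or the article's) draws the same number of losses from a normal distribution and from a Pareto distribution with tail index 1.1 (finite mean, infinite variance) and reports how far the single worst event sits from the typical one and what share of the total loss it accounts for. The distribution parameters and the seed are constructed choices.

```python
"""Added example: compare "mild" (normal) and "wild" (power-law) loss samples
to show why tail behaviour, not the average, decides how predictable a risk
is. All parameters and the seed are constructed for illustration."""
from __future__ import annotations
import random
import statistics


def sample_mild(n: int, rng: random.Random, mean: float = 100.0, sd: float = 15.0) -> list[float]:
    # Mild risk: normal distribution. Extremes sit a few standard deviations
    # out and the law of large numbers keeps the average stable.
    return [rng.gauss(mean, sd) for _ in range(n)]


def sample_wild(n: int, rng: random.Random, alpha: float = 1.1, x_min: float = 1.0) -> list[float]:
    # Wild risk: Pareto distribution with tail index alpha, drawn by inverse
    # CDF (1 - u is in (0, 1], so every draw is >= x_min). With 1 < alpha <= 2
    # the mean exists but the variance is infinite, so the average is driven by
    # whichever rare huge value happens to appear in the sample.
    return [x_min * (1.0 - rng.random()) ** (-1.0 / alpha) for _ in range(n)]


def tail_summary(losses: list[float]) -> dict[str, float]:
    """How much of the total picture is the single worst event?"""
    total = sum(losses)
    largest = max(losses)
    median = statistics.median(losses)
    return {
        "mean": total / len(losses),
        "median": median,
        "max_over_median": largest / median,  # distance of the extreme from the typical case
        "largest_share": largest / total,     # fraction of all loss caused by one event
    }


def compare(n: int = 10_000, seed: int = 2024) -> dict[str, dict[str, float]]:
    rng = random.Random(seed)
    return {
        "mild": tail_summary(sample_mild(n, rng)),
        "wild": tail_summary(sample_wild(n, rng)),
    }


if __name__ == "__main__":
    for kind, s in compare().items():
        print(f"{kind:5s} mean={s['mean']:10.2f} median={s['median']:8.2f} "
              f"max/median={s['max_over_median']:9.1f} largest_share={s['largest_share']:.4f}")
```

For the mild sample the worst event is less than twice the median and contributes a negligible share of the total; for the wild sample the worst event is hundreds of medians away and a single draw carries a visible fraction of all loss. A risk model fitted to the mild shape would treat that event as impossible, which is the underestimation the paragraph warns about.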

Process

According to the standard ISO 31000, "Risk management – Guidelines", the process of risk management consists of several steps as follows:

Establishing the context

This involves:
  1. observing the context
     • the social scope of risk management
     • the identity and objectives of stakeholders
     • the basis upon which risks will be evaluated, constraints.
  2. defining a framework for the activity and an agenda for identification
  3. developing an analysis of risks involved in the process
  4. mitigation or solution of risks using available technological, human and organizational resources

    Identification

After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems or benefits. Hence, risk identification can start with the source of problems and those of competitors, or with the problem's consequences.
  • Source analysis – Risk sources may be internal or external to the system that is the target of risk management. Some examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
  • Problem analysis – Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of confidential information or the threat of human errors, accidents and casualties. The threats may exist with various entities, most importantly with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; confidential information may be stolen by employees even within a closed network; lightning striking an aircraft during takeoff may make all people on board immediate casualties.
The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:
  • Objectives-based risk identification – Organizations and project teams have objectives. Any event that may prevent an objective from being achieved is identified as risk.
  • Scenario-based risk identification – In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk – see Futures Studies for methodology used by Futurists.
  • Taxonomy-based risk identification – The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.
  • Common-risk checking – In several industries, lists with known risks are available. Each risk in the list can be checked for application to a particular situation.
  • Risk charting – This method combines the above approaches by listing resources at risk, threats to those resources, modifying factors which may increase or decrease the risk, and the consequences one wishes to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.