
Lesson 1 Introduction To Risk

The document provides an introduction to risk and risk management. It defines key terms like risk, hazard, uncertainty and certainty. It distinguishes risk as involving probability and negative consequences, while uncertainty refers to a lack of predictability. It also categorizes risks and hazards, identifies sources of hazards, and examines the relationships between certainty, risk and uncertainty.

CHAPTER 1

INTRODUCTION TO RISK AND RISK MANAGEMENT

LECTURE GIVEN BY: DR NUR KAMALIAH MUSTAFFA
LEARNING OUTCOME

At the end of this class, students will be able to:
• Distinguish the differences between risk, certainty and uncertainty (CO1-PO2)

https://www.youtube.com/watch?v=dcdXzQq84PU
Introduction to risk and risk management

• What is risk?
• What is hazard?
• What is uncertainty?
• What is certainty?
• What is uncertainty management?
• What is risk management process?
What is risk?
• Many researchers believe that every human activity involves risk.
• Risk (pure risk) normally refers to a negative perception or threats that arise from human activity.
• Risk is the probability or likelihood of failing to achieve a particular cost, performance or scheduled objective (Conrow and Shishido, 1997; Baldry, 1998; Faber and Stewart, 2003; Ray, 2003).
What is risk?
• We live with risk on a day-to-day basis.
• Risk is a combination of the likelihood and severity of a specified hazardous event.
• Likelihood is how likely an event is to occur, and severity is the outcome of an event (e.g. severity of injury, damage to property).
• A risk is a potential problem – it might happen and it might not.
• Conceptual definition of risk
  • Risk concerns future happenings
  • Risk involves change in mind, opinion, actions, places, etc.
  • Risk involves choice and the uncertainty that choice entails
• Two characteristics of risk
  • Uncertainty – the risk may or may not happen, that is, there are no 100% risks (those, instead, are called constraints)
  • Loss – the risk becomes a reality and unwanted consequences or losses occur

(Source: Pressman, R. Software Engineering: A Practitioner’s Approach. McGraw-Hill, 2005)


The risk is the outcome of an action taken or not taken, in a particular situation, which may result in loss or gain.

It is termed as a chance of loss or exposure to danger, arising out of internal or external factors, that can be minimised through preventive measures. (Surbhi S, 2016)
Cont…
• CCTA (1995) defines risk as the chance of exposure to the adverse consequences of future events.
• AS/NZS 4360 (1999) defines risk as ‘the chance of something happening that will have an impact upon the selected objectives’.
• According to the Oxford Advanced Learner’s Dictionary, risk is the possibility of something bad happening at some time in the future.
Cont…
• However, there are wider aspects to risk which have a positive meaning, such as opportunities in business.
• Hillson (2002) suggests that risk should encompass opportunities and threats, the positive and negative effects or the gain and loss.
• Several researchers in risk subscribe to this definition (Edwards, 1995; Bannister, 1999; Clarke and Varma, 1999; Jaafari, 2001; Power, 2004; El-Sayeh, 2007; Olsson, 2007).
• Kontio (2001) emphasises that risk management in software engineering can also increase the reputation of an organisation, compliance with constraints set to the project, the need to maintain compatibility with other systems, and process performance requirements.
Cont…
• In software engineering, Boehm (1991) used risk exposure with the same meaning as risk impact or risk factor. Risk exposure is defined as the relationship:

  risk exposure = Probability(outcome) × Loss(outcome)

• In conclusion, the words ‘probability’, ‘hazards’, ‘likelihood’, ‘chance’, ‘consequences’ and ‘impact’ are used to explain the meaning of risk in a negative sense. Most of the definitions of risk concentrate on the negative meaning (Al-Bahar and Crandall, 1990).
RISK IN HUMAN ACTIVITY

Risk (pure risk) normally refers to a negative perception or threats that arise from human activity.
Risk Categorization – Approach #1
• Project risks
  • They threaten the project plan
  • If they become real, it is likely that the project schedule will slip and that costs will increase
• Technical risks
  • They threaten the quality and timeliness of the software to be produced
  • If they become real, implementation may become difficult or impossible
• Business risks
  • They threaten the viability of the software to be built
  • If they become real, they jeopardize the project or the product
Risk Categorization – Approach #2
• Known risks
  • Those risks that can be uncovered after careful evaluation of the project plan, the business and technical environment in which the project is being developed, and other reliable information sources (e.g., unrealistic delivery date)
• Predictable risks
  • Those risks that are extrapolated from past project experience (e.g., past turnover)
• Unpredictable risks
  • Those risks that can and do occur, but are extremely difficult to identify in advance
Cont…
• Sub-categories of business risks
  • Market risk – building an excellent product or system that no one really wants
  • Strategic risk – building a product that no longer fits into the overall business strategy for the company
  • Sales risk – building a product that the sales force doesn't understand how to sell
  • Management risk – losing the support of senior management due to a change in focus or a change in people
  • Budget risk – losing budgetary or personnel commitment
Risks can be classified into the following 13 categories

Aspects that should be considered when dealing with risk:

• The probability that an event will occur
• The event and its nature
• The consequences of that event
• The period of exposure to the event (and to its consequences)
WHAT IS HAZARD?
CLASSIFICATION OF HAZARD
PHYSICAL HAZARD

• Mainly hazards that can cause physical harm.
• Examples:
  • Light
  • Loud noise and vibration
  • Frayed cord
CHEMICAL HAZARD

• Any hazard that comes from a solid, liquid or gas element, compound or mixture that could cause health problems or pollution.
• Examples:
  • Cleaning product
  • Pesticides
  • Welding fumes

BIOLOGICAL HAZARD
• A living or once-living organism that has the potential to pose a threat to human health.
• Examples:
  • Bacteria
  • Fungi
  • Blood or other body fluids
ERGONOMIC HAZARD
• Hazard that can create physical and psychological stress because of repetitive work, improper work techniques or poorly designed tools and workspaces.
• Examples:
  • Repetitive work
  • Poor lighting
  • Poor posture

PSYCHOSOCIAL HAZARD

• Aspects of the work environment and the way that work is organized that are associated with psychiatric, psychological and/or physical injuries or illness.
• Examples:
  • Stress
  • Bullying
  • Sexual harassment

SOURCES OF HAZARDS
METHODS OF IDENTIFYING HAZARD
What is uncertainty?

• the state of being uncertain; doubt; hesitancy: His uncertainty gave impetus to his inquiry.
• an instance of uncertainty, doubt, etc.
• unpredictability; indeterminacy; indefiniteness.
(http://dictionary.reference.com/browse/uncertainty)
Cont…

• The effects of uncertainty
  • Uncertainty is uncomfortable and creates tensions that motivate us, although not always in the right direction.
What is certainty?

• When we are certain about the world around us, we feel that we understand things, can predict what will happen, and are in control such that we can sustain our safety. We will thus seek to understand and control in order to achieve certainty. Predictions which come true provide proof that we can continue to be certain about what we know. (http://changingminds.org/explanations/needs/certainty.htm)
• Certainty is a lack of doubt about some state of affairs.
• Something that is clearly established or assured.
Uncertainty and Risk
[Figure: causes (complexity, non-linearity, scale, opacity, capacity) of uncertainty and risk; axis label: time. Source: Oades, 2007]
The relationship

• CERTAINTY: Knows what to expect
• RISK: Does not know exactly what resources will be available
• UNCERTAINTY: May not know what the resources, constraints or objectives will be
Certainty, risk and uncertainty

• Certainty means you are 100% sure about the outcome, e.g. the square root of 81. It's like when you check the answer at the back of the book.
• Uncertainty means you don't know about the result, or you are doing a question for the first time and you are completely unaware of the information.
• Risk means you have partial information, and some of the information is missing.
• Risk comes in between the two extremes of certainty and uncertainty.

http://www.blurtit.com/q331673.html
What is risk management?

• According to The Association of Project Management (2006), risk management is an ‘initiation step to define scope and objectives, after which risks can be identified’ (APM, p.26).
• The British Standard Guide defines risk management as ‘The process whereby decisions are made to accept a known or assessed risk and/or the implementation of actions to reduce the consequences or probability of occurrence’ (BS 6079: 1996. p3).
Cont…

• Williams et al. (1995) explained risk management in the insurance industry, where the process comprises five elements: mission identification, risk and uncertainty assessment, risk control, risk financing, and program administration.
Cont…
Boehm’s risk management framework (Source: Boehm, 1991)

Main aspects, risk elements, and tools and techniques of RISK MANAGEMENT:

• Risk Assessment
  • Risk identification: Checklists; Decision-driver analysis; Assumption analysis; Decomposition
  • Risk analysis: Decision analysis; Cost models; Quality factor analysis; Performance analysis
  • Risk prioritisation: Risk exposure; Risk reduction leverage; Compound reduction
• Risk Control
  • Risk management planning: Buying information; Risk avoidance; Risk reduction; Risk element planning; Risk plan integration
  • Risk resolution: Prototypes; Simulations; Benchmarks; Analysis; Staffing
  • Risk monitoring: Milestone tracking; Top 10 tracking; Risk assessment; Corrective action
Cont…

• The concept of risk management is applicable to various industries.
• Insurance, finance, software engineering and other industries are enjoying the benefit of using risk management practice to improve their business (Ranasinghe, 1998).
• The most important point is how to make risk management effective in any activity.
• Awareness and checks and balances during implementation are important.
• There needs to be flexibility in controlling the risk to make sure the industry keeps on enjoying the benefits of the risk management concept.
Cont…

• According to Ward et al. (1991) and Carr (1997), many organisations are unable to manage their risks effectively because of one of the following reasons:
  • A risk-averse culture
  • Negative attitudes
  • An inadequate management infrastructure to support effective risk management
  • Lack of a systematic and repeatable method to identify, analyse and plan risk mitigation
  • Mistrust of risk analysis
RISK

• NATURAL RISK: climate/weather, geological, biological, extra-terrestrial
• HUMAN RISK: social, political, cultural, health, economic, financial, technical, managerial

Source: Edwards & Bowen, 2005


Risk management standards

A number of standards have been developed worldwide to help organisations implement risk management systematically and effectively.
These standards seek to establish a common view on frameworks, processes and practice, and are generally set by recognised international standards bodies or by industry groups.
Risk management is a fast-moving discipline and standards are regularly supplemented and updated.
The different standards reflect the different motivations and technical focus of their developers, and are appropriate for different organisations and situations.
Standards are normally voluntary, although adherence to a standard may be required by regulators or by contract.
Commonly used standards include:

• ISO 31000:2009 – Risk Management – Principles and Guidelines
• A Risk Management Standard – IRM/Alarm/AIRMIC 2002 – developed in 2002 by the UK’s 3 main risk organisations
• ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
• COSO 2004 – Enterprise Risk Management – Integrated Framework
• OCEG “Red Book” 2.0: 2009 – a Governance, Risk and Compliance Capability Model
