Introduction to

Risk Management

1
 Objectives
• Understanding Risk
• Risk Management as a process
• Exercise
• Q&A

2
 How to learn Risk
Management?
• http://www.youtube.com/watch?v=laKpr
X-HP94&feature=related

3
 What is a Risk?
A risk is ANYTHING that may affect the
achievement of an organization’s
objectives.
It is the UNCERTAINTY that surrounds
future events and outcomes.
It is the expression of the likelihood and
impact of an event with the potential to
influence the achievement of an
organization’s objectives.
4
 Alternatively …
• Risk is a potential event with negative
consequences that had not happened yet
• Could also be an event with positive
consequences
• A possibility of loss – not the loss itself
• A source of problem
• Find the root cause and not the leaves
• Something that makes the project special
• In the widest sense, everything is a risk
5

• Helps identify better ways of handling problems

 Why do we need Risk
Management?
The only alternative to risk management is crisis
management --- and crisis management is much more
expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003

Without good risk management practices, government

cannot manage its resources effectively. Risk
management means more than preparing for the worst;
it also means taking advantage of opportunities to
improve services or lower costs.
Sheila Fraser, Auditor General of Canada
6
 How does Risk
Management help?
• Increase risk awareness &
understanding
• Allows intelligent “informed” risk-taking.
• Focuses efforts –helps prioritize.
• Is proactive…. not reactive – Prepare for
risks before they happen.
• Improve outcomes – achievement of
objectives
• Enables accountability, transparency and
responsibility
• And maybe even mean survival
7
 Key Terms

• Risk – Exposure to chance of hazard

• Risk Level – A measure to represent the
significance of the risk
• Controls – Action(s) that could eliminate or
reduce the risk level
• Residual Risk – Risk level after
implementing controls
• Risk Response – An action on the risk,
whether to accept, or not to accept
8
 Exercise - I
• Think of a risk in your daily life
• Determine the probability of occurrence
• Make an assessment of an impact, if it occurs.

9
 Who is involved?

• Customer
• End user
• Project Team
• Senior Management
• Related Project teams
• Vendors and suppliers

10
 When?
• A continuous process
• Starts from proposal stage
• Ends on project completion
• Review stages
• Business case analysis
• Project approval
• Project planning
• Technology, Tools & Vendor selection
• Project status reviews
• Deployment and Maintenance
11
 Risk Management Basics
 Risk (uncertainty) may affect the
achievement of objectives.
 Effective mitigation strategies/controls can
reduce negative risks or increase
opportunities.
 Residual risk is the level of risk after
evaluating the effectiveness of controls.
 Acceptance and action should be based on
residual risk levels.

INHEREN 12
T
 A Simple Framework

Step 1 Step 2 Step 3 Step 4 Step 5

Assess
Assess
Identify
Identify Evaluate
Evaluate
Establish
Establish Risks
Risks&& Monitor
Monitor
Risks
Risks&& &&Take
Take
Objectives
Objectives Controls
Controls &&Report
Report
Controls
Controls Action
Action

Communicate, learn, improve

13
 Risk Identification
Techniques

• Brainstorming
• Interviewing
• Root cause analysis
• Checklists
• SWOT
14
 Risk Management is critical to
ALL levels of decisions
UNCERTAINTY
Strategic Decisions

Stra
tegic tegic
Stra
Decisions transferring
strategy into action
e
Prog
r amm gr amm
e Pro

Decisions required for

implementation
Pro
ject al
& Ope r ation
r atio & Ope
nal ject
Pro

Decisions can be categorized into three types. The amount of

risk (uncertainty) varies with the type of decisions. Most
decisions are concerned with implementation.
The HM Treasury’s The Orange Book 15
 Categorizing Risk –
1.
Comprehensive
Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk 16

Slide 16
 Risk Prioritization – likelihood
and impact
Likelihood of a risk event occurring Risk Impact: Level of damage
that can occur when a risk
• Very High: Is almost certain to occur event occurs

• Very High: Threatens the success of

the project
• High: Is likely to occur

• High: Substantial impact on time,

cost or quality
• Medium: Is as likely as not to occur
• Medium: Notable impact on time,
cost or quality

• Low: May occur occasionally

• Low: Minor impact on time, cost or
quality

• Very Low: Unlikely to occur

• Very Low: Negligible impact 17

Slide 17
Third dimension for rating risks -
proximity
Immediate – now
Less than 6 months
Between 6-12 months
Between 12 – 24
months
Between 24 – 36
months
More than 36 months

18
 Risk reporting and
Risk Level
communications
Action and Level of Involvement Required

 Inform Chief Executive Officer and Board of Directors

Critical Risk
 Immediate action required

 Inform Chief Executive Officer

High Risk  Strategy Team involvement/attention is essential to manage risks
– provide report to Board as appropriate

 Management mitigation and ongoing monitoring required

Moderate Risk
 Inform relevant Strategy Team members

 Accept, but monitor risks

Low Risk
 Manage by routine procedures within the program and site

19
 Measure and report RM implementation progress
• Advanced capabilities to identify, measure, manage all risk exposures within
tolerances
Excellent • Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
Strong • Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk adjusted
returns
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
Adequate
• Performing good classical “silo” based risk management
• Not fully developed process to optimize risk adjusted returns
• Incomplete control process for one or more major risks
Weak • Inconsistent or limited capabilities to identify, measure or manage major risk
exposures 20

Source: Standard & Poor

The Cyclist and the Risk
Manager

21
 Exercise II – 15 minutes
• Identify risks that the cyclists faces in
cycling to work.
• Report back.

22
 Risks
Threats: Opportunities:
Death Exercise
Head Injury Sunlight
Injury Reputation
Reputation Financial
Financial Role model
Damage to the bike Environment
Sunburn/frost bite

23
 Mitigation Strategies for
threats
Death, head injury, other injury – helmet, bright
clothes, lights, bell, CANbike course, obeying
traffic laws, positive attitude, anger management
course
Reputation – great outfit, change of wrinkle-free
clothes, shower, time management
Financial – high quality locks, “beater”, stopping
at stop signs
Damage to the bike – regular maintenance,
avoiding pot holes
Sunburn/frost bite – sunscreen, mittens, hats,
24

token/change
 Acknowledgements

• Practical approach to Risk Management

- by Finance Management Institute,
Toronto Chapter.
• Introduction to Risk Management for
Outsourcing projects - by Peter Kolb

25
Questions?

26