Module 4
Risk Management Process
Risk Management Process Management Elements
SCOPE
• Program to achieve Organisational Objectives
• Governance, policy and processes
CONTEXT
• Organisational operating environment
• Organizational operations and management
• Impact on stakeholders
CRITERIA
• Determination of risk acceptance and tolerance
Communication & Consultation
• Communications Strategy
• Client and Stakeholder requirements
• Privacy
• Confidentiality
• Sources of validation
• Process guidance
• Roles
• Information access and use
Monitoring & Review
• Accountability
• Responsibility
• Consistency
• Probity
• Audit
• Assurance
• Policy and process review
Recording & Reporting
• Records Policy
• Records management system
• Access to documentation
• Reporting Channels
[Figure: process diagram with the elements Scope, Context, Criteria; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; Recording & Reporting; Communication & Consultation; Monitoring & Review]
Risk Management Assessment and Treatment Process Elements
RISK ASSESSMENT
Risk Identification
• Value and Criticality of Assets
• Proposed level of access and authority
• Current Vulnerability and Sources of Threat
Risk Analysis
• Impact analysis of loss or damage
• Level of certainty
• Volatility – rate of changes in variables
Risk Identification
• Potential for:
  • Loss or damage of assets
  • Product quality loss
  • Damage to reputation
  • Impact on clients/customers
  • Loss of competitiveness
RISK TREATMENT
Specific selection criteria
• Physical Controls
• Personal Controls
• Information Management Controls
• Work History and performance
• Cyber Controls
• Review and Improvement Processes
Identify Sources of Risk
Personnel/human behavior.
Management activities and controls.
Economic circumstances.
Natural events.
Political circumstances.
Technology/technical issues.
Commercial and legal relationships.
The activity itself.
Risk Identification
Process of finding, recognizing and describing risks
Comprehensive list of risks based on events that might create, enhance,
prevent, degrade, accelerate or delay achievement of objectives
A risk that is not identified at this stage will not be included in further
analysis
Identification should include risks whether or not their source is under
the control of the organization
Risk Analysis
It involves consideration of the causes and sources of
risk, their positive and negative consequences, and the
likelihood that those consequences can occur
Risk Evaluation
The purpose of risk evaluation is to assist in making
decisions, based on the outcomes of risk analysis, about
which risks need treatment and the priority for treatment
implementation
Risk Criteria
Risk criteria are used to evaluate the significance of risk
based on organizational objectives, and external and
internal context i.e. the risk level.
It can be derived from standards, laws, policies and other
requirements
Example: Level of Risk
Magnitude of a risk or combination of risks, expressed in terms of
the combination of consequences and their likelihood
Risk levels with relation to the project objectives are evaluated using
the risk matrices
Example: The risk level of events that may have a negative impact on
the project cost or time schedule is evaluated using the "Cost
increase" or "Delay" risk matrices, respectively, and the
risk level of events that may have a positive impact on the project's
cost or time schedule is evaluated using the "Cost decrease" or
"Advance" risk matrices, respectively.
[Figure: Example risk matrices]
[Figure: Risk Assessment Matrix]
Example: Risk Matrices
Definition of likelihood classes in the Risk Matrices:
Possible: Event is possible, but not expected to happen in
the project period.
Probable: Event may happen in the project period.
Likely: Event is expected to happen in the project period.
Example: Definition of Consequence classes in the Risk Matrices
You should modify these as appropriate for your project scale, and maybe
add some arguments for why the values are chosen as they are:
Negligible: Event will have negligible impact on the objective.
Project cost: about ±$10k, or less
Time schedule: about ±1 week, or less
Serious: Event will have a sizeable impact on the objective.
Project cost: about ±$100k
Time schedule: about ±1 month
Major: Event will have a large impact on the objective.
Project cost: about ±$1m, or more
Time schedule: about ±6 months, or more
The colors of the Matrix fields indicate Risk level:
• High risk
• Medium risk
• Low risk
Example: Evaluation of Risk levels
The criteria for evaluation of risk levels are:
If the risk level is high, risk treatment is required and implementation
of risk controls is a high priority, to reduce the risk level to medium
or low risk.
If the risk level is medium, risk treatment is recommended, but not
required. If risk controls are not implemented, it should be justified
why this is acceptable.
If the risk level is low, risk treatment is not required. Risk may be
accepted without further justification.
Risk Treatment
Selecting the most appropriate risk treatment option
involves balancing the costs and efforts of
implementation against the benefits derived, with regard
to legal, regulatory, and other requirements such as
social responsibility and the protection of the natural
environment
Risk Treatment
A significant risk can be the failure or ineffectiveness of
the risk treatment measures
Monitor & Review
Monitoring
Continual checking, supervising, critically observing or determining
the status in order to identify change from the performance level
required or expected
Can be applied to a risk management framework, risk management
process, risk or control
Reviewing
Activity undertaken to determine suitability, adequacy and
effectiveness of subject matter to achieve established objectives
Can be applied to a risk management framework, risk management
process, risk or control