Understanding Risk and Risk Management
John Cvetko, CISSP, CISA
Principal Consultant, TEK Associates, LLC
Email: [email protected]
Phone: 503 799 2242
Overview
• Risk and Risk Frameworks
  – Perspectives of risk frameworks
• Risk Management Process
  – Review the basic elements of a Risk Management process
• Scenario
  – Step through a scenario that demonstrates the Risk Management elements
How Do Organizations Use Risk Management Techniques?
• Liability Tool – Identify and manage liabilities
• Opportunity Tool – Identify areas of high risk that can lead companies to new opportunities
• Organization Tool – Understand how to organize and apply resources; a guide for maximizing results
• Compliance Tool – Demonstrate compliance
• Communications Tool – Communicate progress and risk positions to management and the functional project teams
What is a Risk?
• Different disciplines have different definitions (EPA, Nuclear, Medical)
• PMI Definition (PMBOK®, Third Edition)
  – A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on at least one project objective
• COSO Enterprise Risk Management View (Committee of Sponsoring Organizations)
  – “… a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
• Risk is Uncertainty
COSO Business Risk Framework (Committee of Sponsoring Organizations for the Treadway Commission)
• Objectives can be viewed in the context of four categories:
  – Strategic
  – Operations
  – Reporting
  – Compliance
• Spans all levels of the organization:
  – Enterprise-level
  – Division or subsidiary
  – Business unit processes
  – Subsidiary
• Usually paired with IT benchmarking standards – COBIT, ITIL
Project Based Risk Management Framework
• Project risk management – Key differences are:
  – Objective setting is known as risk planning
  – Information and Communications are assumed
  – Tailored more for a specific project
• Process elements:
  – Risk Management Planning
  – Risk Identification
  – Risk Assessment
  – Risk Response Planning and Control
  – Risk Monitoring
Risk Management Plan
• What is in a good plan?
  – State objective and expectations of the risk management effort.
  – Responsibility for decision events
    • Delegated authority for specific risk types
  – Processes for Risk Identification, Assessment, Mitigation/Control and Monitoring (flow charts).
  – Show links to other processes and plans (e.g. project plan, change management process, schedule)
  – Explain how risks will be communicated to management
    • Timeframe and dashboard
    • Emergency issues
  – Independent review
    • Reporting structure
Common Plan Errors
• Not making the plan practical/realistic for the project at hand.
• Confusing the risk management plan with the project plan.
• Lack of independent review/peer review.
Risk Identification: Understanding the Project Requirements
• Collect actionable/quantifiable requirements
  – Business goals or requirements
  – Product or service functionality, schedule and budget
  – Service level or performance goals
• Sample of quantifiable requirements
  – Start of production date, process transactions within 10 seconds, availability of system is 99.999%, increase efficiency by x%.
• Unclear Requirements = Unclear Risks
  – Unclear requirements are a risk
Risk Identification
• Known Risks – These are the obvious risks that jump out quickly at the beginning of every project.
• Unknown Risks – Are usually a result of inexperience in particular areas
• Unknowable Risks – Are risks that can’t be predicted even with the best information and experience available.
Risk Identification
Risks can come from many different sources:
• Products – configuration, technology, requirements, etc.
• Procedures – development and operational processes, etc.
• People – human error, skills, culture, blind spots, etc.
• Project – scope, schedule, resource availability, etc.
• Business environment – cost, profit, regulations, competition, market fluctuations, etc.
• External – public opinion, economy, natural disasters, etc.
Risk Identification Process
• Cross Functional Team – Populate a well-rounded team when identifying and assessing risks
• Methods for teasing out risk items
  – Brainstorming
  – Interviews/Questionnaires
  – Review of similar projects
  – Subject matter experts
  – External experienced consultants
  – Technical Standards
    • Program specific Best Practice Guides, e.g., IT = COBIT, ITIL, ISO 17799
  – GAP analysis, SWOT, Cause and Effect, Fault Tree, Hazard and Operability (HAZOP), business impact analysis techniques
  – Prototyping
Risk Identification Process (cont)
• Capture each risk item using wording such as:
  – Due to/As a result of <definitive cause>, a/an <risk event> may occur which could lead to <some effect on program objective(s)>
• Document each item in a risk event list/database
• Ensure a clear description of the consequence is included
  – Define the “so what”
Common Risk Identification Errors
• Lack of experience in a crucial subject area
• Not understanding what constitutes a risk – not listening with a risk management perspective
• Not understanding blind spots
• Not being prepared for a significant amount of information
• Over-focus on a particular risk
Risk Assessment Process
• Once risks are identified, each risk event needs to be assessed for:
  – Impact to the project if the risk event occurs
    • Qualitative vs. quantitative assessments
  – Probability that the risk event will occur
    • Qualitative vs. quantitative assessments
• Initially let each team member assess their own risks
  – Likely result:
    • A predominance of events characterized as high likelihood, high consequence
    • Everyone thinks their risk items are the most important, i.e. high consequence, high likelihood
• Assessments should then be made jointly by the whole team to gain agreement
  – The assessment results will impact what resources are devoted to which tasks
Risk Assessment Process
• Risk index numbering establishes priorities
  – Enables the team to agree on the relative ranking of risk items
    • Caution: don’t let the debate divert the process

Risk Ranking – Exposure (risk index) by Impact and Probability

                       Probability
  Impact          High    Medium    Low
  High             1        2        4
  Medium           3        5        7
  Low              6        8        9
Common Assessment Errors
• Not breaking the problem or risk down into manageable pieces.
• Not having enough information to fully assess the risk
• Not having the authority to make decisions
• Being overwhelmed… when in doubt, ask for help.
Risk Response Strategies
• Response strategies for dealing with identified risks
  – Avoidance (Elimination)
    • Pursue a completely different approach (e.g. use another supplier)
  – Transfer
    • Move the risk elsewhere (e.g. back to the customer, buy insurance)
  – Mitigation (Reduction)
    • Take steps to minimize the consequence and/or likelihood of the risk occurring (e.g. develop a secondary approach, train multiple personnel)
  – Acceptance
    • “If it happens, it happens and we’ll deal with it”
• Strategy use
  – Multiple strategies can be used per risk event and strategies may change with time
Risk Response Planning
• Develop a response plan to implement the strategy
  – What is to be done, what is the budget, what is the schedule…
  – Develop a plan “B”
• Determine who is responsible for implementing the plan
  – Accountability
• Communicate
  – Inform management and project team of the plan
Common Response Plan Errors
• Not clearly assigning accountability for individual plans.
• Not having a plan “B”
• Creating a plan on half an assessment.
• Not understanding residual risk
Risk Event Monitoring
• Continuous monitoring and proactively addressing developments are vital to a successful risk management process
  – Review ‘Red’ items and trigger events at least weekly
• Track actual closure of risk items
  – Closure date, how/why closed, any special issues or circumstances
Risk Management Status Tracking
• Summary Matrix – A risk summary matrix of risk priorities is a ‘quick look’ approach to monitoring and communicating status
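An added example (not part of the deck) that combines the Risk Ranking matrix above with the summary-matrix idea: a small Python risk register using the deck's 3x3 index and its risk-statement wording pattern. The register entries for the ACME scenario and the Red/Yellow/Green cut-offs are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Risk index from the deck's 3x3 Risk Ranking matrix, keyed (impact, probability).
# Index 1 is the highest priority, 9 the lowest.
RISK_INDEX = {
    ("High", "High"): 1, ("High", "Medium"): 2, ("High", "Low"): 4,
    ("Medium", "High"): 3, ("Medium", "Medium"): 5, ("Medium", "Low"): 7,
    ("Low", "High"): 6, ("Low", "Medium"): 8, ("Low", "Low"): 9,
}

def status_colour(index):
    """Red/Yellow/Green band for the status chart; the 1-3/4-6/7-9 cut-offs are assumed."""
    if index <= 3:
        return "Red"
    return "Yellow" if index <= 6 else "Green"

@dataclass
class RiskEvent:
    cause: str
    event: str
    effect: str
    area: str          # functional area that owns the risk
    impact: str        # High / Medium / Low
    probability: str   # High / Medium / Low

    def statement(self):
        # Wording pattern from the Risk Identification Process slide
        return f"Due to {self.cause}, {self.event} may occur, which could lead to {self.effect}"

    def index(self):
        return RISK_INDEX[(self.impact, self.probability)]

def rank(register):
    """Risk events ordered by index; sorted() is stable, so ties keep entry order."""
    return sorted(register, key=lambda r: r.index())

def summary_matrix(register):
    """Count events per (functional area, colour band): the 'quick look' summary."""
    return dict(Counter((r.area, status_colour(r.index())) for r in register))
# Constructed sample register for the ACME collection-system scenario (hypothetical).
REGISTER = [
    RiskEvent("the supplier being new to on-line financial transactions", "a defect in the payment module",
              "a delayed go-live and customer payment errors", "Engineering", "High", "High"),
    RiskEvent("the 99.999% availability target being unclear to the hosting team", "an under-sized platform",
              "missed service level goals", "Operations", "Medium", "Medium"),
    RiskEvent("manual-process staff leaving before cut-over", "a staffing gap during parallel running",
              "billing delays and lost collections", "Financial", "High", "Low"),
]
```

Calling `rank(REGISTER)` gives the Engineering item first (index 1), then Financial (4), then Operations (5); `summary_matrix(REGISTER)` is the per-area Red/Yellow/Green count an executive briefing chart would plot.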
Risk Scenario (S1)
• You work for the ACME car insurance company. ACME is a $1 billion public company that is implementing a new collection system to enable customers to review their bills and take credit card and direct deposit payments on-line. This system will replace an existing manual system that requires 250 people to manage. The cost of this system is $20 million and it is expected to save the company $26k a day.
• This software system is a commercial off-the-shelf (COTS) system with the exception of the on-line (credit card and direct deposit) payment module. The module is currently being developed by the software supplier. The supplier is new to the world of on-line financial transactions.
Monday Morning Team Meeting Status
Risk Identification Build-up List (S2)
Monday Morning Team Meeting
Team: Project Manager, Engineering Manager, Business Owner, Security Officer, Finance
Initial Risk Impact Ranking (S3)
Risk Management Status Tracking (S4)
Monday Afternoon Weekly Executive Briefing
[Bar chart: # of Events in Category by Functional Area (Operations, Purchasing, Material Control, Financial, Product, Sales, Engineering); events counted per Green / Yellow / Red category on a 0 to 7 scale]
Risk Assessment Process (S5) – Tuesday Afternoon
Risk Response Development and Implementation (S6) – Wednesday Afternoon
Updated Risk Impact Ranking (S7) – Wednesday Afternoon
Summary
• Apply some form of a risk management process to all your projects
  – Every project has risks: if you listen for them you can manage and communicate them appropriately
• Apply the KISS principle
• Use risk management as a tool that facilitates:
  – Communications
  – Organization
  – Opportunity identification
  – Liability and Compliance Management
• Learn each time you use an RM process
  – It is a skill that can be learned and mastered with practice