Wednesday, April 25, 2007

Risk Analysis and Management

Function: How to evaluate and control the risks you face

Why use the tool? Risk Analysis is a formal framework that helps you to assess the risks that you or your organizations face. A good risk analysis will help you to decide what actions to take to minimize disruptions to your plans. It will also help you to decide whether the strategies you could use to control risk are cost-effective.

How to use the tool: Here we define risk as “the perceived extent of possible loss”. Different people will have different views of the impact of a particular risk: What may be a small risk for one person may destroy the livelihood of someone else.

One way of putting figures to risk is to calculate a value for it as:

Risk = probability of event x cost of event

This allows you to compare risks objectively. We use this approach formally in decision making with Decision Trees.

To carry out a risk analysis, follow these steps:

1. Identify Threats:
The first stage of a risk analysis is to identify threats facing you. Threats may be:
 Human - from individuals or organizations, illness, death, etc.
 Procedural - from failures of accountability, internal systems and controls, organization, etc.
 Natural - threats from weather, natural disaster, accident, disease, etc.
 Technical - from advances in technology, technical failure, etc.
 Political - from changes in tax regimes, public opinion, government policy, foreign influence, etc.
 Project - risks of cost over-runs, jobs taking too long, of insufficient product or service quality, etc.
 Financial - from business failure, stock market, interest rates, unemployment, etc.
 Others

This analysis of threat is important because it is so easy to overlook important threats. Perhaps the best way to identifying all threats is to use a number of approaches:
 Firstly, run through a list such as the one above, to see if any apply.
 Secondly, think through the systems, organizations or structures you operate, and analyze risks to any part of those.
 See if you can see any vulnerability within these systems or structures.
 Ask other people, who might have different perspectives.

2. Estimate Risk:
Once you have identified the threats you face, the next step is to work out the likelihood of the threat being realized and to assess its impact. One approach to this is to work out the probability of the event occurring, and to multiply this by the amount it will cost you to set things right after it has happened. This gives you a value for the risk. Your estimates of the probability of the risk occurring and of the cost of the event will depend on your knowledge of your own systems, controls and resources.

3. Managing Risk:
Once you have worked out the value of risks you face, you can start to look at ways of minimizing them. When you are doing this, it is important to choose cost effective approaches. There is no point in spending more to eliminating a risk than the cost of the event if it occurs. In many cases it may be better to accept the risk than to use excessive resources to eliminate it.

Risk may be managed in a number of ways:
By using existing assets: Here existing resources can be used to counter risk. This may involve improvements to existing methods and systems, changes in responsibilities, improvements to accountability and internal controls, etc.
By contingency planning: You may decide to accept a risk, but choose to develop a plan to minimize its effects. A good contingency plan will allow you to take action immediately, with the minimum of project control.
By investing in new resources: Your risk analysis should give you the basis for deciding whether to bring in additional resources to counter the risk.

4. Reviews:
Once you have carried out a risk analysis and management exercise, it may be worth carrying out regular reviews. These might involve formal reviews of the risk analysis, or may involve testing systems and plans appropriately.

Key points: Risk analysis allows you to examine the risks that you or your organization faces. It is based on a structured approach to thinking through threats, followed by an evaluation of the probability and cost of events occurring. Risk analysis forms the basis for risk management. Here the emphasis is on cost effectiveness. Risk management involves adapting the use of existing resources, contingency planning and good use of new resources.

Source: Manktelow, James, ”Mind Tools: Practical Thinking Skills for an Excellent Life”, Mind Tools Ltd, U.K, 2003.

No comments: