Risk management: A management perspective, Wednesday 28 April 2010

Risk Mgmt V1 0c

Summary of the principal issues of risk management

Page 1: Risk Mgmt V1 0c

Risk management

A management perspective

Wednesday 28 April 2010

Page 2: Risk Mgmt V1 0c

Plan

What is risk?

Risk Governance

Risk management

Risk and culture

Risk taxonomy

Risk Metrics

Wrap-up


Page 3: Risk Mgmt V1 0c

Introduction

What is risk?


Page 4: Risk Mgmt V1 0c

A definition of risk

Pb(event) × impact


Page 5: Risk Mgmt V1 0c

Risk has two meanings

In English, Risk is an umbrella term, with two varieties:

opportunity which is a risk with positive effects

threat which is a risk with negative effects

Hillson (2001)

Page 6: Risk Mgmt V1 0c

Risk is not uncertainty

Risk refers to situations where the decision-maker can assign mathematical probabilities to the randomness which he is faced with.

Uncertainty refers to situations when this randomness "cannot" be expressed in terms of specific mathematical probabilities.

Knight, Frank H. (1921)

Page 7: Risk Mgmt V1 0c

Risk and uncertainty

The terms risk and uncertainty have become interchangeable, and one can often be found in the description of the other.

Beck(1986)

Risk and uncertainty will be defined and used accordingly as separate issues of the same complex phenomena, that of hazard management.


Page 8: Risk Mgmt V1 0c

Risk is formal

Risk can be considered as a systematic way of dealing with hazards.

If it is assumed that there is uncertainty associated with any prediction of a hazard occurring, then there is only uncertainty because there is only ever a prediction of the likely occurrence.

Beck (1986)

Page 9: Risk Mgmt V1 0c

Uncertainty is not risk

By uncertain knowledge, (...) I do not mean merely to distinguish what is known for certain from what is only probable.

uncertainty is present when there is no scientific basis on which to form any calculable probability whatever.

We simply do not know.

Keynes (1937)

Page 10: Risk Mgmt V1 0c

Risk and probability

The very assignment of numerical probabilities - even if subjective - implies that it represents choice under "risk"

These probabilities are merely expressions of what is ultimately amorphous belief and thus may seem more like "uncertainty".

Savage (1954)

Page 11: Risk Mgmt V1 0c

Risk is about outcomes

Risk is the probability that an event will occur.

In epidemiology, it is most often used to express the probability that a particular outcome will occur following a particular exposure.

Last, J. M. (2001)

Page 12: Risk Mgmt V1 0c

What is the problem?

Risk is an old concept, classically measured as a product of outcome, usually negative, and a measure of uncertainty, such as probability, balancing bad, but unlikely, outcomes with less bad but more frequent ones.

The problems arise in defining

what one means by an outcome and

how one assesses the probabilities.

Hudson (2003)

Page 13: Risk Mgmt V1 0c

[Figure: utility plotted against time, annotated with "Risk" and "Risk management"]

Page 14: Risk Mgmt V1 0c

A more complete definition

R(E, A, ψ, θ, δ, t, s)

The components are defined on the next two slides.

Page 15: Risk Mgmt V1 0c

E : element at risk

Element (asset, process, system, etc.) or group of elements that have an expected utility (u) for a given period of time (Δt) in a finite space (s)

A : Hazard (real, foreseeable or perceived)

Event or sequence of events resulting from the exploitation of a vulnerability (ψ) of an element at risk (E) which can cause a damage (δ) which results in a reduction of the expected utility (u) for a given period of time (Δt) in a finite space (s)

ψ : vulnerability

Fragility (relative) of an element at risk (E) to a hazard (A)


Page 16: Risk Mgmt V1 0c

θ : resilience

Capacity of an element at risk (E) to overcome a hazard (A) by minimizing damages (δ) or by using adversity as a catalyst for improvement. It is linked to organisational maturity

δ: damage (real, foreseen or perceived)

Reduction of the expected utility (u) of an element at risk (E) by a hazard (A)

t : time

s: space


Page 17: Risk Mgmt V1 0c

The risk triangle

[Figure: a triangle whose corners are "Hazard or threat", "Vulnerability" and "Damage or impact", with Risk(E,t,s) at the centre]

Page 18: Risk Mgmt V1 0c

Risk governance

A management perspective

Page 20: Risk Mgmt V1 0c

Governance structure

[Figure: governance levels, actors and their relations]

Levels: Executive, Strategic, Tactical, Operational

Actors: Corporate directors, Governance committee, Management committee, Professionals

Relations shown: supports, directs, manages

Page 21: Risk Mgmt V1 0c


Page 22: Risk Mgmt V1 0c

Role of the Board of directors

[Figure: the Board of directors at the centre of Management, Stockholders, Employees, Lenders, Suppliers and Other stakeholders]

Page 23: Risk Mgmt V1 0c

Roles and responsibilities

Mission statement and values

Sets culture and normative framework

Arbitrage

Exercises authority


Page 24: Risk Mgmt V1 0c

Subsidiarity

Responsibility for actions must be allotted to the smallest possible entity that can resolve it

Decision making as close as possible to the end-user or customer

Act locally: make the actors accountable

Empower local competencies and decentralize


Page 25: Risk Mgmt V1 0c

Risk governance

Basic ethical principles

Page 26: Risk Mgmt V1 0c

Due diligence

Organisations need to demonstrate that they are being diligent

They need to be able to demonstrate that they have in place formal processes to ensure that risks are known and managed


Page 27: Risk Mgmt V1 0c

Precaution

When there is the possibility, even if unlikely, that hazards may cause grave or irreversible damages, the absence of absolute scientific certitude cannot become a pretext to avoid taking actions to prevent the degradation of the situation

Contrary to rational theory, precaution justifies taking decisions in cases of incomplete information to avoid irreversible damages. It justifies non-optimal solutions that may satisfy all parties (minimum regrets)

Page 28: Risk Mgmt V1 0c

Continuous improvement

Deming's wheel approach

Recurrence feedback loops

Evolution of solutions aligned with the availability of resources

Page 29: Risk Mgmt V1 0c

Evaluation

Must determine, a priori:

Objectives

Follow-up parameters

Control and corrective action plans

A space for all stakeholders to review information

Finality: create mechanisms that allow the conversion of data into useful planning information

Page 30: Risk Mgmt V1 0c

Risk Management

Formal processes

Page 31: Risk Mgmt V1 0c

IPMa process

Identify risks

Prioritize

Mobilize resources

Audit

IPMa

Page 32: Risk Mgmt V1 0c

Qualitative or Quantitative?

In the absence of solid historical data, all data is subjective.

Sources of historical data:

Past events, hazards and incidents in the organization

Data from similar organizations

Regulatory bodies

Gartner Group, IDC, Forrester Research and literature

Standards (ITU, ISO, IEEE)


Page 33: Risk Mgmt V1 0c

Scenario based risk mgmt

Using scenarios is the most ‘human sensitive’ approach to risk management

it’s simpler to get people to tell you a story

What if ...

Then ...

This would result in ...

But, we could do ... to prevent it or to reduce its impacts.

Page 34: Risk Mgmt V1 0c

Incidents are central

Using past incidents is a key to risk management

Quantitative data finds its source in historical data

It is a chance to improve

Individuals have to feel that they can, and must, report incidents

Management has to support this

A risk registry, or journal, serves this purpose


Page 35: Risk Mgmt V1 0c

IPM process

Identify

Hazards

Vulnerabilities

Damages

Prioritize

Mobilize resources

Page 36: Risk Mgmt V1 0c

Cognitive processes

The cognitive operations of individual decision makers involved in decisions about risk are (in order):

Identify the scenarios to consider

Predict the consequences for each scenario and estimate their likelihood

Identify the variables susceptible to influence utility and adjust them to account for the context

Evaluate the probabilities to assign to contexts that have been retained

Apply a decisional strategy


Page 37: Risk Mgmt V1 0c

[Figure: damages (vertical axis) against likelihood (horizontal axis), divided into four responses: transfer risk, avoid risk, accept risk, mitigate risk]

Page 38: Risk Mgmt V1 0c

[Figure: the same damages-versus-likelihood matrix (transfer risk, avoid risk, accept risk, mitigate risk), with the low-damage, low-likelihood region marked "Tolerate risks"]

Page 39: Risk Mgmt V1 0c

Biases that may affect decision makers

Errors in reasoning

Cognitive dissonances

Heuristics

Cultural variations

Limits of vigilance

Page 40: Risk Mgmt V1 0c

Methodologies

Several are available

All have their limitations

Choice of variables

Scientificity

Validity (internal and external)

Must consider maturity


Page 41: Risk Mgmt V1 0c

Risk Management Framework

An integrated risk framework allows an organisation to integrate all the organisational, regulatory and scientific requirements in a cyclical approach (continuous improvement).

Should include:

Business processes

Standard Operating Procedures

A governance model

Risk awareness, education & training programs

Workflow management tool (software)


Page 42: Risk Mgmt V1 0c

Change management

Implementing a RMF is a Change management problem

five (5) stages of change

Denial

Resistance

Decompensation

Resignation

Integration


Page 43: Risk Mgmt V1 0c

How to facilitate change?

Education, training

Setting normative factors

Rationalization

Consensus

Other (dictatorship, coercion, esoteric)

Page 44: Risk Mgmt V1 0c

Risk and culture

Risk, culture, perception and subjectivity

Page 45: Risk Mgmt V1 0c

Risk, culture and perception

According to one cultural theory, people choose what to fear as a way to defend their way of life.

The theory hypothesizes that adherents of a hierarchical culture will approve of technology, provided it is certified as safe by their experts.

Competitive individualists will view risk as opportunity and, hence, be optimistic about technology.

And egalitarians will view technology as part of the apparatus by which corporate capitalism maintains inequalities that harm society and the natural environment.

Wildavsky (2002)

Page 46: Risk Mgmt V1 0c

Difficulty to assess risk

Risk is not always easy to assess, since the probability of occurrence and the consequence of occurrence are usually not directly measurable parameters and must be estimated by statistical or other procedures.

Risk constitutes a lack of knowledge of future events. Typically, future events (or outcomes) that are favorable are called opportunities, whereas unfavorable events are called risks. Another element of risk is its cause.

Kerzner, H. (2003)

Page 47: Risk Mgmt V1 0c

Risk tolerance

Risk tolerance looks at acceptable/unacceptable deviations from what is expected.

In financial investments, the extent to which an investor is willing to accept more risk in exchange for the possibility of a higher return.

Page 48: Risk Mgmt V1 0c

Risk appetite

Where do we feel we should allocate our limited time and resources to minimise risk exposures?

What level of risk exposure requires immediate action?

What level of risk requires a formal response strategy to mitigate the potentially material impact?

What events have occurred in the past, and at what level were they managed?


Page 49: Risk Mgmt V1 0c

Predictable outcomes

Many activities undertaken by organizations do not have predictable outcomes

One can’t predict the return from a new project, for example.

Occurrence of these types of events can only be described in terms of a range of possible outcomes and the likelihood or probability of each outcome.

The lack of predictability of outcomes is referred to as risk.

The concept of risk does not imply all possible outcomes are adverse, only that the precise probabilities of the outcomes are unknown.

Lewis (2003)

Page 50: Risk Mgmt V1 0c

Distribution of outcomes

According to classical decision theory, risk is generally understood to be the distribution of possible outcomes, their likelihood, and their subjective values.

In project management, this definition can be applied to time, cost, performance, and many other influential factors in any project that impact these three concerns.

March and Shapira (1987) in Kwak (2005)

Page 51: Risk Mgmt V1 0c

Reference points

The reference points that people use to evaluate risky prospects affect risk-taking.

In this respect, risk tolerance is a subjective notion in the absence of clear and uniform communication and tools for risk analysis.

Kahneman and Tversky (1979) and Tversky and Kahneman (1992) in Kwak (2005)

Page 52: Risk Mgmt V1 0c

Risk taxonomy

Categories of organisational risks

Page 53: Risk Mgmt V1 0c

Risk categories

There is an infinite number of categories of risk

Depends on :

organisational culture

legislation

many other factors


Page 54: Risk Mgmt V1 0c

Risk Taxonomy


Page 55: Risk Mgmt V1 0c

What is needed?

For each incident identified, information needs to be collected about :

direct monetary losses caused by the incident

Annualized (or aligned on budgetary strategy)

indirect losses (reputation damage or lost business)

with an estimate of the monetary losses resulting from these indirect losses.

Blakley, B., McDermott, E., Geer, D. (2001)

Page 56: Risk Mgmt V1 0c

Risk register

Dates: As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.

Description of the Risk: A phrase that describes the risk.

Project Management Institute Body of Knowledge (PMBOK)

Page 57: Risk Mgmt V1 0c

Risk register

Risk type (business, project, stage): Classification of the risk. Business risks relate to delivery of achieved benefits, project risks relate to the management of the project such as timeframes and resources, and stage risks are risks associated with a specific stage plan.

Likelihood of Occurrence: Provides an assessment on how likely it is that this risk will occur. Examples of classifications are: L-Low (<30%), M-Medium (31-70%), H-High (>70%).

Project Management Institute Body of Knowledge (PMBOK)

Page 58: Risk Mgmt V1 0c

Risk register

Severity of effect: Provides an assessment of the impact that the occurrence of this risk would have on the project.

Counter Measures: Action to be taken to prevent, reduce or transfer the risk. This may include production of contingency plans.

Owner: Individual responsible for ensuring this risk is appropriately managed and counter measures are undertaken.

Project Management Institute Body of Knowledge (PMBOK)

Page 59: Risk Mgmt V1 0c

Risk register

Status: Indicates whether this is a current risk or if the risk can no longer arise and impact the project. Example classifications are: C-current or E-ended.

Other columns such as quantitative value can also be added if appropriate.

Project Management Institute Body of Knowledge (PMBOK)
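The register columns on the four slides above, combined with the per-incident loss data the "What is needed?" slide asks for (direct losses, annualized, plus an estimate of indirect losses), as an added Python example that is not part of the presentation. The sample incident and its figures are constructed, and exactly 30% is assigned to Medium because the page's bands (<30%, 31-70%) leave it unassigned.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

def likelihood_class(p: float) -> str:
    """Page's bands: L-Low (<30%), M-Medium (31-70%), H-High (>70%); exactly 30% -> M (assumption)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    return "L" if p < 0.30 else ("M" if p <= 0.70 else "H")

@dataclass
class Incident:  # per-incident loss data, per Blakley et al.: direct losses, annualized, plus indirect
    description: str
    direct_loss: float           # direct monetary loss of one occurrence
    occurrences_per_year: float  # annualization factor (constructed estimate)
    indirect_loss: float = 0.0   # estimated value of reputation damage or lost business

    def annualized_loss(self) -> float:
        return (self.direct_loss + self.indirect_loss) * self.occurrences_per_year

@dataclass
class RiskEntry:  # one register row with the columns listed on the page
    identified: date
    description: str
    risk_type: str       # business, project or stage
    probability: float   # estimate behind the L/M/H classification
    severity: str
    counter_measures: str
    owner: str
    status: str = "C"    # C-current or E-ended
    modified: Optional[date] = None
    quantitative_value: Optional[float] = None  # optional column; here the annualized loss

    def likelihood(self) -> str:
        return likelihood_class(self.probability)
    def end(self, on: date) -> None:  # the register is a living document: record the change date
        self.status, self.modified = "E", on

def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:  # IPM "Prioritize": largest loss first
    current = [r for r in register if r.status == "C"]
    return sorted(current, key=lambda r: r.quantitative_value or 0.0, reverse=True)

# Constructed sample data, not taken from the presentation.
PHISHING = Incident("credential phishing leading to mailbox compromise", 4000.0, 3, 10000.0)
REGISTER = [
    RiskEntry(date(2010, 4, 28), PHISHING.description, "business", 0.55, "high",
              "MFA, awareness training, mail filtering", "CISO", quantitative_value=PHISHING.annualized_loss()),
    RiskEntry(date(2010, 4, 28), "key supplier delivers late", "project", 0.20, "medium",
              "second-source contract", "PMO", quantitative_value=15000.0),
]
```

Ending a risk with `end()` removes it from `prioritize()` while keeping its row and dates in the register, which is what the Status and Dates columns are for.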

Page 60: Risk Mgmt V1 0c

Risk metrics

A management perspective

Page 61: Risk Mgmt V1 0c

The use of metrics

From the governance-based risk management perspective:

Risk assessment

Continuous improvement

Evaluation


Page 62: Risk Mgmt V1 0c

Identifying variables

Metrics are about measurement

Attributing values to variables

Values depend on measurement scales

There are rules on how to use measurement scales

nominal, ordinal, interval, proportional


Page 63: Risk Mgmt V1 0c

Example of measurement scales


Page 64: Risk Mgmt V1 0c

Scientificity and reliability

Scientific data must meet certain criteria

trustworthy, repeatable, verifiable

We must be able to justify the choices we make

in data and in manipulation (formulas)


Page 65: Risk Mgmt V1 0c

[email protected]

Montreal, Quebec, Canada: +1 (514) 824-6302

Philadelphia, PA, USA: +1 (215) 543-6352

Paris, France: +33.(0)9.77.19.63.02

LinkedIn: http://www.linkedin.com/in/itriskmgr

Blog: http://crhoma.org/blogue

http://www.leger.ca
