Wednesday, April 8, 2009

Risk Management


Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73), and the effect can be either negative or positive. Nevertheless, risk management focuses on the prevention and mitigation of risks. Gone are the years when flipping a coin would give you a decision; now risks are identified at a very early stage. Hence, risk management is simply a state of being prepared for the worst, so that we are always on top of it.

To manage an asset, there are a number of risks involved that need to be assessed, such as:
    1. External risk
    2. Internal risk

A simple asset risk management model is shown below:


Risk Identification

External risk comes from external factors such as financial risk, strategic risk, operational risk and hazard risk. Internally, the risks are nearer to the organization, such as information systems, workforce, internal financial control and so forth. Risk must be identified in all activities and processes of an asset's life cycle. There is also risk in human behaviour, such as unexpected behaviour and misinterpretation of instructions, which can be categorized under either external or internal risk.

A simple template or even a questionnaire such as the figure below will assist in identifying all risks.




Risk Analysis

Once the organization has identified all the risks that will be encountered, the risks are rated according to probability of occurrence, criticality, impact and importance. All risks must be rated to determine their mitigation priority, and this is done systematically by first looking at the probable effect on the asset. For example, unexpected human behaviour, such as uncontrollable anger directed at the asset, will cause rapid deterioration of the asset. Another example would be a change in customers that makes the asset obsolete in a shorter period, so that a new asset needs to be planned, which means capital expenditure.

A sample template is shown below:


Risk Evaluation

Risk evaluation involves processes to establish the costs, compliance with legal requirements or even environmental factors. This is done after risk analysis, which primarily involves rating the risk. A few factors need to be considered in proposing a treatment, such as the cost of mitigation, the effectiveness of the treatment and compliance with the existing legal environment.

Furthermore, risk evaluation involves decision-making on the risk and its impact on the organization and the asset concerned: whether to accept the risk without treatment or with the proposed treatment. Once the decision to treat the risks is accepted, the next step is to treat the risk.



Risk Mitigation and Treatment

Risk mitigation and treatment is the process of reducing or even nullifying a risk using the appropriate or proposed method. The process needs to be constantly monitored, and the effectiveness of the treatment communicated back to the stakeholders.

Risk Review

Risk review is the process of monitoring the risk mitigation/treatment and the emergence of new risks. Risk review will also highlight the effectiveness of the treatment, any issues in implementing the mitigation measures and so forth. These reviews will be the basis of effective risk mitigation and treatment whilst acting as a knowledge database.

Risk Reporting

The risk management team shall generate and distribute periodic reports to stakeholders on the implementation of the risk management program. The stakeholders need to know that the risk is being effectively treated and the actual cost the organization has to bear.

Risk Management Plan

At the end of the day, the organization will have a risk management plan comprising the above topics. The plan shall contain, amongst others, the structure for risk management, the risk management policy, roles and responsibilities, monitoring frequency and so forth.
