Risk is defined in ISO 31000 as the effect of uncertainty on objectives (whether positive or negative). Risk management can therefore be considered the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events[1] or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters, as well as deliberate attacks from an adversary. Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Science and Technology, actuarial societies, and ISO.[2][3] Methods, definitions and goals vary widely according to whether the risk management method is applied in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.
The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.
Certain aspects of many of the risk management standards have come under criticism for producing no measurable improvement in risk, even though confidence in estimates and decisions increases.[1]
Introduction
This section provides an introduction to the principles of risk management. The vocabulary of risk management is defined in ISO Guide 73, "Risk management. Vocabulary."[2]
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing a risk with a high probability of occurrence but lower loss against a risk with high loss but lower probability of occurrence is often mishandled.
Intangible risk management identifies a new type of risk: one that has a 100% probability of occurring but is ignored by the organization because it lacks the ability to identify it. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers and decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.
Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost: resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending and minimizes the negative effects of risks.
Method
For the most part, risk management methods consist of the following elements, performed more or less in the following order.
- identify, characterize, and assess threats
- assess the vulnerability of critical assets to specific threats
- determine the risk (i.e. the expected consequences of specific types of attacks on specific assets)
- identify ways to reduce those risks
- prioritize risk reduction measures based on a strategy
Principles of risk management
The International Organization for Standardization (ISO) identifies the following principles of risk management:[4]
Risk management should:
- create value.
- be an integral part of organizational processes.
- be part of decision making.
- explicitly address uncertainty.
- be systematic and structured.
- be based on the best available information.
- be tailored.
- take into account human factors.
- be transparent and inclusive.
- be dynamic, iterative and responsive to change.
- be capable of continual improvement and enhancement.
Process
According to the standard ISO 31000 "Risk management -- Principles and guidelines on implementation,"[3] the process of risk management consists of the following steps:
Establishing the context
Establishing the context involves:
- Identification of risk in a selected domain of interest
- Planning the remainder of the process.
- Mapping out the following:
  - the social scope of risk management
  - the identity and objectives of stakeholders
  - the basis upon which risks will be evaluated, and the constraints.
- Defining a framework for the activity and an agenda for identification.
- Developing an analysis of risks involved in the process.
- Mitigation or solution of risks using available technological, human and organizational resources.
Identification
After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.
- Source analysis[citation needed]: Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company, or the weather over an airport.
- Problem analysis[citation needed]: Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information, or the threat of accidents and casualties. The threats may exist with various entities, most importantly with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; privacy information may be stolen by employees even within a closed network; lightning striking a Boeing 747 during takeoff may make all people onboard immediate casualties.
The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:
- Objectives-based risk identification[citation needed]: Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as a risk.
- Scenario-based risk identification: In scenario analysis, different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as a risk; see Futures Studies for the methodology used by futurists.
- Taxonomy-based risk identification: The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.[5]
- Common-risk checking: In several industries, lists of known risks are available. Each risk in the list can be checked for application to a particular situation.[6]
- Risk charting[7]: This method combines the above approaches by listing resources at risk, threats to those resources, modifying factors which may increase or decrease the risk, and consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.
Assessment
Once risks have been identified, they must then be assessed as to their potential severity of loss and their probability of occurrence. These quantities can be either simple to measure, as in the case of the value of a lost building, or impossible to know for sure, as in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.
The fundamental difficulty in risk assessment is determining the rate of occurrence, since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce information that lets the management of the organization understand the primary risks easily and prioritize risk management decisions. Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:
Rate of occurrence × Impact of the event = Risk
Composite Risk Index
The above formula can also be re-written in terms of a Composite Risk Index, as follows:
Composite Risk Index = Impact of Risk event × Probability of Occurrence
The impact of the risk event is assessed on a scale of 0 to 5, where 0 and 5 represent the minimum and maximum possible impact of an occurrence of a risk (usually in terms of financial losses).
The probability of occurrence is likewise assessed on a scale from 0 to 5, where 0 represents a zero probability of the risk event actually occurring while 5 represents a 100% probability of occurrence.
The Composite Index thus can take values ranging from 0 through 25, and this range is usually arbitrarily divided into three sub-ranges. The overall risk assessment is then Low, Medium or High, depending on the sub-range containing the calculated value of the Composite Index. For instance, the three sub-ranges could be defined as 0 to 8, 9 to 16 and 17 to 25.
Note that the probability of risk occurrence is difficult to estimate since the past data on frequencies are not readily available, as mentioned above.
Likewise, the impact of the risk is not easy to estimate since it is often difficult to estimate the potential financial loss in the event of risk occurrence.
Further, both the above factors can change in magnitude depending on the adequacy of risk avoidance and prevention measures taken and due to changes in the external business environment. Hence it is absolutely necessary to periodically re-assess risks and intensify/relax mitigation measures as necessary.
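As an added example (not from the article), the following Python scores a constructed risk register with the Composite Risk Index defined above, buckets each value into the Low/Medium/High sub-ranges, orders the register as the prioritization process in the introduction prescribes, and re-scores it after a mitigation changes one risk's probability. The register entries, the sub-range boundaries used (0 to 8, 9 to 16, 17 to 25, the ones quoted above) and the mitigation are assumptions.

```python
# Added example (not from the article): Composite Risk Index scoring
# for a constructed risk register, using the article's 0-5 scales and
# its Low (0-8) / Medium (9-16) / High (17-25) sub-ranges.
from dataclasses import dataclass, replace

LOW_MAX, MEDIUM_MAX = 8, 16  # sub-range boundaries given in the article

@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # 0 = negligible ... 5 = maximum (usually financial loss)
    probability: int  # 0 = cannot occur ... 5 = certain to occur

def composite_risk_index(impact: int, probability: int) -> int:
    """Impact x probability, after checking both are integers on the 0-5 scale."""
    for label, value in (("impact", impact), ("probability", probability)):
        if not isinstance(value, int) or not 0 <= value <= 5:
            raise ValueError(f"{label} must be an integer from 0 to 5, got {value!r}")
    return impact * probability

def rating(cri: int) -> str:
    """Map a CRI (0-25) onto the three sub-ranges."""
    if cri <= LOW_MAX:
        return "Low"
    return "Medium" if cri <= MEDIUM_MAX else "High"

def prioritize(register):
    """Highest CRI first (ties: higher impact first); returns (name, cri, rating) rows."""
    scored = [(composite_risk_index(r.impact, r.probability), r) for r in register]
    scored.sort(key=lambda pair: (pair[0], pair[1].impact), reverse=True)
    return [(r.name, cri, rating(cri)) for cri, r in scored]

def reassess(register, name, **changes):
    """Re-score after a mitigation alters one risk's impact or probability."""
    updated = [replace(r, **changes) if r.name == name else r for r in register]
    return prioritize(updated)

# Constructed sample register; the values are illustrative only.
REGISTER = [
    Risk("ransomware on file server", impact=5, probability=4),
    Risk("laptop theft", impact=2, probability=4),
    Risk("data-centre flood", impact=5, probability=1),
    Risk("phishing of finance staff", impact=4, probability=3),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print("%-28s CRI=%2d  %s" % row)
    print("after offline backups cut ransomware probability to 2:")
    for row in reassess(REGISTER, "ransomware on file server", probability=2):
        print("%-28s CRI=%2d  %s" % row)
```

Note that the two "Low" entries here have very different shapes (frequent small loss versus rare catastrophic loss), which is exactly the balancing problem the introduction warns is often mishandled when a single index drives the decision.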
Risk Options
Risk mitigation measures are usually formulated according to one or more of the following major risk options:
1. Design a new business process with adequate built-in risk control and containment measures from the start.
2. Periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations and modify mitigation measures.
3. Transfer risks to an external agency (e.g. an insurance company).
4. Avoid risks altogether (e.g. by closing down a particular high-risk business area).
Later research[citation needed] has shown that the financial benefits of risk management depend less on the formula used than on how often, and how, risk assessment is performed.
In business it is imperative to be able to present the findings of risk assessments in financial terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial terms.[8] The Courtney formula was accepted as the official risk analysis method for US governmental agencies. The formula proposes calculation of ALE (annualised loss expectancy) and compares the expected loss value to the security control implementation costs (cost-benefit analysis).
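As an added example (not from the article and not Courtney's published tables), the following Python computes an annualised loss expectancy and compares the ALE reduction a candidate control delivers against that control's yearly cost, which is the cost-benefit comparison described above. The decomposition ALE = loss per incident × incidents per year is the usual one and is assumed here; the breach figures and the candidate controls are constructed.

```python
# Added example (not from the article): annualised loss expectancy (ALE)
# and a cost-benefit comparison of candidate security controls, in the
# spirit of the Courtney approach the article mentions. The decomposition
# ALE = single loss expectancy x annual rate of occurrence is the usual
# one and is assumed here; every figure below is constructed.
from dataclasses import dataclass

def annualised_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = expected loss per incident x expected incidents per year."""
    if single_loss < 0 or annual_rate < 0:
        raise ValueError("loss and rate must be non-negative")
    return single_loss * annual_rate

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # implementation plus operating cost per year
    residual_single_loss: float  # loss per incident once the control is in place
    residual_annual_rate: float  # incidents per year once the control is in place

def annual_net_benefit(single_loss: float, annual_rate: float, control: Control) -> float:
    """ALE reduction delivered by the control minus its annual cost.

    Positive: the control pays for itself. Negative: the organisation would
    spend more on the control than the loss it expects to avoid.
    """
    before = annualised_loss_expectancy(single_loss, annual_rate)
    after = annualised_loss_expectancy(control.residual_single_loss, control.residual_annual_rate)
    return (before - after) - control.annual_cost

def recommend(single_loss: float, annual_rate: float, controls) -> list:
    """Rank candidate controls by net annual benefit, best first, as (name, benefit) pairs."""
    ranked = sorted(controls, key=lambda c: annual_net_benefit(single_loss, annual_rate, c), reverse=True)
    return [(c.name, round(annual_net_benefit(single_loss, annual_rate, c), 2)) for c in ranked]

# Constructed scenario: a breach costing 200,000 per incident, expected once
# every four years (rate 0.25), so the uncontrolled ALE is 50,000 per year.
BREACH_LOSS, BREACH_RATE = 200_000.0, 0.25
CANDIDATES = [
    # cuts frequency sharply, but costs more per year than the loss it avoids
    Control("full MDR service", annual_cost=60_000, residual_single_loss=200_000, residual_annual_rate=0.05),
    # cheaper; halves the loss per incident (faster containment) and lowers frequency
    Control("MFA + log monitoring", annual_cost=12_000, residual_single_loss=100_000, residual_annual_rate=0.1),
    # accept the risk: no spend, no change in exposure
    Control("accept risk", annual_cost=0, residual_single_loss=200_000, residual_annual_rate=0.25),
]

if __name__ == "__main__":
    print("uncontrolled ALE:", annualised_loss_expectancy(BREACH_LOSS, BREACH_RATE))
    for name, net in recommend(BREACH_LOSS, BREACH_RATE, CANDIDATES):
        print(f"{name:22s} net annual benefit {net:>12,.2f}")
```

The ranking shows the point the article makes about presenting risk in financial terms: the control that reduces incidents the most is not the one that should be funded when its yearly cost exceeds the loss it prevents.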