Risk Management Slides
Risk Identification
Introduction to Risk Identification
● Risk identification is the process of determining which risks may affect the
project and documenting their characteristics.
● The objective of this step is to identify all possible risks and find a way to
mitigate them.
Reactive Vs Proactive Strategies
● A risk breakdown structure is a tool for managing risks which are any events
that you have not planned for or expected.
● Risk is usually thought of as a negative impact on the project’s budget,
timeline or quality.
● There are also positive risks that can benefit a project.
● A risk breakdown structure breaks down risks in a hierarchical graph,
beginning at the higher level and moving down to the finer level risks.
The Four Categories of Risk in a Project
6. Working groups: Useful to surface detailed information about the risks, such as
source, causes, consequences, stakeholders impacted and existing controls.
● Risk prioritization is the process of identifying all the risks to a project and
then deciding which ones are the most severe, so they can be addressed first.
● It is a process of determining which risk you should act upon first.
● Prioritization should be based on the likelihood of a risk and the potential
harm it poses to the organization.
● A risk prioritization matrix can be used for evaluation.
Risk Response plan
It is a tool used to rate project risks as low, medium, high and very high.
To use that tool, you start by defining the rating scales for probability and
impact.
Below is an example Probability Scale.
And, below is an example Impact Scale.
As shown in the tables above, 5 is the highest probability and impact. Multiplying
probability by impact gives us a risk score. For instance, if the probability of a
risk is 4 and its impact is 5, then the risk score will be 20 (4×5).
This tool can be applied to both positive and negative risks.
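The scoring rule above (score = probability × impact on two 1–5 scales) worked through as a small risk register, written as an added example rather than code from the slides. The scale labels, the rating bands for the 1–25 score range and the sample risks are constructed assumptions; the slides give only the 4 × 5 = 20 example.

```python
# Added example: probability x impact scoring for a risk register.
# Both scales are 1-5, as the slide states 5 is the highest probability and impact.
from dataclasses import dataclass

# Scale labels are an assumption of this example (the slides' tables are not reproduced).
PROBABILITY_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Rating bands over the 1-25 score range: low / medium / high / very high (assumed cut-offs).
RATING_BANDS = ((1, 4, "low"), (5, 9, "medium"), (10, 16, "high"), (17, 25, "very high"))


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int
    impact: int
    positive: bool = False  # opportunities are scored exactly the same way


def risk_score(probability, impact):
    """Multiply the two ratings after checking both sit on the 1-5 scale."""
    for value in (probability, impact):
        if value not in range(1, 6):
            raise ValueError(f"rating {value} is outside the 1-5 scale")
    return probability * impact


def risk_rating(score):
    """Map a 1-25 score to its band label."""
    for low, high, label in RATING_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-25 range")


def prioritize(risks):
    """Most severe first: highest score, then highest impact as the tie-break."""
    return sorted(risks, key=lambda r: (risk_score(r.probability, r.impact), r.impact), reverse=True)


# Constructed sample register (not from the slides).
SAMPLE_RISKS = [
    Risk("Key supplier misses delivery", probability=4, impact=5),
    Risk("Minor scope creep", probability=3, impact=3),
    Risk("Staff rotation during build", probability=5, impact=2),
    Risk("Regulatory change mid-project", probability=2, impact=5),
    Risk("Early release of a reusable component", probability=3, impact=4, positive=True),
]


def scored_register(risks=SAMPLE_RISKS):
    """Return [(name, score, rating)] in priority order."""
    return [
        (r.name, risk_score(r.probability, r.impact), risk_rating(risk_score(r.probability, r.impact)))
        for r in prioritize(risks)
    ]


if __name__ == "__main__":
    for name, score, rating in scored_register():
        print(f"{score:>2}  {rating:<9}  {name}")
```

The tie-break on impact is a design choice: two risks with the same score are not equally urgent, and a low-probability, high-impact item usually deserves attention before a frequent nuisance.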
Quantitative Risk Analysis Process
Step 1: Identify areas for uncertainty
● When identifying areas of potential risk, examine every step of the project.
● Using a project outline or management plan that breaks the overall project
into smaller sections is an excellent way to search for areas where risk or
uncertainty exists.
● Create a list of all areas of potential risk, noting the phase of the project, the
potential risk that you identified and how that risk can affect the execution of
the project.
● Common effects include making costs increase, causing delays or reducing
the quality of the output.
Step 2: Assess the costs of each risk
● Once you have identified where risk exists within your project, you can
calculate the relative cost of each risk. To do this, determine the
expected cost when each potential risk occurs. For basic risks that are
likely to present the same way any time they occur, simply record the
expected cost of remedying the risk.
● For complicated risks that may have variable costs, there are two
methods of identifying this number. The easier option is to decide upon
an average cost for all potential responses to the risk. A more accurate
option is to further break down variable risks into multiple items.
Step 3: Determine the probability of each risk occurring
● The items identified in the prior step are a listing of all potential
risks, which means you are unlikely to encounter all of them over the
course of one project. In order to determine how much risk your project
carries, you then have to determine how likely it is that each risk may
occur.
● The two most important elements when calculating probabilities are
research and experience. The more you know about each scenario, the
more accurately you can estimate the chances that a problem will occur
during execution.
Step 4: Calculate the expected cost of each potential risk
Determining the expected cost of each risk is as simple as multiplying the
estimated cost of each error by its probability. If you wrote your
probabilities out as percentages instead of fractions or decimals, divide the
resulting number by 100 to find the expected risk costs of each element. To
calculate the total estimated cost of risk on the project, add up the risk costs
for each individual element.
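Steps 1 to 4 carried through as one calculation, added here as an example and not taken from the slides. The register entries, costs and probabilities are constructed; the code covers both ways Step 2 describes for variable-cost risks (an averaged cost, or a breakdown into several items) and the percentage-versus-decimal conversion from Step 4.

```python
# Added example: expected cost of risk across a small project risk register.
# Each entry is (phase, description, items), where items is a list of
# (cost, probability) pairs. A simple risk has one item; a variable-cost risk is
# broken down into several items, the "more accurate option" from Step 2.
# All values below are constructed for illustration.
RISK_REGISTER = [
    ("design", "requirements change late", [(20_000, 0.25)]),
    ("build", "key developer leaves", [(40_000, 10)]),  # probability written as a percentage
    ("test", "third-party API outage", [(2_000, 0.30), (15_000, 0.05)]),  # short / long outage
]


def normalize_probability(p):
    """Accept a decimal (0.25) or a percentage (25) and return a 0-1 decimal.

    Anything above 1 is treated as a percentage, so a 1% risk must be given as 0.01.
    """
    if p > 1:
        p = p / 100
    if not 0 <= p <= 1:
        raise ValueError(f"probability {p} is not between 0 and 1 (or 0 and 100)")
    return p


def expected_cost(cost, probability):
    """Step 4: estimated cost multiplied by the probability of occurrence."""
    return cost * normalize_probability(probability)


def average_cost(costs):
    """The 'easier option' from Step 2: one average cost for all responses to a risk."""
    return sum(costs) / len(costs)


def risk_cost(entry):
    """Expected cost of one register entry, summing its items if it was broken down."""
    _, _, items = entry
    return sum(expected_cost(cost, p) for cost, p in items)


def total_risk_cost(register=RISK_REGISTER):
    """Total estimated cost of risk on the project: the sum over every element."""
    return sum(risk_cost(entry) for entry in register)


if __name__ == "__main__":
    for entry in RISK_REGISTER:
        print(f"{entry[0]:<7} {entry[1]:<28} {risk_cost(entry):>10,.2f}")
    print(f"total expected risk cost: {total_risk_cost():,.2f}")
```

The percentage heuristic is deliberately simple: it matches the slide's instruction to divide by 100 when probabilities were written as percentages, but it means a register must be consistent, since a value of 1 is read as certainty, not 1%.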
Categories of Risks
Operational Risks
● This risk arises when a product is released to the market but the users are
resistant to change, or there is conflict between users.
● Ensuring that the users of a product will actually adopt the software will
directly link to its success. In the case of a company building software for an
external customer, it will correlate with profitability. In the case of an
enterprise building software for internal use, it can determine whether the
software will actually improve productivity within the company.
Some possible mitigation strategies for this risk include:
1. Risk Identification
● Identify the risks that the organization faces.
● These include IT risk, operational risk, regulatory risk, legal risk, political risk,
strategic risk, and credit risk.
2. Risk Measurement
● Create a risk profile for each risk that has been identified.
● It is important to consider the effect of that risk on the overall risk profile
of the organization.
4. Risk Mitigation
● It examines the risks that have been identified.
● It decides which risks to eliminate or minimize, and how many of
its core risks to retain.
5. Risk Reporting and Monitoring
● Regularly re-examine the risks to ensure that risk levels remain at an
optimal level.
6. Risk Governance
● Ensures all company employees perform their duties in accordance
with the risk management framework (RMF).
Steps of RMF
1. Prepare
● the organization to take initial proactive steps for properly managing security and
privacy risk.
2. Categorize
● the system and the information processed, stored and transmitted by the system, based on
an analysis of the impact of loss.
3. Select
● security controls to protect the informational system's confidentiality and
cohesion.
4. Implement
● the security controls, and establish all the processes necessary for them to operate.
5. Assess
● whether the controls are operating appropriately, so that risks are reduced and
the data is protected.
6. Authorize
● evaluate if the level of risk is acceptable and track failed controls.
7. Monitor
● focused on continuous automated monitoring in vulnerable environments
● record changes, report problems, and perform impact analysis for the system.
Benefits of RMF
History Of PERT
● In 1958, the U.S. Navy introduced network scheduling techniques by developing PERT as
a management control system for the development of the Polaris missile program. PERT’s
focus was to give managers the means to plan and control processes and activities so the
project could be completed within the specified time period. The Polaris program involved
250 prime contractors, more than 9,000 subcontractors, and hundreds of thousands of
tasks.
● PERT was introduced as an event-oriented, probabilistic technique to increase the Program
Manager’s control in projects where time was the critical factor and time estimates were
difficult to make with confidence. The events used in this technique represent the start and
finish of the activities. PERT uses three time estimates for each activity: optimistic,
pessimistic, and most likely. An expected time is calculated based on a beta probability
distribution for each activity from these estimates.
Purpose of PERT Analysis
PERT Analysis informs the Program Manager and project personnel about the project’s
tasks and the estimated amount of time required to complete each task. By
utilizing this information a Program Manager will be able to estimate the
minimum amount of time required to complete the entire project. This helps in
the creation of more realistic schedules and cost estimates.
The PERT formula for the expected time of an activity is: (P + 4M + O) / 6
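The expected-time formula applied to a small activity network, added as an example (not the slides' own material). The activities, their three estimates and their dependencies are constructed. The block goes one step beyond the slide: after computing each activity's expected time it finds the longest dependency chain, which is the "minimum amount of time required to complete the entire project" the text refers to; that longest-path step and the acyclic-dependency assumption are this example's, not the slides'.

```python
# Added example: PERT expected times and the resulting minimum project duration.
# Each activity maps to (optimistic, most_likely, pessimistic, predecessors).
# Values are constructed; durations are in days.
ACTIVITIES = {
    "A": (2, 4, 6, []),
    "B": (3, 5, 13, ["A"]),
    "C": (1, 2, 3, ["A"]),
    "D": (2, 3, 10, ["B", "C"]),
}


def pert_expected(optimistic, most_likely, pessimistic):
    """Expected time from the slide's formula (P + 4M + O) / 6."""
    if not optimistic <= most_likely <= pessimistic:
        raise ValueError("estimates must satisfy optimistic <= most likely <= pessimistic")
    return (pessimistic + 4 * most_likely + optimistic) / 6


def expected_times(activities=ACTIVITIES):
    """Expected duration of every activity."""
    return {name: pert_expected(o, m, p) for name, (o, m, p, _) in activities.items()}


def critical_path(activities=ACTIVITIES):
    """Longest chain of dependent activities, using expected times.

    Assumes the dependency graph is acyclic. Returns (duration, [activity names]).
    """
    durations = expected_times(activities)
    finish, path = {}, {}

    def visit(name):
        # Earliest finish = longest predecessor finish + own expected duration.
        if name in finish:
            return finish[name]
        _, _, _, preds = activities[name]
        best_pred, best = None, 0.0
        for pred in preds:
            t = visit(pred)
            if t > best:
                best, best_pred = t, pred
        finish[name] = best + durations[name]
        path[name] = (path[best_pred] if best_pred else []) + [name]
        return finish[name]

    last = max(activities, key=visit)
    return finish[last], path[last]


if __name__ == "__main__":
    for name, t in expected_times().items():
        print(f"{name}: {t:.2f} days")
    duration, chain = critical_path()
    print(f"minimum project duration: {duration:.2f} days via {' -> '.join(chain)}")
```

Note how B's wide pessimistic estimate (13 days against a most likely 5) pulls its expected time up to 6 days; the beta-weighted formula is what lets that uncertainty show up in the schedule without discarding the most likely value.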
FTA
FMEA
FMEA stands for Failure Modes and Effects Analysis.
FMEA is a systematic, proactive method for evaluating a process to identify
where and how it might fail and to assess the relative impact of different failures,
in order to identify the parts of the process that are most in need of change.
FMEA includes review of the following:
HAZOP
Types of HAZOP
The four types of HAZOP studies that are conducted are: process HAZOP,
procedure HAZOP, human HAZOP and software HAZOP.
1. Process HAZOP: Assesses plants and process systems
2. Procedure HAZOP: Reviews procedures and operational sequences.
3. Human HAZOP: Focuses on human errors as opposed to technical failure.
4. Software HAZOP: Identifies possible errors in the development of software.
Incident BowTie
A bow tie is a graphical depiction of pathways from the causes of an event or risk to
its consequences in a simple qualitative cause-consequence diagram.
Simple bow tie analysis can be conducted using the following steps:
● Identify the risk to be examined in the bow tie analysis. Bow tie analysis is of
most use for risks that have high levels of risk, and particularly those with high
consequences.
● Describe the risk, in the form [something happens] and leads to [a consequence
for our objectives], and note the main risk analysis outcomes from the risk
register.
● List the causes of the risk on the left and the consequences of the risk on the
right, drawing on material from the risk register and expanding where possible.
● List the existing controls on the causes (preventive controls) below the causes on
the left, and the controls on the consequences (corrective controls) below the
consequences on the right. If a control acts on both causes and consequences,
then show it twice, on each side of the template.
● Assess the effectiveness of each control, by asking ‘Is it designed well (could
it work)?’ and ‘Is it implemented well (does it work)?’
● Identify options for enhancing existing controls, to improve their
effectiveness or to fill gaps. This may include enhanced monitoring and more
frequent review, for example using control self-assessment.
● Look for gaps, where there are causes and consequences for which there are
no matching controls.
● Identify options for creating new controls to fill the gaps.
● Evaluate the advantages and disadvantages of each option, agree options to
be pursued, and develop implementation plans.
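The bow tie procedure above expressed as a data structure plus the two checks it calls for: the control-effectiveness questions ("designed well?", "implemented well?") and the search for causes or consequences with no matching control. This is an added example, not the slides' material; the event, causes, consequences and controls are constructed, and the rule that a control counts as weak if either question is answered "no" is this example's reading of the slide.

```python
# Added example: a bow tie as data, with the gap and effectiveness checks from the procedure.
# Causes sit on the left, consequences on the right; a control that acts on both
# sides is listed once here but rendered twice, as the procedure says.
# The whole bow tie below is constructed for illustration.
BOWTIE = {
    "event": "Customer database exposed",
    "causes": [
        "Phished administrator credentials",
        "Unpatched web server",
        "Misconfigured storage bucket",
    ],
    "consequences": [
        "Regulatory fine",
        "Customer churn",
        "Credential reuse against customers",
    ],
    "controls": [
        {"name": "MFA on administrator accounts",
         "acts_on": ["Phished administrator credentials"],
         "designed_well": True, "implemented_well": True},
        {"name": "Monthly patch cycle",
         "acts_on": ["Unpatched web server"],
         "designed_well": True, "implemented_well": False},
        {"name": "Incident response plan",
         "acts_on": ["Regulatory fine", "Customer churn"],
         "designed_well": True, "implemented_well": True},
    ],
}


def controls_on(bowtie, target):
    """Names of the controls that act on a given cause or consequence."""
    return [c["name"] for c in bowtie["controls"] if target in c["acts_on"]]


def find_gaps(bowtie):
    """Causes without preventive controls, consequences without corrective ones,
    and controls that fail either effectiveness question."""
    return {
        "uncovered_causes": [c for c in bowtie["causes"] if not controls_on(bowtie, c)],
        "uncovered_consequences": [c for c in bowtie["consequences"] if not controls_on(bowtie, c)],
        "weak_controls": [c["name"] for c in bowtie["controls"]
                          if not (c["designed_well"] and c["implemented_well"])],
    }


def render(bowtie):
    """Text layout of the bow tie: causes and their controls left, consequences right."""
    lines = [f"EVENT: {bowtie['event']}", "CAUSES (preventive controls):"]
    for cause in bowtie["causes"]:
        lines.append(f"  {cause}  <- {', '.join(controls_on(bowtie, cause)) or 'NO CONTROL'}")
    lines.append("CONSEQUENCES (corrective controls):")
    for cons in bowtie["consequences"]:
        lines.append(f"  {cons}  -> {', '.join(controls_on(bowtie, cons)) or 'NO CONTROL'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(BOWTIE))
    print(find_gaps(BOWTIE))
```

Running it surfaces the three things the later steps ask you to act on: one cause and one consequence with no control at all (options for new controls), and one control that is well designed but poorly implemented (an option for enhancing an existing control).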
Event Tree Analysis
● An event tree analysis (ETA) is an inductive procedure that shows all
possible outcomes resulting from an accidental (initiating) event, taking into
account whether installed safety barriers are functioning or not, and
additional events and factors.
● By studying all relevant accidental events (that have been identified by a
preliminary hazard analysis, a HAZOP, or some other technique), the ETA
can be used to identify all potential accident scenarios and sequences in a
complex system.
● Design and procedural weaknesses can be identified, and probabilities of the
various outcomes from an accidental event can be determined.
Example
Steps
1. Identify (and define) a relevant accidental (initial) event that may give rise to
unwanted consequences
2. Identify the barriers that are designed to deal with the accidental event
3. Construct the event tree
4. Describe the (potential) resulting accident sequences
5. Determine the frequency of the accidental event and the (conditional) probabilities
of the branches in the event tree
6. Calculate the probabilities/frequencies for the identified consequences (outcomes)
7. Compile and present the results from the analysis
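Steps 1 to 7 carried through numerically, as an added example that is not from the slides. The initiating event, its frequency, the barriers and their success probabilities are all constructed; the branch probabilities are treated as conditional on reaching that barrier, as step 5 describes, and the mapping from barrier outcomes to a consequence label is this example's assumption.

```python
# Added example: an event tree from an initiating event through three safety barriers.
# Every value below is constructed for illustration.
from itertools import product

# Step 1: initiating event and its frequency (occurrences per year).
INITIATING_EVENT = ("Ransomware executes on a workstation", 2.0)

# Step 2: barriers in the order they act, each with its probability of success.
BARRIERS = [
    ("Endpoint protection blocks execution", 0.90),
    ("Network segmentation limits spread", 0.70),
    ("Offline backups allow restore", 0.95),
]


def event_tree(frequency, barriers):
    """Step 3: enumerate every branch; True means the barrier worked.

    Returns [(outcome tuple, frequency)] with one entry per path through the tree.
    """
    sequences = []
    for outcome in product((True, False), repeat=len(barriers)):
        f = frequency
        for (_, p_success), worked in zip(barriers, outcome):
            f *= p_success if worked else 1 - p_success  # step 5: conditional branch probability
        sequences.append((outcome, f))
    return sequences


def consequence(outcome):
    """Step 4: describe the accident sequence each path leads to (assumed mapping)."""
    blocked, contained, restorable = outcome
    if blocked:
        return "execution blocked"
    scope = "single host" if contained else "multiple hosts"
    recovery = "restored from backup" if restorable else "data loss"
    return f"{scope}, {recovery}"


def outcome_frequencies(frequency=INITIATING_EVENT[1], barriers=BARRIERS):
    """Step 6: frequency of each consequence, summed over the paths that produce it."""
    totals = {}
    for outcome, f in event_tree(frequency, barriers):
        label = consequence(outcome)
        totals[label] = totals.get(label, 0.0) + f
    return totals


def check_conservation(frequency=INITIATING_EVENT[1], barriers=BARRIERS):
    """Sanity check: the outcome frequencies must add back up to the initiating frequency."""
    return abs(sum(outcome_frequencies(frequency, barriers).values()) - frequency) < 1e-9


if __name__ == "__main__":
    # Step 7: present the results.
    print(f"Initiating event: {INITIATING_EVENT[0]} ({INITIATING_EVENT[1]} per year)")
    for label, f in sorted(outcome_frequencies().items(), key=lambda kv: -kv[1]):
        print(f"  {f:8.4f} /yr  {label}")
    print("conservation check:", check_conservation())
```

The conservation check is the quickest way to catch a mis-built tree: if the outcome frequencies do not sum to the initiating frequency, a branch has been dropped or a probability and its complement have been swapped.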
Applications