Risk Management for Managers - 5 Simple Steps - YouTube

Welcome to this course on introduction to risk management.

All types of organizations, face with the some form of risks, which may affect their

chance of success.

Understanding the risks, and effectively managing these, will greatly help the organizations,

in achieving the long term success.

Risk Management can be an important tool, to eliminate potential problems in an organization.

Even though the current version of ISO 9001, does not specifically require the use of risk

management, in the preventive action clause, some of the industry specific standards require

it specifically.

For example, the quality management standard for aviation industry, and healthcare industry,

have risk management requirement, included in the preventive action clause.

These are the topics covered in this course.

First we will understand the definitions of risk and risk management.

Then we will look at five key steps for managing risks.

Companies face a number of internal and external factors, which make it uncertain, whether

the company will meet its objectives.

These uncertain events, or conditions, are called the risks.

So far in this course, we thought that the risks always have a negative impact.

Lets be clear here, that the result of a risk, is not always negative.

Risks are uncertain events.

These uncertain events could lead to positive or negative results.

Positive risks are known as opportunities.

Organizations attempt to avoid, or reduce the impacts of negative risks.

However when it comes to the positive risks, organizations would like to take maximum advantage

of these opportunities.

This slide explains the difference between a risk, and an issue.

While a risk is a future uncertain event, an issue is an event which has already occurred.

The concepts of risk appetite, and risk tolerance, are related to the extent to which, an organization

is comfortable taking risk.

Taking big risks could be lead to big losses, or big rewards.

While risk appetite is about the willingness to take risk, risk tolerance is about what

the organization can bear.

As discussed on the previous slide, risk is associated with reward.

Organizations take risks to gain more rewards.

This is the definition of risk management, taken from wikipedia dot org.

If you find this definition confusing, then please proceed to the next slide.

This same definition is presented there, in form of a diagram.

In risk management, you identify the potential risks, then you assess them so that you know

which of the identified risks are more critical and which are less.

Based on that assessment you give more priority to some risks and less to others.

You can not cover all risks since you have limited resources.

With this priority you put your resources on high priority risks.

As we talked earlier a risk can be a negative or positive risk.

You attempt to minimize the impact of negative risks, monitor then and keep them under control.

However if it is a positive risk, or an opportunity, you put your resources to maximize the opportunity.

For risk management process to be effective, these are some of the key principles, that

should be considered.

Since the organization is spending resources, to manage risks, it should create value.

Risk management should be performed systematically, and be integral part of the organization's

work processes.

As the organization matures, the types of risks or challenges change.

The organization should adopt to these changes, and improve the risk management process.

Risk management is applied in variety of fields such as project management, military, space,

medical, engineering, plant operation, safety and in financial portfolio management.

Key benefits of implementing risk management includes fewer shocks and unwelcome surprises;

effective use of resources, and reassuring stakeholders.

Instead of being unprepared for the threats and opportunities, that happen during the

course of a project or business, risk management can help plan and prepare for them.

This preparedness helps organizations in saving costs and time.

Risk management process, can be divided into these five key steps.

It starts with having a risk management plan.

The next step is to identify the potential risks and prepare a list of all risks.

This list of risks is then analyzed, using qualitative, and quantitative techniques,

to identify high priority, medium priority and low priority risks.

Response is planned for these risks, depending upon the priority.

Risks are then monitored and controlled.

We will look at each of these steps, in the following slides.

Risk management plan specifies the management intent, systems and procedures required for

managing risks.

Risk management plan will provide the definitions of various risk related terms.

Roles and responsibilities related to risk, and tools and templates, are also included

in it.

In a way risk management plan specifies how the next four steps listed on this slide are

executed in the organization.

That is, how the organization will identify risks, how these risks will be analyzed, how

the risk response will be planned, and how the risks will be monitored and controlled.

Once the plan is in place, identify risks is the first key step in actual management

of risks.

This is the process of identifying the potential risks, their root cause, and the risk consequences.

Risk identification is a systematic process.

It is a group effort, where subject matter experts from various groups participate.

The most common tool used in risk identification process, is brain storming.

In this, the subject matter experts from various groups meet together, and list down all the

potential risks.

During brain storming, no identified risk is evaluated, or criticized.

The intent here is to list down as many possibles risks, in limited time.

Other tools such as Ishikawa diagram, flow diagram, and SWOT analysis may also be used.

Here the term SWOT, stands for Strengths, weaknesses, opportunities and threats.

The outcome of risk identification is a list of risks, or risk register.

What is done with the list of risks depends on the nature of the risk.

A few low priority risks may be kept simply as a list of red flag items, and periodically

monitored.

Some high priority risks, may go through the rigorous process of assessment, analysis,

mitigation and planning.

The next risk management process, that is analyze risks, helps in deciding that.

Organizations do not have resources to address all risks.

After having the list of all potential risks, the next logical step is to analyze and prioritize

risks.

Some risks may need detailed action plan, and some may just need periodic monitoring.

Organization may accept some of the risks without any action.

In this step, that is analyze risks, we will look at how the risks are analyzed and prioritized.

This is the process of quantifying the risk events, documented in the previous step, so

that the organization can focus on critical risks.

For risk analysis, qualitative and quantitative analysis are conducted.

Qualitative risk analysis is a subjective analysis, and is quick and easy to perform.

One tool to conduct the qualitative analysis is probability and impact matrix.

We will cover this tool in next few slides.

On the other hand, Quantitative risk analysis is the detailed analysis of the risk.

It is not required to conduct quantitative analysis for all risks, and is conducted when

it is worth the time and effort required to conduct it.

Tools to conduct quantitative risk analysis include, expected monitory value analysis,

Monte Carlo analysis, and decision tree.

These tools are not covered in this training course.

As discussed in the previous slide, the Probability and Impact Matrix, is a qualitative risk analysis

tool.

This matrix has two aspects, the probability that the risk will actually happen, and the

potential impact if the risk happens.

These two are classified from very unlikely, to very likely.

In the probability and impact matrix, the risk probability, and the risk impact are

assigned a score of 1 to 9.

Where 1 is the least, and 9 is the highest.

A risk score is then calculated, by multiplying these two numbers.

Instead of assigning a score of 1 to 9, a score of 1 to 3, or a score of 1 to 5 may

be used.

These rules are defined in your risk management plan.

In this course we are using a score of 1 to 9.

In this example, the group assigns a score of 1 to the probability of risk, and a score

of 9 to the impact value.

This means that the risk being discussed, has a very low chance of happening, but if

it happens, the impact will be very high.

Since the score of 1 to 9 assigned to the probability, and impact, are subjective, organization

managing the risk creates some guidelines, to ensure that these are consistent.

This slide shows a sample table, for assigning probability number.

The next slide will show a sample impact table.

This is a sample table, to assign the risk impact number.

The risk may impact cost, schedule, scope or quality.

Once we have assigned a risk probability number, and an impact number, these are plotted on

the probability and impact matrix.

A simple example of that is shown here.

Let us look at the four boxes shown here.

Risks towards the top right corner, are of critical importance, since these are High

impact and high probability risks.

These are your top priorities risks, that you must pay close attention to.

Risks in the bottom left corner are low impact, and low probability risks.

You can often ignore them.

Risks in the top left corner, are of moderate importance, since these are Low impact, and

high probability risks.

If these things happen, you can cope with them, and move on.

However, you should try to reduce the likelihood, that they'll occur.

Risks in the bottom right corner, are high impact, and low probability risks, and these

are very unlikely to happen.

For these, you should do what you can to reduce the impact, and you should have contingency

plans in place, just in case they occur.

This and the next slide, show examples of probability and impact matrix.

In this example, a score of 1 to 9 is assigned to the probability, and the impact.

This is an example of the probability and impact matrix, where the probability, and

the impact, are assigned a value between very low, to very high.

Once we have analyzed risks, the next step in risk management, is to plan risk response,

for each identified risk.

When planning a risk response, we attempt to reduce the impact and chance, of negative

risks, and enhance the impact and chance, of positive risks.

This slide shows the four risk responses, for negative risks, and the corresponding

responses for positive risks.

In the next eight slides, we will look at each of these responses.

In risk avoidance, we completely eliminate the possibility of the risk.

An example might be to use a old and proven process, instead of new and risky process.

Risk can also be avoided by improved communication, providing information, or acquiring an expert.

If you can not avoid a risk completely, you attempt to mitigate it.

The purpose of risk mitigation is to reduce the size of the risk exposure.

This is done by either reducing the probability of the risk, or by reducing the impact.

The risk transfer strategy aims to pass ownership for a particular risk to a third party.

It is also important to remember that risk transfer almost always involves payment of

a risk premium.

A Cost and benefit analysis might be done, to ensure that the cost of transferring risk

is justified.

Acceptance of a risk means that the probability, and or the severity, of the risk is low enough,

that we will do nothing about the risk, unless it occurs.

There are two kinds of acceptance, active and passive.

Acceptance is passive, when nothing at all is done to deal with the risk.

Acceptance is active, when we decide to make a contingency plan, for what to do, when the

risk occurs.

The next four slides, will deal with the risk responses for positive risks, or opportunities.

The first response to deal with the positive risk is to exploit it.

This response tries to remove any uncertainty, so that the opportunity is certain to happen.

The enhance response, focuses on the root cause of the opportunity, and goes on to influence

those factors, which will increase the likelihood of the opportunity occurring.

Sometimes exploiting a positive risk is not possible, without collaboration.

A partnership with a different group, department, or company may be required, to exploit a positive

risk Just like dealing with negative risks, we

may actively or passively accept a positive risk.

Acceptance of a risk means that the probability, and or the severity, of the risk is low enough,

that we will do nothing about the risk, unless it occurs.

Once we have identified risks, analyzed then and made a plan to deal with them, the next

step is to monitor and control the risks.

A risk management program is never finished.

Risk monitoring and control, should be ongoing and continual.

New risks will emerge, and existing risks will disappear.

You have to stay on top of it.

While monitoring and controlling risks, unexpected risks occur.

These unexpected risks are the risks, which you did not identify in your risk identification

process.

A workaround is created to deal with such risks.

Thank you for attending this course at QualityGurus.com.