Project Risk Management

Every project matters, and every project carries its own risk elements. From initiation through to post-completion, the degree of risk grows, as does the haze of uncertainty, so proper project risk management can make a difference.

Risk inevitably comes with any project; it resides within the project and works against it like an adversary. Bounded by the combined constraints of time, budget, workforce and many quantifiable and non-quantifiable factors, a project marches towards success while the risk factors follow it throughout execution.

To be precise, “risk” in project management is the threat or possibility that an action or occurrence will adversely affect a project’s ability to achieve its objectives. Any counter-event or adverse cause that can become an obstacle is a risk factor.

In the traditional project management approach, the term “risk” is treated as a negative component: an occurrence that will adversely affect the goal of the project. In the more optimistic, modern approach, however, “risk” can also be seen as a prospective occurrence or productive event which, if handled and executed properly, may lead to enhanced and improved objectives.

Project risk management is the procedure of determining and evaluating risk and developing strategies to manage it; it is concerned with identifying risks and putting in place policies to eliminate or reduce them.

Project risk analysis is the detection and quantification of the probabilities and impacts of events that may harm the project. The risk analysis process identifies risks in advance, and the risk management process establishes methods of avoiding them, thus reducing the impacts that may occur.

Risk Detection

Risk detection is the initial step in the risk management process. Because potential hazards disrupt the project’s momentum when they occur, there needs to be a plan for identifying them. Identifying these concealed threats at their origin, before they occur and whether they are quantifiable or not, is the foremost groundwork; this groundwork is the risk identification process.

Risk detection starts with tracing risk sources back to their root cause, along with the branches of each source, from internal to external and from primary to secondary.

Some of the most common risk detection methods in project risk management are as follows:

1. Objective Oriented Risk Detection

2. Scenario Oriented Risk Detection

3. Taxonomy Oriented Risk Detection

4. Regular Risk Inspection

Risk Evaluation in Project Risk Management

Once the risk detection process is concluded, the identified risks must be evaluated for their potential severity of loss and their likelihood of occurrence. In project risk management, each risk should be evaluated independently, as outcomes vary from simple to complex.

Generally, simple risks can easily be quantified, while risks whose probabilities are unknown are infeasible to enumerate; in the evaluation process it is therefore important to make well-founded assumptions so that the risk management remedy is implemented accurately. Moreover, the primary problem in risk evaluation is the lack of statistical information and scientific evidence for determining the rate at which risk events may occur.

Gauging risk is often quite a complicated process, and numerous formulae are in use; a popular yet simple formula is:

Project Risk = Accident Probability × Accident Impact

Here, risk is directly equivalent to the “probability of accident” multiplied by the “impact of accident”. That said, project risk management relies less on the particular formula used than on the risks that actually occur and on how risk management is employed.

In general, a systematic plan prepared in advance for risk management records the following for each risk:

Risk: Description of the Actual Risk

Impact: Impact on the Project if the Risk Occurs

Possibility: Possibility of Loss if Risk Occurs

Action: Action Remedy to Reduce the Impact

Cost: Cost if the Risk Occurs

Once a risk is identified and evaluated, there are four major practices that can be followed to avoid a failed remedy; they are:

1. Risk Evasion: Avoidance of the Risk Altogether

2. Risk Diminution: Reducing the Degree of Risk through Precaution Measures

3. Risk Retention: Accepting the Degree of Risk with Loss

4. Risk Relocating: Transferring the Risk to Another Party

Hence, in practising project risk management, a prioritisation procedure should be followed: risks with the greatest potential loss and the greatest probability of occurrence are handled first, and those with the least risk last.

Project risk management is the practice of methodically applying cost-effective action to diminish the effect of hazards on the project. Risks are never fully avoidable, because of external factors and financial and practical limitations. However, by accepting a certain degree of risk and arranging countermeasures to tackle it, the risk at hand can be compensated for.

Not all risks can be fully avoided or mitigated, so every project has to accept some level of residual risk; but if risk is handled with a methodical and proficient approach, grounded in statistical and scientific information, then risk rewards.

Your Risk Management Process

Some experts have said that a strong risk management process can decrease problems on a project by as much as 80 or 90 percent. In combination with solid project management practices–having a well-defined scope, incorporating input from the appropriate stakeholders, following a good change management process, and keeping open the lines of communication–a good risk management process is critical in cutting down on surprises, or unexpected project risks. Such a process can also help with problem resolution when changes occur, because now those changes are anticipated and actions have already been reviewed and approved, avoiding knee jerk reactions.

Defining “Risk”

Before one can embark on a risk management process, one must have a solid understanding of some key definitions. Project risks as defined from a PMI perspective are, at their core, unknown events. These events can be positive or negative, so that the word “risk” is inherently neutral. That said, most of the time and focus is spent handling negative project risks, or “threats,” rather than positive project risks, or “opportunities.”

Often, companies that do perform a risk management process on a fairly typical multi-month project (no longer than 12 months) will identify and manage possibly five to ten easily recognized project risks. However, that number should in fact be much higher. With a high number of project risks identified early on, a team’s awareness of what to look for is increased, so that potential problems are recognized earlier and opportunities are seen more readily.

It may seem that project risks cannot be managed without taking away from the actual work of the project. However, this can effectively be accomplished with a seven-step risk management process that can be utilized and modified with each project.

The Risk Management Process

Step one of the risk management process is to have each person involved in the planning process individually list at least ten potential risk items. Often with this step, team members will assume that certain project risks are already known, and therefore do not need to be listed. For example, scope creep is a typical problem on most projects. Yet it still must be listed because even with the best practice management processes in place, it could still occur and cause problems on a project over time. Therefore it should be addressed rather than ignored.

Step two of the risk management process is to collect the lists of project risks and compile them into a single list with the duplicates removed.

Step three of the risk management process is to assess the probability (or likelihood), the impact (or consequence) and the detectability of each item on the master list. This can be done by assigning each item on the list a numerical rating such as on a scale from 1 to 4 or a subjective term such as high, medium, or low. Detectability is optional, but it can be simple to assess – if a risk is harder to see, such as with scope creep, then it’s a riskier item. If it’s easier to catch early, such as loss of management support or loss of a key resource, then it’s lower risk.

Step four of the risk management process is to break the planning team into subgroups and to give a portion of the master list to each subgroup. Each subgroup can then identify the triggers (warning signs) for its assigned list of project risks. All triggers should be noted, even minor ones. Normally there will be at least three triggers for each risk.

Step five of the risk management process is for those same subgroups to identify possible preventive actions for the threats and enhancement actions for the opportunities.

Step six of the risk management process is for the subgroups to then create a contingency plan for most but not all project risks – a plan that includes the actions one would take if a trigger or a risk were to occur. This plan will be created for those risks scoring above a certain cut-off point, which is determined after looking at the total scores for all risks. This keeps the risk management process manageable. The risk management process is not effective if it is so time-consuming that it is never done.

Step seven, the final step in planning the risk management process, is to determine the owner of each risk on the list. The owner is the person who is responsible for watching out for triggers and then for responding appropriately if the triggers do in fact occur by implementing the pre-approved and now established contingency plan. Often, the owner of the risk is the project manager, but it is always in the best interest of the project for all team members to watch for triggers while working on the project.

Rather than start this risk management process from scratch for every new project, it can be followed once to establish a list of generic project risks and triggers, skipping step three. Then, a team simply has to add project-specific project risks and triggers and assess the probability, impact, and detectability for each risk, saving a great amount of time and helping to ingrain a risk mentality into your project culture.

Creating a Risk Register or Risk Matrix

Upon completion of the risk management process, a master document, known as a risk register or risk matrix, is created. The most effective format for this document is a table, because it will allow a great deal of information to be conveyed in a few pages. If the information is instead presented in paragraph form, it may not be read by people and will be rendered ineffective. The columns in the table can include risk description, probability, impact, detectability, triggers, preventive actions, and contingency plan. Other columns, such as quantitative value, can also be added as appropriate.
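A small risk register that implements the seven steps above and the table columns just listed, as an added example that is not code from the original article. The 1-to-4 rating scale follows the text; the detectability weighting (a hard-to-see risk such as scope creep scores higher), the top-half contingency cut-off, and the sample risks are assumptions.

```python
"""Risk register for the seven-step process and the table format described above.

Added example, not code from the original article. Assumptions chosen to match
the text: probability and impact are rated 1-4 (higher = worse); detectability
is rated 1-4 with 1 = hard to see (scope creep) and 4 = easy to catch early, so
low detectability raises the score; the cut-off is the score of the top half.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional

RATING_SCALE = range(1, 5)  # the article's 1-to-4 scale


@dataclass
class Risk:
    description: str
    probability: int              # 1-4, likelihood of the event
    impact: int                   # 1-4, consequence if it occurs
    detectability: int            # 1-4, 1 = hard to see, 4 = easy to catch early
    triggers: List[str] = field(default_factory=list)
    preventive_actions: List[str] = field(default_factory=list)
    contingency_plan: Optional[str] = None
    owner: Optional[str] = None   # step seven: who watches the triggers
    closed: bool = False          # closed risks stay in the register

    def __post_init__(self) -> None:
        # Reject ratings outside the 1-4 scale rather than silently mis-scoring.
        for name in ("probability", "impact", "detectability"):
            if getattr(self, name) not in RATING_SCALE:
                raise ValueError(f"{name} must be 1-4, got {getattr(self, name)!r}")

    def score(self) -> int:
        # Probability x Impact from the article's formula, weighted so that a
        # hard-to-detect risk scores higher: 5 - d maps detectability 1..4 to 4..1.
        return self.probability * self.impact * (5 - self.detectability)


def compile_master_list(individual_lists: List[List[str]]) -> List[str]:
    """Step two: merge everyone's lists, dropping duplicates (case/space-insensitive)."""
    seen = set()
    master: List[str] = []
    for items in individual_lists:
        for item in items:
            normalised = " ".join(item.split())
            if normalised and normalised.casefold() not in seen:
                seen.add(normalised.casefold())
                master.append(normalised)
    return master


def contingency_cutoff(risks: List[Risk], top_fraction: float = 0.5) -> Optional[int]:
    """Step six: choose the cut-off after looking at the scores of all open risks."""
    scores = sorted((r.score() for r in risks if not r.closed), reverse=True)
    if not scores:
        return None
    keep = max(1, math.ceil(len(scores) * top_fraction))
    return scores[keep - 1]


def risks_needing_contingency(risks: List[Risk], top_fraction: float = 0.5) -> List[Risk]:
    """Open risks at or above the cut-off, highest score first (stable for ties)."""
    cutoff = contingency_cutoff(risks, top_fraction)
    if cutoff is None:
        return []
    selected = [r for r in risks if not r.closed and r.score() >= cutoff]
    return sorted(selected, key=lambda r: r.score(), reverse=True)


def close_risk(risks: List[Risk], description: str) -> bool:
    """Status-meeting review: close a risk but keep it in the register."""
    for r in risks:
        if r.description.casefold() == description.casefold():
            r.closed = True
            return True
    return False


def render_register(risks: List[Risk]) -> str:
    """The register as a table, one row per risk, highest score first."""
    rows = ["Risk | P | I | D | Score | Triggers | Preventive actions | Contingency | Owner | Status"]
    for r in sorted(risks, key=lambda r: r.score(), reverse=True):
        rows.append(" | ".join([
            r.description, str(r.probability), str(r.impact), str(r.detectability),
            str(r.score()), "; ".join(r.triggers) or "-", "; ".join(r.preventive_actions) or "-",
            r.contingency_plan or "-", r.owner or "-", "closed" if r.closed else "open",
        ]))
    return "\n".join(rows)


# Constructed sample input: three team members' step-one lists, and the
# step-three ratings and step-four triggers the planning team assigned.
TEAM_LISTS = [
    ["Scope creep", "Loss of key resource", "Vendor delivery slips"],
    ["scope creep", "Loss of management support", "Requirements misunderstood"],
    ["Vendor  delivery slips", "Loss of key resource"],
]
SAMPLE_RISKS = [
    Risk("Scope creep", 3, 3, 1, ["unlogged change requests"], ["enforce change control"], owner="project manager"),
    Risk("Vendor delivery slips", 3, 2, 2, ["missed interim milestone"], owner="procurement lead"),
    Risk("Requirements misunderstood", 2, 3, 2, ["rework in first sprint"], owner="business analyst"),
    Risk("Loss of key resource", 2, 4, 4, ["notice period started"], owner="project manager"),
    Risk("Loss of management support", 1, 4, 4, ["sponsor skips steering meetings"], owner="sponsor"),
]
```

Calling `risks_needing_contingency(SAMPLE_RISKS)` selects the three highest-scoring open risks for a contingency plan, and `close_risk` marks a risk closed without removing it, as the review routine below requires.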

Important Things to Remember

Often, the steps in which triggers and preventive actions are identified are overlooked. However, these are vital to the entire risk management process. After a team has completed this exercise once, the members will be better conditioned on what to pay attention to while managing the project so they are more proactive in catching changes or issues early. If these steps in the risk management process are skipped, the team can find themselves in constant reaction mode, simply implementing a contingency plan for each risk after that risk catches them by surprise. They could also ignore a seemingly overwhelming list of project risks, which is why narrowing the list down to the most important risks is critical for making sure the list is used.

Once the risk register is complete, it is easy to maintain. It can be reviewed during regular status meetings, with as little as 15 minutes spent making sure the list is still current. Determine if any project risks can be closed (but not removed completely), if any risks have increased or decreased in value, and if there are any new project risks to add. This will ensure that the list is continually seen as relevant and useful throughout the life of the project.


A risk management process does not have to be complicated or time consuming to be effective. By following a simple, tested, and proven approach that involves seven steps taken at the beginning of each project (fewer if a generic list of project risks has already been established), the project team can prepare itself for whatever may occur. Of course there will always be changes and there may still be surprises, but the end result is that they are fewer, that the team feels prepared and that the project is not taken off course.

Implement Enterprise Risk Management

Organizations have long practiced various parts of what has come to be called enterprise risk management. Identifying and prioritizing risks, either with foresight or following a disaster, has long been a standard management activity. Treating risk by transfer, through insurance or other financial products, has also been common practice, as has contingency planning and crisis management.

What has changed, beginning very near the close of the last century, is treating the vast variety of risks in a holistic manner, and elevating risk management to a senior management responsibility. Although practices have not progressed uniformly through different industries and different organizations, the general evolution toward ERM can be characterized by a number of driving forces.

What is Risk Management?

Risk management is simply the practice of systematically selecting cost-effective approaches for minimizing the effect of threat realization on the organization. All risks can never be fully avoided or mitigated, simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risk.

Whereas risk management tends to be pre-emptive, business continuity planning (BCP) was invented to deal with the consequences of realized residual risks. The necessity to have BCP in place arises because even very unlikely events will occur if given enough time. Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied together that such separation seems artificial. For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates, etc.). Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management’s pre-emptive approach and starts from the assumption that the disaster will materialize at some point.

Financial risk management is the practice of creating value in a firm by using financial instruments to manage exposure to risk. Similar to general risk management, financial risk management requires identifying the sources of risk, measuring risk, and making plans to address them. As a specialization of risk management, financial risk management focuses on when and how to hedge using financial instruments to manage costly exposures to risk.

In the banking sector worldwide, the Basel Accords are generally adopted by internationally active banks for tracking, reporting and disclosing operational, credit and market risks.

Currently working for Compass Bank, a smaller regional bank, the same general risks are still apparent: deposit fraud including check kiting, insider trading fraud, Internet banking concerns, and robbery. Compass Bank must ensure that it continually tracks, monitors, rethinks or revamps, and implements.

Finance theory (i.e. financial economics) prescribes that a firm should take on a project when it increases shareholder value. Finance theory also shows that firm managers cannot create value for shareholders, also called its investors, by taking on projects that shareholders could do for themselves at the same cost. When applied to financial risk management, this implies that firm managers should not hedge risks that investors can hedge for themselves at the same cost. This notion is captured by the hedging irrelevance proposition: in a perfect market, the firm cannot create value by hedging a risk when the price of bearing that risk within the firm is the same as the price of bearing it outside of the firm. In practice, financial markets are not likely to be perfect markets. This suggests that firm managers likely have many opportunities to create value for shareholders using financial risk management. The trick is to determine which risks are cheaper for the firm to manage than for the shareholders. A general rule of thumb, however, is that market risks that result in unique risks for the firm are the best candidates for financial risk management.

Why the Change?

The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox; July 30, 2002) is a United States federal law passed in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Peregrine Systems and WorldCom (later MCI and now part of Verizon Business). These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D-Md.) and Representative Michael G. Oxley (R-Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation is wide ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Some believe the legislation was necessary and useful, others believe it does more economic damage than it prevents, and yet others observe how essentially modest the Act is compared to the heavy rhetoric accompanying it.

The first and most important part of the Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance and enhanced financial disclosure. It is considered by some as one of the most significant changes to United States securities laws since the New Deal in the 1930s.

The Sarbanes-Oxley Act’s major provisions include the following:

o Creation of the Public Company Accounting Oversight Board (PCAOB)

o A requirement that public companies evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and that independent auditors for such companies “attest” (i.e., agree, or qualify) to such disclosure

o Certification of financial reports by chief executive officers and chief financial officers

o Auditor independence, including outright bans on certain types of work for audit clients and pre-certification by the company’s Audit Committee of all other non-audit work

o A requirement that companies listed on stock exchanges have fully independent audit committees that oversee the relationship between the company and its auditor

o Ban on most personal loans to any executive officer or director

o Accelerated reporting of insider trading

o Prohibition on insider trades during pension fund blackout periods

o Additional disclosure

o Enhanced criminal and civil penalties for violations of securities law

o Significantly longer maximum jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements, although maximum sentences are largely irrelevant because judges generally follow the Federal Sentencing Guidelines in setting actual sentences

o Employee protections allowing those corporate fraud whistleblowers who file complaints with OSHA within 90 days to win reinstatement, back pay and benefits, compensatory damages, abatement orders, and reasonable attorney fees and costs.

But enacting a law without a governing body to oversee the provisions and rules would be a waste of time and taxpayers’ dollars. The Sarbanes-Oxley Act was placed into law to help stop corruption and deception, to protect employees and citizens from scandal.

Governed by Whom

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative, formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

COSO is sponsored and funded by 5 main professional accounting associations and institutes: the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), the Financial Executives Institute (FEI), The Institute of Internal Auditors (IIA) and The Institute of Management Accountants (IMA).

COSO has set out the following key concepts of internal control:

o Internal control is a process. It is a means to an end, not an end in itself.

o Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.

o Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.

o Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Internal control consists of five interrelated components. These components provide an effective framework for describing and analyzing the internal control system implemented in an organization. The five components are the following:

Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include integrity, ethical values, management’s operating style and systems for delegating authority, as well as the processes for managing and developing people in the organization.

Compass Bank tries to control the environment inside the company. We offer different foundations to help build an ethical place to work. We try to hire the “right” person for the position in hopes of inspiring the correct mindset. But hiring the right person is not always perfect. We have been tested by unethical decisions of our employees, which have placed the company in court, mediation, or litigation.

Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Internal and external risk is a constant threat to any bank, including Compass Bank. One internal and external risk is the Internet: providing instant, on-demand results for our customers opens the door to Internet threats and/or fraud. We assess the risk, evaluate it, and put backup plans into place. We try to eliminate risk before it happens.

Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Most companies provide a level of control activities. Compass Bank limits different control activities based on your position within the bank. At my level, a manager, I would have different authorities, like up to $5 million in transfer approvals, whereas a customer service representative would only have $100 thousand in transfer approval ability. Based on the position within Compass Bank, most activities are controlled based on the risk involved.

Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Information and communication is key to any success for a company. Compass Bank assesses the information and determines how much of it to communicate. If the assessment determines there is not a lot of risk, the information is not always shared. But if the information is needed by lower-level employees, as with the recent TJX problem of hackers compromising credit card information, limited information is provided to help our customers.

Monitoring: Internal control systems need to be monitored–a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

Compass Bank has internal monitoring of all activities. We are constantly audited to make sure we stay in compliance with all federal, state and local laws. One thing we do each year is make sure all of our employees go through compliance testing. The test involves the Bank Secrecy Act and the Anti-Money Laundering Act. Each employee must pass both tests with an 80% or better. We have other monitors set up but I am unable to elaborate on them.

In conclusion, it is reasonable to expect that the forces cited above will continue. Accordingly, risk management practices will become more and more sophisticated. As capabilities continue to improve, organizations will increasingly adopt better ERM controls because they can.

Enterprise risk management is a “big idea.” Among other things, ERM can be viewed as the broad conceptual framework that unifies the many varied parts of the actuarial discipline. ERM provides a logical structure to link these subject areas together in a compelling way to form an integrated whole. In so doing, ERM addresses critical business issues such as growth, return, consistency and value creation. It expresses risk not just as threat, but as opportunity – the fundamental reason that business is conducted in a free enterprise system.

The Principles of Risk Management

Every project manager and business leader needs to be aware of the practices and principles of effective risk management. Understanding how to identify and treat risks to an organisation, a programme or a project can save unnecessary difficulties later on, and will prepare managers and team members for any unavoidable incidences or issues.

The OGC M_o_R (Management of Risk) framework identifies twelve principles, which are intended “not … to be prescriptive but [to] provide supportive guidance to enable organisations to develop their own policies, processes, strategies and plan.”

Organisational context
A fundamental principle of all generic management methods, including PRINCE2 and MSP as well as M_o_R, is that all organisations are different. Project managers, programme managers and risk managers need to consider the specific context of the organisation in order to ensure thorough identification of risks and appropriate risk treatment procedures.

The term ‘organisational context’ encompasses the political, economic, social, technological, legal and environmental backdrop of an organisation.

Stakeholder involvement
It is easy for a management team to become internalised and forget that stakeholders are also key participants in everyday business procedures, short-term projects and business-wide change programmes.

Understanding the roles of individual stakeholders and managing stakeholder involvement is crucial to success. Stakeholders should, as far as is appropriate, be made aware of risks to a project or programme. In the context of stakeholder involvement, “appropriate” depends on: the identity and role of the stakeholder, the level of influence that the stakeholder has over and outside of the organisation, the level of investment that the stakeholder has in the organisation, and the type, probability and potential impact of the risk.

Organisational objectives
Risks exist only in relation to the activities and objectives of an organisation. Rain is a negative risk for a picnic, a positive risk for drought-ridden farmland and a non-risk for the occupants of a submarine.

It is imperative that the individual responsible for risk management (whether that is the business leader, the project/programme manager or a specialist risk manager) understands the objectives of the organisation, in order to ensure a tailored approach.

M_o_R approach
The processes, policies, strategies and plans within the M_o_R framework provide generic guidelines and templates for use within a particular organisation. These guidelines are based on the experience and research of professional risk managers from a wide range of organisations and management backgrounds. Following best practices ensures that individuals involved in managing the risks associated with an organisation’s activity are able to learn from the mistakes, experiments and lessons of others.

Accurately and clearly representing data, and the transmission of this data to the appropriate staff members, managers and stakeholders, is crucial to successful risk management. The M_o_R methodology provides standard templates and tested structures for managing the frequency, content and participants of risk communication.

Roles and responsibilities
Fundamental to risk management best practice is the clear definition of risk management roles and responsibilities. Individual functions and accountability must be transparent, both within and outside an organisation. This is important both in terms of organisational governance, and to ensure that all the necessary responsibilities are covered by appropriate individuals.

Support structure
A support structure is the provision within an organisation of standardised guidelines, information, training and funding for individuals managing risks that may arise in any specific area or project.

This can include a centralised risk management team, a standard risk management approach and best-practice guidelines for reporting and reviewing organisational risks.

Early warning indicators
Risk identification is an essential first step for removing or alleviating risks. In some cases, however, it is not possible to remove risks in advance. Early warning indicators are pre-defined and quantified triggers that alert individuals responsible for risk management that an identified risk is imminent. This enables the most thorough and prepared approach to handling the situation.

Review cycle
Related to the need for early warning indicators is the review cycle. This establishes the regular review of identified risks and ensures that risk managers remain sensitive to new risks, and to the effectiveness of current policies.

Overcoming barriers to M_o_R
Any successful strategy requires thoughtful consideration of possible barriers to implementation. Common issues include:
o established roles, responsibilities, accountabilities and ownership
o an appropriate budget for embedding approach and carrying out activities
o adequate and accessible training, tools and techniques
o risk management orientation, induction and training processes
o regular assessment of M_o_R approach (including all of the above issues)

Supportive culture
Risk management underpins many different areas and aspects of an organisation’s activity. A supportive culture is essential for ensuring that everybody with risk management responsibilities feels confident raising, discussing and managing risks. A supportive risk management culture will also include evaluation and reward of risk management competencies for the appropriate individuals.

Continual improvement
In an evolving organisation, nothing stands still. An effective risk management policy includes the capacity for re-evaluation and improvement. At a practical level, this will require the nomination of an individual or a group of individuals to the responsibility of ensuring that risk management policies and procedures are up-to-date, as well as the establishment of regular review cycles of the organisation’s risk management approach.

Risk Management and Project Risk

Whenever we undertake a project, risk is inevitable, since projects enable change – and whenever you have change, it introduces uncertainty and hence risk.

A risk is defined as an uncertain event which, should it occur, will have an effect on the project meeting its objectives. When such an uncertain event is positive it is called an Opportunity; when negative it is called a Threat. Both have the common thread of uncertainty.

When carrying out risk management, the purpose is to reduce the probability and impact of threats and to increase the probability of opportunities and/or their positive impact. It is helpful to consider that risk is “an event that may or may not occur in the future, but if it does occur it will have an impact on the project objectives”.

The Business Case will contain information weighing project cost and risk against the business benefits. Put simply, it shows that the aggregated project risk is worth the benefits. If this is so, then the Business Case remains viable, desirable, and achievable. This one fact highlights the importance of proper risk management. Whenever a new risk is identified, an existing risk changes its characteristics, an issue is identified, or at important control points such as end stage assessments — the Business Case should be checked for viability — and this includes the aggregated value of all of the risks.

Effective risk management entails clearly identifying each risk, and estimating it in terms of its probability and impact and controlling it by taking appropriate action and ensuring such actions have, and continue to have, the desired effect.

Before getting into the details of risks, a project must determine the Risk Management Strategy which describes how risk management will be both used and implemented within the project. The risk management strategy should include, amongst other aspects:

– particular tools and techniques to be used
– the responsibilities for risk management actions
– the procedure for risk management, such as Identify, Assess, Countermeasures/actions, implementation and communication.
– the scales to be used for calibrating and estimating probability and impact
– the reporting and timing of risk management activities, such as at the end of each project stage
– the risk categories to be defined, the action categories, the definition of risk proximity, and risk trigger indicators.
– for contingency or fallback actions, a risk budget should also be agreed. This budget is used to pay for any such risk actions should they be needed.
– when using management by exception, the risk tolerance or “risk appetite” should be agreed between the project manager and the project board.

It is worth discussing that last bullet in more detail:

Tolerance is an allowable variation, typically of time and cost, that the project manager can “use” to allow for small deviations and estimating errors. Should, at any point, the project or stage be forecast to exceed this tolerance, the project manager must escalate the situation up to the next level of management – who need to make a decision on what to do next.

However, the tolerance used may be risk tolerance. In that case, discussions should be had between the project board and project manager about how much risk can be tolerated (“risk appetite”). The escalation triggers might be factors such as a particular risk’s impact increasing beyond a set value, or its probability increasing in the same way, or risks falling under a particular category – such as those affecting corporate image.

The Risk Register should be created early in the project, and used to capture all details and the status of each risk identified. The project manager is responsible for ensuring that risks are managed properly, but there will be the need for risk owners for all risks, and these owners may be other people involved in the project. They should be chosen as the best person to keep an eye on the risk. The owner may be the person required to implement the risk action, or may act as a “forward scout” to report risk status back to the project manager.

The first step in the risk management procedure is to identify the risks, and this is normally done within a risk workshop. Another useful source of possible risk identification is to review lessons from previous projects. Yet more sources include organisational risk checklists, or the use of industry-wide checklists or tables.

Many people make the mistake of naming risks such as “there is a risk that the project may come in late” — but this is a mistake, because the statement is not naming the risk itself, but its impact. This is where “Fish-bone” or Ishikawa Diagrams can be useful in separating the risk event, its cause, and the effect (the risk impact).

It is helpful to consider that the source of the risk is called the risk cause (the potential trigger points for each risk), the risk event describes the area of uncertainty, and the risk effect describes the risk impact on the project objectives.

The next step is to estimate and evaluate each risk, and there are various estimation techniques that may be used:

Probability trees. These are diagrammatic representations of possible risk events shown as linked rectangles, each with a probability and impact. When linked together, the aggregated value of project risk can be determined. These help the decision-makers to determine possible outcomes, and ensure suitable actions can be implemented.

Expected value. This technique multiplies the cost of the risk impact by the probability of the risk occurring. For example, if the cost of a risk was £10,000, and the probability equal to 40%, then the expected value would be £4,000. Summing all of these expected values together will give the aggregated risk expected monetary value of the project. This is helpful in determining a potential Risk Budget.

Pareto Analysis. This is often called the 80/20 rule, from the observation that 20% of the risks will have the most impact on a project, and allows management to focus their attention on managing and controlling those risks. It gives the best “Risk ROI”.

The probability impact grid. This is a table with the vertical axis scaled in probability and the horizontal axis scaled in impact. Suitable scales are determined, typically 10% probability as very low, through to 70 to 90% probability as very high. The impact scale usually covers from very low to very high. The grid is used to provide an assessment of the severity of a risk and so enable risks to be ranked such that management effort can be prioritised.

The summary risk profile. This again is a grid of probability against impact, but instead of measuring the severity of each risk (probability times impact), it plots each risk as a number much like a scatter diagram, so that the spread and severity of risks can be directly seen. For example, any risks which have a very high impact and probability would be seen as severe threats, and this will enable appropriate actions or countermeasures to be determined.
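The following is an added worked example, not code from the original article, that runs a small constructed risk register through the estimation techniques just described: the expected value of each risk, the aggregated risk budget, a probability/impact grid ranking, a summary risk profile and a Pareto selection of the risks that account for most of the expected loss. The register entries, the intermediate probability bands and the monetary impact thresholds are assumptions made for the example (the 10% “very low” and 70%+ “very high” probability points follow the text).

```python
"""Added example (not from the original article): a constructed risk register
run through expected value, risk budget, probability/impact grid, summary
risk profile and Pareto analysis."""

from collections import defaultdict

# Probability bands as (upper bound, label), very low .. very high.
# 10% = very low and 70%+ = very high follow the text; the bands between
# them are an assumption for this example.
PROB_BANDS = [(0.10, "VL"), (0.30, "L"), (0.50, "M"), (0.70, "H"), (1.00, "VH")]
# Impact bands in pounds: constructed thresholds for an example project.
IMPACT_BANDS = [(1_000, "VL"), (5_000, "L"), (20_000, "M"),
                (50_000, "H"), (float("inf"), "VH")]

# Constructed register: id, risk event, probability, cost impact in pounds.
# R1 reproduces the article's worked figure (40% of £10,000 = £4,000).
REGISTER = [
    {"id": "R1", "event": "key supplier delivers late",          "prob": 0.40, "impact": 10_000},
    {"id": "R2", "event": "test environment unavailable",        "prob": 0.80, "impact": 60_000},
    {"id": "R3", "event": "migration script corrupts records",   "prob": 0.20, "impact": 40_000},
    {"id": "R4", "event": "minor scope creep from sponsor",      "prob": 0.60, "impact": 800},
    {"id": "R5", "event": "regulatory change mid-project",       "prob": 0.05, "impact": 90_000},
]


def band(value, bands):
    """Label of the first band whose upper bound covers value."""
    for upper, label in bands:
        if value <= upper:
            return label
    return bands[-1][1]


def expected_value(risk):
    """Expected monetary value = probability x cost impact."""
    return risk["prob"] * risk["impact"]


def risk_budget(register):
    """Aggregated expected monetary value of all risks (basis for a risk budget)."""
    return sum(expected_value(r) for r in register)


def severity(risk):
    """Probability/impact grid score: product of the two band ranks (1..5)."""
    p_labels = [label for _, label in PROB_BANDS]
    i_labels = [label for _, label in IMPACT_BANDS]
    p_rank = p_labels.index(band(risk["prob"], PROB_BANDS)) + 1
    i_rank = i_labels.index(band(risk["impact"], IMPACT_BANDS)) + 1
    return p_rank * i_rank


def ranked(register):
    """Risk ids ordered by grid severity, highest first (ties broken by expected value)."""
    ordered = sorted(register, key=lambda r: (severity(r), expected_value(r)), reverse=True)
    return [r["id"] for r in ordered]


def summary_risk_profile(register):
    """Scatter-style grid: (probability band, impact band) -> risk ids plotted there."""
    grid = defaultdict(list)
    for r in register:
        grid[(band(r["prob"], PROB_BANDS), band(r["impact"], IMPACT_BANDS))].append(r["id"])
    return dict(grid)


def pareto_top(register, share=0.80):
    """Smallest set of risks whose expected values cover `share` of the total."""
    total = risk_budget(register)
    chosen, running = [], 0.0
    for r in sorted(register, key=expected_value, reverse=True):
        chosen.append(r["id"])
        running += expected_value(r)
        if running >= share * total:
            break
    return chosen


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r['id']}: EV £{expected_value(r):,.0f}, grid severity {severity(r)}")
    print(f"risk budget: £{risk_budget(REGISTER):,.0f}")
    print("grid ranking:", ranked(REGISTER))
    print("Pareto 80% set:", pareto_top(REGISTER))
    print("summary risk profile:", summary_risk_profile(REGISTER))
```

Running it shows the point the text makes about the two grids: the grid ranking puts R2 first and R4 last by band severity, while the summary risk profile keeps each risk visible in its own cell so that a low-probability, very-high-impact risk such as R5 is not lost, and the Pareto set shows that two of the five risks carry over 80% of the expected loss.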

The next step is to plan the appropriate responses, both for threats and opportunities. There are many ways to describe such actions, but the following are most often used:

For Threats:

Avoid. An action is planned for the project to do something different, such that the threat can either no longer have an impact on the project and/or its probability is zero.

Reduce. An action is planned to either reduce the probability of the risk occurring, and/or to reduce the impact of the event should it occur.

Fallback (often called Contingency). An action is planned but only implemented should the linked risk occur.

Transfer. An action is planned that reduces the financial impact of the threat. Usually, the action is via some form of insurance, or an appropriate clause in a contract so that the other party bears the financial pain.

Accept. This is the “take no action” option. The threat should still be continuously monitored to ensure that it remains tolerable. This action is often chosen because the risk has a low probability and/or a low impact, or that the costs and effort of any actions outweigh the severity of the threat.

Threat or Opportunity:

Share. Often carried out within contracts using third parties, where a pain/gain formula is agreed should the threat or opportunity occur.

Exploit. Taking action to ensure that the opportunity will happen and that the positive impact will be realized.
Enhance. Taking proactive actions which either enhance the probability and/or the impact of the event.
Reject. A decision taken not to exploit or enhance the opportunity.

All of the above actions are captured and entered within the risk register, and project or stage level plans have the above activities and resources added.

It is helpful to include the proximity for each risk. This is the time frame of the risk event occurring from the present day. This is helpful in focusing resources on actions for risks in the near future. But it is also helpful in determining when each risk event will occur, as this will have an effect on the severity of the impact.

Throughout a project, new risks can be identified, and existing risks can change their status — for this reason risk management should be seen as an ongoing activity throughout the entire project. It should also be remembered that as issues arise, these can in themselves impact existing risks or cause new risks.

At the end of each stage of a project, the total risk situation needs to be calculated, and used as part of the data for management to make an informed decision as to whether to proceed with the project or not. At the end of a project, as part of closure, any outstanding risks which would therefore have an impact on the end product’s operational life should be found a new owner, so that such risks can continue to be successfully managed and controlled.

Preparing Annual Risk Management Strategy

Organizations would be focusing on preparing the risk management strategy and plan for 2011 as it is the last quarter of the year. Normally, Chief Audit Executives, Chief Risk Officers, Heads of Internal Audit, Chief Information Security Officers, Heads of Compliance, Heads of Ethics and Heads of Fraud Risks are very busy in the last quarter finishing off the year-end targets, objectives and key performance indicators. The next year’s strategy is developed from the previous year’s reports, observations, balanced scorecards and risk dashboards. A simplistic risk management strategy focuses on the following:

1) Financials – Developing a budget and other cost indicators

2) Operations – Preparing audit and review schedules. Listing out policies, procedures and manuals to be prepared and reviewed.

3) Resources – Formulating a hiring and a training plan

4) Knowledge – Developing knowledge bases, writing research papers and upgrading risk management tools and software.

Risk management has become complex and critical in the present economic environment. Without sophisticated and skilled risk management departments, organizations may face multiple disaster scenarios. Globalization, technology, the economic environment, regulators, competitors, and the speed of change have all contributed to making business operations more complex. Risk management departments need to gear up and develop an annual strategy with these aspects in mind.

Five suggestions for preparing a comprehensive annual strategy are given below:

1. Break the Silo Approach

Depending on the size of the organization, the organization may have a number of departments focusing on risk management. To name some, in respect to the department heads mentioned in the first paragraph, we have Internal Audit, Fraud Prevention & Investigation, Compliance, Information Security and Business Ethics. These departments generally have some overlapping functions and turf wars. Silos are formed and the senior management has difficulty in making sense of various risk dashboards and reports presented by the department heads.

Prepare individual plans for the departments and roll them upwards into a combined plan for all risk management departments. Prepare one single strategy and plan for the organization as a whole and present it to senior management. Present a plan to the management which emphasises the top risks to the organization, with a plan to mitigate and control them. The management will have higher respect for, and provide greater support to, the integrated approach. The various risk management departments will also be able to save cost and time on monitoring risks by reducing duplication of work, leveraging synergies and sharing tools and information.

2. Determine Risk Philosophy and Appetite of the Organization

In some cases, the risk management departments present a risk dashboard to the senior management of the organization. If the CEO of the organization asks “Can I hold you to this? Are you sure that if these top 10 risks are mitigated, the organization will sail through the year?”, the head of the department generally cannot say a definitive “yes”. The answer comes with a “maybe”, a “but”, an “if”, but not a “yes”. So the question is how a head of department should address this concern.

Risk managers need to determine the risk philosophy and appetite of the organization. To assess the risk philosophy, understand the organization culture and environment. The way business operations are conducted daily and the organization’s strategy are good indicators to find the risk philosophy. Assess whether business has an aggressive or conservative attitude towards risks for achieving business goals.

Risk appetite is the amount of risk which the organization is willing to take in order to undertake business activities. A simple question to ask the board members would be: “What amount is going to make you uncomfortable if it appears in the business newspapers?” Consolidate the risk exposures from the various risks identified by the risk departments and present them to the board. Finally, assess whether the company’s internal outlook on risk philosophy and appetite is consistent with the viewpoints of the board and other stakeholders. Realign the two where required to prepare the annual strategy.

3. Understand and Integrate with Business Strategy

In a few companies, the annual strategies and plans of business and risk management are drawn up in parallel, with neither having information of what the other is planning. The risk management strategy cannot be internally department focused. The risk department heads need to obtain information on the business strategy of the organization to understand strategic risks.

For example, obtain information on new products and services which the organization is introducing in the coming year. Identify the territories, branches, and countries into which the organization is planning to expand its business operations. Determine what the risks of expansion and innovation will be. Let us say a USA company is planning to introduce its products in India. India has different laws, regulations and taxes, and the operational risks are different too. Understand these risks and integrate them into the annual strategy and plan. This way, neither the risk management departments nor the business operation departments will be surprised. The budgets and plans would be incorporated and approved before the year commences, hence there will be limited firefighting.

4. Focus on Building Relationships

One of the grouses which risk departments have is that they are not on the CXOs’ radar, do not have direct reporting to the top or representation at the board, and are sidelined from the critical business operations due to negative perceptions.

Plan for the coming year and prepare a wish list. Include in it the time required from the CEO and other CXOs, the formation and membership of a risk oversight committee, a new organization structure with the head directly reporting to the CEO, and a nomination at the board. Discuss these aspects with the CEO and senior management during plan preparation. This will ensure that the senior management schedules the requirements in their plans. Insist that the CEO puts risk management as one of the points in his/her personal balanced scorecard. This will make sure he/she is dedicated and committed to risk management throughout the year.

Discuss the composition of the risk oversight committee and audit committee. Identify the members you wish to nominate who support risk management initiatives. Define the process of reporting to the board and the audit committee. Get their commitment for board nomination and new organization structure for risk management departments. Start the groundwork for building relationships at the planning stage itself.

5. Assess Competitors’ Strategies

The risk departments are generally happy with what they are doing and discover information about tools and methodologies from various institutes’ periodicals, magazines and conferences. Only in a few cases is there some focus on the operations of the risk management departments of competing businesses and organizations.

Determine which organizations are competition to the business in respect of products and services in the various territories. Focus on finding information on the risk management department operations of these organizations. Find out which risks those organizations faced, how they were mitigated, what kind of tools and knowledge bases they are using, and what their staff strength, skill set and organization structure are. Will some of the practices result in cost savings and better synergies within the business? Determine the similarities and differences, and assess what can be incorporated in your organization effectively. There are lessons which can be learned from competitors’ successes and failures. Leverage competition knowledge to learn these lessons.

Risk Management

Every business carries an element of risk. Therefore, managing risks is a crucial process in many organizations. Depending on the business, steps can be taken to reduce the frequency and intensity of risk. Risk management is a process or group in an organization that takes management action to reduce risk. This activity involves measuring risk and developing strategies to manage it. The strategies employed include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.

There are two kinds of risk management. Traditional risk management is focused on risks stemming from physical and legal causes like natural disasters, accidents, death or lawsuits. Financial risk management focuses on risks that can be managed by using traded financial instruments. Large corporations employ risk management teams, while smaller corporations practice informal, if not formal, risk management techniques that are rolled into the responsibilities of operational managers. Risk managers recognize and review their organization’s loss exposures, including property, liability, personnel and net income. This helps promote growth through profit, continuous operation and stable earnings.

The function of risk management is to organize and carry out a plan to control or reduce the risks to which a firm is exposed. This planning involves a five-step process. The first step is to identify potential risks. The method of identifying risks may depend on the organizational culture, industry practice and compliance. Once risks have been identified, the next step is to assess the potential severity of loss and probability of occurrence. The third step is to find a potential treatment for the problem. This may involve the transfer, avoidance, reduction or retention of a potential risk. Next is to implement the plan by choosing the right method of treatment. Prior to implementation, a review and evaluation of the plan is necessary.

Initial risk management plans are never perfect. Practice, experience and actual results will necessitate changes in the plan. Therefore, the plan should make room for flexibility in decision making. Risk management is considered an art in management circles, and experience and exposure to situations help in mastering this art.

Control Self-Assessment

Control Self-Assessment (CSA) is a technique that was originally developed by Gulf Canada in 1987. In March 2000, the European Commission approved a white paper on CSA. In the United States, when the Sarbanes-Oxley Act was implemented in 2007, section 404 of the Act required companies to perform a top-down risk assessment which necessitated CSA. In the United Kingdom in 2011 the Financial Services Authority (now the Financial Conduct Authority) recognised in its recommendations for the improvement of operational risk management that the assessment of risks through a control self-assessment may be an important means of identifying risks. Today, a wide range of entities, including private sector companies, voluntary sector (charities) and public sector entities, use CSA to assess the effectiveness of their risk management and control processes.

The Institute of Internal Auditors runs courses and seminars and offers the Certification in Control Self-Assessment (CCSA).

The Information Systems Audit and Control Association (ISACA) created a framework called COBIT (Control Objectives for Information and Related Technology). Control Self-Assessment is contained within COBIT’s Control Objective ME2.4.

What is Control Self-Assessment?

CSA is a management technique that can be used to assure key stakeholders, both internal and external, that a company’s internal controls system is reliable. CSA allows managers and work teams directly involved in the business units, functions or processes to participate in assessing the company’s risk management and control processes. CSA can cover objectives, risks, controls and processes.

CSA is a sustainable process whereby management validates the operating effectiveness of its internal controls via testing. Each process owner and functional control owner within a company performs effectiveness testing to verify that the key controls are operating effectively.

Each process owner develops test scripts for each key control and engages their team to perform the given tests throughout the year. This allows management to verify that these controls are working effectively. A CSA program expands the role of operations management from merely assessing the design of its internal controls to testing and validating the effectiveness of its internal controls throughout the year.

Benefits of a CSA Program

An effective CSA program can deliver a number of benefits including:

• Creation of a clear line of accountability for internal controls;

• Minimising the risk of fraud;

• Creation of an improved controls environment resulting in a lower risk profile for the company;

• Sustainability of management’s compliance program;

• Reduction in regulatory compliance costs.

CSA Program

The first step in any CSA program is to document the company’s control processes with the aim of identifying suitable ways of measuring or testing each control. The actual testing of the controls is performed by staff whose day-to-day role is within the area of the company that is being evaluated as they have the greatest knowledge of how the processes operate. The common techniques for performing the evaluations are:

• Internal Control Questionnaire (ICQ) or Customised Survey Questionnaires

• Interview Techniques

• Control model Workshops or Interactive Workshops

Some companies choose a combination of methodologies that suits their operations to implement an effective CSA program. On completion of the assessment each control may be rated based on the responses received to determine the probability of its failure and the impact if a failure occurred. These ratings can be summarised to produce a risk matrix showing potential areas of vulnerability.

In any CSA program, the key steps are to define the nature and extent of the company’s CSA program, roll out the program, perform the first round of testing and review, and then incorporate lessons learned before going through the process again.

Conclusion

Entities have different drivers for wanting to enhance their internal controls environment, e.g. regulatory requirements, a change in ownership, a change in senior management, implementation of a major ERP system, or simply wanting stronger internal controls to improve efficiency. Whatever the driver is, implementing a CSA program should be considered. By implementing an effective CSA program, the entity can embed internal control accountability deep into the company, ensure the sustainability of the internal controls compliance efforts, and ultimately reduce the cost of overall compliance efforts. In other words, an effective CSA program will drive a much improved internal control environment, giving assurance to all key stakeholders, internal and external alike, that the company’s controls are operating effectively.

Tips To Reduce The Ways Your Sales Force Might Be Putting Your Business At Risk

When you think about the risks your sales force may be creating, the main thing to bear in mind is that salespeople are often working alone and away from the supervision, support and the sort of controls that reduce risks in other parts of the business. Let us consider what these risks are.

Damage to your reputation. This could be caused by overenthusiasm or by a lack of respect for the potential customer.
Compliance issues. Mis-selling is the obvious one, but data protection is another. In some industries there are still more.
Overpromising. Usually about availability or delivery. Possibly about quality or performance.
Giving away money! Allowing too many discounts or making special offers without proper approval.
Lone working. Salespeople often work from home or are out on the road a lot. This makes supervision difficult and may leave them vulnerable to all kinds of risks which would not apply to workers in an office or a factory.
Stress. Pressure to achieve targets, especially when coupled with working alone, can lead to stress-related health problems.
The “grey fleet” risk. If salespeople are on the road a lot, even using their own vehicles, there are elements of the motor risk that can fall on the employer. These include vicarious liability for third party accidents and the risk of their having inadequate or inappropriate motor insurance themselves.

Here are some tips on minimising the risks without reducing your sales.

1. Have clear policies and procedures against mis-selling and make sure you provide training so your salespeople know them. Frequent updates and refreshers will be worthwhile.

2. Have clear rules about levels of authority for negotiating discounts or other benefits, otherwise your salespeople could be selling your products at a loss out of the desire to get a sale at all costs – to you!

3. Check driving licences and insurance certificates of all people who use their own vehicles on your business or you could find yourself liable for accidents they may cause.

4. Set realistic targets and programmes so you will not be held to be the cause of any accidents due to drivers being too tired or driving for over-long times.

5. Issue appropriate Health & Safety advice to people working alone.

6. Issue rules and guidelines for the use of IT and social media, whether the kit is provided by the business or not.

7. Have procedures for handling complaints which involve independent review to ensure fairness to both customers and employees.

8. Make sure members of the sales force do not handle money or invoices to guard against fraud and protect the innocent from false accusations.

9. Try to get out there and see what is happening in reality, do not just rely on reports on paper or online. Meet customers and salespeople occasionally at the front line.

Remember that in all these things rules are no use unless taught and enforced.

Risk Management Strategies for IT Systems

Risk management has been around for a long time. Financial managers run risk assessments for nearly all business models, and the idea of risk carries nearly as many definitions as the Internet. However, for IT managers and IT professionals, risk management still frequently takes a far lower priority than other operations and support activities.

For IT managers a good, simple definition for RISK may be from the Open FAIR model which states:

“Risk is defined as the probable frequency and magnitude of future loss”

Risk management should follow a structured process acknowledging many aspects of the IT operations process, with special considerations for security and systems availability.

Frameworks, such as Open FAIR, distill risk into a structure of probabilities, frequencies, and values. Each critical system or process is considered independently, with a probability of disruption or loss event paired with a probable value.
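As an added illustration of the frequency-and-magnitude structure just described (this is example code written for this page, not Open FAIR’s own tooling or taxonomy), the block below estimates annualised loss for a few critical systems. Each system gets a loss event frequency per year and a loss magnitude per event, both expressed as minimum / most likely / maximum ranges, and a simulation draws many years to produce a mean and percentiles rather than a single figure. FAIR proper calibrates its estimates and uses PERT-shaped distributions; this example substitutes Python’s triangular distribution as a simplification, and the system names and figures are constructed.

```python
"""Added example (not from the article or The Open Group): a FAIR-style
annualised loss estimate per system, using loss event frequency and loss
magnitude ranges and a Monte Carlo simulation. Triangular distributions
stand in for FAIR's PERT distributions; all figures are constructed."""

import random
import statistics

# Constructed per-system estimates: (min, most likely, max) for loss events
# per year and for loss magnitude per event in pounds.
SYSTEMS = {
    "order-api": {"freq": (0.5, 2.0, 6.0),  "magnitude": (5_000, 40_000, 250_000)},
    "payroll":   {"freq": (0.1, 0.5, 2.0),  "magnitude": (20_000, 80_000, 400_000)},
    "intranet":  {"freq": (2.0, 8.0, 20.0), "magnitude": (200, 2_000, 15_000)},
}


def simulate_annual_loss(system, rng):
    """One simulated year: draw a frequency, round it to a whole number of
    loss events, then sum that many independent magnitude draws."""
    f_min, f_mode, f_max = system["freq"]
    m_min, m_mode, m_max = system["magnitude"]
    # random.triangular takes (low, high, mode).
    events = round(rng.triangular(f_min, f_max, f_mode))
    return sum(rng.triangular(m_min, m_max, m_mode) for _ in range(events))


def loss_distribution(system, trials=10_000, seed=1):
    """(mean, p50, p90) annual loss over `trials` simulated years.
    A fixed seed keeps the result reproducible between runs."""
    rng = random.Random(seed)
    losses = sorted(simulate_annual_loss(system, rng) for _ in range(trials))
    p50 = losses[int(0.50 * trials)]
    p90 = losses[int(0.90 * trials)]
    return statistics.mean(losses), p50, p90


def point_estimate(system):
    """Single-figure estimate from the most likely values only
    (frequency mode x magnitude mode), for comparison with the simulated mean."""
    return system["freq"][1] * system["magnitude"][1]


def rank_systems(systems, trials=10_000, seed=1):
    """Systems ordered by mean annualised loss, highest first,
    as (name, mean, p50, p90) rows."""
    rows = []
    for name, system in systems.items():
        mean, p50, p90 = loss_distribution(system, trials, seed)
        rows.append((name, mean, p50, p90))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, mean, p50, p90 in rank_systems(SYSTEMS):
        print(f"{name:10s} mean £{mean:>10,.0f}  p50 £{p50:>10,.0f}  "
              f"p90 £{p90:>10,.0f}  mode-only £{point_estimate(SYSTEMS[name]):>10,.0f}")
```

The comparison column is the reason to simulate rather than multiply two “most likely” numbers: because the magnitude ranges are skewed towards large losses, the simulated mean for each system comes out well above the mode-only figure, and the p90 column gives management a bad-year figure to weigh against the cost of mitigation.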

It would not be uncommon for an organization to perform numerous risk assessments based on critical systems, identifying and correcting shortfalls as needed to mitigate the probability or magnitude of a potential event or loss. Much like other frameworks used in the enterprise architecture process / framework, service delivery (such as ITIL), or governance, the objective is to produce a structured risk assessment and analysis approach, without becoming overwhelming.

IT risk management has been neglected in many organizations, possibly due to the rapid evolution of IT systems, including cloud computing and the implementation of broadband networks. When service disruptions or security events occur, those organizations find themselves unprepared to deal with the loss magnitude of the disruptions, and a lack of preparation or mitigation for disasters may result in the organization never fully recovering from the event.

Fortunately, processes and frameworks guiding a risk management process are becoming far more mature, and attainable by nearly all organizations. The Open Group’s Open FAIR standard and taxonomy provide a very robust framework, as does ISACA’s COBIT 5 risk guidance.

In addition, the US Government’s National Institute of Standards and Technology (NIST) provides open risk assessment and management guidance for both government and non-government users within the NIST Special Publication Series, including SP 800-30 (Risk Assessment), SP 800-37 (System Risk Management Framework), and SP 800-39 (Enterprise-Wide Risk Management).

ENISA also publishes a risk management process which is compliant with the ISO 13335 standard and builds on ISO 27005.

What is the objective of going through the risk assessment and analysis process? Of course it is to build mitigation controls, or build resistance to potential disruptions, threats, and events that would result in a loss to the company, or other direct and secondary stakeholders.

However, many organizations, particularly small to medium enterprises, either do not believe they have the resources to go through risk assessments, have no formal governance process, have no formal security management process, or simply believe that time spent on activities which do not directly support the rapid growth and development of the company is not worthwhile, and so they continue to be at risk.

As managers, leaders, investors, and customers we have an obligation to ensure our own internal risk is assessed and understood, as well as from the viewpoint of customers or consumers that our suppliers and vendors are following formal risk management processes. In a fast, agile, global, and unforgiving market, the alternative is not pretty.