Risk Management

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative), followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, threats from project failures (at any phase of the design, development, production, or sustainment life cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack by an adversary, or events of uncertain or unpredictable root cause. Natural causes and disasters are also referred to, as a legal term, as an act of God: an event outside human control, such as a sudden flood or other natural disaster, for which no one can be held responsible. In the law of contracts, an act of God may be interpreted as an implied defense under the rule of impossibility or impracticability. If so, the promise is discharged because of unforeseen occurrences that were unavoidable and would result in insurmountable delay, expense, or other material breach.

An example scenario could assume that an opera singer and a concert hall have a contract. The singer promises to appear and perform at a certain time on a certain date. The hall promises to have the stage and audio equipment ready for her. However, a tornado destroys the hall a month before the concert is to take place. Of course, the hall is not responsible for the tornado. It may be impossible for the hall to rebuild in time to keep its promise. On the other hand, it may be possible but extraordinarily expensive to reconstruct on such short notice. The hall would argue that the tornado was an act of God that excuses its nonperformance via impossibility or impracticability.

In other contracts, such as indemnification, an act of God may be no excuse, and in fact may be the central risk assumed by the promisor, e.g. flood insurance or crop insurance, the only variables being the timing and extent of the damage. In many cases, failure by way of ignoring obvious risks due to “natural phenomena” will not be sufficient to excuse performance of the obligation, even if the events are relatively rare: e.g. the year 2000 problem in computers. Under Uniform Commercial Code § 2-615, failure to deliver goods sold may be excused by an “act of God” if the absence of such an act was a “basic assumption” of the contract and its occurrence has made delivery “commercially impracticable”.

Recently, human activities have been claimed to be the root causes of some events until now considered natural disasters. In particular:

  • water pressure behind dams releasing a geological fault
  • geothermal injections of water provoking earthquakes
  • drilling provoking a mud volcano

Such events may threaten the legal status of acts of God and may establish liabilities where none existed until now.

Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO. Methods, definitions and goals vary widely according to whether the risk management method is applied in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

The strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).

Certain aspects of many of the risk management standards have come under criticism for producing no measurable improvement in risk, even though confidence in estimates and decisions seems to increase.

Method of Risk Management

For the most part, these methods consist of the following elements, performed more or less in the following order:

  • identify and characterize threats
  • assess the vulnerability of critical assets to specific threats
  • determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
  • identify ways to reduce those risks
  • prioritize risk reduction measures based on a strategy

Principles of risk management

The International Organization for Standardization (ISO) identifies the following principles of risk management:

Risk management should:

  • create value – resources expended to mitigate risk should be less than the consequence of inaction, or (as in value engineering), the gain should exceed the pain
  • be an integral part of organizational processes
  • be part of the decision-making process
  • explicitly address uncertainty and assumptions
  • be systematic and structured
  • be based on the best available information
  • be tailorable
  • take human factors into account
  • be transparent and inclusive
  • be dynamic, iterative and responsive to change
  • be capable of continual improvement and enhancement
  • be continually or periodically re-assessed

Assessment

Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called a hazard). Quantitative risk assessment requires calculating two components of risk (R): the magnitude of the potential loss (L) and the probability (p) that the loss will occur. Acceptable risk is a risk that is understood and tolerated, usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss.

In the engineering of complex systems of all types, sophisticated risk assessments are often made within safety engineering and reliability engineering when threats to life, the environment or machine functioning are concerned. The nuclear, aerospace, oil, rail and military industries have a long history of dealing with risk assessment. The medical, hospital, social service and food industries also control risks and perform risk assessments on a continual basis. Methods for the assessment of risk may differ between industries and according to whether they pertain to general financial decisions or to environmental, ecological, or public health risk assessment.

Risk assessment consists of an objective evaluation of risk in which assumptions and uncertainties are clearly considered and presented. Part of the difficulty in risk management is that both quantities with which risk assessment is concerned – potential loss and probability of occurrence – can be very difficult to measure. The chance of error in measuring these two concepts is large. A risk with a large potential loss and a low probability of occurring is often treated differently from one with a low potential loss and a high likelihood of occurring. In theory, both are of nearly equal priority, but in practice it can be very difficult to manage them when faced with the scarcity of resources, especially time, in which to conduct the risk management process.
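The quantitative view of the two preceding paragraphs, worked through in code. This is an added example and not part of the original article: it assumes the usual expected-loss model R = p × L, a constructed three-entry risk register whose asset names, annual probabilities and loss figures are made up for illustration, and a countermeasure whose cost and residual risk are likewise assumed. The register is chosen so that a rare, severe event and a frequent, minor one carry the same expected loss, which is the case the text says is often treated differently in practice despite equal priority in theory.

```python
"""Quantitative risk assessment: expected loss, ranking and acceptable-risk decisions.

Added example; the register values below are constructed, not data from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # p: assumed annual probability that the loss event occurs (0..1)
    loss: float         # L: assumed magnitude of the potential loss, in currency units

    def expected_loss(self) -> float:
        """R = p * L, the expectation of loss over the period (assumed model)."""
        return self.probability * self.loss


def rank_by_expected_loss(risks):
    """Order risks by expected loss, highest first (stable for ties)."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def is_acceptable(risk, countermeasure_cost):
    """Acceptable risk, as the article defines it: the cost of an effective
    countermeasure exceeds the expectation of loss it would remove."""
    return countermeasure_cost > risk.expected_loss()


def countermeasure_benefit(risk, residual_probability, residual_loss, countermeasure_cost):
    """Net benefit of a countermeasure: reduction in expected loss minus its cost.
    Positive means the measure creates value; negative means it costs more than it saves."""
    residual = Risk(risk.name, residual_probability, residual_loss)
    return risk.expected_loss() - residual.expected_loss() - countermeasure_cost


def summarize(risks):
    """(name, expected loss) pairs in priority order, for a register report."""
    return [(r.name, r.expected_loss()) for r in rank_by_expected_loss(risks)]


# Constructed sample register (all values are assumptions for illustration).
REGISTER = [
    Risk("data-centre fire", probability=0.01, loss=2_000_000),  # rare, severe
    Risk("laptop theft", probability=0.5, loss=40_000),           # frequent, minor
    Risk("ransomware outage", probability=0.1, loss=300_000),
]


if __name__ == "__main__":
    for name, r in summarize(REGISTER):
        print(f"{name:<20} expected loss {r:>12,.0f}")
    fire = REGISTER[0]
    # A 25,000 countermeasure against a 20,000 expected loss: the risk is tolerated.
    print("fire risk acceptable at 25,000 countermeasure cost:", is_acceptable(fire, 25_000))
    # Backup/restore programme assumed to cut outage probability from 0.1 to 0.02 for 15,000.
    print("net benefit of ransomware countermeasure:",
          countermeasure_benefit(REGISTER[2], 0.02, 300_000, 15_000))
```

Note that the fire and the laptop theft tie at an expected loss of 20,000, so a purely quantitative ranking cannot separate them; the choice between them comes down to risk appetite and the measurement error the text warns about, not to R alone.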

Financial decisions, such as insurance, express loss in terms of dollar amounts. When risk assessment is used for public health or environmental decisions, loss can be quantified in a common metric such as a country’s currency or some numerical measure of a location’s quality of life. Alternatively, for public health and environmental decisions, loss is simply a verbal description of the outcome, such as increased cancer incidence or incidence of birth defects.

If the risk estimate takes into account information on the number of individuals exposed, it is termed a “population risk” and is in units of expected increased cases per time period. If the risk estimate does not take into account the number of individuals exposed, it is termed an “individual risk” and is in units of incidence rate per time period. Population risks are of more use for cost/benefit analysis; individual risks are of more use for evaluating whether risks to individuals are “acceptable”.

Risk Treatments

Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:

  • Avoidance (eliminate, withdraw from or not become involved)
  • Reduction (optimize – mitigate)
  • Sharing (transfer – outsource or insure)
  • Retention (accept and budget)

Risk avoidance

This includes not performing an activity that could carry risk. An example would be not buying a property or business in order to avoid the legal liability that comes with it. Another would be not flying in order to avoid the risk that the airplane might be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits. Increasing risk regulation in hospitals has led to avoidance of treating higher-risk conditions, in favour of patients presenting with lower risk.

Risk reduction

Risk reduction or “optimization” involves reducing the severity of the loss or the likelihood of the loss from occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.

Acknowledging that risks can be positive or negative, optimizing risks means finding a balance between negative risk and the benefit of the operation or activity, and between risk reduction and the effort applied. An offshore drilling contractor that effectively applies HSE (health, safety and environment) management in its organization can optimize risk to achieve levels of residual risk that are tolerable.

Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a single iteration.

Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher capability at managing or reducing risks. For example, a company may outsource only its software development, the manufacturing of hard goods, or customer support needs to another company, while handling the business management itself. This way, the company can concentrate more on business development without having to worry as much about the manufacturing process, managing the development team, or finding a physical location for a call center.

Risk sharing

Risk sharing is briefly defined as “sharing with another party the burden of loss or the benefit of gain, from a risk, and the measures to reduce a risk.”

The term ‘risk transfer’ is often used in place of risk sharing in the mistaken belief that you can transfer a risk to a third party through insurance or outsourcing. In practice, if the insurance company or contractor goes bankrupt or ends up in court, the original risk is likely to revert to the first party. As such, in the terminology of practitioners and scholars alike, the purchase of an insurance contract is often described as a “transfer of risk.” However, technically speaking, the buyer of the contract generally retains legal responsibility for the losses “transferred”, meaning that insurance may be described more accurately as a post-event compensatory mechanism. For example, a personal injury insurance policy does not transfer the risk of a car accident to the insurance company. The risk still lies with the policy holder, namely the person who has been in the accident. The insurance policy simply provides that if an accident (the event) occurs involving the policy holder, then some compensation may be payable to the policy holder that is commensurate with the suffering or damage.

Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.

Risk retention

Risk retention involves accepting the loss, or benefit of gain, from a risk when it occurs. True self-insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example, since most property and risks are not insured against war, so the loss attributable to war is retained by the insured. Also, any amount of potential loss (risk) over the amount insured is retained risk. This may be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great that it would hinder the goals of the organization too much.

Risk management plan

A risk management plan is a document that a project manager prepares to foresee risks, estimate impacts, and define responses to issues. It also contains a risk assessment matrix.
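As an added example that is not part of the original article, here is one shape a risk assessment matrix can take in code, with the four treatment categories from the Risk Treatments section attached to its rating bands. The 5×5 likelihood and impact scales, the rating thresholds, the rating-to-treatment policy and the three sample risks are all assumptions made for illustration; an organization defines its own scales and policy in its plan.

```python
"""Qualitative risk assessment matrix with treatment recommendations.

Added example; scales, thresholds, policy and sample risks are assumptions.
"""
# Ordinal scales (assumed): index + 1 gives the score 1..5.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "severe"]


def score(likelihood, impact):
    """Cell value of the matrix: ordinal likelihood times ordinal impact (1..25)."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


def rating(score_value):
    """Bucket a cell value into a rating band (thresholds are assumptions)."""
    if score_value >= 15:
        return "extreme"
    if score_value >= 8:
        return "high"
    if score_value >= 4:
        return "medium"
    return "low"


def recommend_treatment(likelihood, impact, can_transfer=False):
    """Map a rating band to one of the four treatment categories.

    Assumed policy: extreme -> avoidance (do not perform the activity);
    high -> sharing when an insurer or outsourcer can carry part of the loss,
    otherwise reduction; medium -> reduction; low -> retention (accept and budget).
    """
    band = rating(score(likelihood, impact))
    if band == "extreme":
        return "avoidance"
    if band == "high":
        return "sharing" if can_transfer else "reduction"
    if band == "medium":
        return "reduction"
    return "retention"


def render_matrix(risks):
    """Place risk ids on the grid: rows are impact (severe at top), columns likelihood."""
    cells = {}
    for rid, lk, im in risks:
        cells.setdefault((lk, im), []).append(rid)
    lines = []
    for im in reversed(IMPACT):
        row = [f"{im:>10}"]
        for lk in LIKELIHOOD:
            row.append(f"{','.join(cells.get((lk, im), [])) or '.':>6}")
        lines.append(" ".join(row))
    lines.append(" " * 11 + " ".join(f"{lk[:6]:>6}" for lk in LIKELIHOOD))
    return "\n".join(lines)


# Constructed register: (id, assessed likelihood, assessed impact); all assumed.
RISKS = [
    ("R1", "rare", "severe"),           # e.g. a rare but catastrophic site loss
    ("R2", "almost certain", "minor"),  # e.g. routine small equipment losses
    ("R3", "likely", "major"),          # e.g. an activity the plan may choose to avoid
]


if __name__ == "__main__":
    print(render_matrix(RISKS))
    for rid, lk, im in RISKS:
        print(rid, score(lk, im), rating(score(lk, im)),
              recommend_treatment(lk, im, can_transfer=(rid == "R2")))
```

The matrix is a coarse instrument: R1 (rare, severe) lands in the same "medium" band as a "possible, minor" event would, which is exactly the large-loss/low-probability versus small-loss/high-probability tension the Assessment section describes, so the plan should record the quantitative estimate alongside the band rather than rely on the band alone.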

Initial risk management plans will never be perfect. Practice, experience, and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced.
