Risk management
       A management perspective

Wednesday 28 April 2010
Plan
         What is risk ?
         Risk Governance
         Risk management
         Risk and culture
         Risk taxonomy
         Risk Metrics
         Wrap-up


Introduction
       What is risk ?

A definition of risk


           Pb(event) x impact




Risk has two meanings

           In English, Risk is an umbrella
           term, with two varieties:
                opportunity which is a risk
                with positive effects
                threat which is a risk with
                negative effects




                                              Hillson(2001)
Risk is not uncertainty

           Risk refers to situations where the decision-maker can
           assign mathematical probabilities to the randomness
           which he is faced with.
           Uncertainty refers to situations when this randomness
           "cannot" be expressed in terms of specific mathematical
           probabilities.




                                                     Knight, Frank H. (1921)
Risk and uncertainty

           The terms risk and uncertainty have become interchangeable,
           and one can often be found in the description of the other.

           Risk and uncertainty will be defined and used
           accordingly as separate issues of the same complex
           phenomenon, that of hazard management.



                                                              Beck(1986)
Risk is formal

           Risk can be considered as
           a systematic way of dealing with hazards.
           If it is assumed that there is uncertainty associated with
           any prediction of a hazard occurring, then there is only
           uncertainty because there is only ever a prediction of the
           likely occurrence.




                                                                 Beck(1986)
Uncertainty is not risk
           By uncertain knowledge, (...) I do
           not mean merely to distinguish
           what is known for certain from
           what is only probable.
           uncertainty is present when there
           is no scientific basis on which to
           form any calculable probability
           whatever.
                We simply do not know.


                                                Keynes(1937)
Risk and probability

           The very assignment of numerical probabilities - even if
           subjective - implies that it represents choice under
           "risk"
                These probabilities are merely expressions of what is
                ultimately amorphous belief and thus may seem more
                like "uncertainty".



                                                                Savage(1954)
Risk is about outcomes

           Risk is the probability that an
           event will occur.
           In epidemiology, it is most
           often used to express the
           probability that a particular
           outcome will occur following a
           particular exposure.



                                             Last JM, (2001)
What is the problem ?

           Risk is an old concept, classically measured as a product
           of outcome, usually negative, and a measure of
           uncertainty, such as probability, balancing bad, but
           unlikely, outcomes with less bad but more frequent ones.
           The problems arise in defining
                what one means by an outcome and
                how one assesses the probabilities.



                                                              Hudson(2003)
Risk Management

[Figure: Utility plotted against time (origin at 0), with regions labelled Risk, Risk management and RISK]

A more complete definition



         R!              (E,A,!)
                          "
           E : element at risk
                Element (asset, process, system, etc.) or group of elements
                that have an expected utility (u) for a given period of time
                (Δt) in a finite space (s)
           A : hazard (real, foreseeable or perceived)
                Event or sequence of events resulting from the exploitation
                of a vulnerability (ψ) of an element at risk (E), which can
                cause a damage (δ) that reduces the expected utility (u) for a
                given period of time (Δt) in a finite space (s)
           ψ : vulnerability
                Fragility (relative) of an element at risk (E) to a hazard (A)
           θ : resilience
                Capacity of an element at risk (E) to overcome a hazard (A)
                by minimizing damages (δ) or by using adversity as a catalyst
                for improvement. It is linked to organisational maturity
           δ : damage (real, foreseen or perceived)
                Reduction of the expected utility (u) of an element at risk
                (E) by a hazard (A)
           t : time
           s : space

The risk triangle

[Figure: a triangle whose sides are labelled Vulnerability, Damage or impact, and Hazard or threat, with Risk (E,t,s) at its centre]

Risk governance
       A management perspective


Ecosystemic view
        • A system formed by an ecological community and its environment that
            functions as a unit.
        •   The interconnectedness of organisms (plants, animals, microbes) with
            each other and their environment.

                                                               http://www.neok12.com/php/watch.php?

Governance structure

  Level         Body                   Role
  Executive     Corporate directors    supports
  Strategic     Governance committee   directs
  Tactical      Management committee   manages
  Operational   Professionals

Role of the Board of directors

[Figure: the Board of directors at the centre, surrounded by its stakeholders: Management, Stockholders, Employees, Lenders, Suppliers and Other stakeholders]

Roles and responsibilities

           Mission statement and
           values
           Sets culture and normative
           framework
           Arbitrage
           Exercises authority




Subsidiarity
           Responsibility for actions must be allotted to the smallest
           possible entity that can resolve them
                Decision making as close as possible to the end-user
                or customer
                Act locally: make the actors responsible
                Empower local competencies and decentralize

Risk governance
       Basic ethical principles


Due diligence

           Organisations need to
           demonstrate that they are
           being diligent
           They need to be able to
           demonstrate that they have
           in place formal processes to
           ensure that risks are known
           and managed




Precaution
           When there is the possibility, even if unlikely, that hazards
           may cause grave or irreversible damage, the absence of
           absolute scientific certainty cannot become a pretext to
           avoid taking action to prevent the degradation of the
           situation
              Contrary to rational theory, precaution justifies taking
              decisions in cases of incomplete information to avoid
              irreversible damage.
              It justifies non-optimal solutions that may satisfy all
              parties (minimum regret)

Continuous improvement
   Deming's wheel approach
   Recurring feedback loops
   Evolution of solutions aligned with
   the availability of resources

Evaluation
           Must determine, a priori:
              Objectives
              Follow-up parameters
              Control and corrective action plans
              A space for all stakeholders to review information
           Finality:
              Create mechanisms that allow the conversion of data
              into useful planning information

Risk Management
            Formal processes


IPMa process

[Figure: the IPMa cycle]
           Identify risks
           Prioritize
           Mobilize resources
           Audit

Qualitative or Quantitative ?
           In the absence of solid historical data, all data is subjective.
           Sources of historical data:
                Past events, hazards and incidents in the organization
                Data from similar organizations
                Regulatory bodies
                Gartner Group, IDC, Forrester Research and the literature
                Standards (ITU, ISO, IEEE)

Scenario based risk mgmt
           Using scenarios is the most 'human sensitive' approach to
           risk management
                it's simpler to get people to tell you a story
                What if ...
                Then ...
                This would result in ...
                But, we could do ... to prevent it or to reduce its impacts.

Incidents are central
           Using past incidents is a key to risk management
                Quantitative data finds its source in historical data
                It is a chance to improve
           Individuals have to feel that they can, and must, report
           incidents
                Management has to support this
           A risk registry, or journal, serves this purpose

IPM process

           Identify
                Hazards
                Vulnerabilities
                Damages
           Prioritize
           Mobilize resources

Cognitive processes
           The cognitive operations of individual decision makers
           involved in decisions about risk are (in order):
                Identify the scenarios to consider
                Predict the consequences of each scenario and
                estimate their likelihood
                Identify the variables likely to influence utility and
                adjust them to account for the context
                Evaluate the probabilities to assign to the contexts that
                have been retained
                Apply a decisional strategy

[Figure: a 2x2 matrix with Likelihood on the vertical axis and Damages on the horizontal axis. Top row: Transfer risk, Avoid risk. Bottom row: Accept risk, Mitigate risk]

[Figure: the same matrix, with the bottom row additionally labelled "Tolerate risks"]

Biases that may affect
       decision makers
           Errors in reasoning
           Cognitive dissonance
           Heuristics
           Cultural variations
           Limits of vigilance

Methodologies

           Several are available
           All have their limitations
                Choice of variables
                Scientificity
                Validity (internal and external)
           Must consider maturity



Risk Management Framework
           An integrated risk framework allows an organisation to
           integrate all the organisational, regulatory and scientific
           requirements in a cyclical approach (continuous
           improvement).
           Should include:
                Business processes
                Standard Operating Procedures
                A governance model
                Risk awareness, education & training programs
                Workflow management tool (software)

Change management
           Implementing an RMF is a change management problem
           Five (5) stages of change:
                Denial
                Resistance
                Decompensation
                Resignation
                Integration

How to facilitate change ?

           Education, training
           Setting normative factors
           Rationalization
           Consensus
           Other (dictatorship, coercion, esoteric)

Risk and culture
            Risk, culture, perception and subjectivity


Risk, culture and perception
           According to one cultural theory, people choose what to fear
           as a way to defend their way of life.
                The theory hypothesizes that adherents of a hierarchical
                culture will approve of technology, provided it is certified as
                safe by their experts.
                     Competitive individualists will view risk as opportunity
                     and, hence, be optimistic about technology.
                     And egalitarians will view technology as part of the
                     apparatus by which corporate capitalism maintains
                     inequalities that harm society and the natural
                     environment.
                                                                Wildavsky (2002)

Difficulty to assess risk

           Risk is not always easy to assess, since the probability of
           occurrence and the consequence of occurrence are
           usually not directly measurable parameters and must be
           estimated by statistical or other procedures.
           Risk constitutes a lack of knowledge of future events.
           Typically, future events (or outcomes) that are favorable
           are called opportunities, whereas unfavorable events are
           called risks. Another element of risk is its cause.



                                                             Kerzner, H. (2003)
Risk tolerance
           Risk tolerance looks at acceptable/unacceptable
           deviations from what is expected.
           In financial investments, the extent to which an investor is
           willing to accept more risk in exchange for the possibility
           of a higher return.

Risk appetite

           Where do we feel we should allocate our limited time and
           resources to minimise risk exposures?
           What level of risk exposure requires immediate action?
           What level of risk requires a formal response strategy to
           mitigate the potentially material impact?
           What events have occurred in the past, and at what level
           were they managed?




Predictable outcomes
           Many activities undertaken by organizations do not have
           predictable outcomes
                One can’t predict the return from a new project, for
                example.

                Occurrence of these types of events can only be described
                in terms of a range of possible outcomes and the likelihood
                or probability of each outcome.

           The lack of predictability of outcomes is referred to as risk.
                The concept of risk does not imply all possible outcomes are
                adverse, only that the precise probabilities of the outcomes
                are unknown.
                                                                       Lewis(2003)
Distribution of outcomes

           According to classical decision theory, risk is generally
           understood to be the distribution of possible outcomes,
           their likelihood, and their subjective values.
           In project management, this definition can be applied to
           time, cost, performance, and many other influential factors
           in any project that impact these three concerns.




                                          March and Shapira (1987) in Kwak(2005)
Reference points

           The reference points that
           people use to evaluate risky
           prospects affect risk-taking.
           In this respect, risk tolerance
           is a subjective notion in the
           absence of clear and uniform
           communication and tools for
           risk analysis.



           Kahneman and Tversky (1979) and Tversky and Kahneman (1992) in Kwak(2005)
Risk taxonomy
       Categories of organisational risks


Risk categories

           There is an infinite number of categories of risk
           Which ones apply depends on:
                organisational culture
                legislation
                many other factors

Risk Taxonomy

[Figure: risk taxonomy]

What is needed ?
           For each incident identified, information needs to be
           collected about :
                direct monetary losses caused by the incident
                     Annualized (or aligned on budgetary strategy)
                indirect losses (reputation damage or lost business)
                     with an estimate of the monetary losses resulting
                     from these indirect losses.


                                              Blakley, B., McDermott, E., Geer, D.(2001)
Risk register


           Dates: As the register is a living document, it is important
           to record the date that risks are identified or modified.
           Optional dates to include are the target and completion
           dates.
           Description of the Risk: A phrase that describes the risk.




                           Project Management Institute Body of Knowledge (PMBOK)
Risk register
           Risk type (business, project, stage): Classification of the
           risk. Business risks relate to the delivery of the expected
           benefits, project risks relate to the management of the project
           (such as timeframes and resources), and stage risks are risks
           associated with a specific stage plan.
           Likelihood of Occurrence: Provides an assessment of
           how likely it is that this risk will occur. Examples of
           classifications are: L-Low (<30%), M-Medium (31-70%),
           H-High (>70%).


                           Project Management Institute Body of Knowledge (PMBOK)

Risk register

           Severity of effect: Provides an assessment of the impact
           that the occurrence of this risk would have on the project.
           Counter Measures: Action to be taken to prevent, reduce
           or transfer the risk. This may include production of
           contingency plans.
           Owner: Individual responsible for ensuring that this risk is
           appropriately managed and counter measures are
           undertaken.


                           Project Management Institute Body of Knowledge (PMBOK)

Risk register

           Status: Indicates whether this is a current risk or whether the
           risk can no longer arise and impact the project. Example
           classifications are: C-current or E-ended.
           Other columns, such as a quantitative value, can also be
           added if appropriate.




                            Project Management Institute Body of Knowledge (PMBOK)
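A risk register along the lines of the columns described above, written here as an added example (it is not code from the deck or from the PMBOK): each row carries the dates, type, likelihood band, counter measures, owner and C/E status, and exposure is computed as Pb(event) x impact over the annualized direct and indirect losses listed on the "What is needed ?" slide. The field names, the treatment of the 30% and 70% boundaries (which the L/M/H bands leave unassigned), and the sample rows are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

RISK_TYPES = {"business", "project", "stage"}  # classification from the register slide
STATUSES = {"C", "E"}                           # C-current, E-ended


def likelihood_class(probability: float) -> str:
    """Map a probability to the register's L/M/H bands: L (<30%), M (31-70%), H (>70%).
    The slide leaves exactly 30% and 70% unassigned; this example assumes each
    boundary belongs to the lower band."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {probability}")
    if probability <= 0.30:
        return "L"
    if probability <= 0.70:
        return "M"
    return "H"


@dataclass
class RiskEntry:
    """One row of the register; the field names are this example's choice."""
    description: str
    risk_type: str          # business, project or stage
    probability: float      # probability of occurrence over the budget year
    direct_loss: float      # annualized direct monetary loss if the risk occurs
    indirect_loss: float    # monetary estimate of reputation / lost-business losses
    counter_measures: str   # action to prevent, reduce or transfer the risk
    owner: str
    identified: date        # the register is a living document: date every change
    status: str = "C"
    modified: Optional[date] = None
    completion: Optional[date] = None

    def __post_init__(self) -> None:
        if self.risk_type not in RISK_TYPES:
            raise ValueError(f"unknown risk type: {self.risk_type}")
        if self.status not in STATUSES:
            raise ValueError(f"unknown status: {self.status}")
        if self.direct_loss < 0 or self.indirect_loss < 0:
            raise ValueError("losses must be non-negative")
        likelihood_class(self.probability)  # rejects probabilities outside [0, 1]

    @property
    def likelihood(self) -> str:
        return likelihood_class(self.probability)

    @property
    def impact(self) -> float:
        """Direct plus indirect monetary loss should the risk occur."""
        return self.direct_loss + self.indirect_loss

    @property
    def exposure(self) -> float:
        """Pb(event) x impact; an ended risk can no longer arise, so it contributes 0."""
        return self.probability * self.impact if self.status == "C" else 0.0


class RiskRegister:
    def __init__(self) -> None:
        self.entries: List[RiskEntry] = []

    def add(self, entry: RiskEntry) -> None:
        if any(e.description == entry.description for e in self.entries):
            raise ValueError(f"duplicate risk: {entry.description}")
        self.entries.append(entry)

    def close(self, description: str, on: date) -> None:
        """Mark a risk E-ended and record when the register row changed."""
        entry = next(e for e in self.entries if e.description == description)
        entry.status, entry.modified, entry.completion = "E", on, on

    def prioritized(self) -> List[RiskEntry]:
        """The 'Prioritize' step of IPM: current risks, highest exposure first."""
        current = [e for e in self.entries if e.status == "C"]
        return sorted(current, key=lambda e: e.exposure, reverse=True)

    def total_exposure(self) -> float:
        return sum(e.exposure for e in self.entries)


def build_sample_register() -> RiskRegister:
    """Constructed sample rows (not figures from the slides), dated to the deck."""
    day = date(2010, 4, 28)
    reg = RiskRegister()
    reg.add(RiskEntry("Internet-facing server compromised through a missed patch",
                      "business", 0.40, 50_000, 120_000,
                      "Patch SLA; monthly external vulnerability scan", "CISO", day))
    reg.add(RiskEntry("Key developer leaves mid-project", "project", 0.25, 30_000,
                      10_000, "Pair programming; documented handover", "Project manager", day))
    reg.add(RiskEntry("Vendor delivers the test environment late", "stage", 0.80,
                      15_000, 0, "Contractual penalty; interim virtual lab", "Stage lead", day))
    return reg
```

Closing a row through `close()` both dates the change and drops the row's exposure to zero, so the prioritized list and the total only ever reflect risks that can still arise.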
Risk metrics
        A management perspective


The use of metrics

           From the governance-based
           risk management perspective:
                Risk assessment
                Continuous improvement
                Evaluation

Identifying variables

           Metrics are about measurement
           Attributing values to variables
           Values depend on measurement scales
           There are rules on how to use measurement scales
                nominal, ordinal, interval, proportional




Example of measurement scales

[Figure: examples of measurement scales]

Scientificity and reliability

           Scientific data must meet certain criteria
                trustworthy, repeatable, verifiable
           We must be able to justify the choices we make
                in data and in manipulation (formulas)

marcandre@leger.ca
     http://www.leger.ca

          Montreal, Quebec, Canada:+1(514)824-6302
           Philadelphia, PA, USA:+1(215)543-6352
             Paris, France: +33.(0)9.77.19.63.02

     LinkedIn: http://www.linkedin.com/in/itriskmgr
             Blog: http://crhoma.org/blogue

Weitere ähnliche Inhalte

Mehr von Marc-Andre Leger

An introduction to Education 4.0
An introduction to Education 4.0An introduction to Education 4.0
An introduction to Education 4.0Marc-Andre Leger
 
Pedagogical engineering model canvas version 1.0b
Pedagogical engineering model canvas version 1.0bPedagogical engineering model canvas version 1.0b
Pedagogical engineering model canvas version 1.0bMarc-Andre Leger
 
Introduction to Industrie 4.0
Introduction to Industrie 4.0Introduction to Industrie 4.0
Introduction to Industrie 4.0Marc-Andre Leger
 
Ed Tech: transforming education
Ed Tech: transforming educationEd Tech: transforming education
Ed Tech: transforming educationMarc-Andre Leger
 
The case for 3D printing in the Always-On supply chain
The case for 3D printing in the Always-On supply chainThe case for 3D printing in the Always-On supply chain
The case for 3D printing in the Always-On supply chainMarc-Andre Leger
 
Pedagogical engineering for STEAM education in Fab Labs and makerspaces
Pedagogical engineering for STEAM education in Fab Labs and makerspacesPedagogical engineering for STEAM education in Fab Labs and makerspaces
Pedagogical engineering for STEAM education in Fab Labs and makerspacesMarc-Andre Leger
 
La gouvernance de fablabs et makerspace au Canada
La gouvernance de fablabs et makerspace au CanadaLa gouvernance de fablabs et makerspace au Canada
La gouvernance de fablabs et makerspace au CanadaMarc-Andre Leger
 
An introduction to Business Technology Management
An introduction to Business Technology ManagementAn introduction to Business Technology Management
An introduction to Business Technology ManagementMarc-Andre Leger
 
Using the Emerging Technology Analysis Canvas
Using the Emerging Technology Analysis CanvasUsing the Emerging Technology Analysis Canvas
Using the Emerging Technology Analysis CanvasMarc-Andre Leger
 
3D Printing drives the «Always-on» Supply Chain
3D Printing drives the «Always-on» Supply Chain3D Printing drives the «Always-on» Supply Chain
3D Printing drives the «Always-on» Supply ChainMarc-Andre Leger
 
Chus Gouvernance T Ien Santé V1 1b
Chus Gouvernance T Ien Santé V1 1bChus Gouvernance T Ien Santé V1 1b
Chus Gouvernance T Ien Santé V1 1bMarc-Andre Leger
 

Mehr von Marc-Andre Leger (13)

An introduction to Education 4.0
An introduction to Education 4.0An introduction to Education 4.0
An introduction to Education 4.0
 
Pedagogical engineering model canvas version 1.0b
Pedagogical engineering model canvas version 1.0bPedagogical engineering model canvas version 1.0b
Pedagogical engineering model canvas version 1.0b
 
Introduction to Industrie 4.0
Introduction to Industrie 4.0Introduction to Industrie 4.0
Introduction to Industrie 4.0
 
Ed Tech: transforming education
Ed Tech: transforming educationEd Tech: transforming education
Ed Tech: transforming education
 
The case for 3D printing in the Always-On supply chain
The case for 3D printing in the Always-On supply chainThe case for 3D printing in the Always-On supply chain
The case for 3D printing in the Always-On supply chain
 
What is industry 4.0
What is industry 4.0 What is industry 4.0
What is industry 4.0
 
What are maturity models
What are maturity models What are maturity models
What are maturity models
 
Pedagogical engineering for STEAM education in Fab Labs and makerspaces
Pedagogical engineering for STEAM education in Fab Labs and makerspacesPedagogical engineering for STEAM education in Fab Labs and makerspaces
Pedagogical engineering for STEAM education in Fab Labs and makerspaces
 
La gouvernance de fablabs et makerspace au Canada
La gouvernance de fablabs et makerspace au CanadaLa gouvernance de fablabs et makerspace au Canada
La gouvernance de fablabs et makerspace au Canada
 
An introduction to Business Technology Management
An introduction to Business Technology ManagementAn introduction to Business Technology Management
An introduction to Business Technology Management
 
Using the Emerging Technology Analysis Canvas
Using the Emerging Technology Analysis CanvasUsing the Emerging Technology Analysis Canvas
Using the Emerging Technology Analysis Canvas
 
3D Printing drives the «Always-on» Supply Chain
3D Printing drives the «Always-on» Supply Chain3D Printing drives the «Always-on» Supply Chain
3D Printing drives the «Always-on» Supply Chain
 
Chus Gouvernance T Ien Santé V1 1b
Chus Gouvernance T Ien Santé V1 1bChus Gouvernance T Ien Santé V1 1b
Chus Gouvernance T Ien Santé V1 1b
 

Risk Mgmt V1 0c

  • 1. Risk management A management perspective mercredi 28 avril 2010
  • 2. Plan What is risk ? Risk Governance Risk management Risk and culture Risk taxonomy Risk Metrics Wrap-up mercredi 28 avril 2010
  • 3. Introduction What is risk ? mercredi 28 avril 2010
  • 4. A definition of risk Pb(event) x impact mercredi 28 avril 2010
  • 5. Risk has two meanings In English, Risk is an umbrella term, with two varieties: opportunity which is a risk with positive effects threat which is a risk with negative effects Hillson(2001) mercredi 28 avril 2010
  • 6. Risk is not uncertainty Risk refers to situations where the decision-maker can assign mathematical probabilities to the randomness which he is faced with. Uncertainty refers to situations when this randomness "cannot" be expressed in terms of specific mathematical probabilities. Knight, Frank H. (1921) mercredi 28 avril 2010
  • 7. Risk and uncertainty The terms risk and uncertainty have become interchangeable, and one can often be found in the description of the other. Risk and uncertainty will be defined and used accordingly as separate issues of the same complex phenomena, that of hazard management. Beck(1986) mercredi 28 avril 2010
  • 8. Risk is formal Risk can be considered as a systematic way of dealing with hazards. If it is assumed that there is uncertainty associated with any prediction of a hazard occurring, then there is only uncertainty because there is only ever a prediction of the likely occurrence. Beck(1986) mercredi 28 avril 2010
  • 9. Uncertainty is not risk By uncertain knowledge, (...) I do not mean merely to distinguish what is known for certain from what is only probable. uncertainty is present when there is no scientific basis on which to form any calculable probability whatever. We simply do not know. Keynes(1937) mercredi 28 avril 2010
  • 10. Risk and probability The very assignment of numerical probabilities - even if subjective - implies that it represents choice under "risk" These probabilities are merely expressions of what is ultimately amorphous belief and thus may seem more like "uncertainty". Savage(1954) mercredi 28 avril 2010
  • 11. Risk is about outcomes Risk is the probability that an event will occur. In epidemiology, it is most often used to express the probability that a particular outcome will occur following a particular exposure. Last JM, (2001) mercredi 28 avril 2010
  • 12. What is the problem ? Risk is an old concept, classically measured as a product of outcome, usually negative, and a measure of uncertainty, such as probability, balancing bad, but unlikely, outcomes with less bad but more frequent ones. The problems arise in defining what one means by an outcome and how one assesses the probabilities. Hudson(2003) mercredi 28 avril 2010
  • 13. Risk Management Risk Utility management RISK 0 time mercredi 28 avril 2010
  • 14. A more complete definition R! (E,A,!) " mercredi 28 avril 2010
  • 15. E : element at risk Element (asset, process, system, etc.) or group of elements that have an expected utility (u) for a given period of time (Δt) in a finite space (s) A : Hazard (real, foreseeable or perceived) Event or sequence of events resulting from the exploitation of a vulnerability (ψ) of an element at risk (E) which can cause a dammage (δ) which results in a reduction of the expected utility (u) for a given period of time (Δt) in a finite space (s) ψ : vulnerability Fragility (relative) of an element at risk (E) to a hazard (A) mercredi 28 avril 2010
  • 16. θ : resilience Capacity of an element at risk (E) to overcome a hazard (A) by minimizing damages (δ) or by using adversity as a catalyst for improvement. It is linked to organisational maturity δ: damage (real, foreseen or perceived) Reduction of the expected utility (u) of an element at risk (E) by a hazard (A) t : time s: space mercredi 28 avril 2010
  • 17. The risk triangle Da ma ity ge bil or ra Risk lne im Vu (E,t,s) pa ct Ha z a rd or t hre at mercredi 28 avril 2010
• 18. Risk governance: a management perspective
• 19. Ecosystemic view
    • A system formed by an ecological community and its environment that functions as a unit.
    • The interconnectedness of organisms (plants, animals, microbes) with each other and their environment. http://www.neok12.com/php/watch.php?
• 20. Governance structure (figure): Executive level: corporate directors (support); Strategic level: governance committee (directs); Tactical level: management committee (manages); Operational level: professionals
• 22. Role of the Board of directors (figure): the board at the centre, surrounded by management, stockholders, employees, lenders, suppliers and other stakeholders
• 23. Roles and responsibilities: mission statement and values; sets culture and normative framework; arbitrage; exercises authority
• 24. Subsidiarity: responsibility for actions must be allotted to the smallest entity that can resolve them; decision making as close as possible to the end-user or customer; act locally: make the actors responsible; empower local competencies and decentralize
• 25. Risk governance: basic ethical principles
• 26. Due diligence: organisations need to demonstrate that they are being diligent; they need to be able to demonstrate that they have formal processes in place to ensure that risks are known and managed
• 27. Precaution: when there is the possibility, even if unlikely, that hazards may cause grave or irreversible damage, the absence of absolute scientific certainty cannot become a pretext to avoid taking action to prevent the degradation of the situation. Contrary to rational theory, precaution justifies taking decisions in cases of incomplete information to avoid irreversible damage. It justifies non-optimal solutions that may satisfy all parties (minimum regrets)
• 28. Continuous improvement: Deming's wheel approach; recurring feedback loops; evolution of solutions aligned with the availability of resources
• 29. Evaluation: must determine, a priori: objectives; follow-up parameters; control and corrective action plans; a space for all stakeholders to review information. Finality: create mechanisms that allow the conversion of data into useful planning information
• 30. Risk management: formal processes
• 31. IPMa process: Identify risks, Prioritize, Mobilize resources, Audit
• 32. Qualitative or quantitative? In the absence of solid historical data, all data is subjective. Sources of historical data: past events, hazards and incidents in the organization; data from similar organizations; regulatory bodies; Gartner Group, IDC, Forrester Research and literature; standards (ITU, ISO, IEEE)
• 33. Scenario-based risk management: using scenarios is the most 'human sensitive' approach to risk management; it's simpler to get people to tell you a story. What if ... Then ... This would result in ... But, we could do ... to prevent it or to reduce its impacts.
• 34. Incidents are central: using past incidents is a key to risk management; quantitative data finds its source in historical data; it is a chance to improve; individuals have to feel that they can, and must, report incidents; management has to support this; a risk registry, or journal, serves this purpose
• 35. IPM process: Identify (hazards, vulnerabilities, damages); Prioritize; Mobilize resources
• 36. Cognitive processes. The cognitive operations of individual decision makers involved in decisions about risk are (in order):
    (1) identify the scenarios to consider
    (2) predict the consequences for each scenario and estimate their likelihood
    (3) identify the variables susceptible to influence utility and adjust them to account for the context
    (4) evaluate the probabilities to assign to the contexts that have been retained
    (5) apply a decisional strategy
• 37. Risk response matrix (figure), likelihood on the vertical axis and damages on the horizontal: high likelihood, low damages: Transfer risk; high likelihood, high damages: Avoid risk; low likelihood, low damages: Accept risk; low likelihood, high damages: Mitigate risk
• 38. The same matrix with a Tolerate risks band added below the Accept risk and Mitigate risk cells
• 39. Biases that may affect decision makers: errors in reasoning; cognitive dissonances; heuristics; cultural variations; limits of vigilance
• 40. Methodologies: several are available; all have their limitations (choice of variables, scientificity, validity (internal and external)); must consider maturity
• 41. Risk management framework: an integrated risk framework allows an organisation to integrate all the organisational, regulatory and scientific requirements in a cyclical approach (continuous improvement). Should include: business processes; standard operating procedures; a governance model; risk awareness, education and training programs; a workflow management tool (software)
• 42. Change management: implementing a RMF is a change management problem; five (5) stages of change: denial, resistance, decompensation, resignation, integration
• 43. How to facilitate change? Education, training; setting normative factors; rationalization; consensus; other (dictatorship, coercion, esoteric)
• 44. Risk and culture: risk, culture, perception and subjectivity
• 45. Risk, culture and perception. According to one cultural theory, people choose what to fear as a way to defend their way of life. The theory hypothesizes that adherents of a hierarchical culture will approve of technology, provided it is certified as safe by their experts. Competitive individualists will view risk as opportunity and, hence, be optimistic about technology. And egalitarians will view technology as part of the apparatus by which corporate capitalism maintains inequalities that harm society and the natural environment. Wildavsky (2002)
• 46. Difficulty in assessing risk. Risk is not always easy to assess, since the probability of occurrence and the consequence of occurrence are usually not directly measurable parameters and must be estimated by statistical or other procedures. Risk constitutes a lack of knowledge of future events. Typically, future events (or outcomes) that are favorable are called opportunities, whereas unfavorable events are called risks. Another element of risk is its cause. Kerzner, H. (2003)
• 47. Risk tolerance. Risk tolerance looks at acceptable/unacceptable deviations from what is expected. In financial investments, the extent to which an investor is willing to accept more risk in exchange for the possibility of a higher return.
• 48. Risk appetite. Where do we feel we should allocate our limited time and resources to minimise risk exposures? What level of risk exposure requires immediate action? What level of risk requires a formal response strategy to mitigate the potentially material impact? What events have occurred in the past, and at what level were they managed?
• 49. Predictable outcomes. Many activities undertaken by organizations do not have predictable outcomes. One can't predict the return from a new project, for example. Occurrence of these types of events can only be described in terms of a range of possible outcomes and the likelihood or probability of each outcome. The lack of predictability of outcomes is referred to as risk. The concept of risk does not imply all possible outcomes are adverse, only that the precise probabilities of the outcomes are unknown. Lewis (2003)
• 50. Distribution of outcomes. According to classical decision theory, risk is generally understood to be the distribution of possible outcomes, their likelihood, and their subjective values. In project management, this definition can be applied to time, cost, performance, and many other influential factors in any project that impact these three concerns. March and Shapira (1987) in Kwak (2005)
• 51. Reference points. The reference points that people use to evaluate risky prospects affect risk-taking. In this respect, risk tolerance is a subjective notion in the absence of clear and uniform communication and tools for risk analysis. Kahneman and Tversky (1979) and Tversky and Kahneman (1992) in Kwak (2005)
• 52. Risk taxonomy: categories of organisational risks
• 53. Risk categories: there is an infinite number of categories of risk; it depends on: organisational culture; legislation; many other factors
• 55. What is needed? For each incident identified, information needs to be collected about: direct monetary losses caused by the incident, annualized (or aligned on budgetary strategy); indirect losses (reputation damage or lost business) with an estimate of the monetary losses resulting from these indirect losses. Blakley, B., McDermott, E., Geer, D. (2001)
• 56. Risk register. Dates: as the register is a living document, it is important to record the date that risks are identified or modified; optional dates to include are the target and completion dates. Description of the risk: a phrase that describes the risk. Project Management Institute Body of Knowledge (PMBOK)
• 57. Risk register. Risk type (business, project, stage): classification of the risk; business risks relate to delivery of achieved benefits, project risks relate to the management of the project such as timeframes and resources, stage risks are risks associated with a specific stage plan. Likelihood of occurrence: provides an assessment of how likely it is that this risk will occur; examples of classifications are L-Low (<30%), M-Medium (31-70%), H-High (>70%). Project Management Institute Body of Knowledge (PMBOK)
• 58. Risk register. Severity of effect: provides an assessment of the impact that the occurrence of this risk would have on the project. Counter measures: action to be taken to prevent, reduce or transfer the risk; this may include production of contingency plans. Owner: individual responsible for ensuring this risk is appropriately managed and counter measures are undertaken. Project Management Institute Body of Knowledge (PMBOK)
• 59. Risk register. Status: indicates whether this is a current risk or if the risk can no longer arise and impact the project; example classifications are C-current or E-ended. Other columns such as quantitative value can also be added if appropriate. Project Management Institute Body of Knowledge (PMBOK)
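As an added example, not code from the slides or their author, here is a minimal risk register in Python built from the PMBOK columns of slides 56 to 59, the likelihood bands of slide 57 (L <30%, M 31-70%, H >70%), exposure as Pb(event) x impact, and the response quadrants of the likelihood/damages matrix on slides 37 and 38. The damage threshold, the placement of exactly 30% and 70%, the currency scale of severity and the sample entries are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List

def likelihood_class(p: float) -> str:
    """Slide bands: L (<30%), M (31-70%), H (>70%). The slide does not say
    where exactly 30% and 70% fall; placing both in M is an assumption."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if p < 0.30:
        return "L"
    return "M" if p <= 0.70 else "H"

def response(p: float, damage: float, damage_threshold: float) -> str:
    """Quadrant of the slide's likelihood/damages matrix, read with likelihood
    increasing upward and damages to the right: Transfer (high L, low D),
    Avoid (high L, high D), Accept (low L, low D), Mitigate (low L, high D).
    'High' likelihood is band H; 'high' damage is above the threshold (assumed)."""
    high_l = likelihood_class(p) == "H"
    high_d = damage > damage_threshold
    if high_l:
        return "Avoid risk" if high_d else "Transfer risk"
    return "Mitigate risk" if high_d else "Accept risk"

@dataclass
class RiskEntry:
    identified: date       # the register is a living document: record dates
    description: str
    risk_type: str         # business / project / stage
    probability: float     # likelihood of occurrence
    severity: float        # damage estimate in currency units (assumed scale)
    counter_measures: str
    owner: str
    status: str = "C"      # C-current or E-ended
    def exposure(self) -> float:
        return self.probability * self.severity   # Pb(event) x impact

def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """The Prioritize step: current risks only, largest exposure first."""
    live = [r for r in register if r.status == "C"]
    return sorted(live, key=lambda r: r.exposure(), reverse=True)

# Constructed sample register; these are not figures from the slides.
SAMPLE_REGISTER = [
    RiskEntry(date(2010, 4, 1), "Vendor contract lapses", "business", 0.80, 50000, "Renew early", "CFO"),
    RiskEntry(date(2010, 4, 1), "Data centre flood", "project", 0.20, 100000, "Off-site backups", "CIO"),
    RiskEntry(date(2010, 4, 2), "Key developer leaves", "stage", 0.75, 5000, "Cross-training", "PM"),
    RiskEntry(date(2010, 3, 1), "Pilot overran", "stage", 0.50, 1000, "Closed", "PM", status="E"),
]
```

Ended risks stay in the register for the incident history that slide 34 asks for, but drop out of prioritization.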
• 60. Risk metrics: a management perspective
• 61. The use of metrics, from the governance-based risk management perspective: risk assessment; continuous improvement; evaluation
• 62. Identifying variables: metrics are about measurement; attributing values to variables; values depend on measurement scales; there are rules on how to use measurement scales: nominal, ordinal, interval, proportional
• 63. Example of measurement scales (figure)
• 64. Scientificity and reliability: scientific data must meet certain criteria: trust, repeatable, verifiable; we must be able to justify the choices we make in data and in manipulation (formulas)
• 65. marcandre@leger.ca http://www.leger.ca; Montreal, Quebec, Canada: +1 (514) 824-6302; Philadelphia, PA, USA: +1 (215) 543-6352; Paris, France: +33 (0)9 77 19 63 02; LinkedIn: http://www.linkedin.com/in/itriskmgr; Blog: http://crhoma.org/blogue