5. What is a risk?
Understanding the difference between “risk” and “problem”
Problem/Crisis:
• Has happened/is happening
• Result of a past decision
Risk:
• Has not yet happened/potential in the future
• Result of today’s decision
واالستشارات للتدريب العرب االستراتيجيون
6. Risk modelling
[Diagram: Risk Drivers / Causes; Risks / Events; Outcomes; Frequency (controls); Severity (controls)]
Source: ERM - SOAR – Gregory Monahan (2008). Illustration – are we taking the right risks and the amount of risk?
Risk is “effect of uncertainty on objectives”
- ISO Guide 73
7. Ishikawa diagram (Fish-bone diagram)
[Diagram: fish-bone diagram leading to the OBJECTIVE, with the branches listed below]
INTERNAL ENVIRONMENT
• People: competencies and quantities
• Method, system, technology
• Infrastructure, equipment, computers
• Resources, budget allocation
• Data, information, raw materials
• Working environment, corporate culture
EXTERNAL ENVIRONMENT
• Politics
• Economy
• Social & cultural
• Technology
• Law
• Environment
• Media
• Vendor
• Competitor
• Customer
• Regulator
BUSINESS PROCESSES
9. Risk Owner
According to ISO 31000:
Risk owner is person or entity with the accountability and authority to manage risk - ISO Guide 73
HE/SHE WHO IS ACCOUNTABLE FOR ACHIEVING THE OBJECTIVES
[Diagram: RISK OWNER, KPI’s OWNER]
10. Different levels, different types of risks
Risks ultimately should be filtered to the lowest level possible for ownership and mitigation
[Diagram: RISKS filtered down through the levels]
• Corporate Level
• Division Level
• Department Level
• Section Level
Source: Diana Borgmeyer, VIMA (2012)
12. To be reconfirmed:
▪ RISKS are closely related to OBJECTIVES;
▪ The RISK OWNER is THE OWNER OF THE OBJECTIVES, and basically this is valid for all levels within the organization;
▪ ACCOUNTABILITY is the duty to answer for the result of an action or decision. It also covers the failure to act or to make a decision, and the decision not to decide;
▪ RESPONSIBILITY is the duty to perform the job assigned, to carry out a decision, to oversee others as instructed, or to carry out an order.
13. Risk management basics
Six basic questions which we should answer in risk management:
1. What are we trying to achieve?
2. What might affect us?
3. Which of all these things is the most important one?
4. What should we do about it?
5. Did it work?
6. What has changed?
(This process is often called “intuitive” risk management)
14. Why ISO 31000
Because there are several standards that support it:
▪ Risk management vocabulary – ISO/IEC Guide 73:2009;
▪ Risk assessment techniques – ISO 31010:2009;
▪ Guide on implementation – ISO 31004:2013;
▪ Assurance / auditing:
– ISO 19011:2011 Guidelines for auditing management systems;
– SA/SNZ HB 158:2010 Delivering assurance based on ISO 31000:2009 Risk management — Principles and guidelines;
– IIA - IPPF Practice Guide 2010: Assessing the adequacy of Risk Management using ISO 31000;
▪ ISO 21500:2012 Guidance on Project Management, especially for project risk management;
▪ ISO 19600:2014 Compliance management systems — Guidelines
15. ISO 31000 Risk Management – Guidelines
[Figure: Risk Management Principles, Risk Management Framework, Risk Management Process]
Source: ISO 31000:2018
20. Example: Likelihood Criteria
Likelihood criteria (1 year):
1 (Almost never)
2 (Little possibility)
3 (Maybe)
4 (Big possibility)
5 (Almost certain)
Qualitative: The possibility of the risk occurring is very big/almost certain to happen.
Quantitative: >80 - 100%
21. Qualitative Probability and Impact Matrix
[Figure: 3×3 matrix of PROBABILITY (Low, Medium, High) against IMPACT (Low, Medium, High), with cells rated L, L/M, M, M/H and H, and Risk 1, Risk 2 and Risk 3 plotted on it]
22. Example: Risk Map Format
LIKELIHOOD (rows) against CONSEQUENCE (columns); each cell shows the rating and its number.
                 | 1 Insignificant | 2 Minor  | 3 Moderate | 4 Major   | 5 Significant
5 Almost Certain | MEDIUM 5        | HIGH 10  | HIGH 15    | CRISIS 20 | CRISIS 25
4 Likely         | LOW 4           | MEDIUM 8 | HIGH 12    | CRISIS 16 | CRISIS 20
3 Possible       | LOW 3           | MEDIUM 6 | HIGH 9     | HIGH 12   | HIGH 15
2 Unlikely       | LOW 2           | LOW 4    | MEDIUM 6   | MEDIUM 8  | HIGH 10
1 Almost Never   | LOW 1           | LOW 2    | LOW 3      | LOW 4     | HIGH 5
23. Example: Risk Appetite & Tolerance in Risk Map
[Figure: 5×5 risk map of LIKELIHOOD (1 Almost Never, 2 Unlikely, 3 Possible, 4 Likely, 5 Almost Certain) against CONSEQUENCE (1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Significant), with cells rated LOW, MEDIUM, HIGH and CRISIS]
24. Response Strategies for Threats
Source: PMBOK® Guide, pp. 303-304
Accept (accepting the consequences)
Mitigate (reducing the expected value of a threat)
• Minimizing the probability of the threat event
• Minimizing the impact of the threat event
Transfer (shifting some or all of the threat to another)
Avoid (eliminating a specific threat, usually by eliminating the cause)
25. Accept
If risk exposure is acceptable to the project and the
company—
• Review organizational tolerances
• Assess organizational capacity (tolerance) for additional
risk exposure
• Document and communicate strategy
• Continue to reassess the risk throughout the project for
changes in risk exposure (Watch List)
Acceptance can be—
• Active: Develop a contingency plan
• Passive: Fully accept the consequences; do nothing
26. Mitigate
If risk exposure is not acceptable to the project and
company—
• Take specific actions to—
– Lower the probability of occurrence
– Lower the impact of occurrence
• Evaluate and estimate effectiveness of risk mitigation
strategy
• Document and communicate strategy
• Continue to reassess the risk throughout the project for
changes to risk exposure
27. Transfer
• Transfer all or part of the risk to a third party
– Subcontract
– Warranties
– Insurance
– Customer contract
• Transference does not eliminate the risk
• Transference may involve payment of a risk premium
Source: PMBOK® Guide, p.303
28. Avoid
If risk exposure is not acceptable and/or risk mitigation or transference
is not sufficiently effective—
• Cause of risk must be avoided and threat eliminated; take an alternative
approach
– Review organizational tolerances
– Assess task vs. project avoidance
– Document and communicate strategy
– Continue to reassess the risk throughout the project
Example: The product description for an elementary social sciences education multimedia program
references stock video clips of children riding bikes and roller skating without helmets or knee
pads. During risk identification, the project team reviewed the product description and identified a
potential risk of school administrations not buying the program because it appears to advocate
unsafe activities. The team avoided this risk by changing the project scope so that it did not include
the videos.
29. Response Strategies for Opportunities
Source: PMBOK® Guide, pp. 304-305
Accept: Active or passive
Enhance
• Maximize the probability of the opportunity event
• Maximize the impact of the opportunity event
Exploit (ensure opportunity is realized)
Share (allocate all or part of the ownership to third party)
30. Enhance
• Facilitate or strengthen the cause of the opportunity
– Target or reinforce the trigger
• Take specific actions to—
– Maximize the probability of the opportunity event
– Maximize the impact of the opportunity event
Examples of enhancing opportunities include adding more
resources to an activity to finish early
31. Exploit
• Take specific actions to ensure the opportunity is realized
• Eliminate the uncertainty associated with a particular risk
• Possibly shorten the duration of a project by:
– Assigning more talented resources
– Providing better quality than originally planned
Examples of directly exploiting responses include
assigning an organization’s most talented resources to the
project to reduce the time to completion or to provide lower
cost than originally planned
32. Share
• Sharing the opportunity with a third party who can benefit
from the opportunity
– Create risk sharing partnerships or joint ventures with
the express purpose of managing opportunities