Risk is the possibility of happening unknown or known events that can affect the main objectives of a project. It is not necessary that all the risk will cause disruption in achieving objectives of a goal because a risk can come in the form of a threat or an opportunity. If it comes as an opportunity that it will help the project to get benefit out of it. If you want to keep the risk to a controllable and manageable level, you need to follow the five processes and those are:
In order to identify a risk, you need to obtain information about the things that is subject to risk management. For example, you want to mitigate the risk of server downtime of an organization to a certain time limit, you need to collect all the information of the software, hardware, physical location, environment protection and power supply system as well as the custodian and owner of the servers. So, the identification of a risk begins with collection of the relevant information of a system that you want to protect from an impending threats. During the identification process you need to list all the threats and opportunities in a risk register, which is just a register to enlist of the identified risks.
You can follow a few techniques that are commonly used to systematically identify risks and those are:
- Review lessons
- Risk checklists
- Risk prompt lists
- Brain storming
- Risk breakdown structure
Risk assessment: this has two parts-one is estimation and the other one is evaluation. In risk estimation part you have to find out the probability of occurring a certain threat and its impact on the business operation. For assessment, you can use some well-known techniques such as probability trees, expected values, Pareto analysis, and probability impact grid. In the evaluation part, you have to figure out the aggregated effect of the identified risks. Risk models and expected monetary value are two important techniques that can be used in the evaluation process.
As you know that the nature of risks are unpredictable at times. Despite every attempt to prevent risks, there are unknown sources and reasons which only revealed to us when the actual risk occurs. So, as a risk manager you always need to prepare your plan in order to respond any particular threats and opportunities. When preparing the risk plan, one need to consider that the cost of implementation, probability the risks and its impact on the business. Depending on the consequences and impact of risk on your business operation, you need to prepare a threat and opportunity responses. In the plan phase you need to mention the name of risk owner (who manage, monitor and control risks) and the risk auctioneers (the ones who carry out the risk response procedures when a risk occurs).
Threat response plan
Avoid the risk
Exploit the opportunity to improve security and reliability of a system
Reduce the risk
Enhance the opportunity
Make a fall back plan as a response
Transfer the risk (such as insurance)
Share the risk among various parties or departments
Accept the risk
Reject the opportunity( opposite of exploiting)
Note: there are two types of risks: primary and secondary. The primary risks are the threats and opportunities and the secondary risks are the risk that may occur when you respond to the primary risk.
Implementation: making a response plan is not enough unless the full potential of the risk response techniques are realized, which is only possible when any risk incident takes place. When a risk occur, you need to ensure that the planned risk responses are effective, efficient and monitored well enough so that you can make an effective performance report on risk response methods and can take necessary steps to improve it.
If you are managing risks in a project, then you need to take every steps that ensure the reporting of risks at every report in a project life cycle such as in the checkpoint, highlight, end stage, end project and lesson reports. This process of risk management is also known as communication, where the risks are communicated to the proper authorities for any special comment or feedback. Finally, the risk management is a continuous process and there are not perfect methods on Earth that can guarantee that threats will not be materialized. Despite taking all the high level precautions by the greatest planner on Earth, there occurred space shuttle challenger disaster in 1986. So, plan for the risks with all your knowledge and keep improving your plan as you see an opportunity to do so.