Introduction to Risk Management

Kannan SubbiahDirector, Operations

Knowledge Universe Technologies India1

Objectives Understanding Risk Risk Management as a process Exercise Q & A

2

How to learn Risk Management? http://www.youtube.com/watch?v=laKprX-HP94&feature=related

3

What is a Risk?

A risk is ANYTHING that may affect the achievement of an organization’s objectives.

It is the UNCERTAINTY that surrounds future events and outcomes.

It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives.

4

Alternatively …

Risk is a potential event with negative consequences that had not happened yet Could also be an event with positive consequences

A possibility of loss – not the loss itself A source of problem Find the root cause and not the leaves

Something that makes the project special In the widest sense, everything is a risk Helps identify better ways of handling problems

5

Why do we need Risk Management?

The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.

JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003

Without good risk management practices, government cannot

manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of

opportunities to improve services or lower costs. Sheila Fraser, Auditor General of Canada

6

How does Risk Management help?

Increase risk awareness & understanding Allows intelligent “informed” risk-taking. Focuses efforts –helps prioritize. Is proactive…. not reactive – Prepare for risks

before they happen. Improve outcomes – achievement of objectives Enables accountability, transparency and

responsibility And maybe even mean survival

7

Key Terms Risk – Exposure to chance of hazard Risk Level – A measure to represent the significance of the risk Controls – Action(s) that could eliminate or reduce the risk

level Residual Risk – Risk level after implementing controls Risk Response – An action on the risk, whether to accept, or

not to accept

8

Exercise - I Think of a risk in your daily life Determine the probability of occurrence Make an assessment of an impact, if it occurs.

9

1

Who is involved? Customer End user Project Team Senior Management Related Project teams Vendors and suppliers

10

When? A continuous process

Starts from proposal stage

Ends on project completion

Review stages Business case analysis

Project approval

Project planning

Technology, Tools & Vendor selection

Project status reviews

Deployment and Maintenance

11

Risk Management Basics

12

Risk (uncertainty) may affect the achievement of objectives.

Effective mitigation strategies/controls can reduce negative risks or increase opportunities.

Residual risk is the level of risk after evaluating the effectiveness of controls.

Acceptance and action should be based on residual risk levels.

INHERENT

A Simple Framework

13

Evaluate & Take Action

EstablishObjectives

IdentifyRisks & Controls

AssessRisks & Controls

Monitor& Report

Step 1 Step 2 Step 3 Step 4 Step 5

Communicate, learn, improve

Risk Identification Techniques

Brainstorming Interviewing Root cause analysis Checklists SWOT

14

Risk Management is critical to ALL levels of decisions

UNCERTAINTY

Strategic Strategic

Programme Programme

Project & Operational Project & Operational

Strategic Decisions

Decisions transferring strategy into action

Decisions required for implementation

15

Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decisions. Most decisions are concerned with implementation.

The HM Treasury’s The Orange Book

Risk Environment

MOHLTC Extended Enterprise

External Risk Environment

MOHLTCRisk Environment

Laws &

regula

tions

Capacity

The Economy

Corporate Governance Requirements

Stakeh

older

expe

ctatio

ns

Political

Outcom

esPublic

Perception

Oth

er

Min

istrie

s

Partner-

Organizations

LHINs

Financial

Organizational

Governance

Human Resources

Information

Info

rmat

ion

Tech

nolo

gy

Lega

l/C

ompl

ianc

e

Operational

Strateg

ic/

Policy

Transfer Payment

Accountability &

Governance

Communication & Learning

Monitor

Evaluate

Assess

IdentifyEstablish

Communication& Learning

Communication& Learning

16

Internal

Extended

Categorizing Risk – Comprehensive

17 Slide 17

1. Political or Reputational Risk

2. Financial Risk

3. Service Delivery or Operational Risk

4. People / HR Risk

5. Information/Knowledge Risk

6. Strategic / Policy Risk

7. Stakeholder Satisfaction / Public Perception Risk

8. Legal / Compliance Risk

9. Technology Risk

10. Governance / Organizational Risk

11. Privacy Risk

12. Security Risk

13. Equity Risk

Risk Prioritization – likelihood and impact

Likelihood of a risk event occurring Very High: Is almost certain to occur

High: Is likely to occur

Medium: Is as likely as not to occur

Low: May occur occasionally

Very Low: Unlikely to occur

Risk Impact: Level of damage that can occur when a risk event occurs

Very High: Threatens the success of the project

High: Substantial impact on time, cost or quality

Medium: Notable impact on time, cost or quality

Low: Minor impact on time, cost or quality

Very Low: Negligible impact

18 Slide 18

Third dimension for rating risks - proximity

Immediate – nowLess than 6 months Between 6-12 monthsBetween 12 – 24 monthsBetween 24 – 36 monthsMore than 36 months

19

Risk rating …Combining impact and likelihood

20 Slide 20

LIKELIHOOD

IMPA

CT

1

1

2

2

3

3

4

4

5

5

RISKI x L

RISKI x L

RISKI x L

RISK PRIORITIZATION MATRIX

Risk reporting and communications

21

Risk Level Action and Level of Involvement Required

Critical Risk Inform Chief Executive Officer and Board of Directors Immediate action required

High Risk Inform Chief Executive Officer Strategy Team involvement/attention is essential to manage risks

– provide report to Board as appropriate

Moderate Risk Management mitigation and ongoing monitoring required Inform relevant Strategy Team members

Low Risk Accept, but monitor risks Manage by routine procedures within the program and site

22

Measure and report RM implementation progress

23

Excellent

• Advanced capabilities to identify, measure, manage all risk exposures within tolerances

• Advanced implementation, development and execution of ERM parameters• Consistently optimizes risk adjusted returns throughout the organization

Strong

• Clear vision of risk tolerance and overall risk profile• Risk control exceeds adequate for most major risks• Has robust processes to identify and prepare for emerging risks • Incorporates risk management and decision making to optimize risk adjusted

returns

Adequate

• Has fully functioning control systems in place for all of their major risks• May lack a robust process for identifying and preparing for emerging risks• Performing good classical “silo” based risk management • Not fully developed process to optimize risk adjusted returns

Weak• Incomplete control process for one or more major risks• Inconsistent or limited capabilities to identify, measure or manage major risk

exposures

Source: Standard & Poor

The Cyclist and the Risk Manager

24

Exercise II – 15 minutes

Identify risks that the cyclists faces in cycling to work. Report back.

25

1

RisksThreats: Death

Head Injury Injury Reputation Financial Damage to the bike Sunburn/frost bite

Opportunities: Exercise Sunlight Reputation Financial Role model Environment

26

Mitigation Strategies for threats

Death, head injury, other injury – helmet, bright clothes, lights, bell, CANbike course, obeying traffic laws, positive attitude, anger management course

Reputation – great outfit, change of wrinkle-free clothes, shower, time management

Financial – high quality locks, “beater”, stopping at stop signs

Damage to the bike – regular maintenance, avoiding pot holes

Sunburn/frost bite – sunscreen, mittens, hats, token/change Dehydration- filled water bottle

27

Acknowledgements Practical approach to Risk Management - by Finance Management Institute,

Toronto Chapter. Introduction to Risk Management for Outsourcing projects - by Peter Kolb

28

Questions?

29