Risk is the deviation of one
or more results of one or more events from their expected value, and that value
can be positive or negative; “downside risk” involves incurring a
cost and “upside risk” involves failing to attain a benefit.
According to PRINCE2, risk relates to an
uncertain event or set of events that, should it occur, will have an effect on
the achievement of objectives. A risk is measured by a combination of the
probability of a perceived threat or opportunity occurring, and the magnitude
of its impact on objectives. Using this definition, the objectives would be the
objectives of the business.
Risk can be identified using
a range of strategic models, such as the external risks highlighted in “turnaround tools” (as well as one that
isn’t here – SWOT), the internal
risks highlighted in the “tree roots”
analogy (interestingly, the derivation of the word risk is a Greek word meaning
“root”) and other risks found with culture or other staff-related issues.
However, I have found just one
strategic risk model that concerns itself with the
identification, stratification and evaluation of internal risk and then provides the control levers that are
required to correct the course of risk. Listed below are some other tools that
take a more operational approach.
Depending on the culture of
the organisation, industry practice and compliance requirements, risk may be
identified using a number of techniques:
· Objectives-based: as above, any event that may endanger the achievement of objectives, either in part or completely
· Scenario-based: objectives may be achieved in different ways with different risks or different interaction of forces
· Common-risk: some risks (particularly industry-specific risks) are known and quantifiable
· Risk charting: assumes that resources are a risk
There are a number of tools
associated with risk management, such as Monte Carlo simulation, Risk AofA, risk register, Cura
Enterprise, Cura Quants, CRIMS, the Aggregate Risk
Tool, the Probability Impact Model, SAPHIRE, SCHRAM, TRIMS, etc.
Associated with risk is the
management of risk, and associated with this are risk responses (within which
there are trade-offs):
· Avoidance (eliminate, withdraw from, not become involved)
· Reduction (optimise, mitigate)
· Share (transfer, outsource, insure)
· Retention (accept and budget)