Risk Management Principles Simple & Precise Explanation
Risk management, as its name suggests, is the process of managing risks: first identifying, assessing and prioritizing them, and then applying coordinated measures and resources to eliminate or minimize the probability and impact of unwanted events, and to monitor the risks that remain.
More formally, risk management is the identification, evaluation and prioritization of risks (defined in ISO 31000 as "the effect of uncertainty on objectives"), followed by the coordinated and economical application of resources to minimize, monitor and control the probability or impact of unfortunate events, or to maximize the realization of opportunities.
The risks that need managing can be of any type, e.g. credit risk, uncertainty in financial markets, project failure at any stage of the project, natural disasters, IT infrastructure failure, bankruptcy of creditors, compromise of servers, accidents, and deliberate attacks by adversaries.
Organizations adopt various approaches to managing risk. Some prefer to transfer the risk to other parties, e.g. by insuring plant and machinery or even complete projects (although the risk that the insurer itself goes bankrupt remains).
Others avoid a risk altogether by changing the process that creates it, or by declining orders from a financially fragile client.
Some organizations retain credit risk and price it in, e.g. by increasing their profit margins to absorb expected defaults. Risk sharing is another approach, in which the benefit of a gain or the burden of a loss from a risk, and from the measures taken to mitigate it, is shared with another party.
Strategies for managing threats (uncertainties with negative consequences) typically include avoiding the threat, reducing its probability or negative effect, transferring all or part of it to another party, and retaining some or all of its potential or actual consequences. The strategies for opportunities (uncertain future states with benefits) are the opposites: exploit, enhance, share and accept.
Several risk management standards exist globally, each covering different aspects of risk management depending on the target business area, e.g. engineering, project management or IT.
Certain risk management standards have been criticized because they produce no measurable improvement in risk while confidence in estimates and decisions increases, which is a dangerous combination. As an illustration of how badly estimates can miss, one study found that one in six IT projects was a "black swan" with gigantic overruns (cost overruns averaging 200% and schedule overruns 70%).
Risk management standards are published by PMI (the PMBOK Guide), NIST (SP 800-30 for risk assessment and SP 800-37, the Risk Management Framework) and ISO (ISO 31000).
Risk Management Principles
The International Organization for Standardization (ISO) identifies the
following principles of risk management:
Risk management should:
- Create value – resources expended to mitigate risk should be less than the consequence of inaction
- Be an integral part of organizational processes
- Be part of the decision-making process
- Explicitly address uncertainty and assumptions
- Be a systematic and structured process
- Be based on the best available information
- Be tailorable
- Take human factors into account
- Be transparent and inclusive
- Be dynamic, iterative and responsive to change
- Be capable of continual improvement and enhancement
- Be continually or periodically re-assessed
Risk management methods are mostly applied in the following sequence:
- Identify, characterize and assess the potential threats to company assets or operations
- Assess the vulnerability of critical assets and processes to specific threats
- Determine the risk through a risk assessment (typically as a function of the threat's likelihood and its impact, given the asset's vulnerability)
- Identify practical ways to reduce the risks
- Prioritize risk reduction measures based on the business strategy
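The sequence above, worked through on a small constructed risk register, as an added example that is not part of the original article. It also applies the "create value" principle from the ISO list (a control that costs more than the loss it prevents is rejected) and the avoid/reduce/transfer/retain strategies described earlier. The 5-point likelihood and impact scales, the risk-appetite threshold, the expected-loss figures, and every asset, threat, control and cost in the register are assumptions made up for this example:

```python
"""Constructed risk register: identify threats, assess vulnerability, score the
risk, choose a treatment that creates value, and prioritize.
All scales, thresholds and register entries are assumptions for this example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    AVOID = "avoid"        # remove the activity that exposes the asset
    REDUCE = "reduce"      # lower probability and/or impact
    TRANSFER = "transfer"  # insurance, outsourcing, contract terms
    RETAIN = "retain"      # accept the consequences and monitor


@dataclass
class Control:
    name: str
    treatment: Treatment
    annual_cost: float        # assumed yearly cost of running the control
    likelihood_factor: float  # residual likelihood as a fraction of inherent (0 = eliminated)
    impact_factor: float      # residual impact as a fraction of inherent


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int              # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                  # 1 (negligible) .. 5 (severe); assumed scale
    annual_expected_loss: float  # assumed monetary estimate of yearly loss
    candidate_controls: List[Control] = field(default_factory=list)

    def score(self) -> int:
        """Inherent risk on a qualitative matrix: likelihood x impact."""
        return self.likelihood * self.impact


@dataclass
class Plan:
    risk: Risk
    treatment: Treatment
    control: Optional[Control]
    residual_score: int
    net_value: float  # loss avoided minus control cost (0 when retained)


RISK_APPETITE = 6  # assumed: inherent scores at or below this are retained untreated


def choose_treatment(risk: Risk) -> Plan:
    """Pick the candidate control with the best net value. A control whose
    cost is not below the loss it prevents fails the 'create value' test and
    is skipped; with no qualifying control the risk is retained."""
    retained = Plan(risk, Treatment.RETAIN, None, risk.score(), 0.0)
    if risk.score() <= RISK_APPETITE:
        return retained
    best: Optional[Plan] = None
    for c in risk.candidate_controls:
        residual_loss = risk.annual_expected_loss * c.likelihood_factor * c.impact_factor
        benefit = risk.annual_expected_loss - residual_loss
        if c.annual_cost >= benefit:
            continue  # spending more than the consequence of inaction
        residual = round(risk.likelihood * c.likelihood_factor) * round(risk.impact * c.impact_factor)
        plan = Plan(risk, c.treatment, c, residual, benefit - c.annual_cost)
        if best is None or plan.net_value > best.net_value:
            best = plan
    return best or retained


def prioritize(register: List[Risk]) -> List[Plan]:
    """Treatment plans ordered by inherent risk, highest first."""
    return sorted((choose_treatment(r) for r in register),
                  key=lambda p: p.risk.score(), reverse=True)


# Constructed sample register (all values invented for illustration).
REGISTER = [
    Risk("Customer database", "Attacker exploits unpatched web app", "Quarterly patch cycle",
         4, 5, 500_000, [
             Control("Monthly patching plus WAF", Treatment.REDUCE, 60_000, 0.4, 1.0),
             Control("Cyber insurance policy", Treatment.TRANSFER, 80_000, 1.0, 0.5)]),
    Risk("Build server", "Compromised CI pipeline injects code", "Shared admin credentials",
         3, 4, 150_000, [
             Control("Rebuild on isolated hardened runners", Treatment.REDUCE, 200_000, 0.3, 1.0)]),
    Risk("Legacy FTP service", "Credential theft over cleartext", "No transport encryption",
         3, 3, 40_000, [
             Control("Decommission FTP, move clients to SFTP", Treatment.AVOID, 10_000, 0.0, 1.0)]),
    Risk("Office printer fleet", "Hardware failure", "Aging devices",
         2, 2, 3_000, [
             Control("Extended warranty", Treatment.REDUCE, 5_000, 1.0, 0.2)]),
]

if __name__ == "__main__":
    for p in prioritize(REGISTER):
        ctl = p.control.name if p.control else "-"
        print(f"{p.risk.score():>2} {p.risk.asset:<22} {p.treatment.value:<8} "
              f"residual={p.residual_score:<2} net={p.net_value:>9.0f}  {ctl}")
```

The build server row shows the failure mode the "create value" principle guards against: the only candidate control costs more than the loss it would avoid, so the risk is retained and flagged by its residual score rather than treated for its own sake. A residual score that is still above the appetite (the customer database here) is the cue to look for additional controls or to escalate the acceptance decision.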