This report details a risk management strategy for a given organization based on Australian Standards AS4360.
Risk Management Strategy details:
1 & 2. Rationale for managing risks and risk management objectives
All companies face risk. The main rationale for managing risk is to reduce the likelihood of project failure, whether financial, schedule or performance based. A formal risk management strategy provides a structured way to highlight threats to a project's success. The strategy provides advice to the project team and management and benefits the organization as a whole by assisting the decision and planning process, identifying opportunities or threats, and gaining value from changing situations. The strategy takes a proactive approach to management and allocates resources more efficiently. Losses can be reduced and stakeholder trust improved (Australian Standards, 2004). A balance must be struck between being able to act on opportunities and protecting the company against loss. Risk management should be part of company culture, so that everyone in the company has a role to play and is aware of risk management. In the early days insurance was how organizations managed risk, but risk management is now an essential part of every management team's work.
According to Sadgrove (2005), there are two types of business risk: non-entrepreneurial risk and entrepreneurial risk. Non-entrepreneurial risk includes, for example, company fraud, theft or fire. Entrepreneurial risk arises, for example, from opening a new shop or producing a new product. It is in the best interests of the company directors to manage risk, as it applies to all management decisions. Risk is a pre-condition for innovation, a key ingredient of a successful company (Sadgrove, 2005). The objectives of risk management are to reduce company cost, disruption and unhappiness (Sadgrove, 2005). It rates which activities are worth investigating for risk and which activities do not present a current risk.
By identifying risks earlier, managers can better plan for their possible occurrence in the future. Further objectives and benefits to the company include improved planning, greater resource efficiency, more timely scheduling, prevention, reduced costs, improved company reputation, fewer surprises, enhanced communication between managers and staff, reassurance of stakeholders, higher quality products, and more flexible and robust contingency plans (Alexander and Sheedy, 2005).
As indicated in AS4360, when formulating objectives for a risk management process, the internal and external environmental factors must be taken into account (Australian Standards, 2004).
Risk management is growing in importance for a number of reasons. These include tougher legislation, more expensive insurance, customers who are less willing to accept product failure, higher standards for public image, and changing management attitudes towards a more global outlook.
3. Risk strategy issues
According to Sadgrove (2005), the issues covered by a risk strategy may be operational, strategic, compliance or financial. Operational issues include risks associated with employees, suppliers or natural events such as rain. Strategic issues include other markets, the economy and legal issues. Compliance issues may be accounting standards, tax requirements or government legislation. Financial issues include cost issues, interest rates and profitability concerns.
The areas covered by the risk strategy will be influenced by the requirements of the company and its objectives. The products and/or services it supplies and the processes and practices used by the company will also affect the type of risk strategy employed.
4. Acceptable risk tolerance.
According to Fischoff, Lichtenstein, Slovic, Derby and Keeney (1981), acceptable risk "describes the likelihood of an event" with two characteristics: firstly, the chance of occurrence is small, and secondly, the consequence is small. Such events are those "whose consequences are so slight, or whose benefits (perceived or real) are so great, that individuals or groups in society are willing to take or be subjected to the risk that the event might occur."
Stakeholders and managers often determine the acceptable risk factors. Their determination is based on their perception of what constitutes, firstly, a risk and, secondly, whether or not it is an acceptable one. An acceptable risk determination can vary and depends on factors such as differences in values, different requirements, project assumptions, and concerns and concepts as they relate to the project being considered.
According to AS4360 (Australian Standards, 2004), a team approach is very effective in identifying and determining risks. Risks are compared against a set of criteria from which priorities are set. The decision is then made either to treat the risks, if they are deemed unacceptable, or to continue to monitor and review them, if they are currently viewed as acceptable. The risk criteria used to determine whether a risk is acceptable or not are based on financial, operational, humanitarian, legal, technical, social, environmental or other considerations. The risk is evaluated and decisions are made about which risks need attention. The company or organization must decide how much risk it is willing to accept as part of normal business practice. This level can then be set as the benchmark and gives the company a tolerance level to work with. This tolerance may depend on the maturity of the risk management plan, the experience of management, the data available for consideration and other important factors.
Some firms want to accept new ventures with higher risks, while other companies want to maintain a steady course. Often young companies with less to lose will take larger risks, whereas older individuals may not wish to risk as much (Sadgrove, 2005). The acceptable risk tolerance depends on the reward: as the risk increases, so too must the reward in order to make it worthwhile.
5. Risk infrastructure, management, identification, assessment and treatment.
A company with a risk management strategy in place needs an appropriate policy plan and an adequate support system to ensure the strategy is implemented correctly (Australian Standards, 2004). According to AS4360, once risks have been identified there are three general types of analysis for assessing them: qualitative analysis, semi-quantitative analysis and quantitative analysis. Qualitative analysis may be used as an initial tool to identify preliminary risks which are to be analyzed in more detail later. It should be combined with factual information where this can be sourced. Semi-quantitative analysis must be used with care, since the numbers chosen to support the qualitative descriptions may be misleading and can lead to inappropriate outcomes. Quantitative analysis depends on the accuracy of the numerical values, which may be expressed in terms of the criteria initially set during risk identification.
According to an article by the Project Management Institute (Project Management Institute, 2008), if risk areas are not identified and no response plan is in place, tough times may lie ahead. By beginning with a brainstorming session that includes a wide cross-section of stakeholders from many levels throughout the company, possible problems on the way to success may be identified. Ms. Reed, a vice president of an American project management firm, notes that when running such meetings criticism should be left at the door, otherwise the meeting may turn into an unorganized discussion.
6. Risk management responsibilities. Risk identification, assessment and treatment. System review, documentation and maintenance.
Responsibilities for the risk management process should be detailed in the risk management plan and this plan should also detail how the plan shall be conducted throughout the organization. Treatment plans may either be separate from the risk management plan or included with it.
An example of an organization which follows the AS4360 guidelines is the State Records Department of the New South Wales Government in Australia (NSW Government – State Records, 2009). Under their plan, senior management are allocated the responsibility of ensuring that the risk analysis, identification and assessment procedures are implemented regularly. They are also responsible for managing the budget allocated to the risk management strategy and ensuring that it is implemented to protect the records and systems of the State Records Department. The review of their systems is continuous, as stated in the AS4360 guidelines. According to the AS4360 guidelines (Australian Standards, 2004), few risks remain static, so continual review is essential to ensure that the risk management strategy remains relevant. The risk assessment will be continuously monitored and updated throughout the life of a given project, with monthly assessments included in the status report and open to amendment by the Project Manager.
The company's senior directors and executives are responsible for managing risk in their organization. All employees are responsible for risk management within their given areas of managerial responsibility. The risk management plan can be broken down into specific sections based on the different functions and areas within the project. Each area should have a separate plan, consistent with the main company risk management plan, that details the risks most relevant to that team's particular sub-project requirements and concerns. The project manager for each team is responsible for managing that team's risk management plan and ensuring his or her team operates under the localized plan. This manager must, however, also ensure that the risks in the organizational risk management plan are kept in mind. The senior staff of an organization must likewise be committed to the risk management strategy followed by all of these managers (Australian Standards, 2004).
Documentation recording the details of risks must be generated to record priorities and highlight changes in risk priorities. Reports should record treatments, and if incidents occur the lessons learned should be recorded. The progress of the entire risk management plan should also be documented as a whole.
7. Risk management documentation requirements.
A common tool used in the documentation of a risk management system is the risk matrix.
The risk matrix is a table used in risk analysis in which rows show the risks and columns show their likelihood or probability of occurrence and their impact.
For each important business function or area, a risk matrix can be created. Often numerical values from one, meaning no impact, to five, meaning maximum impact, can be assigned for each function. This simple approach to documenting risk can provide a useful set of raw data from which appropriate plans can be devised. Many larger organizations also use this simple approach (National Computing Centre, 2009).
8. Risk management system budgets and their determination.
Such a risk management strategy has a cost associated with it, and this cost must be balanced against the cost of the potential loss if it were to occur (Microsoft Press, 2009). Through the application of risk management methodologies, a company can manage its risk levels so that they do not reach a predetermined unacceptable level.
The budget size for a risk management system will of course depend on the size of the company, its complexity and the responsibilities of the manager in charge of the risk management program (Sadgrove, 2005, p. 55). A good policy is to make the risk management services free to departments and only charge the departments when they make a loss. By charging them when mistakes are made, managers are more likely to seek help and pay closer attention to the risk management strategy. This is better than simply waiting for an issue to occur. Too much investment in risk management will burden the company and make it uncompetitive; underinvestment will make it more vulnerable and likely to incur expensive incident costs. The optimal position is somewhere in the middle (Sadgrove, 2005, p. 14).
Mochal (2006) shows that a risk management system budget can be established by basing it on the Expected Monetary Value (EMV) index. Each risk is assigned two parameters: firstly, the probability that the risk will occur, and secondly, the impact on the project if the risk occurs. Once this is completed for all the risks, the potential impact on the project can be calculated. Hence the risk management system budget should reflect both the impact of each risk and the likelihood that it will happen.
According to AS4360, if the budget for the risk management system is restricted, there should be a clear priority order for the risk treatments.
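As an added worked example (not from this report or any of its cited sources), the Python script below ties the 1-to-5 risk matrix of section 7 to the EMV-based budget and the treatment priority order of section 8; the risk register, probabilities, losses and treatment costs are constructed sample values for a hypothetical project.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int        # 1 (rare) to 5 (almost certain), the matrix scale
    impact: int            # 1 (no impact) to 5 (maximum impact), the matrix scale
    probability: float     # estimated chance the risk occurs, used for EMV
    loss: float            # estimated cost to the project if it occurs
    treatment_cost: float  # cost of the planned treatment for this risk

# Constructed sample register for a hypothetical project; all figures are invented.
REGISTER = [
    Risk("Key supplier fails to deliver", 3, 4, 0.30, 80_000, 10_000),
    Risk("Server room flooding", 1, 5, 0.05, 200_000, 25_000),
    Risk("Staff turnover in development team", 4, 3, 0.50, 40_000, 8_000),
    Risk("Tax rule change", 2, 2, 0.20, 15_000, 3_000),
]

def matrix_score(risk):
    """Risk matrix cell value: likelihood multiplied by impact (1 to 25)."""
    return risk.likelihood * risk.impact

def expected_monetary_value(risk):
    """EMV of one risk: probability of occurrence times the loss if it occurs."""
    return risk.probability * risk.loss

def contingency_budget(register):
    """EMV-based budget: the sum of every risk's expected monetary value."""
    return sum(expected_monetary_value(r) for r in register)

def treatment_priority(register, budget):
    """Rank treatments by matrix score (ties broken by EMV) and fund them in that
    order until the restricted budget runs out; returns funded names and leftover."""
    ranked = sorted(register,
                    key=lambda r: (matrix_score(r), expected_monetary_value(r)),
                    reverse=True)
    funded, remaining = [], budget
    for risk in ranked:
        if risk.treatment_cost <= remaining:
            funded.append(risk.name)
            remaining -= risk.treatment_cost
    return funded, remaining

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:<36} L={r.likelihood} I={r.impact} score={matrix_score(r):>2} EMV={expected_monetary_value(r):>9,.0f}")
    print(f"EMV contingency budget: {contingency_budget(REGISTER):,.0f}")
    print("Funded with a 20,000 treatment budget:", treatment_priority(REGISTER, 20_000))
```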
9. Risk management policy approval and its source.
Senior management should review and endorse the risk management policy for an organization. The policy should be sourced from all higher-level managers concerned as well as all concerned stakeholders. Dialogue with key internal and external stakeholders should be undertaken so as to avoid a one-way flow of information. Stakeholders often have different views on what should be ranked as high-risk priorities, due to factors such as differences in values, requirements, concepts and concerns about the project concerned (Australian Standards, 2004).
Alexander, C. and Sheedy, E. 2005. The Professional Risk Managers’ Handbook: A Comprehensive Guide to Current Theory and Best Practices. PRMIA Publications.
Fischoff, B., Lichtenstein, S., Slovic, P., Derby, S. L. and Keeney, R. L. 1981. Acceptable Risk. Cambridge, UK: Cambridge University Press.
Microsoft Press. 2009. Why Manage Risks Formally? Retrieved 5 October 2009 from http://msdn.microsoft.com/en-us/library/cc500373.aspx
Mochal, T. 2006. Create a risk contingency budget using Expected Monetary Value (EMV). Retrieved 5 October 2009 from http://articles.techrepublic.com.com/5100-10878_11-6069576.html
National Computing Centre. 2009. A matrix approach to risk assessment. Retrieved 5 October 2009 from http://www.nccmembership.co.uk/pooled/articles/BF_WEBART/view.asp?Q=BF_WEBART_113283
NSW Government – State Records. 2009. Risk Assessment. Retrieved 5 October 2009 from http://www.records.nsw.gov.au/recordkeeping/government-recordkeeping-manual/guidance/guidelines/guideline-5/guideline-5-part-3
Project Management Institute. 2009. Risk Identification – Uncover project troubles before they blow up. Retrieved 5 October 2009 from http://www.pmi.org/Pages/Risk_Identification.aspx
Sadgrove, K. 2005. The Complete Guide to Business Risk Management. England: Gower Publishing Limited.
Standards Australia. 2004. Australian/New Zealand Standard AS 4360 – 2004. Australia: Standards Australia International Limited.