أ. شريف نايف عوايص

Lecturer in Business Administration - Head of the Registration Department - Deanship of Admission and Registration

Risk management 3

Steps in the risk management process

Establish the context

Establishing the context involves:

1. Identification of risk in a selected domain of interest.

2. Planning the remainder of the process.

3. Mapping out the following:

   o the social scope of risk management

   o the identity and objectives of stakeholders

   o the basis upon which risks will be evaluated, constraints.

4. Defining a framework for the activity and an agenda for identification.

5. Developing an analysis of risks involved in the process.

6. Mitigation of risks using available technological, human and organizational resources.

Identification

After establishing the context, the next step in the process
of managing risk is to identify potential risks. Risks are about events that,
when triggered, cause problems. Hence, risk identification can start with the
source of problems, or with the problem itself.

Source analysis: Risk sources may be internal or external to the system that is
the target of risk management. Examples of risk sources are: stakeholders of a
project, employees of a company or the weather over an airport.

Problem analysis: Risks are related to identified threats. For example: the
threat of losing money, the threat of abuse of privacy information or the threat
of accidents and casualties. The threats may exist with various entities, most
importantly with shareholders, customers and legislative bodies such as the
government.

 When either source or problem is known, the events that a
source may trigger or the events that can lead to a problem can be
investigated. For example: stakeholders withdrawing during a project may
endanger funding of the project; privacy information may be stolen by employees
even within a closed network; lightning striking a Boeing 747 during takeoff
may make all people onboard immediate casualties.

 The chosen method of identifying risks may depend on
culture, industry practice and compliance. The identification methods are
formed by templates or the development of templates for identifying source,
problem or event. Common risk identification methods are:

Objectives-based risk identification: Organizations and project teams have
objectives. Any event that may endanger achieving an objective partly or
completely is identified as risk. Objective-based risk identification is at the
basis of COSO's Enterprise Risk Management - Integrated Framework.

Scenario-based risk identification: In scenario analysis different scenarios are
created. The scenarios may be the alternative ways to achieve an objective, or
an analysis of the interaction of forces in, for example, a market or battle.
Any event that triggers an undesired scenario alternative is identified as risk
- see Futures Studies for methodology used by Futurists.

Taxonomy-based risk identification: The taxonomy in taxonomy-based risk
identification is a breakdown of possible risk sources. Based on the taxonomy
and knowledge of best practices, a questionnaire is compiled. The answers to the
questions reveal risks. Taxonomy-based risk identification in the software
industry can be found in CMU/SEI-93-TR-6.

Common-risk checking: In several industries lists with known risks are
available. Each risk in the list can be checked for application to a particular
situation. An example of known risks in the software industry is the Common
Vulnerabilities and Exposures list found at http://cve.mitre.org.

Risk charting: This method combines the above approaches by listing Resources at
risk, Threats to those resources, Modifying Factors which may increase or reduce
the risk, and Consequences it is wished to avoid. Creating a matrix under these
headings enables a variety of approaches. One can begin with resources and
consider the threats they are exposed to and the consequences of each.
Alternatively one can start with the threats and examine which resources they
would affect, or one can begin with the consequences and determine which
combination of threats and resources would be involved to bring them about.

 Assessment

 Once risks have been identified, they must then be assessed as
to their potential severity of loss and to the probability of occurrence. These
quantities can be either simple to measure, in the case of the value of a lost
building, or impossible to know for sure in the case of the probability of an
unlikely event occurring. Therefore, in the assessment process it is critical
to make the best educated guesses possible in order to properly prioritize the
implementation of the risk management plan.

 The fundamental difficulty in risk assessment is determining
the rate of occurrence since statistical information is not available on all
kinds of past incidents. Furthermore, evaluating the severity of the
consequences (impact) is often quite difficult for immaterial assets. Asset
valuation is another question that needs to be addressed. Thus, best educated
opinions and available statistics are the primary sources of information.
Nevertheless, risk assessment should produce such information for the
management of the organization that the primary risks are easy to understand and
that the risk management decisions may be prioritized. Thus, there have been
several theories and attempts to quantify risks. Numerous different risk
formulae exist, but perhaps the most widely accepted formula for risk
quantification is:

 Rate of occurrence multiplied by the impact of the event
equals risk

Later research has shown that the financial benefits of risk management depend
less on the formula used and more on how frequently and how the risk assessment
is performed.

 In business it is imperative to be able to present the
findings of risk assessments in financial terms. Robert Courtney Jr. (IBM,
1970) proposed a formula for presenting risks in financial terms. The Courtney
formula was accepted as the official risk analysis method for the US
governmental agencies. The formula proposes calculation of ALE (annualised loss
expectancy) and compares the expected loss value to the security control
implementation costs (cost-benefit analysis).
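The cost-benefit comparison described above, worked through on a small risk register (an added example, not part of the original lecture). The page does not reproduce Courtney's formula, so ALE is taken here as the rate-times-impact product quoted earlier; the net-benefit rule, the class and function names, and every figure are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    rate_per_year: float  # rate of occurrence: expected events per year
    impact: float         # loss per event, in currency units

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: rate of occurrence x impact."""
        return self.rate_per_year * self.impact

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    rate_factor: float = 1.0    # 0.25 means events become four times rarer
    impact_factor: float = 1.0  # 0.5 means each event costs half as much

    def __post_init__(self):
        if not (0 <= self.rate_factor <= 1 and 0 <= self.impact_factor <= 1):
            raise ValueError("factors must lie in [0, 1]")

def residual(risk: Risk, control: Control) -> Risk:
    """The same risk as it looks once the control is in place."""
    return Risk(risk.name, risk.rate_per_year * control.rate_factor,
                risk.impact * control.impact_factor)

def net_benefit(risk: Risk, control: Control) -> float:
    """Yearly ALE reduction minus the control's yearly cost (assumed model)."""
    return risk.ale - residual(risk, control).ale - control.annual_cost

def rank_by_ale(risks):
    return sorted(risks, key=lambda r: r.ale, reverse=True)

# Constructed sample register; every figure is illustrative.
REGISTER = [
    Risk("laptop theft", 2.0, 3_000),
    Risk("customer database breach", 0.125, 160_000),
    Risk("server room fire", 0.0625, 160_000),
]
ENCRYPTION = Control("disk encryption", annual_cost=1_500, impact_factor=0.5)
HALON = Control("halon suppression", annual_cost=12_000, impact_factor=0.25)

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:28s} ALE = {r.ale:>9,.0f}")
    print(net_benefit(REGISTER[0], ENCRYPTION), net_benefit(REGISTER[2], HALON))
```

A positive net benefit argues for implementing the control; a negative one means the control costs more per year than the loss it prevents, which points toward retention or a cheaper treatment.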

 Potential risk treatments

 Once risks have been identified and assessed, all techniques
to manage the risk fall into one or more of these four major categories:
(Dorfman, 1997)

Avoidance (aka elimination)

Reduction (aka mitigation)

Retention (aka acceptance)

Transfer (aka buying insurance)

 Ideal use of these strategies may not be possible. Some of
them may involve trade-offs that are not acceptable to the organization or
person making the risk management decisions. Another source, from the US
Department of Defense, Defense Acquisition University, calls these categories
ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is
reminiscent of another ACAT (for Acquisition Category) used in US Defense
industry procurements, in which Risk Management figures prominently in decision
making and planning.

 Risk avoidance

Includes not performing an activity that could carry risk.
An example would be not buying a property or business in order to not take on
the liability that comes with it. Another would be not flying in order to not
take the risk that the airplane is hijacked. Avoidance may seem the answer
to all risks, but avoiding risks also means losing out on the potential gain
that accepting (retaining) the risk may have allowed. Not entering a business
to avoid the risk of loss also avoids the possibility of earning profits.

 Risk reduction

Involves methods that reduce the severity of the loss or the
likelihood of the loss occurring. Examples include sprinklers designed to
put out a fire to reduce the risk of loss by fire. This method may cause a
greater loss by water damage and therefore may not be suitable. Halon fire
suppression systems may mitigate that risk, but the cost may be prohibitive as
a strategy.

 Modern software development methodologies reduce risk by developing
and delivering software incrementally. Early methodologies suffered from the
fact that they only delivered software in the final phase of development; any
problems encountered in earlier phases meant costly rework and often
jeopardized the whole project. By developing in iterations, software projects
can limit effort wasted to a single iteration.

 Outsourcing could be an example of risk reduction if the
outsourcer can demonstrate higher capability at managing or reducing risks. [1]
In this case companies outsource only some of their departmental needs. For
example, a company may outsource only its software development, the
manufacturing of hard goods, or customer support needs to another company,
while handling the business management itself. This way, the company can
concentrate more on business development without having to worry as much about
the manufacturing process, managing the development team, or finding a physical
location for a call center.

 Risk retention

Involves accepting the loss when it occurs. True self-insurance
falls in this category. Risk retention is a viable strategy for small
risks where the cost of insuring against the risk would be greater over time
than the total losses sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or catastrophic that
they either cannot be insured against or the premiums would be infeasible. War
is an example since most property and risks are not insured against war, so the
loss attributed to war is retained by the insured. Also, any amount of
potential loss (risk) over the amount insured is retained risk. This may also
be acceptable if the chance of a very large loss is small or if the cost to
insure for greater coverage amounts is so great it would hinder the goals of
the organization too much.

 Risk transfer

 Means causing another party to accept the risk, typically by
contract or by hedging. Insurance is one type of risk transfer that uses
contracts. Other times it may involve contract language that transfers a risk
to another party without the payment of an insurance premium. Liability among
construction or other contractors is very often transferred this way. On the
other hand, taking offsetting positions in derivatives is typically how firms
use hedging to financially manage risk.

 Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for the group, but
spreading it over the whole group involves transfer among individual members of
the group. This is different from traditional insurance, in that no premium is
exchanged between members of the group up front, but instead losses are
assessed to all members of the group.

 

 

 
