
DEFINITION
In some cases the acceptable risk may be near zero.

Risks can come from accidents, natural causes and disasters, as well as from deliberate attacks by an adversary.

INTRODUCTION
A prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and the balance between a risk with a high probability of occurrence but lower loss and a risk with high loss but lower probability of occurrence is often mishandled.

Q: Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost: resources spent on risk management could have been spent on more profitable activities. Ideal risk management minimizes spending while maximizing the reduction of the negative effects of risks.

PRINCIPLES
PROCESS
The elements of the risk management process are summarised in Figure 3.1.

Figure 3.1: the risk management process. Establish the context; identify the risks; analyse the risks; evaluate the risks (identification, analysis and evaluation together form the risk assessment); treat the risks. Communicate and consult, and monitor and review, run alongside every step.

1. Communicate and consult
Communication and consultation is ultimately one of the most important aspects of risk management and is integral to the entire risk management process. As such, communication and consultation is reflected in each step of the process described in this guide.

2. Establish the context
When considering risk management within a small business, it is important first to establish the boundaries within which the risk management process will apply. For example, the business owner may be interested only in identifying financial risks, in which case the information collected will pertain only to that area of risk. Establish the internal, external and risk management context, develop risk criteria, and define the structure for the risk analysis.

Q: Tips for developing risk criteria
Decide or define the acceptable level of risk for each activity.
Determine what is unacceptable.
Clearly identify who is responsible for accepting risk, and at what level.

3. Identify the risks
Risk cannot be managed unless it is first identified. Once the context of the business has been defined, the next step is to use that information to identify as many risks as possible. Once risks have been identified, they must be assessed for their potential severity of loss and their probability of occurrence. These quantities can be simple to measure, as with the value of a lost building, or impossible to know for sure, as with the probability of an unlikely event occurring. In the assessment process it is therefore critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.

Retrospective risk identification is the most common way to identify risk, and the easiest. It is easier to believe something if it has happened before, and it is also easier to quantify its impact and to see the damage it has caused. There are many sources of information about retrospective risk. These include:
hazard or incident logs or registers
audit reports
customer complaints
accreditation documents and reports
past staff or client surveys
newspapers or professional media, such as journals or websites.

Methods for identifying prospective risks include:
1. Brainstorming with staff or external stakeholders
2. Researching the economic, political, legislative and operating environment
3. Conducting interviews with relevant people and/or organisations
4. Undertaking surveys of staff or clients to identify anticipated issues or problems
5. Flow charting a process
6. Reviewing system design or preparing system analysis techniques

4. Analyse the risks
The risk analysis step will assist in determining which risks have a greater consequence or impact than others. This gives a better understanding of the possible impact of a risk, or the likelihood of it occurring, in order to make a decision about committing resources to control the risk. As previously introduced, to determine the level of risk, risk analysis combines the consequence of a risk with the likelihood of the risk occurring:

Risk = consequence x likelihood

This is known as the risk analysis equation.

Q: So how is the level of risk determined?
Elements of risk analysis
The elements of risk analysis are as follows:
1. Identify existing strategies and controls that act to minimise negative risk and enhance opportunities.
2. Determine the consequences of a negative impact or an opportunity (these may be positive or negative).
3. Determine the likelihood of a negative consequence or an opportunity.
4. Estimate the level of risk by combining consequence and likelihood.
5. Consider and identify any uncertainties in the estimates.

5. Evaluate the risks
As discussed in Section 3.3, it is important to be able to determine how serious the risks are that the business is facing. The business owner must determine the level of risk that the business is willing to accept. Risk evaluation involves comparing the level of risk found during the analysis process with the previously established risk criteria, and deciding whether these risks require treatment. The result of a risk evaluation is a prioritized list of risks that require further action. This step is about deciding whether risks are acceptable or need treatment.

Q: Risk acceptance
Low or tolerable risks may be accepted. Acceptable means the business chooses to accept that the risk exists, either because the risk is at a low level and the cost of treating it would outweigh the benefit, or because there is no reasonable treatment that can be implemented. This is also known as ALARP (as low as reasonably practicable).

6. Treat the risks
Risk treatment should also aim to enhance positive outcomes. It is often not possible, or not cost-effective, to implement all treatment strategies. A business owner should aim to choose, prioritise and implement the most appropriate combination of risk treatments.

Avoid the risk. One method of dealing with risk is to avoid it by not proceeding with the activity likely to generate the risk. Risk avoidance should only occur when control measures do not exist or do not reduce the risk to an acceptable level. Uncontrolled or inappropriate risk avoidance may lead to a general organisational aversion to risk, resulting in missed opportunities and an increase in the significance of other risks.

Change the likelihood of the occurrence. This option increases the likelihood of beneficial outcomes and reduces the possibility of loss.

Change the consequences. This option increases the size of gains and reduces the size of losses. It may include business continuity plans, and emergency and contingency plans.

Share the risk. Part or most of a risk may be transferred to another party so that they share responsibility.

Retain the risk. After risks have been reduced or transferred, residual risk may be retained if it is at an acceptable level.

Risk management plan
The risk management plan should propose applicable and effective security controls for managing the risks. For example, an observed high risk of computer viruses could be reduced by acquiring and implementing antivirus software. A good risk management plan should contain a schedule for control implementation and name the persons responsible for those actions. Initial risk management plans will never be perfect. Practice, experience and actual loss results will necessitate changes in the plan and contribute information that allows different decisions to be made in dealing with the risks being faced. Risk analysis results and management plans should be updated periodically.

Q: Why should risk management plans be updated periodically?
There are two primary reasons for this:
1. to evaluate whether the previously selected security controls are still applicable and effective, and
2. to evaluate possible changes in the risk level in the business environment. Information risks are a good example of a rapidly changing business environment.

7. Monitor and review Monitor and review is an essential and integral step in the risk management process. A business owner must monitor risks and review the effectiveness of the treatment plan, strategies and management system that have been set up to effectively manage risk. Risks need to be monitored periodically to ensure changing circumstances do not alter the risk priorities. Very few risks will remain static, therefore the risk management process needs to be regularly repeated, so that new risks are captured in the process and effectively managed. A risk management plan at a business level should be reviewed at least on an annual basis. An effective way to ensure that this occurs is to combine risk planning or risk review with annual business planning.
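The analysis, evaluation and treatment steps above (steps 3 to 6), carried through on a small risk register, as an added worked example that is not part of the original page. It applies the risk analysis equation Risk = consequence x likelihood on a 5 x 5 matrix, rates each level against risk criteria, produces the prioritised list from step 5, and then computes the residual level after the chosen treatment options (change likelihood, change consequence, share, avoid, retain). The 1 to 5 scales, the thresholds of 8 and 15 used as risk criteria, the four sample risks, the treatment options and the annual costs are all assumptions constructed for the example; the names rate, evaluate, apply_treatments and treatment_plan are the example's own.

```python
"""Added example: a risk register run through the analyse, evaluate and treat steps (constructed data)."""
from dataclasses import dataclass, replace
from typing import Optional

# Ordinal 1..5 scales and the risk criteria are assumed; the text gives neither.
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
UNACCEPTABLE_AT = 15   # criteria: must be treated, or the activity avoided
TOLERABLE_AT = 8       # criteria: treat if a cost-effective option exists, else accept (ALARP)

def rate(level: int) -> str:
    """Step 5: compare a risk level with the risk criteria."""
    if level >= UNACCEPTABLE_AT:
        return "unacceptable"
    return "tolerable" if level >= TOLERABLE_AT else "acceptable"

@dataclass(frozen=True)
class Risk:
    title: str
    consequence: str
    likelihood: str
    controls: tuple = ()        # existing controls already in place (element 1 of the analysis)
    uncertainty: str = "low"    # confidence in the estimates (element 5 of the analysis)

    def level(self) -> int:
        """Step 4: the risk analysis equation, Risk = consequence x likelihood."""
        return CONSEQUENCE[self.consequence] * LIKELIHOOD[self.likelihood]

@dataclass(frozen=True)
class Treatment:
    option: str                        # avoid | change likelihood | change consequence | share
    description: str
    likelihood: Optional[str] = None   # likelihood after treatment, if the option changes it
    consequence: Optional[str] = None  # consequence after treatment, if the option changes it
    annual_cost: int = 0

def evaluate(register: list) -> list:
    """Step 5: prioritised list, highest level first, each risk rated against the criteria."""
    ranked = sorted(register, key=lambda r: r.level(), reverse=True)
    return [(r.title, r.level(), rate(r.level())) for r in ranked]

def apply_treatments(risk: Risk, treatments: list) -> Optional[Risk]:
    """Step 6: residual risk after the chosen treatments, or None if the activity is avoided."""
    residual = risk
    for t in treatments:
        if t.option == "avoid":
            return None
        residual = replace(residual,
                           likelihood=t.likelihood or residual.likelihood,
                           consequence=t.consequence or residual.consequence,
                           controls=residual.controls + (t.description,))
    return residual

def treatment_plan(register: list, treatments: dict) -> dict:
    """Inherent and residual level for every risk, the treatment cost and the retain/treat decision."""
    decisions = {"acceptable": "retain residual risk",
                 "tolerable": "retain at ALARP; review at the annual planning cycle",
                 "unacceptable": "further treatment required"}
    plan = {}
    for risk in register:
        chosen = treatments.get(risk.title, [])
        residual = apply_treatments(risk, chosen)
        level = 0 if residual is None else residual.level()
        plan[risk.title] = {"inherent": risk.level(), "residual": level, "rating": rate(level),
                            "cost": sum(t.annual_cost for t in chosen),
                            "decision": "activity avoided" if residual is None else decisions[rate(level)]}
    return plan

# Constructed sample register and treatment options for a small business.
REGISTER = [
    Risk("Ransomware on file server", "major", "likely", controls=("antivirus",), uncertainty="medium"),
    Risk("Laptop with customer data lost", "moderate", "likely"),
    Risk("Key supplier insolvency", "moderate", "possible", uncertainty="high"),
    Risk("Office flooded", "major", "rare"),
]
TREATMENTS = {
    "Ransomware on file server": [
        Treatment("change likelihood", "patch within 14 days; MFA on remote access", likelihood="unlikely", annual_cost=4000),
        Treatment("change consequence", "offline backups with tested restores", consequence="moderate", annual_cost=2500)],
    "Laptop with customer data lost": [
        Treatment("change consequence", "full-disk encryption on all laptops", consequence="minor", annual_cost=500)],
    "Key supplier insolvency": [
        Treatment("share", "second qualified supplier under contract", consequence="minor", annual_cost=1500)],
    # "Office flooded" (level 4) is below the criteria and is retained without treatment.
}

if __name__ == "__main__":
    for title, level, rating in evaluate(REGISTER):
        print(f"{level:2d} {rating:12s} {title}")
    for title, row in treatment_plan(REGISTER, TREATMENTS).items():
        print(f"{title}: {row['inherent']} -> {row['residual']} ({row['decision']})")
```

Running the block ranks the ransomware risk first (4 x 4 = 16, unacceptable) and the flood last (4 x 1 = 4, acceptable, so it is simply retained). The two ransomware treatments act on different factors of the equation, one on likelihood and one on consequence, and bring the residual level to 3 x 2 = 6; the laptop risk only falls from 12 to 8, which is still within the tolerable band, so it is retained at ALARP and picked up again at the next review. The uncertainty field is carried on each risk so that a high-uncertainty estimate (the supplier risk) is visible when the register is reviewed, which is the point of element 5 of the analysis.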

ERM
In enterprise risk management, a risk is defined as a possible event or circumstance that can have negative influences on the enterprise in question. Its impact can be on the very existence, the resources (human and capital), the products and services, or the customers of the enterprise, as well as external impacts on society, markets or the environment. In a financial institution, enterprise risk management is normally thought of as the combination of credit risk, interest rate risk or asset liability management, market risk, and operational risk. It provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.

Risk management activities as applied to project management
In project management, risk management includes the following activities:

Planning how risk will be managed in the particular project. The plan should include risk management tasks, responsibilities, activities and budget.
Assigning a risk officer: a team member other than the project manager who is responsible for foreseeing potential project problems. A typical characteristic of a risk officer is a healthy skepticism.
Maintaining a live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved.
Creating an anonymous risk reporting channel. Each team member should have the possibility to report a risk that he or she foresees in the project.
Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of the mitigation plan is to describe how this particular risk will be handled: what, when, by whom and how it will be done to avoid it or to minimize the consequences if it becomes a liability.
Summarizing planned and faced risks, the effectiveness of mitigation activities, and the effort spent on risk management.

LIMITATIONS
If risks are improperly assessed and prioritized, time can be wasted in dealing with risks of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. Unlikely events do occur, but if the risk is unlikely enough it may be better simply to retain the risk and deal with the result if the loss does in fact occur. Prioritizing the risk management process too highly could keep an organization from ever completing a project, or even getting started. This is especially true if other work is suspended until the risk management process is considered complete. It is also important to keep in mind the distinction between risk and uncertainty. Risk can be measured as impact x probability; uncertainty describes outcomes whose probability or impact cannot be reliably estimated, and which therefore cannot be ranked by that equation.

SUMMARY
Risk management is simply the practice of systematically selecting cost-effective approaches for minimising the effect of threat realization on the organization. All risks can never be fully avoided or mitigated, simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risk.
