Risk is the potential loss to an organization. Projects usually have weaknesses, or operate in an environment, that may present a threat to the project. These weaknesses are called vulnerabilities. A risk identified during the planning phase needs corrective actions, called controls, which come into action if the risk is triggered. The controls are expected to reduce the risk or remove it as much as possible. Controls and risk analysis can reduce the risk, and the process lets us act to reduce it as much as possible.
A risk is turned into a loss by a threat. A threat is the trigger that causes the risk to become a loss. While it is difficult to deal with risks, one can deal very specifically with threats. Threats are reduced or eliminated by controls. Thus, a control can be identified as anything that tends to reduce risk. If our controls are inadequate to reduce the risk, we have a vulnerability. A vulnerability, therefore, can be defined as a flaw in the system of controls that will enable a threat to be exploited. Risk analysis is the process of evaluating risks, threats, controls, and vulnerabilities.
The following scenarios can happen, depending on how risk was handled during planning.
Case 1: The risk was identified in risk analysis, and a proper control was identified in case such a scenario arises in the future. The loss will be minimized or the risk will be avoided in this case. Even if the organisation suffers a loss, stakeholders would be satisfied, as the risk was expected to happen and, with the control in place, the impact of the loss was reduced considerably.
Case 2: The risk was identified during the planning phase, but proper controls were not provided during analysis. The loss was reduced, but the scenario could have been handled better.
Case 3: No risk analysis is in place. When a threat is triggered, it sends panic through the team. Though some action will be taken by stakeholders, the chances of loss to the organisation are very high, and it is highly possible that it is too late to correct the mistake and the loss has already been done to the project. This impacts the team, the client's confidence, the client's business and relationship, and our own business as well.
Once a risk happens, we have to take one of the control actions described below:
- Avoid the Risk – We should try to prevent the risk from materializing by planning control activities that avoid it.
- Mitigate the Risk – If a risk becomes an event, the mitigation controls defined during planning should already be in place to reduce the impact of the risk.
- Transfer the Risk – Insuring the project, or transferring the work to a specialized external team, is a good way to transfer the risk when avoiding or mitigating it is not feasible.
- Accept the Risk – There may be risks that do not have any solution and cannot be channelled through any of the above control actions. An example could be a change in regulations for regulatory work. Such risks should nevertheless be analyzed during the risk analysis phase.
Risk analysis should be done at different levels, and not only at the leadership level. Risk analysis should even be done periodically in everyday life, to identify whether we are on the right track or not.
In the next article in this series, we will discuss risk templates, common risks in quality, types of risk, and how risk analysis happens.