Organizations of any kind face internal and external factors and influences that make it uncertain whether, when and the extent to which they will achieve or exceed their objectives. The effect this uncertainty has on the organization’s objectives is “risk”. (AS/NZS ISO 31000:2009, p. iv)
Thus risk is the effect of uncertainty on objectives. Projects typically have a variety of objectives. For example, construction projects typically have objectives related to time, cost, quality, safety and environmental impact. The uncertainty involved may come from a variety of sources. It may be the result of some inherent randomness in the factor involved. For example, it is difficult to predict the weather. It may be the result of a lack of information that can be rectified by some investigation. For example the uncertainty in the proportion of soil and required for an excavation. It may be because the factor is under the control of somebody else. For example, will a negotiation be successful, and how long will it take to resolve? However, the basic principles for dealing with the resulting risk are the same.
Sometimes there are legal requirements for analysing and assessing risk, particularly in the occupational health and safety area and in environmental issues. These legal issues will not be covered; however, the approach discussed should be applicable to any specific legislation.
Consequence and Likelihood
A risk event is something that, if it were to occur, would have an impact on objectives. Risk is measured in terms of likelihood and consequences. The likelihood is the chance that the risk will happen. It may be expressed qualitatively or quantitatively. Quantitative measures include probability and average recurrence interval. The consequence is the impact that the risk event will have on the objective. Sometimes it can be measured easily, for example the number of days that a project is late. Other times it may be difficult to measure, for example the level of injury received in an accident. The consequences may be beneficial or detrimental. Usually, when people think about risk management, they think about dealing with the risks that might have an adverse effect. However, positive risks should also be measured. Positive risks are called opportunities. Managing them involves maximising the scope for taking advantage of them.
Management of Risk
Lay people tend to judge risk by the salience of the risk. For example, nuclear power seems more dangerous than coal power because people can easily recall nuclear disasters such as Chernobyl and Fukushima Daiichi. However, much more coal is needed than uranium to produce a given amount of electricity, and coal mines are dangerous. Furthermore, it does not occur to many people that the exhaust from coal power stations is carcinogenic.
Factors that increase tolerability of risks
• Risks assumed voluntarily
• Delayed effects
• No alternative
• Large benefits
• Well understood risk
• Encountered occupationally
• Familiar
• Not dreadful
• Will not be misused
• Reversible consequences
• Person has some control
Risk management is the coordinated activities to direct and control an organisation with regard to risk. (ISO Guide 73:2009, definition 2.1)
It involves:
• Culture
• Processes
• Structures

• Opposite of crisis management
• Risk management needs to fit into the normal management system
• Treatment often involves ongoing activities that need to be managed
• Ordinary managers should be considering risks whenever they make decisions
Benefits of Risk Management
• an increased understanding of the risks ... and their possible impact, which can lead to the minimisation of risks for a party and/or the allocation of risks to the party best able to handle them.
• an understanding of how risks ... can lead to the use of a more suitable type