Done
Risk Analysis and Assessment
In this assignment, students can work individually or a team of 2 members.
To complete this assignment, students will select only one industry/business to review, analyze, and assess risks using the LSS tools/techniques, quantitative risk assessment, and your creative ideas. Suppose you are the operation and quality coordinator in the organization, with the current COVID-19 situation, new government with some new policies. To stimulate the overall performance, the company CEO provided a budget for each department to improve productivity of its employees/workers. The results must show at least 7% increase in outputs within the next 6 months.
Your selection can be a specific organization or overall industry, for example
Overall industry – Automotive, Pharmaceutical, Hotel and hospitality, E-commerce, Social Media, Retail, Wholesale, Education, or others.
Specific business – GM, Toyota, Ford, Johnson & Johnson, Pfizer, Marriott International, Sheraton Hotels and Resorts, Amazon.com, Facebook, Google, Walmart, Target, Costco, or others.
The final product writing with calculation, tables and diagrams (if any) should be at least 3-5 pages (for individual), 5-8 pages for a team of two students, following APA style, double space.
Significant information (if any) can be added into an Appendix section. The writing must include answers of these 5 items:
1. Reviewing general information of your selection, about 150-200 words on demographic data (e.g. organization, nature of its business, products/services, annual revenue, current situation, quality dimension,…)
2. Assessing risk factors – consider your selection and construct a risk analysis that examines the various forms of potential risk (technical, financial, operational, perimeter, strategic risks,…) related to the existing of the business. How would your analysis change if your overall business’ revenue was down 5% due to the COVID-19 situation?
3. Qualitative risk assessment – Imagine that you are a member of a project team that has been charged to improve productivity of your operation sections by purchasing new application/software system. Using a qualitative risk analysis matrix, develop a risk assessment for a project based on the following information:
Identified risk factors Likelihood
1. Your manager/supervisor resigned 1. High
2. Chance of economic downturn 2. Low
3. Budget cut 3. Medium
4. Project scope changes 4. High
5. Poor spec. performance 5. Low
Based on this information, how would you rate the consequences of each of the identified risk factors? Why? Construct the risk matrix and classify each of the risk factors in the matrix.
Tips: Using the handout – Risk Analysis (Unit Two/Supplement/Handout), pages 2-4, for guideline in drawing a simple 3×3 risk matrix with Probability and Consequences as the two axes. Depending on how you view the consequences of each of the above risks, it is possible to classify them into one of the quadrants of the qualitative risk matrix. The key is that students justify their classifications by giving a logical reason for the consequences they perceive for each risk factor, should the problem actually occur.
4. Developing Risk Mitigation Strategies. Develop a preliminary risk mitigation strategy for each of the risk factors identified in Problem 2. If you were to prioritize your efforts, which risk factors would you address first? Why?
5. Quantitative Risk Assessment. Assume the following information:
Probability of Failure Consequences of Failure
Maturity = .3 Cost = .1
Complexity = .3 Schedule = .7
Dependency = .5 Performance = .5
Calculate the overall risk factor for this project. Would you assess this level of risk as low, moderate, or high? Why?
Post your final product in the BB/Discussion Board, check the assignment due date in Course Schedule.
Suggestion: Handouts located in Unit Two/Supplement will be helpful in completing this assignment.
Handout
– Risk management
This handout is summarized from web resources (ISO, PMI) and the textbook used in IndM 4250/5150 Project Management by Jeffrey Pinto (5th edition), Chapter Seven – Risk Management. Use for an educational purpose for students in the Industrial Management program.
Definition and Risk Factors
What is risk management?
A risk can be defined as an uncertain event or a situation that if occurs can create positive or negative effect on the project objectives. Risk management is the continuous process of
identifying, assessing, and treating loss exposures and monitoring risk control and financial resources to mitigate the adverse effects of loss. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.
Loss may result from the following:
1. Financial risks such as cost of claims and liability judgments
2. Operational risks such as labor strikes
3. Perimeter risks including weather or political change
4. Strategic risks including management changes or loss of reputation
Why to Manage Risk?
There are many reasons to manage risk. Some of them include:
1. Saving resources: people, income, property, assets, time
2. Protecting public image
3. Protecting people from harm
4. Preventing/reducing legal liability
5. Protecting the environment
Typical risk factors include: financial, technical, commercial, executive, contractual or legal risks. The below Figure presents Risk breakdown structure (Pinto, 2019)
Risk Assessment
Qualitative Risk Assessment Matrix
Quantitative risk assessment calculations
Enterprise risk management (ERM)
· The enterprise risk management business strategy identifies and prepares for hazards with a company’s operations and objectives.
· ERM is a new and evolving management discipline that has changed along with the corporate and regulatory landscape of the last decade.
Enterprise risk management framework (Narvaez, K. (N,D)
This ERM framework was designed to help management and boards of directors answer these relevant business questions:
1. What are all the risks to our business strategy and operations (coverage)?
2. How much risk are we willing to take (risk appetite)?
3. How do we govern risk taking (culture, governance, and policies)?
4. How do we capture the information we need to manage these risks (risk data and infrastructure)?
5. How do we control the risks (control environment)?
6. How do we know the size of the various risks (measurement and evaluation)?
7. What are we doing about these risks (response)?
8. What possible scenarios could hurt us (stress testing)?
9. How are various risks interrelated (stress testing)?
Reducing enterprise risk and developing a common risk management language requires an organization to:
Define scope – identify and prioritize critical business processes and their related risks.
Map Risk – determine which threats could jeopardize business objectives or critical strategy, share that information and set controls to offset these risks.
Develop an Action plan – create a risk treatment plan to identify unacceptable risks and resolve risk gaps.
Automate – Use AI technologies to automate inefficient and ineffective manual processes.
Monitor and measure – establish metrics to identify key control deficiencies. Evaluate how the enterprise risk management program is progressing, how it varies from policy and the number of risk incidents.
ISO Standards – Risk Management
What are the ISO standards applicable?
Since the early 2000s, several industry and government bodies have expanded regulatory compliance rules that scrutinize companies’ risk management plans, policies and procedures. In an increasing number of industries, boards of directors are required to review and report on the adequacy of enterprise risk management processes. As a result, risk analysis, internal audits and other means of risk assessment have become major components of business strategy.
Risk management standards have been developed by several organizations, including the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). These standards are designed to help organizations identify specific threats, assess unique vulnerabilities to determine their risk, identify ways to reduce these risks and then implement risk reduction efforts according to organizational strategy.
The ISO 31000 principles, for example, provide frameworks for risk management process improvements that can be used by companies, regardless of the organization’s size or target sector. The ISO 31000 is designed to “increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment,” according to the ISO website. Although ISO 31000 cannot be used for certification purposes, it can help provide guidance for internal or external risk audit, and it allows organizations to compare their risk management practices with the internationally recognized benchmarks.
The ISO recommends the following target areas, or principles, should be part of the overall risk management process:
· The process should create value for the organization.
· It should be an integral part of the overall organizational process.
· It should factor into the company’s overall decision-making process.
· It must explicitly address any uncertainty.
· It should be systematic and structured.
· It should be based on the best available information.
· It should be tailored to the project.
· It must take into account human factors, including potential errors.
· It should be transparent and all-inclusive.
· It should be adaptable to change.
· It should be continuously monitored and improved upon.
The ISO standards have been developed worldwide to help organizations systematically implement risk management best practices. The ultimate goal for these standards is to establish common frameworks and processes to effectively implement risk management strategies. These standards are often recognized by international regulatory bodies, or by target industry groups. They are also regularly supplemented and updated to reflect rapidly changing sources of business risk. Although following these standards is usually voluntary, adherence may be required by industry regulators or through business contracts.
Like many other ISO standards, ISO 31000 refers to an umbrella of risk management standards. The ISO 31000 family consists of:
1. ISO 31000:2018 (Principles and Guidelines on Implementation)
This section sets a framework for the Risk management framework with three concepts of risk such as Potential event, Probability of that event occurring , and the resulting severity of the outcome, should the event occur .ISO 31000 focuses more on conceptual definitions of risk, tied to higher-level concepts of business objectives and context.
2. ISO/IEC 31010:2009 (Risk Assessment Techniques)
3. ISO Guide 73:2009 (Risk Management Vocabulary)
Each of these supplements one another; they’re all designed to provide a clear and universally applicable set of guidelines and best practice principles for risk management.
How do industries implement this?
1. Identify Potential Exposures to Loss: Understand the circumstances in which the rest of the process will take place. The criteria that will be used to evaluate risk should also be
2. established and the structure of the analysis should be defined.
3. Measure Frequency and Severity The company identifies and defines potential risks that may negatively influence a specific company process or project.
4. Risk analysis. Once specific types of risk are identified, the company then determines the odds of them occurring, as well as their consequences. The goal of risk analysis is to further understand each specific instance of risk, and how it could influence the company’s projects and objectives.
5. Risk assessment and evaluation. The risk is then further evaluated after determining the risk’s overall likelihood of occurrence combined with its overall consequence. The company can then make decisions on whether the risk is acceptable and whether the company is willing to take it on based on its risk appetite.
6. Risk mitigation
. During this step, companies assess their highest-ranked risks and develop a plan to alleviate them using specific risk controls. These plans include risk mitigation processes, risk prevention tactics and contingency plans in the event the risk comes to fruition.
7. Risk monitoring
. Part of the mitigation plan includes following up on both the risks and the overall plan to continuously monitor and track new and existing risks. The overall risk management process should also be reviewed and updated accordingly.
8. Communicate and consult. Internal and external shareholders should be included in communication and consultation at each appropriate step of the risk management process and regarding the process as a whole.
Framework of risk management standards
The risk management framework is to determines how risk management is integrated with the organization’s management system
The framework should include
· Risk architecture: roles and responsibilities of individuals and committees that support the risk management process (who “owns” different risks?)
· Strategy: objectives of the risk management activity in the organization
· Protocols: how the strategy will be implemented, and risks managed (procedures, indicators, risk reporting and escalation procedures)
Risk management Framework , Marsden. E (N.D),
Advantages of the risk management standards
ISO 31000 provides a structure, or framework, which allows your businesses to assess and manage risks. It gives companies steps to follow so they anticipate most problems and identify measures to mitigate their impact. When properly implemented, the risk management process can help an organization:
1. Identify threats and opportunities
2. Minimize losses
3. Improve operational efficiency and effectiveness
4. Encourage personnel to identify and treat risks
5. Improve risk management controls
Other advantages are
· Giving you a competitive advantage because ISO is an internationally recognized symbol for quality standards
· Increasing employee awareness of organizational risks by including them in the management framework and giving them responsibility for the processes they commonly use
· Reduce the frequency of, and ultimately eliminate risks by educating employees and stakeholders on identified risks
· Improve trust of stakeholders by maintaining transparency and communicating risks (and demonstrating risk responsibility and mitigation)
· Foster forward-thinking mentalities by encouraging employees to envision all potential outcomes of a given situation
· Improve company culture by bringing disparate departments together to exchange fresh perspectives, and consider how they might work together more effectively
· Improve success rate in all business operations by focusing on the process, thinking preemptively instead of reactively, and giving employees ownership of their work responsibilities
Principles of risk management
This idea is expanded upon by the eight principles of ISO 31000, which are:
Risk management must be integrated into all business operations and activities
1. The approach must be structured and comprehensive.
2. Processes and the risk management framework should be customized to suit the organization’s goals and context.
3. Stakeholders must be involved with the management framework; it must be inclusive.
4. Risk management must be dynamic and robust; preemptive thinking, anticipating, detecting, acknowledging and responding to changes.
5. Risk management takes into account any limitations of available information.
6. Human and cultural factors are paramount and should be considered at all stages and aspects of risk management.
7. The risk management framework is continuously improved through learning and experience.
Risk Control Techniques
1. Avoidance of activities which cause loss.
2. Reduction of the frequency of loss – risk prevention.
3. Reduction of the severity of loss – risk reduction.
4. Contractual transfer of responsibility for loss occurrence.
Six Sigma and Risk management.
Risk management is the identification, assessment, and prioritization of risks, followed by implementation of resources to minimize and control the probability of any unfortunate events. So, the main objective of risk management is to assure that uncertainty does not avert the endeavor from the business goals. Such management of risk across an organization can improve the organization’s ability to accept the right amount of risk to capture strategic opportunities.
Just like risk management, there is another methodology that works on the same principles to serve the same goals; and that is Six Sigma. Both risk management and Six Sigma rely on business processes and data integrity, and deal with risks and uncertainty to deliver value. However, while risk management approaches risk and uncertainty from a financial reporting viewpoint, Six Sigma does the same from an operations and production viewpoint. Also, Six Sigma determines whether a process is improving over time or not, which can help to measure improvements in risk management processes. The structure and statistical methods of Six Sigma can enhance the effectiveness and implementation of risk management in terms of employee expertise, implementation tools, and value creation. This is why it is very beneficial to incorporate both Six Sigma and risk management together within an organization for ultimate results.
Work culture
The behavior and attributes of all the workers within an organization, along with their view of their level of responsibility, and commitment to development, all have an effect on the conformity to risk management. Using Six Sigma change management tools can help in creating a positive working culture within the organization by looking on process improvement in an optimistic manner.
Objective setting
Employees are generally rewarded for their contribution toward financial success of their business segment, in whatever way it may be. However, their actions may also have an adverse effect on the entire organization. Six Sigma tools along with change management can shift the focus to Voice of Customer and Voice of Process, which can bring several opportunities for the organization to increase its value through top-line growth.
Risk identification
Six Sigma can significantly assist leadership in managing the identification of risks by providing an insight into the sources of potential failure events, and highlighting constraints that restrict the organization’s ability to meet the demand. Also, various opportunities can be determined to gather metrics that service as leading and lagging indicators. Furthermore, by applying Lean principles, processes can be streamlined to eliminate waste and inefficiencies.
Risk assessment
Conducting a risk assessment can help evaluate the degree of risks that any potential events may have on an organization’s ability to achieve its goals. Six Sigma tools like cause-and-effect matrix, risk matrix, and failure mode and effects analysis can be used to convert qualitative approaches to quantitative methods.
Monitoring and control
After the processes have been improved, the process owner is responsible to constantly monitor the outputs and inputs to ensure that the process doesn’t return to its former state. Six Sigma combines various process control systems into a single framework so that process owners can constantly monitor and report the inputs, outputs, and process metrics that more accurately reflect the organization’s performance.
Associations with other standards
Above Fig, explains the relation of ISO 31000 with other standards at different categories such as framework, terminology, requirements, Guidelines and tool.
References
Marsden. E (N.D), The ISO31 000 standard on risk management. Retrieved from https://risk-engineering.org/static/PDF/slides-ISO31000-risk-management
Narvaez, K. (N,D). ERM Strategies. Retrieved from www.erm-strategies.com
Pinto, J. (2019). Project Management: Achieving Competitive Advantage (5th Edition), Pearson.
Rouse, M, (N.D). Enterprise risk management (ERM). Retrieved from https://searchcio.techtarget.com/definition/enterprise-risk-management